ReleaseEngineering/PuppetAgain/Modules/slave secrets: Difference between revisions

 
Line 7:
= SSH Keys =


SSH keys are a little more complicated.  First, slaves have a trustlevel, which is set as a [[ReleaseEngineering/PuppetAgain/node-scope variables|node-scope variable]].  This should default to "core", or "try" for hosts which build or run untrusted code.  The intention is to separate slaves that are trusted to have important secrets and create real builds from those which might easily be compromised.
SSH keys are a little more complicated.  First, slaves have a trustlevel, which is set as a [[ReleaseEngineering/PuppetAgain/node-scope variables|node-scope variable]] $slave_trustlevel.  This should be "core" in general, or "try" for hosts which build or run untrusted code.  The intention is to separate slaves that are trusted to have important secrets and create real builds from those which might easily be compromised.


Second, you'll need to provide a "keyset", which is the list of keys to be installed on the slave, by adding a clause for your organization to `modules/slave_secrets/manifests/ssh_keys.pp`.  The keysets are a map from key name (the filename in ~/.ssh) to secret name.  This can be as simple as