Merge "Add winrm certificate handling"

2018-08-09 20:28:40 +00:00 · 2018-08-09 20:28:40 +00:00 · 2c395d90af
parent f87a97ae80 e2de74033b
commit 2c395d90af
3 changed files with 38 additions and 0 deletions
--- a/doc/source/admin/components.rst
+++ b/doc/source/admin/components.rst
@ -499,6 +499,21 @@ The following sections of ``zuul.conf`` are used by the executor:

      SSH private key file to be used when logging into worker nodes.

+   .. attr:: winrm_cert_key_file
+      :default: ~/.winrm/winrm_client_cert.key
+
+      The private key file of the client certificate to use for winrm
+      connections to Windows nodes.
+
+   .. attr:: winrm_cert_pem_file
+      :default: ~/.winrm/winrm_client_cert.pem
+
+      The certificate file of the client certificate to use for winrm
+      connections to Windows nodes.
+
+      .. note:: Currently certificate verification is disabled when
+                connecting to Windows nodes via winrm.
+
   .. _admin_sitewide_variables:

   .. attr:: variables
--- a/releasenotes/notes/winrm-af968bf3269c25d9.yaml
+++ b/releasenotes/notes/winrm-af968bf3269c25d9.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Client certificate locations to be used by winrm connections can be
+    configured now.
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@ -634,6 +634,12 @@ class AnsibleJob(object):
        self.private_key_file = get_default(self.executor_server.config,
                                            'executor', 'private_key_file',
                                            '~/.ssh/id_rsa')
+        self.winrm_key_file = get_default(self.executor_server.config,
+                                          'executor', 'winrm_cert_key_file',
+                                          '~/.winrm/winrm_client_cert.key')
+        self.winrm_pem_file = get_default(self.executor_server.config,
+                                          'executor', 'winrm_cert_pem_file',
+                                          '~/.winrm/winrm_client_cert.pem')
        self.ssh_agent = SshAgent()

        self.executor_variables_file = None
@ -1071,6 +1077,18 @@ class AnsibleJob(object):
                connection_type = node.get('connection_type')
                if connection_type:
                    host_vars['ansible_connection'] = connection_type
+                    if connection_type == "winrm":
+                        host_vars['ansible_winrm_transport'] = 'certificate'
+                        host_vars['ansible_winrm_cert_pem'] = \
+                            self.winrm_pem_file
+                        host_vars['ansible_winrm_cert_key_pem'] = \
+                            self.winrm_key_file
+                        # NOTE(tobiash): This is necessary when using default
+                        # winrm self-signed certificates. This is probably what
+                        # most installations want so hard code this here for
+                        # now.
+                        host_vars['ansible_winrm_server_cert_validation'] = \
+                            'ignore'

                host_keys = []
                for key in node.get('host_keys'):