From: Dan Mick Date: Thu, 12 Jun 2025 02:24:13 +0000 (-0700) Subject: builder.yml: fix jenkins ssh key and github.com host key code X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=cf6ae67a238c349b9459e299f3d18b548e35f5ff;p=ceph-build.git builder.yml: fix jenkins ssh key and github.com host key code Previous code was just wrong; 'first_found' can fail, and does not return file contents; default(URL) just doesn't work Signed-off-by: Dan Mick
---
diff --git a/ansible/examples/builder.yml b/ansible/examples/builder.yml
index cc0e45e3..5dfb9a0b 100644
--- a/ansible/examples/builder.yml
+++ b/ansible/examples/builder.yml
@@ -588,17 +588,27 @@
 # On a mita/prado provisioned builder, everything gets put into a 'playbook' dir.
 # Otherwise it can be found in files/ssh/...
 - set_fact:
- jenkins_key: "{{ lookup('first_found', key_locations) }}"
+ jenkins_key_file: "{{ lookup('first_found', key_locations, errors='ignore') }}"
 vars:
 key_locations:
 - "playbook/files/ssh/keys/jenkins_build.pub"
 - "files/ssh/keys/jenkins_build.pub"
+ - name: get jenkins_key from key file if found
+ set_fact:
+ jenkins_key: "{{ lookup('file', jenkins_key_file) }}"
+ when: jenkins_key_file != ""
+ # And worst case scenario, we just pull the key from github.
+ - name: Set the jenkins key string from github if necessary
+ set_fact:
+ jenkins_key: " {{ lookup('url', 'https://raw.githubusercontent.com/ceph/ceph-build/main/ansible/files/ssh/keys/jenkins_build.pub') }}"
+ when: not jenkins_key is defined
+
 - name: Set the authorized keys
 authorized_key:
 user: "{{ jenkins_user }}"
- key: "{{ lookup('file', '{{ jenkins_key }}')|default('https://raw.githubusercontent.com/ceph/ceph-build/main/ansible/files/ssh/keys/jenkins_build.pub') }}"
+ key: "{{ jenkins_key }}"
 - name: "Ensure {{ jenkins_user }} can sudo without a prompt"
 lineinfile:
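Review bot: The github fallback on the new `jenkins_key:` line embeds a leading space inside the quoted value (`" {{ lookup('url', ...) }}"`), so the string handed to authorized_key starts with a space; the matching line in the second hunk has no such space, so `jenkins_key: "{{ lookup('url', 'https://raw.githubusercontent.com/ceph/ceph-build/main/ansible/files/ssh/keys/jenkins_build.pub') }}"` is presumably what was intended. Because this fallback installs a login key fetched at run time, the only integrity check on it is the certificate validation that `lookup('url')` performs by default, and that is worth stating next to the task, e.g. `# Fallback trusts TLS to raw.githubusercontent.com and the contents of ceph-build main; keep validate_certs at its default`. The two fallbacks also use different guards (`not jenkins_key is defined` here, `github_host_key == ""` in the next hunk), and the `is defined` form used here is the one that still works when the preceding file-lookup task was skipped. The enclosing task list continues before and after this hunk.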
@@ -800,31 +810,37 @@
 ## GITCONFIG TASKS
 - name: Ensure the gitconfig file exists
 shell: printf "[user]\name=Ceph CI\nemail=ceph-release-team@redhat.com\n" > /home/{{ jenkins_user }}/.gitconfig
- tags: github
 - name: Ensure the gitconfig file has right permissions
 file:
 path: "/home/{{ jenkins_user }}/.gitconfig"
 owner: "{{ jenkins_user }}"
- tags: github
 # On a mita/prado provisioned builder, everything gets put into a 'playbook' dir.
 # If all else fails, get it from github (using the |default)
 - set_fact:
- github_key: "{{ lookup('first_found', key_locations) }}"
+ github_host_key_file: "{{ lookup('first_found', key_locations, errors='ignore') }}"
 vars:
 key_locations:
 # github.com.pub is the output of `ssh-keyscan github.com`
 - "playbook/files/ssh/hostkeys/github.com.pub"
 - "files/ssh/hostkeys/github.com.pub"
- tags: github
+
+ - name: get github host key from file
+ set_fact:
+ github_host_key: "{{ lookup('file', github_host_key_file) }}"
+ when: github_host_key_file != ""
+
+ - name: get github host key from github if necessary
+ set_fact:
+ github_host_key: "{{ lookup('url', 'https://raw.githubusercontent.com/ceph/ceph-build/main/ansible/files/ssh/hostkeys/github.com.pub') }}"
+ when: github_host_key == ""
 - name: Add github.com host key
 known_hosts:
 name: github.com
 path: '/etc/ssh/ssh_known_hosts'
- key: "{{ lookup('file', '{{ github_key }}')|default('https://raw.githubusercontent.com/ceph/ceph-build/main/ansible/files/ssh/hostkeys/github.com.pub') }}"
- tags: github
+ key: "{{ github_host_key }}"
 ## PIP TASKS
 - set_fact:
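Review bot: The fallback task's guard `when: github_host_key == ""` reads a variable that is only set by the preceding task, and that task is skipped precisely when no key file was found, so in the one case the fallback exists for Ansible will fail the conditional with an undefined-variable error rather than run it; use the same form as the first hunk, `when: github_host_key is not defined`, or `when: github_host_key | default('') == ""`. Separately, the comment above `key_locations` says github.com.pub is `ssh-keyscan` output, which is normally one line per key type; `lookup('url', ...)` splits the response into lines and a templated lookup joins several results with commas, so if the file has more than one line the known_hosts entry written from the fallback would be malformed — `lookup('url', '...', split_lines=False)` returns the body as a single string, and whether the known_hosts module accepts several keys in one `key` value should be confirmed. On the fallback path the host key that will later authenticate github.com over SSH is itself fetched from GitHub over HTTPS, so its trust rests entirely on the default certificate validation of `lookup('url')`; a comment stating that above the task (e.g. `# Fallback path: trust in this host key rests on TLS validation of raw.githubusercontent.com`) would make the trade-off visible to the next maintainer. The task list continues outside this hunk.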