From 4df162dab356b4dfe6e47d6876ff9ea4684b9006 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 15 Sep 2020 10:30:23 -0400
Subject: [PATCH] ansible: Pass API key to slave.jar as file
vstart_runner.py runs 'ps ww' for the jenkins-build user. This exposes the API key by showing the java.jar process in Jenkins logs. If we pass the credentials as a file, there's less of a chance of it getting exposed.
Signed-off-by: David Galloway
---
 ansible/examples/slave.yml | 9 ++++++---
 ansible/templates/systemd/jenkins.secret.j2 | 1 +
 ansible/templates/systemd/jenkins.service.j2 | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 ansible/templates/systemd/jenkins.secret.j2
diff --git a/ansible/examples/slave.yml b/ansible/examples/slave.yml
index 3e68c96f..c7973a89 100644
--- a/ansible/examples/slave.yml
+++ b/ansible/examples/slave.yml
@@ -725,10 +725,13 @@
 dest: "/home/{{ jenkins_user }}/slave.jar"
 force: yes
- - name: Install the systemd unit file for jenkins
+ - name: Install the systemd unit files for jenkins
 template:
- src: "templates/systemd/jenkins.service.j2"
- dest: "/etc/systemd/system/jenkins.service"
+ src: "templates/systemd/jenkins.{{ item }}.j2"
+ dest: "/etc/systemd/system/jenkins.{{ item }}"
+ with_items:
+ - service
+ - secret
 - name: Reload systemd unit files (to pick up potential changes)
 systemd:
diff --git a/ansible/templates/systemd/jenkins.secret.j2 b/ansible/templates/systemd/jenkins.secret.j2
new file mode 100644
index 00000000..b048faa7
--- /dev/null
+++ b/ansible/templates/systemd/jenkins.secret.j2
@@ -0,0 +1 @@
+{{ api_user }}:{{ token }}
diff --git a/ansible/templates/systemd/jenkins.service.j2 b/ansible/templates/systemd/jenkins.service.j2
index 97ba7d9d..badcfc12 100644
--- a/ansible/templates/systemd/jenkins.service.j2
+++ b/ansible/templates/systemd/jenkins.service.j2
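Review bot: The reworked `template` task now renders `jenkins.secret`, which carries `{{ api_user }}:{{ token }}`, with no `owner`/`group`/`mode`, so the file is created in `/etc/systemd/system/` with whatever the default umask gives (typically world-readable) and any local account can read the token this change is trying to keep out of `ps` output. Because the two looped items need different permissions (the unit file must stay readable by systemd, the secret only by the account the agent runs as), carrying owner and mode per item keeps it in a single task. `no_log: true` on the task additionally keeps the rendered token out of Ansible's own output, for example in `--diff` runs. I have made the jenkins user the owner of the secret; root ownership with the jenkins user's group and `"0640"` is stricter but needs that group's name, which is not visible in this patch.
```yaml
- name: Install the systemd unit files for jenkins
  template:
    src: "templates/systemd/jenkins.{{ item.name }}.j2"
    dest: "/etc/systemd/system/jenkins.{{ item.name }}"
    owner: "{{ item.owner }}"
    mode: "{{ item.mode }}"
  no_log: true
  with_items:
    - name: service
      owner: root
      mode: "0644"
    - name: secret
      owner: "{{ jenkins_user }}"
      mode: "0600"
```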
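Review bot: The rendered secret file ends with a newline (there is no `\ No newline at end of file` marker on the new side, and Ansible's `template` normally preserves the source's trailing newline), so the agent is handed `user:token` followed by `\n`; whether that works depends on the launcher trimming the `@file` contents, which I cannot confirm from this patch, so it is worth one manual start on a node before rollout. If the content is not trimmed the token is merely wrong rather than exposed, but the failure will look like a bad credential and cost someone time. A comment on the playbook task that installs this file, such as `# jenkins.secret holds api_user:token and is read via -jnlpCredentials @file in jenkins.service`, would record the coupling; a Jinja comment inside the template itself would render as an extra line and is not an option here.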
@@ -13,7 +13,7 @@ User={{ jenkins_user }}
 ExecStart=/usr/bin/java \
 -jar /home/{{ jenkins_user }}/slave.jar \
 -jnlpUrl {{ api_uri }}/computer/{{ ansible_default_ipv4.address }}+{{ nodename }}/slave-agent.jnlp \
- -jnlpCredentials {{ api_user }}:{{ token }}
+ -jnlpCredentials @/etc/systemd/system/jenkins.secret
 StandardOutput=journal
 StandardError=journal
 Restart=always
-- 
2.39.5
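Review bot: Agent start-up now depends on `/etc/systemd/system/jenkins.secret` existing and being readable by `User={{ jenkins_user }}`, but nothing in the unit expresses that dependency, so a missing or empty file turns into a `Restart=always` crash loop with the actual cause buried in the journal. Adding `ConditionFileNotEmpty=/etc/systemd/system/jenkins.secret` to the `[Unit]` section, which lies outside this hunk, makes systemd skip the start with a logged reason instead. An unreadable file is not caught by that condition and still needs the file mode to be set explicitly on the Ansible side.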