adoptium / infrastructure

This repo contains all information about machine maintenance.
Apache License 2.0

Ansible request for adding GitHub and GitHub Enterprise (IBM) ssh key fingerprints to known_hosts in the docker build images #3596

Open AdamBrousseau opened 2 weeks ago

AdamBrousseau commented 2 weeks ago

Details:

We (IBM Semeru) are running all our Linux compiles in Adopt's centos containers [1][2]. We clone over ssh as it is more reliable than https (curl). We currently have a hack in our fork of the pipeline code to add in the gh/ghe keys on the fly in the build. We are proposing adding these keys to a Playbook so they can be built into the containers (and machines). I see there is a PB for the gh.com known_hosts entry under the jenkins_user adoptopenjdk tags [3]. But I see it is skipped when the container images are built [4]. I'm not sure why it is skipped, but I doubt it would be because of the known_hosts entry piece.

a) Is there a way we can not skip at least that part of the PB?
b) Can we add another key there for our GHE? [5]

More info https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

Slack conversation with @sxa https://adoptium.slack.com/archives/C09NW3L2J/p1717421779597569

[1] adoptopenjdk/centos6_build_image
[2] adoptopenjdk/centos7_build_image
[3] https://github.com/adoptium/infrastructure/blob/c96f2d57b511e888cd465e01a7433199b776ab73/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Jenkins_User/tasks/main.yml#L87
[4] https://github.com/adoptium/infrastructure/blob/c96f2d57b511e888cd465e01a7433199b776ab73/ansible/docker/Dockerfile.CentOS7#L15
[5] github.ibm.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1K6pnwsCh8hFCqvzWkb1y3ajXervgfokIdZ/VIURIItVBIINtH5Ynupt2cLLBMYysYjR1I/P4VNZf7bX+HejjJqMf92psXQ1VToyKeNZ+i01CrhZko11157veidnMwVmKoCIdrKpsLgqthJ6kXLrTqaVIQ1sh3lKZ0tFRsqgiwNbstwhRZe/MyUoDuzHZQPooxsiy5dBO+LpkovCShwVfZ3380UyAfScPrUZcX2zY/qmGDz4puXOWj/CQupoe76JoVenfwrjfTw2I+GoPxpZK6R47akoAekCO+Dw8VW4NnTDR6L7eGkclltQSC7HQ9MiFDB4Z49ONWQwotLdttDr5
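A build-time check for the pinned-key approach described in the comment above, as an added example that is not code from this issue, from IBM, or from the adoptium/infrastructure playbooks. It takes each known_hosts line together with the SHA256 fingerprint the host's documentation publishes (for github.com, the page linked above), recomputes the fingerprint from the key blob, checks that the declared key type matches the type string inside the blob, rejects truncated blobs and ssh-rsa keys shorter than 2048 bits, and only then renders the file. The github.ibm.com line is the one quoted in [5]; its published fingerprint is not on this page, so the demo at the bottom computes it locally as a stand-in, which is an assumption and not IBM's value. MIN_RSA_BITS and all function names are this example's own.

```python
"""Pin git-host SSH keys into known_hosts from a vendor's published key list.

Input: {known_hosts_line: published_SHA256_fingerprint}, both copied from the
host's documentation. A line is written only if its fingerprint matches, the
declared key type equals the type inside the wire-format blob, and an
ssh-rsa key is at least MIN_RSA_BITS long. Never feed this ssh-keyscan output:
the point is that the key and the fingerprint come from different places.
"""
import base64
import hashlib

MIN_RSA_BITS = 2048  # example's own policy threshold, not a vendor setting

# Constructed sample input: the github.ibm.com entry quoted in the issue.
GHE_ENTRY = "github.ibm.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1K6pnwsCh8hFCqvzWkb1y3ajXervgfokIdZ/VIURIItVBIINtH5Ynupt2cLLBMYysYjR1I/P4VNZf7bX+HejjJqMf92psXQ1VToyKeNZ+i01CrhZko11157veidnMwVmKoCIdrKpsLgqthJ6kXLrTqaVIQ1sh3lKZ0tFRsqgiwNbstwhRZe/MyUoDuzHZQPooxsiy5dBO+LpkovCShwVfZ3380UyAfScPrUZcX2zY/qmGDz4puXOWj/CQupoe76JoVenfwrjfTw2I+GoPxpZK6R47akoAekCO+Dw8VW4NnTDR6L7eGkclltQSC7HQ9MiFDB4Z49ONWQwotLdttDr5"


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one length-prefixed SSH wire-format string; reject truncated blobs."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_known_hosts_line(line: str) -> tuple[list[str], str, bytes]:
    """Split 'host[,host...] keytype base64' and decode the blob.

    Raises ValueError if the line is malformed or the declared key type
    disagrees with the type string embedded in the blob.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    hosts, declared_type = fields[0].split(","), fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    wire_type, _ = _read_string(blob, 0)
    if wire_type != declared_type.encode("ascii"):
        raise ValueError(f"declared {declared_type} but blob says {wire_type!r}")
    return hosts, declared_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def rsa_modulus_bits(blob: bytes) -> int:
    """Bit length of n in an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    _, offset = _read_string(blob, 0)       # "ssh-rsa"
    _, offset = _read_string(blob, offset)  # e
    n, _ = _read_string(blob, offset)       # n, possibly with a leading 0x00 sign byte
    return int.from_bytes(n, "big").bit_length()


def check_entry(line: str, published_fingerprint: str) -> tuple[bool, str]:
    """Return (ok, reason) for one entry against the fingerprint the vendor publishes."""
    try:
        _hosts, key_type, blob = parse_known_hosts_line(line)
        bits = rsa_modulus_bits(blob) if key_type == "ssh-rsa" else None
    except ValueError as exc:
        return False, str(exc)
    actual = fingerprint_sha256(blob)
    if actual != published_fingerprint:
        return False, f"fingerprint mismatch: published {published_fingerprint}, got {actual}"
    if bits is not None and bits < MIN_RSA_BITS:
        return False, f"ssh-rsa key is {bits} bits, below {MIN_RSA_BITS}"
    return True, "ok"


def render_known_hosts(pins: dict[str, str]) -> str:
    """Build known_hosts content; any failing entry aborts the whole file."""
    out = []
    for line, fingerprint in pins.items():
        ok, reason = check_entry(line, fingerprint)
        if not ok:
            raise ValueError(f"{line[:40]!r}: {reason}")
        out.append(line.strip() + "\n")
    return "".join(out)


if __name__ == "__main__":
    # Stand-in only: the issue does not quote IBM's published fingerprint, so
    # compute one locally. In a real image build this value comes from the
    # vendor's documentation, never from the key being trusted.
    _, _, ghe_blob = parse_known_hosts_line(GHE_ENTRY)
    print(render_known_hosts({GHE_ENTRY: fingerprint_sha256(ghe_blob)}), end="")
```

On the playbook side the verified lines can be written with the ansible.builtin.known_hosts module (name, key, path, state); what this script adds is the cross-check against the published fingerprint, which running ssh-keyscan during the image build cannot give you, since that trusts whatever answers on port 22 at build time.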
sxa commented 2 weeks ago

The reason for skipping the jenkins user role would be because the user does not require the jenkins authorized_keys file, as the containers are never accessed directly, although, as you've pointed out, this does mean that the github entry is skipped.

What we'd want here for your use case is for the jenkins_authorized_key to be skipped instead of the whole jenkins role when adoptopenjdk is skipped - although the reason for having it skipped is primarily because in general end users wanting to make use of our playbooks outside the adoptium infrastructure are encouraged to skip adoptopenjdk, which prevents this extra jenkins user ID being added to their system. We'll need to think on a way around that.

I'll raise the GHE key issue with the PMC this week.

sxa commented 1 week ago

This was discussed at the PMC call yesterday and the general feeling was that it would not be appropriate to add vendor-specific SSH host keys into the Temurin scripts. I'll keep this open if you still want the main GitHub one in though (I guess it depends on whether not having both in the build images means you have to keep your additional process in place, so it's just as easy to add both keys instead of just one)