(replies inline) On Mon, 26 Mar 2018, Jesse Glick wrote:
> Jenkins already includes the `instance-identity` module, which is the
> standard mechanism¹ for both uniquely identifying a Jenkins
> installation, and permitting asymmetrically-encrypted communications
> with it. Is there a reason you are not using it? If so, that should be
> clearly documented under "Alternative Approaches". There is a vague
> mention of OpenSSH keys, but this module is not limited to SSH (much
> less OpenSSH), and public-key encryption has widespread library
> support.

Thanks for taking a look, Jesse!

You're right that Jenkins already does have an instance identity floating around. In a much earlier iteration of my thinking I was considering using this until I started to think about how this would work in practice for new installations.

Unfortunately when the jenkins/evergreen image comes online and checks for updates, it will not have run `jenkins.war` at all yet, and therefore no instance identity. Rather than have one unprotected/identified route in the service backend for bootstrapping new nodes, I am erring on the side of treating all "got updates?" requests the same, which requires a client registration and identity to kick the process off.

You're absolutely right that the "Alternative Approaches" section doesn't list this and should, I'll update shortly.

Cheers
- R. Tyler Croy

------------------------------------------------------
     Code: <https://github.com/rtyler>
  Chatter: <https://twitter.com/agentdero>
     xmpp: rty...@jabber.org

  % gpg --keyserver keys.gnupg.net --recv-key 1426C7DC3F51E16F
------------------------------------------------------