feat(e2e): custodian-keygen + wire id_custodian_agent into e2e automation

- make custodian-keygen: generates ~/.ssh/id_custodian_agent, writes public key to railiance-infra/ansible/inventory/group_vars/all.yaml - make custodian-key-show: prints the current public key - e2e targets automatically use id_custodian_agent when present - e2e-cron-install uses custodian key, no manual key passing needed Full flow: make custodian-keygen # one-time cd ~/railiance-infra && make provision-custodian-agent # deploy key make e2e-cron-install REPO=activity-core # install cron Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 01:22:04 +01:00
parent 6dace03a9b
commit d2fe95735b
1 changed files with 50 additions and 1 deletions
--- a/51
+++ b/51
@@ -1,4 +1,48 @@
 # the-custodian top-level Makefile
+#
+# Custodian agent SSH identity
+# ----------------------------
+# make custodian-keygen        — generate ~/.ssh/id_custodian_agent (one-time)
+#                                and write the public key into railiance-infra
+#                                ansible/inventory/group_vars/all.yaml
+# make custodian-key-show      — print the current public key (for manual ops)
+#
+# After keygen, run in railiance-infra:
+#   make provision-custodian-agent   (deploys the key to all managed hosts)
+#
+# The private key is NEVER committed. The public key is committed via railiance-infra.
+
+CUSTODIAN_KEY     := $(HOME)/.ssh/id_custodian_agent
+RAILIANCE_INFRA   := $(HOME)/railiance-infra
+AGENT_VARS_FILE   := $(RAILIANCE_INFRA)/ansible/inventory/group_vars/all.yaml
+
+.PHONY: custodian-keygen
+custodian-keygen: ## Generate custodian agent SSH keypair (one-time setup)
+	@if [ -f "$(CUSTODIAN_KEY)" ]; then \
+	  echo "Key already exists at $(CUSTODIAN_KEY). Remove it first to regenerate."; \
+	  exit 1; \
+	fi
+	ssh-keygen -t ed25519 -f "$(CUSTODIAN_KEY)" -C "custodian-agent" -N ""
+	@echo ""
+	@echo "Public key:"
+	@cat "$(CUSTODIAN_KEY).pub"
+	@echo ""
+	@PUBKEY=$$(cat "$(CUSTODIAN_KEY).pub") && \
+	  python3 -c "\
+import sys, re; \
+content = open('$(AGENT_VARS_FILE)').read(); \
+updated = re.sub(r'custodian_agent_pubkey:.*', 'custodian_agent_pubkey: \"' + sys.argv[1] + '\"', content); \
+open('$(AGENT_VARS_FILE)', 'w').write(updated); \
+print('Public key written to $(AGENT_VARS_FILE)')" "$$PUBKEY"
+	@echo ""
+	@echo "Next steps:"
+	@echo "  1. cd $(RAILIANCE_INFRA) && git add ansible/inventory/group_vars/all.yaml && git commit -m 'feat: add custodian agent public key'"
+	@echo "  2. cd $(RAILIANCE_INFRA) && make provision-custodian-agent"
+
+.PHONY: custodian-key-show
+custodian-key-show: ## Print the custodian agent public key
+	@test -f "$(CUSTODIAN_KEY).pub" || (echo "No key found at $(CUSTODIAN_KEY). Run: make custodian-keygen"; exit 1)
+	@cat "$(CUSTODIAN_KEY).pub"

 ## Run e2e tests for a repo in a remote sandbox
 ## Usage: make e2e REPO=activity-core
@@ -28,6 +72,8 @@ endif

 ifdef KEY
  E2E_KEY_FLAG := --key $(KEY)
+else ifneq ($(wildcard $(CUSTODIAN_KEY)),)
+  E2E_KEY_FLAG := --key $(CUSTODIAN_KEY)
 else
  E2E_KEY_FLAG :=
 endif
@@ -52,7 +98,10 @@ endif

 RAILIANCE_HOST  := $(or $(HOST),$(RAILIANCE01_HOST),92.205.62.239)
 RAILIANCE_USER  := $(or $(SSHUSER),$(RAILIANCE01_USER),tegwick)
-RAILIANCE_SSH   := ssh -o StrictHostKeyChecking=no $(RAILIANCE_USER)@$(RAILIANCE_HOST)
+# Default SSH key: custodian agent identity (generated via make custodian-keygen)
+# Override with KEY=~/.ssh/other_key if needed
+RAILIANCE_KEY   := $(or $(KEY),$(CUSTODIAN_KEY))
+RAILIANCE_SSH   := ssh -i "$(RAILIANCE_KEY)" -o StrictHostKeyChecking=no $(RAILIANCE_USER)@$(RAILIANCE_HOST)

 .PHONY: e2e-cron-install
 e2e-cron-install: