diff --git a/tools/multi_nodes_gate/airship_gate/lib/airship.sh b/tools/multi_nodes_gate/airship_gate/lib/airship.sh
index fc096dc1..39f5ec3a 100644
--- a/tools/multi_nodes_gate/airship_gate/lib/airship.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/airship.sh
@@ -140,6 +140,11 @@ collect_ssh_key() {
     ssh_keypair_declare
   fi
 
+  if [[ "${USE_EXISTING_SECRETS}" ]]; then
+    log "Using existing manifests for secrets"
+    return 0
+  fi
+
   cat << EOF > ${GATE_DEPOT}/airship_ubuntu_ssh_key.yaml
 ---
 schema: deckhand/Certificate/v1
diff --git a/tools/multi_nodes_gate/airship_gate/lib/config.sh b/tools/multi_nodes_gate/airship_gate/lib/config.sh
index 78796873..3c0b85a4 100644
--- a/tools/multi_nodes_gate/airship_gate/lib/config.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/config.sh
@@ -21,6 +21,14 @@ export UPSTREAM_DNS=${UPSTREAM_DNS:-"8.8.8.8 8.8.4.4"}
 export NTP_POOLS=${NTP_POOLS:-"0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"}
 export NTP_SERVERS=${NTP_SERVERS:-""}
 
+# key-pair used for drydock/maas auth towards libvirt and access to
+# the virtual nodes; auto-generated if no value provided
+export GATE_SSH_KEY=${GATE_SSH_KEY:-""}
+
+# skip generation of certificates, and other security manifests
+# auto-generated by default
+export USE_EXISTING_SECRETS=${USE_EXISTING_SECRETS:-""}
+
 export SHIPYARD_PASSWORD=${SHIPYARD_OS_PASSWORD:-'password18'}
 export AIRSHIP_KEYSTONE_URL=${AIRSHIP_KEYSTONE_URL:-'http://keystone.gate.local:80/v3'}
diff --git a/tools/multi_nodes_gate/airship_gate/lib/ssh.sh b/tools/multi_nodes_gate/airship_gate/lib/ssh.sh
index 0b872bf6..954c5cbf 100644
--- a/tools/multi_nodes_gate/airship_gate/lib/ssh.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/ssh.sh
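Review bot: The new guard `if [[ "${USE_EXISTING_SECRETS}" ]]; then` is a plain non-empty test, so `USE_EXISTING_SECRETS=false` or `USE_EXISTING_SECRETS=0` also skips writing `airship_ubuntu_ssh_key.yaml`; the same test is repeated in virsh.sh's `install_libvirt_key`, in build-scripts.sh, generate-certificates.sh and shipyard-load-design.sh, and `GATE_SSH_KEY` is tested the same way in ssh.sh and virsh.sh. Since config.sh defaults the variable to an empty string the intent is presumably "set to enable"; either say so in config.sh (`# any non-empty value enables the skip`) or pin one accepted value at every site, e.g. `if [[ "${USE_EXISTING_SECRETS,,}" == "true" ]]; then`, so a typo in the value cannot silently switch off secret generation. Nothing in this hunk verifies that the site manifests actually carry the document the skipped `cat` would have produced, so a wrong value surfaces only later in the deployment stages. collect_ssh_key starts outside the hunk.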
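Review bot: The comment above `GATE_SSH_KEY` does not say what the value has to be: the ssh.sh and virsh.sh hunks copy both `"${GATE_SSH_KEY}"` and `"${GATE_SSH_KEY}.pub"`, so it must be the path to a private key whose public half sits next to it with a `.pub` suffix, and that one private key is installed both as `${SSH_CONFIG_DIR}/id_rsa` and as `~virtmgr/.ssh/airship_gate`. Suggest replacing the two comment lines with `# path to an SSH private key; "${GATE_SSH_KEY}.pub" must exist beside it.` / `# installed as the gate's id_rsa (VM access) and as virtmgr's airship_gate (libvirt auth);` / `# a fresh keypair is generated when empty`. The `USE_EXISTING_SECRETS` comment should likewise state that any non-empty value enables the skip and which stages honour it, since the early returns in the lib functions and the `exit 0` in generate-certificates.sh all key off this variable.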
@@ -41,8 +41,16 @@ ssh_config_declare() {
 
 ssh_keypair_declare() {
   log Validating SSH keypair exists
   if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]; then
-    log Generating SSH keypair
-    ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
+    if [[ "${GATE_SSH_KEY}" ]]; then
+      log "Using existing SSH keys for VMs"
+      cp "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"
+      chmod 600 "${SSH_CONFIG_DIR}/id_rsa"
+
+      cp "${GATE_SSH_KEY}.pub" "${SSH_CONFIG_DIR}/id_rsa.pub"
+    else
+      log Generating SSH keypair
+      ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
+    fi
   fi
 }
diff --git a/tools/multi_nodes_gate/airship_gate/lib/virsh.sh b/tools/multi_nodes_gate/airship_gate/lib/virsh.sh
index 6d288b57..fe097c79 100644
--- a/tools/multi_nodes_gate/airship_gate/lib/virsh.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/virsh.sh
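Review bot: `cp "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"` creates `id_rsa` with the umask-derived mode and only the following `chmod 600` tightens it, and neither that `cp` nor the `.pub` copy is checked, so a missing or unreadable source leaves a half-installed keypair (whether the script aborts there depends on `set -e` being active, which is not visible in this hunk). `install -m 600 -- "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa" || return 1` writes the file with the final mode in one step, and deriving the public half with `ssh-keygen -y -f "${SSH_CONFIG_DIR}/id_rsa" > "${SSH_CONFIG_DIR}/id_rsa.pub"` drops the requirement for a sibling `.pub` file and fails loudly when the supplied file is not a usable private key. Note that the new branch sits inside the existing `[ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]` check, so a previously generated `id_rsa` is kept even when `GATE_SSH_KEY` is set; that is worth a comment or a log line so the operator is not surprised by the old key being used.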
@@ -301,22 +301,35 @@ make_virtmgr_account() {
 
 gen_libvirt_key() {
   log Removing any existing virtmgr SSH keys
   sudo rm -rf ~virtmgr/.ssh
-  log Generating new SSH keypair for virtmgr
   sudo mkdir -p ~virtmgr/.ssh
-  sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
+
+  if [[ "${GATE_SSH_KEY}" ]]; then
+    log "Using existing SSH keys for virtmgr"
+    cp "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate
+    cp "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub
+  else
+    log "Generating new SSH keypair for virtmgr"
+    sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
+  fi
 }
 
 # Install private key into site definition
 install_libvirt_key() {
   export PUB_KEY=$(sudo cat ~virtmgr/.ssh/airship_gate.pub)
+  mkdir -p ${TEMP_DIR}/tmp
   envsubst < "${TEMPLATE_DIR}/authorized_keys.sub" > ${TEMP_DIR}/tmp/virtmgr.authorized_keys
   sudo cp ${TEMP_DIR}/tmp/virtmgr.authorized_keys ~virtmgr/.ssh/authorized_keys
   sudo chown -R virtmgr ~virtmgr/.ssh
   sudo chmod 700 ~virtmgr/.ssh
   sudo chmod 600 ~virtmgr/.ssh/authorized_keys
 
-  mkdir -p "${GATE_DEPOT}"
+  if [[ "${USE_EXISTING_SECRETS}" ]]; then
+    log "Using existing manifests for secrets"
+    return 0
+  fi
+
+  mkdir -p "${GATE_DEPOT}"
   cat << EOF > ${GATE_DEPOT}/airship_drydock_kvm_ssh_key.yaml
 ---
 schema: deckhand/CertificateKey/v1
diff --git a/tools/multi_nodes_gate/airship_gate/stages/build-scripts.sh b/tools/multi_nodes_gate/airship_gate/stages/build-scripts.sh
index f3ec2480..6fe06822 100755
--- a/tools/multi_nodes_gate/airship_gate/stages/build-scripts.sh
+++ b/tools/multi_nodes_gate/airship_gate/stages/build-scripts.sh
@@ -17,6 +17,14 @@ do
   fi
 done
 
+CERTS_PATH="/certs/*.yaml"
+KEYS_PATH="/gate/*.yaml"
+if [[ "${USE_EXISTING_SECRETS}" ]]
+then
+  CERTS_PATH=""
+  KEYS_PATH=""
+fi
+
 log Building scripts
 docker run --rm -t \
   -w /config \
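Review bot: In `gen_libvirt_key` the two new `cp` lines run without `sudo` into `~virtmgr/.ssh`, which the line above just created with `sudo mkdir -p`, and unlike the ssh.sh branch there is no `chmod 600`, so the copied private key keeps its umask-derived mode; `install_libvirt_key` later chowns `.ssh` and chmods `.ssh` and `authorized_keys` but never touches `airship_gate`, whereas the `ssh-keygen` path creates it mode 0600. Whether the unprivileged copy even succeeds depends on the permissions of the root-created directory, which this hunk does not show. Suggest `sudo install -m 600 -- "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate` and `sudo install -m 644 -- "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub`, which also fail loudly when the source is absent instead of leaving `install_libvirt_key` to read a missing `.pub`. The added `mkdir -p ${TEMP_DIR}/tmp` should be quoted like the `mkdir -p "${GATE_DEPOT}"` a few lines below it.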
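Review bot: `CERTS_PATH` and `KEYS_PATH` are plain strings that the next hunk expands unquoted (`/config/*.yaml ${CERTS_PATH} ${KEYS_PATH}`) so that the empty case contributes no argument; that relies on word-splitting plus a host-side glob attempt on what look like container paths (the `-w /config` working directory suggests `build-all` sees them inside the container — confirm), and ShellCheck flags both expansions (SC2086). A bash array expresses the optional arguments directly and passes the patterns through unchanged. The `if [[ ... ]]` / `then` split across two lines also differs from the `; then` form used in the lib/*.sh hunks of this change.

```shell
secret_inputs=()
if [[ -z "${USE_EXISTING_SECRETS}" ]]; then
  secret_inputs=('/certs/*.yaml' '/gate/*.yaml')
fi

# … unchanged: log and docker run options …
  /config/*.yaml "${secret_inputs[@]}"
```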
@@ -31,4 +39,5 @@ docker run --rm -t \
   build-all \
   --validators \
   -o /scripts \
-  /config/*.yaml /certs/*.yaml /gate/*.yaml
+  /config/*.yaml ${CERTS_PATH} ${KEYS_PATH}
+
diff --git a/tools/multi_nodes_gate/airship_gate/stages/generate-certificates.sh b/tools/multi_nodes_gate/airship_gate/stages/generate-certificates.sh
index 94a70887..80e5694e 100755
--- a/tools/multi_nodes_gate/airship_gate/stages/generate-certificates.sh
+++ b/tools/multi_nodes_gate/airship_gate/stages/generate-certificates.sh
@@ -30,6 +30,12 @@ GATE_FILES=($(find "${GATE_DEPOT}" -name '*.yaml' | xargs -n 1 basename | xargs
 mkdir -p "${CERT_DEPOT}"
 chmod 777 "${CERT_DEPOT}"
 
+if [[ "${USE_EXISTING_SECRETS}" ]]
+then
+  log Certificates already provided by manifests
+  exit 0
+fi
+
 log Generating certificates
 docker run --rm -t \
   -w /tmp \
diff --git a/tools/multi_nodes_gate/airship_gate/stages/shipyard-load-design.sh b/tools/multi_nodes_gate/airship_gate/stages/shipyard-load-design.sh
index 93568763..a8fb8872 100755
--- a/tools/multi_nodes_gate/airship_gate/stages/shipyard-load-design.sh
+++ b/tools/multi_nodes_gate/airship_gate/stages/shipyard-load-design.sh
@@ -57,9 +57,15 @@ ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/site"
 
 rsync_cmd "${DEFINITION_DEPOT}"/*.yaml "${BUILD_NAME}:${BUILD_WORK_DIR}/site/"
 sleep 120
-
 check_configdocs_result "$(shipyard_cmd create configdocs design --directory=${BUILD_WORK_DIR}/site --replace)"
 
+# Skip certs/gate if already part of site manifests
+if [[ "${USE_EXISTING_SECRETS}" ]]
+then
+  OMIT_CERTS=1
+  OMIT_GATE=1
+fi
+
 if [[ "${OMIT_CERTS}" == "0" ]]
 then
   ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/certs"
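Review bot: The new early `exit 0` in generate-certificates.sh sits after `mkdir -p "${CERT_DEPOT}"` and `chmod 777 "${CERT_DEPOT}"`, so with `USE_EXISTING_SECRETS` set the stage still creates an empty world-writable certificate directory on the host and then does nothing with it. Move the guard above those two lines so the skip path leaves no 0777 directory behind; the `GATE_FILES` array built from `find "${GATE_DEPOT}"` in the hunk header is likewise computed for nothing on that path, so the guard could go above it as well if nothing earlier in the file depends on it. The log line could also name the action being skipped, e.g. `log Skipping certificate generation, certificates provided by manifests`, which makes the stage's output self-explanatory in the gate log.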