Merge "Cert/key related improvements to gate-multinode"
commit
730d1f3f6e
@ -140,6 +140,11 @@ collect_ssh_key() {
|
|||||||
ssh_keypair_declare
|
ssh_keypair_declare
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "${USE_EXISTING_SECRETS}" ]]; then
|
||||||
|
log "Using existing manifests for secrets"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
cat << EOF > ${GATE_DEPOT}/airship_ubuntu_ssh_key.yaml
|
cat << EOF > ${GATE_DEPOT}/airship_ubuntu_ssh_key.yaml
|
||||||
---
|
---
|
||||||
schema: deckhand/Certificate/v1
|
schema: deckhand/Certificate/v1
|
||||||
|
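Review bot: The new guard `if [[ "${USE_EXISTING_SECRETS}" ]]; then` tests only that the variable is non-empty, so a CI job that exports `USE_EXISTING_SECRETS=false` or `=0` will skip secret generation rather than enable it. The same non-empty test is repeated in the install_libvirt_key, build-scripts, cert-generation and shipyard hunks below, so whichever convention is chosen should be applied in all of them. Either compare against an explicit value, `if [[ "${USE_EXISTING_SECRETS}" == "1" ]]; then`, or state the rule at the export so operators are not surprised: `# any non-empty value (including "false") skips secret generation`. collect_ssh_key's body starts outside the hunk.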
@ -21,6 +21,14 @@ export UPSTREAM_DNS=${UPSTREAM_DNS:-"8.8.8.8 8.8.4.4"}
|
|||||||
export NTP_POOLS=${NTP_POOLS:-"0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"}
|
export NTP_POOLS=${NTP_POOLS:-"0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"}
|
||||||
export NTP_SERVERS=${NTP_SERVERS:-""}
|
export NTP_SERVERS=${NTP_SERVERS:-""}
|
||||||
|
|
||||||
|
# key-pair used for drydock/maas auth towards libvirt and access to
|
||||||
|
# the virtual nodes; auto-generated if no value provided
|
||||||
|
export GATE_SSH_KEY=${GATE_SSH_KEY:-""}
|
||||||
|
|
||||||
|
# skip generation of certificates, and other security manifests
|
||||||
|
# auto-generated by default
|
||||||
|
export USE_EXISTING_SECRETS=${USE_EXISTING_SECRETS:-""}
|
||||||
|
|
||||||
export SHIPYARD_PASSWORD=${SHIPYARD_OS_PASSWORD:-'password18'}
|
export SHIPYARD_PASSWORD=${SHIPYARD_OS_PASSWORD:-'password18'}
|
||||||
export AIRSHIP_KEYSTONE_URL=${AIRSHIP_KEYSTONE_URL:-'http://keystone.gate.local:80/v3'}
|
export AIRSHIP_KEYSTONE_URL=${AIRSHIP_KEYSTONE_URL:-'http://keystone.gate.local:80/v3'}
|
||||||
|
|
||||||
|
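Review bot: The comment above `export GATE_SSH_KEY` does not say what kind of value is expected, while the consuming code in ssh_keypair_declare and gen_libvirt_key copies both `"${GATE_SSH_KEY}"` and `"${GATE_SSH_KEY}.pub"`, so the variable is a path to a private key whose `.pub` sibling must exist. I would extend the comment to `# path to an existing private key; "<path>.pub" must exist next to it.` and `# Left empty, a fresh keypair is generated.` Similarly the `USE_EXISTING_SECRETS` comment should state that any non-empty value enables the skip, since that is what the `[[ "${USE_EXISTING_SECRETS}" ]]` checks elsewhere in this commit test.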
@ -41,9 +41,17 @@ ssh_config_declare() {
|
|||||||
ssh_keypair_declare() {
|
ssh_keypair_declare() {
|
||||||
log Validating SSH keypair exists
|
log Validating SSH keypair exists
|
||||||
if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]; then
|
if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]; then
|
||||||
|
if [[ "${GATE_SSH_KEY}" ]]; then
|
||||||
|
log "Using existing SSH keys for VMs"
|
||||||
|
cp "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"
|
||||||
|
chmod 600 "${SSH_CONFIG_DIR}/id_rsa"
|
||||||
|
|
||||||
|
cp "${GATE_SSH_KEY}.pub" "${SSH_CONFIG_DIR}/id_rsa.pub"
|
||||||
|
else
|
||||||
log Generating SSH keypair
|
log Generating SSH keypair
|
||||||
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
|
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
ssh_load_pubkey() {
|
ssh_load_pubkey() {
|
||||||
|
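Review bot: The new `cp "${GATE_SSH_KEY}" ...` branch in ssh_keypair_declare never checks that the key or its `.pub` sibling exists; if the second copy fails the function either aborts with the private key already installed (under `set -e`, which is not visible here) or silently leaves an `id_rsa` without `id_rsa.pub`. The `chmod 600` also runs only after the copy, so the key briefly carries whatever mode the umask produced. Validate both files first and set the mode atomically: `[[ -s "${GATE_SSH_KEY}" && -s "${GATE_SSH_KEY}.pub" ]] || { log "GATE_SSH_KEY or its .pub file is missing"; return 1; }`, then `install -m 600 -- "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"` and `install -m 644 -- "${GATE_SSH_KEY}.pub" "${SSH_CONFIG_DIR}/id_rsa.pub"`.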
@ -301,22 +301,35 @@ make_virtmgr_account() {
|
|||||||
gen_libvirt_key() {
|
gen_libvirt_key() {
|
||||||
log Removing any existing virtmgr SSH keys
|
log Removing any existing virtmgr SSH keys
|
||||||
sudo rm -rf ~virtmgr/.ssh
|
sudo rm -rf ~virtmgr/.ssh
|
||||||
log Generating new SSH keypair for virtmgr
|
|
||||||
sudo mkdir -p ~virtmgr/.ssh
|
sudo mkdir -p ~virtmgr/.ssh
|
||||||
|
|
||||||
|
if [[ "${GATE_SSH_KEY}" ]]; then
|
||||||
|
log "Using existing SSH keys for virtmgr"
|
||||||
|
cp "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate
|
||||||
|
cp "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub
|
||||||
|
else
|
||||||
|
log "Generating new SSH keypair for virtmgr"
|
||||||
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
|
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Install private key into site definition
|
# Install private key into site definition
|
||||||
install_libvirt_key() {
|
install_libvirt_key() {
|
||||||
export PUB_KEY=$(sudo cat ~virtmgr/.ssh/airship_gate.pub)
|
export PUB_KEY=$(sudo cat ~virtmgr/.ssh/airship_gate.pub)
|
||||||
|
|
||||||
mkdir -p ${TEMP_DIR}/tmp
|
mkdir -p ${TEMP_DIR}/tmp
|
||||||
envsubst < "${TEMPLATE_DIR}/authorized_keys.sub" > ${TEMP_DIR}/tmp/virtmgr.authorized_keys
|
envsubst < "${TEMPLATE_DIR}/authorized_keys.sub" > ${TEMP_DIR}/tmp/virtmgr.authorized_keys
|
||||||
sudo cp ${TEMP_DIR}/tmp/virtmgr.authorized_keys ~virtmgr/.ssh/authorized_keys
|
sudo cp ${TEMP_DIR}/tmp/virtmgr.authorized_keys ~virtmgr/.ssh/authorized_keys
|
||||||
sudo chown -R virtmgr ~virtmgr/.ssh
|
sudo chown -R virtmgr ~virtmgr/.ssh
|
||||||
sudo chmod 700 ~virtmgr/.ssh
|
sudo chmod 700 ~virtmgr/.ssh
|
||||||
sudo chmod 600 ~virtmgr/.ssh/authorized_keys
|
sudo chmod 600 ~virtmgr/.ssh/authorized_keys
|
||||||
mkdir -p "${GATE_DEPOT}"
|
|
||||||
|
|
||||||
|
if [[ "${USE_EXISTING_SECRETS}" ]]; then
|
||||||
|
log "Using existing manifests for secrets"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p "${GATE_DEPOT}"
|
||||||
cat << EOF > ${GATE_DEPOT}/airship_drydock_kvm_ssh_key.yaml
|
cat << EOF > ${GATE_DEPOT}/airship_drydock_kvm_ssh_key.yaml
|
||||||
---
|
---
|
||||||
schema: deckhand/CertificateKey/v1
|
schema: deckhand/CertificateKey/v1
|
||||||
|
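Review bot: In gen_libvirt_key the two new `cp ... ~virtmgr/.ssh/airship_gate` lines run without `sudo`, although the directory was just created by `sudo mkdir -p ~virtmgr/.ssh` and the sibling ssh-keygen branch runs under `sudo`; unless that directory happens to be writable by the invoking user, the copy will presumably fail with permission denied. The copied private key also gets no explicit mode: install_libvirt_key later does `chmod 700` on the directory and `chmod 600` on authorized_keys, but never on airship_gate, whereas ssh-keygen would have created it 0600. Use `sudo install -m 600 -- "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate` and `sudo install -m 644 -- "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub` so both the permission and the mode are handled in one step.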
@ -17,6 +17,14 @@ do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
CERTS_PATH="/certs/*.yaml"
|
||||||
|
KEYS_PATH="/gate/*.yaml"
|
||||||
|
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||||
|
then
|
||||||
|
CERTS_PATH=""
|
||||||
|
KEYS_PATH=""
|
||||||
|
fi
|
||||||
|
|
||||||
log Building scripts
|
log Building scripts
|
||||||
docker run --rm -t \
|
docker run --rm -t \
|
||||||
-w /config \
|
-w /config \
|
||||||
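Review bot: `CERTS_PATH="/certs/*.yaml"` and `KEYS_PATH="/gate/*.yaml"` only work because the next hunk expands them unquoted as `${CERTS_PATH} ${KEYS_PATH}`, relying on word-splitting and on an empty string vanishing from the argument list; ShellCheck will flag that line (SC2086) and a future quoting "fix" would reintroduce the certs and gate globs even when `USE_EXISTING_SECRETS` is set. Since quoting would also change how the glob reaches the container, I would at least mark the intent at the use site: `# shellcheck disable=SC2086 -- intentionally unquoted: expands to nothing when USE_EXISTING_SECRETS is set`. The docker run invocation continues past the end of this hunk.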
@ -31,4 +39,5 @@ docker run --rm -t \
|
|||||||
build-all \
|
build-all \
|
||||||
--validators \
|
--validators \
|
||||||
-o /scripts \
|
-o /scripts \
|
||||||
/config/*.yaml /certs/*.yaml /gate/*.yaml
|
/config/*.yaml ${CERTS_PATH} ${KEYS_PATH}
|
||||||
|
|
||||||
|
@ -30,6 +30,12 @@ GATE_FILES=($(find "${GATE_DEPOT}" -name '*.yaml' | xargs -n 1 basename | xargs
|
|||||||
mkdir -p "${CERT_DEPOT}"
|
mkdir -p "${CERT_DEPOT}"
|
||||||
chmod 777 "${CERT_DEPOT}"
|
chmod 777 "${CERT_DEPOT}"
|
||||||
|
|
||||||
|
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||||
|
then
|
||||||
|
log Certificates already provided by manifests
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
log Generating certificates
|
log Generating certificates
|
||||||
docker run --rm -t \
|
docker run --rm -t \
|
||||||
-w /tmp \
|
-w /tmp \
|
||||||
|
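Review bot: The new `exit 0` for `USE_EXISTING_SECRETS` sits after `mkdir -p "${CERT_DEPOT}"` and `chmod 777 "${CERT_DEPOT}"`, so on the skip path the script still creates a world-writable directory that it then never writes to. Moving the check above the `mkdir`/`chmod` pair avoids leaving that directory behind; if a later step mounts `${CERT_DEPOT}` and needs it to exist, keep the `mkdir -p` before the check and only move the `chmod 777` below it. The `GATE_FILES=(...)` line in the hunk header is pre-existing and not part of this change.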
@ -57,9 +57,15 @@ ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/site"
|
|||||||
rsync_cmd "${DEFINITION_DEPOT}"/*.yaml "${BUILD_NAME}:${BUILD_WORK_DIR}/site/"
|
rsync_cmd "${DEFINITION_DEPOT}"/*.yaml "${BUILD_NAME}:${BUILD_WORK_DIR}/site/"
|
||||||
|
|
||||||
sleep 120
|
sleep 120
|
||||||
|
|
||||||
check_configdocs_result "$(shipyard_cmd create configdocs design --directory=${BUILD_WORK_DIR}/site --replace)"
|
check_configdocs_result "$(shipyard_cmd create configdocs design --directory=${BUILD_WORK_DIR}/site --replace)"
|
||||||
|
|
||||||
|
# Skip certs/gate if already part of site manifests
|
||||||
|
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||||
|
then
|
||||||
|
OMIT_CERTS=1
|
||||||
|
OMIT_GATE=1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ "${OMIT_CERTS}" == "0" ]]
|
if [[ "${OMIT_CERTS}" == "0" ]]
|
||||||
then
|
then
|
||||||
ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/certs"
|
ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/certs"
|
||||||
|
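Review bot: The new block sets `OMIT_CERTS=1` and `OMIT_GATE=1` without any log line, so when an operator has explicitly requested certs (`OMIT_CERTS=0`) the override is invisible in `${LOG_FILE}` and the reduced configdocs set is hard to explain afterwards. Add a line inside the `if`, for example `log "USE_EXISTING_SECRETS set; omitting certs and gate manifests"`, matching the `log` calls used in the other hunks of this commit. The `OMIT_GATE` consumer and the rest of this script lie outside the hunk.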