[Chart] SSH private key support
- Support optionally mounting an SSH private key to allow Drydock to interact with remote hosts via SSH (e.g. virsh) Change-Id: Ib83bc53a46497af6d05f4d87595f1000d3178ec0
parent
2d2bb08d86
commit
97f9fbd12b
2
Makefile
2
Makefile
@ -60,7 +60,7 @@ lint: pep8 helm_lint
|
|||||||
.PHONY: dry-run
|
.PHONY: dry-run
|
||||||
dry-run: clean
|
dry-run: clean
|
||||||
tools/helm_tk.sh $(HELM)
|
tools/helm_tk.sh $(HELM)
|
||||||
$(HELM) template charts/drydock
|
$(HELM) template --set manifests.secret_ssh_key=true --set conf.ssh.private_key=foo charts/drydock
|
||||||
|
|
||||||
# Make targets intended for use by the primary targets above.
|
# Make targets intended for use by the primary targets above.
|
||||||
|
|
||||||
|
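Review bot: The `dry-run` recipe now renders the chart only with `manifests.secret_ssh_key=true`, so the default path with the flag off is no longer exercised by this target. Keeping the original `$(HELM) template charts/drydock` line and adding the `--set` invocation as a second render would cover both branches of the new conditionals. The `foo` key value is an obvious placeholder, which is fine for a template-only check.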
@ -75,5 +75,11 @@ data:
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{ if .Values.manifests.secret_ssh_key }}
|
||||||
|
ssh-config: |+
|
||||||
|
{{- range $option, $val := .Values.conf.ssh.config }}
|
||||||
|
{{ $option }}={{ $val }}
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
...
|
...
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -73,7 +73,27 @@ spec:
|
|||||||
subPath: policy.yaml
|
subPath: policy.yaml
|
||||||
mountPath: /etc/drydock/policy.yaml
|
mountPath: /etc/drydock/policy.yaml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.secret_ssh_key }}
|
||||||
|
- name: root-ssh
|
||||||
|
mountPath: /root/.ssh
|
||||||
|
- name: priv-key
|
||||||
|
subPath: PRIVATE_KEY
|
||||||
|
mountPath: /root/.ssh/id_rsa
|
||||||
|
readOnly: true
|
||||||
|
- name: drydock-etc
|
||||||
|
subPath: ssh-config
|
||||||
|
mountPath: /root/.ssh/config
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
|
{{- if .Values.manifests.secret_ssh_key }}
|
||||||
|
- name: root-ssh
|
||||||
|
emptyDir: {}
|
||||||
|
- name: priv-key
|
||||||
|
secret:
|
||||||
|
secretName: {{ .Release.Name }}-{{ .Values.secrets.ssh_key }}
|
||||||
|
defaultMode: 0400
|
||||||
|
{{- end }}
|
||||||
- name: etc-drydock
|
- name: etc-drydock
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: drydock-etc
|
- name: drydock-etc
|
||||||
|
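Review bot: The new mounts hard-code `/root/.ssh/id_rsa` and `/root/.ssh/config`, which ties the feature to the container running as root. With `defaultMode: 0400` on the `priv-key` volume, a non-root UID would presumably be unable to read the key unless an `fsGroup` is set. The container's securityContext is outside this hunk, so this is something to confirm rather than a certain defect. If a non-root user is ever intended, the SSH directory should come from a value rather than a literal path.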
28
charts/drydock/templates/secret-ssh-key.yaml
Normal file
28
charts/drydock/templates/secret-ssh-key.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
{{/*
|
||||||
|
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
*/}}
|
||||||
|
{{- if .Values.manifests.secret_ssh_key }}
|
||||||
|
{{- $secretName := .Values.secrets.ssh_key }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-{{ $secretName }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
PRIVATE_KEY: |-
|
||||||
|
{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}
|
||||||
|
...
|
||||||
|
{{- end }}
|
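Review bot: `conf.ssh.private_key` is passed in through chart values, so the key material is recorded in the Helm release data as well as in this Secret, and anyone who can read the release can recover it. An option to reference a pre-created Secret by name instead of rendering one from values would avoid that. Separately, enabling `manifests.secret_ssh_key` while `private_key` is left at its `null` default is not caught with a clear message; `{{ required "conf.ssh.private_key must be set" .Values.conf.ssh.private_key | b64enc | indent 4 }}` would make that failure explicit.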
@ -113,6 +113,7 @@ manifests:
|
|||||||
job_drydock_db_sync: true
|
job_drydock_db_sync: true
|
||||||
secret_keystone: true
|
secret_keystone: true
|
||||||
secret_database: true
|
secret_database: true
|
||||||
|
secret_ssh_key: false
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
service_drydock: true
|
service_drydock: true
|
||||||
@ -233,9 +234,20 @@ secrets:
|
|||||||
postgresql:
|
postgresql:
|
||||||
admin: drydock-postgresql-admin
|
admin: drydock-postgresql-admin
|
||||||
user: drydock-postgresql-user
|
user: drydock-postgresql-user
|
||||||
|
ssh_key: ssh-private-key
|
||||||
|
|
||||||
# Settings for drydock.conf
|
# Settings for drydock.conf
|
||||||
conf:
|
conf:
|
||||||
|
ssh:
|
||||||
|
# A SSH private key strings to mount
|
||||||
|
# to allow Drydock access virsh over SSH
|
||||||
|
# The corresponding public key should be
|
||||||
|
# added to a authorized_keys file to a user
|
||||||
|
# in the libvirt group on the hypervisors
|
||||||
|
private_key: null
|
||||||
|
config:
|
||||||
|
UserKnownHostsFile: '/dev/null'
|
||||||
|
StrictHostKeyChecking: 'no'
|
||||||
uwsgi:
|
uwsgi:
|
||||||
threads: 1
|
threads: 1
|
||||||
workers: 1
|
workers: 1
|
||||||
@ -255,6 +267,7 @@ conf:
|
|||||||
oob_driver:
|
oob_driver:
|
||||||
- 'drydock_provisioner.drivers.oob.pyghmi_driver.driver.PyghmiDriver'
|
- 'drydock_provisioner.drivers.oob.pyghmi_driver.driver.PyghmiDriver'
|
||||||
- 'drydock_provisioner.drivers.oob.manual_driver.driver.ManualDriver'
|
- 'drydock_provisioner.drivers.oob.manual_driver.driver.ManualDriver'
|
||||||
|
- 'drydock_provisioner.drivers.oob.libvirt_driver.driver.LibvirtDriver'
|
||||||
node_driver: 'drydock_provisioner.drivers.node.maasdriver.driver.MaasNodeDriver'
|
node_driver: 'drydock_provisioner.drivers.node.maasdriver.driver.MaasNodeDriver'
|
||||||
timeouts:
|
timeouts:
|
||||||
drydock_timeout: 5
|
drydock_timeout: 5
|
||||||
|
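Review bot: The defaults added under `conf.ssh.config` set `StrictHostKeyChecking: 'no'` and `UserKnownHostsFile: '/dev/null'`, so every SSH connection Drydock makes with the mounted key accepts whatever host answers and never records a host key. Because the key is meant to grant libvirt access on the hypervisors, a host on the network path could impersonate a hypervisor without being detected. Consider defaulting to `StrictHostKeyChecking: 'yes'` with a known_hosts file supplied through values and mounted next to the key, or at least add a comment above `config:` stating that the shipped defaults disable host verification and should be overridden outside lab use. The last hunk also adds `LibvirtDriver` to the default `oob_driver` list for all deployments, whether or not the key is enabled.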