[Chart] SSH private key support
- Support optionally mounting an SSH private key to allow Drydock to interact with remote hosts via SSH (e.g. virsh) Change-Id: Ib83bc53a46497af6d05f4d87595f1000d3178ec0
parent
2d2bb08d86
commit
97f9fbd12b
2
Makefile
2
Makefile
@ -60,7 +60,7 @@ lint: pep8 helm_lint
|
||||
.PHONY: dry-run
|
||||
dry-run: clean
|
||||
tools/helm_tk.sh $(HELM)
|
||||
$(HELM) template charts/drydock
|
||||
$(HELM) template --set manifests.secret_ssh_key=true --set conf.ssh.private_key=foo charts/drydock
|
||||
|
||||
# Make targets intended for use by the primary targets above.
|
||||
|
||||
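Review bot: The dry-run recipe now renders the chart only with `manifests.secret_ssh_key=true`, so the default-values path no longer appears to be templated by this target. Keeping both invocations, `$(HELM) template charts/drydock` followed by the `--set manifests.secret_ssh_key=true --set conf.ssh.private_key=foo` line, would exercise the chart with and without the Secret. `foo` is a harmless placeholder here; a short comment saying so would stop anyone from pasting real key material into the Makefile.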
|
@ -75,5 +75,11 @@ data:
|
||||
{{- else -}}
|
||||
{{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{- end }}
|
||||
{{ if .Values.manifests.secret_ssh_key }}
|
||||
ssh-config: |+
|
||||
{{- range $option, $val := .Values.conf.ssh.config }}
|
||||
{{ $option }}={{ $val }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
...
|
||||
{{- end }}
|
||||
|
@ -73,7 +73,27 @@ spec:
|
||||
subPath: policy.yaml
|
||||
mountPath: /etc/drydock/policy.yaml
|
||||
readOnly: true
|
||||
{{- if .Values.manifests.secret_ssh_key }}
|
||||
- name: root-ssh
|
||||
mountPath: /root/.ssh
|
||||
- name: priv-key
|
||||
subPath: PRIVATE_KEY
|
||||
mountPath: /root/.ssh/id_rsa
|
||||
readOnly: true
|
||||
- name: drydock-etc
|
||||
subPath: ssh-config
|
||||
mountPath: /root/.ssh/config
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if .Values.manifests.secret_ssh_key }}
|
||||
- name: root-ssh
|
||||
emptyDir: {}
|
||||
- name: priv-key
|
||||
secret:
|
||||
secretName: {{ .Release.Name }}-{{ .Values.secrets.ssh_key }}
|
||||
defaultMode: 0400
|
||||
{{- end }}
|
||||
- name: etc-drydock
|
||||
emptyDir: {}
|
||||
- name: drydock-etc
|
||||
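Review bot: The key is mounted with `subPath: PRIVATE_KEY`, and Kubernetes does not refresh subPath mounts when the backing Secret changes, so a rotated key only takes effect after the pod is recreated. A comment on the mount would save an operator from assuming rotation is live, for example `# subPath mount: not refreshed on Secret update, restart the pod after rotating the key`. The key also lands at root's default identity path `/root/.ssh/id_rsa`, so it is presumably usable by anything running as root in that container; that is worth stating in the chart documentation. The container spec and the volumes list both continue outside this hunk.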
|
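--- /dev/null
+++ b/charts/drydock/templates/secret-ssh-key.yaml
@@ -0,0 +1,28 @@
+{{/*
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_ssh_key }}
+{{- $secretName := .Values.secrets.ssh_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Release.Name }}-{{ $secretName }}
+type: Opaque
+data:
+PRIVATE_KEY: |-
+{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}
+...
+{{- end }}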
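Review bot: `conf.ssh.private_key` defaults to `null` in values.yaml, and the `PRIVATE_KEY` line passes it straight to `b64enc`, so enabling `manifests.secret_ssh_key` without a key either fails with an unhelpful type error or renders an empty key, depending on the Helm version. Guard it with `required`, e.g. `{{ required "conf.ssh.private_key must be set when manifests.secret_ssh_key is true" .Values.conf.ssh.private_key | b64enc | indent 4 }}`. Since the key arrives as a chart value, it is likely also kept in Helm's stored release data; a header comment noting that, or an option to reference a pre-created Secret, would help operators decide how to supply it.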
|
@ -113,6 +113,7 @@ manifests:
|
||||
job_drydock_db_sync: true
|
||||
secret_keystone: true
|
||||
secret_database: true
|
||||
secret_ssh_key: false
|
||||
configmap_etc: true
|
||||
configmap_bin: true
|
||||
service_drydock: true
|
||||
@ -233,9 +234,20 @@ secrets:
|
||||
postgresql:
|
||||
admin: drydock-postgresql-admin
|
||||
user: drydock-postgresql-user
|
||||
ssh_key: ssh-private-key
|
||||
|
||||
# Settings for drydock.conf
|
||||
conf:
|
||||
ssh:
|
||||
# A SSH private key strings to mount
|
||||
# to allow Drydock access virsh over SSH
|
||||
# The corresponding public key should be
|
||||
# added to a authorized_keys file to a user
|
||||
# in the libvirt group on the hypervisors
|
||||
private_key: null
|
||||
config:
|
||||
UserKnownHostsFile: '/dev/null'
|
||||
StrictHostKeyChecking: 'no'
|
||||
uwsgi:
|
||||
threads: 1
|
||||
workers: 1
|
||||
@ -255,6 +267,7 @@ conf:
|
||||
oob_driver:
|
||||
- 'drydock_provisioner.drivers.oob.pyghmi_driver.driver.PyghmiDriver'
|
||||
- 'drydock_provisioner.drivers.oob.manual_driver.driver.ManualDriver'
|
||||
- 'drydock_provisioner.drivers.oob.libvirt_driver.driver.LibvirtDriver'
|
||||
node_driver: 'drydock_provisioner.drivers.node.maasdriver.driver.MaasNodeDriver'
|
||||
timeouts:
|
||||
drydock_timeout: 5
|
||||
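Review bot: The new `conf.ssh.config` defaults, `UserKnownHostsFile: '/dev/null'` and `StrictHostKeyChecking: 'no'`, turn off host key verification for every SSH connection Drydock makes with the mounted key, so a machine answering at a hypervisor's address is trusted without any check. I would ship `StrictHostKeyChecking: 'yes'` as the default and let operators supply a known_hosts file through the chart, leaving the relaxed pair as an explicit opt-in for lab use. At minimum the block should carry a comment such as `# These defaults skip host key verification; pin hypervisor host keys outside of test environments`. The comment above `private_key` would also read better as `# An SSH private key string to mount`.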
|