Merge "Cert/key related improvements to gate-multinode"

This commit is contained in:
Zuul 2019-03-18 18:19:51 +00:00 committed by Gerrit Code Review
commit 730d1f3f6e
7 changed files with 62 additions and 7 deletions


@ -140,6 +140,11 @@ collect_ssh_key() {
ssh_keypair_declare
fi
if [[ "${USE_EXISTING_SECRETS}" ]]; then
log "Using existing manifests for secrets"
return 0
fi
cat << EOF > ${GATE_DEPOT}/airship_ubuntu_ssh_key.yaml
---
schema: deckhand/Certificate/v1
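Review bot: The guard `if [[ "${USE_EXISTING_SECRETS}" ]]` is a plain non-empty test, so any value — including `false` or `0` — skips writing the SSH-key manifest, and the same test is repeated in install_libvirt_key, the build-all script, the certificate-generation script and the deploy script. A single helper such as `use_existing_secrets() { [[ -n "${USE_EXISTING_SECRETS}" ]]; }` called from each site would keep that semantic in one place if it later needs to accept explicit true/false values. collect_ssh_key starts before the hunk and the heredoc it writes continues past the lines shown.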


@ -21,6 +21,14 @@ export UPSTREAM_DNS=${UPSTREAM_DNS:-"8.8.8.8 8.8.4.4"}
export NTP_POOLS=${NTP_POOLS:-"0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"}
export NTP_SERVERS=${NTP_SERVERS:-""}
# key-pair used for drydock/maas auth towards libvirt and access to
# the virtual nodes; auto-generated if no value provided
export GATE_SSH_KEY=${GATE_SSH_KEY:-""}
# skip generation of certificates, and other security manifests
# auto-generated by default
export USE_EXISTING_SECRETS=${USE_EXISTING_SECRETS:-""}
export SHIPYARD_PASSWORD=${SHIPYARD_OS_PASSWORD:-'password18'}
export AIRSHIP_KEYSTONE_URL=${AIRSHIP_KEYSTONE_URL:-'http://keystone.gate.local:80/v3'}
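Review bot: The comment above `USE_EXISTING_SECRETS` does not say which value enables the skip; the checks elsewhere in this change test only for non-emptiness, so `USE_EXISTING_SECRETS=false` would also skip generation. Suggest `# any non-empty value skips generation of certificates, SSH-key and other security` / `# manifests; the site manifests must then carry them (generated by default)`. For `GATE_SSH_KEY`, the code copies both the path and `${GATE_SSH_KEY}.pub`, so `# path to an SSH private key; the matching <path>.pub must exist next to it` would state the expectation the comment currently leaves implicit.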


@ -41,8 +41,16 @@ ssh_config_declare() {
ssh_keypair_declare() {
log Validating SSH keypair exists
if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]; then
log Generating SSH keypair
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
if [[ "${GATE_SSH_KEY}" ]]; then
log "Using existing SSH keys for VMs"
cp "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"
chmod 600 "${SSH_CONFIG_DIR}/id_rsa"
cp "${GATE_SSH_KEY}.pub" "${SSH_CONFIG_DIR}/id_rsa.pub"
else
log Generating SSH keypair
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
fi
fi
}
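Review bot: The new branch in ssh_keypair_declare copies `${GATE_SSH_KEY}` and `${GATE_SSH_KEY}.pub` without checking that either file exists, so a wrong path leaves `id_rsa` missing, or a private key without a matching `id_rsa.pub`, and the failure only surfaces later; whether `set -e` is active is not visible here. Add a readability check before the copies, e.g. `[[ -r "${GATE_SSH_KEY}" && -r "${GATE_SSH_KEY}.pub" ]] || { log "GATE_SSH_KEY ${GATE_SSH_KEY} or its .pub is not readable"; return 1; }`. Note also that the branch sits inside `if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]`, so an already-present `id_rsa` silently wins over a newly supplied `GATE_SSH_KEY`; a log line in that case would make the outcome visible.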


@ -301,22 +301,35 @@ make_virtmgr_account() {
gen_libvirt_key() {
log Removing any existing virtmgr SSH keys
sudo rm -rf ~virtmgr/.ssh
log Generating new SSH keypair for virtmgr
sudo mkdir -p ~virtmgr/.ssh
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
if [[ "${GATE_SSH_KEY}" ]]; then
log "Using existing SSH keys for virtmgr"
cp "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate
cp "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub
else
log "Generating new SSH keypair for virtmgr"
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
fi
}
# Install private key into site definition
install_libvirt_key() {
export PUB_KEY=$(sudo cat ~virtmgr/.ssh/airship_gate.pub)
mkdir -p ${TEMP_DIR}/tmp
envsubst < "${TEMPLATE_DIR}/authorized_keys.sub" > ${TEMP_DIR}/tmp/virtmgr.authorized_keys
sudo cp ${TEMP_DIR}/tmp/virtmgr.authorized_keys ~virtmgr/.ssh/authorized_keys
sudo chown -R virtmgr ~virtmgr/.ssh
sudo chmod 700 ~virtmgr/.ssh
sudo chmod 600 ~virtmgr/.ssh/authorized_keys
mkdir -p "${GATE_DEPOT}"
if [[ "${USE_EXISTING_SECRETS}" ]]; then
log "Using existing manifests for secrets"
return 0
fi
mkdir -p "${GATE_DEPOT}"
cat << EOF > ${GATE_DEPOT}/airship_drydock_kvm_ssh_key.yaml
---
schema: deckhand/CertificateKey/v1
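Review bot: In gen_libvirt_key the two `cp` lines run without `sudo` into `~virtmgr/.ssh`, which the preceding `sudo mkdir -p` just created, and — unlike the equivalent branch in ssh_keypair_declare — no `chmod 600` is applied, so the private key keeps whatever mode the source file had (the later `sudo chown -R virtmgr` in install_libvirt_key changes the owner, not the mode). Unless the gate itself runs as root the copy likely fails with permission denied; either way the key should be installed as `sudo cp "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate`, `sudo chmod 600 ~virtmgr/.ssh/airship_gate`, `sudo cp "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub`. The heredoc at the end of install_libvirt_key continues past the hunk.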


@ -17,6 +17,14 @@ do
fi
done
CERTS_PATH="/certs/*.yaml"
KEYS_PATH="/gate/*.yaml"
if [[ "${USE_EXISTING_SECRETS}" ]]
then
CERTS_PATH=""
KEYS_PATH=""
fi
log Building scripts
docker run --rm -t \
-w /config \
@ -31,4 +39,5 @@ docker run --rm -t \
build-all \
--validators \
-o /scripts \
/config/*.yaml /certs/*.yaml /gate/*.yaml
/config/*.yaml ${CERTS_PATH} ${KEYS_PATH}
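Review bot: Dropping the cert and key inputs only works because `${CERTS_PATH}` and `${KEYS_PATH}` are expanded unquoted on the last line of the `docker run` command: an empty value vanishes, a non-empty one is word-split and glob-expanded on the host before `build-all` sees it. That matches what the literal `/certs/*.yaml /gate/*.yaml` did, but it is now hidden behind variables and ShellCheck will flag the expansion. An array makes the intent explicit: `SECRET_PATHS=('/certs/*.yaml' '/gate/*.yaml')` by default, `SECRET_PATHS=()` when `USE_EXISTING_SECRETS` is set, and `"${SECRET_PATHS[@]}"` on the last line, which passes the patterns through unchanged — assuming `build-all` expands them inside the container, as the original form already required whenever those paths do not exist on the host. The hunk ends inside the `docker run` argument list.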


@ -30,6 +30,12 @@ GATE_FILES=($(find "${GATE_DEPOT}" -name '*.yaml' | xargs -n 1 basename | xargs
mkdir -p "${CERT_DEPOT}"
chmod 777 "${CERT_DEPOT}"
if [[ "${USE_EXISTING_SECRETS}" ]]
then
log Certificates already provided by manifests
exit 0
fi
log Generating certificates
docker run --rm -t \
-w /tmp \
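Review bot: The early `exit 0` comes after `mkdir -p "${CERT_DEPOT}"` and `chmod 777 "${CERT_DEPOT}"`, so the skip path still creates an empty world-writable certificate directory that nothing will populate. Moving the `USE_EXISTING_SECRETS` check above the `mkdir -p` keeps the skip path free of side effects; if the directory is required downstream even when empty, a comment saying so next to the `chmod 777` would be worth adding. The `docker run` at the end of the hunk continues past it.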


@ -57,9 +57,15 @@ ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/site"
rsync_cmd "${DEFINITION_DEPOT}"/*.yaml "${BUILD_NAME}:${BUILD_WORK_DIR}/site/"
sleep 120
check_configdocs_result "$(shipyard_cmd create configdocs design --directory=${BUILD_WORK_DIR}/site --replace)"
# Skip certs/gate if already part of site manifests
if [[ "${USE_EXISTING_SECRETS}" ]]
then
OMIT_CERTS=1
OMIT_GATE=1
fi
if [[ "${OMIT_CERTS}" == "0" ]]
then
ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/certs"