[Chart] support ssh private key

- Add support for optionally mounting a
  private key for the maas user to access
  remote hosts via ssh (e.g. virsh)
- Add libvirt-bin to the rack controller

Change-Id: I18efb6a6947a5a5f91800bf6494b7d9d15d8aaf2

charts/maas/templates/bin/_start.sh.tpl

@@ -19,4 +19,10 @@ set -ex
 # show env
 env > /tmp/env
 
+if [[ -d ~maas/.ssh ]]
+then
+  chown -R maas:maas ~maas/.ssh
+fi
+chsh -s /bin/bash maas
+
 exec /bin/systemd --system

charts/maas/templates/deployment-rack.yaml

@@ -87,8 +87,23 @@ spec:
               mountPath: /lib/systemd/system/register-rack-controller.service
               subPath: register-rack-controller.service
               readOnly: true
+{{- if .Values.manifests.secret_ssh_key }}
+            - name: maas-ssh
+              mountPath: /var/lib/maas/.ssh
+            - name: priv-key
+              subPath: PRIVATE_KEY
+              mountPath: /var/lib/maas/.ssh/id_rsa
+{{- end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
       volumes:
+{{- if .Values.manifests.secret_ssh_key }}
+        - name: maas-ssh
+          emptyDir: {}
+        - name: priv-key
+          secret:
+            secretName: {{ .Release.Name}}-{{ .Values.secrets.ssh_key }}
+            defaultMode: 0400
+{{- end }}
         - name: maas-bin
           configMap:
             name: maas-bin

charts/maas/templates/secret-ssh-key.yaml

@@ -0,0 +1,29 @@
+
+{{/*
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_ssh_key }}
+{{- $secretName := .Values.secrets.ssh_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name}}-{{ $secretName }}
+type: Opaque
+data:
+  PRIVATE_KEY: |-
+{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}
+...
+{{- end }}

charts/maas/templates/statefulset-region.yaml

@@ -1,5 +1,5 @@
 {{/*
-# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

charts/maas/values.yaml

@@ -66,6 +66,7 @@ manifests:
   region_statefulset: true
   rack_deployment: true
   test_maas_api: true
+  secret_ssh_key: false
 
 images:
   tags:
@@ -113,6 +114,13 @@ network:
     db_service_target: 5432
 
 conf:
+  ssh:
+    # A SSH private key strings to mount
+    # to allow MaaS access virsh over SSH
+    # The corresponding public key should be
+    # added to a authorized_keys file to a user
+    # in the libvirt group on the hypervisors
+    private_key: null
   bind:
     override:
     append:
@@ -202,6 +210,7 @@ secrets:
   maas_region:
     name: maas-region-secret
     value: 3858f62230ac3c915f300c664312c63f
+  ssh_key: ssh-private-key
 
 pod:
   affinity:

images/maas-rack-controller/Dockerfile

@@ -16,7 +16,10 @@ RUN systemctl set-default multi-user.target
 # everything else below is to setup maas into the systemd initialized
 # container based on ubuntu 16.04
 RUN apt-get -qq update && \
-    apt-get -y install sudo software-properties-common
+    apt-get -y install \
+    sudo \
+    software-properties-common \
+    libvirt-bin
 
 # TODO(alanmeadows)
 # we need systemd 231 per https://github.com/systemd/systemd/commit/a1350640ba605cf5876b25abfee886488a33e50b