From e69d1d72525703b764de3d4a23ccfbba369d1bf2 Mon Sep 17 00:00:00 2001 From: Kaspars Skels Date: Thu, 5 Dec 2019 13:04:14 -0600 Subject: [PATCH] Move global secrets to site This gives users a straight forward way to update airship SSH key for deployment (MAAS/divingbell config). Change-Id: Ib67774fb67daa79e255b32e6a3e98a5bde96af4f --- doc/source/authoring_and_deployment.rst | 10 ++++++++++ .../secrets/passphrases/private_docker_key.yaml | 2 +- .../secrets/publickey/airship_ssh_public_key.yaml | 2 +- .../secrets/passphrases/private_docker_key.yaml | 14 ++++++++++++++ .../secrets/passphrases/private_docker_key.yaml | 14 ++++++++++++++ .../secrets/passphrases/private_docker_key.yaml | 14 ++++++++++++++ .../secrets/publickey/airship_ssh_public_key.yaml | 11 +++++++++++ .../secrets/passphrases/private_docker_key.yaml | 14 ++++++++++++++ .../secrets/publickey/airship_ssh_public_key.yaml | 11 +++++++++++ .../secrets/passphrases/private_docker_key.yaml | 14 ++++++++++++++ .../secrets/publickey/airship_ssh_public_key.yaml | 11 +++++++++++ 11 files changed, 115 insertions(+), 2 deletions(-) rename {global => site/aiab}/secrets/passphrases/private_docker_key.yaml (94%) rename {global => site/aiab}/secrets/publickey/airship_ssh_public_key.yaml (97%) create mode 100644 site/airskiff-suse/secrets/passphrases/private_docker_key.yaml create mode 100644 site/airskiff/secrets/passphrases/private_docker_key.yaml create mode 100644 site/airsloop/secrets/passphrases/private_docker_key.yaml create mode 100644 site/airsloop/secrets/publickey/airship_ssh_public_key.yaml create mode 100644 site/seaworthy-virt/secrets/passphrases/private_docker_key.yaml create mode 100644 site/seaworthy-virt/secrets/publickey/airship_ssh_public_key.yaml create mode 100644 site/seaworthy/secrets/passphrases/private_docker_key.yaml create mode 100644 site/seaworthy/secrets/publickey/airship_ssh_public_key.yaml 
diff --git a/doc/source/authoring_and_deployment.rst b/doc/source/authoring_and_deployment.rst index 34699bf9e..5b5cb3707 100644 --- a/doc/source/authoring_and_deployment.rst +++ b/doc/source/authoring_and_deployment.rst @@ -318,6 +318,16 @@ Run the following command to get an up-to-date list of required DNS names: Update Secrets ~~~~~~~~~~~~~~ +Replace public SSH key under +``site/${NEW_SITE}/secrets/publickey/airship_ssh_public_key.yaml`` +with a lab specific SSH public key. This key is used for MAAS initial +deployment as well as the default user for Divingbell +``site/${NEW_SITE}/software/charts/ucp/divingbell/divingbell.yaml``. + +Add additional keys and Divingbell substitutions for any other users +that require SSH access to the deployed servers. See more details at +``__. + Replace passphrases under ``site/${NEW_SITE}/secrets/passphrases/`` with random generated ones: diff --git a/global/secrets/passphrases/private_docker_key.yaml b/site/aiab/secrets/passphrases/private_docker_key.yaml similarity index 94% rename from global/secrets/passphrases/private_docker_key.yaml rename to site/aiab/secrets/passphrases/private_docker_key.yaml index d3a0341e1..b42317427 100644 --- a/global/secrets/passphrases/private_docker_key.yaml +++ b/site/aiab/secrets/passphrases/private_docker_key.yaml @@ -5,7 +5,7 @@ metadata: name: private_docker_key layeringDefinition: abstract: false - layer: global + layer: site storagePolicy: cleartext # sample key for potential private docker registry # see Docker documentation for info on how to generate the key diff --git a/global/secrets/publickey/airship_ssh_public_key.yaml b/site/aiab/secrets/publickey/airship_ssh_public_key.yaml similarity index 97% rename from global/secrets/publickey/airship_ssh_public_key.yaml rename to site/aiab/secrets/publickey/airship_ssh_public_key.yaml index b14a575bd..b49c7a95f 100644 --- a/global/secrets/publickey/airship_ssh_public_key.yaml +++ b/site/aiab/secrets/publickey/airship_ssh_public_key.yaml 
@@ -5,7 +5,7 @@ metadata:
 name: airship_ssh_public_key
 layeringDefinition:
 abstract: false
- layer: global
+ layer: site
 storagePolicy: cleartext
 data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyb6CDrai3VcFW1ew5ikf7IDSpqfFyrJNLI1DPyd28vcy6D1oFXdELYK7DsXzVCgV7YNDiKpneXMBTJ/Mr/aZi9K3eVvtRp1HAK3y6ycx9KRfyfMVAU0aT3xMOpE5xS/xTH8HNRbOSszp0woVYKhncpkumHweji7wbLKm/WxsggIoGDjn29KIoRhpo96tWz/DBsoU1pIHTMoZNyHW2aYWEx6kOzTEmhxL0LkKv7+A/2HJuLnqcXoQH9jl3kRQDyikNlSw2T3gQV3I8m0od/lEf98MZb1Yv9GrlDCmnUPXAJ2HQaWaVaPPpGcBW7veOZlLfeulwD4zlo6P6JW1SZaat airship@seaworthy
 ...
diff --git a/site/airskiff-suse/secrets/passphrases/private_docker_key.yaml b/site/airskiff-suse/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..b42317427
--- /dev/null
+++ b/site/airskiff-suse/secrets/passphrases/private_docker_key.yaml
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
diff --git a/site/airskiff/secrets/passphrases/private_docker_key.yaml b/site/airskiff/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..b42317427
--- /dev/null
+++ b/site/airskiff/secrets/passphrases/private_docker_key.yaml
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
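Review bot: The new `site/airskiff-suse/secrets/passphrases/private_docker_key.yaml` keeps `storagePolicy: cleartext` on a `deckhand/Passphrase/v1` document whose value is the documented placeholder (`# base64 of password123`), and the same file is added unchanged for airskiff, airsloop, seaworthy-virt and seaworthy. With the secret now at the site layer, a site directory copied from one of these deploys with a publicly known registry credential unless the operator remembers to change it. I would extend the comment to say so explicitly, e.g. `# placeholder only: replace with a site-specific key before deployment`. For sites that have a secret store behind Deckhand, `storagePolicy: encrypted` would also be worth considering; whether every one of these sites can support it is not visible from this diff.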
diff --git a/site/airsloop/secrets/passphrases/private_docker_key.yaml b/site/airsloop/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..b42317427
--- /dev/null
+++ b/site/airsloop/secrets/passphrases/private_docker_key.yaml
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
diff --git a/site/airsloop/secrets/publickey/airship_ssh_public_key.yaml b/site/airsloop/secrets/publickey/airship_ssh_public_key.yaml
new file mode 100644
index 000000000..b49c7a95f
--- /dev/null
+++ b/site/airsloop/secrets/publickey/airship_ssh_public_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+ schema: metadata/Document/v1
+ name: airship_ssh_public_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyb6CDrai3VcFW1ew5ikf7IDSpqfFyrJNLI1DPyd28vcy6D1oFXdELYK7DsXzVCgV7YNDiKpneXMBTJ/Mr/aZi9K3eVvtRp1HAK3y6ycx9KRfyfMVAU0aT3xMOpE5xS/xTH8HNRbOSszp0woVYKhncpkumHweji7wbLKm/WxsggIoGDjn29KIoRhpo96tWz/DBsoU1pIHTMoZNyHW2aYWEx6kOzTEmhxL0LkKv7+A/2HJuLnqcXoQH9jl3kRQDyikNlSw2T3gQV3I8m0od/lEf98MZb1Yv9GrlDCmnUPXAJ2HQaWaVaPPpGcBW7veOZlLfeulwD4zlo6P6JW1SZaat airship@seaworthy
+...
diff --git a/site/seaworthy-virt/secrets/passphrases/private_docker_key.yaml b/site/seaworthy-virt/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..b42317427
--- /dev/null
+++ b/site/seaworthy-virt/secrets/passphrases/private_docker_key.yaml
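Review bot: `site/airsloop/secrets/publickey/airship_ssh_public_key.yaml` has no comment marking the `airship@seaworthy` key as a sample, unlike the passphrase files, which carry `# sample key ...`. The identical key is also added for seaworthy-virt and seaworthy and kept for aiab. According to the documentation change in this commit the key is used for MAAS initial deployment and for the default Divingbell user, so a site deployed without replacing it authorizes whoever holds the matching private key. I would add a comment above `data:` such as `# sample key: replace with a site-specific public key before deployment`.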
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
diff --git a/site/seaworthy-virt/secrets/publickey/airship_ssh_public_key.yaml b/site/seaworthy-virt/secrets/publickey/airship_ssh_public_key.yaml
new file mode 100644
index 000000000..b49c7a95f
--- /dev/null
+++ b/site/seaworthy-virt/secrets/publickey/airship_ssh_public_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+ schema: metadata/Document/v1
+ name: airship_ssh_public_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyb6CDrai3VcFW1ew5ikf7IDSpqfFyrJNLI1DPyd28vcy6D1oFXdELYK7DsXzVCgV7YNDiKpneXMBTJ/Mr/aZi9K3eVvtRp1HAK3y6ycx9KRfyfMVAU0aT3xMOpE5xS/xTH8HNRbOSszp0woVYKhncpkumHweji7wbLKm/WxsggIoGDjn29KIoRhpo96tWz/DBsoU1pIHTMoZNyHW2aYWEx6kOzTEmhxL0LkKv7+A/2HJuLnqcXoQH9jl3kRQDyikNlSw2T3gQV3I8m0od/lEf98MZb1Yv9GrlDCmnUPXAJ2HQaWaVaPPpGcBW7veOZlLfeulwD4zlo6P6JW1SZaat airship@seaworthy
+...
diff --git a/site/seaworthy/secrets/passphrases/private_docker_key.yaml b/site/seaworthy/secrets/passphrases/private_docker_key.yaml
new file mode 100644
index 000000000..b42317427
--- /dev/null
+++ b/site/seaworthy/secrets/passphrases/private_docker_key.yaml
@@ -0,0 +1,14 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: private_docker_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# sample key for potential private docker registry
+# see Docker documentation for info on how to generate the key
+# base64 of password123
+data: cGFzc3dvcmQxMjM=
+...
diff --git a/site/seaworthy/secrets/publickey/airship_ssh_public_key.yaml b/site/seaworthy/secrets/publickey/airship_ssh_public_key.yaml
new file mode 100644
index 000000000..b49c7a95f
--- /dev/null
+++ b/site/seaworthy/secrets/publickey/airship_ssh_public_key.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/PublicKey/v1
+metadata:
+ schema: metadata/Document/v1
+ name: airship_ssh_public_key
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyb6CDrai3VcFW1ew5ikf7IDSpqfFyrJNLI1DPyd28vcy6D1oFXdELYK7DsXzVCgV7YNDiKpneXMBTJ/Mr/aZi9K3eVvtRp1HAK3y6ycx9KRfyfMVAU0aT3xMOpE5xS/xTH8HNRbOSszp0woVYKhncpkumHweji7wbLKm/WxsggIoGDjn29KIoRhpo96tWz/DBsoU1pIHTMoZNyHW2aYWEx6kOzTEmhxL0LkKv7+A/2HJuLnqcXoQH9jl3kRQDyikNlSw2T3gQV3I8m0od/lEf98MZb1Yv9GrlDCmnUPXAJ2HQaWaVaPPpGcBW7veOZlLfeulwD4zlo6P6JW1SZaat airship@seaworthy
+...