From 74b119db35187a62a1d00a35ba489fdda1c9e5b3 Mon Sep 17 00:00:00 2001
From: okozachenko
Date: Tue, 22 Sep 2020 20:27:16 +0300
Subject: [PATCH] Add nova-compute-ssh
Change-Id: Ia555bb69182441d5f17040504efc7d1d524e59ec
---
 nova/Chart.yaml | 2 +-
 nova/templates/bin/_ssh-init.sh.tpl | 31 +++++++++++++
 nova/templates/bin/_ssh-start.sh.tpl | 17 ++-----
 nova/templates/configmap-bin.yaml | 2 +
 nova/templates/daemonset-compute.yaml | 46 ++++++++++++-------
 .../{configmap-ssh.yaml => secret-ssh.yaml} | 4 +-
 nova/values.yaml | 27 ++++-------
 nova/values_overrides/ssh.yaml | 34 ++++++++++++++
 8 files changed, 112 insertions(+), 51 deletions(-)
 create mode 100644 nova/templates/bin/_ssh-init.sh.tpl
 rename nova/templates/{configmap-ssh.yaml => secret-ssh.yaml} (83%)
 mode change 100755 => 100644
 create mode 100644 nova/values_overrides/ssh.yaml
diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index 5f44f43dcf..86696caf8f 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.1.1
+version: 0.1.2
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
new file mode 100644
index 0000000000..be2e33a418
--- /dev/null
+++ b/nova/templates/bin/_ssh-init.sh.tpl
@@ -0,0 +1,31 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +mkdir -p ~nova/.ssh +chown -R nova:nova ~nova/.ssh + +cat > ~nova/.ssh/config < /tmp/sshd_config_extend <> /etc/ssh/sshd_config + rm /tmp/sshd_config_extend exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml index 6c2d3bde66..13622c5b99 100644 --- a/nova/templates/configmap-bin.yaml +++ b/nova/templates/configmap-bin.yaml @@ -85,6 +85,8 @@ data: {{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} nova-console-proxy-init-assets.sh: | {{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + ssh-init.sh: | +{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} ssh-start.sh: | {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} cell-setup.sh: | diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 7e5d14aa79..38b9b0d9fe 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml 
@@ -217,6 +217,30 @@ spec: - name: tf-plugin-bin mountPath: /opt/plugin/bin {{- end }} + {{- if .Values.network.ssh.enabled }} + - name: nova-compute-ssh-init +{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + terminationMessagePath: /var/log/termination-log + env: + - name: SSH_PORT + value: {{ .Values.network.ssh.port | quote }} + command: + - /tmp/ssh-init.sh + volumeMounts: + - name: varlibnova + mountPath: /var/lib/nova + - name: nova-ssh + mountPath: /tmp/nova-ssh/authorized_keys + subPath: public-key + - name: nova-ssh + mountPath: /tmp/nova-ssh/id_rsa + subPath: private-key + - name: nova-bin + mountPath: /tmp/ssh-init.sh + subPath: ssh-init.sh + readOnly: true + {{- end }} containers: - name: nova-compute {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} @@ -302,9 +326,6 @@ spec: mountPath: /root/.ssh/config subPath: ssh-config readOnly: true - - name: nova-ssh - mountPath: /root/.ssh/id_rsa - subPath: ssh-key-private {{- if .Values.conf.ceph.enabled }} - name: etcceph mountPath: /etc/ceph @@ -382,7 +403,7 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} - {{- if .Values.network.sshd.enabled }} + {{- if .Values.network.ssh.enabled }} - name: nova-compute-ssh {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} 
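Review bot: The `/root/.ssh/config` mount (`subPath: ssh-config`) stays in the nova-compute container after the hunk at -302 drops the `/root/.ssh/id_rsa` mount, yet the `conf.ssh` template that `ssh-config` is presumably rendered from is removed from values.yaml in this same change. If configmap-etc still derives `ssh-config` from `.Values.conf.ssh`, the mounted file now renders empty or the chart fails to render; either drop the three `ssh-config` mount lines as well, since the client config for the nova user is now written by ssh-init.sh, or keep `conf.ssh` in values.yaml. The volumeMounts list that hunk edits begins and ends outside the hunk.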
@@ -391,7 +412,7 @@ spec: privileged: true env: - name: KEY_TYPES - value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }} + value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }} - name: SSH_PORT value: {{ .Values.network.ssh.port | quote }} {{- if .Values.manifests.certificates }} @@ -404,18 +425,8 @@ spec: - /tmp/ssh-start.sh terminationMessagePath: /var/log/termination-log volumeMounts: - - name: pod-tmp - mountPath: /tmp - name: varlibnova mountPath: /var/lib/nova - - name: varliblibvirt - mountPath: /var/lib/libvirt - - name: nova-ssh - mountPath: /root/.ssh/id_rsa.pub - subPath: ssh-key-public - - name: nova-ssh - mountPath: /root/.ssh/authorized_keys - subPath: ssh-key-public - name: nova-bin mountPath: /tmp/ssh-start.sh subPath: ssh-start.sh @@ -433,10 +444,13 @@ spec: secret: secretName: {{ $configMapName }} defaultMode: 0444 + + {{- if .Values.network.ssh.enabled }} - name: nova-ssh secret: secretName: nova-ssh - defaultMode: 0400 + defaultMode: 0644 + {{ end }} {{- if .Values.conf.ceph.enabled }} - name: etcceph hostPath: diff --git a/nova/templates/configmap-ssh.yaml b/nova/templates/secret-ssh.yaml old mode 100755 new mode 100644 similarity index 83% rename from nova/templates/configmap-ssh.yaml rename to nova/templates/secret-ssh.yaml index 270122fc1a..4811b2e28b --- a/nova/templates/configmap-ssh.yaml +++ b/nova/templates/secret-ssh.yaml 
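Review bot: Removing the `pod-tmp` mount at `/tmp` in the hunk at -404 leaves ssh-start.sh writing its scratch file `/tmp/sshd_config_extend` (see the `rm /tmp/sshd_config_extend` line in the _ssh-start.sh.tpl hunk) on the container's own root filesystem, which only works while that filesystem is writable; if this container is ever run with `readOnlyRootFilesystem`, sshd start fails. Either keep the `pod-tmp` emptyDir for `/tmp` or have the script use a directory that is still mounted. The dropped `authorized_keys` mount also means sshd now depends on the init container having populated `~nova/.ssh` (presumably under the shared `varlibnova` volume); a one-line comment at `volumeMounts:` such as `# ~nova/.ssh (keys, authorized_keys, config) is populated by the nova-compute-ssh-init init container` would make that ordering explicit.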
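Review bot: `defaultMode: 0644` on the `nova-ssh` secret volume (hunk at -433) makes the private key — `private-key`, mounted at `/tmp/nova-ssh/id_rsa` by the init container added at -217 — readable by every user inside that container, where `0400` was enough for a root init process and is what ssh itself demands of a key file. Unless the init container runs as a non-root user (no securityContext is visible in its hunk), keep `defaultMode: 0400`, or `0440` if the key is consumed via fsGroup, and let ssh-init.sh set the final mode on the copy under `~nova/.ssh`. Minor: the closing `{{ end }}` lacks the `{{-` trim used on the opening `{{- if`, so the rendered volumes list gains a whitespace-only line; use `{{- end }}` for symmetry with the rest of the template.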
@@ -22,8 +22,8 @@ metadata: name: nova-ssh type: Opaque data: - ssh-key-private: {{ .Values.conf.ssh_private | b64enc }} -{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }} + private-key: {{ .Values.network.ssh.private_key | b64enc }} +{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.network.ssh.public_key "key" "public-key" "format" "Secret" ) | indent 2 }} {{- end }} {{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index d906e105e0..3a509b5bc5 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -261,11 +261,16 @@ network: enabled: false port: 30682 ssh: - name: "nova-ssh" - port: 8022 - sshd: enabled: false - from_subnet: 0.0.0.0/24 + port: 8022 + from_subnet: 0.0.0.0/0 + key_types: + - rsa + - dsa + - ecdsa + - ed25519 + private_key: 'null' + public_key: 'null' dependencies: dynamic: @@ -514,13 +519,6 @@ console: # IF blank, search default routing interface vncserver_proxyclient_interface: -ssh: - key_types: - - rsa - - dsa - - ecdsa - - ed25519 - ceph_client: configmap: ceph-etc user_secret_name: pvc-ceph-client-key @@ -608,13 +606,6 @@ conf: user: "cinder" keyring: null secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337 - ssh: | - Host * - StrictHostKeyChecking no - UserKnownHostsFile /dev/null - Port {{ .Values.network.ssh.port }} - ssh_private: 'null' - ssh_public: 'null' rally_tests: run_tempest: false clean_up: | diff --git a/nova/values_overrides/ssh.yaml b/nova/values_overrides/ssh.yaml new file mode 100644 index 0000000000..af27ac6e70 --- /dev/null +++ b/nova/values_overrides/ssh.yaml 
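Review bot: `private_key: 'null'` and `public_key: 'null'` in the values.yaml hunk at -261 are literal strings, so with `network.ssh.enabled: true` and no override the secret-ssh hunk (`private-key: {{ .Values.network.ssh.private_key | b64enc }}`) base64-encodes the text `null` and the init container installs it as `id_rsa`, failing only at first ssh use. Fail at render time instead: make the values default a real `null` and render with `private-key: {{ required "network.ssh.private_key must be set when network.ssh.enabled is true" .Values.network.ssh.private_key | b64enc }}`, and guard `public_key` the same way before it is handed to values_template_renderer. The default `from_subnet` also widens from `0.0.0.0/24` to `0.0.0.0/0`; its consumer is not in this diff, but if it feeds the sshd access restriction the new default admits any source, which deserves a comment above the key such as `# Narrow this to the compute-host network; 0.0.0.0/0 allows any source` so operators know to override it.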
@@ -0,0 +1,34 @@ +--- +network: + ssh: + enabled: true + private_key: | + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfgGkoPxu6jVqyBTGDlhGqoFFaTymMOH3pDRzrzXCVodqrtv1heBAyi7L63+MZ+m/facDDo43hWzhFLmmMgD00AS7L+VH+oeEwKVCfq0HN3asKLadpweBQVAkGX7PzjRKF25qj6J7iVpKAf1NcnJCsWL3b+wC9mwK7TmupOmWra8BrfP7Fvek1RLx3lwk+ZZ9lUlm6o+jwXn/9rCEFa7ywkGpdrPRBNHQshGjDlJPi15boXIKxOmoZ/DszkJq7iLYQnwa4Kdb0dJ9OE/l2LLBiEpkMlTnwXA7QCS5jEHXwW78b4BOZvqrFflga+YldhDmkyRRfnhcF5Ok2zQmx9Q+t root@openstack-helm + public_key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA34BpKD8buo1asgUxg5YRqqBRWk8pjDh96Q0c681wlaHaq7b9 + YXgQMouy+t/jGfpv32nAw6ON4Vs4RS5pjIA9NAEuy/lR/qHhMClQn6tBzd2rCi2n + acHgUFQJBl+z840Shduao+ie4laSgH9TXJyQrFi92/sAvZsCu05rqTplq2vAa3z+ + xb3pNUS8d5cJPmWfZVJZuqPo8F5//awhBWu8sJBqXaz0QTR0LIRow5ST4teW6FyC + sTpqGfw7M5Cau4i2EJ8GuCnW9HSfThP5diywYhKZDJU58FwO0AkuYxB18Fu/G+AT + mb6qxX5YGvmJXYQ5pMkUX54XBeTpNs0JsfUPrQIDAQABAoIBAFkEFd3XtL2KSxMY + Cm50OLkSfRRQ7yVP4qYNePVZr3uJKUS27xgA78KR7UkKHrNcEW6T+hhxbbLR2AmF + wLga40VxKyhGNqgJ5Vx/OAM//Ed4AAVfxYvTkfmsXqPRPiTEjRoPKvoZTh6riFHx + ZExAd0aNWaDhyZu6v03GoA6YmaG53CLhUpDjIEpAHT8Q5fiukvpvFNAkSpSU3wWW + YD14S5BTXx8Z7v5mNgbxzDIST9P6oGm9jOoMJJCxu3KVF5Xh6k23DP1wukiWNypJ + b7dzfE8/NZUZ15Du4g1ZXHZyOATwN+4GQi1tV+oB1o6wI6829lpIMlsmqHhrw867 + 942SmakCgYEA9R1xFEEVRavBGIUeg/NMbFP+Ssl2DljAdnmcOASCxAFqCx6y3WSK + P2xWTD/MCG/uz627EVp+lfbapZimm171rUMpVCqTa5tH+LZ+Lbl+rjoLwSWVqySK + MGyIEzpPLq5PrpGdUghZNsGAG7kgTarJM5SYyA+Esqr8AADjDrZdmzcCgYEA6W1C + h9nU5i04UogndbkOiDVDWn0LnjUnVDTmhgGhbJDLtx4/hte/zGK7+mKl561q3Qmm + xY0s8cSQCX1ULHyrgzS9rc0k42uvuRWgpKKKT5IrjiA91HtfcVM1r9hxa2/dw4wk + WbAoaqpadjQAKoB4PNYzRfvITkv/9O+JSyK5BjsCgYEA5p9C68momBrX3Zgyc/gQ + qcQFeJxAxZLf0xjs0Q/9cSnbeobxx7h3EuF9+NP1xuJ6EVDmt5crjzHp2vDboUgh + Y1nToutENXSurOYXpjHnbUoUETCpt5LzqkgTZ/Pu2H8NXbSIDszoE8rQHEV8jVbp + Y+ymK2XedrTF0cMD363aONUCgYEAy5J4+kdUL+VyADAz0awxa0KgWdNCBZivkvWL + sYTMhgUFVM7xciTIZXQaIjRUIeeQkfKv2gvUDYlyYIRHm4Cih4vAfEmziQ7KMm0V + K1+BpgGBMLMXmS57PzblVFU8HQlzau3Wac2CgfvNZtbU6jweIFhiYP9DYl1PfQpG 
+ PxuqJy8CgYBERsjdYfnyGMnFg3DVwgv/W/JspX201jMhQW2EW1OGDf7RQV+qTUnU + 2NRGN9QbVYUvdwuRPd7C9wXQfLzXf0/E67oYg6fHHGTBNMjSq56qhZ2dSZnyQCxI + UZu0B4/1A5493Mypxp8c2fPhBdfzjTA5latsr75U26OMPxCxgFxm1A== + -----END RSA PRIVATE KEY-----
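Review bot: The two values are swapped: `private_key` holds an `ssh-rsa AAAA…` public key line and `public_key` holds the `-----BEGIN RSA PRIVATE KEY-----` block, so after secret-ssh.yaml maps them to `private-key`/`public-key` the init container would install the public key as `id_rsa` and the private key as `authorized_keys`. Move the PEM block under `private_key: |` and the `ssh-rsa` line under `public_key: |`. This key pair is also now committed to the repository, so it is a throwaway dev/test credential at best; say so at the top of the file, e.g. `# Dev/test key pair only: it is public in this repo, generate a fresh pair for any real deployment`, so nobody carries this override into a production values file.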