Add nova-compute-ssh

Change-Id: Ia555bb69182441d5f17040504efc7d1d524e59ec
2020-09-22 20:27:16 +03:00 · 2020-09-22 20:27:16 +03:00 · 74b119db35
commit 74b119db35
parent 20b6b9a236
8 changed files with 112 additions and 51 deletions
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.1.1
+version: 0.1.2
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
--- a/nova/templates/bin/_ssh-init.sh.tpl
+++ b/nova/templates/bin/_ssh-init.sh.tpl
@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+mkdir -p ~nova/.ssh
+chown -R nova:nova ~nova/.ssh
+
+cat > ~nova/.ssh/config <<EOF
+Host *
+  StrictHostKeyChecking no
+  UserKnownHostsFile /dev/null
+  port $SSH_PORT
+  IdentitiesOnly yes
+EOF
+
+cp /tmp/nova-ssh/* ~nova/.ssh/
+chmod 600 ~nova/.ssh/id_rsa
--- a/nova/templates/bin/_ssh-start.sh.tpl
+++ b/nova/templates/bin/_ssh-start.sh.tpl
@ -25,25 +25,14 @@ for KEY_TYPE in $KEY_TYPES; do
 done
 IFS=''

-mkdir -p ~nova/.ssh
-
-if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
-    chown nova: ~nova/.ssh
-fi
-
-subnet_address="{{- .Values.network.sshd.from_subnet -}}"
+subnet_address="{{- .Values.network.ssh.from_subnet -}}"
 cat > /tmp/sshd_config_extend <<EOF
-
-# This Match block prevents Password Authentication for root user
-Match User root
 PasswordAuthentication no
-
-# This Match Block is used to allow Root Login exceptions over the
-# internal subnet used by Nova Migrations
 Match Address $subnet_address
    PermitRootLogin without-password
 EOF
 cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
+
 rm /tmp/sshd_config_extend

 exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
--- a/nova/templates/configmap-bin.yaml
+++ b/nova/templates/configmap-bin.yaml
@ -85,6 +85,8 @@ data:
 {{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  nova-console-proxy-init-assets.sh: |
 {{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ssh-init.sh: |
+{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  ssh-start.sh: |
 {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  cell-setup.sh: |
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@ -217,6 +217,30 @@ spec:
            - name: tf-plugin-bin
              mountPath: /opt/plugin/bin
        {{- end }}
+        {{- if .Values.network.ssh.enabled }}
+        - name: nova-compute-ssh-init
+{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          terminationMessagePath: /var/log/termination-log
+          env:
+            - name: SSH_PORT
+              value: {{ .Values.network.ssh.port | quote }}
+          command:
+            - /tmp/ssh-init.sh
+          volumeMounts:
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: nova-ssh
+              mountPath: /tmp/nova-ssh/authorized_keys
+              subPath: public-key
+            - name: nova-ssh
+              mountPath: /tmp/nova-ssh/id_rsa
+              subPath: private-key
+            - name: nova-bin
+              mountPath: /tmp/ssh-init.sh
+              subPath: ssh-init.sh
+              readOnly: true
+        {{- end }}
      containers:
        - name: nova-compute
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -302,9 +326,6 @@ spec:
              mountPath: /root/.ssh/config
              subPath: ssh-config
              readOnly: true
-            - name: nova-ssh
-              mountPath: /root/.ssh/id_rsa
-              subPath: ssh-key-private
            {{- if .Values.conf.ceph.enabled }}
            - name: etcceph
              mountPath: /etc/ceph
@ -382,7 +403,7 @@ spec:
            {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
-        {{- if .Values.network.sshd.enabled }}
+        {{- if .Values.network.ssh.enabled }}
        - name: nova-compute-ssh
 {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -391,7 +412,7 @@ spec:
            privileged: true
          env:
            - name: KEY_TYPES
-              value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
            - name: SSH_PORT
              value: {{ .Values.network.ssh.port | quote }}
 {{- if .Values.manifests.certificates }}
@ -404,18 +425,8 @@ spec:
            - /tmp/ssh-start.sh
          terminationMessagePath: /var/log/termination-log
          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
            - name: varlibnova
              mountPath: /var/lib/nova
-            - name: varliblibvirt
-              mountPath: /var/lib/libvirt
-            - name: nova-ssh
-              mountPath: /root/.ssh/id_rsa.pub
-              subPath: ssh-key-public
-            - name: nova-ssh
-              mountPath: /root/.ssh/authorized_keys
-              subPath: ssh-key-public
            - name: nova-bin
              mountPath: /tmp/ssh-start.sh
              subPath: ssh-start.sh
@ -433,10 +444,13 @@ spec:
          secret:
            secretName: {{ $configMapName }}
            defaultMode: 0444
+
+        {{- if .Values.network.ssh.enabled }}
        - name: nova-ssh
          secret:
            secretName: nova-ssh
-            defaultMode: 0400
+            defaultMode: 0644
+        {{ end }}
        {{- if .Values.conf.ceph.enabled }}
        - name: etcceph
          hostPath:
--- a/nova/templates/configmap-ssh.yaml
+++ b/nova/templates/configmap-ssh.yaml
@ -22,8 +22,8 @@ metadata:
  name: nova-ssh
 type: Opaque
 data:
-  ssh-key-private: {{ .Values.conf.ssh_private | b64enc }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }}
+  private-key: {{ .Values.network.ssh.private_key | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.network.ssh.public_key "key" "public-key" "format" "Secret" ) | indent 2 }}

 {{- end }}
 {{- end }}
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -261,11 +261,16 @@ network:
      enabled: false
      port: 30682
  ssh:
-    name: "nova-ssh"
-    port: 8022
-  sshd:
    enabled: false
-    from_subnet: 0.0.0.0/24
+    port: 8022
+    from_subnet: 0.0.0.0/0
+    key_types:
+      - rsa
+      - dsa
+      - ecdsa
+      - ed25519
+    private_key: 'null'
+    public_key: 'null'

 dependencies:
  dynamic:
@ -514,13 +519,6 @@ console:
      # IF blank, search default routing interface
      vncserver_proxyclient_interface:

-ssh:
-  key_types:
-    - rsa
-    - dsa
-    - ecdsa
-    - ed25519
-
 ceph_client:
  configmap: ceph-etc
  user_secret_name: pvc-ceph-client-key
@ -608,13 +606,6 @@ conf:
      user: "cinder"
      keyring: null
      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
-  ssh: |
-    Host *
-      StrictHostKeyChecking no
-      UserKnownHostsFile /dev/null
-      Port {{ .Values.network.ssh.port }}
-  ssh_private: 'null'
-  ssh_public: 'null'
  rally_tests:
    run_tempest: false
    clean_up: |
--- a/nova/values_overrides/ssh.yaml
+++ b/nova/values_overrides/ssh.yaml
@ -0,0 +1,34 @@
+---
+network:
+  ssh:
+    enabled: true
+    private_key: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfgGkoPxu6jVqyBTGDlhGqoFFaTymMOH3pDRzrzXCVodqrtv1heBAyi7L63+MZ+m/facDDo43hWzhFLmmMgD00AS7L+VH+oeEwKVCfq0HN3asKLadpweBQVAkGX7PzjRKF25qj6J7iVpKAf1NcnJCsWL3b+wC9mwK7TmupOmWra8BrfP7Fvek1RLx3lwk+ZZ9lUlm6o+jwXn/9rCEFa7ywkGpdrPRBNHQshGjDlJPi15boXIKxOmoZ/DszkJq7iLYQnwa4Kdb0dJ9OE/l2LLBiEpkMlTnwXA7QCS5jEHXwW78b4BOZvqrFflga+YldhDmkyRRfnhcF5Ok2zQmx9Q+t root@openstack-helm
+    public_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEA34BpKD8buo1asgUxg5YRqqBRWk8pjDh96Q0c681wlaHaq7b9
+      YXgQMouy+t/jGfpv32nAw6ON4Vs4RS5pjIA9NAEuy/lR/qHhMClQn6tBzd2rCi2n
+      acHgUFQJBl+z840Shduao+ie4laSgH9TXJyQrFi92/sAvZsCu05rqTplq2vAa3z+
+      xb3pNUS8d5cJPmWfZVJZuqPo8F5//awhBWu8sJBqXaz0QTR0LIRow5ST4teW6FyC
+      sTpqGfw7M5Cau4i2EJ8GuCnW9HSfThP5diywYhKZDJU58FwO0AkuYxB18Fu/G+AT
+      mb6qxX5YGvmJXYQ5pMkUX54XBeTpNs0JsfUPrQIDAQABAoIBAFkEFd3XtL2KSxMY
+      Cm50OLkSfRRQ7yVP4qYNePVZr3uJKUS27xgA78KR7UkKHrNcEW6T+hhxbbLR2AmF
+      wLga40VxKyhGNqgJ5Vx/OAM//Ed4AAVfxYvTkfmsXqPRPiTEjRoPKvoZTh6riFHx
+      ZExAd0aNWaDhyZu6v03GoA6YmaG53CLhUpDjIEpAHT8Q5fiukvpvFNAkSpSU3wWW
+      YD14S5BTXx8Z7v5mNgbxzDIST9P6oGm9jOoMJJCxu3KVF5Xh6k23DP1wukiWNypJ
+      b7dzfE8/NZUZ15Du4g1ZXHZyOATwN+4GQi1tV+oB1o6wI6829lpIMlsmqHhrw867
+      942SmakCgYEA9R1xFEEVRavBGIUeg/NMbFP+Ssl2DljAdnmcOASCxAFqCx6y3WSK
+      P2xWTD/MCG/uz627EVp+lfbapZimm171rUMpVCqTa5tH+LZ+Lbl+rjoLwSWVqySK
+      MGyIEzpPLq5PrpGdUghZNsGAG7kgTarJM5SYyA+Esqr8AADjDrZdmzcCgYEA6W1C
+      h9nU5i04UogndbkOiDVDWn0LnjUnVDTmhgGhbJDLtx4/hte/zGK7+mKl561q3Qmm
+      xY0s8cSQCX1ULHyrgzS9rc0k42uvuRWgpKKKT5IrjiA91HtfcVM1r9hxa2/dw4wk
+      WbAoaqpadjQAKoB4PNYzRfvITkv/9O+JSyK5BjsCgYEA5p9C68momBrX3Zgyc/gQ
+      qcQFeJxAxZLf0xjs0Q/9cSnbeobxx7h3EuF9+NP1xuJ6EVDmt5crjzHp2vDboUgh
+      Y1nToutENXSurOYXpjHnbUoUETCpt5LzqkgTZ/Pu2H8NXbSIDszoE8rQHEV8jVbp
+      Y+ymK2XedrTF0cMD363aONUCgYEAy5J4+kdUL+VyADAz0awxa0KgWdNCBZivkvWL
+      sYTMhgUFVM7xciTIZXQaIjRUIeeQkfKv2gvUDYlyYIRHm4Cih4vAfEmziQ7KMm0V
+      K1+BpgGBMLMXmS57PzblVFU8HQlzau3Wac2CgfvNZtbU6jweIFhiYP9DYl1PfQpG
+      PxuqJy8CgYBERsjdYfnyGMnFg3DVwgv/W/JspX201jMhQW2EW1OGDf7RQV+qTUnU
+      2NRGN9QbVYUvdwuRPd7C9wXQfLzXf0/E67oYg6fHHGTBNMjSq56qhZ2dSZnyQCxI
+      UZu0B4/1A5493Mypxp8c2fPhBdfzjTA5latsr75U26OMPxCxgFxm1A==
+      -----END RSA PRIVATE KEY-----