Fix nova-compute-ssh init to execute as runAsUser

In _ssh-init.sh.tpl, even when the runAsUser for the nova-compute
container is changed in its securityContext, the ssh keys are always
copied into the 'nova' user's home directory. This change fixes that by
looking up the user defined in the securityContext and copying the keys
into that user's home directory.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
This commit is contained in:
Thiago Brito 2022-01-07 15:59:41 -03:00
parent 12afaa53ee
commit c63b1920d5
5 changed files with 25 additions and 11 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Nova
name: nova
version: 0.2.25
version: 0.2.26
home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources:


@ -16,10 +16,13 @@ limitations under the License.
set -ex
mkdir -p ~nova/.ssh
chown -R nova:nova ~nova/.ssh
export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
cat > ~nova/.ssh/config <<EOF
mkdir -p ${NOVA_USER_HOME}/.ssh
chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
@ -27,5 +30,5 @@ Host *
IdentitiesOnly yes
EOF
cp /tmp/nova-ssh/* ~nova/.ssh/
chmod 600 ~nova/.ssh/id_rsa
cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
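Review bot: `export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` hides a failed lookup from the `set -ex` at the top of the hunk, because the shell checks the exit status of `export`, not of the command substitution; if NOVA_USER_UID has no passwd entry in the image, NOVA_USERNAME ends up empty, `eval echo ~` then expands to the current user's home, and the keys are silently installed for the wrong account with no error. The `eval` on the following line is also avoidable, since the home directory can be read from the passwd database directly (assuming getent is present in the image). Consider replacing the two export lines with `NOVA_USERNAME=$(id -nu "${NOVA_USER_UID}")`, `NOVA_USER_HOME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f6)` and `export NOVA_USERNAME NOVA_USER_HOME`, so an unknown uid fails the init container instead of proceeding. The same `${NOVA_USER_HOME}` path is used by the `cp`/`chmod` lines in the second hunk, which would then be protected as well. The script's shebang and license header lie before the first hunk.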


@ -104,6 +104,7 @@ spec:
mountPath: /var/lib/nova
- name: pod-shared
mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.conf.ceph.enabled }}
- name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -119,6 +120,7 @@ spec:
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -141,6 +143,7 @@ spec:
subPath: key
readOnly: true
{{ end }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -169,6 +172,7 @@ spec:
mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf
readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if eq .Values.console.console_kind "novnc"}}
- name: nova-compute-vnc-init
@ -187,6 +191,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if eq .Values.console.console_kind "spice"}}
- name: nova-compute-spice-init
@ -205,6 +210,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tungstenfabric-compute-init
@ -217,15 +223,19 @@ spec:
mountPath: /opt/plugin
- name: tf-plugin-bin
mountPath: /opt/plugin/bin
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }}
{{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh-init
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
terminationMessagePath: /var/log/termination-log
env:
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
- name: NOVA_USER_UID
value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
command:
- /tmp/ssh-init.sh
volumeMounts:
@ -241,14 +251,13 @@ spec:
mountPath: /tmp/ssh-init.sh
subPath: ssh-init.sh
readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }}
containers:
- name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env:
{{- if .Values.conf.ceph.enabled }}
- name: CEPH_CINDER_USER
@ -431,8 +440,6 @@ spec:
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env:
- name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@ -455,6 +462,7 @@ spec:
subPath: ssh-start.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
volumes:
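Review bot: In the `-217,15 +223,19` hunk, NOVA_USER_UID is taken from `.Values.pod.security_context.nova.pod.runAsUser`, the pod-level default, while the container rendered through `kubernetes_container_security_context` can carry its own `runAsUser`, which Kubernetes applies in preference to the pod-level one; the values hunk in this same commit shows such per-container `runAsUser` keys are expressible in this chart, so a nova_compute-level override would leave the keys in a home directory the container never uses. Either resolve the container-level value first and fall back to the pod-level one, or at least document the assumption next to the env entry, e.g. `# assumes nova-compute runs as the pod-level runAsUser; a container-level override is not reflected here`. As a point of style, the neighbouring SSH_PORT entry uses `| quote` whereas the new entry wraps the template in literal quotes; `value: {{ .Values.pod.security_context.nova.pod.runAsUser | quote }}` would keep the two consistent. The daemonset spec these hunks belong to starts and ends outside them.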
- name: pod-tmp


@ -2155,8 +2155,10 @@ pod:
readOnlyRootFilesystem: true
privileged: true
nova_compute_ssh:
readOnlyRootFilesystem: true
privileged: true
runAsUser: 0
nova_compute_ssh_init:
runAsUser: 0
nova_api_metadata_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
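Review bot: The new `runAsUser: 0` under `nova_compute_ssh_init` has no comment saying why this init container must run as root, which a later hardening pass would otherwise be tempted to remove. The reason is visible in the ssh-init script changed by this commit: it `chown`s the `.ssh` directory to another uid and copies keys into that user's home, which a non-root init container could not do. Suggest `# root is required: ssh-init chowns and copies keys into the runAsUser's home` above the line. The `runAsUser: 0` added to `nova_compute_ssh` alongside `privileged: true` is not explained by the commit message; if it is needed for sshd rather than only for the init step, a comment there would help too (inferred, worth confirming). The surrounding `pod:` security_context block starts and ends outside the hunk.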


@ -46,4 +46,5 @@ nova:
- 0.2.23 Add option to enable extra wait for cell-setup-init
- 0.2.24 Fix nova-bootstrap job labels
- 0.2.25 Add check for compute nodes
- 0.2.26 Fix _ssh-start.sh.tpl to copy the ssh keys to the user on the security context
...