From c63b1920d50ef5b856784f650dd868263cf45d36 Mon Sep 17 00:00:00 2001
From: Thiago Brito <thiago.brito@windriver.com>
Date: Fri, 7 Jan 2022 15:59:41 -0300
Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser

On _ssh-init.sh.tpl, despite one change the runAsUser for the
nova-compute container on the securityContext, the ssh keys are always
being copied into the 'nova' user's folder. This change fixes it by
getting the correct user defined on the securityContext and copying the
keys to its correct folder.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
---
 nova/Chart.yaml                       |  2 +-
 nova/templates/bin/_ssh-init.sh.tpl   | 13 ++++++++-----
 nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
 nova/values.yaml                      |  4 +++-
 releasenotes/notes/nova.yaml          |  1 +
 5 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index fba86e1f48..75b90a8a83 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.2.25
+version: 0.2.26
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
index be2e33a418..9032933d2a 100644
--- a/nova/templates/bin/_ssh-init.sh.tpl
+++ b/nova/templates/bin/_ssh-init.sh.tpl
@@ -16,10 +16,13 @@ limitations under the License.
 
 set -ex
 
-mkdir -p ~nova/.ssh
-chown -R nova:nova ~nova/.ssh
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
 
-cat > ~nova/.ssh/config <<EOF
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
 Host *
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
@@ -27,5 +30,5 @@ Host *
   IdentitiesOnly yes
 EOF
 
-cp /tmp/nova-ssh/* ~nova/.ssh/
-chmod 600 ~nova/.ssh/id_rsa
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 4c690d617c..2b23e334d3 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -104,6 +104,7 @@ spec:
               mountPath: /var/lib/nova
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- if .Values.conf.ceph.enabled }}
         - name: ceph-perms
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -119,6 +120,7 @@ spec:
               mountPath: /tmp
             - name: etcceph
               mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- if empty .Values.conf.ceph.cinder.keyring }}
         - name: ceph-admin-keyring-placement
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -141,6 +143,7 @@ spec:
               subPath: key
               readOnly: true
             {{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         - name: ceph-keyring-placement
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -169,6 +172,7 @@ spec:
               mountPath: /etc/ceph/ceph.conf.template
               subPath: ceph.conf
               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if eq .Values.console.console_kind "novnc"}}
         - name: nova-compute-vnc-init
@@ -187,6 +191,7 @@ spec:
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if eq .Values.console.console_kind "spice"}}
         - name: nova-compute-spice-init
@@ -205,6 +210,7 @@ spec:
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if ( has "tungstenfabric" .Values.network.backend ) }}
         - name: tungstenfabric-compute-init
@@ -217,15 +223,19 @@ spec:
               mountPath: /opt/plugin
             - name: tf-plugin-bin
               mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- end }}
         {{- if .Values.network.ssh.enabled }}
         - name: nova-compute-ssh-init
 {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           terminationMessagePath: /var/log/termination-log
           env:
             - name: SSH_PORT
               value: {{ .Values.network.ssh.port | quote }}
+            - name: NOVA_USER_UID
+              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
           command:
             - /tmp/ssh-init.sh
           volumeMounts:
@@ -241,14 +251,13 @@ spec:
               mountPath: /tmp/ssh-init.sh
               subPath: ssh-init.sh
               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- end }}
       containers:
         - name: nova-compute
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          securityContext:
-            privileged: true
           env:
           {{- if .Values.conf.ceph.enabled }}
             - name: CEPH_CINDER_USER
@@ -431,8 +440,6 @@ spec:
 {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          securityContext:
-            privileged: true
           env:
             - name: KEY_TYPES
               value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@@ -455,6 +462,7 @@ spec:
               subPath: ssh-start.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
       volumes:
         - name: pod-tmp
diff --git a/nova/values.yaml b/nova/values.yaml
index cdb1457520..72dd0d1130 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2155,8 +2155,10 @@ pod:
           readOnlyRootFilesystem: true
           privileged: true
         nova_compute_ssh:
-          readOnlyRootFilesystem: true
           privileged: true
+          runAsUser: 0
+        nova_compute_ssh_init:
+          runAsUser: 0
         nova_api_metadata_init:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml
index a9696b48f4..399d86cca7 100644
--- a/releasenotes/notes/nova.yaml
+++ b/releasenotes/notes/nova.yaml
@@ -46,4 +46,5 @@ nova:
   - 0.2.23 Add option to enable extra wait for cell-setup-init
   - 0.2.24 Fix nova-bootstrap job labels
   - 0.2.25 Add check for compute nodes
+  - 0.2.26 Fix _ssh-start.sh.tpl to copy the ssh keys to the user on the security context
 ...