From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
From: Thiago Brito <thiago.brito@windriver.com>
Date: Fri, 7 Jan 2022 15:59:41 -0300
Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser

On _ssh-init.sh.tpl, despite one change the runAsUser for the
nova-compute container on the securityContext, the ssh keys are always
being copied into the 'nova' user's folder. This change fixes it by
getting the correct user defined on the securityContext and copying the
keys to its correct folder.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
---
 nova/templates/bin/_ssh-init.sh.tpl   | 13 ++++++++-----
 nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
 nova/values.yaml                      |  4 +++-
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
index be2e33a4..fbd96f04 100644
--- a/nova/templates/bin/_ssh-init.sh.tpl
+++ b/nova/templates/bin/_ssh-init.sh.tpl
@@ -16,10 +16,13 @@ limitations under the License.

 set -ex

-mkdir -p ~nova/.ssh
-chown -R nova:nova ~nova/.ssh
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})

-cat > ~nova/.ssh/config <<EOF
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
 Host *
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
@@ -27,5 +30,5 @@ Host *
   IdentitiesOnly yes
 EOF

-cp /tmp/nova-ssh/* ~nova/.ssh/
-chmod 600 ~nova/.ssh/id_rsa
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 4c690d61..2b23e334 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -104,6 +104,7 @@ spec:
               mountPath: /var/lib/nova
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- if .Values.conf.ceph.enabled }}
         - name: ceph-perms
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -119,6 +120,7 @@ spec:
               mountPath: /tmp
             - name: etcceph
               mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- if empty .Values.conf.ceph.cinder.keyring }}
         - name: ceph-admin-keyring-placement
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -141,6 +143,7 @@ spec:
               subPath: key
               readOnly: true
             {{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         - name: ceph-keyring-placement
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -169,6 +172,7 @@ spec:
               mountPath: /etc/ceph/ceph.conf.template
               subPath: ceph.conf
               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if eq .Values.console.console_kind "novnc"}}
         - name: nova-compute-vnc-init
@@ -187,6 +191,7 @@ spec:
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if eq .Values.console.console_kind "spice"}}
         - name: nova-compute-spice-init
@@ -205,6 +210,7 @@ spec:
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
         {{- if ( has "tungstenfabric" .Values.network.backend ) }}
         - name: tungstenfabric-compute-init
@@ -217,15 +223,19 @@ spec:
               mountPath: /opt/plugin
             - name: tf-plugin-bin
               mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- end }}
         {{- if .Values.network.ssh.enabled }}
         - name: nova-compute-ssh-init
 {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           terminationMessagePath: /var/log/termination-log
           env:
             - name: SSH_PORT
               value: {{ .Values.network.ssh.port | quote }}
+            - name: NOVA_USER_UID
+              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
           command:
             - /tmp/ssh-init.sh
           volumeMounts:
@@ -241,14 +251,13 @@ spec:
               mountPath: /tmp/ssh-init.sh
               subPath: ssh-init.sh
               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- end }}
       containers:
         - name: nova-compute
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          securityContext:
-            privileged: true
           env:
           {{- if .Values.conf.ceph.enabled }}
             - name: CEPH_CINDER_USER
@@ -431,8 +440,6 @@ spec:
 {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          securityContext:
-            privileged: true
           env:
             - name: KEY_TYPES
               value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@@ -455,6 +462,7 @@ spec:
               subPath: ssh-start.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
       volumes:
         - name: pod-tmp
diff --git a/nova/values.yaml b/nova/values.yaml
index cdb14575..72dd0d11 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2155,8 +2155,10 @@ pod:
           readOnlyRootFilesystem: true
           privileged: true
         nova_compute_ssh:
-          readOnlyRootFilesystem: true
           privileged: true
+          runAsUser: 0
+        nova_compute_ssh_init:
+          runAsUser: 0
         nova_api_metadata_init:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
--
2.17.1