Add nova-compute-ssh

Change-Id: Ia555bb69182441d5f17040504efc7d1d524e59ec
This commit is contained in:
okozachenko 2020-09-22 20:27:16 +03:00
parent 20b6b9a236
commit 74b119db35
8 changed files with 112 additions and 51 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Nova description: OpenStack-Helm Nova
name: nova name: nova
version: 0.1.1 version: 0.1.2
home: https://docs.openstack.org/nova/latest/ home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources: sources:


@ -0,0 +1,31 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
mkdir -p ~nova/.ssh
chown -R nova:nova ~nova/.ssh
cat > ~nova/.ssh/config <<EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
port $SSH_PORT
IdentitiesOnly yes
EOF
cp /tmp/nova-ssh/* ~nova/.ssh/
chmod 600 ~nova/.ssh/id_rsa
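Review bot: `chown -R nova:nova ~nova/.ssh` runs before `cp /tmp/nova-ssh/* ~nova/.ssh/`, so the copied `id_rsa` and `authorized_keys` keep the uid the init container runs as rather than `nova`, and after `chmod 600` a client running as `nova` cannot read its own key. Reorder so ownership is fixed last: `cp /tmp/nova-ssh/* ~nova/.ssh/`, `chmod 600 ~nova/.ssh/id_rsa`, `chown -R nova:nova ~nova/.ssh`. The generated ssh config disables host-key verification (`StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null`); this carries over from the `conf.ssh` block the commit removes from values.yaml, but now that this script owns the file it should say why, e.g. `# host-key verification is off for migration peers; compensating control is network.ssh.from_subnet on the sshd side`.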


@ -25,25 +25,14 @@ for KEY_TYPE in $KEY_TYPES; do
done done
IFS='' IFS=''
mkdir -p ~nova/.ssh subnet_address="{{- .Values.network.ssh.from_subnet -}}"
if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
chown nova: ~nova/.ssh
fi
subnet_address="{{- .Values.network.sshd.from_subnet -}}"
cat > /tmp/sshd_config_extend <<EOF cat > /tmp/sshd_config_extend <<EOF
# This Match block prevents Password Authentication for root user
Match User root
PasswordAuthentication no PasswordAuthentication no
# This Match Block is used to allow Root Login exceptions over the
# internal subnet used by Nova Migrations
Match Address $subnet_address Match Address $subnet_address
PermitRootLogin without-password PermitRootLogin without-password
EOF EOF
cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
rm /tmp/sshd_config_extend rm /tmp/sshd_config_extend
exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT


@ -85,6 +85,8 @@ data:
{{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
nova-console-proxy-init-assets.sh: | nova-console-proxy-init-assets.sh: |
{{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
ssh-init.sh: |
{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
ssh-start.sh: | ssh-start.sh: |
{{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
cell-setup.sh: | cell-setup.sh: |


@ -217,6 +217,30 @@ spec:
- name: tf-plugin-bin - name: tf-plugin-bin
mountPath: /opt/plugin/bin mountPath: /opt/plugin/bin
{{- end }} {{- end }}
{{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh-init
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
terminationMessagePath: /var/log/termination-log
env:
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
command:
- /tmp/ssh-init.sh
volumeMounts:
- name: varlibnova
mountPath: /var/lib/nova
- name: nova-ssh
mountPath: /tmp/nova-ssh/authorized_keys
subPath: public-key
- name: nova-ssh
mountPath: /tmp/nova-ssh/id_rsa
subPath: private-key
- name: nova-bin
mountPath: /tmp/ssh-init.sh
subPath: ssh-init.sh
readOnly: true
{{- end }}
containers: containers:
- name: nova-compute - name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -302,9 +326,6 @@ spec:
mountPath: /root/.ssh/config mountPath: /root/.ssh/config
subPath: ssh-config subPath: ssh-config
readOnly: true readOnly: true
- name: nova-ssh
mountPath: /root/.ssh/id_rsa
subPath: ssh-key-private
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: etcceph - name: etcceph
mountPath: /etc/ceph mountPath: /etc/ceph
@ -382,7 +403,7 @@ spec:
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.sshd.enabled }} {{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh - name: nova-compute-ssh
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -391,7 +412,7 @@ spec:
privileged: true privileged: true
env: env:
- name: KEY_TYPES - name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }} value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
- name: SSH_PORT - name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }} value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }} {{- if .Values.manifests.certificates }}
@ -404,18 +425,8 @@ spec:
- /tmp/ssh-start.sh - /tmp/ssh-start.sh
terminationMessagePath: /var/log/termination-log terminationMessagePath: /var/log/termination-log
volumeMounts: volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: varlibnova - name: varlibnova
mountPath: /var/lib/nova mountPath: /var/lib/nova
- name: varliblibvirt
mountPath: /var/lib/libvirt
- name: nova-ssh
mountPath: /root/.ssh/id_rsa.pub
subPath: ssh-key-public
- name: nova-ssh
mountPath: /root/.ssh/authorized_keys
subPath: ssh-key-public
- name: nova-bin - name: nova-bin
mountPath: /tmp/ssh-start.sh mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh subPath: ssh-start.sh
@ -433,10 +444,13 @@ spec:
secret: secret:
secretName: {{ $configMapName }} secretName: {{ $configMapName }}
defaultMode: 0444 defaultMode: 0444
{{- if .Values.network.ssh.enabled }}
- name: nova-ssh - name: nova-ssh
secret: secret:
secretName: nova-ssh secretName: nova-ssh
defaultMode: 0400 defaultMode: 0644
{{ end }}
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: etcceph - name: etcceph
hostPath: hostPath:
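Review bot: Changing the `nova-ssh` secret volume from `defaultMode: 0400` to `defaultMode: 0644` (last hunk) makes `private-key` readable by every uid in the pod, not only the mounting user; ssh-init.sh copies the file and `chmod 600`s its own copy, so the mount itself can stay restrictive — `defaultMode: 0400`, or `0440` plus a pod `fsGroup` if the init container is not root (its `securityContext` is not set in the first hunk, so its uid is whatever the image default is). In the same hunk the closing `{{ end }}` lacks the whitespace trim every other conditional in this file uses; `{{- end }}` avoids a stray indented blank line in the rendered `volumes` list.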


@ -22,8 +22,8 @@ metadata:
name: nova-ssh name: nova-ssh
type: Opaque type: Opaque
data: data:
ssh-key-private: {{ .Values.conf.ssh_private | b64enc }} private-key: {{ .Values.network.ssh.private_key | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.network.ssh.public_key "key" "public-key" "format" "Secret" ) | indent 2 }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -261,11 +261,16 @@ network:
enabled: false enabled: false
port: 30682 port: 30682
ssh: ssh:
name: "nova-ssh"
port: 8022
sshd:
enabled: false enabled: false
from_subnet: 0.0.0.0/24 port: 8022
from_subnet: 0.0.0.0/0
key_types:
- rsa
- dsa
- ecdsa
- ed25519
private_key: 'null'
public_key: 'null'
dependencies: dependencies:
dynamic: dynamic:
@ -514,13 +519,6 @@ console:
# IF blank, search default routing interface # IF blank, search default routing interface
vncserver_proxyclient_interface: vncserver_proxyclient_interface:
ssh:
key_types:
- rsa
- dsa
- ecdsa
- ed25519
ceph_client: ceph_client:
configmap: ceph-etc configmap: ceph-etc
user_secret_name: pvc-ceph-client-key user_secret_name: pvc-ceph-client-key
@ -608,13 +606,6 @@ conf:
user: "cinder" user: "cinder"
keyring: null keyring: null
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337 secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
ssh: |
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Port {{ .Values.network.ssh.port }}
ssh_private: 'null'
ssh_public: 'null'
rally_tests: rally_tests:
run_tempest: false run_tempest: false
clean_up: | clean_up: |
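Review bot: `from_subnet` now defaults to `0.0.0.0/0` (first hunk), and ssh-start.sh renders that as `Match Address 0.0.0.0/0` followed by `PermitRootLogin without-password`, so with chart defaults root key login to the sshd container is accepted from any source address. The old `0.0.0.0/24` was not a usable network either; a safer default is an empty value that the template rejects, with a comment `# CIDR of the live-migration network; sshd permits root key login only from here`. `private_key: 'null'` and `public_key: 'null'` are the literal string `null` (the quotes are correct for that), so enabling ssh without overrides renders a Secret whose key material is the text `null`; an empty default guarded by `required` in the secret template fails earlier and more clearly. Generating the key pair at deploy time rather than storing it in values avoids both problems.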


@ -0,0 +1,34 @@
---
network:
ssh:
enabled: true
private_key: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfgGkoPxu6jVqyBTGDlhGqoFFaTymMOH3pDRzrzXCVodqrtv1heBAyi7L63+MZ+m/facDDo43hWzhFLmmMgD00AS7L+VH+oeEwKVCfq0HN3asKLadpweBQVAkGX7PzjRKF25qj6J7iVpKAf1NcnJCsWL3b+wC9mwK7TmupOmWra8BrfP7Fvek1RLx3lwk+ZZ9lUlm6o+jwXn/9rCEFa7ywkGpdrPRBNHQshGjDlJPi15boXIKxOmoZ/DszkJq7iLYQnwa4Kdb0dJ9OE/l2LLBiEpkMlTnwXA7QCS5jEHXwW78b4BOZvqrFflga+YldhDmkyRRfnhcF5Ok2zQmx9Q+t root@openstack-helm
public_key: |
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
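Review bot: The two values are swapped — `private_key` holds an `ssh-rsa ...` public-key line while `public_key` holds the `-----BEGIN RSA PRIVATE KEY-----` block; the secret template passes `private_key` through `b64enc` as `private-key` and `public_key` through `values_template_renderer` as `public-key`, so the private key lands in `authorized_keys` and the public key is what ssh-init.sh `chmod 600`s as `id_rsa`. Swap the two values. Since this private key is now in version control it should be treated as disclosed and not reused anywhere; a key pair generated at deploy time and kept out of the repository is the better shape for this override as well.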