diff --git a/nova/templates/bin/_ssh-start.sh.tpl b/nova/templates/bin/_ssh-start.sh.tpl
new file mode 100644
index 0000000000..1c10cb0741
--- /dev/null
+++ b/nova/templates/bin/_ssh-start.sh.tpl
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+IFS=','
+for KEY_TYPE in $KEY_TYPES; do
+ KEY_PATH=/etc/ssh/ssh_host_${KEY_TYPE}_key
+ if [[ ! -f "${KEY_PATH}" ]]; then
+ ssh-keygen -q -t ${KEY_TYPE} -f ${KEY_PATH} -N ""
+ fi
+done
+IFS=''
+
+mkdir -p ~nova/.ssh
+
+if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
+ chown nova: ~nova/.ssh
+fi
+
+chmod 0600 ~root/.ssh/authorized_keys
+chmod 0600 ~root/.ssh/id_rsa
+chmod 0600 ~root/.ssh/id_rsa.pub
+
+exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
index 4a7ed6440c..bc19de69be 100644
--- a/nova/templates/configmap-bin.yaml
+++ b/nova/templates/configmap-bin.yaml
@@ -65,4 +65,6 @@ data:
 {{ tuple "bin/_nova-vnc-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 nova-vnc-proxy-init.sh: |
 {{ tuple "bin/_nova-vnc-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ssh-start.sh: |
+{{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 442cf6f622..ee5507b4d5 100644
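Review bot: The host keys the for loop writes under /etc/ssh are not backed by any volume in the daemonset-compute.yaml hunks of this commit, so they are regenerated on every container restart, which is presumably why the client config in _ssh-config.tpl has to switch host-key checking off. Persisting /etc/ssh, or rendering a fixed host key pair the same way the user key is supplied, would let peers pin the server key instead. `IFS=''` after the loop does not restore the default separator but disables word splitting for the rest of the script; `unset IFS` is the usual reset. On the ssh-keygen line `${KEY_TYPE}` and `${KEY_PATH}` are unquoted while the `-f` test just above quotes the same path, worth making consistent. If the ConfigMap volume behind the three ~root/.ssh files is mounted read-only on the target cluster, the `chmod 0600` calls fail and `set -e` aborts the container; setting the mode through the volume's `defaultMode`/`items[].mode` would avoid depending on a writable mount.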
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -114,4 +114,6 @@ data:
 {{- tuple .Values.conf.rootwrap_filters.network "etc/rootwrap.d/_network.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 nova.conf: |+
 {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova | indent 4 }}
+ ssh-config.sh: |+
+{{- tuple .Values.conf.ssh "etc/_ssh-config.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 6f21f03fbb..ee0c7aa7ee 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -162,6 +162,10 @@ spec:
 mountPath: /etc/nova/rootwrap.d/network.filters
 subPath: network.filters
 readOnly: true
+ - name: nova-etc
+ mountPath: /root/.ssh/config
+ subPath: ssh-config
+ readOnly: true
 {{- if .Values.ceph.enabled }}
 - name: etcceph
 mountPath: /etc/ceph
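Review bot: The key added here is `ssh-config.sh`, but the daemonset-compute.yaml hunk in the same commit mounts it from the nova-etc volume as `subPath: ssh-config`; unless the configmap_templater helper renames the key (it only renders the content as far as I can tell), that subPath will not resolve and the pod will fail to mount. Rename one side, e.g. ` ssh-config: |+` here, since the file lands at /root/.ssh/config and is not a script. The `ssh-key-private` and `ssh-key-public` subPaths the daemonset also takes from nova-etc are not defined anywhere in this diff, so they presumably come from another change; as nova-etc appears to be the ConfigMap that also carries the rootwrap filters, the private key would be better served from a Secret volume than from a ConfigMap.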
@@ -191,6 +195,39 @@ spec:
 mountPath: /etc/machine-id
 readOnly: true
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ - name: nova-compute-ssh
+ image: {{ .Values.images.compute_ssh }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ privileged: true
+ env:
+ - name: KEY_TYPES
+ value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
+ - name: SSH_PORT
+ value: {{ .Values.network.ssh.port | quote }}
+ ports:
+ - containerPort: {{ .Values.network.ssh.port }}
+ command:
+ - /tmp/ssh-start.sh
+ volumeMounts:
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ - name: varliblibvirt
+ mountPath: /var/lib/libvirt
+ - name: nova-etc
+ mountPath: /root/.ssh/id_rsa
+ subPath: ssh-key-private
+ - name: nova-etc
+ mountPath: /root/.ssh/id_rsa.pub
+ subPath: ssh-key-public
+ - name: nova-etc
+ mountPath: /root/.ssh/authorized_keys
+ subPath: ssh-key-public
+ - name: nova-bin
+ mountPath: /tmp/ssh-start.sh
+ subPath: ssh-start.sh
+ readOnly: true
 volumes:
 - name: nova-bin
 configMap:
diff --git a/nova/templates/etc/_ssh-config.tpl b/nova/templates/etc/_ssh-config.tpl
new file mode 100644
index 0000000000..ca2966bf3a
--- /dev/null
+++ b/nova/templates/etc/_ssh-config.tpl
@@ -0,0 +1,4 @@
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ Port {{ .Values.network.ssh.port }}
diff --git a/nova/values.yaml b/nova/values.yaml
index dccf60ded8..003d86e134 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
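Review bot: The new nova-compute-ssh container sets `privileged: true`, which sshd does not need to listen, authenticate and spawn shells, and since the same public key is installed as authorized_keys on every node, a privileged root sshd turns any holder of that one key into unconfined root on every compute host. Unless a concrete capability is required for the migration transfer, drop the securityContext or replace it with the specific capabilities needed. The three key mounts omit `readOnly: true` while the config and script mounts set it, presumably so the start script's chmod can run; using the volume's `defaultMode` for the 0600 mode would let them be read-only as well. If the daemonset runs with hostNetwork (not visible in this hunk), `containerPort` {{ .Values.network.ssh.port }} is reachable on every node interface, so an `-o ListenAddress=` on the migration network or a NetworkPolicy would narrow the exposure.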
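Review bot: `StrictHostKeyChecking no` combined with `UserKnownHostsFile /dev/null` removes server authentication entirely, so the client will hand its session to whatever answers on the migration port; key-based client authentication does not compensate for that. Once the host keys are stable (see the note on the ssh-start.sh hunk), render a known_hosts from the same values and point `UserKnownHostsFile` at it with checking left on. Until then, narrowing `Host *` to the compute address range at least keeps the relaxed settings from applying to every ssh destination the root user reaches from this container.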
@@ -60,6 +60,7 @@ images:
 novncproxy_assets: docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3
 consoleauth: docker.io/kolla/ubuntu-source-nova-consoleauth:3.0.3
 compute: docker.io/kolla/ubuntu-source-nova-compute:3.0.3
+ compute_ssh: docker.io/kolla/ubuntu-source-nova-ssh:3.0.3
 bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
 dep_check: docker.io/kolla/ubuntu-source-kubernetes-entrypoint:4.0.0
 pull_policy: "IfNotPresent"
@@ -124,6 +125,9 @@ network:
 port: 36080
 port: 6080
 targetPort: 6080
+ ssh:
+ name: "nova-ssh"
+ port: 8022
 ceph:
 enabled: true
@@ -255,7 +259,17 @@ console:
 # IF blank, search default routing interface
 vncserver_proxyclient_interface:
+ssh:
+ key_types:
+ - rsa
+ - dsa
+ - ecdsa
+ - ed25519
+
 conf:
+ ssh:
+ override:
+ append:
 rally_tests:
 run_tempest: false
 override:
@@ -940,6 +954,13 @@ pod:
 limits:
 memory: "1024Mi"
 cpu: "2000m"
+ ssh:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
 novncproxy:
 requests:
 memory: "128Mi"
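Review bot: `dsa` in the new `ssh.key_types` list makes ssh-start.sh generate an ssh-dss host key that OpenSSH 7.0 and later no longer offer by default, so it adds a key nobody can negotiate; the list can be reduced to ` - rsa`, ` - ecdsa`, ` - ed25519`. The empty `conf.ssh.override` and `append` keys are the expected inputs of the configmap_templater helper, but a one-line comment such as `# raw ssh_config text that replaces / follows the rendered _ssh-config.tpl` would tell readers of values.yaml what goes there. The `pod.resources.ssh` limits appear to be copied from the neighbouring services; 2000m CPU and 1024Mi for an sshd sidecar is generous and may be worth tightening once real usage is measured.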