Generate ssh key

2019-04-05 09:52:51 +00:00 · 2019-04-05 09:52:51 +00:00 · 08344df2ed
commit 08344df2ed
parent 31a7934291
5 changed files with 75 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -77,6 +77,8 @@ kind: Zuul
 metadata:
  name: example-zuul
 spec:
+  # Optional user-provided ssh key
+  sshsecretename: ""
  merger:
    instances: 0
  executor:
@ -95,6 +97,10 @@ $ oc get zuul
 NAME           AGE
 example-zuul   10s

+# Get zuul public key
+$ oc get secret example-ssh-secret-pub -o "jsonpath={.data.id_rsa\.pub}" | base64 -d
+ssh-rsa AAAAB3Nza...
+
 $ oc get pods
 NAME                                      READY     STATUS      RESTARTS   AGE
 example-zuul-executor-696f969c4-6cpjv     1/1       Running     0          8s
--- a/ansible/group_vars/all.yaml
+++ b/ansible/group_vars/all.yaml
@ -6,6 +6,7 @@ tenants:
  - tenant:
      name: demo
      source: {}
+sshsecretname: "{{ zuul_cluster_name }}-ssh-secret"
 connections: []
 merger:
  instances: 0
@ -20,7 +21,10 @@ zuul_app_name: "zuul"
 zuul_cluster_name: "{{ meta.name }}"

 zuul_version: "latest" #"3.7.1"
-zuul_image_name_base: "docker.io/zuul/zuul"
+# Use local image for https://review.openstack.org/650246
+#zuul_image_name_base: "docker.io/zuul/zuul"
+zuul_image_name_base: "172.30.1.1:5000/myproject/zuul"
+
 zuul_image_name:
  scheduler: "{{ zuul_image_name_base }}-scheduler:{{ zuul_version }}"
  merger: "{{ zuul_image_name_base }}-merger:{{ zuul_version }}"
--- a/ansible/roles/create_config/tasks/main.yaml
+++ b/ansible/roles/create_config/tasks/main.yaml
@ -25,6 +25,50 @@
          - username: dGVzdHVzZXI=
            password: UE5xOEVFVTBxTQ==

+- name: Create ssh key
+  when: not zuul_ssh_key
+  block:
+    - name: Create ssh key
+      command: "ssh-keygen -f /opt/ansible/ssh-{{ zuul_cluster_name }} -t rsa -N '' -C zuul"
+      args:
+        creates: "/opt/ansible/ssh-{{ zuul_cluster_name }}"
+
+    - name: Create ssh secret
+      k8s:
+        state: "{{ state }}"
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            labels:
+              app: "{{ zuul_app_name }}"
+              zuul_cluster: "{{ zuul_cluster_name }}"
+            name: "{{ sshsecretname }}"
+            namespace: "{{ namespace }}"
+          type: Opaque
+          stringData:
+            id_rsa: |-
+              {{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name) }}
+
+    - name: Create ssh pub secret
+      k8s:
+        state: "{{ state }}"
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            labels:
+              app: "{{ zuul_app_name }}"
+              zuul_cluster: "{{ zuul_cluster_name }}"
+            name: "{{ sshsecretname }}-pub"
+            namespace: "{{ namespace }}"
+          type: Opaque
+          stringData:
+            id_rsa.pub: |-
+              {{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name + '.pub') }}
+
+    # TODO: cleanup key file from operator pod
+
 - name: Create the scheduler configmap
  k8s:
    state: "{{ state }}"
@ -58,6 +102,9 @@

          {% for connection in connections %}
          [connection {{ connection["name"] }}]
+          {% if connection["driver"] == "gerrit" %}
+          sshkey=/var/lib/zuul/ssh-secret/id_rsa
+          {% endif %}
          {% for k, v in connection.items() %}{% if k != "name" %}
          {{ k }}={{ v }}
          {% endif %}{% endfor %}
@ -105,12 +152,19 @@
          listen_address=0.0.0.0
          port=9000

+          [executor]
+          # TODO: add secret map for executor ssh key
+          private_key_file=/var/lib/zuul/ssh-secret/id_rsa
+
          [connection sqlreporter]
          driver=sql
          dburi=postgresql://{{ zuul_pg_user[0]["username"] | b64decode }}:{{ zuul_pg_user[0]["password"] | b64decode }}@{{ pg_cluster_name }}/zuul

          {% for connection in connections %}
          [connection {{ connection["name"] }}]
+          {% if connection["driver"] == "gerrit" %}
+          sshkey=/var/lib/zuul/ssh-secret/id_rsa
+          {% endif %}
          {% for k, v in connection.items() %}{% if k != "name" %}
          {{ k }}={{ v }}
          {% endif %}{% endfor %}
--- a/ansible/roles/deploy/tasks/create_deployment.yaml
+++ b/ansible/roles/deploy/tasks/create_deployment.yaml
@ -39,7 +39,10 @@
                readOnly: true
              - mountPath: "/var/lib/zuul"
                name: zuul-data-volume
+              - mountPath: "/var/lib/zuul/ssh-secret/"
+                name: zuul-ssh-key
              command:
+                - "/uid_entrypoint"
                - "zuul-{{ deployment_name }}"
                - "-d"
            volumes:
@ -48,3 +51,7 @@
                  name: "{{ deployment_config|default(zuul_configmap_name) }}"
              - name: zuul-data-volume
                emptyDir: {}
+              - name: zuul-ssh-key
+                secret:
+                  secretName: "{{ sshsecretname }}"
+                  defaultMode: 256
--- a/ansible/roles/get_status/tasks/main.yaml
+++ b/ansible/roles/get_status/tasks/main.yaml
@ -3,14 +3,16 @@
    label_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_app_name }}"
    sched_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_cluster_name }}-scheduler"
    pg_user_query: "[?metadata.name=='{{ pg_cluster_name }}-zuul-secret'].data"
+    ssh_key_query: "[?metadata.name=='{{ sshsecretname }}'].data"

 - name: lookup k8s secrets
  set_fact:
    secrets_lookup: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, label_selector=label_selector_value) }}"

- name: lookup pg user
+- name: lookup cluster secret
  set_fact:
    zuul_pg_user: "{{ secrets_lookup | json_query(pg_user_query) }}"
+    zuul_ssh_key: "{{ secrets_lookup | json_query(ssh_key_query) }}"

 - name: lookup k8s postgres cr
  set_fact: