diff --git a/README.md b/README.md index 71e2f2d..3390fa0 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,8 @@ kind: Zuul metadata: name: example-zuul spec: + # Optional user-provided ssh key + sshsecretename: "" merger: instances: 0 executor: @@ -95,6 +97,10 @@ $ oc get zuul NAME AGE example-zuul 10s +# Get zuul public key +$ oc get secret example-ssh-secret-pub -o "jsonpath={.data.id_rsa\.pub}" | base64 -d +ssh-rsa AAAAB3Nza... + $ oc get pods NAME READY STATUS RESTARTS AGE example-zuul-executor-696f969c4-6cpjv 1/1 Running 0 8s diff --git a/ansible/group_vars/all.yaml b/ansible/group_vars/all.yaml index aabe50c..b7e498f 100644 --- a/ansible/group_vars/all.yaml +++ b/ansible/group_vars/all.yaml @@ -6,6 +6,7 @@ tenants: - tenant: name: demo source: {} +sshsecretname: "{{ zuul_cluster_name }}-ssh-secret" connections: [] merger: instances: 0 @@ -20,7 +21,10 @@ zuul_app_name: "zuul" zuul_cluster_name: "{{ meta.name }}" zuul_version: "latest" #"3.7.1" -zuul_image_name_base: "docker.io/zuul/zuul" +# Use local image for https://review.openstack.org/650246 +#zuul_image_name_base: "docker.io/zuul/zuul" +zuul_image_name_base: "172.30.1.1:5000/myproject/zuul" + zuul_image_name: scheduler: "{{ zuul_image_name_base }}-scheduler:{{ zuul_version }}" merger: "{{ zuul_image_name_base }}-merger:{{ zuul_version }}" diff --git a/ansible/roles/create_config/tasks/main.yaml b/ansible/roles/create_config/tasks/main.yaml index efddc83..89476c6 100644 --- a/ansible/roles/create_config/tasks/main.yaml +++ b/ansible/roles/create_config/tasks/main.yaml 
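Review bot: The new default `sshsecretname: "{{ zuul_cluster_name }}-ssh-secret"` does not match the CR field the README hunk in this same commit documents, `sshsecretename: ""` (extra `e`), so a user who copies the README example sets a key the playbook never reads. Beyond the spelling, the README example sets the value to an empty string; if CR spec fields are injected as extra vars (which take precedence over group_vars), that example would override this default with `""` and `name: "{{ sshsecretname }}"` in the Secret definitions would be empty — worth confirming against how spec fields reach the play. Either spell both the same and document that the field should be omitted rather than set to `""`, or resolve the effective name with a fallback where it is consumed, e.g. `"{{ sshsecretname | default(zuul_cluster_name ~ '-ssh-secret', true) }}"`.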
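Review bot: `zuul_image_name_base: "172.30.1.1:5000/myproject/zuul"` commits a cluster-internal registry address as the default image source for every deployment, with the upstream `docker.io/zuul/zuul` base commented out. The comment ties this to review 650246, so it reads as a temporary workaround; keeping the upstream default here and overriding the base via the CR spec or extra vars would avoid shipping an address other clusters cannot pull from, and would keep this file untouched when that review lands. If it has to stay, mark it as such so it is not mistaken for a deliberate default, e.g. `# TEMPORARY: revert to docker.io/zuul/zuul once review 650246 merges`.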
@@ -25,6 +25,50 @@ - username: dGVzdHVzZXI= password: UE5xOEVFVTBxTQ== +- name: Create ssh key + when: not zuul_ssh_key + block: + - name: Create ssh key + command: "ssh-keygen -f /opt/ansible/ssh-{{ zuul_cluster_name }} -t rsa -N '' -C zuul" + args: + creates: "/opt/ansible/ssh-{{ zuul_cluster_name }}" + + - name: Create ssh secret + k8s: + state: "{{ state }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + labels: + app: "{{ zuul_app_name }}" + zuul_cluster: "{{ zuul_cluster_name }}" + name: "{{ sshsecretname }}" + namespace: "{{ namespace }}" + type: Opaque + stringData: + id_rsa: |- + {{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name) }} + + - name: Create ssh pub secret + k8s: + state: "{{ state }}" + definition: + apiVersion: v1 + kind: Secret + metadata: + labels: + app: "{{ zuul_app_name }}" + zuul_cluster: "{{ zuul_cluster_name }}" + name: "{{ sshsecretname }}-pub" + namespace: "{{ namespace }}" + type: Opaque + stringData: + id_rsa.pub: |- + {{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name + '.pub') }} + + # TODO: cleanup key file from operator pod + - name: Create the scheduler configmap k8s: state: "{{ state }}" @@ -58,6 +102,9 @@ {% for connection in connections %} [connection {{ connection["name"] }}] + {% if connection["driver"] == "gerrit" %} + sshkey=/var/lib/zuul/ssh-secret/id_rsa + {% endif %} {% for k, v in connection.items() %}{% if k != "name" %} {{ k }}={{ v }} {% endif %}{% endfor %} 
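Review bot: The generated private key stays on the operator container's filesystem at `/opt/ansible/ssh-{{ zuul_cluster_name }}` after its contents have been copied into the Secret; the `# TODO: cleanup key file from operator pod` acknowledges this, but the fix is small enough to include in this change. Once both Secrets exist, the `when: not zuul_ssh_key` gate (populated by the get_status change in this commit) is what prevents regeneration on the next reconcile, so the `creates:` guard on ssh-keygen does not require the files to survive. Note also that `lookup('file', ...)` strips the trailing newline by default and `|-` keeps it stripped, so the stored key lacks its final newline — worth checking the consumers accept that, or pass `rstrip=False`. The block and its first task both carry the name `Create ssh key`, which makes play output ambiguous; renaming the block (e.g. `Generate ssh key and secrets`) would help.
```yaml
- name: Generate ssh key and secrets
  when: not zuul_ssh_key
  block:
    # … unchanged: ssh-keygen command, Create ssh secret, Create ssh pub secret …

    - name: Remove generated key files from the operator pod
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "/opt/ansible/ssh-{{ zuul_cluster_name }}"
        - "/opt/ansible/ssh-{{ zuul_cluster_name }}.pub"
```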
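Review bot: The new `sshkey=/var/lib/zuul/ssh-secret/id_rsa` line is emitted for every gerrit connection, but the `{% for k, v in connection.items() %}` loop directly after it still writes every key of the connection mapping, so a connection that already carries its own `sshkey` produces two `sshkey=` entries in the same section — depending on the parser that is silently last-wins or a duplicate-option error. Guarding the default on the key's absence, `{% if connection["driver"] == "gerrit" and "sshkey" not in connection %}`, keeps a user-provided key authoritative. The same pattern is added to the executor config in the `@@ -105,12 +152,19 @@` hunk and needs the same guard; the enclosing template and task start outside this hunk.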
@@ -105,12 +152,19 @@ listen_address=0.0.0.0 port=9000 + [executor] + # TODO: add secret map for executor ssh key + private_key_file=/var/lib/zuul/ssh-secret/id_rsa + [connection sqlreporter] driver=sql dburi=postgresql://{{ zuul_pg_user[0]["username"] | b64decode }}:{{ zuul_pg_user[0]["password"] | b64decode }}@{{ pg_cluster_name }}/zuul {% for connection in connections %} [connection {{ connection["name"] }}] + {% if connection["driver"] == "gerrit" %} + sshkey=/var/lib/zuul/ssh-secret/id_rsa + {% endif %} {% for k, v in connection.items() %}{% if k != "name" %} {{ k }}={{ v }} {% endif %}{% endfor %} diff --git a/ansible/roles/deploy/tasks/create_deployment.yaml b/ansible/roles/deploy/tasks/create_deployment.yaml index 11a09cf..3ff2cd7 100644 --- a/ansible/roles/deploy/tasks/create_deployment.yaml +++ b/ansible/roles/deploy/tasks/create_deployment.yaml @@ -39,7 +39,10 @@ readOnly: true - mountPath: "/var/lib/zuul" name: zuul-data-volume + - mountPath: "/var/lib/zuul/ssh-secret/" + name: zuul-ssh-key command: + - "/uid_entrypoint" - "zuul-{{ deployment_name }}" - "-d" volumes: @@ -48,3 +51,7 @@ name: "{{ deployment_config|default(zuul_configmap_name) }}" - name: zuul-data-volume emptyDir: {} + - name: zuul-ssh-key + secret: + secretName: "{{ sshsecretname }}" + defaultMode: 256 diff --git a/ansible/roles/get_status/tasks/main.yaml b/ansible/roles/get_status/tasks/main.yaml index aa5ad18..dfa3dcc 100644 --- a/ansible/roles/get_status/tasks/main.yaml +++ b/ansible/roles/get_status/tasks/main.yaml 
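Review bot: `private_key_file=/var/lib/zuul/ssh-secret/id_rsa` points the executor at the same private key the gerrit connections in this template use, so a single key now authorises both node logins from the executor and review-system access; issuing separate keys would contain a compromise of either side. The `# TODO: add secret map for executor ssh key` line sits inside the rendered zuul.conf, so it is shipped into every executor config, and since the create_deployment change in this commit already mounts `zuul-ssh-key` into the deployment it appears to be stale — if it is still a reminder, a YAML comment outside the template is the better place. The enclosing template and task start outside this hunk.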
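Review bot: The `zuul-ssh-key` mount at `/var/lib/zuul/ssh-secret/` is added to a deployment template parameterised by `deployment_name`, so every component rendered from it receives the private key, including any that never opens an SSH connection (a web front end, if it is rendered from the same file). If the template is shared that way, driving the volume and mount from a variable listing the components that actually use the key would keep it out of pods that do not need it. The mount also nests inside the `/var/lib/zuul` emptyDir mount on the line above; Kubernetes handles nested mounts, but a comment such as `# nested inside the zuul-data-volume mount on purpose` would spare the next reader a double take.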
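Review bot: `defaultMode: 256` is right for an owner-read-only private key but reads as an arbitrary number; an inline comment, `defaultMode: 256  # 0400: private key readable only by the container user`, makes the intent visible without relying on octal parsing. The Secret is also projected whole, so if the user-provided Secret referenced by `sshsecretname` carries more entries than `id_rsa` they all land in `/var/lib/zuul/ssh-secret/`; an `items:` list selecting `id_rsa` only would pin exactly what the pods see and fail early when the expected key is missing.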
@@ -3,14 +3,16 @@ label_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_app_name }}" sched_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_cluster_name }}-scheduler" pg_user_query: "[?metadata.name=='{{ pg_cluster_name }}-zuul-secret'].data" + ssh_key_query: "[?metadata.name=='{{ sshsecretname }}'].data" - name: lookup k8s secrets set_fact: secrets_lookup: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, label_selector=label_selector_value) }}" -- name: lookup pg user +- name: lookup cluster secret set_fact: zuul_pg_user: "{{ secrets_lookup | json_query(pg_user_query) }}" + zuul_ssh_key: "{{ secrets_lookup | json_query(ssh_key_query) }}" - name: lookup k8s postgres cr set_fact:
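Review bot: `ssh_key_query` filters `secrets_lookup`, which is itself restricted by `label_selector_value` to Secrets carrying the `zuul_cluster` and `app` labels; a user-supplied Secret named through `sshsecretname` will usually not carry those labels, so `zuul_ssh_key` would stay empty and, through `when: not zuul_ssh_key` in create_config, the operator would generate its own key and write it under the user's Secret name. If that reading is right, looking the Secret up by name sidesteps the label dependency: `zuul_ssh_key: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=sshsecretname) }}"`. Since the fact now holds private key material, `no_log: true` on this `set_fact` task keeps it out of verbose run output.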