Generate ssh key

This commit is contained in:
Tristan Cacqueray 2019-04-05 09:52:51 +00:00
parent 31a7934291
commit 08344df2ed
5 changed files with 75 additions and 2 deletions


@ -77,6 +77,8 @@ kind: Zuul
metadata: metadata:
name: example-zuul name: example-zuul
spec: spec:
# Optional user-provided ssh key
sshsecretename: ""
merger: merger:
instances: 0 instances: 0
executor: executor:
@ -95,6 +97,10 @@ $ oc get zuul
NAME AGE NAME AGE
example-zuul 10s example-zuul 10s
# Get zuul public key
$ oc get secret example-ssh-secret-pub -o "jsonpath={.data.id_rsa\.pub}" | base64 -d
ssh-rsa AAAAB3Nza...
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
example-zuul-executor-696f969c4-6cpjv 1/1 Running 0 8s example-zuul-executor-696f969c4-6cpjv 1/1 Running 0 8s
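Review bot: The example spec field in the first hunk is spelled `sshsecretename`, while the variable the role reads is `sshsecretname` (the defaults file and the Secret `name:` fields elsewhere in this commit use that spelling), so a user who copies the example will presumably have the setting ignored; change the line to `sshsecretname: ""`. The comment above it could also say what an empty value means, since the defaults file derives a name from the cluster name when the field is not set.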


@ -6,6 +6,7 @@ tenants:
- tenant: - tenant:
name: demo name: demo
source: {} source: {}
sshsecretname: "{{ zuul_cluster_name }}-ssh-secret"
connections: [] connections: []
merger: merger:
instances: 0 instances: 0
@ -20,7 +21,10 @@ zuul_app_name: "zuul"
zuul_cluster_name: "{{ meta.name }}" zuul_cluster_name: "{{ meta.name }}"
zuul_version: "latest" #"3.7.1" zuul_version: "latest" #"3.7.1"
zuul_image_name_base: "docker.io/zuul/zuul" # Use local image for https://review.openstack.org/650246
#zuul_image_name_base: "docker.io/zuul/zuul"
zuul_image_name_base: "172.30.1.1:5000/myproject/zuul"
zuul_image_name: zuul_image_name:
scheduler: "{{ zuul_image_name_base }}-scheduler:{{ zuul_version }}" scheduler: "{{ zuul_image_name_base }}-scheduler:{{ zuul_version }}"
merger: "{{ zuul_image_name_base }}-merger:{{ zuul_version }}" merger: "{{ zuul_image_name_base }}-merger:{{ zuul_version }}"
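Review bot: The default image base in the second hunk now points at a local registry, `172.30.1.1:5000/myproject/zuul`, with the upstream `docker.io/zuul/zuul` value left as a comment, so a fresh deployment outside that development environment cannot pull images; this is also unrelated to the ssh-key change named in the commit title. Keep `zuul_image_name_base: "docker.io/zuul/zuul"` as the default and carry the local override in the CR or an inventory variable until the referenced review lands. The rendering fuses the removed line with the new comment line, so the exact old/new split is inferred.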


@ -25,6 +25,50 @@
- username: dGVzdHVzZXI= - username: dGVzdHVzZXI=
password: UE5xOEVFVTBxTQ== password: UE5xOEVFVTBxTQ==
- name: Create ssh key
when: not zuul_ssh_key
block:
- name: Create ssh key
command: "ssh-keygen -f /opt/ansible/ssh-{{ zuul_cluster_name }} -t rsa -N '' -C zuul"
args:
creates: "/opt/ansible/ssh-{{ zuul_cluster_name }}"
- name: Create ssh secret
k8s:
state: "{{ state }}"
definition:
apiVersion: v1
kind: Secret
metadata:
labels:
app: "{{ zuul_app_name }}"
zuul_cluster: "{{ zuul_cluster_name }}"
name: "{{ sshsecretname }}"
namespace: "{{ namespace }}"
type: Opaque
stringData:
id_rsa: |-
{{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name) }}
- name: Create ssh pub secret
k8s:
state: "{{ state }}"
definition:
apiVersion: v1
kind: Secret
metadata:
labels:
app: "{{ zuul_app_name }}"
zuul_cluster: "{{ zuul_cluster_name }}"
name: "{{ sshsecretname }}-pub"
namespace: "{{ namespace }}"
type: Opaque
stringData:
id_rsa.pub: |-
{{lookup('file', '/opt/ansible/ssh-' + zuul_cluster_name + '.pub') }}
# TODO: cleanup key file from operator pod
- name: Create the scheduler configmap - name: Create the scheduler configmap
k8s: k8s:
state: "{{ state }}" state: "{{ state }}"
@ -58,6 +102,9 @@
{% for connection in connections %} {% for connection in connections %}
[connection {{ connection["name"] }}] [connection {{ connection["name"] }}]
{% if connection["driver"] == "gerrit" %}
sshkey=/var/lib/zuul/ssh-secret/id_rsa
{% endif %}
{% for k, v in connection.items() %}{% if k != "name" %} {% for k, v in connection.items() %}{% if k != "name" %}
{{ k }}={{ v }} {{ k }}={{ v }}
{% endif %}{% endfor %} {% endif %}{% endfor %}
@ -105,12 +152,19 @@
listen_address=0.0.0.0 listen_address=0.0.0.0
port=9000 port=9000
[executor]
# TODO: add secret map for executor ssh key
private_key_file=/var/lib/zuul/ssh-secret/id_rsa
[connection sqlreporter] [connection sqlreporter]
driver=sql driver=sql
dburi=postgresql://{{ zuul_pg_user[0]["username"] | b64decode }}:{{ zuul_pg_user[0]["password"] | b64decode }}@{{ pg_cluster_name }}/zuul dburi=postgresql://{{ zuul_pg_user[0]["username"] | b64decode }}:{{ zuul_pg_user[0]["password"] | b64decode }}@{{ pg_cluster_name }}/zuul
{% for connection in connections %} {% for connection in connections %}
[connection {{ connection["name"] }}] [connection {{ connection["name"] }}]
{% if connection["driver"] == "gerrit" %}
sshkey=/var/lib/zuul/ssh-secret/id_rsa
{% endif %}
{% for k, v in connection.items() %}{% if k != "name" %} {% for k, v in connection.items() %}{% if k != "name" %}
{{ k }}={{ v }} {{ k }}={{ v }}
{% endif %}{% endfor %} {% endif %}{% endfor %}
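Review bot: The `Create ssh secret` task in the first hunk hands the private key to the `k8s` module through `stringData` in its `definition`, and the module's returned result (and the task output at higher verbosity) echoes the resource it created, so the key can end up in the operator's logs; add `no_log: true` to that task. The key also remains on the operator pod at `/opt/ansible/ssh-{{ zuul_cluster_name }}` after both secrets exist — the TODO at the end of the block acknowledges this — and a `file` task with `state: absent` for the private key file after the secrets are created would close it, while `-b 4096` on the `ssh-keygen` line is cheap hardening over the tool's default size. In the config template hunks, `sshkey=` is written for gerrit connections before the loop that emits every remaining key of the connection, so a connection that already defines `sshkey` gets the option twice in its section; skipping `sshkey` in that loop, or only emitting the default when the connection lacks it, avoids the duplicate.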


@ -39,7 +39,10 @@
readOnly: true readOnly: true
- mountPath: "/var/lib/zuul" - mountPath: "/var/lib/zuul"
name: zuul-data-volume name: zuul-data-volume
- mountPath: "/var/lib/zuul/ssh-secret/"
name: zuul-ssh-key
command: command:
- "/uid_entrypoint"
- "zuul-{{ deployment_name }}" - "zuul-{{ deployment_name }}"
- "-d" - "-d"
volumes: volumes:
@ -48,3 +51,7 @@
name: "{{ deployment_config|default(zuul_configmap_name) }}" name: "{{ deployment_config|default(zuul_configmap_name) }}"
- name: zuul-data-volume - name: zuul-data-volume
emptyDir: {} emptyDir: {}
- name: zuul-ssh-key
secret:
secretName: "{{ sshsecretname }}"
defaultMode: 256
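Review bot: The ssh-secret volume and its mount are added to the shared deployment template, so every component rendered from it (the command is `zuul-{{ deployment_name }}`) receives the private key, presumably including components that never read it, while the generated config only references the key from `[executor]` and gerrit connections. Guard both the mount in the first hunk and the volume in the second with a Jinja condition on `deployment_name` so only the components that use the key get the secret. The new mount also lacks the `readOnly: true` that the neighbouring mount carries; add `readOnly: true` under `name: zuul-ssh-key` for consistency, even though secret volumes are read-only by default.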


@ -3,14 +3,16 @@
label_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_app_name }}" label_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_app_name }}"
sched_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_cluster_name }}-scheduler" sched_selector_value: "zuul_cluster={{ zuul_cluster_name }},app={{ zuul_cluster_name }}-scheduler"
pg_user_query: "[?metadata.name=='{{ pg_cluster_name }}-zuul-secret'].data" pg_user_query: "[?metadata.name=='{{ pg_cluster_name }}-zuul-secret'].data"
ssh_key_query: "[?metadata.name=='{{ sshsecretname }}'].data"
- name: lookup k8s secrets - name: lookup k8s secrets
set_fact: set_fact:
secrets_lookup: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, label_selector=label_selector_value) }}" secrets_lookup: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, label_selector=label_selector_value) }}"
- name: lookup pg user - name: lookup cluster secret
set_fact: set_fact:
zuul_pg_user: "{{ secrets_lookup | json_query(pg_user_query) }}" zuul_pg_user: "{{ secrets_lookup | json_query(pg_user_query) }}"
zuul_ssh_key: "{{ secrets_lookup | json_query(ssh_key_query) }}"
- name: lookup k8s postgres cr - name: lookup k8s postgres cr
set_fact: set_fact: