[Chart] SSH private key support

- Support optionally mounting a SSH private key
  to allow Drydock to interact with remote hosts via
  ssh (e.g. virsh)

Change-Id: Ib83bc53a46497af6d05f4d87595f1000d3178ec0

Makefile

@@ -60,7 +60,7 @@ lint: pep8 helm_lint
 .PHONY: dry-run
 dry-run: clean
 	tools/helm_tk.sh $(HELM)
-	$(HELM) template charts/drydock
+	$(HELM) template --set manifests.secret_ssh_key=true --set conf.ssh.private_key=foo charts/drydock
 
 # Make targets intended for use by the primary targets above.
 

charts/drydock/templates/configmap-etc.yaml

@@ -75,5 +75,11 @@ data:
 {{- else -}}
 {{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
+{{ if .Values.manifests.secret_ssh_key }}
+  ssh-config: |+
+{{- range $option, $val := .Values.conf.ssh.config }}
+    {{ $option }}={{ $val }}
+{{ end }}
+{{- end }}
 ...
 {{- end }}

charts/drydock/templates/deployment.yaml

@@ -73,7 +73,27 @@ spec:
               subPath: policy.yaml
               mountPath: /etc/drydock/policy.yaml
               readOnly: true
+{{- if .Values.manifests.secret_ssh_key }}
+            - name: root-ssh
+              mountPath: /root/.ssh
+            - name: priv-key
+              subPath: PRIVATE_KEY
+              mountPath: /root/.ssh/id_rsa
+              readOnly: true
+            - name: drydock-etc
+              subPath: ssh-config
+              mountPath: /root/.ssh/config
+              readOnly: true
+{{- end }}
       volumes:
+{{- if .Values.manifests.secret_ssh_key }}
+        - name: root-ssh
+          emptyDir: {}
+        - name: priv-key
+          secret:
+            secretName: {{ .Release.Name }}-{{ .Values.secrets.ssh_key }}
+            defaultMode: 0400
+{{- end }}
         - name: etc-drydock
           emptyDir: {}
         - name: drydock-etc

charts/drydock/templates/secret-ssh-key.yaml

@@ -0,0 +1,28 @@
+{{/*
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_ssh_key }}
+{{- $secretName := .Values.secrets.ssh_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-{{ $secretName }}
+type: Opaque
+data:
+  PRIVATE_KEY: |-
+{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}
+...
+{{- end }}

charts/drydock/values.yaml

@@ -113,6 +113,7 @@ manifests:
   job_drydock_db_sync: true
   secret_keystone: true
   secret_database: true
+  secret_ssh_key: false
   configmap_etc: true
   configmap_bin: true
   service_drydock: true
@@ -233,9 +234,20 @@ secrets:
   postgresql:
     admin: drydock-postgresql-admin
     user: drydock-postgresql-user
+  ssh_key: ssh-private-key
 
 # Settings for drydock.conf
 conf:
+  ssh:
+    # A SSH private key strings to mount
+    # to allow Drydock access virsh over SSH
+    # The corresponding public key should be
+    # added to a authorized_keys file to a user
+    # in the libvirt group on the hypervisors
+    private_key: null
+    config:
+      UserKnownHostsFile: '/dev/null'
+      StrictHostKeyChecking: 'no'
   uwsgi:
     threads: 1
     workers: 1
@@ -255,6 +267,7 @@ conf:
       oob_driver:
         - 'drydock_provisioner.drivers.oob.pyghmi_driver.driver.PyghmiDriver'
         - 'drydock_provisioner.drivers.oob.manual_driver.driver.ManualDriver'
+        - 'drydock_provisioner.drivers.oob.libvirt_driver.driver.LibvirtDriver'
       node_driver: 'drydock_provisioner.drivers.node.maasdriver.driver.MaasNodeDriver'
     timeouts:
       drydock_timeout: 5