Cert/key related improvements to gate-multinode
* Adds new config option GATE_SSH_KEY to enable a user-provided SSH key-pair. This applies to both virtmgr and access to the virtual nodes * Adds new config option USE_EXISTING_SECRETS to use already existing manifests for certificates and SSH key files Change-Id: Ic77c7f5cc526dacc137dfe5b97b8fa32e728324e
parent
919b447886
commit
2eb94c51ab
@ -140,6 +140,11 @@ collect_ssh_key() {
|
|||
ssh_keypair_declare
|
||||
fi
|
||||
|
||||
if [[ "${USE_EXISTING_SECRETS}" ]]; then
|
||||
log "Using existing manifests for secrets"
|
||||
return 0
|
||||
fi
|
||||
|
||||
cat << EOF > ${GATE_DEPOT}/airship_ubuntu_ssh_key.yaml
|
||||
---
|
||||
schema: deckhand/Certificate/v1
|
||||
|
|
|
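Review bot: `[[ "${USE_EXISTING_SECRETS}" ]]` at the new guard in collect_ssh_key is a non-empty test, so `USE_EXISTING_SECRETS=0`, `false` or `no` also skips manifest generation; the same test is used in the config hunk, in install_libvirt_key, and in the build-scripts, certificate-generation and deploy hunks. Either state the contract where the variable is exported, `# set to any non-empty value to skip generation`, or normalise it once there and test for a single accepted value everywhere. collect_ssh_key starts before this hunk, and the heredoc the new `return 0` bypasses continues after it.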
@ -20,6 +20,14 @@ export UPSTREAM_DNS=${UPSTREAM_DNS:-"8.8.8.8 8.8.4.4"}
|
|||
export NTP_POOLS=${NTP_POOLS:-"0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"}
|
||||
export NTP_SERVERS=${NTP_SERVERS:-""}
|
||||
|
||||
# key-pair used for drydock/maas auth towards libvirt and access to
|
||||
# the virtual nodes; auto-generated if no value provided
|
||||
export GATE_SSH_KEY=${GATE_SSH_KEY:-""}
|
||||
|
||||
# skip generation of certificates, and other security manifests
|
||||
# auto-generated by default
|
||||
export USE_EXISTING_SECRETS=${USE_EXISTING_SECRETS:-""}
|
||||
|
||||
export SHIPYARD_PASSWORD=${SHIPYARD_OS_PASSWORD:-'password18'}
|
||||
export AIRSHIP_KEYSTONE_URL=${AIRSHIP_KEYSTONE_URL:-'http://keystone.gate.local:80/v3'}
|
||||
|
||||
|
|
|
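Review bot: The comment for `GATE_SSH_KEY` describes a key-pair, but the callers copy `"${GATE_SSH_KEY}"` as the private key and derive the public key by appending `.pub`, so the value is a single path and both files must exist. I would make that explicit: `# path to a private SSH key; "<path>.pub" must exist beside it. Used for drydock/maas auth` / `# towards libvirt and for access to the virtual nodes; a key-pair is generated when unset`. The commit message calls the option GATE_SSH_KEYS, which does not match the name exported here.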
@ -41,8 +41,16 @@ ssh_config_declare() {
|
|||
ssh_keypair_declare() {
|
||||
log Validating SSH keypair exists
|
||||
if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]; then
|
||||
log Generating SSH keypair
|
||||
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
|
||||
if [[ "${GATE_SSH_KEY}" ]]; then
|
||||
log "Using existing SSH keys for VMs"
|
||||
cp "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"
|
||||
chmod 600 "${SSH_CONFIG_DIR}/id_rsa"
|
||||
|
||||
cp "${GATE_SSH_KEY}.pub" "${SSH_CONFIG_DIR}/id_rsa.pub"
|
||||
else
|
||||
log Generating SSH keypair
|
||||
ssh-keygen -N '' -f "${SSH_CONFIG_DIR}/id_rsa" &>> "${LOG_FILE}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
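Review bot: The new GATE_SSH_KEY branch in ssh_keypair_declare copies the user-supplied private key without checking that `${GATE_SSH_KEY}` and `${GATE_SSH_KEY}.pub` exist, and `cp` followed by `chmod 600` leaves the copied key at the umask-derived mode until the chmod runs. A guard plus install sets the mode at creation: `[[ -r "${GATE_SSH_KEY}" && -r "${GATE_SSH_KEY}.pub" ]] || { log "GATE_SSH_KEY or its .pub file is missing"; return 1; }` followed by `install -m 600 -- "${GATE_SSH_KEY}" "${SSH_CONFIG_DIR}/id_rsa"`. Because the branch sits inside `if [ ! -s "${SSH_CONFIG_DIR}/id_rsa" ]`, a later change of GATE_SSH_KEY is ignored once id_rsa exists; that may be intended but deserves a one-line comment.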
@ -301,22 +301,35 @@ make_virtmgr_account() {
|
|||
gen_libvirt_key() {
|
||||
log Removing any existing virtmgr SSH keys
|
||||
sudo rm -rf ~virtmgr/.ssh
|
||||
log Generating new SSH keypair for virtmgr
|
||||
sudo mkdir -p ~virtmgr/.ssh
|
||||
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
|
||||
|
||||
if [[ "${GATE_SSH_KEY}" ]]; then
|
||||
log "Using existing SSH keys for virtmgr"
|
||||
cp "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate
|
||||
cp "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub
|
||||
else
|
||||
log "Generating new SSH keypair for virtmgr"
|
||||
sudo ssh-keygen -N '' -b 2048 -t rsa -f ~virtmgr/.ssh/airship_gate &>> "${LOG_FILE}"
|
||||
fi
|
||||
}
|
||||
|
||||
# Install private key into site definition
|
||||
install_libvirt_key() {
|
||||
export PUB_KEY=$(sudo cat ~virtmgr/.ssh/airship_gate.pub)
|
||||
|
||||
mkdir -p ${TEMP_DIR}/tmp
|
||||
envsubst < "${TEMPLATE_DIR}/authorized_keys.sub" > ${TEMP_DIR}/tmp/virtmgr.authorized_keys
|
||||
sudo cp ${TEMP_DIR}/tmp/virtmgr.authorized_keys ~virtmgr/.ssh/authorized_keys
|
||||
sudo chown -R virtmgr ~virtmgr/.ssh
|
||||
sudo chmod 700 ~virtmgr/.ssh
|
||||
sudo chmod 600 ~virtmgr/.ssh/authorized_keys
|
||||
mkdir -p "${GATE_DEPOT}"
|
||||
|
||||
if [[ "${USE_EXISTING_SECRETS}" ]]; then
|
||||
log "Using existing manifests for secrets"
|
||||
return 0
|
||||
fi
|
||||
|
||||
mkdir -p "${GATE_DEPOT}"
|
||||
cat << EOF > ${GATE_DEPOT}/airship_drydock_kvm_ssh_key.yaml
|
||||
---
|
||||
schema: deckhand/CertificateKey/v1
|
||||
|
|
|
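Review bot: In gen_libvirt_key the new branch uses plain `cp` into `~virtmgr/.ssh`, a directory the function has just created with `sudo mkdir -p`, while the else branch writes there with `sudo ssh-keygen`; unless the invoking user can already write to that directory the copy will fail, and unlike the id_rsa path in ssh_keypair_declare the private key gets no `chmod 600` here (install_libvirt_key later chowns and sets 700 on the directory but leaves the file's mode alone). Suggest `sudo install -m 600 -- "${GATE_SSH_KEY}" ~virtmgr/.ssh/airship_gate` and `sudo install -m 644 -- "${GATE_SSH_KEY}.pub" ~virtmgr/.ssh/airship_gate.pub`. The hunk ends inside install_libvirt_key's heredoc.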
@ -17,6 +17,14 @@ do
|
|||
fi
|
||||
done
|
||||
|
||||
CERTS_PATH="/certs/*.yaml"
|
||||
KEYS_PATH="/gate/*.yaml"
|
||||
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||
then
|
||||
CERTS_PATH=""
|
||||
KEYS_PATH=""
|
||||
fi
|
||||
|
||||
log Building scripts
|
||||
docker run --rm -t \
|
||||
-w /config \
|
||||
|
@ -31,4 +39,5 @@ docker run --rm -t \
|
|||
build-all \
|
||||
--validators \
|
||||
-o /scripts \
|
||||
/config/*.yaml /certs/*.yaml /gate/*.yaml
|
||||
/config/*.yaml ${CERTS_PATH} ${KEYS_PATH}
|
||||
|
||||
|
|
|
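Review bot: `/config/*.yaml ${CERTS_PATH} ${KEYS_PATH}` in the build-all invocation depends on the expansions being unquoted so that the empty values disappear when USE_EXISTING_SECRETS is set; ShellCheck will flag them, and a later quoting fix would pass two empty arguments to the container. A comment preserves the intent, `# CERTS_PATH/KEYS_PATH intentionally unquoted: empty when USE_EXISTING_SECRETS is set`, and an array that is only appended to in the non-existing-secrets case and expanded as `"${extra_paths[@]}"` would remove the dependence on word-splitting altogether. Whether the `*.yaml` globs are meant to expand on the host or inside the container I cannot tell from the hunk. The docker run command starts in the first hunk and its remaining options lie between the two.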
@ -30,6 +30,12 @@ GATE_FILES=($(find "${GATE_DEPOT}" -name '*.yaml' | xargs -n 1 basename | xargs
|
|||
mkdir -p "${CERT_DEPOT}"
|
||||
chmod 777 "${CERT_DEPOT}"
|
||||
|
||||
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||
then
|
||||
log Certificates already provided by manifests
|
||||
exit 0
|
||||
fi
|
||||
|
||||
log Generating certificates
|
||||
docker run --rm -t \
|
||||
-w /tmp \
|
||||
|
|
|
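Review bot: The new early `exit 0` comes after `mkdir -p "${CERT_DEPOT}"` and `chmod 777 "${CERT_DEPOT}"`, so with USE_EXISTING_SECRETS set the script still creates a world-writable directory it will never populate. Moving the `if` block ahead of those two lines avoids that. The message `log Certificates already provided by manifests` is unquoted, unlike `log "Using existing manifests for secrets"` in the other hunks; quoting it keeps the style consistent. The rest of the script lies outside the hunk.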
@ -57,9 +57,15 @@ ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/site"
|
|||
rsync_cmd "${DEFINITION_DEPOT}"/*.yaml "${BUILD_NAME}:${BUILD_WORK_DIR}/site/"
|
||||
|
||||
sleep 120
|
||||
|
||||
check_configdocs_result "$(shipyard_cmd create configdocs design --directory=${BUILD_WORK_DIR}/site --replace)"
|
||||
|
||||
# Skip certs/gate if already part of site manifests
|
||||
if [[ "${USE_EXISTING_SECRETS}" ]]
|
||||
then
|
||||
OMIT_CERTS=1
|
||||
OMIT_GATE=1
|
||||
fi
|
||||
|
||||
if [[ "${OMIT_CERTS}" == "0" ]]
|
||||
then
|
||||
ssh_cmd "${BUILD_NAME}" mkdir -p "${BUILD_WORK_DIR}/certs"
|
||||
|
|
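Review bot: The USE_EXISTING_SECRETS block here overrides OMIT_CERTS and OMIT_GATE silently, whereas every other hunk logs when it skips secrets, so the deploy log would show certs and gate manifests being omitted without saying why. Add `log "USE_EXISTING_SECRETS set, omitting certs and gate manifests"` inside the if. The enclosing script continues on both sides of the hunk.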