Merge "nodepool-builder: add the Zuul SSH public key on pod filesystem"

softwarefactory-project · Oct 25, 2023 · 7f51e92 · 7f51e92
2 parents c11e655 + 3c08bc4
commit 7f51e92
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/controllers/nodepool.go b/controllers/nodepool.go
@@ -58,6 +58,7 @@ var configScriptVolumeMount = apiv1.VolumeMount{
 	Name:      "nodepool-tooling-vol",
 	SubPath:   "generate-config.sh",
 	MountPath: "/usr/local/bin/generate-config.sh",
+	ReadOnly:  true,
 }
 
 func (r *SFController) setNodepoolTooling() {
@@ -359,6 +360,19 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 				},
 			},
 		},
+		{
+			Name: "zuul-ssh-key",
+			VolumeSource: apiv1.VolumeSource{
+				Secret: &apiv1.SecretVolumeSource{
+					SecretName: "zuul-ssh-key",
+					Items: []apiv1.KeyToPath{{
+						Key:  "pub",
+						Path: "pub",
+					}},
+					DefaultMode: &mod,
+				},
+			},
+		},
 		base.MkVolumeCM("nodepool-builder-extra-config-vol",
 			"nodepool-builder-extra-config-config-map"),
 		statsdExporterVolume,
@@ -383,12 +397,18 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 			Name:      "nodepool-tooling-vol",
 			SubPath:   "dib-ansible.py",
 			MountPath: "/usr/local/bin/dib-ansible",
+			ReadOnly:  true,
 		},
 		{
 			Name:      "nodepool-builder-ssh-key",
 			MountPath: "/var/lib/nodepool-ssh-key",
 			ReadOnly:  true,
 		},
+		{
+			Name:      "zuul-ssh-key",
+			MountPath: "/var/lib/zuul-ssh-key",
+			ReadOnly:  true,
+		},
 		{
 			Name:      "nodepool-tooling-vol",
 			SubPath:   "ssh_config",
@@ -399,6 +419,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 			Name:      "nodepool-builder-extra-config-vol",
 			SubPath:   "logging.yaml",
 			MountPath: "/etc/nodepool-logging/logging.yaml",
+			ReadOnly:  true,
 		},
 	}
 
@@ -416,7 +437,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 		"statsd_mapping":         utils.Checksum([]byte(nodepoolStatsdMappingConfig)),
 		// When the Secret ResourceVersion field change (when edited) we force a nodepool-builder restart
 		"nodepool-providers-secrets": string(nodepoolProvidersSecrets.ResourceVersion),
-		"serial":                     "9",
+		"serial":                     "10",
 	}
 
 	initContainer := base.MkContainer("nodepool-builder-init", base.BusyboxImage)

diff --git a/doc/user/nodepool_config_repository.md b/doc/user/nodepool_config_repository.md
@@ -149,6 +149,9 @@ Here are the available variables and their meaning:
 - qcow2_type: is a boolean specifying if the built image format is `qcow2`.
 - raw_type: is a boolean specifying if the built image format is `raw`.
 
+> Zuul needs to authenticate via SSH onto Virtual Machines spawned from built cloud images. Thus, the Zuul SSH public key should be added as
+an authorized key for the user Zuul will connect to. The Zuul SSH public key is available on the `nodepool-builder` into the file
+`/var/lib/zuul-ssh-key/pub`. A cloud image build playbook can read that file to prepare a cloud image.
 
 Finally we need an `inventory.yaml` file. It must be defined into `nodepool/dib-ansible/inventory.yaml`: