From 3c08bc44f2d9906ebc3bbe761b195f1b8ece6c2b Mon Sep 17 00:00:00 2001
From: Fabien Boucher
Date: Tue, 17 Oct 2023 15:32:39 +0000
Subject: [PATCH] nodepool-builder: add the Zuul SSH public key on pod filesystem

Change-Id: Ibd931eed485d22b1fd1f59a76a701faef0907875
---
 controllers/nodepool.go | 23 ++++++++++++++++++++++-
 doc/user/nodepool_config_repository.md | 3 +++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/controllers/nodepool.go b/controllers/nodepool.go
index 03516929..cb173dc7 100644
--- a/controllers/nodepool.go
+++ b/controllers/nodepool.go
@@ -58,6 +58,7 @@ var configScriptVolumeMount = apiv1.VolumeMount{
 Name: "nodepool-tooling-vol",
 SubPath: "generate-config.sh",
 MountPath: "/usr/local/bin/generate-config.sh",
+ ReadOnly: true,
 }

 func (r *SFController) setNodepoolTooling() {
@@ -359,6 +360,19 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 },
 },
 },
+ {
+ Name: "zuul-ssh-key",
+ VolumeSource: apiv1.VolumeSource{
+ Secret: &apiv1.SecretVolumeSource{
+ SecretName: "zuul-ssh-key",
+ Items: []apiv1.KeyToPath{{
+ Key: "pub",
+ Path: "pub",
+ }},
+ DefaultMode: &mod,
+ },
+ },
+ },
 base.MkVolumeCM("nodepool-builder-extra-config-vol", "nodepool-builder-extra-config-config-map"),
 statsdExporterVolume,

@@ -383,12 +397,18 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 Name: "nodepool-tooling-vol",
 SubPath: "dib-ansible.py",
 MountPath: "/usr/local/bin/dib-ansible",
+ ReadOnly: true,
 },
 {
 Name: "nodepool-builder-ssh-key",
 MountPath: "/var/lib/nodepool-ssh-key",
 ReadOnly: true,
 },
+ {
+ Name: "zuul-ssh-key",
+ MountPath: "/var/lib/zuul-ssh-key",
+ ReadOnly: true,
+ },
 {
 Name: "nodepool-tooling-vol",
 SubPath: "ssh_config",
@@ -399,6 +419,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 Name: "nodepool-builder-extra-config-vol",
 SubPath: "logging.yaml",
 MountPath: "/etc/nodepool-logging/logging.yaml",
+ ReadOnly: true,
 },
 }

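Review bot: The new `zuul-ssh-key` volume in the second hunk carries no comment stating why only the `pub` item of the Secret is projected, and that is the security-relevant property of this change: the builder pod receives Zuul's public key to bake into images as an authorized key and must never hold the private half. I would add above the `Name: "zuul-ssh-key"` entry: `// Project only the public half of the Zuul SSH key: the builder bakes it into images as an authorized key and must never receive the private key.` The volume reuses `DefaultMode: &mod`, which is declared outside the hunk; if `mod` is the owner-only mode chosen for the private nodepool-builder key, confirm it still leaves `/var/lib/zuul-ssh-key/pub` readable by the UID that runs the dib-ansible playbooks, since a public key gains nothing from a restrictive mode and an unreadable file would only surface as a failed image build. The `ReadOnly: true` on the new mount and on the tooling mounts is the right default for material the pod must not modify. `DeployNodepoolBuilder` starts and ends outside these hunks.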
@@ -416,7 +437,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 "statsd_mapping": utils.Checksum([]byte(nodepoolStatsdMappingConfig)),
 // When the Secret ResourceVersion field change (when edited) we force a nodepool-builder restart
 "nodepool-providers-secrets": string(nodepoolProvidersSecrets.ResourceVersion),
- "serial": "9",
+ "serial": "10",
 }

 initContainer := base.MkContainer("nodepool-builder-init", base.BusyboxImage)
diff --git a/doc/user/nodepool_config_repository.md b/doc/user/nodepool_config_repository.md
index bab1d5d7..75fd923d 100644
--- a/doc/user/nodepool_config_repository.md
+++ b/doc/user/nodepool_config_repository.md
@@ -149,6 +149,9 @@ Here are the available variables and their meaning:
 - qcow2_type: is a boolean specifying if the built image format is `qcow2`.
 - raw_type: is a boolean specifying if the built image format is `raw`.
+> Zuul needs to authenticate via SSH onto Virtual Machines spawned from built cloud images. Thus, the Zuul SSH public key should be added as
an authorized key for the user Zuul will connect to. The Zuul SSH public key is available on the `nodepool-builder` into the file
`/var/lib/zuul-ssh-key/pub`. A cloud image build playbook can read that file to prepare a cloud image.
 Finally we need an `inventory.yaml` file. It must be defined into `nodepool/dib-ansible/inventory.yaml`: