From 791e49c5193a3c69f23052acb17673fc3e59d0e2 Mon Sep 17 00:00:00 2001
From: Scott Hussey
Date: Fri, 27 Apr 2018 14:10:41 -0500
Subject: [PATCH] [Chart] support ssh private key
- Add support for optionally mounting a private key for the maas user to access remote hosts via ssh (e.g. virsh)
- Add libvirt-bin to the rack controller
Change-Id: I18efb6a6947a5a5f91800bf6494b7d9d15d8aaf2
---
 charts/maas/templates/bin/_start.sh.tpl | 8 ++++-
 charts/maas/templates/deployment-rack.yaml | 15 ++++++++++
 charts/maas/templates/secret-ssh-key.yaml | 29 +++++++++++++++++++
 charts/maas/templates/statefulset-region.yaml | 2 +-
 charts/maas/values.yaml | 9 ++++++
 images/maas-rack-controller/Dockerfile | 5 +++-
 6 files changed, 65 insertions(+), 3 deletions(-)
 create mode 100644 charts/maas/templates/secret-ssh-key.yaml
diff --git a/charts/maas/templates/bin/_start.sh.tpl b/charts/maas/templates/bin/_start.sh.tpl
index cff92ff..dca0617 100644
--- a/charts/maas/templates/bin/_start.sh.tpl
+++ b/charts/maas/templates/bin/_start.sh.tpl
@@ -19,4 +19,10 @@ set -ex
 # show env
 env > /tmp/env
-exec /bin/systemd --system
\ No newline at end of file
+if [[ -d ~maas/.ssh ]]
+then
+ chown -R maas:maas ~maas/.ssh
+fi
+chsh -s /bin/bash maas
+
+exec /bin/systemd --system
diff --git a/charts/maas/templates/deployment-rack.yaml b/charts/maas/templates/deployment-rack.yaml
index 202c78e..33494b9 100644
--- a/charts/maas/templates/deployment-rack.yaml
+++ b/charts/maas/templates/deployment-rack.yaml
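Review bot: The new `chown -R maas:maas ~maas/.ssh` recurses into the `id_rsa` that deployment-rack.yaml bind-mounts into that directory from the Secret, and Secret volumes are typically mounted read-only on recent Kubernetes, so the chown on that file will most likely fail and, under the file's `set -ex`, abort the script before the `exec /bin/systemd --system` that follows; the `if [[ -d ~maas/.ssh ]]` guard does not cover that case. Restricting it to the directory itself, `chown maas:maas ~maas/.ssh`, and letting the volume's `defaultMode` plus a pod `fsGroup` govern the key file avoids the abort; if the recursive form is deliberate, `|| true` with a comment saying why is the alternative. `chsh -s /bin/bash maas` gives the service account an interactive login shell unconditionally, so a comment naming which consumer needs it (e.g. `# maas user needs a real shell for ssh to virsh hosts -- TODO confirm`) would help the next reader, or it could move under the same guard. The enclosing script starts before the hunk.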
@@ -87,8 +87,23 @@ spec:
 mountPath: /lib/systemd/system/register-rack-controller.service
 subPath: register-rack-controller.service
 readOnly: true
+{{- if .Values.manifests.secret_ssh_key }}
+ - name: maas-ssh
+ mountPath: /var/lib/maas/.ssh
+ - name: priv-key
+ subPath: PRIVATE_KEY
+ mountPath: /var/lib/maas/.ssh/id_rsa
+{{- end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
 volumes:
+{{- if .Values.manifests.secret_ssh_key }}
+ - name: maas-ssh
+ emptyDir: {}
+ - name: priv-key
+ secret:
+ secretName: {{ .Release.Name}}-{{ .Values.secrets.ssh_key }}
+ defaultMode: 0400
+{{- end }}
 - name: maas-bin
 configMap:
 name: maas-bin
diff --git a/charts/maas/templates/secret-ssh-key.yaml b/charts/maas/templates/secret-ssh-key.yaml
new file mode 100644
index 0000000..2f4ef8e
--- /dev/null
+++ b/charts/maas/templates/secret-ssh-key.yaml
@@ -0,0 +1,29 @@
+
+{{/*
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_ssh_key }}
+{{- $secretName := .Values.secrets.ssh_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name}}-{{ $secretName }}
+type: Opaque
+data:
+ PRIVATE_KEY: |-
+{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}
+...
+{{- end }}
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index 4a82a53..a258d4f 100644
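Review bot: Mounting the key with `subPath: PRIVATE_KEY` makes `/var/lib/maas/.ssh/id_rsa` a one-time bind-mount snapshot: Kubernetes does not propagate later Secret updates into subPath mounts, so a rotated `conf.ssh.private_key` only takes effect after the rack pod is restarted, and that deserves a comment on the mount such as `# subPath mount: key rotation requires a pod restart`. `defaultMode: 0400` is read by Helm's YAML parser as octal (decimal 256), which is what the API expects, but a 0400 root-owned file is unreadable by the `maas` user unless the pod sets `securityContext.fsGroup` or the start script's chown succeeds; the volume should carry a comment saying which of the two it relies on. Minor style: `{{ .Release.Name}}` lacks the space before `}}` that `{{ .Values.secrets.ssh_key }}` on the same line has.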
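Review bot: `{{ .Values.conf.ssh.private_key | b64enc | indent 4 }}` is rendered against the shipped default `private_key: null` as soon as `manifests.secret_ssh_key` is enabled, and `b64enc` on a nil value will most likely fail with a Go template type error rather than a message that names the missing value; `{{ required "conf.ssh.private_key must be set when manifests.secret_ssh_key is true" .Values.conf.ssh.private_key | b64enc | indent 4 }}` makes the failure self-explanatory. The empty first line before `{{/*` looks like a stray and can be dropped. A short comment at the top of the template telling operators that `conf.ssh.private_key` is expected from a separate, uncommitted values file would document the intended handling of the credential.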
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -1,5 +1,5 @@
 {{/*
-# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index 8b8f4bb..3e25984 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -66,6 +66,7 @@ manifests:
 region_statefulset: true
 rack_deployment: true
 test_maas_api: true
+ secret_ssh_key: false
 images:
 tags:
@@ -113,6 +114,13 @@ network:
 db_service_target: 5432
 conf:
+ ssh:
+ # A SSH private key strings to mount
+ # to allow MaaS access virsh over SSH
+ # The corresponding public key should be
+ # added to a authorized_keys file to a user
+ # in the libvirt group on the hypervisors
+ private_key: null
 bind:
 override:
 append:
@@ -202,6 +210,7 @@ secrets:
 maas_region:
 name: maas-region-secret
 value: 3858f62230ac3c915f300c664312c63f
+ ssh_key: ssh-private-key
 pod:
 affinity:
diff --git a/images/maas-rack-controller/Dockerfile b/images/maas-rack-controller/Dockerfile
index 7c4537c..9bdf0a5 100644
--- a/images/maas-rack-controller/Dockerfile
+++ b/images/maas-rack-controller/Dockerfile
@@ -16,7 +16,10 @@ RUN systemctl set-default multi-user.target
 # everything else below is to setup maas into the systemd initialized
 # container based on ubuntu 16.04
 RUN apt-get -qq update && \
- apt-get -y install sudo software-properties-common
+ apt-get -y install \
+ sudo \
+ software-properties-common \
+ libvirt-bin
 # TODO(alanmeadows)
 # we need systemd 231 per https://github.com/systemd/systemd/commit/a1350640ba605cf5876b25abfee886488a33e50b
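Review bot: The comment block above `private_key: null` in the `conf:` hunk is hard to read ("A SSH private key strings to mount", "added to a authorized_keys file to a user") and leaves out the two facts an operator needs: the value is the complete, multi-line private key file contents, and it becomes mandatory once `manifests.secret_ssh_key` is true. Suggested wording: `# Full contents of the SSH private key mounted as ~maas/.ssh/id_rsa on the rack controller so MAAS can reach virsh over SSH (use a block scalar).` / `# Required when manifests.secret_ssh_key is true; supply it from a separate values file. The matching public key goes into authorized_keys of a user in the libvirt group on each hypervisor.` The other two values.yaml hunks (`secret_ssh_key: false` and `ssh_key: ssh-private-key`) need no change.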
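Review bot: `libvirt-bin` on Ubuntu 16.04 appears to be the daemon metapackage (it pulls in the libvirtd service units), and because this image boots `/bin/systemd` that daemon would likely be started inside the rack controller container even though the commit only needs the virsh client for the ssh use case; `libvirt-clients` is the narrower package, and either way a comment should state the intent, e.g. `# virsh client for qemu+ssh power control; libvirtd itself is not needed here`. Since the RUN line is being restructured anyway, `apt-get -y install --no-install-recommends \` and a trailing `&& rm -rf /var/lib/apt/lists/*` keep the image smaller and drop the stale package index from the layer.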