From d28af1ffaeb3a21f50965534268816ffc6c27d7f Mon Sep 17 00:00:00 2001 From: Sean Eagan Date: Tue, 22 Jun 2021 16:05:46 -0500 Subject: [PATCH] Configure ssh from jump host to VMs The SipCluster CRs reference an ssh-private-keys Secret which did not exist. This is used to ssh into the VMs from within the Sip jump hosts. This change adds the Secret and sources its content from the ssh keys generated for the target cluster. Once we have a pattern for generating secrets for sub-clusters in place we should generate separate ssh key pairs for each sub-cluster. Signed-off-by: Sean Eagan Change-Id: I7eb997e6328bba0fdc49f5b9b5a8c097fc24e143 --- .../lma/provide-infra/kustomization.yaml | 3 ++- .../replacements/kustomization.yaml | 3 ++- .../provide-infra/replacements/secrets.yaml | 22 +++++++++++++++++++ .../ssh-private-keys-secret.yaml | 8 +++++++ .../provide-infra/kustomization.yaml | 3 ++- .../replacements/kustomization.yaml | 3 ++- .../provide-infra/replacements/secrets.yaml | 22 +++++++++++++++++++ .../ssh-private-keys-secret.yaml | 8 +++++++ .../workers/replacements/kustomization.yaml | 1 + 9 files changed, 69 insertions(+), 4 deletions(-) create mode 100644 manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/secrets.yaml create mode 100644 manifests/type/multi-tenant/sub-clusters/lma/provide-infra/ssh-private-keys-secret.yaml create mode 100644 manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/secrets.yaml create mode 100644 manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/ssh-private-keys-secret.yaml diff --git a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/kustomization.yaml index 09d988063..ae9f961e4 100644 --- a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/kustomization.yaml 
@@ -1,5 +1,6 @@ resources: - # - ../../../../../function/dex-aio + # - ../../../../../function/dex-aio + - ssh-private-keys-secret.yaml - sipcluster.yaml - namespace.yaml namespace: lma-infra diff --git a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/kustomization.yaml index ee723aad8..5b829f386 100644 --- a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/kustomization.yaml @@ -1,3 +1,4 @@ resources: - networking.yaml - - versions.yaml \ No newline at end of file + - versions.yaml + - secrets.yaml diff --git a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/secrets.yaml b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/secrets.yaml new file mode 100644 index 000000000..70587cddb --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/secrets.yaml @@ -0,0 +1,22 @@ +# These rules inject env vars into the k8scontrol function. +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: lma-provide-infra-secrets-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: VariableCatalogue + name: generated-secrets + fieldref: "{.sshKeys.privateKey}" + target: + objref: + kind: Secret + namespace: lma-infra + name: ssh-private-keys + fieldrefs: + - "data.ssh-privatekey%REPLACEMENT_SSH_PRIVATEKEY%" diff --git a/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/ssh-private-keys-secret.yaml b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/ssh-private-keys-secret.yaml new file mode 100644 index 000000000..0df82f6ad --- /dev/null 
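Review bot: In the new `lma/provide-infra/replacements/secrets.yaml`, the rule copies `{.sshKeys.privateKey}` into `data.ssh-privatekey`, but a Secret's `data` values must be base64-encoded and nothing in this hunk encodes the value. If the `generated-secrets` catalogue stores the key as PEM text (not visible in this patch), the rendered Secret would fail validation when applied. Targeting `stringData` avoids the encoding step: `- "stringData.ssh-privatekey%REPLACEMENT_SSH_PRIVATEKEY%"` here, with `stringData:` in place of `data:` in `ssh-private-keys-secret.yaml`. The same applies to the wordpress copies of both files. The header comment `# These rules inject env vars into the k8scontrol function.` also looks carried over from another file and would read better as `# Injects the generated ssh private key into the ssh-private-keys Secret.`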
+++ b/manifests/type/multi-tenant/sub-clusters/lma/provide-infra/ssh-private-keys-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ssh-private-keys +type: kubernetes.io/ssh-auth +data: + ssh-privatekey: REPLACEMENT_SSH_PRIVATEKEY + diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/kustomization.yaml index 7d075abd0..13196bc25 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/kustomization.yaml @@ -1,5 +1,6 @@ resources: - # - ../../../../../function/dex-aio + # - ../../../../../function/dex-aio + - ssh-private-keys-secret.yaml - sipcluster.yaml - namespace.yaml namespace: wordpress-infra diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/kustomization.yaml index ee723aad8..5b829f386 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/kustomization.yaml @@ -1,3 +1,4 @@ resources: - networking.yaml - - versions.yaml \ No newline at end of file + - versions.yaml + - secrets.yaml diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/secrets.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/secrets.yaml new file mode 100644 index 000000000..978033199 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/secrets.yaml 
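Review bot: The new Secret in `lma/provide-infra/ssh-private-keys-secret.yaml` has no comment saying that `REPLACEMENT_SSH_PRIVATEKEY` is a render-time placeholder or which rule fills it, so the manifest alone does not show where the key material comes from. A header such as `# ssh-privatekey is filled from generated-secrets .sshKeys.privateKey by replacements/secrets.yaml; do not apply unrendered.` would make that visible, and the identical wordpress copy should get it too. The trailing blank line added at the end of the file can be dropped.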
@@ -0,0 +1,22 @@ +# These rules inject env vars into the k8scontrol function. +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: wordpress-provide-infra-secrets-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: VariableCatalogue + name: generated-secrets + fieldref: "{.sshKeys.privateKey}" + target: + objref: + kind: Secret + namespace: wordpress-infra + name: ssh-private-keys + fieldrefs: + - "data.ssh-privatekey%REPLACEMENT_SSH_PRIVATEKEY%" diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/ssh-private-keys-secret.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/ssh-private-keys-secret.yaml new file mode 100644 index 000000000..0df82f6ad --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/ssh-private-keys-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ssh-private-keys +type: kubernetes.io/ssh-auth +data: + ssh-privatekey: REPLACEMENT_SSH_PRIVATEKEY + diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/workers/replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/workers/replacements/kustomization.yaml index 287984ceb..afac84a46 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/workers/replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/workers/replacements/kustomization.yaml @@ -1,2 +1,3 @@ resources: - ../../../../../sub-cluster/workers/replacements + \ No newline at end of file
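Review bot: `wordpress/provide-infra/replacements/secrets.yaml` differs from the lma file only in `metadata.name` and the target `namespace`, and the Secret manifest after it is identical to the lma one. Any later change to how the private key is injected must therefore be made in two places and can drift between tenants. The last hunk of this patch shows the workers replacements pulling from a shared `sub-cluster/workers/replacements` base. A similar shared base for provide-infra would keep the secret handling in one reviewed place, assuming the target namespace can be set per sub-cluster on top of it.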