Manage own ssh key to access the machines and switch to deployadm user

* create own ssh keys * create separated deployadm user for deployment * update GitLab CI => used rather a separated user for deplyment (conflict with default user, also cloud-init could fail)

Manage own ssh key to access the machines and switch to deployadm user
48f5014e · František Dvořák · 63a9d47c · 48f5014e · 48f5014e · 48f5014e
Commit 48f5014e authored Feb 18, 2021 by František Dvořák
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -25,9 +25,6 @@ terraform-single:
    - rm -fv clouds.yaml testsuite.auto.tfvars
    - ln -sfv $CLOUDS_YAML clouds.yaml
    - ln -sfv $TERRAFORM_CONFIG testsuite.auto.tfvars
-    - install -d -m 0700 ~/.ssh
-    - eval $(ssh-agent -s)
-    - ssh-add $SSH_KEY
    # https://github.com/terraform-provider-openstack/terraform-provider-openstack/issues/1160
    - touch ./secure.yml
  cache:
@@ -38,8 +35,10 @@ terraform-single:
      - "*.tfstate"
  script:
    - ./launch.sh -var type=hadoop-single -var flavor=standard.large -var n=0 -var domain=terra1 -var image=$IMAGE
-    - ansible -i ./inventory -m synchronize -a 'src=image/tests dest=/home/debian/ mode=push' master
+    - eval $(ssh-agent -s)
-    - ansible -i ./inventory --become-user=debian -m command -a 'sh -xe ~/tests/run-tests.sh' master
+    - ssh-add ./ssh-key.terra1.txt
+    - ansible -i ./inventory --become-user=debian -m synchronize -a 'src=image/tests dest=/home/debian/ mode=push' master
+    - ansible -i ./inventory --become-user=debian -m shell -a 'cd; sh -xe ~/tests/run-tests.sh' master
    - terraform destroy -auto-approve
  rules:
    - if: '$JOB =~ /all|test-single/'
@@ -58,8 +57,10 @@ terraform-cluster:
      - "*.tfstate"
  script:
    - ./launch.sh -var type=hadoop -var domain=terra2 -var image=$IMAGE
-    - ansible -i ./inventory -m synchronize -a 'src=image/tests dest=/home/debian/ mode=push' master
+    - eval $(ssh-agent -s)
-    - ansible -i ./inventory --become-user=debian -m command -a 'sh -xe ~/tests/run-tests.sh' master
+    - ssh-add ./ssh-key.terra2.txt
+    - ansible -i ./inventory --become-user=debian -m synchronize -a 'src=image/tests dest=/home/debian/ mode=push' master
+    - ansible -i ./inventory --become-user=debian -m shell -a 'cd; sh -xe ~/tests/run-tests.sh' master
    - terraform destroy -auto-approve
  rules:
    - if: '$JOB =~ /all|test-cluster/'


--- a/deploy.tf
+++ b/deploy.tf
@@ -12,6 +12,11 @@ terraform {
 locals {
 	ord = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
+	keyfile = "ssh-key.${var.domain}.txt"
+}
+data "openstack_compute_keypair_v2" "userkey" {
+	name = var.ssh
 }
 data "template_file" "user_data_common" {
@@ -40,6 +45,7 @@ data "template_cloudinit_config" "ctx" {
 #cloud-config
 %{ if count.index != 0 ~}
 fs_setup:
 %{ for i in range(0, var.volumes) ~}
  - label: DATA${i + 1}
@@ -47,15 +53,48 @@ fs_setup:
    device: /dev/sd${local.ord[i + 1]}
    partition: none
 %{ endfor ~}
 mounts:
 %{ for i in range(0, var.volumes) ~}
  - [ LABEL=DATA${i + 1}, /data/${i + 1} ]
 %{ endfor ~}
 %{ endif ~}
+users:
+  - default
+  - name: deployadm
+    gecos: Deploy Admin
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${openstack_compute_keypair_v2.localkey.public_key}
+    sudo:
+      - ALL=(ALL) NOPASSWD:ALL
+%{ if count.index == 0 ~}
+write_files:
+  - path: /home/deployadm/.ssh/id_rsa
+    owner: deployadm:deployadm
+    permissions: '0600'
+    content: |
+      ${indent(6, openstack_compute_keypair_v2.localkey.private_key)~}
+%{ endif ~}
+runcmd:
+  - chown -R deployadm:deployadm /home/deployadm
 EOT
 	}
 }
+resource "openstack_compute_keypair_v2" "localkey" {
+	name = var.domain
+}
+resource "local_file" "localkey" {
+    filename = local.keyfile
+	file_permission = "0600"
+    sensitive_content = openstack_compute_keypair_v2.localkey.private_key
+}
 resource "openstack_compute_instance_v2" "server" {
 	count = var.n + 1
 	name = data.template_file.user_data_common[count.index].vars.host


--- a/launch.sh
+++ b/launch.sh
@@ -2,14 +2,6 @@
 TERRAFORM="`PATH=$PATH:. which terraform`"
-if ! ssh-add -l >/dev/null; then
-	cat <<EOF
-The ssh agent with ssh key required. Add key using:
-  ssh-add SSH_KEY_FILE
-EOF
-	exit 1
-fi
 if [ ! -s ./secrets.auto.tfvars ]; then
 	touch ./secrets.auto.tfvars
 	chmod 0600 ./secrets.auto.tfvars
@@ -29,9 +21,15 @@ $TERRAFORM apply -auto-approve "$@"
 touch config.json; chmod 0600 config.json
 $TERRAFORM output -json > config.json
+eval $(ssh-agent -s)
+trap "kill $SSH_AGENT_PID" INT TERM
+ssh-add ssh-key.*.txt
 if [ -z "$NO_DEPLOYMENT" ]; then
 	./orchestrate.py
 else
 	./orchestrate.py files ping init wait
 	./orchestrate.py -n deployment
 fi
+kill $SSH_AGENT_PID
--- a/orchestrate.py
+++ b/orchestrate.py
@@ -84,7 +84,7 @@ hosts = j['hosts']['value']
 public_hosts = j['public_hosts']['value']
 master_hostname = config['master_hostname']
 master_ip = public_hosts[master_hostname]
-user = config['image_user']
+user = 'deployadm'
 secrets = config['secrets']
 t = config.get('type', None)
 ssh = [args.ssh] + args.ssh_opts.split(r' ')