fix(manila): switch to pubkey auth
diff --git a/release-please-config.json b/release-please-config.json
index ac4fb3c..6cf3256 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -4,6 +4,7 @@
"release-type": "python",
"draft": true,
"extra-files": [
+ "roles/defaults/defaults/main.yml",
"galaxy.yml"
]
}
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index c2f7d58..082c1ed 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -1,3 +1,19 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+atmosphere_version: 1.1.0 # x-release-please-version
+
# Ingress
atmosphere_ingress_class_name: atmosphere
atmosphere_ingress_cluster_issuer: atmosphere
diff --git a/roles/manila/defaults/main.yml b/roles/manila/defaults/main.yml
index aaaf37d..ef67bad 100644
--- a/roles/manila/defaults/main.yml
+++ b/roles/manila/defaults/main.yml
@@ -26,10 +26,13 @@
manila_flavor_name: m1.manila
manila_flavor_vcpus: 2
manila_flavor_ram: 2048
-manila_flavor_disk: 0
+manila_flavor_disk: 20
-# Service instance Image
+# Service instance image
manila_image_name: manila-service-image
-manila_image_url: https://tarballs.opendev.org/openstack/manila-image-elements/images/manila-service-image-master.qcow2
+manila_image_url: "https://object-storage.public.mtl1.vexxhost.net/swift/v1/b98c5fdfb9be4e39a34b93d0b425ac2b/atmosphere-images/manila-{{ atmosphere_version }}.qcow2" # noqa yaml[line-length]
manila_image_container_format: bare
-manila_image_disk_format: raw
+manila_image_disk_format: qcow2
+
+# Service instance authentication
+manila_ssh_key: "{{ undef('You must provide a private SSH key using manila_ssh_key') }}"
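Review bot: The new `manila_image_url` default points at a mutable object-storage path, and nothing in this hunk pins the image's digest, so whatever is served at that URL becomes the service-instance image that Manila boots and then logs into with the key added below. The download task is outside this diff and may already verify a checksum; if it does not, add a digest default next to the URL and check it before upload, e.g. a new variable such as `manila_image_checksum: "sha256:<digest of the published manila image>"` (placeholder value). A comment above `manila_ssh_key` stating that it holds a private key and should come from an encrypted source (Ansible Vault or a secret lookup) rather than plain vars would also help, e.g. `# Private key material: supply via Ansible Vault or a secret lookup, never in clear-text vars`.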
diff --git a/roles/manila/tasks/generate_public_key.yml b/roles/manila/tasks/generate_public_key.yml
new file mode 100644
index 0000000..290b075
--- /dev/null
+++ b/roles/manila/tasks/generate_public_key.yml
@@ -0,0 +1,58 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Generate public key for SSH private key
+ become: false
+ delegate_to: localhost
+ block:
+ - name: Generate temporary file for SSH public key
+ changed_when: false
+ ansible.builtin.tempfile:
+ state: file
+ prefix: manila_ssh_key_
+ register: _manila_ssh_key_tempfile
+ # NOTE(mnaser): It's important to add a trailing newline at the end of this
+ # string or else `ssh-keygen` will not be happy.
+ - name: Write contents of current private SSH key
+ changed_when: false
+ ansible.builtin.copy:
+ dest: "{{ _manila_ssh_key_tempfile.path }}"
+ content: "{{ manila_ssh_key }}\n"
+ mode: "0600"
+ - name: Generate public key for SSH private key
+ changed_when: false
+ community.crypto.openssh_keypair:
+ path: "{{ _manila_ssh_key_tempfile.path }}"
+ regenerate: never
+ register: _manila_ssh_publickey
+ always:
+ - name: Delete temporary file for public SSH key
+ changed_when: false
+ ansible.builtin.file:
+ path: "{{ _manila_ssh_key_tempfile.path }}"
+ state: absent
+
+- name: Create secret with the SSH keys
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ manila_helm_release_name }}-ssh-keys"
+ namespace: "{{ manila_helm_release_namespace }}"
+ type: Opaque
+ data:
+ id_rsa: "{{ manila_ssh_key | b64encode }}"
+ id_rsa.pub: "{{ _manila_ssh_publickey.public_key | b64encode }}"
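Review bot: The two tasks that carry the private key, `Write contents of current private SSH key` and `Create secret with the SSH keys`, run without `no_log: true`, so the key (raw or base64) can surface in `--diff` output, verbose task results or callback-plugin records such as CI logs; add `no_log: true` to both. The `always` step is named for the public key but actually removes the private-key temp file, and `community.crypto.openssh_keypair` appears to write a `.pub` file next to that path which is never cleaned up. A second `ansible.builtin.file` removal for `"{{ _manila_ssh_key_tempfile.path }}.pub"` would cover it. The Secret keys are fixed as `id_rsa`/`id_rsa.pub` whatever the key type, which deserves a one-line comment such as `# key names are fixed; the key itself does not have to be RSA`.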
diff --git a/roles/manila/tasks/main.yml b/roles/manila/tasks/main.yml
index 067a66a..ea9f188 100644
--- a/roles/manila/tasks/main.yml
+++ b/roles/manila/tasks/main.yml
@@ -16,6 +16,10 @@
ansible.builtin.import_tasks:
file: generate_resources.yml
+- name: Generate public key for SSH private key
+ ansible.builtin.import_tasks:
+ file: generate_public_key.yml
+
- name: Deploy Helm chart
run_once: true
kubernetes.core.helm:
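Review bot: The import of `generate_public_key.yml` carries no `run_once: true`, unlike the `Deploy Helm chart` task directly below it, and none of the tasks in the imported file set it either. If the play targets more than one host, the private key is likely written to a temp file on the controller and the Secret re-applied once per host. Adding `run_once: true` to this import keeps the key material handled a single time. The `Deploy Helm chart` task continues outside the hunk.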
diff --git a/roles/manila/vars/main.yml b/roles/manila/vars/main.yml
index 456d41b..8667a14 100644
--- a/roles/manila/vars/main.yml
+++ b/roles/manila/vars/main.yml
@@ -17,11 +17,23 @@
images:
tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('manila') }}"
pod:
+ mounts:
+ manila_share:
+ manila_share:
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: /etc/manila/ssh-keys
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: "{{ manila_helm_release_name }}-ssh-keys"
replicas:
api: 3
scheduler: 3
bootstrap:
- enabled: false
+ structured:
+ flavors: null
+ images: null
dependencies:
static:
share:
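Review bot: The `ssh-keys` secret volume is declared without a `defaultMode`, so Kubernetes projects `id_rsa` with its default mode of 0644 and every process in the `manila_share` container can read the private key. Set a tighter mode under `secret:`, for example `defaultMode: 288  # 0440`, written in decimal so that no YAML parser re-interprets the octal. The user and fsGroup the pod runs as are not visible here, so confirm the share service can still read the file with the chosen mode.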
@@ -37,6 +49,8 @@
generic:
connect_share_server_to_tenant_network: true
limit_ssh_access: true
+ path_to_private_key: /etc/manila/ssh-keys/id_rsa
+ path_to_public_key: /etc/manila/ssh-keys/id_rsa.pub
service_image_name: "{{ manila_image_name }}"
service_instance_flavor_id: "{{ _manila_flavor.id }}"
oslo_messaging_no tifications: