OSPC-1873 Get SSH working in Database instance container (#1409)

Author: ayersek64

base-helm-configs/trove/trove-helm-overrides.yaml

@@ -80,7 +80,9 @@ conf:
       management_networks: ""
       network_driver: trove.network.neutron.NeutronDriver
       taskmanager_manager: trove.taskmanager.manager.Manager
+      use_nova_server_config_drive: true
       trove_api_workers: 2
+      trove_security_groups_support: false
       trove_volume_support: true
       volume_support: true
       volume_fstype: ext4

bin/create-secrets.sh

@@ -64,6 +64,8 @@ cinder_admin_password=$(generate_password 32)
 trove_rabbitmq_password=$(generate_password 64)
 trove_db_password=$(generate_password 32)
 trove_admin_password=$(generate_password 32)
+trove_ssh_public_key=$(ssh-keygen -qt ed25519 -N '' -C "trove_ssh" -f trove_ssh_key && cat trove_ssh_key.pub)
+trove_ssh_private_key=$(cat trove_ssh_key)
 cloudkitty_rabbitmq_password=$(generate_password 64)
 cloudkitty_db_password=$(generate_password 32)
 cloudkitty_admin_password=$(generate_password 32)
@@ -334,6 +336,21 @@ data:
 ---
 apiVersion: v1
 kind: Secret
+metadata:
+  name: trove-ssh
+  namespace: openstack
+  annotations:
+    meta.helm.sh/release-name: trove
+    meta.helm.sh/release-namespace: openstack
+  labels:
+    app.kubernetes.io/managed-by: Helm
+type: Opaque
+data:
+  public-key: $(echo $trove_ssh_public_key | base64 -w0)
+  private-key: $(echo "$trove_ssh_private_key" | base64 -w0)
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: cloudkitty-rabbitmq-password
   namespace: openstack

scripts/hyperconverged-lab-kubespray.sh

@@ -616,7 +616,15 @@ fi
 
 
 if [ "${TEST_LEVEL}" = "off" ]; then
+    # Wait for Nova and Neutron APIs to be ready before proceeding
+    waitForOpenStackAPIsReadyRemote "${SSH_USERNAME}" "${JUMP_HOST_VIP}"
+
     createPostSetupResourcesRemote "${SSH_USERNAME}" "${JUMP_HOST_VIP}" "${LAB_NAME_PREFIX}"
+
+    # Trove Setup & Installation
+    # Must be run after the flat network has been created
+    setupTrove "${SSH_USERNAME}" "${JUMP_HOST_VIP}" "${LAB_NAME_PREFIX}"
+
 else
     # Wait for Nova and Neutron APIs to be ready before proceeding
     if [ ${DISABLE_OPENSTACK} = "false" ]; then

scripts/lib/hyperconverged-common.sh

@@ -37,8 +37,9 @@ function parseCommonArgs() {
 
     if [ "${HYPERCONVERGED_CINDER_VOLUME:-false}" = "true" ]; then
         # barbican is needed for iSCSI encrypted volumes and cinder install has to be
-        #  done much later during the cinder volume setup
-        INCLUDE_LIST=("keystone" "barbican" "glance" "nova" "neutron" "placement")
+        #  done much later during the cinder volume setup; trove is also included since
+        #  cinder volume support was added to support trove develpment
+        INCLUDE_LIST=("keystone" "barbican" "glance" "nova" "neutron" "placement" "trove")
         EXCLUDE_LIST=("cinder")
     else
         INCLUDE_LIST=("keystone" "glance" "cinder" "nova" "neutron" "placement")
@@ -529,6 +530,9 @@ conf:
   trove:
     DEFAULT:
       trove_api_workers: 1
+      management_networks: <management_networks>
+      management_security_groups: <management_security_groups>
+      nova_keypair: <keypair_name>
     oslo_messaging_notifications:
       driver: noop
   trove_api_uwsgi:
@@ -1663,3 +1667,147 @@ echo "Installing Octavia"
 sudo /opt/genestack/bin/install-octavia.sh -f $OCTAVIA_HELM_FILE
 EOC
 }
+
+function setupKubeConfig() {
+    if [ ! -d ~/.kube ]; then
+        mkdir ~/.kube
+        sudo cp -i /etc/kubernetes/admin.conf ~/.kube/config 2>/dev/null || true
+        sudo chown $(id -u):$(id -g) ~/.kube/config 2>/dev/null || true
+    fi
+}
+
+function setupTrove() {
+    # Trove requires some setup that cannot be done w/ a pre-install job because the job
+    #  runs in a container that does not have access to the
+    #  /etc/genestack/helm-config/trove/trove-helm-overrides.yaml file that must be modified
+    #  so that the management_networks and management_security_groups can be assigned.
+    #  This also can't be done until openstack commands are available which doesn't happen until the
+    #  openstack setup is complete, which includes the installation of trove. Unfortunately, once the
+    #  changes are made, trove needs to have the helm upgrade run again which is done by the trove
+    #  install script.
+
+    echo "Running trove setup ..."
+
+    local ssh_user="$1"
+    local jump_host="$2"
+    local lab_prefix="$3"
+
+    {
+        declare -f setupKubeConfig
+
+        cat << JUMP_HOST_EOF
+# check if trove is installed and running, otherwise exit cleanly
+if ! grep "trove: true" /etc/genestack/openstack-components.yaml &>/dev/null; then
+    echo "Trove not installed, exiting Trove setup function for ${lab_prefix}-0"
+    exit 0
+fi
+
+echo "Running trove setup on ${lab_prefix}-0..."
+
+setupKubeConfig
+
+TROVE_SSH_KEY=\$(/usr/local/bin/kubectl get secret trove-ssh -n openstack -o jsonpath='{.data.private-key}' | base64 --decode)
+TROVE_SSH_PUBLIC_KEY=\$(/usr/local/bin/kubectl get secret trove-ssh -n openstack -o jsonpath='{.data.public-key}' | base64 --decode)
+TROVE_SSH_KEY_FILENAME="/home/${ssh_user}/.ssh/trove_ssh_key"
+TROVE_ADMIN_PASSWORD=\$(/usr/local/bin/kubectl --namespace openstack get secret trove-admin -o jsonpath='{.data.password}' | base64 -d)
+
+set -e
+# activate environment for openstack commands
+source /opt/genestack/scripts/genestack.rc
+
+echo "[JUMP_HOST] Creating Trove SSH key on ${lab_prefix}-0"
+echo "\${TROVE_SSH_KEY}" > \${TROVE_SSH_KEY_FILENAME} && chown ${ssh_user}:${ssh_user} \${TROVE_SSH_KEY_FILENAME} && chmod 600 \${TROVE_SSH_KEY_FILENAME}
+
+# create environment for trove credentials
+echo "[JUMP_HOST] Creating trove-openrc"
+cat > ~/openrc-trove << TROVE_EOF
+export OS_AUTH_URL=http://keystone-api.openstack.svc.cluster.local:5000/v3
+export OS_PROJECT_NAME=service
+export OS_TENANT_NAME=default
+export OS_PROJECT_DOMAIN_NAME=service
+export OS_USERNAME=trove
+export OS_PASSWORD=\${TROVE_ADMIN_PASSWORD}
+export OS_USER_DOMAIN_NAME=service
+export OS_REGION_NAME=RegionOne
+export OS_INTERFACE=internal
+export OS_IDENTITY_API_VERSION="3"
+TROVE_EOF
+
+# activate environment with trove credentials
+source ~/openrc-trove
+
+KEYPAIR_NAME="trove-access-keypair"
+SEC_GROUP_NAME="trove-access-secgroup"
+REMOTE_IP="0.0.0.0/0" # Adjust the CIDR to restrict access if needed
+
+if openstack keypair show \$KEYPAIR_NAME; then
+  echo "[JUMP_HOST] Keypair for access to Trove instances exists"
+else
+  echo "[JUMP_HOST] Creating Keypair for access to Trove instances"
+  echo "\${TROVE_SSH_PUBLIC_KEY}" > /tmp/trove-access-key.pub
+  openstack keypair create --public-key /tmp/trove-access-key.pub \$KEYPAIR_NAME
+fi
+
+# Check if security group exists
+if openstack security group show \$SEC_GROUP_NAME; then
+  echo "[JUMP_HOST] Security Group for access to Trove instances exists"
+else
+  echo "[JUMP_HOST] Creating Security Group for access to Trove instances"
+  openstack security group create --description "Security group for Trove instances" \$SEC_GROUP_NAME
+  openstack security group rule create --protocol icmp --remote-ip \$REMOTE_IP \$SEC_GROUP_NAME
+  openstack security group rule create --protocol tcp --dst-port 22 --remote-ip \$REMOTE_IP \$SEC_GROUP_NAME
+  openstack security group rule create --protocol tcp --dst-port 3306 --remote-ip \$REMOTE_IP \$SEC_GROUP_NAME
+fi
+
+# update helm overrides so configuration is setup to use a management network and security group
+echo "[JUMP_HOST] Updating Trove Helm overrides"
+FLAT_NETWORK_ID=\$(openstack network list -f value -c ID -c Name | grep flat | awk {'print \$1'})
+sed -i "s/<management_networks>/\$FLAT_NETWORK_ID/g" /etc/genestack/helm-configs/trove/trove-helm-overrides.yaml
+ACCESS_SECGROUP_ID=\$(openstack security group list -f value -c ID -c Name | grep trove-access-secgroup | awk {'print \$1'})
+sed -i "s/<management_security_groups>/\$ACCESS_SECGROUP_ID/g" /etc/genestack/helm-configs/trove/trove-helm-overrides.yaml
+sed -i "s/<keypair_name>/\$KEYPAIR_NAME/g" /etc/genestack/helm-configs/trove/trove-helm-overrides.yaml
+
+sudo /opt/genestack/bin/install-trove.sh
+JUMP_HOST_EOF
+    } | ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -t ${ssh_user}@${jump_host} bash
+
+    {
+        declare -f setupKubeConfig
+
+        cat << NODE_1_EOF
+if ! grep "trove: true" /etc/genestack/openstack-components.yaml &>/dev/null; then
+    echo "Trove not installed, exiting Trove setup function for ${lab_prefix}-1"
+    exit 0
+fi
+
+echo "Running trove setup on ${lab_prefix}-1..."
+
+setupKubeConfig
+
+echo "[${lab_prefix}-1] Creating Trove SSH key"
+TROVE_SSH_KEY=\$(/usr/local/bin/kubectl get secret trove-ssh -n openstack -o jsonpath='{.data.private-key}' | base64 --decode)
+TROVE_SSH_KEY_FILENAME="/home/${ssh_user}/.ssh/trove_ssh_key"
+ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -t ${ssh_user}@${lab_prefix}-1 "echo \"\${TROVE_SSH_KEY}\" > \${TROVE_SSH_KEY_FILENAME} && chown ${ssh_user}:${ssh_user} \${TROVE_SSH_KEY_FILENAME} && chmod 600 \${TROVE_SSH_KEY_FILENAME}"
+NODE_1_EOF
+    } | ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -t ${ssh_user}@${jump_host} bash
+
+    {
+        declare -f setupKubeConfig
+
+        cat << NODE_2_EOF
+if ! grep "trove: true" /etc/genestack/openstack-components.yaml &>/dev/null; then
+    echo "Trove not installed, exiting Trove setup function for ${lab_prefix}-2"
+    exit 0
+fi
+
+echo "Running trove setup on ${lab_prefix}-2..."
+
+setupKubeConfig
+
+echo "[${lab_prefix}-2] Creating Trove SSH key"
+TROVE_SSH_KEY=\$(/usr/local/bin/kubectl get secret trove-ssh -n openstack -o jsonpath='{.data.private-key}' | base64 --decode)
+TROVE_SSH_KEY_FILENAME="/home/${ssh_user}/.ssh/trove_ssh_key"
+ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -t ${ssh_user}@${lab_prefix}-2 "echo \"\${TROVE_SSH_KEY}\" > \${TROVE_SSH_KEY_FILENAME} && chown ${ssh_user}:${ssh_user} \${TROVE_SSH_KEY_FILENAME} && chmod 600 \${TROVE_SSH_KEY_FILENAME}"
+NODE_2_EOF
+    } | ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -t ${ssh_user}@${jump_host} bash
+}