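#cloud-config
# Cloud-init user-data for a CRC node on AWS. The {{ ... }} placeholders are
# substituted by the template renderer before cloud-init reads this file.
bootcmd:
  # Debug breadcrumb: records which service ran this stage.
  - 'echo "bootcmd executed by service: $(ps -o comm= $PPID)" > /tmp/bootcmd_proof.txt'
  # Resize the partition (4 = /dev/nvme0n1p4 typically)
  - growpart /dev/nvme0n1 4
runcmd:
  # Debug breadcrumb, see bootcmd.
  - 'echo "runcmd executed by service: $(ps -o comm= $PPID)" > /tmp/runcmd_proof.txt'
  - systemctl enable --now kubelet
  # Written by write_files below; pulls the cluster secrets out of SSM.
  - /usr/local/bin/mapt-crc-aws-fetch-secrets-workaround.sh
write_files:
  # Public IP of the instance; 0644 makes it readable by every local user.
  - path: /opt/crc/eip
    content: "{{ .PublicIP }}"
    owner: root:root
    permissions: '0644'
  # SSH access for the interactive user. NOTE(review): the path hard-codes the
  # 'core' home directory while the owner comes from the template; both must
  # refer to the same account. The value is a plain (unquoted) scalar, so a key
  # comment containing ': ' or ' #' would break YAML parsing - the eip entry
  # above quotes its value, this one may want to as well.
  - path: /home/core/.ssh/authorized_keys
    content: {{ .PubKey }}
    owner: {{ .Username }}
    permissions: '0600'
  # Same public key, kept where root can find it (public material, 0644 is fine).
  - path: /opt/crc/id_rsa.pub
    content: {{ .PubKey }}
    owner: root:root
    permissions: '0644'
  # Environment file for crc.
  - content: |
      CRC_SELF_SUFFICIENT=1
      CRC_NETWORK_MODE_USER=0
      CRC_SOURCE=mapt/snc
    owner: root:root
    path: /etc/sysconfig/crc-env
    permissions: '0644'
  # Thin wrapper invoked from runcmd: prefers the fetch script shipped in the
  # image and falls back to the copy written below.
  - owner: root:root
    path: /usr/local/bin/mapt-crc-aws-fetch-secrets-workaround.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      if [[ -f /usr/local/bin/crc-aws-fetch-secrets.sh ]]; then
        script=/usr/local/bin/crc-aws-fetch-secrets.sh
      else
        echo "crc-aws-fetch-secrets.sh not found, falling back to MAPT's copy"
        script=/usr/local/bin/mapt-crc-aws-fetch-secrets.sh
      fi
      # The SSM parameter names are substituted into this line as script text,
      # so they must not contain double quotes or other shell metacharacters.
      exec "$script" "{{ .SSMPullSecretName }}" "{{ .SSMKubeAdminPasswordName }}" "{{ .SSMDeveloperPasswordName }}"
  # Fetches the pull secret and the two passwords from SSM Parameter Store into
  # /opt/crc (root-only directory, 0600 files), retrying until IMDS and SSM answer.
  # Usage: mapt-crc-aws-fetch-secrets.sh PULL_SECRETS_KEY KUBEADM_PASS_KEY DEVELOPER_PASS_KEY
  - owner: root:root
    path: /usr/local/bin/mapt-crc-aws-fetch-secrets.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      set -o pipefail
      set -o errexit
      set -o nounset
      set -o errtrace
      set -x
      # set -x only traces commands and their arguments; the secret values only
      # ever travel through command *output*, which is redirected straight to
      # files, so they never appear in the trace. The IMDS token is the one
      # value that would show up in a traced argument, hence the 'set +x'
      # subshell further down.
      # NOTE(review): no tag or digest, so every boot pulls whatever 'latest'
      # currently is; pin it (e.g. "@sha256:<DIGEST-PLACEHOLDER>") so the tool
      # that receives the decrypted secrets is reproducible.
      AWS_CLI_IMG=docker.io/amazon/aws-cli
      MIN_CHAR_COUNT=8 # minimum number of chars for the secret to be
                       # assumed valid
      umask 0077 # 0600 file permission for secrets
      install -d -m 0700 /opt/crc # ensure that the target directory exists
      # Scratch file for the region. Kept under the root-only /opt/crc instead
      # of the world-writable /tmp, so no other local user can pre-create or
      # swap a file at a fixed, predictable path that root then writes and reads.
      REGION_FILE=/opt/crc/aws-region
      PULL_SECRETS_KEY=${1:-}
      KUBEADM_PASS_KEY=${2:-}
      DEVELOPER_PASS_KEY=${3:-}
      if [[ -z "$PULL_SECRETS_KEY" || -z "$KUBEADM_PASS_KEY" || -z "$DEVELOPER_PASS_KEY" ]]; then
        echo "ERROR: expected to receive 3 parameters: PULL_SECRETS_KEY KUBEADM_PASS_KEY DEVELOPER_PASS_KEY"
        exit 1
      fi
      DELAY=5
      TOTAL_PERIOD=$(( 3*60 ))
      ATTEMPTS=$(( TOTAL_PERIOD / DELAY))
      # retry_compact CMD [ARGS...]: run CMD up to $ATTEMPTS times, sleeping
      # $DELAY seconds between attempts. Returns 0 on the first success, 1 if
      # every attempt failed. CMD runs inside an 'if' condition, where errexit
      # is suspended, so a function passed as CMD must return non-zero itself
      # on failure - a failing command inside it will not abort it.
      function retry_compact() {
        local i
        for i in $(seq 1 "$ATTEMPTS"); do
          # If the command succeeds (returns 0), exit the function with success.
          if "$@"; then
            echo "'$*' succeeded after $i attempts "
            return 0
          fi
          echo "'$*' still failing after $i/$ATTEMPTS attempts ..."
          sleep "$DELAY"
        done
        echo "'$*' didn't succeed after $i attempt ..."
        # If the loop finishes, the command never succeeded.
        return 1
      }
      # Remove every scratch file this script may leave behind. Registered on
      # both ERR and EXIT, so it can run twice on failure; 'rm -f' keeps that
      # harmless.
      cleanup() {
        rm -f "$REGION_FILE" /opt/crc/pull-secret.tmp /opt/crc/pass_kubeadmin.tmp /opt/crc/pass_developer.tmp
        echo "Temp files cleanup complete."
      }
      # Cleanup happens automatically via trap on error or at script end
      trap cleanup ERR EXIT
      SECONDS=0
      # The network may not be fully up this early in boot, so retry the pull
      # instead of aborting on the first failure.
      retry_compact podman pull --quiet "$AWS_CLI_IMG"
      echo "Took $SECONDS seconds to pull the $AWS_CLI_IMG"
      # Probe IMDSv2 and, once it answers, write the instance region to
      # $REGION_FILE. Returns 1 (so retry_compact tries again) when either the
      # token or the region request fails. The region request's status has to
      # be checked explicitly: errexit is suspended while this runs under
      # retry_compact's 'if', so an unchecked curl failure would otherwise be
      # reported as success with an empty region file.
      check_imds_available_and_get_region() {
        local IMDS_TOKEN_COMMAND=(
          curl
          --connect-timeout 1
          -X PUT
          "http://169.254.169.254/latest/api/token"
          -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
          -Ssf
        )
        local TOKEN
        if ! TOKEN=$("${IMDS_TOKEN_COMMAND[@]}"); then
          echo "Couldn't fetch the token..." >&2
          return 1
        fi
        # Then, use the token to get the region
        echo "Fetching the AWS region ..."
        if ! curl -Ssf -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region > "$REGION_FILE"; then
          echo "Couldn't fetch the region..." >&2
          rm -f "$REGION_FILE"
          return 1
        fi
        if [[ ! -s "$REGION_FILE" ]]; then
          echo "IMDS returned an empty region..." >&2
          rm -f "$REGION_FILE"
          return 1
        fi
        echo >> "$REGION_FILE" # add EOL at EOF, for consistency
        echo "AWS region: $(< "$REGION_FILE")"
      }
      # Subshell so that 'set +x' is scoped; it inherits errexit, so a failed
      # retry_compact makes the subshell (and then the script) abort.
      (
        set +x # disable the xtrace as the token would be leaked
        echo "Waiting for the AWS IMDS service to be available ..."
        SECONDS=0
        retry_compact check_imds_available_and_get_region
        echo "Took $SECONDS for the IMDS service to become available."
      )
      # save_secret NAME KEY DEST: fetch the SSM parameter KEY (decrypted) and
      # store it at DEST (0600 through the umask). The value goes to DEST.tmp
      # first and is only renamed into place after the sanity check, so a
      # partial fetch never shows up as a finished secret. Returns 1 on any
      # failure, which makes retry_compact try again.
      save_secret() {
        local name=$1
        local key=$2
        local dest=$3
        local char_count
        # --log-driver=none avoids that the journal captures the stdout
        # logs of podman and leaks the passwords in the journal ...
        if ! podman run \
            --name "cloud-init-fetch-$name" \
            --env AWS_REGION="$(< "$REGION_FILE")" \
            --log-driver=none \
            --rm \
            "$AWS_CLI_IMG" \
            ssm get-parameter \
              --name "$key" \
              --with-decryption \
              --query "Parameter.Value" \
              --output text \
            > "${dest}.tmp"
        then
          rm -f "${dest}.tmp"
          echo "ERROR: failed to get the '$name' secret ... (fetched from $key)"
          return 1
        fi
        char_count=$(wc -c < "${dest}.tmp")
        if (( char_count < MIN_CHAR_COUNT )); then
          echo "ERROR: the content of the '$name' secret is too short ... (fetched from $key)"
          rm -f "${dest}.tmp"
          return 1
        fi
        mv "${dest}.tmp" "${dest}" # atomic creation of the file
        return 0
      }
      # execution will abort if 'retry_compact' fails.
      retry_compact save_secret "pull-secrets" "$PULL_SECRETS_KEY" /opt/crc/pull-secret
      retry_compact save_secret "kubeadmin-pass" "$KUBEADM_PASS_KEY" /opt/crc/pass_kubeadmin
      retry_compact save_secret "developer-pass" "$DEVELOPER_PASS_KEY" /opt/crc/pass_developer
      exit 0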