diff --git a/nova/templates/bin/_ssh-start.sh.tpl b/nova/templates/bin/_ssh-start.sh.tpl
new file mode 100644
index 0000000000..1c10cb0741
--- /dev/null
+++ b/nova/templates/bin/_ssh-start.sh.tpl
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+IFS=','
+for KEY_TYPE in $KEY_TYPES; do
+ KEY_PATH=/etc/ssh/ssh_host_${KEY_TYPE}_key
+ if [[ ! -f "${KEY_PATH}" ]]; then
+ ssh-keygen -q -t ${KEY_TYPE} -f ${KEY_PATH} -N ""
+ fi
+done
+IFS=''
+
+mkdir -p ~nova/.ssh
+
+if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
+ chown nova: ~nova/.ssh
+fi
+
+chmod 0600 ~root/.ssh/authorized_keys
+chmod 0600 ~root/.ssh/id_rsa
+chmod 0600 ~root/.ssh/id_rsa.pub
+
+exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
index 4a7ed6440c..bc19de69be 100644
--- a/nova/templates/configmap-bin.yaml
+++ b/nova/templates/configmap-bin.yaml
@@ -65,4 +65,6 @@ data:
{{ tuple "bin/_nova-vnc-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
nova-vnc-proxy-init.sh: |
{{ tuple "bin/_nova-vnc-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ssh-start.sh: |
+{{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 442cf6f622..ee5507b4d5 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -114,4 +114,6 @@ data:
{{- tuple .Values.conf.rootwrap_filters.network "etc/rootwrap.d/_network.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
nova.conf: |+
{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova | indent 4 }}
+ ssh-config.sh: |+
+{{- tuple .Values.conf.ssh "etc/_ssh-config.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 6f21f03fbb..ee0c7aa7ee 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -162,6 +162,10 @@ spec:
mountPath: /etc/nova/rootwrap.d/network.filters
subPath: network.filters
readOnly: true
+ - name: nova-etc
+ mountPath: /root/.ssh/config
+ subPath: ssh-config
+ readOnly: true
{{- if .Values.ceph.enabled }}
- name: etcceph
mountPath: /etc/ceph
@@ -191,6 +195,39 @@ spec:
mountPath: /etc/machine-id
readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ - name: nova-compute-ssh
+ image: {{ .Values.images.compute_ssh }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ privileged: true
+ env:
+ - name: KEY_TYPES
+ value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
+ - name: SSH_PORT
+ value: {{ .Values.network.ssh.port | quote }}
+ ports:
+ - containerPort: {{ .Values.network.ssh.port }}
+ command:
+ - /tmp/ssh-start.sh
+ volumeMounts:
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ - name: varliblibvirt
+ mountPath: /var/lib/libvirt
+ - name: nova-etc
+ mountPath: /root/.ssh/id_rsa
+ subPath: ssh-key-private
+ - name: nova-etc
+ mountPath: /root/.ssh/id_rsa.pub
+ subPath: ssh-key-public
+ - name: nova-etc
+ mountPath: /root/.ssh/authorized_keys
+ subPath: ssh-key-public
+ - name: nova-bin
+ mountPath: /tmp/ssh-start.sh
+ subPath: ssh-start.sh
+ readOnly: true
volumes:
- name: nova-bin
configMap:
diff --git a/nova/templates/etc/_ssh-config.tpl b/nova/templates/etc/_ssh-config.tpl
new file mode 100644
index 0000000000..ca2966bf3a
--- /dev/null
+++ b/nova/templates/etc/_ssh-config.tpl
@@ -0,0 +1,4 @@
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ Port {{ .Values.network.ssh.port }}
diff --git a/nova/values.yaml b/nova/values.yaml
index dccf60ded8..003d86e134 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -60,6 +60,7 @@ images:
novncproxy_assets: docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3
consoleauth: docker.io/kolla/ubuntu-source-nova-consoleauth:3.0.3
compute: docker.io/kolla/ubuntu-source-nova-compute:3.0.3
+ compute_ssh: docker.io/kolla/ubuntu-source-nova-ssh:3.0.3
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
dep_check: docker.io/kolla/ubuntu-source-kubernetes-entrypoint:4.0.0
pull_policy: "IfNotPresent"
@@ -124,6 +125,9 @@ network:
port: 36080
port: 6080
targetPort: 6080
+ ssh:
+ name: "nova-ssh"
+ port: 8022
ceph:
enabled: true
@@ -255,7 +259,17 @@ console:
# IF blank, search default routing interface
vncserver_proxyclient_interface:
+ssh:
+ key_types:
+ - rsa
+ - dsa
+ - ecdsa
+ - ed25519
+
conf:
+ ssh:
+ override:
+ append:
rally_tests:
run_tempest: false
override:
@@ -940,6 +954,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
+ ssh:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
novncproxy:
requests:
memory: "128Mi"