

Merge pull request #24 from stackhpc/azimuth-helm
Moved secret generation from scripts to helm
sd109 authored Aug 16, 2023
2 parents 9cde995 + 7c5b6c4 commit e839442
Showing 14 changed files with 132 additions and 53 deletions.
39 changes: 0 additions & 39 deletions generate-secrets.sh

This file was deleted.

3 changes: 3 additions & 0 deletions image/Dockerfile
Expand Up @@ -9,6 +9,8 @@ LABEL org.opencontainers.image.source="https://github.com/stackhpc/slurm-docker-
ARG SLURM_TAG=slurm-23.02
ARG GOSU_VERSION=1.11

COPY kubernetes.repo /etc/yum.repos.d/kubernetes.repo

RUN set -ex \
&& yum makecache \
&& yum -y update \
Expand Down Expand Up @@ -46,6 +48,7 @@ RUN set -ex \
openssh-server \
apptainer \
ondemand \
kubectl \
&& yum clean all \
&& rm -rf /var/cache/yum

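Review bot: `kubectl \` is added to the package list without a version, while the rest of this stage pins its tooling (`ARG SLURM_TAG=slurm-23.02`, `ARG GOSU_VERSION=1.11`), so every rebuild resolves to whatever the repository publishes at that moment and the image is not reproducible. Pin it the same way, e.g. `ARG KUBECTL_VERSION=<placeholder: kubectl package version>` and `kubectl-${KUBECTL_VERSION} \` in the yum list. Note also that the client is needed only by the pre-install hook Job, yet it now ships in the image that runs the login node and the Slurm daemons; if the image is ever split, the hook is the only consumer that needs it. The `RUN set -ex` statement that this list belongs to begins before the second hunk.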
12 changes: 12 additions & 0 deletions image/docker-entrypoint.sh
Expand Up @@ -150,6 +150,18 @@ then
exit 1
fi

elif [ "$1" = "generate-keys-hook" ]
then
mkdir -p ./temphostkeys/etc/ssh
ssh-keygen -A -f ./temphostkeys
kubectl create secret generic host-keys-secret \
--dry-run=client \
--from-file=./temphostkeys/etc/ssh \
-o yaml | \
kubectl apply -f -

exit 0

elif [ "$1" = "debug" ]
then
start_munge --foreground
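Review bot: The unconditional `exit 0` after the pipeline reports success even when `ssh-keygen` or either `kubectl` invocation failed, so with the Job's `backoffLimit: 0` and `hook-delete-policy: hook-succeeded` the hook is deleted and the release proceeds with no `host-keys-secret`, unless the script enables `set -e` earlier (not visible in this hunk). Propagate the real status instead: put `set -o pipefail` at the start of the branch (the shell is assumed to be bash) and replace `exit 0` with `exit $?`. Separately, `kubectl apply -f -` overwrites an existing `host-keys-secret`, so a reinstall rotates SSH host keys that users have already trusted; if keys should survive reinstalls, `kubectl create` (which fails when the Secret exists) preserves them. The surrounding `if`/`elif` chain starts and ends outside the hunk.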
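--- a/image/kubernetes.repo
+++ b/image/kubernetes.repo
@@ -0,0 +1,6 @@
+[kubernetes]
+name=Kubernetes
+baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg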
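Review bot: Package signatures are verified (`gpgcheck=1`) but repository metadata is not, so a tampered mirror or a downgrade of the package list would go unnoticed; add `repo_gpgcheck=1`, which is what the upstream Kubernetes install instructions use for this repository. The `kubernetes-el7` path carries no per-minor-version stream, so `yum install kubectl` picks the newest package the repository publishes rather than a client matched to the target cluster. This Google-hosted repository has since been deprecated in favour of `pkgs.k8s.io`, whose URLs are versioned per Kubernetes minor release, so the definition will need migrating.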
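--- a/slurm-cluster-chart/templates/database-auth-secret.yaml
+++ b/slurm-cluster-chart/templates/database-auth-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: database-auth-secret
+annotations:
+helm.sh/hook: pre-install
+data:
+password: {{ randAlphaNum 32 | b64enc }}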
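Review bot: `password: {{ randAlphaNum 32 | b64enc }}` produces a new value every time the `pre-install` hook fires, and because no `helm.sh/hook-delete-policy` is set the Secret is not tracked by the release (it survives `helm uninstall`) while Helm's default `before-hook-creation` policy deletes and recreates it on the next install. A reinstall therefore gets a fresh password, but if the `var-lib-mysql` volume outlives the release the MariaDB data directory still holds the old one and the database stops authenticating until the Secret or the volume is reset; `munge-key-secret.yaml` has the same regenerate-on-reinstall and leftover-on-uninstall behaviour. Either reuse an existing value through a `lookup` of the Secret before generating a new one, or document that a reinstall requires a fresh database volume. A comment stating that these Secrets are hook resources and are not removed by `helm uninstall` would help whoever operates this chart.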
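--- a/slurm-cluster-chart/templates/generate-keys-hook.yaml
+++ b/slurm-cluster-chart/templates/generate-keys-hook.yaml
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: generate-keys-hook
+annotations:
+"helm.sh/hook": pre-install
+"helm.sh/hook-delete-policy": hook-succeeded
+"helm.sh/hook-weight": "3"
+spec:
+backoffLimit: 0
+ttlSecondsAfterFinished: 0
+template:
+metadata:
+name: generate-keys-hook
+spec:
+serviceAccountName: secret-generator-account
+restartPolicy: Never
+containers:
+- name: generate-keys-hook
+image: {{ .Values.slurmImage }}
+args:
+- generate-keys-hook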
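Review bot: `ttlSecondsAfterFinished: 0` lets the TTL controller delete the Job and its pod as soon as it finishes regardless of outcome, so when the single attempt allowed by `backoffLimit: 0` fails, the pod log — the only evidence of why — is gone before anyone can read it, and the immediate deletion may also race Helm's own wait on the Job. Since `helm.sh/hook-delete-policy: hook-succeeded` already cleans up the success path, drop the TTL or give it a debugging window such as `ttlSecondsAfterFinished: 600`. The pod template also sets no `securityContext` or resource requests/limits for a container whose token can write Secrets; whether the entrypoint's `ssh-keygen`/`kubectl` path can run as non-root is not visible here, but it is worth confirming.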
@@ -0,0 +1,9 @@
#Only applied if sshPublicKey provided in values.yaml, if not assumes you have run publish-keys.sh prior to helm release
{{ if .Values.sshPublicKey }}
apiVersion: v1
kind: ConfigMap
metadata:
name: helm-authorized-keys-configmap
data:
authorized_keys: {{ .Values.sshPublicKey }}
{{ end }}
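Review bot: `authorized_keys: {{ .Values.sshPublicKey }}` drops the key into a plain YAML scalar, so a key whose comment contains ` #` or `: ` is mis-parsed and only a single key can ever be supplied. Render it as a block scalar instead, `authorized_keys: |{{ .Values.sshPublicKey | nindent 4 }}`, which keeps any characters intact and allows a multi-line value holding several keys. The `#Only applied if ...` line is a YAML comment and therefore ends up in the rendered manifest; a `{{/* ... */}}` template comment keeps it out. This section's file header is not shown on the page, so the template's path is inferred from the ConfigMap name.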
11 changes: 6 additions & 5 deletions slurm-cluster-chart/templates/login.yaml
Expand Up @@ -28,10 +28,7 @@ spec:
name: login
env:
- name: ROCKY_OOD_PASS
valueFrom:
secretKeyRef:
name: htdbm-secret
key: password
value: {{ .Values.openOnDemand.password }}
ports:
- containerPort: 22
- containerPort: 80
Expand Down Expand Up @@ -83,7 +80,11 @@ spec:
defaultMode: 0400
- name: authorized-keys
configMap:
name: {{ .Values.configmaps.authorizedKeys }}
{{ if .Values.sshPublicKey }}
name: helm-authorized-keys-configmap
{{ else }}
name: authorized-keys-configmap
{{ end }}
- name: cluster-config
configMap:
name: cluster-config
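Review bot: `value: {{ .Values.openOnDemand.password }}` replaces the `secretKeyRef`, so the Open OnDemand password is now a plaintext environment value visible in the rendered manifest, the Helm release history and `kubectl get pod -o yaml` to anyone who can read pods, whereas Secret reads can be granted separately. Keep the indirection: render a Secret from the value (`data` with `b64enc`, or `stringData`) and point `secretKeyRef` at it. Whatever the mechanism, quote the value — `{{ .Values.openOnDemand.password | quote }}` — because a password such as `123456` or `true` renders as a non-string and the pod spec rejects it. In the second hunk the `{{ else }}` branch hard-codes `authorized-keys-configmap`; if `configmaps.authorizedKeys` is kept in values.yaml it should reference that value instead.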
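--- a/slurm-cluster-chart/templates/munge-key-secret.yaml
+++ b/slurm-cluster-chart/templates/munge-key-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: munge-key-secret
+annotations:
+helm.sh/hook: pre-install
+data:
+munge.key: {{ randAscii 128 | b64enc }}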
2 changes: 1 addition & 1 deletion slurm-cluster-chart/templates/mysql-deployment.yaml
Expand Up @@ -34,7 +34,7 @@ spec:
value: "yes"
- name: MYSQL_USER
value: "slurm"
image: {{ .Values.sqlImage }}
image: {{ .Values.database.image }}
name: mysql
ports:
- containerPort: 3306
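--- a/slurm-cluster-chart/templates/secret-generator-role.yaml
+++ b/slurm-cluster-chart/templates/secret-generator-role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: secret-generator-role
+annotations:
+"helm.sh/hook": pre-install
+"helm.sh/hook-weight": "1"
+rules:
+- apiGroups: [""] # "" indicates the core API group
+resources: ["secrets"]
+verbs: ["get","apply","create", "patch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: secret-generator-rolebinding
+annotations:
+"helm.sh/hook": pre-install
+"helm.sh/hook-weight": "2"
+subjects:
+- kind: ServiceAccount
+name: secret-generator-account
+roleRef:
+kind: Role
+name: secret-generator-role
+apiGroup: rbac.authorization.k8s.io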
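Review bot: The Role grants `get` and `patch` on every Secret in the namespace although the hook only touches `host-keys-secret`, and `apply` in `verbs: ["get","apply","create", "patch"]` is not an RBAC verb (server-side apply is authorised as `patch`), so it grants nothing and misleads the reader. `kubectl apply` needs `get` plus `patch` or `create`; scope the name-addressable verbs with `resourceNames` and leave only `create`, which cannot be name-scoped, namespace-wide. The flow lists should also use consistent `, ` spacing.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["host-keys-secret"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
# … unchanged: RoleBinding document …
```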
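--- a/slurm-cluster-chart/templates/secret-generator-serviceaccount.yaml
+++ b/slurm-cluster-chart/templates/secret-generator-serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: secret-generator-account
+annotations:
+"kubernetes.io/enforce-mountable-secrets": "true"
+"helm.sh/hook": pre-install
+"helm.sh/hook-weight": "0"
+automountServiceAccountToken: True
+secrets:
+- name: host-keys-secret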
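Review bot: `kubernetes.io/enforce-mountable-secrets` together with the `secrets:` list only restricts which Secrets pods using this ServiceAccount may mount as volumes or imagePullSecrets; it does not limit what the token may do against the API, which is governed solely by `secret-generator-role`. The hook pod mounts no Secret, so the annotation and the `host-keys-secret` entry currently enforce nothing while suggesting a protection that is not there — either explain that in a comment such as `# Mount restriction only; API access is scoped by secret-generator-role` or drop both. `automountServiceAccountToken: True` should be the conventional lowercase `true`, which yamllint's truthy rule expects.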
Expand Up @@ -11,4 +11,4 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.databaseStorage }}
storage: {{ .Values.database.storage }}
24 changes: 17 additions & 7 deletions slurm-cluster-chart/values.yaml
@@ -1,4 +1,4 @@
slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:7c0e2d9
slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:d3daba4

login:
# Deployment resource name
Expand Down Expand Up @@ -53,17 +53,27 @@ rooknfs:



sqlImage: mariadb:10.10

databaseStorage: 100Mi
# Values for Slurm's database container
database:
#Database image to be used
image: mariadb:10.10
#Storage requested by the var-lib-mysql volume backing the database
storage: 100Mi

# Configmap resource names
configmaps:
authorizedKeys: authorized-keys-configmap
slurmConf: slurm-conf-configmap
slurmdbdConf: slurmdbd-conf-configmap
sshdConfig: sshd-config-configmap

# Public key used for ssh access to the login node
# If let undefined, assumes you have run the provided publish-keys.sh script to publish your public key prior to deployment
sshPublicKey:

# Secret resource names
secrets:
databaseAuth: database-auth-secret
mungeKey: munge-key-secret


openOnDemand:
#Password for default Open OnDemand user 'rocky'
password: password
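Review bot: `password: password` under `openOnDemand` gives the default user `rocky` a guessable credential on every deployment that does not override it, and a default this weak in the shipped values is rarely changed. Leave it empty (`password: ""`) and have the consuming template fail fast with `{{ required "openOnDemand.password must be set" .Values.openOnDemand.password }}`, or generate it the way the database password is. `sshPublicKey:` renders as null, which the template's `if` guard handles, but `sshPublicKey: ""` states the intent; `configmaps.authorizedKeys` looks unused now that login.yaml selects the ConfigMap by literal name, though which lines this hunk deletes is not recoverable from the page. Minor: `#Database image to be used` and its sibling want a space after `#`, and "If let undefined" should read "If left undefined".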
