From 0d2c815029d9117f3a5b41c875adde5ac2d45f59 Mon Sep 17 00:00:00 2001
From: Vladimir Khlyunev <vkhlyunev@mirantis.com>
Date: Mon, 1 Apr 2019 14:14:10 +0400
Subject: [PATCH] Add team's public ssh keys from reclass to image

Change-Id: I291b5bb3a3364b7e6328783cf0859ad48584c783
---
 .../common/jobs/build-swarm-image.yaml        |  6 ++++
 .../scripts/build_base_swarm_slave_image.sh   | 10 ++++--
 .../scripts/build_mos_swarm_slave_image.sh    | 10 ++++--
 .../scripts/generate_authorized_keys.py       | 34 +++++++++++++++++++
 .../scripts/prepare_build_upload_image.sh     |  6 ++++
 5 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 maintenance-ci/common/scripts/generate_authorized_keys.py

diff --git a/maintenance-ci/common/jobs/build-swarm-image.yaml b/maintenance-ci/common/jobs/build-swarm-image.yaml
index d5c7a92..62b421f 100644
--- a/maintenance-ci/common/jobs/build-swarm-image.yaml
+++ b/maintenance-ci/common/jobs/build-swarm-image.yaml
@@ -30,6 +30,12 @@
         url: 'https://review.fuel-infra.org/tools/sustaining/'
         branches:
             - origin/master
+    - git:
+        url: 'https://gerrit.mcp.mirantis.com/salt-models/reclass-system'
+        branches:
+            - origin/master
+        basedir: reclass-system
+      #        credential-id: mcp-gerrit
 
     wrappers:
     - timestamps
diff --git a/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh b/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh
index 48f1824..bb70756 100644
--- a/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh
+++ b/maintenance-ci/common/scripts/build_base_swarm_slave_image.sh
@@ -10,7 +10,10 @@ echo "jenkins:jenkins" | chpasswd
 adduser jenkins sudo
 sh -c 'echo "jenkins ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/jenkins-user'
 mkdir /home/jenkins/.ssh
-echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDci6MBY68s3FJ9V1OP5vdtVo/daJnkNXCPSPYbCX8/d0E3UJKgE81YvsxfuKp3r1rUNwTuGnkq+VUWcbIgpQNy69OuKxQkoGsRgYTA8n4ZZcuWz+dVenP90xLYHcnyACg63HUVEp5foLvu1WzOdH2A4bHmsl0ePM5IdnFyToHj+Nhwz1NSvbK1OkQHoEcIbkbIkIa/kWY2mgEIIUgb9YmaCI96eiVtQpFPQ4k7hpdrUAkG4e0jT8JA3zQoB++S12p0d0K3SQtJ3+YATUm+rKnHchHZ/uEAgBgoOLiu99p7Aiie76jlGxZp8A/hPqU/zS61z7ER4lJeyR/pXh53Ja+1 maintenance-ci" > /home/jenkins/.ssh/authorized_keys
+if [[ -f /tmp/authorized_keys ]] ; then
+  cp /tmp/authorized_keys /home/jenkins/.ssh/authorized_keys
+fi
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDci6MBY68s3FJ9V1OP5vdtVo/daJnkNXCPSPYbCX8/d0E3UJKgE81YvsxfuKp3r1rUNwTuGnkq+VUWcbIgpQNy69OuKxQkoGsRgYTA8n4ZZcuWz+dVenP90xLYHcnyACg63HUVEp5foLvu1WzOdH2A4bHmsl0ePM5IdnFyToHj+Nhwz1NSvbK1OkQHoEcIbkbIkIa/kWY2mgEIIUgb9YmaCI96eiVtQpFPQ4k7hpdrUAkG4e0jT8JA3zQoB++S12p0d0K3SQtJ3+YATUm+rKnHchHZ/uEAgBgoOLiu99p7Aiie76jlGxZp8A/hPqU/zS61z7ER4lJeyR/pXh53Ja+1 maintenance-ci" >> /home/jenkins/.ssh/authorized_keys
 
 sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
 sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
@@ -35,12 +38,15 @@ libyaml-dev \
 libffi-dev \
 python-dev \
 pkg-config \
-python-pip \
 ubuntu-vm-builder \
 bridge-utils \
 python-seed-client \
 sshpass
 
+curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
+python get-pip.py
+
+pip install -U setuptools wheel
 pip install virtualenv
 
 wget -O /home/jenkins/jenkins-swarm-client.jar https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/3.9/swarm-client-3.9.jar
diff --git a/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh b/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh
index fe97b9b..3949ea4 100644
--- a/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh
+++ b/maintenance-ci/common/scripts/build_mos_swarm_slave_image.sh
@@ -13,7 +13,10 @@ echo "jenkins:jenkins" | chpasswd
 adduser jenkins sudo
 sh -c 'echo "jenkins ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/jenkins-user'
 mkdir /home/jenkins/.ssh
-echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDci6MBY68s3FJ9V1OP5vdtVo/daJnkNXCPSPYbCX8/d0E3UJKgE81YvsxfuKp3r1rUNwTuGnkq+VUWcbIgpQNy69OuKxQkoGsRgYTA8n4ZZcuWz+dVenP90xLYHcnyACg63HUVEp5foLvu1WzOdH2A4bHmsl0ePM5IdnFyToHj+Nhwz1NSvbK1OkQHoEcIbkbIkIa/kWY2mgEIIUgb9YmaCI96eiVtQpFPQ4k7hpdrUAkG4e0jT8JA3zQoB++S12p0d0K3SQtJ3+YATUm+rKnHchHZ/uEAgBgoOLiu99p7Aiie76jlGxZp8A/hPqU/zS61z7ER4lJeyR/pXh53Ja+1 maintenance-ci" > /home/jenkins/.ssh/authorized_keys
+if [[ -f /tmp/authorized_keys ]] ; then
+  cp /tmp/authorized_keys /home/jenkins/.ssh/authorized_keys
+fi
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDci6MBY68s3FJ9V1OP5vdtVo/daJnkNXCPSPYbCX8/d0E3UJKgE81YvsxfuKp3r1rUNwTuGnkq+VUWcbIgpQNy69OuKxQkoGsRgYTA8n4ZZcuWz+dVenP90xLYHcnyACg63HUVEp5foLvu1WzOdH2A4bHmsl0ePM5IdnFyToHj+Nhwz1NSvbK1OkQHoEcIbkbIkIa/kWY2mgEIIUgb9YmaCI96eiVtQpFPQ4k7hpdrUAkG4e0jT8JA3zQoB++S12p0d0K3SQtJ3+YATUm+rKnHchHZ/uEAgBgoOLiu99p7Aiie76jlGxZp8A/hPqU/zS61z7ER4lJeyR/pXh53Ja+1 maintenance-ci" >> /home/jenkins/.ssh/authorized_keys
 
 sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
 sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
@@ -40,7 +43,6 @@ libvirt-bin \
 libvirt-dev \
 python-dev \
 pkg-config \
-python-pip \
 python-libvirt \
 postgresql \
 postgresql-server-dev-all \
@@ -51,6 +53,9 @@ bridge-utils \
 python-seed-client \
 sshpass
 
+curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
+python get-pip.py
+
 cat > /home/jenkins/configure_libvirt_pool.sh <<EOF
 #!/bin/bash
 mkdir -p /var/lib/libvirt/images
@@ -141,6 +146,7 @@ sudo -u postgres createdb fuel_devops -O fuel_devops || true
 
 aria2c --allow-overwrite=true --seed-time=0 --enable-dht=false -d /var/lib/transmission-daemon/downloads/ http://seed.fuel-infra.org/fuelweb-release/MirantisOpenStack-9.0.iso.torrent
 
+pip install -U setuptools wheel
 pip install virtualenv
 sudo -u jenkins -H bash -c "virtualenv /home/jenkins/qa-venv-9.x
 source /home/jenkins/qa-venv-9.x/bin/activate
diff --git a/maintenance-ci/common/scripts/generate_authorized_keys.py b/maintenance-ci/common/scripts/generate_authorized_keys.py
new file mode 100644
index 0000000..d0253f0
--- /dev/null
+++ b/maintenance-ci/common/scripts/generate_authorized_keys.py
@@ -0,0 +1,34 @@
+import os
+import sys
+import yaml
+
+reclass_team_dir_path = sys.argv[1]
+ssh_keys = []
+
+team_data = yaml.load(open(os.path.join(reclass_team_dir_path,
+                                        "maintenance.yml")),
+                      Loader=yaml.Loader)
+team_members = []
+for item in team_data['classes']:
+    if "team.members" in item:
+        username = item.split(".")[-1]
+        team_members.append(username)
+
+for username in team_members:
+    data = yaml.load(
+        open(os.path.join(reclass_team_dir_path,
+                          "members",
+                          "{}.yml".format(username))),
+        Loader=yaml.Loader)
+
+    for ssh_key in data[
+        'parameters'][
+        'openssh'][
+        'server'][
+        'user'][
+        username][
+        'public_keys']:
+        ssh_keys.append(ssh_key['key'])
+
+with open("authorized_keys", "w") as f:
+    f.write("\n".join(ssh_keys))
diff --git a/maintenance-ci/common/scripts/prepare_build_upload_image.sh b/maintenance-ci/common/scripts/prepare_build_upload_image.sh
index 0df3662..469c4ff 100755
--- a/maintenance-ci/common/scripts/prepare_build_upload_image.sh
+++ b/maintenance-ci/common/scripts/prepare_build_upload_image.sh
@@ -22,6 +22,11 @@ else
   cp /tmp/xenial-server-cloudimg-amd64-disk1.img xenial-server-cloudimg-amd64-disk1.img
 fi
 
+# collect maintenance team ssh keys from reclass-system
+sudo -H pip install setuptools wheel
+sudo -H pip install pyyaml
+python maintenance-ci/common/scripts/generate_authorized_keys.py reclass-system/openssh/server/team
+
 # sometimes archive.ubuntu.com is slow as hell - xtom mirrors is faster upstream
 # mirror. also we do not want to reuse our mirrors because we need some kind of stable job
 sudo sed -i "s/security.ubuntu.com/mirrors.xtom.com/g" /etc/apt/sources.list
@@ -47,6 +52,7 @@ sudo mv /mnt/image/etc/resolv.conf /mnt/image/etc/resolv.conf.bak
 sudo cp -f /etc/resolv.conf /mnt/image/etc/resolv.conf
 
 sudo cp "${UPDATE_SCRIPT}" /mnt/image/tmp/build_image.sh
+sudo cp authorized_keys /mnt/image/tmp/authorized_keys
 sudo cat > /mnt/image/tmp/jjb_creds.sh <<EOF
 JJB_USER=${JJB_USER}
 JJB_PASS=${JJB_PASS}
-- 
2.45.2