
Paddy 2015-10-15 Parent:2f4a2a20ad6d

6:4c6afe37e83a Go to Latest

infra/codestorage/hg-ssh/pullkeys.sh

Pull hostkeys when pulling SSH keys. Rather than relying on Kubernetes secrets and baking public keys right in, which was bound to get fraught, we now have some graceful degradation. It defaults to automatically-generated random keys, but will try to download some keys from Google Cloud Storage for the host. If it can find some, it will try to use those instead.

1 #!/bin/bash
2 DOMAIN=${DOMAIN:-code.secondbit.org}
3 SSH_KEYS_BUCKET=${SSH_KEYS_BUCKET:-sshkeys.$DOMAIN}
4 SSH_HOST_KEYS_BUCKET=${SSH_HOST_KEYS_BUCKET:-hostkeys.$DOMAIN}
6 mkdir -p /tmp/sshkeys
7 mkdir -p /tmp/hostkeys
9 echo "Cleaning up..."
10 rm -rf /tmp/sshkeys/*
11 rm -rf /tmp/hostkeys/*
13 echo "Downloading keys from gs://${SSH_KEYS_BUCKET}/"
15 output=$(gsutil cp -R gs://$SSH_KEYS_BUCKET/\* /tmp/sshkeys/ 2>&1)
16 echo $output
18 keys=$(find /tmp/sshkeys -name '*.pub')
20 for key in $keys
21 do
22 dir=$(dirname $key)
23 stripped=${dir#.}
24 stripped=${stripped#/tmp/sshkeys}
25 target=${key#/tmp/sshkeys}
26 target=${target%.pub}
27 target=${target#/}
28 IFS='-' read -ra USERSPEC <<< $target
29 if [ -d "/home${USERSPEC[0]}" ]
30 then
31 echo "User ${USERSPEC[0]} already exists, skipping."
32 else
33 echo "Creating user ${USERSPEC[0]} with ID ${USERSPEC[1]}."
34 /bin/bash /usr/local/bin/helpers/create_user.sh "${USERSPEC[0]}" "${USERSPEC[1]}"
35 cat $key > /home/${USERSPEC[0]}/.ssh/authorized_keys
36 fi
37 done
39 echo "Downloading host keys from gs://${SSH_HOST_KEYS_BUCKET}/"
41 output=$(gsutil cp -R gs://$SSH_HOST_KEYS_BUCKET/\* /tmp/hostkeys/ 2>&1)
42 echo $output
44 keys=/tmp/hostkeys/*
46 for key in $keys
47 do
48 if [[ $key != *".pub" ]]
49 then
50 chmod 0700 $key
51 fi
52 target="/etc/ssh/${key##*/}"
53 echo "Moving $key to $target"
54 rm $target
55 mv $key $target
56 done
58 echo "Cleaning up..."
59 rm -rf /tmp/sshkeys/*
60 rm -rf /tmp/hostkeys/*
62 echo "SSH key pull complete."
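Review bot: When the host-key download yields nothing — the degradation case the description aims for — the unquoted glob at gutter line 44 (`keys=/tmp/hostkeys/*`) stays literal, so line 52 builds `target="/etc/ssh/*"` and the unquoted `rm $target` on line 54 expands it to every file under /etc/ssh, including sshd_config and the auto-generated host keys. Set `shopt -s nullglob` before the loop (or guard with `[[ -e "$key" ]] || continue`) and quote the expansions as `rm -f -- "$target"` and `mv -- "$key" "$target"`; the `gsutil` status on line 41 is only echoed, never checked, so a failed download should also skip the loop rather than proceed. Separately, line 29 tests `/home${USERSPEC[0]}` without the slash, so an existing user is never detected and `create_user.sh` is re-run on every pull; it should read `[ -d "/home/${USERSPEC[0]}" ]`. Line 50 applies `chmod 0700` to private host keys, which marks them executable; the conventional mode for key files is `0600`. The page shows no old/new markers, so I cannot tell which of these lines the commit introduced.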