Add azure jump host hack script

Signed-off-by: Malte Poll <mp@edgeless.systems>
This commit is contained in:
Malte Poll 2022-07-15 14:48:35 +02:00 committed by Malte Poll
parent a931f6692f
commit d3466da393
4 changed files with 329 additions and 0 deletions


@ -0,0 +1,9 @@
# Creating a Jump Host for Azure
Constellation on Azure does not allow direct access to every node.
For debugging purposes, you can create a jump host that can be used to access the nodes in your cluster.
```shell-session
# execute the following command in your constellation workspace AFTER constellation create
"$(git rev-parse --show-toplevel)/hack/azure-jump-host/jump-host-create"
```


@ -0,0 +1,33 @@
#!/bin/bash
set -e
set -o pipefail
SCRIPTDIR="$( dirname -- $(realpath "${BASH_SOURCE}"); )";
RG=$(jq -r .azureresourcegroup constellation-state.json)
SUBNET=$(jq -r .azuresubnet constellation-state.json)
VNET=${SUBNET%"/subnets/nodeNetwork"}
PUBKEY=$(cat ~/.ssh/id_rsa.pub)
DEPLOYMENT_NAME=jump-host
VM_NAME=jump-host
az deployment group create \
-o none \
--name "${DEPLOYMENT_NAME}" \
--resource-group "${RG}" \
--template-file "${SCRIPTDIR}/template.json" \
--parameters "@${SCRIPTDIR}/parameters.json" \
--parameters "{ \"virtualNetworkId\": { \"value\": \"${VNET}\" } }" \
--parameters "{ \"subnetRef\": { \"value\": \"${SUBNET}\" } }" \
--parameters "{ \"adminPublicKey\": { \"value\": \"${PUBKEY}\" } }"
az deployment group wait --created --name "${DEPLOYMENT_NAME}" --resource-group "${RG}"
PUBIP=$(az vm list-ip-addresses --resource-group "${RG}" --name "${VM_NAME}" --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" --output tsv)
echo "Jump host created. Cleanup by deleteing the resource group."
echo "Connect to the jump host with the following command:"
echo -e "ssh azureuser@${PUBIP}\n"
echo "Expose any nodes's debugd port locally:"
echo -e "NODEIP=<IP OF CONSTELLATION NODE> && \n\
ssh -M -S debugd -fNT -L \"4000:\${NODEIP}:4000\" azureuser@${PUBIP} && \n\
./cdbg deploy --ips localhost && \n\
ssh -S debugd -O exit azureuser@${PUBIP}\n"
echo "Connect to any constellation node using the following command:"
echo "ssh -J azureuser@${PUBIP} <USER>@<IP OF CONSTELLATION NODE>"
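Review bot: `SCRIPTDIR` on the script's fourth line leaves the inner `$(realpath ...)` unquoted, so a checkout path containing whitespace is word-split before `dirname` sees it, and the trailing `;` inside the substitution is a stray; `SCRIPTDIR="$(dirname -- "$(realpath "${BASH_SOURCE[0]}")")"`. The `jq -r` reads of `constellation-state.json` print the literal string `null` for a missing key instead of failing, so `set -e` does not stop the deployment from running with `--resource-group null`; `jq -er` turns a missing key into a non-zero exit, e.g. `RG=$(jq -er .azureresourcegroup constellation-state.json)`. The three inline `--parameters` JSON snippets are built by string interpolation, so a key comment containing a double quote yields invalid JSON; building them with `jq -n --arg` avoids that and would also be the place to drop the hard-coded `~/.ssh/id_rsa.pub`, which fails outright for users whose only key is ed25519 — an override variable (constructed name, e.g. `SSH_PUBKEY_FILE`) defaulting to `id_rsa.pub` keeps current behaviour. The printed cleanup hint also misspells "deleting" as `deleteing`.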


@ -0,0 +1,83 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"value": "northeurope"
},
"networkInterfaceName": {
"value": "jump-host814"
},
"networkSecurityGroupName": {
"value": "jump-host-nsg"
},
"networkSecurityGroupRules": {
"value": [
{
"name": "SSH",
"properties": {
"priority": 300,
"protocol": "TCP",
"access": "Allow",
"direction": "Inbound",
"sourceAddressPrefix": "*",
"sourcePortRange": "*",
"destinationAddressPrefix": "*",
"destinationPortRange": "22"
}
}
]
},
"virtualNetworkId": {
"value": null
},
"subnetRef": {
"value": null
},
"publicIpAddressName": {
"value": "jump-host-ip"
},
"publicIpAddressType": {
"value": "Dynamic"
},
"publicIpAddressSku": {
"value": "Basic"
},
"pipDeleteOption": {
"value": "Detach"
},
"virtualMachineName": {
"value": "jump-host"
},
"virtualMachineComputerName": {
"value": "jump-host"
},
"osDiskType": {
"value": "Premium_LRS"
},
"osDiskDeleteOption": {
"value": "Delete"
},
"virtualMachineSize": {
"value": "Standard_DC2ads_v5"
},
"nicDeleteOption": {
"value": "Detach"
},
"adminUsername": {
"value": "azureuser"
},
"adminPublicKey": {
"value": null
},
"securityType": {
"value": "ConfidentialVM"
},
"secureBoot": {
"value": true
},
"vTPM": {
"value": true
}
}
}
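Review bot: The SSH rule in `networkSecurityGroupRules` uses `"sourceAddressPrefix": "*"`, so port 22 on the jump host is reachable from any Internet address for as long as the resource group exists. Password login is disabled in the template and only the operator's key is installed, but a debugging host does not need that exposure; restricting the prefix to the operator's egress address keeps it off mass SSH scans and the resulting auth-log noise. Since `jump-host-create` already overrides parameters on the command line, the rule's prefix could be supplied the same way, e.g. `"sourceAddressPrefix": "<OPERATOR_CIDR>"` (placeholder) filled from the caller, with `*` only as an explicit opt-in. `networkInterfaceName` is `jump-host814`, a portal-export style suffix out of step with the other `jump-host-*` names.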


@ -0,0 +1,204 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"networkInterfaceName": {
"type": "string"
},
"networkSecurityGroupName": {
"type": "string"
},
"networkSecurityGroupRules": {
"type": "array"
},
"virtualNetworkId": {
"type": "string"
},
"subnetRef": {
"type": "string"
},
"publicIpAddressName": {
"type": "string"
},
"publicIpAddressType": {
"type": "string"
},
"publicIpAddressSku": {
"type": "string"
},
"pipDeleteOption": {
"type": "string"
},
"virtualMachineName": {
"type": "string"
},
"virtualMachineComputerName": {
"type": "string"
},
"osDiskType": {
"type": "string"
},
"osDiskDeleteOption": {
"type": "string"
},
"virtualMachineSize": {
"type": "string"
},
"nicDeleteOption": {
"type": "string"
},
"adminUsername": {
"type": "string"
},
"adminPublicKey": {
"type": "secureString"
},
"securityType": {
"type": "string"
},
"secureBoot": {
"type": "bool"
},
"vTPM": {
"type": "bool"
}
},
"variables": {
"nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
"vnetId": "[parameters('virtualNetworkId')]",
"vnetName": "[last(split(variables('vnetId'), '/'))]"
},
"resources": [
{
"name": "[parameters('networkInterfaceName')]",
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-03-01",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]",
"[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[parameters('subnetRef')]"
},
"privateIPAllocationMethod": "Dynamic",
"publicIpAddress": {
"id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
"properties": {
"deleteOption": "[parameters('pipDeleteOption')]"
}
}
}
}
],
"networkSecurityGroup": {
"id": "[variables('nsgId')]"
}
}
},
{
"name": "[parameters('networkSecurityGroupName')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-02-01",
"location": "[parameters('location')]",
"properties": {
"securityRules": "[parameters('networkSecurityGroupRules')]"
}
},
{
"name": "[parameters('publicIpAddressName')]",
"type": "Microsoft.Network/publicIpAddresses",
"apiVersion": "2020-08-01",
"location": "[parameters('location')]",
"properties": {
"publicIpAllocationMethod": "[parameters('publicIpAddressType')]"
},
"sku": {
"name": "[parameters('publicIpAddressSku')]"
}
},
{
"name": "[parameters('virtualMachineName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-03-01",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('virtualMachineSize')]"
},
"storageProfile": {
"osDisk": {
"createOption": "fromImage",
"managedDisk": {
"storageAccountType": "[parameters('osDiskType')]",
"securityProfile": {
"securityEncryptionType": "DiskWithVMGuestState"
}
},
"deleteOption": "[parameters('osDiskDeleteOption')]"
},
"imageReference": {
"publisher": "canonical",
"offer": "0001-com-ubuntu-confidential-vm-focal",
"sku": "20_04-lts-cvm",
"version": "latest"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]",
"properties": {
"deleteOption": "[parameters('nicDeleteOption')]"
}
}
]
},
"osProfile": {
"computerName": "[parameters('virtualMachineComputerName')]",
"adminUsername": "[parameters('adminUsername')]",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
"keyData": "[parameters('adminPublicKey')]"
}
]
}
}
},
"securityProfile": {
"securityType": "[parameters('securityType')]",
"uefiSettings": {
"secureBootEnabled": "[parameters('secureBoot')]",
"vTpmEnabled": "[parameters('vTPM')]"
}
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true
}
}
}
}
],
"outputs": {
"adminUsername": {
"type": "string",
"value": "[parameters('adminUsername')]"
}
}
}
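Review bot: The variables `vnetId` and `vnetName` are never referenced by any entry in `resources` — the NIC is placed via `parameters('subnetRef')` — so the `virtualNetworkId` parameter that `jump-host-create` derives from the subnet id and passes in is dead input; either remove the parameter and both variables or comment why they are kept. The create script obtains the public address with a separate `az vm list-ip-addresses` call after `az deployment group wait`; the template could expose it in `outputs` instead, e.g. `"publicIp": { "type": "string", "value": "[reference(parameters('publicIpAddressName')).ipAddress]" }`, though with a `Dynamic` allocation the address may not be populated at output time — confirm before relying on it. The four resources use four different `apiVersion` values (2019-02-01 through 2022-03-01); aligning them is a minor consistency point.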