Configuring Managed services to set the SSH keys and known hosts in provider terraform pod
To download and execute a terraform module that is stored in a repository protected by a private SSH key, you must place the private SSH key and a known_hosts file under the /home/terraform/.ssh folder in the cam-provider-terraform pod. The /home/terraform folder in the provider terraform pod is a read-only directory, so you cannot create files or folders under it directly. The following process creates the private key and known_hosts files that are required to download and execute external terraform modules.
Create secret that contains private keys and known hosts
You must first create a secret that contains the content of your private key and your known_hosts file, in the same namespace as the cam-provider-terraform pod. Use a key that grants only read access to the module repository (for example, a read-only deploy key), because anyone who can read the secret can use the key. You can use the following command to create the secret:
oc -n <namespace> create secret generic <secret_name> --from-file=id_rsa=<path-to-private-ssh-key-file> --from-file=known_hosts=<path-to-knownhosts-file>
Alternatively, you can define the secret in a YAML file, mysshkey.yaml, as follows:
###############################################################################
# Licensed Materials - Property of IBM.
# Copyright IBM Corporation 2022. All Rights Reserved.
# U.S. Government Users Restricted Rights - Use, duplication or disclosure
# restricted by GSA ADP Schedule Contract with IBM Corp.
#
# Contributors:
# IBM Corporation - initial API and implementation
###############################################################################
apiVersion: v1
kind: Secret
metadata:
  name: <secret_name>
  namespace: <namespace>
data:
  id_rsa: <base64 encoded private key content>
  known_hosts: <base64 encoded known hosts content>
type: Opaque
Run the following command to create the secret:
oc create -f mysshkey.yaml
Procedure to add the key files to provider terraform pod
After the secret is created, you can add the key and known_hosts files to the cam-provider-terraform pod either during installation of Infrastructure Automation or after installation.
- To add the key files during installation, set the customization parameters under the spec.manageservice section of the install YAML as follows:
cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4aiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <Set true to install the Infrastructure Management component of Infrastructure Automation, false otherwise>
      name: ibm-management-im-install
      spec: {}
    - enabled: <Set true to install the Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec:
        manageservice:
          camProviderTerraform:
            terraformSSHDir:
              terraformSSHDirSecret: <ssh_secret_name>
  license:
    accept: <Set true to accept the license>
  storageClass: <Storage Class name that supports RWO>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF
Note: If Infrastructure Automation is installed with IBM Cloud Pak for AIOps, set storageClass and storageClassLargeBlock to the same classes that IBM Cloud Pak for AIOps uses.
- To set the key files after installation, do the following:
  - In the Red Hat OpenShift Container Platform console, navigate to the YAML of your installed ManagedService custom resource.
  - Find the string terraformSSHDirSecret in the YAML.
  - Set the name of the secret that holds your SSH key and known_hosts file as the value of terraformSSHDirSecret. If your secret name is terraform-ssh-secret, the modified YAML looks as follows:
camProviderTerraform:
  isolateRuntime: true
  replicaCount: 1
  runtime:
    replicaCount: 1
  terraformSSHDir:
    terraformSSHDirSecret: terraform-ssh-secret
  - Save the changes.
  - The cam-provider-terraform pod restarts. To verify the change, list the key files inside the pod with ls /home/terraform/.ssh. The output should show the SSH key and known_hosts files.
Note: Changing the contents of the secret does not by itself restart the pod. After you change the secret, restart the cam-provider-terraform pod so that the new key or known_hosts content takes effect.