In this article, we will look at how we can use an Action-Based Extensibility (ABX) action to fetch GitLab or GitHub SSH keys and use them in a VMware Cloud Assembly blueprint deployment.
Lab Environment
The full lab logical design can be seen HERE.
Introduction
When building Cloud Assembly blueprints there are multiple ways to specify what kind of remote access to the machine is possible after it has been provisioned. You set these via the remoteAccess property in your blueprint YAML.
One popular option is to use publicPrivateKey as the remoteAccess authentication method and supply the SSH key directly in the YAML:
```yaml
my-vm:
  type: Cloud.Machine
  properties:
    remoteAccess:
      authentication: publicPrivateKey
      sshKey: SSH KEY GOES HERE
```
Let's see how we can dynamically supply this key at provisioning time.
Issue and Solution
The problem with the above approach is that you have to hard-code the SSH key value in every YAML blueprint you manage. What if we want to pull the SSH key from a Git repository such as GitLab or GitHub, or from any other URL for that matter?
We cannot reference an external value directly in the YAML, but we can build an Action-Based Extensibility (ABX) action that fetches the value and injects it into the YAML during provisioning.
Action-Based Extensibility uses streamlined scripts of code within Cloud Assembly to automate extensibility actions.
Action-Based Extensibility provides a lightweight and flexible run-time engine interface where you can define small scriptable actions and configure them to initiate on particular events provided by the Event Broker Service (EBS).
You can create these extensibility action scripts within Cloud Assembly and assign them to subscriptions. Similarly to workflows, an extensibility action script triggers when an event specified by a subscription occurs. Extensibility action scripts are used for more lightweight and simple automation of tasks and steps. They are also hosted in the cloud, as opposed to workflows, which are hosted on-premises using a vRealize Orchestrator client and server.
Let's see how we can do this.
First, let's specify the remote access method in our blueprint YAML and give a null value for the SSH key:
```yaml
my-vm:
  type: Cloud.Machine
  properties:
    remoteAccess:
      authentication: publicPrivateKey
      sshKey: null
```
Navigate to the Extensibility tab in Cloud Assembly.
Navigate to Actions and click New Action.
Provide the following values:
- Name: Give it a name
- Project: Attach it to the project that contains your blueprint YAML
- Template: custom script
- Runtime: python 3
Copy and paste the following script into the script field:
```python
#-----------------------------------------------------------------------#
# Created by Spas Kaloferov                                             #
# www.kaloferov.com                                                     #
#-----------------------------------------------------------------------#
import requests

def handler(context, inputs):
    # Modify the URL to point to your GitLab, GitHub or any other URL that holds the SSH key
    response = requests.get('https://github.com/KaloferovLab.keys')
    # Fail the action on an HTTP error instead of injecting an error page as the key
    response.raise_for_status()
    # Set encoding to UTF-8
    response.encoding = 'utf-8'
    # Remove line breaks from the text (assumes the URL returns a single key)
    ssh_key = response.text.replace("\n", "")
    print(ssh_key)
    # Read the sshKey value from the properties section of the blueprint payload
    old_key = inputs["customProperties"]["sshKey"]
    new_key = ssh_key
    # Create outputs and assign the new key value
    outputs = {}
    outputs["customProperties"] = inputs["customProperties"]
    outputs["customProperties"]["sshKey"] = new_key
    print("Setting machine sshKey value from {0} to {1}".format(old_key, new_key))
    return outputs
```
Replace the response URL with the URL holding your SSH key.
On the right side provide the following values:
- Main function: handler
- Inputs: customProperties : ["sshKey"]
- Dependency: requests
Save the action.
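Fetching a key over HTTP and writing whatever comes back into remoteAccess.sshKey means the action trusts that URL completely: an error page, a truncated download or a change to the keys published there all become the login credential for the new machine. The following is an added example, not the action from this post or any VMware code, showing one way to validate the fetched text as OpenSSH public keys and accept only fingerprints on a per-project allow-list before they reach the blueprint. The input names keyUrl and allowedFingerprints, the injected fetch_text parameter and the sample keys are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib

# Added example (not the page's ABX action): validate what the SSH-key URL
# returns before it is written into remoteAccess.sshKey. Input names, the
# fetch_text parameter and the sample keys below are assumptions.

ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_authorized_key(line):
    """Parse one authorized_keys-style line into (key_type, fingerprint).

    Raises ValueError for anything that is not a well-formed public key, so an
    HTTP error page or a truncated download can never end up in the blueprint.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an authorized_keys line: %r" % line[:40])
    key_type, blob_b64 = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported key type %s" % key_type)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key blob is not valid base64")
    # The OpenSSH wire format starts with a length-prefixed type string that
    # must agree with the textual prefix; a mismatch means the line was
    # mangled in transit or edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key blob type does not match prefix %s" % key_type)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest


def select_keys(fetched_text, allowed_fingerprints):
    """Return the validated key lines whose fingerprint is on the allow-list.

    Blank lines are skipped; malformed lines are rejected rather than silently
    dropped, because a partially bad response is a signal worth failing on.
    """
    accepted = []
    for line in fetched_text.splitlines():
        if not line.strip():
            continue
        _, fingerprint = parse_authorized_key(line)
        if fingerprint in allowed_fingerprints:
            accepted.append(line.strip())
    if not accepted:
        raise ValueError("no fetched key matches the allow-list")
    return accepted


def handler(context, inputs, fetch_text):
    """ABX-style entry point (assumption: same inputs shape as the post's action).

    fetch_text is injected so the function can be exercised offline; in a real
    action it would wrap requests.get(url) followed by raise_for_status().
    """
    keys = select_keys(fetch_text(inputs["keyUrl"]),
                       set(inputs["allowedFingerprints"]))
    outputs = {"customProperties": dict(inputs["customProperties"])}
    # Several accepted keys are joined with newlines, the authorized_keys layout.
    outputs["customProperties"]["sshKey"] = "\n".join(keys)
    return outputs


def make_ed25519_line(raw32, comment):
    """Build a syntactically valid ssh-ed25519 line from 32 constructed bytes."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample data: two fake keys, not real credentials.
GOOD_KEY = make_ed25519_line(bytes(range(32)), "ops@example")
OTHER_KEY = make_ed25519_line(bytes(32), "stranger@example")
```

With this shape the allow-list of fingerprints lives in the action inputs next to the URL, so rotating a key means updating one fingerprint rather than trusting whatever the remote account publishes, and a fetch that returns "Not Found" fails the deployment instead of provisioning a machine nobody can reach.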
Go to the Subscriptions tab and create a new Subscription.
Provide the following values:
- Name: give it a name
- Event Topic: compute.allocation.pre
- Runnable Item: the action you created
- Blocking: Enable
Save the subscription.
Trigger a deployment of the blueprint.
Monitor the action run and wait until it has completed.
Now you should be able to log in via SSH to the machine you've just deployed.
Final Step
If all went well, go grab a beer.
This is great and I'll definitely use this a lot for myself, but the key is still hardcoded in the script. It's perfect for a blueprint/project where updating the key in GitHub is enough. For it to be a bit more reusable between other blueprints/deployments, etc., what about having a custom field (powered by ABX) where the user at deployment time from SB has the option to put a GitHub username or just paste the SSH key into a field? Maybe I'm missing the point, though, just a thought.