This is an automated email from the ASF dual-hosted git repository. lfrolov pushed a commit to branch DATALAB-2674 in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
commit b875dc5254b25673c09bea1093c48bda3ce54038 Author: leonidfrolov <[email protected]> AuthorDate: Wed Feb 9 12:03:19 2022 +0200 [DATALAB-2674]: added disk and image encryption with wrapped csek --- .../scripts/deploy_datalab.py | 3 +++ .../src/general/conf/datalab.ini | 2 ++ .../src/general/lib/gcp/actions_lib.py | 28 ++++++++++++++++++---- .../general/scripts/gcp/common_create_instance.py | 4 +++- .../scripts/gcp/common_create_notebook_image.py | 10 ++++---- .../general/scripts/gcp/common_prepare_notebook.py | 9 ++++--- .../src/general/scripts/gcp/dataengine_prepare.py | 17 ++++++++----- .../general/scripts/gcp/deeplearning_configure.py | 3 ++- .../src/general/scripts/gcp/jupyter_configure.py | 3 ++- .../general/scripts/gcp/jupyterlab_configure.py | 3 ++- .../src/general/scripts/gcp/project_prepare.py | 6 +++-- .../src/general/scripts/gcp/rstudio_configure.py | 3 ++- .../src/general/scripts/gcp/ssn_prepare.py | 5 ++-- .../src/general/scripts/gcp/superset_configure.py | 3 ++- .../scripts/gcp/tensor-rstudio_configure.py | 3 ++- .../src/general/scripts/gcp/tensor_configure.py | 3 ++- .../src/general/scripts/gcp/zeppelin_configure.py | 3 ++- 17 files changed, 77 insertions(+), 31 deletions(-) diff --git a/infrastructure-provisioning/scripts/deploy_datalab.py b/infrastructure-provisioning/scripts/deploy_datalab.py index f4587a8..8f55428 100644 --- a/infrastructure-provisioning/scripts/deploy_datalab.py +++ b/infrastructure-provisioning/scripts/deploy_datalab.py 
@@ -268,6 +268,9 @@ def build_parser(): gcp_parser.add_argument('--gcp_cmek_resource_name', type=str, default='', help='customer managed encryption key resource name ' 'e.g. projects/{project_name}/locations/{us}/keyRings/{keyring_name}/cryptoKeys/{key_name}') + gcp_parser.add_argument('--gcp_wrapped_csek', type=str, default='', + help='customer supplied encryption key for disk/image encryption in RFC 4648 base64 ' + 'encoded, RSA-wrapped 2048-bit format as rsaEncryptedKey') gcp_required_args = gcp_parser.add_argument_group('Required arguments') gcp_required_args.add_argument('--gcp_region', type=str, required=True, help='GCP region') diff --git a/infrastructure-provisioning/src/general/conf/datalab.ini b/infrastructure-provisioning/src/general/conf/datalab.ini index 681384b..1ebe64c 100644 --- a/infrastructure-provisioning/src/general/conf/datalab.ini +++ b/infrastructure-provisioning/src/general/conf/datalab.ini @@ -236,6 +236,8 @@ block_project_ssh_keys = FALSE bucket_enable_versioning = false ### gcp customer managed encryption key to use cmek_resource_name = '' +### gcp customer supplied wrapped encryption key to use +gcp_wrapped_csek = '' ### GCP region name for whole DataLab provisioning region = us-west1 ### GCP zone name for whole DataLab provisioning diff --git a/infrastructure-provisioning/src/general/lib/gcp/actions_lib.py b/infrastructure-provisioning/src/general/lib/gcp/actions_lib.py index 9bec18a..53df959 100644 --- a/infrastructure-provisioning/src/general/lib/gcp/actions_lib.py +++ b/infrastructure-provisioning/src/general/lib/gcp/actions_lib.py @@ -274,7 +274,7 @@ class GCPActions: file=sys.stdout)})) traceback.print_exc(file=sys.stdout) - def create_disk(self, instance_name, zone, size, secondary_image_name): + def create_disk(self, instance_name, zone, size, secondary_image_name, rsa_encrypted_csek=''): try: if secondary_image_name == 'None': params = {"sizeGb": size, "name": instance_name + '-secondary', 
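Review bot: `--gcp_wrapped_csek` in build_parser() is accepted as an arbitrary string, and later hunks in this commit place that value unchanged inside hand-quoted shell command lines and Compute API request bodies. Rejecting anything that is not well-formed base64 at parse time fails early with a clear message and keeps quote or whitespace characters out of those downstream commands. A `type=` validator along the lines below would do it; it assumes `argparse`, `base64` and `binascii` are imported at the top of the file, which is outside this hunk. The help text could also state that an empty value leaves CSEK encryption off.

```python
def _wrapped_csek(value):
    # An empty string keeps CSEK encryption disabled (the existing default).
    if not value:
        return value
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        raise argparse.ArgumentTypeError('--gcp_wrapped_csek must be RFC 4648 base64')
    return value

# … unchanged: other gcp_parser arguments in build_parser() …
    gcp_parser.add_argument('--gcp_wrapped_csek', type=_wrapped_csek, default='',
                            # … unchanged: help text …
                            )
```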
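Review bot: The new key is spelled `gcp_wrapped_csek`, while its neighbours in this section carry no `gcp_` prefix: `block_project_ssh_keys` here is what the scripts read as `os.environ['gcp_block_project_ssh_keys']`. If the loader prepends the section name (it is not part of this diff), this default would surface as `gcp_gcp_wrapped_csek`, and the `os.environ['gcp_wrapped_csek']` lookups added elsewhere in the commit would not see it. Naming the key `wrapped_csek = ''` would match the rest of the section.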
@@ -283,6 +283,8 @@ class GCPActions: params = {"sizeGb": size, "name": instance_name + '-secondary', "type": "projects/{0}/zones/{1}/diskTypes/pd-ssd".format(self.project, zone), "sourceImage": secondary_image_name} + if rsa_encrypted_csek: + params['diskEncryptionKey'] = {"rsaEncryptedKey": rsa_encrypted_csek} request = self.service.disks().insert(project=self.project, zone=zone, body=params) result = request.execute() datalab.meta_lib.GCPMeta().wait_for_operation(result['name'], zone=zone) @@ -324,7 +326,7 @@ class GCPActions: network_tag, labels, static_ip='', primary_disk_size='12', secondary_disk_size='30', gpu_accelerator_type='None', gpu_accelerator_count='1', - os_login_enabled='FALSE', block_project_ssh_keys='FALSE'): + os_login_enabled='FALSE', block_project_ssh_keys='FALSE', rsa_encrypted_csek=''): key = RSA.importKey(open(ssh_key_path, 'rb').read()) ssh_key = key.publickey().exportKey("OpenSSH").decode('UTF-8') unique_index = datalab.meta_lib.GCPMeta().get_index_by_service_account_name(service_account_name) @@ -341,7 +343,7 @@ class GCPActions: "natIP": static_ip }] if instance_class == 'notebook': - GCPActions().create_disk(instance_name, zone, secondary_disk_size, secondary_image_name) + GCPActions().create_disk(instance_name, zone, secondary_disk_size, secondary_image_name, rsa_encrypted_csek) disks = [ { "name": instance_name, @@ -371,7 +373,7 @@ class GCPActions: } ] elif instance_class == 'dataengine': - GCPActions().create_disk(instance_name, zone, secondary_disk_size, secondary_image_name) + GCPActions().create_disk(instance_name, zone, secondary_disk_size, secondary_image_name, rsa_encrypted_csek) disks = [{ "name": instance_name, "tag_name": cluster_name + '-volume-primary', 
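Review bot: In create_disk(), the branch that builds the disk from `secondary_image_name` sets only `diskEncryptionKey`, although create_image_from_instance_disks() in this same commit starts protecting the secondary image with `imageEncryptionKey`. The Compute Engine disks resource expects `sourceImageEncryptionKey` when the source image is protected by a customer-supplied key, so creating a notebook from such an image would likely be rejected. Consider adding `params['sourceImageEncryptionKey'] = {"rsaEncryptedKey": rsa_encrypted_csek}` when `sourceImage` is present, on the condition that the image was created with this key. The method's signature and the start of its `try` body are outside this hunk.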
@@ -411,6 +413,15 @@ class GCPActions: "boot": 'true', "mode": "READ_WRITE" }] + + if service_base_name in image_name and rsa_encrypted_csek: + for disk in disks: + disk["initializeParams"]["sourceImageEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} + disk["diskEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} + elif rsa_encrypted_csek: + for disk in disks: + disk["diskEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} + instance_params = { "name": instance_name, "machineType": "zones/{}/machineTypes/{}".format(zone, instance_size), 
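Review bot: The first branch indexes `disk["initializeParams"]` for every entry in `disks`, so an entry that attaches an existing disk instead of initialising one would raise KeyError; the secondary disk made by create_disk() may be such an entry, but the list literals are mostly outside this hunk. The `service_base_name in image_name` substring test is also a weak signal that the image is CSEK-protected, because an image this deployment created before the key was configured matches it too, and the insert would then presumably fail. The two branches repeat the `diskEncryptionKey` assignment, and a single loop as sketched below says the same thing with the guard made explicit.

```python
if rsa_encrypted_csek:
    csek = {"rsaEncryptedKey": rsa_encrypted_csek}
    # Heuristic kept from the original: images named after this deployment are assumed CSEK-protected.
    image_is_encrypted = service_base_name in image_name
    for disk in disks:
        disk["diskEncryptionKey"] = csek
        if image_is_encrypted and "initializeParams" in disk:
            disk["initializeParams"]["sourceImageEncryptionKey"] = csek
```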
@@ -804,14 +815,21 @@ class GCPActions: file=sys.stdout)})) traceback.print_exc(file=sys.stdout) - def create_image_from_instance_disks(self, primary_image_name, secondary_image_name, instance_name, zone, labels): + def create_image_from_instance_disks(self, primary_image_name, secondary_image_name, instance_name, zone, labels, + rsa_encrypted_csek=''): primary_disk_name = "projects/{0}/zones/{1}/disks/{2}".format(self.project, zone, instance_name) secondary_disk_name = "projects/{0}/zones/{1}/disks/{2}-secondary".format(self.project, zone, instance_name) labels.update({"name": primary_image_name}) primary_params = {"name": primary_image_name, "sourceDisk": primary_disk_name, "labels": labels} + if rsa_encrypted_csek: + primary_params["imageEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} + primary_params["sourceDiskEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} primary_request = self.service.images().insert(project=self.project, body=primary_params) labels.update({"name": secondary_image_name}) secondary_params = {"name": secondary_image_name, "sourceDisk": secondary_disk_name, "labels": labels} + if rsa_encrypted_csek: + secondary_params["imageEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} + secondary_params["sourceDiskEncryptionKey"] = {"rsaEncryptedKey": rsa_encrypted_csek} secondary_request = self.service.images().insert(project=self.project, body=secondary_params) id_list=[] try: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/common_create_instance.py b/infrastructure-provisioning/src/general/scripts/gcp/common_create_instance.py index adf2bf5..1890c98 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/common_create_instance.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/common_create_instance.py 
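Review bot: Both image requests now send `sourceDiskEncryptionKey` whenever a key is configured, which assumes the instance's disks were themselves created with that same key. For an instance that existed before `gcp_wrapped_csek` was set, or that was created under a different key, the insert would presumably be rejected; the handling of that error is in the `try` below this hunk. A short comment stating the assumption, e.g. `# source disks are expected to be encrypted with the same CSEK`, and building the key dict once as `csek = {"rsaEncryptedKey": rsa_encrypted_csek}` instead of four times, would make the block easier to follow.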
@@ -52,6 +52,7 @@ parser.add_argument('--cluster_name', type=str, default='') parser.add_argument('--service_base_name', type=str, default='') parser.add_argument('--os_login_enabled', type=str, default='FALSE') parser.add_argument('--block_project_ssh_keys', type=str, default='FALSE') +parser.add_argument('--rsa_encrypted_csek', type=str, default='') args = parser.parse_args() @@ -67,7 +68,8 @@ if __name__ == "__main__": args.secondary_image_name, args.service_account_name, args.instance_class, args.network_tag, json.loads(args.labels), args.static_ip, args.primary_disk_size, args.secondary_disk_size, args.gpu_accelerator_type, - args.gpu_accelerator_count, args.os_login_enabled, args.block_project_ssh_keys) + args.gpu_accelerator_count, args.os_login_enabled, args.block_project_ssh_keys, + args.rsa_encrypted_csek) else: parser.print_help() sys.exit(2) diff --git a/infrastructure-provisioning/src/general/scripts/gcp/common_create_notebook_image.py b/infrastructure-provisioning/src/general/scripts/gcp/common_create_notebook_image.py index 1be0d2e..25c8a54 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/common_create_notebook_image.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/common_create_notebook_image.py 
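Review bot: Taking the wrapped key as `--rsa_encrypted_csek` forces every caller to put it on the child's command line, where it is readable through the process list and can end up in any log that records the command. The wrapped key is still the value the Compute API accepts to read the encrypted disks, so it deserves the handling of a credential. The callers already hold it in `os.environ['gcp_wrapped_csek']`, and `subprocess.run` passes the environment on by default, so this script could read `os.environ.get('gcp_wrapped_csek', '')` itself (assuming `os` is imported here) and the argument could be dropped.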
@@ -60,16 +60,18 @@ if __name__ == "__main__": "image": image_conf['image_name'], os.environ['conf_billing_tag_key']: os.environ['conf_billing_tag_value']} image_conf['instance_name'] = '{0}-{1}-{2}-nb-{3}'.format(image_conf['service_base_name'], - image_conf['project_name'], - image_conf['endpoint_name'], - image_conf['exploratory_name']) + image_conf['project_name'], + image_conf['endpoint_name'], + image_conf['exploratory_name']) + image_conf['zone'] = os.environ['gcp_zone'] logging.info('[CREATING IMAGE]') primary_image_id = GCPMeta.get_image_by_name(image_conf['expected_primary_image_name']) if primary_image_id == '': image_id_list = GCPActions.create_image_from_instance_disks( image_conf['expected_primary_image_name'], image_conf['expected_secondary_image_name'], - image_conf['instance_name'], image_conf['zone'], image_conf['image_labels']) + image_conf['instance_name'], image_conf['zone'], image_conf['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/common_prepare_notebook.py b/infrastructure-provisioning/src/general/scripts/gcp/common_prepare_notebook.py index 4b8c104..6d8e3d3 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/common_prepare_notebook.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/common_prepare_notebook.py @@ -150,6 +150,7 @@ if __name__ == "__main__": notebook_config['gcp_os_login_enabled'] = os.environ['gcp_os_login_enabled'] notebook_config['gcp_block_project_ssh_keys'] = os.environ['gcp_block_project_ssh_keys'] + notebook_config['gcp_wrapped_csek'] = os.environ['gcp_wrapped_csek'] notebook_config['gpu_accelerator_type'] = 'None' notebook_config['gpu_accelerator_count'] = 'None' 
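Review bot: `os.environ['gcp_wrapped_csek']` in the create_image_from_instance_disks() call raises KeyError when the variable is not exported, which turns an optional feature into a hard requirement for image creation. `os.environ.get('gcp_wrapped_csek', '')` keeps the unencrypted path working, since the library code treats an empty string as "no key". The same direct lookup is added in common_prepare_notebook.py, dataengine_prepare.py, project_prepare.py, ssn_prepare.py and each of the `*_configure.py` scripts. Whether the surrounding code catches the exception is not visible in this hunk.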
@@ -194,8 +195,9 @@ if __name__ == "__main__": params = "--instance_name {0} --region {1} --zone {2} --vpc_name {3} --subnet_name {4} --instance_size {5} " \ "--ssh_key_path {6} --initial_user {7} --service_account_name {8} --image_name {9} " \ "--secondary_image_name {10} --instance_class {11} --primary_disk_size {12} " \ - "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} --network_tag {16} --labels '{17}' " \ - "--service_base_name {18} --os_login_enabled {19} --block_project_ssh_keys {20}".\ + "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} " \ + "--network_tag {16} --labels '{17}' --service_base_name {18} --os_login_enabled {19} " \ + "--block_project_ssh_keys {20} --rsa_encrypted_csek '{21}'".\ format(notebook_config['instance_name'], notebook_config['region'], notebook_config['zone'], notebook_config['vpc_name'], notebook_config['subnet_name'], notebook_config['instance_size'], notebook_config['ssh_key_path'], notebook_config['initial_user'], @@ -204,7 +206,8 @@ if __name__ == "__main__": notebook_config['secondary_disk_size'], notebook_config['gpu_accelerator_type'], notebook_config['gpu_accelerator_count'], notebook_config['network_tag'], json.dumps(notebook_config['labels']), notebook_config['service_base_name'], - notebook_config['gcp_os_login_enabled'], notebook_config['gcp_block_project_ssh_keys']) + notebook_config['gcp_os_login_enabled'], notebook_config['gcp_block_project_ssh_keys'], + notebook_config['gcp_wrapped_csek']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_instance', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/dataengine_prepare.py b/infrastructure-provisioning/src/general/scripts/gcp/dataengine_prepare.py index 078f442..d2cd931 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/dataengine_prepare.py 
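Review bot: `--rsa_encrypted_csek '{21}'` places the key inside a hand-quoted segment of a string that is run with `shell=True`, so a value containing a single quote ends the quoting and the remainder is interpreted by the shell. Base64 never contains that character, but nothing on this path checks that the environment value is base64. Passing `shlex.quote(notebook_config['gcp_wrapped_csek'])` and dropping the literal quotes, or switching to an argument list with `shell=False`, removes the dependency on the value's shape. The same construction appears in dataengine_prepare.py (master and slave commands), project_prepare.py and ssn_prepare.py.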
+++ b/infrastructure-provisioning/src/general/scripts/gcp/dataengine_prepare.py @@ -100,6 +100,7 @@ if __name__ == "__main__": data_engine['gcp_os_login_enabled'] = os.environ['gcp_os_login_enabled'] data_engine['gcp_block_project_ssh_keys'] = os.environ['gcp_block_project_ssh_keys'] + data_engine['gcp_wrapped_csek'] = os.environ['gcp_wrapped_csek'] data_engine['cluster_name'] = "{}-{}-{}-de-{}".format(data_engine['service_base_name'], data_engine['project_name'], data_engine['endpoint_name'], @@ -191,8 +192,9 @@ if __name__ == "__main__": params = "--instance_name {0} --region {1} --zone {2} --vpc_name {3} --subnet_name {4} --instance_size {5} " \ "--ssh_key_path {6} --initial_user {7} --service_account_name {8} --image_name {9} " \ "--secondary_image_name {10} --instance_class {11} --primary_disk_size {12} " \ - "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} --network_tag {16} --cluster_name {17} " \ - "--labels '{18}' --service_base_name {19} --os_login_enabled {20} --block_project_ssh_keys {21}". \ + "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} " \ + "--network_tag {16} --cluster_name {17} --labels '{18}' --service_base_name {19} " \ + "--os_login_enabled {20} --block_project_ssh_keys {21} --rsa_encrypted_csek '{22}'". \ format(data_engine['master_node_name'], data_engine['region'], data_engine['zone'], data_engine['vpc_name'], data_engine['subnet_name'], data_engine['master_size'], data_engine['ssh_key_path'], initial_user, data_engine['dataengine_service_account_name'], data_engine['primary_image_name'], 
@@ -200,7 +202,8 @@ if __name__ == "__main__": data_engine['secondary_disk_size'], data_engine['gpu_master_accelerator_type'], data_engine['gpu_master_accelerator_count'], data_engine['network_tag'], data_engine['cluster_name'], json.dumps(data_engine['master_labels']), data_engine['service_base_name'], - data_engine['gcp_os_login_enabled'], data_engine['gcp_block_project_ssh_keys']) + data_engine['gcp_os_login_enabled'], data_engine['gcp_block_project_ssh_keys'], + data_engine['gcp_wrapped_csek']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_instance', params), shell=True, check=True) except: @@ -218,8 +221,9 @@ if __name__ == "__main__": params = "--instance_name {0} --region {1} --zone {2} --vpc_name {3} --subnet_name {4} " \ "--instance_size {5} --ssh_key_path {6} --initial_user {7} --service_account_name {8} " \ "--image_name {9} --secondary_image_name {10} --instance_class {11} --primary_disk_size {12} " \ - "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} --network_tag {16} --cluster_name {17} " \ - "--labels '{18}' --service_base_name {19} --os_login_enabled {20} --block_project_ssh_keys {21}". \ + "--secondary_disk_size {13} --gpu_accelerator_type {14} --gpu_accelerator_count {15} " \ + "--network_tag {16} --cluster_name {17} --labels '{18}' --service_base_name {19} " \ + "--os_login_enabled {20} --block_project_ssh_keys {21} --rsa_encrypted_csek '{22}'". \ format(slave_name, data_engine['region'], data_engine['zone'], data_engine['vpc_name'], data_engine['subnet_name'], data_engine['slave_size'], data_engine['ssh_key_path'], initial_user, data_engine['dataengine_service_account_name'], 
@@ -228,7 +232,8 @@ if __name__ == "__main__": data_engine['secondary_disk_size'], data_engine['gpu_slave_accelerator_type'], data_engine['gpu_slave_accelerator_count'], data_engine['network_tag'], data_engine['cluster_name'], json.dumps(data_engine['slave_labels']), - data_engine['service_base_name'], data_engine['gcp_os_login_enabled'], data_engine['gcp_block_project_ssh_keys']) + data_engine['service_base_name'], data_engine['gcp_os_login_enabled'], + data_engine['gcp_block_project_ssh_keys'], data_engine['gcp_wrapped_csek']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_instance', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/deeplearning_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/deeplearning_configure.py index be615de..6c3258d 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/deeplearning_configure.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/deeplearning_configure.py @@ -208,7 +208,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/jupyter_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/jupyter_configure.py index 9a85703..05d7c51 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/jupyter_configure.py 
+++ b/infrastructure-provisioning/src/general/scripts/gcp/jupyter_configure.py @@ -210,7 +210,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/jupyterlab_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/jupyterlab_configure.py index 100999a..d85930d 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/jupyterlab_configure.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/jupyterlab_configure.py @@ -208,7 +208,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/project_prepare.py b/infrastructure-provisioning/src/general/scripts/gcp/project_prepare.py index 56591cf..446c8e6 100644 
--- a/infrastructure-provisioning/src/general/scripts/gcp/project_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/project_prepare.py @@ -513,6 +513,7 @@ if __name__ == "__main__": project_conf['gcp_os_login_enabled'] = os.environ['gcp_os_login_enabled'] project_conf['gcp_block_project_ssh_keys'] = os.environ['gcp_block_project_ssh_keys'] + project_conf['gcp_wrapped_csek'] = os.environ['gcp_wrapped_csek'] try: project_conf['static_ip'] = \ @@ -521,13 +522,14 @@ if __name__ == "__main__": params = "--instance_name {} --region {} --zone {} --vpc_name {} --subnet_name {} --instance_size {} " \ "--ssh_key_path {} --initial_user {} --service_account_name {} --image_name {} --instance_class {} " \ "--static_ip {} --network_tag {} --labels '{}' --service_base_name {} --os_login_enabled {} " \ - "--block_project_ssh_keys {}".format( + "--block_project_ssh_keys {} --rsa_encrypted_csek '{}'".format( project_conf['instance_name'], project_conf['region'], project_conf['zone'], project_conf['vpc_name'], project_conf['subnet_name'], project_conf['instance_size'], project_conf['ssh_key_path'], project_conf['initial_user'], project_conf['edge_service_account_name'], project_conf['image_name'], 'edge', project_conf['static_ip'], project_conf['network_tag'], json.dumps(project_conf['instance_labels']), project_conf['service_base_name'], - project_conf['gcp_os_login_enabled'], project_conf['gcp_block_project_ssh_keys']) + project_conf['gcp_os_login_enabled'], project_conf['gcp_block_project_ssh_keys'], + project_conf['gcp_wrapped_csek']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_instance', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/rstudio_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/rstudio_configure.py index dae62df..f1ae637 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/rstudio_configure.py 
+++ b/infrastructure-provisioning/src/general/scripts/gcp/rstudio_configure.py @@ -212,7 +212,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/ssn_prepare.py b/infrastructure-provisioning/src/general/scripts/gcp/ssn_prepare.py index f485a51..54fddef 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/ssn_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/ssn_prepare.py @@ -73,6 +73,7 @@ if __name__ == "__main__": ssn_conf['allowed_ip_cidr'] = os.environ['conf_allowed_ip_cidr'] ssn_conf['gcp_os_login_enabled'] = os.environ['gcp_os_login_enabled'] ssn_conf['gcp_block_project_ssh_keys'] = os.environ['gcp_block_project_ssh_keys'] + ssn_conf['gcp_wrapped_csek'] = os.environ['gcp_wrapped_csek'] except Exception as err: datalab.fab.append_result("Failed to generate variables dictionary.", str(err)) 
@@ -269,13 +270,13 @@ if __name__ == "__main__": " --ssh_key_path {6} --initial_user {7} --service_account_name {8} --image_name {9}"\ " --instance_class {10} --static_ip {11} --network_tag {12} --labels '{13}' " \ "--primary_disk_size {14} --service_base_name {15} --os_login_enabled {16} " \ - "--block_project_ssh_keys {17}".\ + "--block_project_ssh_keys {17} --rsa_encrypted_csek '{18}'".\ format(ssn_conf['instance_name'], ssn_conf['region'], ssn_conf['zone'], ssn_conf['vpc_name'], ssn_conf['subnet_name'], ssn_conf['instance_size'], ssn_conf['ssh_key_path'], ssn_conf['initial_user'], ssn_conf['service_account_name'], ssn_conf['image_name'], 'ssn', ssn_conf['static_ip'], ssn_conf['network_tag'], json.dumps(ssn_conf['instance_labels']), '20', ssn_conf['service_base_name'], ssn_conf['gcp_os_login_enabled'], - ssn_conf['gcp_block_project_ssh_keys']) + ssn_conf['gcp_block_project_ssh_keys'], ssn_conf['gcp_wrapped_csek']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_instance', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/superset_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/superset_configure.py index 709a534..8680bee 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/superset_configure.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/superset_configure.py 
@@ -254,7 +254,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/tensor-rstudio_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/tensor-rstudio_configure.py index a1a990d..d29af7b 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/tensor-rstudio_configure.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/tensor-rstudio_configure.py @@ -214,7 +214,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/tensor_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/tensor_configure.py index dd67bfa..4c3dfec 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/tensor_configure.py 
+++ b/infrastructure-provisioning/src/general/scripts/gcp/tensor_configure.py @@ -219,7 +219,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: diff --git a/infrastructure-provisioning/src/general/scripts/gcp/zeppelin_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/zeppelin_configure.py index 78a96a1..5bdc344 100644 --- a/infrastructure-provisioning/src/general/scripts/gcp/zeppelin_configure.py +++ b/infrastructure-provisioning/src/general/scripts/gcp/zeppelin_configure.py @@ -219,7 +219,8 @@ if __name__ == "__main__": logging.info("Looks like it's first time we configure notebook server. Creating images.") image_id_list = GCPActions.create_image_from_instance_disks( notebook_config['expected_primary_image_name'], notebook_config['expected_secondary_image_name'], - notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels']) + notebook_config['instance_name'], notebook_config['zone'], notebook_config['image_labels'], + os.environ['gcp_wrapped_csek']) if image_id_list and image_id_list[0] != '': logging.info("Image of primary disk was successfully created. It's ID is {}".format(image_id_list[0])) else: --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
