Observed Behavior
nodeletctl expects to be provided an SSH Private Key file.
- When no SSH Private Key file is provided in cluster.yml, nodeletctl defaults to connecting with /root/.ssh/id_rsa.
- nodeletctl does not attempt to connect using identities in the SSH Agent before falling back to a specified file-based identity.
nodelet/nodeletctl/pkg/nodeletctl/nodeletctl.go, line 248 in 7a52c3d:

```go
SSHPrivateKeyFile: "/root/.ssh/id_rsa",
```

nodelet/nodeletctl/pkg/nodeletctl/deployer.go, lines 57 to 60 in 7a52c3d:

```go
sshKey, err := ioutil.ReadFile(cfg.SSHPrivateKeyFile)
if err != nil {
	return nil, fmt.Errorf("Failed to read private key: %s", cfg.SSHPrivateKeyFile)
}
```
Desired Behavior
- When no SSH Private Key is provided, attempt to connect using an identity in the SSH Agent, or default to the user's default identity in their SSH config.
Why is this important
As a DevOps Engineer, I have set up my environment with an SSH Proxy Bastion Host as shown below:
[network diagram]
The private key in this scenario resides on my laptop, but nodeletctl resides on the SSH Proxy host where I am executing Ansible.
I use SSH Agent forwarding on my laptop to allow Ansible to SSH into the hosts without requiring the private key to reside on the SSH Proxy host. This improves security by ensuring I don't have an over-privileged, unencrypted SSH key residing on a host inside the trusted network zone if the SSH Bastion host were to be compromised.
How to repeat my setup.
Clone this repo at tag v0.0.1:

```sh
git clone --branch v0.0.1 git@github.com:platform9/infa-sandbox.git
```

Follow the steps in the infra-sandbox Readme to provision an environment in an AWS account.