Transparently use ssh-agent on linux/darwin

[johnmccabe]

Description

This fixes #311.

Attempt to create the ssh connection using a pre-existing ssh-agent first, this will allow users with pre-configured agents, yubikeys etc on Linux and Darwin to establish ssh connections without resorting to private keys.

If this first connection attempt fails we fall through to the existing key based auth flow.

Note that Windows is not supported in this PR as yubikeys do not currently use the ssh-agent.

NOTE this does not include an update to the join command or docs pending an OK on the install implementation.

Motivation and Context

• I have raised an issue to propose this change (required)

How Has This Been Tested?

• OSX
  • Using Yubikey, key present in ssh-agent, prompted for key pin, install completes successfully
  • Using private key file (existing flow), install completes successfully
• Windows 10
  • Using private key file (existing flow), install completes successfully

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
  • Possibly not?
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have signed-off my commits with git commit -s
• I have added tests to cover my changes.
• All new and existing tests passed.

[johnmccabe]

May be worth enabling in Windows for users with pre-configured ssh-agents.

[alexellis]

Have you got instructions for trying this out with a Yubikey?

What's the additional latency when an SSH agent isn't in use and the initial attempt fails?

Could the existing behaviour run if and only if SSH_AUTH_SOCK is undefined?

Could the new behaviour run when a flag is passed? --ssh-agent / -a

Alex

[alexellis]

@jsiebens PTAL also

[johnmccabe]

Have you got instructions for trying this out with a Yubikey?

• https://github.com/drduh/YubiKey-Guide

What's the additional latency when an SSH agent isn't in use and the initial attempt fails?

• Negligible

Could the existing behaviour run if and only if SSH_AUTH_SOCK is undefined?

• Can you clarify the use case here?

Could the new behaviour run when a flag is passed? --ssh-agent / -a

• Can you clarify the use case here? Pass the flag where, when etc

[jsiebens]

@jsiebens PTAL also

Looks good to me. In the hashi-up project, the SSH_AUTH_SOCK is used by default, without a fallback but rather displaying an error message when no identities are loaded in the agent. Implementing a fallback like this will not break the existing behaviour of k3sup.

Trying the ssh-agent first will solve a couple of issues, like #311 #255 #99

[alexellis]

Could the existing behaviour run if and only if SSH_AUTH_SOCK is undefined?

What I am trying to say is that if SSH_AUTH_SOCK is not defined as an env-var, then my understanding is that an agent isn't in use. So can we skip the agent in that case?

[alexellis]

Is this still WIP, or does it cover the Join command now? @johnmccabe

[johnmccabe]

Support for join added, verified with both a simple cluster and a multi-master HA setup.

Simple Cluster

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup install --host k1.johnmccabe.net --user johnmccabe
Running: k3sup install
2021/03/27 18:33:50 k1.johnmccabe.net
Public IP: k1.johnmccabe.net
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Result: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
[INFO]  systemd: Starting k3s
 Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.

Saving file to: /home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig

# Test your cluster with:
export KUBECONFIG=/home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig
kubectl config set-context default
kubectl get node -o wide

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup join --server-host k1.johnmccabe.net --host k2.johnmccabe.net --user johnmccabe
Running: k3sup join
Server IP: k1.johnmccabe.net
K10d66aa7ba7e4339b185e608598add20641c2dd97bf158627a2230026becaa8f1d::server:51f244d1e8b4f28707ac22f854b3145c
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
[INFO]  systemd: Starting k3s-agent
Logs: Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
Output: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
[INFO]  systemd: Starting k3s-agent

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ kubectl get nodes
NAME   STATUS   ROLES    AGE     VERSION
k1     Ready    master   2m14s   v1.19.8+k3s1
k2     Ready    <none>   110s    v1.19.8+k3s1

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ kubectl cluster-info
Kubernetes control plane is running at https://k1.johnmccabe.net:6443
CoreDNS is running at https://k1.johnmccabe.net:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://k1.johnmccabe.net:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Multi-master Cluster

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup install --host k1.johnmccabe.net --user johnmccabe --cluster
Running: k3sup install
2021/03/27 18:18:46 k1.johnmccabe.net
Public IP: k1.johnmccabe.net
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Result: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
[INFO]  systemd: Starting k3s
 Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.

Saving file to: /home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig

# Test your cluster with:
export KUBECONFIG=/home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig
kubectl config set-context default
kubectl get node -o wide

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup join --server-host k1.johnmccabe.net --host k2.johnmccabe.net --user johnmccabe --server
Running: k3sup join
Server IP: k1.johnmccabe.net
K10113498b08a8f77980556ea4150bdcccc3799bdbf871555860f9020641495cb75::server:b2d0854f8a84a957dd9badabfcdcdb41
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Logs: Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
Output: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
[INFO]  systemd: Starting k3s

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ kubectl get nodes
NAME   STATUS     ROLES         AGE   VERSION
k1     Ready      etcd,master   30s   v1.19.8+k3s1
k2     NotReady   etcd,master   2s    v1.19.8+k3s1

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ kubectl cluster-info
Kubernetes control plane is running at https://k1.johnmccabe.net:6443
CoreDNS is running at https://k1.johnmccabe.net:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://k1.johnmccabe.net:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

[johnmccabe]

Note that I've not attempted to refactor the SSH flows to avoid overloading the PR. There is definitely some scope for tidying the existing structure and reducing the duplication somewhat.

[johnmccabe]

Just some additional testing to complete here and it should be good. Adding the support for Krypton would be trivial (see #318).

[johnmccabe]

Tweaked error handing and tested the existing key based behaviour.

Install with key

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup install --host k1.johnmccabe.net --user johnmccabe --ssh-key ~/.ssh/id_rsa_k3sup
Running: k3sup install
2021/03/27 20:46:09 k1.johnmccabe.net
Public IP: k1.johnmccabe.net
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Result: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
[INFO]  systemd: Starting k3s
 Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.

Saving file to: /home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig

# Test your cluster with:
export KUBECONFIG=/home/johnmccabe/workspaces/github.com/johnmccabe/k3sup/kubeconfig
kubectl config set-context default
kubectl get node -o wide

Join with key

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ ./bin/k3sup join --server-host k1.johnmccabe.net --host k2.johnmccabe.net --user johnmccabe --ssh-key ~/.ssh/id_rsa_k3sup
Running: k3sup join
Server IP: k1.johnmccabe.net
K10422000e8e4dba72e09e9bae9189bdabbdaaa00974800829c23cf59076c2ab573::server:d3433b387d49fefb629aa2848dc4d625
[INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Skipping binary downloaded, installed k3s matches hash
[INFO]  Skipping /usr/local/bin/kubectl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/crictl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, already exists
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
[INFO]  systemd: Starting k3s-agent
Logs: Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
Output: [INFO]  Finding release for channel v1.19
[INFO]  Using v1.19.8+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.19.8+k3s1/sha256sum-amd64.txt
[INFO]  Skipping binary downloaded, installed k3s matches hash
[INFO]  Skipping /usr/local/bin/kubectl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/crictl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, already exists
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
[INFO]  systemd: Starting k3s-agent

johnmccabe@wsl:~/workspaces/github.com/johnmccabe/k3sup$ kubectl get nodes
NAME   STATUS   ROLES    AGE   VERSION
k1     Ready    master   43s   v1.19.8+k3s1
k2     Ready    <none>   18s   v1.19.8+k3s1

[alexellis]

Thanks for the tweet John. This fell off my radar for some reason.

[alexellis]

@johnmccabe

What instructions do we need in the README to prevent me getting bombarded with support requests about Yubikeys? 😄

[alexellis]

The release is ready here: https://github.com/alexellis/k3sup/releases/tag/0.11.0