Merge pull request #19 from jpculp/userdata-keys
Change admin container logic to use public keys from user-data
Showing 6 changed files with 115 additions and 50 deletions.
@@ -11,3 +11,33 @@ For more information about how the admin container fits into the Bottlerocket op | |
|
||
You'll need Docker 17.06.2 or later, for multi-stage build support. | ||
Then run `make`! | ||
|
||
## Authenticating with the Admin Container | ||
|
||
Starting from v0.6.0, users have the option to pass in their own ssh keys rather than the admin container relying on the AWS instance metadata service (IMDS). | ||
|
||
Users can add their own keys by populating the admin container's user-data with a base64-encoded JSON block. | ||
If user-data is populated then Bottlerocket will not fetch from IMDS at all, but if user-data is not set then Bottlerocket will continue to use the keys from IMDS. | ||
|
||
To use custom public keys for `.ssh/authorized_keys` and/or custom CA keys for `/etc/ssh/trusted_user_ca_keys.pub` you will want to generate a JSON-structure like this: | ||
|
||
``` | ||
{ | ||
"ssh":{ | ||
"authorized_keys":[ | ||
"ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair" | ||
], | ||
"trusted_user_ca_keys":[ | ||
"ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE [email protected]" | ||
] | ||
} | ||
} | ||
``` | ||
|
||
Once you've created your JSON, you'll need to base64-encode it and set it as the value of the admin host container's user-data setting in your [instance user data toml](https://github.com/bottlerocket-os/bottlerocket#using-user-data). | ||
|
||
``` | ||
[settings.host-containers.admin] | ||
# ex: echo '{"ssh":{"authorized_keys":[]}}' | base64 | ||
user-data = "eyJzc2giOnsiYXV0aG9yaXplZF9rZXlzIjpbXX19" | ||
``` |
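Review bot: the base64 example at the end of this hunk does not match its own comment. `echo '{"ssh":{"authorized_keys":[]}}' | base64` also encodes the newline that `echo` appends, so it prints `eyJzc2giOnsiYXV0aG9yaXplZF9rZXlzIjpbXX19Cg==`, not the 40-character value shown on the `user-data =` line, which is the encoding of the JSON with no trailing newline. Change the comment to `echo -n '{"ssh":{"authorized_keys":[]}}' | base64` (or `printf '%s' ... | base64`) so a reader who copies it gets the documented value, and say whether the decoder tolerates a trailing newline in the payload. Two smaller points in the same section: after "If user-data is populated then Bottlerocket will not fetch from IMDS at all", add that a populated block with an empty `authorized_keys` list and no `trusted_user_ca_keys`, which is exactly what the example encodes, leaves no SSH login path to the admin container; and "generate a JSON-structure like this" should read "generate a JSON structure like this".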
@@ -1 +1 @@ | ||
v0.5.2 | ||
v0.6.0 |
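Review bot: the bump from v0.5.2 to v0.6.0 is consistent with the README hunk, which introduces the feature as "Starting from v0.6.0"; because populated user-data now suppresses IMDS key fetching entirely, a minor rather than patch bump is the right choice. Nothing further needed here.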