*: unify handling of ssh keys

Documentation/design/installconfig.md

@@ -68,7 +68,6 @@ type AWS struct {
     Master                    `json:",inline" yaml:"master,omitempty"`
     Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
     Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-    SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
     VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
     Worker                    `json:",inline" yaml:"worker,omitempty"`
 }
@@ -106,7 +105,6 @@ type Worker struct {
 ```go
 type Libvirt struct {
     URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-    SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
     QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
     Network       `json:",inline" yaml:"network"`
     MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`

config.tf

@@ -267,6 +267,15 @@ also be escaped.
 EOF
 }
 
+variable "tectonic_admin_ssh_key" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The admin user's SSH public key to login to the nodes.
+EOF
+}
+
 variable "tectonic_ca_cert" {
   type    = "string"
   default = ""

examples/tectonic.aws.yaml

@@ -1,6 +1,7 @@
 admin:
   email: "[email protected]"
   password: "verysecure"
+  sshKey: "ssh-ed25519 AAAA..."
 aws:
   # (optional) Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
   # The Tectonic Installer uses the bucket to store tectonic assets and kubeconfig.
@@ -130,9 +131,6 @@ aws:
   # The target AWS region for the cluster.
   region: eu-west-1
 
-  # Name of an SSH key located within the AWS region. Example: coreos-user.
-  sshKey:
-
   # Block of IP addresses used by the VPC.
   # This should not overlap with any other networks, such as a private datacenter connected via Direct Connect.
   vpcCIDRBlock: 10.0.0.0/16

examples/tectonic.libvirt.yaml

@@ -1,6 +1,7 @@
 admin:
   email: [email protected]
   password: verysecure
+  sshKey: "ssh-ed25519 AAAA..."
 # The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 # DNS providers will automatically add this if necessary.
 #
@@ -16,7 +17,6 @@ libvirt:
     ifName: tt0
     dnsServer: 8.8.8.8
     ipRange: 192.168.124.0/24
-  sshKey: "ssh-rsa ..."
   imagePath: /path/to/image
 
 ca:

installer/pkg/config-generator/ignition.go

@@ -57,7 +57,9 @@ func (c *ConfigGenerator) GenerateIgnConfig(clusterDir string) error {
 			return err
 		}
 
-		// agentless platforms (e.g. libvirt) need to embed the ssh key
+		// XXX(crawford): The SSH key should only be added to the bootstrap
+		//                node. After that, MCO should be responsible for
+		//                distributing SSH keys.
 		c.embedUserBlock(ignCfg)
 
 		fileTargetPath := filepath.Join(clusterDir, ignFilesPath[role])
@@ -111,16 +113,14 @@ func (c *ConfigGenerator) appendCertificateAuthority(ignCfg *ignconfigtypes.Conf
 }
 
 func (c *ConfigGenerator) embedUserBlock(ignCfg *ignconfigtypes.Config) {
-	if c.Platform == config.PlatformLibvirt {
-		userBlock := ignconfigtypes.PasswdUser{
-			Name: "core",
-			SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
-				ignconfigtypes.SSHAuthorizedKey(c.Libvirt.SSHKey),
-			},
-		}
-
-		ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
+	userBlock := ignconfigtypes.PasswdUser{
+		Name: "core",
+		SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
+			ignconfigtypes.SSHAuthorizedKey(c.SSHKey),
+		},
 	}
+
+	ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
 }
 
 func (c *ConfigGenerator) getTNCURL(role string) string {

installer/pkg/config/aws/aws.go

@@ -30,7 +30,6 @@ type AWS struct {
 	Master                    `json:",inline" yaml:"master,omitempty"`
 	Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
 	Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-	SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 	VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
 	Worker                    `json:",inline" yaml:"worker,omitempty"`
 }

installer/pkg/config/libvirt/libvirt.go

@@ -17,7 +17,6 @@ const (
 // Libvirt encompasses configuration specific to libvirt.
 type Libvirt struct {
 	URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-	SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
 	QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
 	Network       `json:",inline" yaml:"network"`
 	MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`

installer/pkg/config/types.go

@@ -20,6 +20,7 @@ const (
 type Admin struct {
 	Email    string `json:"tectonic_admin_email" yaml:"email,omitempty"`
 	Password string `json:"tectonic_admin_password" yaml:"password,omitempty"`
+	SSHKey   string `json:"tectonic_admin_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 }
 
 // CA related config

installer/pkg/config/validate.go

@@ -183,9 +183,6 @@ func (c *Cluster) validateLibvirt() []error {
 	if err := validate.PrefixError("libvirt imagePath is not a valid QCOW image", validate.FileHeader(c.Libvirt.QCOWImagePath, qcowMagic)); err != nil {
 		errs = append(errs, err)
 	}
-	if err := validate.PrefixError("libvirt sshKey", validate.NonEmpty(c.Libvirt.SSHKey)); err != nil {
-		errs = append(errs, err)
-	}
 	if err := validate.PrefixError("libvirt network name", validate.NonEmpty(c.Libvirt.Network.Name)); err != nil {
 		errs = append(errs, err)
 	}

installer/pkg/config/validate_test.go

@@ -605,7 +605,6 @@ func TestValidateLibvirt(t *testing.T) {
 				Libvirt: libvirt.Libvirt{
 					Network:       libvirt.Network{},
 					QCOWImagePath: "",
-					SSHKey:        "",
 					URI:           "",
 				},
 				Networking: defaultCluster.Networking,
@@ -622,7 +621,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fInvalid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -639,7 +637,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -656,7 +653,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.2.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -673,7 +669,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "x",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -690,7 +685,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "192.168.0.1/24",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,

modules/aws/etcd/nodes.tf

@@ -88,7 +88,6 @@ resource "aws_instance" "etcd_node" {
 
   iam_instance_profile   = "${aws_iam_instance_profile.etcd.name}"
   instance_type          = "${var.ec2_type}"
-  key_name               = "${var.ssh_key}"
   subnet_id              = "${element(var.subnets, count.index)}"
   user_data              = "${data.ignition_config.tnc.*.rendered[count.index]}"
   vpc_security_group_ids = ["${var.sg_ids}"]

modules/aws/etcd/variables.tf

@@ -33,11 +33,6 @@ It is passed through to the Terraform aws provider: https://www.terraform.io/doc
 EOF
 }
 
-variable "ssh_key" {
-  type    = "string"
-  default = ""
-}
-
 variable "subnets" {
   type = "list"
 }

modules/aws/master-asg/master.tf

@@ -48,7 +48,6 @@ resource "aws_launch_configuration" "master_conf" {
   instance_type               = "${var.ec2_type}"
   image_id                    = "${coalesce(var.ec2_ami, module.ami.id)}"
   name_prefix                 = "${var.cluster_name}-master-"
-  key_name                    = "${var.ssh_key}"
   security_groups             = ["${var.master_sg_ids}"]
   iam_instance_profile        = "${aws_iam_instance_profile.master_profile.arn}"
   associate_public_ip_address = "${var.public_endpoints}"

modules/aws/master-asg/variables.tf

@@ -101,10 +101,6 @@ variable "root_volume_type" {
   description = "The type of volume for the root block device."
 }
 
-variable "ssh_key" {
-  type = "string"
-}
-
 variable "subnet_ids" {
   type = "list"
 }

modules/aws/worker-asg/variables.tf

@@ -1,7 +1,3 @@
-variable "ssh_key" {
-  type = "string"
-}
-
 variable "container_linux_channel" {
   type = "string"
 }

modules/aws/worker-asg/worker.tf

@@ -14,7 +14,6 @@ resource "aws_launch_configuration" "worker_conf" {
   instance_type        = "${var.ec2_type}"
   image_id             = "${coalesce(var.ec2_ami, module.ami.id)}"
   name_prefix          = "${var.cluster_name}-worker-"
-  key_name             = "${var.ssh_key}"
   security_groups      = ["${var.sg_ids}"]
   iam_instance_profile = "${aws_iam_instance_profile.worker_profile.arn}"
   user_data            = "${var.user_data_ign}"

steps/assets/aws/main.tf

@@ -18,6 +18,7 @@ module assets_base {
 
   tectonic_admin_email             = "${var.tectonic_admin_email}"
   tectonic_admin_password          = "${var.tectonic_admin_password}"
+  tectonic_admin_ssh_key           = "${var.tectonic_admin_ssh_key}"
   tectonic_base_domain             = "${var.tectonic_base_domain}"
   tectonic_cluster_cidr            = "${var.tectonic_cluster_cidr}"
   tectonic_cluster_id              = "${var.tectonic_cluster_id}"

steps/assets/libvirt/main.tf

@@ -14,6 +14,9 @@ module assets_base {
 
   ingress_kind = "haproxy-router"
 
+  tectonic_admin_email             = "${var.tectonic_admin_email}"
+  tectonic_admin_password          = "${var.tectonic_admin_password}"
+  tectonic_admin_ssh_key           = "${var.tectonic_admin_ssh_key}"
   tectonic_base_domain             = "${var.tectonic_base_domain}"
   tectonic_cluster_name            = "${var.tectonic_cluster_name}"
   tectonic_container_images        = "${var.tectonic_container_images}"
@@ -24,11 +27,9 @@ module assets_base {
   tectonic_networking              = "${var.tectonic_networking}"
   tectonic_license_path            = "${var.tectonic_license_path}"
   tectonic_pull_secret_path        = "${var.tectonic_pull_secret_path}"
-  tectonic_admin_email             = "${var.tectonic_admin_email}"
   tectonic_update_channel          = "${var.tectonic_update_channel}"
   tectonic_platform                = "${var.tectonic_platform}"
   tectonic_versions                = "${var.tectonic_versions}"
-  tectonic_admin_password          = "${var.tectonic_admin_password}"
   tectonic_cluster_id              = "${var.tectonic_cluster_id}"
   tectonic_container_linux_channel = "${var.tectonic_container_linux_channel}"
   tectonic_container_linux_version = "${var.tectonic_container_linux_version}"
@@ -50,7 +51,7 @@ data "ignition_user" "core" {
   name = "core"
 
   ssh_authorized_keys = [
-    "${var.tectonic_libvirt_ssh_key}",
+    "${var.tectonic_admin_ssh_key}",
   ]
 }
 

steps/etcd/aws/etcd.tf

@@ -64,7 +64,6 @@ module "etcd" {
   root_volume_type        = "${var.tectonic_aws_etcd_root_volume_type}"
   s3_bucket               = "${local.s3_bucket}"
   sg_ids                  = "${concat(var.tectonic_aws_etcd_extra_sg_ids, list(local.sg_id))}"
-  ssh_key                 = "${var.tectonic_aws_ssh_key}"
   subnets                 = ["${local.subnet_ids_workers}"]
   etcd_iam_role           = "${var.tectonic_aws_etcd_iam_role_name}"
   ec2_ami                 = "${var.tectonic_aws_ec2_ami_override}"

steps/etcd/libvirt/main.tf

@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system" #XXX fixme
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 module "defaults" {

steps/joining_workers/aws/workers.tf

@@ -33,7 +33,6 @@ module "workers" {
   root_volume_size             = "${var.tectonic_aws_worker_root_volume_size}"
   root_volume_type             = "${var.tectonic_aws_worker_root_volume_type}"
   sg_ids                       = "${concat(var.tectonic_aws_worker_extra_sg_ids, list(local.sg_id))}"
-  ssh_key                      = "${var.tectonic_aws_ssh_key}"
   subnet_ids                   = "${local.subnet_ids}"
   worker_iam_role              = "${var.tectonic_aws_worker_iam_role_name}"
   ec2_ami                      = "${var.tectonic_aws_ec2_ami_override}"

steps/joining_workers/libvirt/workers.tf

@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system"
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 resource "libvirt_volume" "worker" {

steps/masters/aws/main.tf

@@ -43,7 +43,6 @@ module "masters" {
   root_volume_iops             = "${var.tectonic_aws_master_root_volume_iops}"
   root_volume_size             = "${var.tectonic_aws_master_root_volume_size}"
   root_volume_type             = "${var.tectonic_aws_master_root_volume_type}"
-  ssh_key                      = "${var.tectonic_aws_ssh_key}"
   subnet_ids                   = "${local.subnet_ids}"
   ec2_ami                      = "${var.tectonic_aws_ec2_ami_override}"
   user_data_ign                = "${file("${path.cwd}/${var.tectonic_ignition_master}")}"

steps/masters/libvirt/main.tf

@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system"
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 locals {

steps/tnc_dns/libvirt/main.tf

@@ -1,6 +1,6 @@
 # Sets up the libvirt domain name
 resource "null_resource" "tnc_dns" {
   provisioner "local-exec" {
-    command = "virsh -c qemu:///system net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${var.tectonic_libvirt_master_ips[0]}'><hostname>${var.tectonic_cluster_name}-api</hostname><hostname>${var.tectonic_cluster_name}-tnc</hostname></host>\" --live --config"
+    command = "virsh -c ${var.tectonic_libvirt_uri} net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${var.tectonic_libvirt_master_ips[0]}'><hostname>${var.tectonic_cluster_name}-api</hostname><hostname>${var.tectonic_cluster_name}-tnc</hostname></host>\" --live --config"
   }
 }

steps/topology/libvirt/main.tf

@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system" #XXX fixme
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 # Create the bridge for libvirt
@@ -34,6 +34,6 @@ locals {
 # This is currently limited to the first worker, due to an issue with net-update, even though libvirt supports multiple a-records
 resource "null_resource" "console_dns" {
   provisioner "local-exec" {
-    command = "virsh -c qemu:///system net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${local.first_worker_ip}'><hostname>${var.tectonic_cluster_name}</hostname></host>\" --live --config"
+    command = "virsh -c ${var.tectonic_libvirt_uri} net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${local.first_worker_ip}'><hostname>${var.tectonic_cluster_name}</hostname></host>\" --live --config"
   }
 }

steps/variables-aws.tf

@@ -15,11 +15,6 @@ EOF
   type = "string"
 }
 
-variable "tectonic_aws_ssh_key" {
-  type        = "string"
-  description = "Name of an SSH key located within the AWS region. Example: coreos-user."
-}
-
 variable "tectonic_aws_master_ec2_type" {
   type        = "string"
   description = "Instance size for the master node(s). Example: `t2.medium`."

steps/variables-libvirt.tf

@@ -1,6 +1,6 @@
-variable "tectonic_libvirt_ssh_key" {
+variable "tectonic_libvirt_uri" {
   type        = "string"
-  description = "Contents of an SSH key to install for the core user"
+  description = "libvirt connection URI"
 }
 
 variable "tectonic_libvirt_network_name" {