CC-6583: Add support for SSH TrustedUserCAKeys (#11702)

Author: gpanders

.changeset/brave-plants-dream.md

@@ -0,0 +1,16 @@
+---
+"@cloudflare/containers-shared": minor
+"@cloudflare/workers-utils": minor
+"wrangler": minor
+---
+
+Add support for trusted_user_ca_keys in Wrangler
+
+You can now configure SSH trusted user CA keys for containers. Add the following to your wrangler.toml:
+
+```toml
+[[containers.trusted_user_ca_keys]]
+public_key = "ssh-ed25519 AAAAC3..."
+```
+
+This allows you to specify CA public keys that can be used to verify SSH user certificates.

packages/containers-shared/src/client/index.ts

@@ -193,7 +193,7 @@ export { SecretNotFound } from "./models/SecretNotFound";
 export type { SSHPublicKey } from "./models/SSHPublicKey";
 export type { SSHPublicKeyID } from "./models/SSHPublicKeyID";
 export type { SSHPublicKeyItem } from "./models/SSHPublicKeyItem";
-export type { SSHPublicKeyItemV3 } from "./models/SSHPublicKeyItemV3";
+export type { UserSSHPublicKey } from "./models/UserSSHPublicKey";
 export { SSHPublicKeyNotFoundError } from "./models/SSHPublicKeyNotFoundError";
 export type { UnAuthorizedError } from "./models/UnAuthorizedError";
 export type { UnixTimestamp } from "./models/UnixTimestamp";

packages/containers-shared/src/client/models/DeploymentV2.ts

@@ -27,7 +27,7 @@ import type { Observability } from "./Observability";
 import type { Placement } from "./Placement";
 import type { Ref } from "./Ref";
 import type { SSHPublicKeyID } from "./SSHPublicKeyID";
-import type { SSHPublicKeyItemV3 } from "./SSHPublicKeyItemV3";
+import type { UserSSHPublicKey } from "./UserSSHPublicKey";
 import type { WranglerSSHConfig } from "./WranglerSSHConfig";
 
 /**
@@ -44,7 +44,7 @@ export type DeploymentV2 = {
 	image: Image;
 	location: DeploymentLocation;
 	wrangler_ssh?: WranglerSSHConfig;
-	authorized_keys?: Array<SSHPublicKeyItemV3>;
+	authorized_keys?: Array<UserSSHPublicKey>;
 	/**
 	 * A list of SSH public key IDs from the account
 	 */

packages/containers-shared/src/client/models/ModifyUserDeploymentConfiguration.ts

@@ -18,7 +18,7 @@ import type { Observability } from "./Observability";
 import type { Port } from "./Port";
 import type { ProvisionerConfiguration } from "./ProvisionerConfiguration";
 import type { SSHPublicKeyID } from "./SSHPublicKeyID";
-import type { SSHPublicKeyItemV3 } from "./SSHPublicKeyItemV3";
+import type { UserSSHPublicKey } from "./UserSSHPublicKey";
 import type { WranglerSSHConfig } from "./WranglerSSHConfig";
 
 /**
@@ -27,7 +27,8 @@ import type { WranglerSSHConfig } from "./WranglerSSHConfig";
 export type ModifyUserDeploymentConfiguration = {
 	image?: Image;
 	wrangler_ssh?: WranglerSSHConfig;
-	authorized_keys?: Array<SSHPublicKeyItemV3>;
+	authorized_keys?: Array<UserSSHPublicKey>;
+	trusted_user_ca_keys?: Array<UserSSHPublicKey>;
 	/**
 	 * A list of SSH public key IDs from the account
 	 */

packages/containers-shared/src/client/models/UserDeploymentConfiguration.ts

@@ -18,7 +18,7 @@ import type { Observability } from "./Observability";
 import type { Port } from "./Port";
 import type { ProvisionerConfiguration } from "./ProvisionerConfiguration";
 import type { SSHPublicKeyID } from "./SSHPublicKeyID";
-import type { SSHPublicKeyItemV3 } from "./SSHPublicKeyItemV3";
+import type { UserSSHPublicKey } from "./UserSSHPublicKey";
 import type { WranglerSSHConfig } from "./WranglerSSHConfig";
 
 /**
@@ -27,7 +27,8 @@ import type { WranglerSSHConfig } from "./WranglerSSHConfig";
 export type UserDeploymentConfiguration = {
 	image: Image;
 	wrangler_ssh?: WranglerSSHConfig;
-	authorized_keys?: Array<SSHPublicKeyItemV3>;
+	authorized_keys?: Array<UserSSHPublicKey>;
+	trusted_user_ca_keys?: Array<UserSSHPublicKey>;
 	/**
 	 * A list of SSH public key IDs from the account
 	 */

…/src/client/models/SSHPublicKeyItemV3.ts …ed/src/client/models/UserSSHPublicKey.tspackages/containers-shared/src/client/models/SSHPublicKeyItemV3.ts renamed to packages/containers-shared/src/client/models/UserSSHPublicKey.ts packages/containers-shared/src/client/models/SSHPublicKeyItemV3.ts renamed to packages/containers-shared/src/client/models/UserSSHPublicKey.ts

@@ -5,9 +5,9 @@
 import type { SSHPublicKey } from "./SSHPublicKey";
 
 /**
- * An SSH public key attached to a specific application or account.
+ * SSH public key provided by the user
  */
-export type SSHPublicKeyItemV3 = {
-	name: string;
+export type UserSSHPublicKey = {
+	name?: string;
 	public_key: SSHPublicKey;
 };

packages/containers-shared/src/types.ts

@@ -2,7 +2,7 @@ import type {
 	ApplicationAffinityColocation,
 	InstanceType,
 	SchedulingPolicy,
-	SSHPublicKeyItemV3,
+	UserSSHPublicKey,
 	WranglerSSHConfig,
 } from "./client";
 import type { ApplicationAffinityHardwareGeneration } from "./client/models/ApplicationAffinityHardwareGeneration";
@@ -79,7 +79,8 @@ export type SharedContainerConfig = {
 	rollout_kind: "full_auto" | "full_manual" | "none";
 	rollout_active_grace_period: number;
 	wrangler_ssh?: WranglerSSHConfig;
-	authorized_keys?: Array<SSHPublicKeyItemV3>;
+	authorized_keys?: Array<UserSSHPublicKey>;
+	trusted_user_ca_keys?: Array<UserSSHPublicKey>;
 	constraints: {
 		regions?: string[];
 		cities?: string[];

packages/workers-utils/src/config/environment.ts

@@ -190,6 +190,11 @@ export type ContainerApp = {
 	 */
 	authorized_keys?: { name: string; public_key: string }[];
 
+	/**
+	 * Trusted user CA keys to put in the container's trusted_user_ca_keys file.
+	 */
+	trusted_user_ca_keys?: { name?: string; public_key: string }[];
+
 	/**
 	 * @deprecated Use top level `containers` fields instead.
 	 * `configuration.image` should be `image`

packages/workers-utils/src/config/validation.ts

@@ -3059,6 +3059,7 @@ function validateContainerApp(
 					"instance_type",
 					"wrangler_ssh",
 					"authorized_keys",
+					"trusted_user_ca_keys",
 					"configuration",
 					"constraints",
 					"affinities",
@@ -3104,15 +3105,6 @@ function validateContainerApp(
 						`${field}.wrangler_ssh.port must be a number between 1 and 65535 inclusive`
 					);
 				}
-
-				if (
-					!("authorized_keys" in containerAppOptional) &&
-					containerAppOptional.wrangler_ssh.enabled
-				) {
-					diagnostics.errors.push(
-						`${field}.authorized_keys must be provided if wrangler ssh is enabled`
-					);
-				}
 			}
 
 			if ("authorized_keys" in containerAppOptional) {
@@ -3142,6 +3134,35 @@ function validateContainerApp(
 				}
 			}
 
+			if ("trusted_user_ca_keys" in containerAppOptional) {
+				if (!Array.isArray(containerAppOptional.trusted_user_ca_keys)) {
+					diagnostics.errors.push(
+						`${field}.trusted_user_ca_keys must be an array`
+					);
+				} else {
+					for (const index in containerAppOptional.trusted_user_ca_keys) {
+						const fieldPath = `${field}.trusted_user_ca_keys[${index}]`;
+						const key = containerAppOptional.trusted_user_ca_keys[index];
+
+						if (!isOptionalProperty(key, "name", "string")) {
+							diagnostics.errors.push(`${fieldPath}.name must be a string`);
+						}
+
+						if (!isRequiredProperty(key, "public_key", "string")) {
+							diagnostics.errors.push(
+								`${fieldPath}.public_key must be a string`
+							);
+						}
+
+						if (!key.public_key.toLowerCase().startsWith("ssh-ed25519")) {
+							diagnostics.errors.push(
+								`${fieldPath}.public_key is a unsupported key type. Please provide a ED25519 public key.`
+							);
+						}
+					}
+				}
+			}
+
 			// Instance Type validation: When present, the instance type should be either (1) a string
 			// representing a predefined instance type or (2) an object that optionally defines vcpu,
 			// memory, and disk.

packages/wrangler/src/__tests__/containers/config.test.ts

@@ -788,6 +788,12 @@ describe("getNormalizedContainerOptions", () => {
 								"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0chNcjRotdsxXTwPPNoqVCGn4EcEWdUkkBPNm/v4gm",
 						},
 					],
+					trusted_user_ca_keys: [
+						{
+							public_key:
+								"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0chNcjRotdsxXTwPPNoqVCGn4EcEWdUkkBPNm/v4gm",
+						},
+					],
 				},
 			],
 			durable_objects: {