Generate keys in a separate tmpfs volume #1007

Merged: 2 commits merged into master from issue/1002-ro-key-volume, Mar 16, 2018

Conversation

squaremo (Member) commented Mar 14, 2018

In Kubernetes >= 1.10, secrets (and config-maps) will be mounted read-only. This means we cannot use the tmpfs volume used for the deploy secret as a workspace for generating new keys (and that we have to mount the secret with the right mode, since we won't be able to chmod it).

Instead, allow another tmpfs to be mounted, and use that when directed to. The new flag --ssh-keygen-dir is for providing the path; otherwise, it will use the path for the mounted secret, as before.

So we can still use stable paths, both possible stable locations of the private key (in the mounted secret or in the mounted tmpfs workspace) are mentioned in ~/.ssh/config (in the Docker image).

The example is also updated to reflect the new way of doing things, compatible with Kubernetes 1.10; existing configs will continue to work.

Fixes #1002.

In Kubernetes >= 1.10, secrets (and config-maps) will be mounted
read-only. This means we cannot use the tmpfs volume used for the
deploy secret as a workspace for generating new keys (and that we have
to mount the secret with the right mode, since we won't be able to
`chmod` it).

Instead, require _another_ tmpfs to be mounted, and use that. The new,
mandatory flag `--ssh-keygen-dir` is for providing the path. It's
mandatory so that it's harder to accidentally just use a "regular" bit
of the filesystem to generate keys and thereby put them on disk.

So we can still use stable paths, both possible stable locations of
the private key are mentioned in ~/.ssh/config (in the Docker image).
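A deployment fragment illustrating the arrangement described above, added here as an example rather than taken from the project's own example manifest: the deploy-key Secret is mounted read-only with its file mode fixed at mount time (a runtime chmod fails on a read-only mount), and a second, memory-backed emptyDir is mounted and passed to `--ssh-keygen-dir` so that a freshly generated private key never reaches disk. The volume names, mount paths (/etc/fluxd/ssh, /var/fluxd/keygen), Secret name and image reference are assumptions; only the `--ssh-keygen-dir` flag comes from the PR.

```yaml
# Added example, not the project's own manifest. Names, paths and image are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux
spec:
  replicas: 1
  selector:
    matchLabels:
      name: flux
  template:
    metadata:
      labels:
        name: flux
    spec:
      volumes:
        # Deploy key delivered as a Secret volume. From Kubernetes 1.10 this
        # mount is read-only, so the mode has to be set here; chmod at
        # runtime would fail with EROFS.
        - name: git-key
          secret:
            secretName: flux-git-deploy   # assumed Secret name
            defaultMode: 0400             # private key readable by its owner only
        # Writable, memory-backed scratch space for ssh-keygen. medium: Memory
        # backs the emptyDir with tmpfs, so a generated key is never written
        # to the node's disk.
        - name: git-keygen
          emptyDir:
            medium: Memory
      containers:
        - name: flux
          image: example.invalid/flux:example   # assumed image reference
          args:
            # Flag introduced by this PR; the path is an assumption and must
            # match the git-keygen mountPath below.
            - --ssh-keygen-dir=/var/fluxd/keygen
          volumeMounts:
            - name: git-key
              mountPath: /etc/fluxd/ssh     # assumed location of the mounted secret
              readOnly: true                # explicit, so pre-1.10 clusters behave the same
            - name: git-keygen
              mountPath: /var/fluxd/keygen  # assumed; the keygen workspace
```

With both mounts in place, whichever of the two paths holds a private key is picked up because the image's ~/.ssh/config lists both locations, so neither path needs to change when a cluster is upgraded. Omitting `--ssh-keygen-dir` falls back to the secret's own path, which is exactly the write into a read-only mount that this change avoids on 1.10 clusters.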
@squaremo squaremo changed the title [WIP] Generate keys in a separate tmpfs volume [RFC] Generate keys in a separate tmpfs volume Mar 14, 2018
squaremo (Member, Author) commented Mar 14, 2018

@awh MBOI

For Kubernetes 1.10 and onwards, people will need to supply another,
writable tmpfs volume for us to generate keys in. But we don't need to
make it a breaking change.

This commit makes the argument `--ssh-keygen-dir` optional by
defaulting to using the path of the secret volume. This means existing
configurations won't break when deploying this code. I have made the
example deployment forward-compatible -- i.e., it will work for
Kubernetes 1.10 as well as present Kubernetes releases.
@squaremo squaremo changed the title [RFC] Generate keys in a separate tmpfs volume Generate keys in a separate tmpfs volume Mar 15, 2018
@@ -156,9 +157,9 @@ type PublicKey struct {
// ExtractPublicKey extracts and returns the public key from the specified
// private key, along with its fingerprint hashes.
func ExtractPublicKey(privateKeyPath string) (PublicKey, error) {
keyBytes, err := exec.Command("ssh-keygen", "-y", "-f", privateKeyPath).Output()
keyBytes, err := exec.Command("ssh-keygen", "-y", "-f", privateKeyPath).CombinedOutput()
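Review bot: switching the value path to CombinedOutput means anything ssh-keygen writes to stderr during a successful run is appended to keyBytes and returned as part of the public key, since keyBytes is what ExtractPublicKey hands back as the key. To get the richer failure message without risking a corrupted key, keep Output() and read the stderr text from the *exec.ExitError on the error path, which Output populates when Stderr is not otherwise set, e.g. `if ee, ok := err.(*exec.ExitError); ok { return PublicKey{}, fmt.Errorf("ssh-keygen: %s", ee.Stderr) }`.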

squaremo (Author, Member) commented Mar 15, 2018

This is merely to provide a better error when it fails (e.g., when the file is missing).

@squaremo squaremo requested a review from sambooo Mar 15, 2018
sambooo (Contributor) left a comment

LGTM

@squaremo squaremo merged commit 6492293 into master Mar 16, 2018
1 check passed: ci/circleci: build (Your tests passed on CircleCI!)
@squaremo squaremo deleted the issue/1002-ro-key-volume branch Mar 16, 2018