Merge pull request #7096 from austinmoore-/no-ssh-key

Configuration to specify no SSH key
kubernetes · Jan 15, 2020 · dbfd7f1 · dbfd7f1
2 parents 8c6b74d + 4a88f7b
commit dbfd7f1
Show file tree

Hide file tree

Showing 22 changed files with 2,302 additions and 85 deletions.
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
@@ -797,6 +797,13 @@ spec:
   sshKeyName: myexistingkey
 ```
 
+If you want to create your instance without any SSH keys you can set this to an empty string:
+```yaml
+spec:
+  sshKeyName: ""
+```
+
+
 ### useHostCertificates
 
 Self-signed certificates towards Cloud APIs. In some cases Cloud APIs do have self-signed certificates.

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -119,7 +119,7 @@ type ClusterSpec struct {
 	// HTTPProxy defines connection information to support use of a private cluster behind an forward HTTP Proxy
 	EgressProxy *EgressProxySpec `json:"egressProxy,omitempty"`
 	// SSHKeyName specifies a preexisting SSH key to use
-	SSHKeyName string `json:"sshKeyName,omitempty"`
+	SSHKeyName *string `json:"sshKeyName,omitempty"`
 	// KubernetesAPIAccess is a list of the CIDRs that can access the Kubernetes API endpoint (master HTTPS)
 	KubernetesAPIAccess []string `json:"kubernetesApiAccess,omitempty"`
 	// IsolateMasters determines whether we should lock down masters so that they are not on the pod network.

diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
@@ -136,7 +136,7 @@ type ClusterSpec struct {
 	// HTTPProxy defines connection information to support use of a private cluster behind an forward HTTP Proxy
 	EgressProxy *EgressProxySpec `json:"egressProxy,omitempty"`
 	// SSHKeyName specifies a preexisting SSH key to use
-	SSHKeyName string `json:"sshKeyName,omitempty"`
+	SSHKeyName *string `json:"sshKeyName,omitempty"`
 	// EtcdClusters stores the configuration for each cluster
 	EtcdClusters []*EtcdClusterSpec `json:"etcdClusters,omitempty"`
 	// Component configurations

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
@@ -117,7 +117,7 @@ type ClusterSpec struct {
 	// HTTPProxy defines connection information to support use of a private cluster behind an forward HTTP Proxy
 	EgressProxy *EgressProxySpec `json:"egressProxy,omitempty"`
 	// SSHKeyName specifies a preexisting SSH key to use
-	SSHKeyName string `json:"sshKeyName,omitempty"`
+	SSHKeyName *string `json:"sshKeyName,omitempty"`
 	// KubernetesAPIAccess determines the permitted access to the API endpoints (master HTTPS)
 	// Currently only a single CIDR is supported (though a richer grammar could be added in future)
 	KubernetesAPIAccess []string `json:"kubernetesApiAccess,omitempty"`

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
diff --git a/pkg/model/awsmodel/autoscalinggroup.go b/pkg/model/awsmodel/autoscalinggroup.go
@@ -232,9 +232,10 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 		})
 	}
 
-	// @step: attach the ssh key to the instancegroup
-	if t.SSHKey, err = b.LinkToSSHKey(); err != nil {
-		return nil, err
+	if b.AWSModelContext.UseSSHKey() {
+		if t.SSHKey, err = b.LinkToSSHKey(); err != nil {
+			return nil, err
+		}
 	}
 
 	// @step: add the instancegroup userdata

diff --git a/pkg/model/context.go b/pkg/model/context.go
@@ -351,6 +351,13 @@ func (m *KopsModelContext) UseEtcdTLS() bool {
 	return false
 }
 
+// UseSSHKey returns true if SSHKeyName from the cluster spec is not set to an empty string (""). Setting SSHKeyName
+// to an empty string indicates that an SSH key should not be set on instances.
+func (m *KopsModelContext) UseSSHKey() bool {
+	sshKeyName := m.Cluster.Spec.SSHKeyName
+	return sshKeyName == nil || *sshKeyName != ""
+}
+
 // KubernetesVersion parses the semver version of kubernetes, from the cluster spec
 func (m *KopsModelContext) KubernetesVersion() semver.Version {
 	// TODO: Remove copy-pasting c.f. https://github.com/kubernetes/kops/blob/master/pkg/model/components/context.go#L32

diff --git a/pkg/model/names.go b/pkg/model/names.go
@@ -149,17 +149,17 @@ func (b *KopsModelContext) LinkToIAMInstanceProfile(ig *kops.InstanceGroup) (*aw
 // If an SSH key name is provided in the cluster configuration, it will use that instead.
 func (c *KopsModelContext) SSHKeyName() (string, error) {
 	// use configured SSH key name if present
-	name := c.Cluster.Spec.SSHKeyName
-	if name != "" {
-		return name, nil
+	sshKeyName := c.Cluster.Spec.SSHKeyName
+	if sshKeyName != nil && *sshKeyName != "" {
+		return *sshKeyName, nil
 	}
 
 	fingerprint, err := pki.ComputeOpenSSHKeyFingerprint(string(c.SSHPublicKeys[0]))
 	if err != nil {
 		return "", err
 	}
 
-	name = "kubernetes." + c.Cluster.ObjectMeta.Name + "-" + fingerprint
+	name := "kubernetes." + c.Cluster.ObjectMeta.Name + "-" + fingerprint
 	return name, nil
 }
 

diff --git a/pkg/model/sshkey.go b/pkg/model/sshkey.go
@@ -30,6 +30,10 @@ type SSHKeyModelBuilder struct {
 var _ fi.ModelBuilder = &SSHKeyModelBuilder{}
 
 func (b *SSHKeyModelBuilder) Build(c *fi.ModelBuilderContext) error {
+	if !b.UseSSHKey() {
+		return nil
+	}
+
 	name, err := b.SSHKeyName()
 	if err != nil {
 		return err

diff --git a/protokube/pkg/gossip/mesh/mesh.pb.go b/protokube/pkg/gossip/mesh/mesh.pb.go