virtctl: add commands to dynamically set SSH keys and passwords on a VM #9818
Force-pushed c745e24 to 3f244a1
/retest
@akrejcir does the secret already need to exist before adding the SSH key? If so, shouldn't we create the secret together with the first key we want to add?
Good point. Yes, the secret needs to exist. We cannot change a running VM, but we can create the secret for a stopped VM. /hold
func secretContainsKey(secretData map[string][]byte, key string) bool {
	for _, data := range secretData {
		lines := strings.Split(string(data), "\n")
Is it correct checking the SSH key line by line? I mean, we could have new lines or not, but the key is the same? Shouldn't we trim the data, eliminate the \n, and then compare?
One data entry in the Secret contains a file that can contain multiple keys, each on its own line. That's why this loop checks each line separately.
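A line-by-line check of the kind described above, as an added example (not the PR's own secretContainsKey; the helper names keyIdentity and keyFileContainsKey are assumed). It goes a little beyond the thread by ignoring blank lines, '#' comments, CRLF line endings, leading authorized_keys options and the trailing key comment, so the same key material matches regardless of how the line was formatted.

```go
package main

import "strings"

// keyIdentity returns "<type> <base64-blob>" for one authorized_keys-style line,
// or "" for blank lines, '#' comments and lines without a recognisable key.
func keyIdentity(line string) string {
	fields := strings.Fields(line)
	if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
		return ""
	}
	for i := 0; i+1 < len(fields); i++ { // skip leading options such as "no-pty"
		t := fields[i]
		if strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
			return t + " " + fields[i+1] // the trailing comment is deliberately ignored
		}
	}
	return ""
}

// keyFileContainsKey checks a whole file (one key per line) for wantKey. Splitting on
// "\n" is what the thread describes; strings.Fields then drops a trailing "\r" and spaces.
func keyFileContainsKey(file []byte, wantKey string) bool {
	want := keyIdentity(wantKey)
	if want == "" {
		return false
	}
	for _, line := range strings.Split(string(file), "\n") {
		if keyIdentity(line) == want {
			return true
		}
	}
	return false
}

// secretContainsKey walks every data entry of the Secret, like the PR's helper
// of the same name (this body is an assumed stand-in, not the project's code).
func secretContainsKey(secretData map[string][]byte, key string) bool {
	for _, data := range secretData {
		if keyFileContainsKey(data, key) {
			return true
		}
	}
	return false
}

// sampleSecret is constructed test data; the blob is placeholder text, not a real key.
var sampleSecret = map[string][]byte{
	"authorized_keys": []byte("# admin keys\r\nno-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE user@host\r\n\r\n"),
}
```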
What happens if the propagation method for the ssh key injection is cloud-init? Is this command not supported?
This is quite a large PR. Tbh. I'd like to see it split up into smaller and easier to review PRs.
Added some comments.
IMO, if we try to reduce the code duplication into functions, the size of the pr should reasonably decrease
Force-pushed 45ea683 to d4b4082
Added new functionality. Can you take another look?
/hold cancel
if err != nil {
	// TODO: Check error type and only execute second patch for some errors
	// Try adding the array
	patchData := patchToAddAccessCredentialArray(accessCredential)
When is this necessary?
If the VM has no credentials, the slice is nil, and the patch will fail, because the path /spec/template/spec/accessCredentials/- does not exist. So this second patch is used to add the array.
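A worked version of the two-patch fallback the reply above describes, added here as an example and not taken from the PR. It uses a minimal in-memory RFC 6902 "add" to show why appending to /spec/template/spec/accessCredentials/- fails when the array was omitted, and why the second patch (adding the whole array) succeeds; the names patchAppendCredential, patchCreateCredentialArray, applyAdd and addAccessCredential are assumptions, and a real client would marshal the patchOp list and send it with types.JSONPatchType as the PR does.

```go
package main

import (
	"fmt"
	"strings"
)

// patchOp is one RFC 6902 operation (the command marshals a list of these as JSON).
type patchOp struct{ Op, Path string; Value any }

const credsPath = "/spec/template/spec/accessCredentials"

// The two patches the thread describes: append to the array, or create it.
func patchAppendCredential(cred any) patchOp { return patchOp{"add", credsPath + "/-", cred} }
func patchCreateCredentialArray(cred any) patchOp { return patchOp{"add", credsPath, []any{cred}} }

// applyAdd applies one "add" to an unmarshalled JSON object with the RFC 6902 rule that
// matters here: parents must exist, so "/-" fails when accessCredentials was omitted (nil slice).
func applyAdd(doc map[string]any, op patchOp) error {
	errMissing := fmt.Errorf("add operation does not apply: path %q does not exist", op.Path)
	appendOp := strings.HasSuffix(op.Path, "/-")
	parts := strings.Split(strings.TrimSuffix(strings.TrimPrefix(op.Path, "/"), "/-"), "/")
	last, parents := parts[len(parts)-1], parts[:len(parts)-1]
	cur := doc
	for _, p := range parents {
		next, ok := cur[p].(map[string]any)
		if !ok {
			return errMissing
		}
		cur = next
	}
	if !appendOp {
		cur[last] = op.Value // plain add: creates or replaces the member
		return nil
	}
	arr, ok := cur[last].([]any) // the array itself must already exist for "/-"
	if !ok {
		return errMissing
	}
	cur[last] = append(arr, op.Value)
	return nil
}

// addAccessCredential is the fallback from the thread: try the append first and
// create the array only when that fails; the bool reports whether the fallback ran.
func addAccessCredential(vm map[string]any, cred any) (bool, error) {
	if applyAdd(vm, patchAppendCredential(cred)) == nil {
		return false, nil
	}
	return true, applyAdd(vm, patchCreateCredentialArray(cred))
}
```

As the TODO in the PR notes, a production version should inspect the first error before falling back, since any failure (not only a missing array) currently triggers the second patch.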
What about clearing the password secret?
There is no QEMU GA command to clear a password that has been set for a user. We could clear the secret, but the VM would still have the password.
ACK, might be worth adding a --clear flag in a follow-up.
Force-pushed b640227 to f4bbf9b
Force-pushed e1581e8 to f4d4cdf
/retest
Can you add examples to the cmds and give some context when they are working (using qemu guest propagation) or not working (using cloud init propagation)?
Also, do you think the init/updating/helper code in the test files could be deduplicated?
Force-pushed f4d4cdf to f172881
I've added usage examples.
The command adds an SSH public key to the secret specified in the "AccessCredentials" field of a VM or VMI. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
The command removes the specified key from all the secrets that are specified in the "AccessCredentials" list. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
The command modifies a secret to set the user's password. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
Force-pushed f172881 to 3249e02
The descriptions of the commands could still be a little improved and IMO the unit test code could still be deduplicated, but let's do it in a follow-up. For now this looks good to me.
/lgtm
/retest
/retest
keySecret, err = cli.CoreV1().Secrets(util.NamespaceTestDefault).Create(context.Background(), keySecret, metav1.CreateOptions{})
Expect(err).ToNot(HaveOccurred())
DeferCleanup(func() {
Is this necessary? Aren't the secrets deleted by default on the namespace test cleanup?
Expect(secret.Data).To(ContainElement([]byte(testKey2)))
})

It("[test_id:TODO] should add ssh key from a file", func() {
test_id:TODO should be updated
// First, Try to add the new access credential to the existing array.
_, err = cli.VirtualMachine(vm.Namespace).Patch(cmd.Context(), vm.Name, types.JSONPatchType, common.MustMarshalPatch(accessCredentialPatch), &metav1.PatchOptions{})
if err != nil {
nit: any chance to check the actual error? Maybe with Contains?
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: alicefr.
@akrejcir: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/retest-required
/cherry-pick release-1.0
@akrejcir: new pull request created: #9969 In response to this:
What this PR does / why we need it:
Added 3 commands to virtctl:
- virtctl credentials add-ssh-key - Adds an SSH public key to one of the secrets that are specified in the AccessCredentials field of a VM or VMI.
- virtctl credentials remove-ssh-key - Removes an SSH key from one of the secrets.
- virtctl credentials set-password - Sets a user's password in one of the secrets.
Release note: