virtctl: add commands to dynamically set SSH keys and passwords on a VM #9818
Conversation
kubevirt-bot
added
release-note
akrejcir
force-pushed
the
virtctl-credentials
branch
from
c745e24
to
3f244a1
Compare
|
/retest |
|
@akrejcir does the secret need already to exist before adding the ssh key? If so, shouldn't we create the secret together with the first key we want to add? |
|
Good point. Yes the secret needs to exist. We cannot change running VM, but we can create the secret for a stopped VM. /hold |
kubevirt-bot
added
the
do-not-merge/hold
|
|
||
| func secretContainsKey(secretData map[string][]byte, key string) bool { | ||
| for _, data := range secretData { | ||
| lines := strings.Split(string(data), "\n") |
There was a problem hiding this comment.
Is it correct checking the ssh key line by line? I mean we could have new lines or not but the key is the same? Shouldn't we trim the data and eliminate then \n and then compare?
There was a problem hiding this comment.
One data entry in the Secret contains a file, that can contain multiple keys, each on it's own line.
That's why this loop checks each line separately.
|
What happens if the propagation method for the ssh key injection is cloud-init? Is this command not supported? |
IMO, if we try to reduce the code duplication into functions, the size of the pr should reasonably decrease |
kubevirt-bot
added
the
needs-rebase
akrejcir
force-pushed
the
virtctl-credentials
branch
2 times, most recently
from
45ea683
to
d4b4082
Compare
kubevirt-bot
removed
the
needs-rebase
|
Added new functionality. Can you take another look? |
|
/hold cancel |
kubevirt-bot
removed
the
do-not-merge/hold
| if err != nil { | ||
| // TODO: Check error type and only execute second patch for some errors | ||
| // Try adding the array | ||
| patchData := patchToAddAccessCredentialArray(accessCredential) |
There was a problem hiding this comment.
If the VM has no credentials, the slice is nil, and patch will fail, because path /spec/template/spec/accessCredentials/- does not exist. So this second patch is used to add the array.
There was a problem hiding this comment.
What about clearing the password secret?
There was a problem hiding this comment.
There is no QEMU GA command to clear a password that has been set for a user. We could clear the secret, but the VM would still have the password.
There was a problem hiding this comment.
ACK, might be worth adding a --clear flag in a follow up.
akrejcir
force-pushed
the
virtctl-credentials
branch
3 times, most recently
from
b640227
to
f4bbf9b
Compare
akrejcir
force-pushed
the
virtctl-credentials
branch
2 times, most recently
from
e1581e8
to
f4d4cdf
Compare
|
/retest |
akrejcir
force-pushed
the
virtctl-credentials
branch
from
f4d4cdf
to
f172881
Compare
|
I've added usage examples. |
The command adds a SSH public key to the secret specified in the "AccessCredentials" field of a VM or VMI. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
The command removes specified key from all the secrets that are specified in the "AccessCredentials" list. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
The command modifies a secret to set the user's password. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
akrejcir
force-pushed
the
virtctl-credentials
branch
from
f172881
to
3249e02
Compare
|
/retest |
1 similar comment
|
/retest |
|
|
||
| keySecret, err = cli.CoreV1().Secrets(util.NamespaceTestDefault).Create(context.Background(), keySecret, metav1.CreateOptions{}) | ||
| Expect(err).ToNot(HaveOccurred()) | ||
| DeferCleanup(func() { |
There was a problem hiding this comment.
Is this necessary? Aren't the secrets deleted by default on the namespace test cleanup?
| Expect(secret.Data).To(ContainElement([]byte(testKey2))) | ||
| }) | ||
|
|
||
| It("[test_id:TODO] should add ssh key from a file", func() { |
|
|
||
| // First, Try to add the new access credential to the existing array. | ||
| _, err = cli.VirtualMachine(vm.Namespace).Patch(cmd.Context(), vm.Name, types.JSONPatchType, common.MustMarshalPatch(accessCredentialPatch), &metav1.PatchOptions{}) | ||
| if err != nil { |
There was a problem hiding this comment.
nit:any chances to check the actual error? Maybe with Contains?
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alicefr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
@akrejcir: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required |
|
/cherry-pick release-1.0 |
|
@akrejcir: new pull request created: #9969 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
Added 3 commands to
virtctl:virtctl credentials add-ssh-key- Adds an SSH public key to one of the secrets that are specified inAccessCredentialsfield of a VM or VMI.virtctl credentials remove-ssh-key- Removes an SSH key from one of the secretes.virtctl credentials set-password- Sets a user's password in one of the secretes.Release note: