*: unify handling of ssh keys

Instead of each platform implementing their own mechanism for supplying
SSH keys, use the same method everywhere. Now, instead of using AWS's
metadata service, we inject the keys directly via Ignition.

Note: The stub Ignition configs contain the SSH keys. Eventually, the
keys will need to be moved into MCO, so that they can be rotated.

Author: crawford

Documentation/design/installconfig.md

@@ -68,7 +68,6 @@ type AWS struct {
     Master                    `json:",inline" yaml:"master,omitempty"`
     Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
     Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-    SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
     VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
     Worker                    `json:",inline" yaml:"worker,omitempty"`
 }
@@ -106,7 +105,6 @@ type Worker struct {
 ```go
 type Libvirt struct {
     URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-    SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
     QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
     Network       `json:",inline" yaml:"network"`
     MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`

config.tf

@@ -267,6 +267,15 @@ also be escaped.
 EOF
 }
 
+variable "tectonic_admin_ssh_key" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The admin user's SSH public key to login to the nodes.
+EOF
+}
+
 variable "tectonic_ca_cert" {
   type    = "string"
   default = ""

examples/tectonic.aws.yaml

@@ -1,6 +1,7 @@
 admin:
   email: "a@b.c"
   password: "verysecure"
+  sshKey: "ssh-ed25519 AAAA..."
 aws:
   # (optional) Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
   # The Tectonic Installer uses the bucket to store tectonic assets and kubeconfig.
@@ -130,9 +131,6 @@ aws:
   # The target AWS region for the cluster.
   region: eu-west-1
 
-  # Name of an SSH key located within the AWS region. Example: coreos-user.
-  sshKey:
-
   # Block of IP addresses used by the VPC.
   # This should not overlap with any other networks, such as a private datacenter connected via Direct Connect.
   vpcCIDRBlock: 10.0.0.0/16

examples/tectonic.libvirt.yaml

@@ -1,6 +1,7 @@
 admin:
   email: a@b.c
   password: verysecure
+  sshKey: "ssh-ed25519 AAAA..."
 # The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 # DNS providers will automatically add this if necessary.
 #
@@ -16,7 +17,6 @@ libvirt:
     ifName: tt0
     dnsServer: 8.8.8.8
     ipRange: 192.168.124.0/24
-  sshKey: "ssh-rsa ..."
   imagePath: /path/to/image
 
 ca:

installer/pkg/config-generator/ignition.go

@@ -57,7 +57,9 @@ func (c *ConfigGenerator) GenerateIgnConfig(clusterDir string) error {
 			return err
 		}
 
-		// agentless platforms (e.g. libvirt) need to embed the ssh key
+		// XXX(crawford): The SSH key should only be added to the bootstrap
+		//                node. After that, MCO should be responsible for
+		//                distributing SSH keys.
 		c.embedUserBlock(ignCfg)
 
 		fileTargetPath := filepath.Join(clusterDir, ignFilesPath[role])
@@ -111,16 +113,14 @@ func (c *ConfigGenerator) appendCertificateAuthority(ignCfg *ignconfigtypes.Conf
 }
 
 func (c *ConfigGenerator) embedUserBlock(ignCfg *ignconfigtypes.Config) {
-	if c.Platform == config.PlatformLibvirt {
-		userBlock := ignconfigtypes.PasswdUser{
-			Name: "core",
-			SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
-				ignconfigtypes.SSHAuthorizedKey(c.Libvirt.SSHKey),
-			},
-		}
-
-		ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
+	userBlock := ignconfigtypes.PasswdUser{
+		Name: "core",
+		SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
+			ignconfigtypes.SSHAuthorizedKey(c.SSHKey),
+		},
 	}
+
+	ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
 }
 
 func (c *ConfigGenerator) getTNCURL(role string) string {

installer/pkg/config/aws/aws.go

@@ -30,7 +30,6 @@ type AWS struct {
 	Master                    `json:",inline" yaml:"master,omitempty"`
 	Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
 	Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-	SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 	VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
 	Worker                    `json:",inline" yaml:"worker,omitempty"`
 }

installer/pkg/config/libvirt/libvirt.go

@@ -17,7 +17,6 @@ const (
 // Libvirt encompasses configuration specific to libvirt.
 type Libvirt struct {
 	URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-	SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
 	QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
 	Network       `json:",inline" yaml:"network"`
 	MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`

installer/pkg/config/types.go

@@ -20,6 +20,7 @@ const (
 type Admin struct {
 	Email    string `json:"tectonic_admin_email" yaml:"email,omitempty"`
 	Password string `json:"tectonic_admin_password" yaml:"password,omitempty"`
+	SSHKey   string `json:"tectonic_admin_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 }
 
 // CA related config

installer/pkg/config/validate.go

@@ -183,9 +183,6 @@ func (c *Cluster) validateLibvirt() []error {
 	if err := validate.PrefixError("libvirt imagePath is not a valid QCOW image", validate.FileHeader(c.Libvirt.QCOWImagePath, qcowMagic)); err != nil {
 		errs = append(errs, err)
 	}
-	if err := validate.PrefixError("libvirt sshKey", validate.NonEmpty(c.Libvirt.SSHKey)); err != nil {
-		errs = append(errs, err)
-	}
 	if err := validate.PrefixError("libvirt network name", validate.NonEmpty(c.Libvirt.Network.Name)); err != nil {
 		errs = append(errs, err)
 	}

installer/pkg/config/validate_test.go

@@ -605,7 +605,6 @@ func TestValidateLibvirt(t *testing.T) {
 				Libvirt: libvirt.Libvirt{
 					Network:       libvirt.Network{},
 					QCOWImagePath: "",
-					SSHKey:        "",
 					URI:           "",
 				},
 				Networking: defaultCluster.Networking,
@@ -622,7 +621,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fInvalid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -639,7 +637,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -656,7 +653,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.2.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -673,7 +669,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "x",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -690,7 +685,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "192.168.0.1/24",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,