-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh,scp: implement ssh and scp clients #619
Conversation
cmd/ssh.go
Outdated
ip = cluster.ProviderConfig().KubernetesAPI.Endpoint | ||
} | ||
|
||
client := ssh.NewSSHClient(ip, "22", "root") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we hard code this? I know the user and port is stored in the cluster API...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be better now :)
@kris-nova ready for review |
pkg/ssh/auth/agent.go
Outdated
) | ||
|
||
// SystemAgent returns system agent if it exists. | ||
func SystemAgent() agent.Agent { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So wondering how the workflow would work here..
Should we return an error if the system agent doesnt exist?
Should we change the function name to SystemAgentIfExists()
or something?
Just think we could be a little more strict here is all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we return an error if the system agent doesnt exist?
It could be useful for debugging purposes, so I added it.
Should we change the function name to SystemAgentIfExists() or something?
Sounds better than SystemAgent
. Updated.
return nil, nil, fmt.Errorf("Unable to connect to SSH: %v", err) | ||
} | ||
|
||
masterVpnIP, err := scp.ReadBytes(client, "/tmp/.ip") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to pass in the client every time we call ReadBytes
or do we want to cache it in memory somewhere and then tell it which file to read from?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we can encapsulate it into a struct. I've updated the SCP package to try to fix this. Let me know is it any better.
ssh
andscp
packagesCloses #609
This PR implements the
ssh
package used to handle SSH connections. It comes with akubicorn ssh <cluster-name>
CLI command for connecting to the master instance of the cluster.Beside
ssh
package and command, this PR refactors thescp
package to utilize the newssh
package, as well as implements theWriteBytes
function used to send a file to the cluster.Implementation of the PR
Currently,
ssh
package is used only forkubicorn ssh
command.The
scp
package is used to download the VPN credentials, if VPN is enabled for DigitalOcean clusters.Resolving
agent
problemsThis
ssh
implementation is not dependent on theagent
package we're using currently. Instead, it implements theauth
package which handles SSH authentication.The default authentication method is password authentication. As we're connecting only one time (ensured by the
Connect
function) and then we're just reusing the same connection, user needs to enter password only once.Beside password authentication, users can also use the system SSH agent. To use the system agent, it's required to set the
KUBICORN_SSH_AGENT
environment variable (documented inenvar.md
). If the variable is set,kubicorn
will try to use system SSH agent. If error occurs (e.g. the system agent is not present or the key is not present in the agent),kubicorn
will resort to the password authentication with the appropriate error message and recommended steps to fix the issue.Notes
kubicorn ssh
command supports only SSH-ing to the master.Parts needing attention
StartInteractiveSession
-xterm
TTY. What exactly theRequestPty
function does and is it safe to usexterm
for all clusters?StartInteractiveSession
- handle terminal window changes. Without that part, if user resizes the terminal, SSH session will misbehave. I'm not sure is it okay to run this in an infinitivefor
loop in the goroutine. Do we need a timeout for goroutine here?Steps before merging PR
We want to make this actually works. I would love @kris-nova to test this before we merge the PR, so we're sure it works as intended. The easiest way to test the PR is to use the
kubicorn ssh
command.Steps after merging PR
To make this PR cleaner and easier to review, it only implements the
ssh
andscp
packages without implementing them in the code (beside for DigitalOcean VPN). When the PR is merged, we need to implement it for thekubeconfig
andinitapi
packages.After merging the PR, we can make the following changes to further improve the packages:
kubicorn ssh
command able to SSH to all nodes in the cluster.agent
package when we implement thessh
package in all places.teleport
andteleconsole
packages and offer profiles with bastion (issue teleconsole and teleport #533).