ssh,scp: implement ssh and scp clients #619
Conversation
cmd/ssh.go
Outdated
| ip = cluster.ProviderConfig().KubernetesAPI.Endpoint | ||
| } | ||
|
|
||
| client := ssh.NewSSHClient(ip, "22", "root") |
There was a problem hiding this comment.
Should we hard code this? I know the user and port is stored in the cluster API...
There was a problem hiding this comment.
It should be better now :)
xmudrii
changed the title
xmudrii
changed the title
|
@kris-nova ready for review |
pkg/ssh/auth/agent.go
Outdated
| ) | ||
|
|
||
| // SystemAgent returns system agent if it exists. | ||
| func SystemAgent() agent.Agent { |
There was a problem hiding this comment.
So wondering how the workflow would work here..
Should we return an error if the system agent doesnt exist?
Should we change the function name to SystemAgentIfExists() or something?
Just think we could be a little more strict here is all
There was a problem hiding this comment.
Should we return an error if the system agent doesnt exist?
It could be useful for debugging purposes, so I added it.
Should we change the function name to SystemAgentIfExists() or something?
Sounds better than SystemAgent. Updated.
| return nil, nil, fmt.Errorf("Unable to connect to SSH: %v", err) | ||
| } | ||
|
|
||
| masterVpnIP, err := scp.ReadBytes(client, "/tmp/.ip") |
There was a problem hiding this comment.
Do we want to pass in the client every time we call ReadBytes or do we want to cache it in memory somewhere and then tell it which file to read from?
There was a problem hiding this comment.
I guess we can encapsulate it into a struct. I've updated the SCP package to try to fix this. Let me know is it any better.
sshandscppackagesCloses #609
This PR implements the
sshpackage used to handle SSH connections. It comes with akubicorn ssh <cluster-name>CLI command for connecting to the master instance of the cluster.Beside
sshpackage and command, this PR refactors thescppackage to utilize the newsshpackage, as well as implements theWriteBytesfunction used to send a file to the cluster.Implementation of the PR
Currently,
sshpackage is used only forkubicorn sshcommand.The
scppackage is used to download the VPN credentials, if VPN is enabled for DigitalOcean clusters.Resolving
agentproblemsThis
sshimplementation is not dependent on theagentpackage we're using currently. Instead, it implements theauthpackage which handles SSH authentication.The default authentication method is password authentication. As we're connecting only one time (ensured by the
Connectfunction) and then we're just reusing the same connection, user needs to enter password only once.Beside password authentication, users can also use the system SSH agent. To use the system agent, it's required to set the
KUBICORN_SSH_AGENTenvironment variable (documented inenvar.md). If the variable is set,kubicornwill try to use system SSH agent. If error occurs (e.g. the system agent is not present or the key is not present in the agent),kubicornwill resort to the password authentication with the appropriate error message and recommended steps to fix the issue.Notes
kubicorn sshcommand supports only SSH-ing to the master.Parts needing attention
StartInteractiveSession-xtermTTY. What exactly theRequestPtyfunction does and is it safe to usextermfor all clusters?StartInteractiveSession- handle terminal window changes. Without that part, if user resizes the terminal, SSH session will misbehave. I'm not sure is it okay to run this in an infinitiveforloop in the goroutine. Do we need a timeout for goroutine here?Steps before merging PR
We want to make this actually works. I would love @kris-nova to test this before we merge the PR, so we're sure it works as intended. The easiest way to test the PR is to use the
kubicorn sshcommand.Steps after merging PR
To make this PR cleaner and easier to review, it only implements the
sshandscppackages without implementing them in the code (beside for DigitalOcean VPN). When the PR is merged, we need to implement it for thekubeconfigandinitapipackages.After merging the PR, we can make the following changes to further improve the packages:
kubicorn sshcommand able to SSH to all nodes in the cluster.agentpackage when we implement thesshpackage in all places.teleportandteleconsolepackages and offer profiles with bastion (issue teleconsole and teleport #533).