ec2 provider: Add support for specifying ssh keypair #2390
Signed-off-by: Josetxu <jmp@icij.org>
Huh, I just have been reminded that this driver has no schema so we cannot validate the keys 🤕 I don't understand where the task that generates the SSH key is for this driver (for example, here is the Hetzner one:
Lines 13 to 29 in 6c34d80

```yaml
- name: Create SSH key
  user:
    name: "{{ lookup('env', 'USER') }}"
    generate_ssh_key: true
    ssh_key_file: "{{ ssh_path }}"
    force: true
  register: generated_ssh_key

- name: Register the SSH key name
  set_fact:
    ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"

- name: Register SSH key for test instance(s)
  hcloud_ssh_key:
    name: "{{ ssh_key_name }}"
    public_key: "{{ generated_ssh_key.ssh_public_key }}"
    state: present
```
Hi @decentral1se, the problem is that each job uses a different ssh key path, so they are not aware of the existence of previous keys. With my PR I implement the functionality of a global ssh testing key. This is how I see the race condition. Lines 39 to 42 in 6c34d80
Tests if a keypair exists locally, beware that Line 30 in 6c34d80
So each role will have a different Then if the ssh key doesn't exist in the Lines 44 to 48 in 6c34d80
Then asks AWS to generate a keypair Lines 50 to 53 in 6c34d80
And persists it into the Lines 55 to 60 in 6c34d80
So imagine the first role is being tested, the ssh key is generated by AWS and is now about to launch the instance. That's when the second role starts to be tested. as it's Now the role 1 launches the instance with the AWS Lines 71 to 73 in 6c34d80
But as it's the ssh keypair of the role 2, once it tries to

Cheers
Solid detective work @jmpsf!
LGTM.
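
The interleaving described in the comment above, as a small added model that is not code from this PR, from Molecule or from AWS. `FakeCloud`, `Job`, `run_interleaved` and the key name `ci_shared_key` are hypothetical, and the model assumes that creating a keypair under an existing name replaces the previous one.

```python
"""Constructed model of the shared-keypair race; not Molecule or AWS code."""
from itertools import count
from typing import Dict, Optional, Tuple


class FakeCloud:
    """Stand-in for a provider's keypair registry, keyed by name."""

    def __init__(self) -> None:
        self.keypairs: Dict[str, str] = {}  # key name -> public half
        self._serial = count(1)

    def create_keypair(self, name: str) -> str:
        # Assumption: creating under an existing name replaces the old keypair.
        private = f"priv-{next(self._serial)}"
        self.keypairs[name] = "pub:" + private
        return private


class Job:
    """One CI job testing one role, with its own local key path."""

    def __init__(self, cloud: FakeCloud, key_name: str, private: Optional[str]) -> None:
        self.cloud, self.key_name, self.private = cloud, key_name, private
        self.authorized: Optional[str] = None

    def ensure_key(self) -> None:
        if self.private is None:  # nothing at this job's local path yet
            self.private = self.cloud.create_keypair(self.key_name)

    def launch(self) -> None:
        # The instance trusts whatever is registered under the name at launch.
        self.authorized = self.cloud.keypairs[self.key_name]

    def can_ssh(self) -> bool:
        return self.authorized == f"pub:{self.private}"


def run_interleaved(shared_private: Optional[str] = None) -> Tuple[bool, bool]:
    cloud = FakeCloud()
    name = "molecule_key" if shared_private is None else "ci_shared_key"
    if shared_private is not None:  # keypair registered once, before any job runs
        cloud.keypairs[name] = "pub:" + shared_private
    job1, job2 = (Job(cloud, name, shared_private) for _ in range(2))
    job1.ensure_key()  # role 1 creates the keypair
    job2.ensure_key()  # role 2 finds no local key and creates it again
    job1.launch()      # role 1's instance receives role 2's public key
    job2.launch()
    return job1.can_ssh(), job2.can_ssh()
```

`run_interleaved()` models two jobs that each generate `molecule_key`; passing one pre-registered private key to both models the behaviour this PR adds.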
Right now each time a molecule job is run with the ec2 provider, a new ssh key is created into AWS with the name `molecule_key`. This means that if several CI jobs are run at the same time, they will have a racing condition, and one of them is going to fail because it can't connect to the created instance.

So in this PR, I add the opportunity to use a specific ssh private key, instead of generating one each job.

As there can be multiple platforms I've decided to set up the configuration in the `molecule.yml` under the `driver` section.

Changes are backward compatible and shouldn't affect current users.
PR Type