feat: implement RFC 16 to allow emergency node access #3557

Draft: wants to merge 20 commits into base: main

@miampf miampf commented Dec 19, 2024

Context

This PR aims to implement RFC 16: Node access.

Proposed change(s)

This PR only implements part of the RFC. Currently, the following is implemented:

  • The openssh-server package was added to the node image
  • OpenSSH was configured to only allow public key authentication and use a CA public key as a user certificate
    • The derivation of this certificate will be handled in another PR.
  • A new terraform variable emergency_ssh was added to allow control over load balancing ports. Currently, this is implemented (and tested) for
    • azure
    • aws
    • gcp
    • openstack

Additional info

  • The implementation of the RFC is a multi-PR process. This PR aims to be the final PR that needs to be merged. Thus, this should not be merged until everything else is implemented (e.g. key derivation, a subcommand for the cli, etc.)
  • Currently, the configuration of the OpenSSH server is not very hardened. Hardening will be done after the workflow for the user is set in stone.

Checklist

  • Run the E2E tests that are relevant to this PR's changes
  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone
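
The description above states that the node's OpenSSH server accepts only public key authentication and trusts a CA public key for user certificates. One way to check an `sshd_config` against that intent, as an added example that is not code from this PR or the project: it assumes the standard OpenSSH keywords `PasswordAuthentication`, `KbdInteractiveAuthentication`, `PubkeyAuthentication` and `TrustedUserCAKeys`, and the sample files and CA path are constructed placeholders.

```python
import re

# OpenSSH defaults for the keywords this audit looks at.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "trustedusercakeys": "none",
}
# Deprecated alias still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)")

def effective_settings(text):
    """Global settings as sshd resolves them: the first value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            break  # conditional blocks are out of scope for this global check
        seen.setdefault(key, m.group(2).strip())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return findings that contradict 'public key / CA certificate only' access."""
    cfg = effective_settings(text)
    findings = []
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if cfg[key].lower() != "no":
            findings.append(f"{key} is not disabled")
    if cfg["trustedusercakeys"].lower() == "none":
        findings.append("no TrustedUserCAKeys file configured")
    return findings

# Constructed samples; /etc/ssh/ssh_ca.pub is a placeholder path.
WEAK = """PasswordAuthentication yes
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/ssh_ca.pub
"""
HARDENED = """PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
TrustedUserCAKeys /etc/ssh/ssh_ca.pub
"""

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "ok")
```

The `WEAK` sample is flagged because sshd keeps the first value it reads for a keyword, so the later `PasswordAuthentication no` has no effect, and keyboard-interactive authentication stays at its default of `yes`.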

@miampf miampf added the dependencies, feature and hold labels Dec 19, 2024
@miampf miampf requested a review from burgerdev December 19, 2024 14:13
netlify bot commented Dec 19, 2024

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 2cb1e71
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/67a4cc2da8645e00083d710f

@miampf miampf force-pushed the miampf/basic-node-access branch from 6dd69c2 to 95f1f94 Compare December 19, 2024 14:14
@miampf miampf force-pushed the miampf/basic-node-access branch from bd15153 to 897662d Compare January 2, 2025 09:58
image/sysroot-tree/etc/ssh/sshd_config (outdated)
terraform/infrastructure/azure/main.tf (outdated)
terraform/infrastructure/azure/variables.tf (outdated)
@miampf miampf force-pushed the miampf/basic-node-access branch 2 times, most recently from 05eef85 to c5acd89 Compare January 7, 2025 10:20
@miampf miampf force-pushed the miampf/basic-node-access branch 7 times, most recently from 607c62e to 7e9315f Compare January 16, 2025 10:41
@miampf miampf force-pushed the miampf/basic-node-access branch 2 times, most recently from b5849db to 37b42ea Compare January 21, 2025 11:20
@daniel-weisse daniel-weisse removed the dependencies label Jan 24, 2025
@miampf miampf force-pushed the miampf/basic-node-access branch 5 times, most recently from fadd6c5 to 643a93f Compare January 30, 2025 12:09
@miampf miampf force-pushed the miampf/basic-node-access branch from b226dee to df4ceab Compare February 5, 2025 12:34
`openssh` package later removed since it is not needed for this feature
to function
changed later to use existing load balancer instead of a custom setup
@miampf miampf force-pushed the miampf/basic-node-access branch from 36d78f1 to bb0e7a1 Compare February 6, 2025 14:24
@miampf miampf force-pushed the miampf/basic-node-access branch from bb0e7a1 to 2cb1e71 Compare February 6, 2025 14:50
github-actions bot commented Feb 6, 2025

Coverage report

Package Old New Trend
cli/internal/cmd 58.10% 58.10% ↔️
