Remove need to mount ssh keys in the manager container (openshift#192)

* Remove GetKubeConfig from the machine actuator `GetKubeConfig` is only needed in the deployer, therefore we can do away with the code we have in the machine actuator. This helps with issues openshift#174 and openshift#175 * Don't mount sshkeys on the manager's pod We've removed the last use for the sshkeys secret/mount in the manager's POD, which means we can now remove this code and stop mounting these keys. Fixes openshift#175 * Remove KeyPair related functions from the machine service We're not managing keypairs from the actuator anymore. The functions that used to manage keypairs have been removed in this commit.
shiftstack · Apr 22, 2024 · c0e8dbf · c0e8dbf
1 parent 53d4c05
commit c0e8dbf
Show file tree

Hide file tree

Showing 6 changed files with 1 addition and 112 deletions.
diff --git a/cmd/clusterctl/examples/openstack/centos/provider-components.yaml.template b/cmd/clusterctl/examples/openstack/centos/provider-components.yaml.template
@@ -1,13 +1,3 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: machine-controller-sshkeys
-  namespace: openstack-provider-system
-data:
-  user: $MACHINE_CONTROLLER_SSH_USER
-  private: $MACHINE_CONTROLLER_SSH_PRIVATE
-  public: $MACHINE_CONTROLLER_SSH_PUBLIC
 ---
 apiVersion: v1
 kind: Secret

diff --git a/cmd/clusterctl/examples/openstack/generate-yaml.sh b/cmd/clusterctl/examples/openstack/generate-yaml.sh
@@ -212,9 +212,6 @@ OS=$(uname)
 if [[ "$OS" =~ "Linux" ]]; then
   OPENSTACK_CLOUD_CONFIG=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN"|base64 -w0)
   OPENSTACK_CLOUD_PROVIDER_CONF=$(echo "$OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN"|base64 -w0)
-  MACHINE_CONTROLLER_SSH_USER=$(echo -n $MACHINE_CONTROLLER_SSH_PLAIN|base64 -w0)
-  MACHINE_CONTROLLER_SSH_PUBLIC=$(cat "$MACHINE_CONTROLLER_SSH_HOME$MACHINE_CONTROLLER_SSH_PUBLIC_FILE"|base64 -w0)
-  MACHINE_CONTROLLER_SSH_PRIVATE=$(cat "$MACHINE_CONTROLLER_SSH_HOME$MACHINE_CONTROLLER_SSH_PRIVATE_FILE"|base64 -w0)
   MASTER_USER_DATA=$(echo "$MASTER_USER_DATA_PLAIN" \
     | sed -e "s/\$OPENSTACK_CLOUD_PROVIDER_CONF/$OPENSTACK_CLOUD_PROVIDER_CONF/" \
     | base64 -w0)
@@ -224,9 +221,6 @@ if [[ "$OS" =~ "Linux" ]]; then
 elif [[ "$OS" =~ "Darwin" ]]; then
   OPENSTACK_CLOUD_CONFIG=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN"|base64)
   OPENSTACK_CLOUD_PROVIDER_CONF=$(echo "$OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN"|base64)
-  MACHINE_CONTROLLER_SSH_USER=$(printf $MACHINE_CONTROLLER_SSH_PLAIN|base64)
-  MACHINE_CONTROLLER_SSH_PUBLIC=$(cat "$MACHINE_CONTROLLER_SSH_HOME$MACHINE_CONTROLLER_SSH_PUBLIC_FILE"|base64)
-  MACHINE_CONTROLLER_SSH_PRIVATE=$(cat "$MACHINE_CONTROLLER_SSH_HOME$MACHINE_CONTROLLER_SSH_PRIVATE_FILE"|base64)
   MASTER_USER_DATA=$(echo "$MASTER_USER_DATA_PLAIN" \
     | sed -e "s/\$OPENSTACK_CLOUD_PROVIDER_CONF/$OPENSTACK_CLOUD_PROVIDER_CONF/" \
     | base64)

diff --git a/cmd/clusterctl/examples/openstack/ubuntu/provider-components.yaml.template b/cmd/clusterctl/examples/openstack/ubuntu/provider-components.yaml.template
@@ -1,13 +1,3 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: machine-controller-sshkeys
-  namespace: openstack-provider-system
-data:
-  user: $MACHINE_CONTROLLER_SSH_USER
-  private: $MACHINE_CONTROLLER_SSH_PRIVATE
-  public: $MACHINE_CONTROLLER_SSH_PUBLIC
 ---
 apiVersion: v1
 kind: Secret

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -64,8 +64,6 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /etc/kubernetes
-        - name: sshkeys
-          mountPath: /etc/sshkeys
         - name: cloud-config
           mountPath: /etc/openstack
         - name: kubeadm
@@ -89,10 +87,6 @@ spec:
       - name: config
         hostPath:
           path: /etc/kubernetes
-      - name: sshkeys
-        secret:
-          secretName: machine-controller-sshkeys
-          defaultMode: 256
       - name: cloud-config
         secret:
           secretName: cloud-config

diff --git a/pkg/cloud/openstack/clients/machineservice.go b/pkg/cloud/openstack/clients/machineservice.go
@@ -51,19 +51,6 @@ type Instance struct {
 	servers.Server
 }
 
-type SshKeyPair struct {
-	Name string `json:"name"`
-
-	// PublicKey is the public key from this pair, in OpenSSH format.
-	// "ssh-rsa AAAAB3Nz..."
-	PublicKey string `json:"public_key"`
-
-	// PrivateKey is the private key from this pair, in PEM format.
-	// "-----BEGIN RSA PRIVATE KEY-----\nMIICXA..."
-	// It is only present if this KeyPair was just returned from a Create call.
-	PrivateKey string `json:"private_key"`
-}
-
 type InstanceListOpts struct {
 	// Name of the image in URL format.
 	Image string `q:"image"`
@@ -329,27 +316,6 @@ func (is *InstanceService) GetInstance(resourceId string) (instance *Instance, e
 	return serverToInstance(server), err
 }
 
-func (is *InstanceService) CreateKeyPair(name, publicKey string) error {
-	opts := keypairs.CreateOpts{
-		Name:      name,
-		PublicKey: publicKey,
-	}
-	_, err := keypairs.Create(is.computeClient, opts).Extract()
-	return err
-}
-
-func (is *InstanceService) GetKeyPairList() ([]keypairs.KeyPair, error) {
-	page, err := keypairs.List(is.computeClient).AllPages()
-	if err != nil {
-		return nil, err
-	}
-	return keypairs.ExtractKeyPairs(page)
-}
-
-func (is *InstanceService) DeleteKeyPair(name string) error {
-	return keypairs.Delete(is.computeClient, name).ExtractErr()
-}
-
 func serverToInstance(server *servers.Server) *Instance {
 	return &Instance{*server}
 }
diff --git a/pkg/cloud/openstack/machine/actuator.go b/pkg/cloud/openstack/machine/actuator.go
@@ -21,9 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"os"
 	"reflect"
-	"strings"
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,9 +40,7 @@ import (
 )
 
 const (
-	SshPrivateKeyPath = "/etc/sshkeys/private"
-	SshPublicKeyPath  = "/etc/sshkeys/public"
-	CloudConfigPath   = "/etc/cloud/cloud_config.yaml"
+	CloudConfigPath = "/etc/cloud/cloud_config.yaml"
 
 	UserDataKey = "userData"
 
@@ -54,12 +50,6 @@ const (
 	TokenTTL = 60 * time.Minute
 )
 
-type SshCreds struct {
-	user           string
-	privateKeyPath string
-	publicKey      string
-}
-
 type OpenstackClient struct {
 	params openstack.ActuatorParams
 	scheme *runtime.Scheme
@@ -293,41 +283,6 @@ func getIPFromInstance(instance *clients.Instance) (string, error) {
 	return "", fmt.Errorf("extract IP from instance err")
 }
 
-func (oc *OpenstackClient) GetKubeConfig(cluster *clusterv1.Cluster, master *clusterv1.Machine) (string, error) {
-	if _, err := os.Stat(SshPublicKeyPath); err != nil {
-		klog.Infof("Can't get the KubeConfig file as the public ssh key could not be found: %v\n", SshPublicKeyPath)
-		return "", nil
-	}
-
-	if _, err := os.Stat(SshPrivateKeyPath); err != nil {
-		klog.Infof("Can't get the KubeConfig file as the private ssh key could not be found: %v\n", SshPrivateKeyPath)
-		return "", nil
-	}
-
-	ip, err := oc.GetIP(cluster, master)
-	if err != nil {
-		return "", err
-	}
-
-	machineSpec, err := openstackconfigv1.MachineSpecFromProviderSpec(master.Spec.ProviderSpec)
-	if err != nil {
-		return "", err
-	}
-
-	result := strings.TrimSpace(util.ExecCommand(
-		"ssh", "-i", SshPrivateKeyPath,
-		"-o", "StrictHostKeyChecking no",
-		"-o", "UserKnownHostsFile /dev/null",
-		"-o", "BatchMode=yes",
-		fmt.Sprintf("%s@%s", machineSpec.SshUserName, ip),
-		"echo STARTFILE; sudo cat /etc/kubernetes/admin.conf"))
-	parts := strings.Split(result, "STARTFILE")
-	if len(parts) != 2 {
-		return "", nil
-	}
-	return strings.TrimSpace(parts[1]), nil
-}
-
 // If the OpenstackClient has a client for updating Machine objects, this will set
 // the appropriate reason/message on the Machine.Status. If not, such as during
 // cluster installation, it will operate as a no-op. It also returns the