Automatically set ssh_public_key and ssh_private_key from local id_ed25519 keypair #1331
Conversation
There was a problem hiding this comment.
@jaumebarber Appreciate this, it's an interesting idea. However, I'm not sure if it's best practice. @kube-hetzner/core What's your thought on this folks?
mysticaltech
requested review from
Silvest89,
M4t7e,
aleksasiriski and
valkenburg-prevue-ch
| # ssh_agent_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use. | ||
| # For terraforms provisioner.connection.agent_identity, we need the public key as a string. | ||
| ssh_agent_identity = var.ssh_private_key == null ? var.ssh_public_key : null | ||
| ssh_agent_identity = var.ssh_private_key == null ? local.ssh_private_key : var.ssh_public_key != null ? var.ssh_public_key : null |
There was a problem hiding this comment.
@jaumebarber No private keys should be passed here under any circumstance. It's either null or the public key.
|
I think this should, if at all, be "opt in". I would not want terraform to start reading everyone's Could it be that this desire comes from wanting to have a solution where you do not have to pass the explicit key to use for each ssh command? If so, please have a look at |
|
No @valkenburg-prevue-ch, it's actually not about not having to specify an ssh key when logging into cluster servers, it's more of an example on how to not having to set any keys by default if you do not want to, (because it's a bit unconfy to set them as default within the variable, but then being careful about them before commiting, so you don't push them by mistake and so on and so forth, instead, they just come from your local, and you never pass them literally to your repo, wouldn't that be a bit more secure?) but still you can do it within var.ssh_public_key and var.ssh_private_key, because it overrides. I hear what you say about id_ed25519 being your unique identity online more than just a key, but my intention was only to think of it as an example, actually you can just erase your id_ed25519 and just generate a new id_ed25519 if you wish, or just change id_255519 in the repo by whichever cluster specific key you wanna have there for it to take and use in the cluster. You are right, I hadn't thought about the plain text thing in the state and so on, and I might be a little ignorant on this matter, actually I've checked the state and you're right, it's there, but I'm thinking, is it not there right now anyways no matter how you pass it? I think I'm basically doing the same the repo does. Sorry long text, I hope I have explained myself well enough and I very much look forward for your insights ;) |
jaumebarber
force-pushed
the
auto-set-ssh-keypair
branch
from
5a03e40 to
bdac35d
Compare
Automatically set ssh_public_key and ssh_private_key from local id_ed25519 keypair
Provided that the user has previously generated ssh id_ed25519 keys within
ssh-keygen -t ed25519, these will automatically be added to the cluster so that it is accessible right away from the local machine.