Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implement RFC 16 to allow emergency node access #3557

Draft
wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

feat: implement RFC 16 to allow emergency node access #3557

wants to merge 13 commits into from

Conversation

miampf
Copy link
Contributor

@miampf miampf commented Dec 19, 2024
edited
Loading

Context

This PR aims to implement RFC 16: Node access.

Proposed change(s)

This PR only implements part of the RFC. Currently, the following is implemented:

  • The openssh-server package was added to the node image
  • OpenSSH was configured to only allow public key authentication and use a CA public key as a user certificate
    • The derivation of this certificate will be handled in another PR.
  • A new terraform variable emergency_ssh was added to allow control over load balancing ports. Currently, this is implemented (and tested) for
    • azure
    • aws
    • gcp
    • openstack

Additional info

  • The implementation of the RFC is a multi-PR process. This PR aims to be the final PR that needs to be merged. Thus, this should not be merged until everything else is implemented (e.g. key derivation, a subcommand for the cli, etc.)
  • Currently, the configuration of the OpenSSH server is not very hardened. Hardening will be done after the workflow for the user is set in stone.

Checklist

  • Run the E2E tests that are relevant to this PR's changes
  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone

@miampf miampf added dependencies Pull requests that update a dependency file feature This introduces new functionality hold This cannot be merged right now labels Dec 19, 2024
@miampf miampf requested a review from burgerdev December 19, 2024 14:13
@netlify Netlify
Copy link

netlify bot commented Dec 19, 2024
edited
Loading

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 05eef85
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/6776966f0a013b00085cbb32

@miampf miampf force-pushed the miampf/basic-node-access branch from 6dd69c2 to 95f1f94 Compare December 19, 2024 14:14
@miampf miampf force-pushed the miampf/basic-node-access branch from bd15153 to 897662d Compare January 2, 2025 09:58
burgerdev
burgerdev reviewed Jan 2, 2025
View reviewed changes
image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service Outdated Show resolved Hide resolved
image/sysroot-tree/etc/ssh/sshd_config Outdated Show resolved Hide resolved
terraform/infrastructure/azure/main.tf Outdated Show resolved Hide resolved
terraform/infrastructure/azure/variables.tf Outdated Show resolved Hide resolved
@miampf miampf force-pushed the miampf/basic-node-access branch from f6e2b4a to 28da57c Compare January 2, 2025 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@burgerdev burgerdev burgerdev left review comments

@msanft msanft Awaiting requested review from msanft msanft will be requested when the pull request is marked ready for review msanft is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file feature This introduces new functionality hold This cannot be merged right now
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@miampf @burgerdev