Use SSH certificates for connection to tail logs (#184)

rbishop · sfc-gh-rbishop · will · web-flow · commit c0171a0c7661 · 2025-10-29T19:54:00.000Z
SSH certificates have the benefit of having time range validity builtin.

Testing:
- Verified cb logs and cb scopes work

Co-authored-by: Richard Bishop &lt;richard.bishop@snowflake.com&gt;
Co-authored-by: Will Leinweber &lt;will@users.noreply.github.com&gt;
diff --git a/src/cb/logs.cr b/src/cb/logs.cr
@@ -20,7 +20,12 @@ module CB
 
       socket = TCPSocket.new(tk.host, 22, connect_timeout: 1)
       ssh = SSH2::Session.new(socket)
-      ssh.login_with_data("cormorant", tk.private_key, tk.public_key)
+
+      if tk.certificate.presence
+        ssh.login_with_data("cormorant", tk.private_key, tk.certificate.to_s)
+      else
+        ssh.login_with_data("cormorant", tk.private_key, tk.public_key)
+      end
 
       ch = ssh.open_session
       ch.shell
diff --git a/src/cb/tempkey.cr b/src/cb/tempkey.cr
@@ -1,5 +1,5 @@
 module CB
-  record Tempkey, host : String, private_key : String, public_key : String, cluster_id : String, team_id : String, expires_at : Time do
+  record Tempkey, host : String, private_key : String, public_key : String, certificate : String?, cluster_id : String, team_id : String, expires_at : Time do
     Cacheable.include key: cluster_id
 
     def self.for_cluster(cluster_id : Identifier, client) : Tempkey
