fix(provisioner): close SSH client before reassign, close pipe reader (#659)

ArangoGutierrez · web-flow · commit 6e63f127315f · 2026-02-13T18:52:04.000+01:00
provision() overwrote p.Client with a new SSH connection without closing the old one, leaking TCP sockets and goroutines. Also close the io.Pipe reader after wg.Wait() for completeness. Audit findings #14 (MEDIUM), #29 (LOW). Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
@@ -220,6 +220,12 @@ func (p *Provisioner) resetConnection() error {
 func (p *Provisioner) provision() error {
 	var err error
 
+	// Close existing client before creating new connection
+	if p.Client != nil {
+		_ = p.Client.Close()
+		p.Client = nil
+	}
+
 	// Create a new ssh connection
 	p.Client, err = connectOrDie(p.KeyPath, p.UserName, p.HostUrl)
 	if err != nil {
@@ -263,6 +269,7 @@ func (p *Provisioner) provision() error {
 
 	_ = writer.Close()
 	wg.Wait()
+	_ = reader.Close()
 
 	select {
 	case copyErr := <-copyErrCh:
