AzureMachinePool/AzureManagedControlPlane: generate ssh key when is not set

Author: cpanato

exp/api/v1alpha3/azuremachinepool_default.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+)
+
+// SetDefaultSSHPublicKey sets the default SSHPublicKey for an AzureMachinePool
+func (amp *AzureMachinePool) SetDefaultSSHPublicKey() error {
+	sshKeyData := amp.Spec.Template.SSHPublicKey
+	if sshKeyData == "" {
+		privateKey, perr := rsa.GenerateKey(rand.Reader, 2048)
+		if perr != nil {
+			return errors.Wrap(perr, "Failed to generate private key")
+		}
+
+		publicRsaKey, perr := ssh.NewPublicKey(&privateKey.PublicKey)
+		if perr != nil {
+			return errors.Wrap(perr, "Failed to generate public key")
+		}
+		amp.Spec.Template.SSHPublicKey = base64.StdEncoding.EncodeToString(ssh.MarshalAuthorizedKey(publicRsaKey))
+	}
+
+	return nil
+}

exp/api/v1alpha3/azuremachinepool_default_test.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestAzureMachinePool_SetDefaultSSHPublicKey(t *testing.T) {
+	g := NewWithT(t)
+
+	type test struct {
+		amp *AzureMachinePool
+	}
+
+	existingPublicKey := "testpublickey"
+	publicKeyExistTest := test{amp: createMachinePoolWithSSHPublicKey(t, existingPublicKey)}
+	publicKeyNotExistTest := test{amp: createMachinePoolWithSSHPublicKey(t, "")}
+
+	err := publicKeyExistTest.amp.SetDefaultSSHPublicKey()
+	g.Expect(err).To(BeNil())
+	g.Expect(publicKeyExistTest.amp.Spec.Template.SSHPublicKey).To(Equal(existingPublicKey))
+
+	err = publicKeyNotExistTest.amp.SetDefaultSSHPublicKey()
+	g.Expect(err).To(BeNil())
+	g.Expect(publicKeyNotExistTest.amp.Spec.Template.SSHPublicKey).NotTo(BeEmpty())
+}
+
+func createMachinePoolWithSSHPublicKey(t *testing.T, sshPublicKey string) *AzureMachinePool {
+	return hardcodedAzureMachinePoolWithSSHKey(sshPublicKey)
+}
+
+func hardcodedAzureMachinePoolWithSSHKey(sshPublicKey string) *AzureMachinePool {
+	return &AzureMachinePool{
+		Spec: AzureMachinePoolSpec{
+			Template: AzureMachineTemplate{
+				SSHPublicKey: sshPublicKey,
+			},
+		},
+	}
+}

exp/api/v1alpha3/azuremachinepool_webhook.go

@@ -45,6 +45,11 @@ var _ webhook.Defaulter = &AzureMachinePool{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (amp *AzureMachinePool) Default() {
 	azuremachinepoollog.Info("default", "name", amp.Name)
+
+	err := amp.SetDefaultSSHPublicKey()
+	if err != nil {
+		azuremachinepoollog.Error(err, "SetDefaultSshPublicKey failed")
+	}
 }
 
 // +kubebuilder:webhook:verbs=create;update,path=/validate-exp-cluster-x-k8s-io-x-k8s-io-v1alpha3-azuremachinepool,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=exp.cluster.x-k8s.io.x-k8s.io,resources=azuremachinepools,versions=v1alpha3,name=vazuremachinepool.kb.io,sideEffects=None
@@ -74,6 +79,7 @@ func (amp *AzureMachinePool) Validate() error {
 	validators := []func() error{
 		amp.ValidateImage,
 		amp.ValidateTerminateNotificationTimeout,
+		amp.ValidateSSHKey,
 	}
 
 	var errs []error
@@ -100,6 +106,7 @@ func (amp *AzureMachinePool) ValidateImage() error {
 			return agg
 		}
 	}
+
 	return nil
 }
 
@@ -118,3 +125,17 @@ func (amp *AzureMachinePool) ValidateTerminateNotificationTimeout() error {
 
 	return nil
 }
+
+// ValidateSSHKey validates an SSHKey
+func (amp *AzureMachinePool) ValidateSSHKey() error {
+	if amp.Spec.Template.SSHPublicKey != "" {
+		sshKey := amp.Spec.Template.SSHPublicKey
+		if errs := infrav1.ValidateSSHKey(sshKey, field.NewPath("sshKey")); len(errs) > 0 {
+			agg := kerrors.NewAggregate(errs.ToAggregate().Errors())
+			azuremachinepoollog.Info("Invalid sshKey: %s", agg.Error())
+			return agg
+		}
+	}
+
+	return nil
+}

exp/api/v1alpha3/azuremachinepool_webhook_test.go

@@ -0,0 +1,220 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"testing"
+
+	"github.com/Azure/go-autorest/autorest/to"
+	. "github.com/onsi/gomega"
+	"golang.org/x/crypto/ssh"
+
+	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha3"
+)
+
+var (
+	validSSHPublicKey = generateSSHPublicKey(true)
+)
+
+func TestAzureMachinePool_ValidateCreate(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name    string
+		amp     *AzureMachinePool
+		wantErr bool
+	}{
+		{
+			name:    "azuremachinepool with marketplace image - full",
+			amp:     createMachinePoolWithtMarketPlaceImage(t, "PUB1234", "OFFER1234", "SKU1234", "1.0.0", to.IntPtr(10)),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachinepool with marketplace image - missing publisher",
+			amp:     createMachinePoolWithtMarketPlaceImage(t, "", "OFFER1234", "SKU1234", "1.0.0", to.IntPtr(10)),
+			wantErr: true,
+		},
+		{
+			name:    "azuremachinepool with shared gallery image - full",
+			amp:     createMachinePoolWithSharedImage(t, "SUB123", "RG123", "NAME123", "GALLERY1", "1.0.0", to.IntPtr(10)),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachinepool with marketplace image - missing subscription",
+			amp:     createMachinePoolWithSharedImage(t, "", "RG123", "NAME123", "GALLERY1", "1.0.0", to.IntPtr(10)),
+			wantErr: true,
+		},
+		{
+			name:    "azuremachinepool with image by - with id",
+			amp:     createMachinePoolWithImageByID(t, "ID123", to.IntPtr(10)),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachinepool with image by - without id",
+			amp:     createMachinePoolWithImageByID(t, "", to.IntPtr(10)),
+			wantErr: true,
+		},
+		{
+			name:    "azuremachinepool with valid SSHPublicKey",
+			amp:     createMachinePoolWithSSHPublicKey(t, validSSHPublicKey),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachinepool with invalid SSHPublicKey",
+			amp:     createMachinePoolWithSSHPublicKey(t, "invalid ssh key"),
+			wantErr: true,
+		},
+		{
+			name:    "azuremachinepool with wrong terminate notification",
+			amp:     createMachinePoolWithSharedImage(t, "SUB123", "RG123", "NAME123", "GALLERY1", "1.0.0", to.IntPtr(35)),
+			wantErr: true,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.amp.ValidateCreate()
+			if tc.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+		})
+	}
+}
+
+func TestAzureMachinePool_ValidateUpdate(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name    string
+		oldAMP  *AzureMachinePool
+		amp     *AzureMachinePool
+		wantErr bool
+	}{
+		{
+			name:    "azuremachine with valid SSHPublicKey",
+			oldAMP:  createMachinePoolWithSSHPublicKey(t, ""),
+			amp:     createMachinePoolWithSSHPublicKey(t, validSSHPublicKey),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachine with invalid SSHPublicKey",
+			oldAMP:  createMachinePoolWithSSHPublicKey(t, ""),
+			amp:     createMachinePoolWithSSHPublicKey(t, "invalid ssh key"),
+			wantErr: true,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.amp.ValidateUpdate(tc.oldAMP)
+			if tc.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+		})
+	}
+}
+
+func TestAzureMachine_Default(t *testing.T) {
+	g := NewWithT(t)
+
+	type test struct {
+		amp *AzureMachinePool
+	}
+
+	existingPublicKey := validSSHPublicKey
+	publicKeyExistTest := test{amp: createMachinePoolWithSSHPublicKey(t, existingPublicKey)}
+	publicKeyNotExistTest := test{amp: createMachinePoolWithSSHPublicKey(t, "")}
+
+	publicKeyExistTest.amp.Default()
+	g.Expect(publicKeyExistTest.amp.Spec.Template.SSHPublicKey).To(Equal(existingPublicKey))
+
+	publicKeyNotExistTest.amp.Default()
+	g.Expect(publicKeyNotExistTest.amp.Spec.Template.SSHPublicKey).NotTo((BeEmpty()))
+}
+
+func createMachinePoolWithtMarketPlaceImage(t *testing.T, publisher, offer, sku, version string, terminateNotificationTimeout *int) *AzureMachinePool {
+	image := &infrav1.Image{
+		Marketplace: &infrav1.AzureMarketplaceImage{
+			Publisher: publisher,
+			Offer:     offer,
+			SKU:       sku,
+			Version:   version,
+		},
+	}
+
+	return &AzureMachinePool{
+		Spec: AzureMachinePoolSpec{
+			Template: AzureMachineTemplate{
+				Image:                        image,
+				SSHPublicKey:                 validSSHPublicKey,
+				TerminateNotificationTimeout: terminateNotificationTimeout,
+			},
+		},
+	}
+}
+
+func createMachinePoolWithSharedImage(t *testing.T, subscriptionID, resourceGroup, name, gallery, version string, terminateNotificationTimeout *int) *AzureMachinePool {
+	image := &infrav1.Image{
+		SharedGallery: &infrav1.AzureSharedGalleryImage{
+			SubscriptionID: subscriptionID,
+			ResourceGroup:  resourceGroup,
+			Name:           name,
+			Gallery:        gallery,
+			Version:        version,
+		},
+	}
+
+	return &AzureMachinePool{
+		Spec: AzureMachinePoolSpec{
+			Template: AzureMachineTemplate{
+				Image:                        image,
+				SSHPublicKey:                 validSSHPublicKey,
+				TerminateNotificationTimeout: terminateNotificationTimeout,
+			},
+		},
+	}
+}
+
+func createMachinePoolWithImageByID(t *testing.T, imageID string, terminateNotificationTimeout *int) *AzureMachinePool {
+	image := &infrav1.Image{
+		ID: &imageID,
+	}
+
+	return &AzureMachinePool{
+		Spec: AzureMachinePoolSpec{
+			Template: AzureMachineTemplate{
+				Image:                        image,
+				SSHPublicKey:                 validSSHPublicKey,
+				TerminateNotificationTimeout: terminateNotificationTimeout,
+			},
+		},
+	}
+}
+
+func generateSSHPublicKey(b64Enconded bool) string {
+	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
+	publicRsaKey, _ := ssh.NewPublicKey(&privateKey.PublicKey)
+	if b64Enconded {
+		return base64.StdEncoding.EncodeToString(ssh.MarshalAuthorizedKey(publicRsaKey))
+	}
+	return string(ssh.MarshalAuthorizedKey(publicRsaKey))
+}