Merge pull request #607 from hidekazuna/ssh_key_name

✨ Use OpenStack key pair instead of KubeadmConfig spec

Author: k8s-ci-robot

Makefile

@@ -298,10 +298,10 @@ OPENSTACK_CLOUD_PROVIDER_CONF_B64 ?= ""
 OPENSTACK_CLOUD_YAML_B64 ?= ""
 OPENSTACK_DNS_NAMESERVERS ?= ""
 OPENSTACK_IMAGE_NAME ?= "ubuntu-1910-kube-v1.17.3"
-OPENSTACK_SSH_AUTHORIZED_KEY ?= ""
 OPENSTACK_NODE_MACHINE_FLAVOR ?= "m1.small"
 OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR ?= "m1.medium"
 CLUSTER_NAME ?= "capi-quickstart"
+OPENSTACK_SSH_KEY_NAME ?= "${CLUSTER_NAME}-key"
 OPENSTACK_CLUSTER_TEMPLATE ?= "./templates/cluster-template-without-lb.yaml"
 KUBERNETES_VERSION ?= "v1.17.3"
 CONTROL_PLANE_MACHINE_COUNT ?= "1"
@@ -368,7 +368,7 @@ create-cluster: $(CLUSTERCTL) $(KUSTOMIZE) $(ENVSUBST) ## Create a development K
 	OPENSTACK_CLOUD_YAML_B64=$(OPENSTACK_CLOUD_YAML_B64) \
 	OPENSTACK_DNS_NAMESERVERS=$(OPENSTACK_DNS_NAMESERVERS) \
 	OPENSTACK_IMAGE_NAME=$(OPENSTACK_IMAGE_NAME) \
-	OPENSTACK_SSH_AUTHORIZED_KEY="$(OPENSTACK_SSH_AUTHORIZED_KEY)" \
+	OPENSTACK_SSH_KEY_NAME=$(OPENSTACK_SSH_KEY_NAME) \
 	OPENSTACK_NODE_MACHINE_FLAVOR=$(OPENSTACK_NODE_MACHINE_FLAVOR) \
 	OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR=$(OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR) \
 	  $(CLUSTERCTL) config cluster $(CLUSTER_NAME) \

docs/configuration.md

@@ -4,7 +4,7 @@
 
 - [Required configuration](#required-configuration)
   - [Operating system image](#operating-system-image)
-  - [SSH authorized key](#ssh-authorized-key)
+  - [SSH key pair](#ssh-key-pair)
   - [OpenStack credential](#openstack-credential)
   - [Availability zone](#availability-zone)
   - [DNS server](#dns-server)
@@ -35,11 +35,15 @@ We currently depend on an up-to-date version of cloud-init otherwise the operati
 
 The image can be referenced by exposing it as an environment variable `OPENSTACK_IMAGE_NAME`.
 
-## SSH authorized key
+## SSH key pair
 
-The ssh public key is required. This key does not need to be created by OpenStack key pair.
+The SSH key pair is required. You can create one using,
 
-The public key must be exposed as an environment variable `OPENSTACK_SSH_AUTHORIZED_KEY`.
+```bash
+openstack keypair create [--public-key <file> | --private-key <file>] <name>
+```
+
+The key pair name must be exposed as an environment variable `OPENSTACK_SSH_KEY_NAME`.
 
 If you want to login to each machine by ssh, you have to configure security groups. If `spec.managedSecurityGroups` of `OpenStackCluster` set to true, two security groups will be created and added to the instances. One is `k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-controlplane`, another is `k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-worker`. These security group rules include the kubeadm's [Check required ports](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#check-required-ports) so that each node can not be logged in through ssh by default. Please add pre-existing security group allowing ssh port to OpenStackMachineTemplate spec. Here is an example:
 

hack/ci/e2e-conformance.sh

@@ -19,14 +19,13 @@
 set -o errexit -o nounset -o pipefail
 
 OPENSTACK_CLOUD_YAML_FILE=${OPENSTACK_CLOUD_YAML_FILE:-"/tmp/clouds.yaml"}
-OPENSTACK_SSH_AUTHORIZED_KEY_PATH=${OPENSTACK_SSH_AUTHORIZED_KEY_PATH:-"/tmp/id_rsa.pub"}
-OPENSTACK_SSH_PRIVATE_KEY_PATH=${OPENSTACK_SSH_PRIVATE_KEY_PATH:-"/tmp/id_rsa"}
 OPENSTACK_IMAGE_NAME="ubuntu-1910-kube-v1.17.3"
 OPENSTACK_DNS_NAMESERVERS=${OPENSTACK_DNS_NAMESERVERS:-"192.168.200.1"}
 OPENSTACK_NODE_MACHINE_FLAVOR=${OPENSTACK_NODE_MACHINE_FLAVOR:-"m1.small"}
 OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR=${OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR:-"m1.medium"}
 OPENSTACK_CLUSTER_TEMPLATE=${OPENSTACK_CLUSTER_TEMPLATE:-"./templates/cluster-template-without-lb.yaml"}
 CLUSTER_NAME=${CLUSTER_NAME:-"capi-quickstart"}
+OPENSTACK_SSH_KEY_NAME=${OPENSTACK_SSH_KEY_NAME:-"${CLUSTER_NAME}-key"}
 KUBERNETES_VERSION=${KUBERNETES_VERSION:-"v1.18.6"}
 TIMESTAMP=$(date +"%Y-%m-%dT%H:%M:%SZ")
 
@@ -119,13 +118,14 @@ dump_capo_logs() {
 
     openstack console log show "${node}" > "${dir}/console.log" || true
 
-    PROXY_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -x -W %h:22 -i ${OPENSTACK_SSH_PRIVATE_KEY_PATH} capo@${jump_node}"
+    ssh_key_pem="/tmp/${OPENSTACK_SSH_KEY_NAME}.pem"
+    PROXY_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -x -W %h:22 -i ${ssh_key_pem} ubuntu@${jump_node}"
     node=$(openstack port show ${node}  -f json -c fixed_ips | jq '.fixed_ips[0].ip_address' -r)
 
     ssh-to-node "${node}" "${jump_node}" "sudo chmod -R a+r /var/log" || true
-    scp -r -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -o ProxyCommand="${PROXY_COMMAND}" -i ${OPENSTACK_SSH_PRIVATE_KEY_PATH} \
-      "capo@${node}:/var/log/cloud-init.log" "capo@${node}:/var/log/cloud-init-output.log" \
-      "capo@${node}:/var/log/pods" "capo@${node}:/var/log/containers" \
+    scp -r -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -o ProxyCommand="${PROXY_COMMAND}" -i ${ssh_key_pem} \
+      "ubuntu@${node}:/var/log/cloud-init.log" "ubuntu@${node}:/var/log/cloud-init-output.log" \
+      "ubuntu@${node}:/var/log/pods" "ubuntu@${node}:/var/log/containers" \
       "${dir}" || true
 
     ssh-to-node "${node}" "${jump_node}" "sudo journalctl --output=short-precise -k" > "${dir}/kern.log" || true
@@ -152,11 +152,21 @@ function ssh-to-node() {
   local jump="$2"
   local cmd="$3"
 
+  ssh_key_pem="/tmp/${OPENSTACK_SSH_KEY_NAME}.pem"
   ssh_params="-o LogLevel=quiet -o ConnectTimeout=30 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
-  scp $ssh_params -i "${OPENSTACK_SSH_PRIVATE_KEY_PATH}" "${OPENSTACK_SSH_PRIVATE_KEY_PATH}" "capo@${jump}:${OPENSTACK_SSH_PRIVATE_KEY_PATH}"
-  ssh $ssh_params -i "${OPENSTACK_SSH_PRIVATE_KEY_PATH}" \
-    -o "ProxyCommand ssh $ssh_params -W %h:%p -i ${OPENSTACK_SSH_PRIVATE_KEY_PATH} capo@${jump}" \
-    capo@"${node}" "${cmd}"
+  scp $ssh_params -i $ssh_key_pem $ssh_key_pem "ubuntu@${jump}:$ssh_key_pem"
+  ssh $ssh_params -i $ssh_key_pem \
+    -o "ProxyCommand ssh $ssh_params -W %h:%p -i $ssh_key_pem ubuntu@${jump}" \
+    ubuntu@"${node}" "${cmd}"
+}
+
+create_key_pair() {
+  echo "Create key pair"
+
+  ssh-keygen -t rsa -f "/tmp/${OPENSTACK_SSH_KEY_NAME}.pem"  -N ""
+  chmod 0400 "/tmp/${OPENSTACK_SSH_KEY_NAME}.pem"
+
+  openstack keypair create --public-key "/tmp/${OPENSTACK_SSH_KEY_NAME}.pem.pub" ${OPENSTACK_SSH_KEY_NAME}
 }
 
 upload_image() {
@@ -248,20 +258,14 @@ create_cluster() {
   # actually create the cluster
   KIND_IS_UP=true
 
-  if [[ ! -f ${OPENSTACK_SSH_AUTHORIZED_KEY_PATH} ]]
-  then
-    ssh-keygen -t rsa -f ${OPENSTACK_SSH_PRIVATE_KEY_PATH}  -N ""
-    chmod 0400 ${OPENSTACK_SSH_AUTHORIZED_KEY_PATH}
-  fi
-
   # exports the b64 env vars used below
   source ${REPO_ROOT}/templates/env.rc ${OPENSTACK_CLOUD_YAML_FILE} ${CLUSTER_NAME}
 
   OPENSTACK_CLOUD_CACERT_B64=${OPENSTACK_CLOUD_CACERT_B64} \
   OPENSTACK_CLOUD_PROVIDER_CONF_B64=${OPENSTACK_CLOUD_PROVIDER_CONF_B64} \
   OPENSTACK_CLOUD_YAML_B64=${OPENSTACK_CLOUD_YAML_B64} \
   OPENSTACK_IMAGE_NAME=${OPENSTACK_IMAGE_NAME} \
-  OPENSTACK_SSH_AUTHORIZED_KEY="$(cat ${OPENSTACK_SSH_AUTHORIZED_KEY_PATH})" \
+  OPENSTACK_SSH_KEY_NAME=${OPENSTACK_SSH_KEY_NAME} \
   OPENSTACK_DNS_NAMESERVERS=${OPENSTACK_DNS_NAMESERVERS} \
   OPENSTACK_CLUSTER_TEMPLATE=${OPENSTACK_CLUSTER_TEMPLATE} \
   KUBERNETES_VERSION=${KUBERNETES_VERSION} \
@@ -397,6 +401,7 @@ main() {
   fi
 
   build
+  create_key_pair
   create_cluster
 
   if [[ -z "${SKIP_RUN_TESTS:-}" ]]; then

hack/ci/e2e-conformance/kustomization.yaml

@@ -4,23 +4,3 @@ resources:
 - cluster.yaml
 patchesStrategicMerge:
 - e2e-conformance_patch.yaml
-patchesJSON6902:
-# sets the password of the capo user to capo
-- target:
-      group: bootstrap.cluster.x-k8s.io
-      version: v1alpha3
-      kind: KubeadmConfigTemplate
-      name: capi-quickstart-md-0
-  patch: |-
-      - op: replace
-        path: /spec/template/spec/users/0/passwd
-        value: '$1$SaltSalt$JQx8irEe3sMOl/Lu8y7oZ1'
-- target:
-      group: controlplane.cluster.x-k8s.io
-      version: v1alpha3
-      kind: KubeadmControlPlane
-      name: capi-quickstart-control-plane
-  patch: |-
-      - op: replace
-        path: /spec/kubeadmConfigSpec/users/0/passwd
-        value: '$1$SaltSalt$JQx8irEe3sMOl/Lu8y7oZ1'

templates/cluster-template-external-cloud-provider.yaml

@@ -68,13 +68,6 @@ spec:
         name: '{{ local_hostname }}'
         kubeletExtraArgs:
           cloud-provider: external
-    ntp:
-      servers: []
-    users:
-    - name: capo
-      sudo: "ALL=(ALL) NOPASSWD:ALL"
-      sshAuthorizedKeys:
-      - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
   version: "${KUBERNETES_VERSION}"
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
@@ -86,6 +79,7 @@ spec:
     spec:
       flavor: ${OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
       cloudName: ${OPENSTACK_CLOUD}
       cloudsSecret:
         name: ${CLUSTER_NAME}-cloud-config
@@ -128,6 +122,7 @@ spec:
         namespace: ${NAMESPACE}
       flavor: ${OPENSTACK_NODE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
 kind: KubeadmConfigTemplate
@@ -141,13 +136,6 @@ spec:
           name: '{{ local_hostname }}'
           kubeletExtraArgs:
             cloud-provider: external
-      ntp:
-        servers: []
-      users:
-      - name: capo
-        sudo: "ALL=(ALL) NOPASSWD:ALL"
-        sshAuthorizedKeys:
-        - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
 ---
 apiVersion: v1
 kind: Secret

templates/cluster-template-without-lb.yaml

@@ -93,11 +93,6 @@ spec:
       encoding: base64
     ntp:
       servers: []
-    users:
-    - name: capo
-      sudo: "ALL=(ALL) NOPASSWD:ALL"
-      sshAuthorizedKeys:
-      - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
   version: "${KUBERNETES_VERSION}"
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
@@ -109,6 +104,7 @@ spec:
     spec:
       flavor: ${OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
       cloudName: ${OPENSTACK_CLOUD}
       cloudsSecret:
         name: ${CLUSTER_NAME}-cloud-config
@@ -151,6 +147,7 @@ spec:
         namespace: ${NAMESPACE}
       flavor: ${OPENSTACK_NODE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
 kind: KubeadmConfigTemplate
@@ -176,13 +173,6 @@ spec:
           kubeletExtraArgs:
             cloud-config: /etc/kubernetes/cloud.conf
             cloud-provider: openstack
-      ntp:
-        servers: []
-      users:
-      - name: capo
-        sudo: "ALL=(ALL) NOPASSWD:ALL"
-        sshAuthorizedKeys:
-        - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
 ---
 apiVersion: v1
 kind: Secret

templates/cluster-template.yaml

@@ -93,13 +93,6 @@ spec:
       permissions: "0600"
       content: ${OPENSTACK_CLOUD_CACERT_B64}
       encoding: base64
-    ntp:
-      servers: []
-    users:
-    - name: capo
-      sudo: "ALL=(ALL) NOPASSWD:ALL"
-      sshAuthorizedKeys:
-      - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
   version: "${KUBERNETES_VERSION}"
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
@@ -111,6 +104,7 @@ spec:
     spec:
       flavor: ${OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
       cloudName: ${OPENSTACK_CLOUD}
       cloudsSecret:
         name: ${CLUSTER_NAME}-cloud-config
@@ -153,6 +147,7 @@ spec:
         namespace: ${NAMESPACE}
       flavor: ${OPENSTACK_NODE_MACHINE_FLAVOR}
       image: ${OPENSTACK_IMAGE_NAME}
+      sshKeyName: ${OPENSTACK_SSH_KEY_NAME}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
 kind: KubeadmConfigTemplate
@@ -178,13 +173,6 @@ spec:
           kubeletExtraArgs:
             cloud-config: /etc/kubernetes/cloud.conf
             cloud-provider: openstack
-      ntp:
-        servers: []
-      users:
-      - name: capo
-        sudo: "ALL=(ALL) NOPASSWD:ALL"
-        sshAuthorizedKeys:
-        - "${OPENSTACK_SSH_AUTHORIZED_KEY}"
 ---
 apiVersion: v1
 kind: Secret