-
Notifications
You must be signed in to change notification settings - Fork 288
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Check machine configs have an SSH key for upgrade (#6542)
This was already an implicit need, due how the capi spec generation is written, but the error produced wasn't clear and it also happen too late in the upgrade workflow. Now we throw an error during preflight validations.
- Loading branch information
Showing
8 changed files
with
276 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
package providers | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/pkg/errors" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/runtime" | ||
|
||
"github.com/aws/eks-anywhere/pkg/api/v1alpha1" | ||
"github.com/aws/eks-anywhere/pkg/cluster" | ||
eksaerrors "github.com/aws/eks-anywhere/pkg/errors" | ||
"github.com/aws/eks-anywhere/pkg/validation" | ||
) | ||
|
||
// ValidateSSHKeyPresentForUpgrade checks that all machine configs in the cluster spec | ||
// contain at least one SSH key. | ||
func ValidateSSHKeyPresentForUpgrade(_ context.Context, spec *cluster.Spec) error { | ||
machines := make([]machineWithUsers, 0) | ||
|
||
// We don't add snow since SnowMachineConfig's don't have []User | ||
|
||
machines = appendMachinesWithUsers(machines, spec.VSphereMachineConfigs) | ||
machines = appendMachinesWithUsers(machines, spec.CloudStackMachineConfigs) | ||
machines = appendMachinesWithUsers(machines, spec.NutanixMachineConfigs) | ||
machines = appendMachinesWithUsers(machines, spec.TinkerbellMachineConfigs) | ||
|
||
if err := validateAtLeastOneSSHKey(machines); err != nil { | ||
return validation.WithRemediation(err, "Please include at least one SSH key per machine config. If your keys were autogenerated during the create cluster operation, make sure you include them in your cluster config for all lifecycle operations") | ||
} | ||
|
||
return nil | ||
} | ||
|
||
type machineWithUsers interface { | ||
metav1.Object | ||
runtime.Object | ||
Users() []v1alpha1.UserConfiguration | ||
} | ||
|
||
func validateAtLeastOneSSHKey(machines []machineWithUsers) error { | ||
var errs []error | ||
|
||
Machines: | ||
for _, m := range machines { | ||
for _, user := range m.Users() { | ||
for _, key := range user.SshAuthorizedKeys { | ||
if key != "" { | ||
continue Machines | ||
} | ||
} | ||
} | ||
|
||
errs = append(errs, | ||
errors.Errorf( | ||
"%s %s is invalid: it should contain at least one SSH key", | ||
m.GetName(), | ||
m.GetObjectKind().GroupVersionKind().Kind, | ||
), | ||
) | ||
} | ||
|
||
return eksaerrors.NewAggregate(errs) | ||
} | ||
|
||
func appendMachinesWithUsers[O machineWithUsers](m []machineWithUsers, addMap map[string]O) []machineWithUsers { | ||
for _, machine := range addMap { | ||
m = append(m, machine) | ||
} | ||
|
||
return m | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,158 @@ | ||
package providers_test | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
"testing" | ||
|
||
. "github.com/onsi/gomega" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
|
||
anywherev1 "github.com/aws/eks-anywhere/pkg/api/v1alpha1" | ||
"github.com/aws/eks-anywhere/pkg/cluster" | ||
"github.com/aws/eks-anywhere/pkg/providers" | ||
) | ||
|
||
func TestValidateSSHKeyPresentForUpgrade(t *testing.T) { | ||
testCases := []struct { | ||
name string | ||
config *cluster.Config | ||
want []string | ||
}{ | ||
{ | ||
name: "all machines have keys", | ||
config: &cluster.Config{ | ||
VSphereMachineConfigs: map[string]*anywherev1.VSphereMachineConfig{ | ||
"machine1": { | ||
Spec: anywherev1.VSphereMachineConfigSpec{ | ||
Users: []anywherev1.UserConfiguration{ | ||
{ | ||
Name: "user1", | ||
}, | ||
{ | ||
Name: "user2", | ||
SshAuthorizedKeys: []string{ | ||
"mykey", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
"machine2": { | ||
Spec: anywherev1.VSphereMachineConfigSpec{ | ||
Users: []anywherev1.UserConfiguration{ | ||
{ | ||
Name: "user1", | ||
SshAuthorizedKeys: []string{""}, | ||
}, | ||
{ | ||
Name: "user2", | ||
SshAuthorizedKeys: []string{ | ||
"mykey", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
name: "all machines are missing keys", | ||
config: &cluster.Config{ | ||
VSphereMachineConfigs: map[string]*anywherev1.VSphereMachineConfig{ | ||
"machine1": { | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "VSphereMachineConfig", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "machine1", | ||
}, | ||
Spec: anywherev1.VSphereMachineConfigSpec{ | ||
Users: []anywherev1.UserConfiguration{ | ||
{ | ||
Name: "user1", | ||
}, | ||
{ | ||
Name: "user2", | ||
SshAuthorizedKeys: []string{""}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
"machine2": { | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "VSphereMachineConfig", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "machine2", | ||
}, | ||
Spec: anywherev1.VSphereMachineConfigSpec{ | ||
Users: []anywherev1.UserConfiguration{ | ||
{ | ||
Name: "user1", | ||
SshAuthorizedKeys: []string{""}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
CloudStackMachineConfigs: map[string]*anywherev1.CloudStackMachineConfig{ | ||
"machine1": { | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "CloudStackMachineConfig", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "machine1", | ||
}, | ||
}, | ||
}, | ||
NutanixMachineConfigs: map[string]*anywherev1.NutanixMachineConfig{ | ||
"machine1": { | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "NutanixMachineConfig", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "machine1", | ||
}, | ||
}, | ||
}, | ||
TinkerbellMachineConfigs: map[string]*anywherev1.TinkerbellMachineConfig{ | ||
"machine1": { | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "TinkerbellMachineConfig", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "machine1", | ||
}, | ||
}, | ||
}, | ||
}, | ||
want: []string{ | ||
"machine1 VSphereMachineConfig is invalid: it should contain at least one SSH key", | ||
"machine2 VSphereMachineConfig is invalid: it should contain at least one SSH key", | ||
"machine1 CloudStackMachineConfig is invalid: it should contain at least one SSH key", | ||
"machine1 NutanixMachineConfig is invalid: it should contain at least one SSH key", | ||
"machine1 TinkerbellMachineConfig is invalid: it should contain at least one SSH key", | ||
}, | ||
}, | ||
} | ||
for _, tc := range testCases { | ||
t.Run(tc.name, func(t *testing.T) { | ||
ctx := context.Background() | ||
g := NewWithT(t) | ||
spec := &cluster.Spec{ | ||
Config: tc.config, | ||
} | ||
|
||
if len(tc.want) == 0 { | ||
g.Expect(providers.ValidateSSHKeyPresentForUpgrade(ctx, spec)).To(Succeed()) | ||
} else { | ||
g.Expect(providers.ValidateSSHKeyPresentForUpgrade(ctx, spec)).To( | ||
MatchError(fmt.Sprintf("[%s]", strings.Join(tc.want, ", "))), | ||
) | ||
} | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters