Implement SSH key rotation. (#155)

* Implement SSH key rotation.

* No need for timeout context.

* Disable cache for secrets.

* Directly write from spec to fs.

* Update shoot access regularly.

* Pin.

controllers/firewall_controller.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 	"reflect"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -22,6 +24,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	firewallv2 "github.com/metal-stack/firewall-controller-manager/api/v2"
+	"github.com/metal-stack/firewall-controller-manager/api/v2/helper"
 	firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
 	"github.com/metal-stack/firewall-controller/pkg/network"
 	"github.com/metal-stack/firewall-controller/pkg/nftables"
@@ -37,7 +40,8 @@ type FirewallReconciler struct {
 	Log      logr.Logger
 	Scheme   *runtime.Scheme
 
-	Updater *updater.Updater
+	Updater      *updater.Updater
+	TokenUpdater *helper.ShootAccessTokenUpdater
 
 	FirewallName string
 	Namespace    string
@@ -101,6 +105,9 @@ func (r *FirewallReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			return ctrl.Result{}, err
 		}
 	}
+	if r.TokenUpdater != nil && f.Status.ShootAccess != nil {
+		r.TokenUpdater.UpdateShootAccess(f.Status.ShootAccess)
+	}
 
 	r.Log.Info("reconciling network settings")
 
@@ -120,6 +127,11 @@ func (r *FirewallReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		errs = append(errs, err)
 	}
 
+	r.Log.Info("reconciling ssh keys")
+	if err := r.reconcileSSHKeys(f); err != nil {
+		errs = append(errs, err)
+	}
+
 	if len(errs) > 0 {
 		r.recordFirewallEvent(f, corev1.EventTypeWarning, "Error", errors.Join(errs...).Error())
 		return ctrl.Result{}, errors.Join(errs...)
@@ -274,3 +286,18 @@ func (r *FirewallReconciler) reconcileFirewallService(ctx context.Context, s fir
 
 	return nil
 }
+
+func (r *FirewallReconciler) reconcileSSHKeys(fw *firewallv2.Firewall) error {
+	const (
+		authorizedKeysPath = "/home/metal/.ssh/authorized_keys"
+	)
+
+	content := strings.Join(fw.Spec.SSHPublicKeys, "\n")
+
+	err := os.WriteFile(authorizedKeysPath, []byte(content), 0600)
+	if err != nil {
+		return fmt.Errorf("unable to write authorized keys file: %w", err)
+	}
+
+	return nil
+}

go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/google/nftables v0.1.0
 	github.com/ks2211/go-suricata v0.0.0-20200823200910-986ce1470707
-	github.com/metal-stack/firewall-controller-manager v0.2.0
+	github.com/metal-stack/firewall-controller-manager v0.2.2
 	github.com/metal-stack/gardener-extension-provider-metal v0.20.3
-	github.com/metal-stack/metal-go v0.22.3
-	github.com/metal-stack/metal-lib v0.11.6
+	github.com/metal-stack/metal-go v0.22.6
+	github.com/metal-stack/metal-lib v0.11.10
 	github.com/metal-stack/metal-networker v0.33.0
 	github.com/metal-stack/v v1.0.3
 	github.com/miekg/dns v1.1.53
@@ -30,7 +30,7 @@ require (
 )
 
 require (
-	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -39,13 +39,13 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
+	github.com/go-openapi/errors v0.20.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/spec v0.20.8 // indirect
+	github.com/go-openapi/spec v0.20.9 // indirect
 	github.com/go-openapi/strfmt v0.21.7 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -54,7 +54,7 @@ require (
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -78,16 +78,16 @@ require (
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.mongodb.org/mongo-driver v1.11.3 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
+	go.mongodb.org/mongo-driver v1.11.7 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/oauth2 v0.6.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/net v0.11.0 // indirect
+	golang.org/x/oauth2 v0.9.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/term v0.9.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect