From 0ce8dfbb95e25df9d507af9d9538eacb9c14791e Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sun, 17 Sep 2023 23:21:42 +0200
Subject: [PATCH] Workaround to allow use of ed25519 keys on Azure

* Allow passing a dummy RSA key to Azure to satisfy its obtuse requirements (recommend deleting the corresponding private key)
* Then `ssh_authorized_key` can be used to provide Fedora CoreOS or Flatcar Linux with a modern ed25519 public key to set in the authorized_keys via Ignition
---
 CHANGES.md | 6 ++++++
 azure/fedora-coreos/kubernetes/controllers.tf | 10 +++++++++-
 azure/fedora-coreos/kubernetes/variables.tf | 6 ++++++
 azure/fedora-coreos/kubernetes/workers.tf | 1 +
 azure/fedora-coreos/kubernetes/workers/variables.tf | 6 ++++++
 azure/fedora-coreos/kubernetes/workers/workers.tf | 6 +++++-
 azure/flatcar-linux/kubernetes/controllers.tf | 8 +++++++-
 azure/flatcar-linux/kubernetes/variables.tf | 6 ++++++
 azure/flatcar-linux/kubernetes/workers.tf | 1 +
 azure/flatcar-linux/kubernetes/workers/variables.tf | 6 ++++++
 azure/flatcar-linux/kubernetes/workers/workers.tf | 4 +++-
 11 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 5f91cf15..6f2f6cb6 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -9,6 +9,12 @@ Notable changes between versions.
 * Kubernetes [v1.28.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282)
 * Update Cilium from v1.14.1 to [v1.14.2](https://github.com/cilium/cilium/releases/tag/v1.14.2)
+### Azure
+
+* Add optional `azure_authorized_key` variable
+ * Azure obtusely inspects public keys, requires RSA keys, and forbids more secure key formats (e.g. ed25519)
+ * Allow passing a dummy RSA key via `azure_authorized_key` (delete the private key) to satisfy Azure validations, then the usual `ssh_authorized_key` variable can new newer formats (e.g. ed25519)
+
 ## v1.28.1
 * Kubernetes [v1.28.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281)
diff --git a/azure/fedora-coreos/kubernetes/controllers.tf b/azure/fedora-coreos/kubernetes/controllers.tf
index bb396499..6381f1d0 100644
--- a/azure/fedora-coreos/kubernetes/controllers.tf
+++ b/azure/fedora-coreos/kubernetes/controllers.tf
@@ -1,3 +1,11 @@
+locals {
+ # Typhoon ssh_authorized_key supports RSA or a newer formats (e.g. ed25519).
+ # However, Azure requires an older RSA key to pass validations. To use a
+ # newer key format, pass a dummy RSA key as the azure_authorized_key and
+ # delete the associated private key so it's never used.
+ azure_authorized_key = var.azure_authorized_key == "" ? var.ssh_authorized_key : var.azure_authorized_key
+}
+
 # Discrete DNS records for each controller's private IPv4 for etcd usage
 resource "azurerm_dns_a_record" "etcds" {
 count = var.controller_count
@@ -55,7 +63,7 @@ resource "azurerm_linux_virtual_machine" "controllers" {
 admin_username = "core"
 admin_ssh_key {
 username = "core"
- public_key = var.ssh_authorized_key
+ public_key = local.azure_authorized_key
 }
 lifecycle {
diff --git a/azure/fedora-coreos/kubernetes/variables.tf b/azure/fedora-coreos/kubernetes/variables.tf
index 75c82fa9..05ae4496 100644
--- a/azure/fedora-coreos/kubernetes/variables.tf
+++ b/azure/fedora-coreos/kubernetes/variables.tf
@@ -82,6 +82,12 @@ variable "ssh_authorized_key" {
 description = "SSH public key for user 'core'"
 }
+variable "azure_authorized_key" {
+ type = string
+ description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
+ default = ""
+}
+
 variable "networking" {
 type = string
 description = "Choice of networking provider (flannel, calico, or cilium)"
diff --git a/azure/fedora-coreos/kubernetes/workers.tf b/azure/fedora-coreos/kubernetes/workers.tf
index 808c473f..7e9e5e37 100644
--- a/azure/fedora-coreos/kubernetes/workers.tf
+++ b/azure/fedora-coreos/kubernetes/workers.tf
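Review bot: The locals comment in the controllers.tf hunk says the dummy RSA key's private key should be deleted "so it's never used", but the public key is still handed to Azure as the VM's `admin_ssh_key` in the second hunk, and on Fedora CoreOS the Azure-supplied key is normally installed for `core` by Afterburn, so it remains a live login credential rather than an inert placeholder. The comment should say so explicitly, e.g. `# Azure still installs this key on the VM; treat it as a real credential and destroy its private key rather than merely not using it.` The first comment line also has a grammar slip: `# Typhoon ssh_authorized_key supports RSA or newer formats (e.g. ed25519).` The diffstat suggests the same local lands in azure/flatcar-linux/kubernetes/controllers.tf, which is outside this view, and presumably wants the same wording.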
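Review bot: `azure_authorized_key` in the variables.tf hunk has no `validation` block, so a non-RSA or malformed value is only rejected by Azure at apply time, and the "empty means fall back to ssh_authorized_key" contract exists only in the local in controllers.tf, not at the variable. A plan-time validation accepting either empty or an `ssh-rsa` key makes the intent enforceable (needs Terraform ≥ 0.13 for variable validation, which I assume the module already requires); the workers/variables.tf hunk and, per the diffstat, the Flatcar copies should get the same block. The description could also state the fallback and the operational expectation, e.g. `description = "Optional RSA public key given to Azure only (Azure rejects ed25519). Empty means ssh_authorized_key is used. If set, destroy its private key."`
```hcl
variable "azure_authorized_key" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.azure_authorized_key == "" || can(regex("^ssh-rsa ", var.azure_authorized_key))
    error_message = "azure_authorized_key must be empty or an RSA public key (starting with 'ssh-rsa '), since Azure accepts only RSA keys."
  }
}
```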
@@ -17,6 +17,7 @@ module "workers" {
 # configuration
 kubeconfig = module.bootstrap.kubeconfig-kubelet
 ssh_authorized_key = var.ssh_authorized_key
+ azure_authorized_key = var.azure_authorized_key
 service_cidr = var.service_cidr
 cluster_domain_suffix = var.cluster_domain_suffix
 snippets = var.worker_snippets
diff --git a/azure/fedora-coreos/kubernetes/workers/variables.tf b/azure/fedora-coreos/kubernetes/workers/variables.tf
index 338995c1..a27b69f8 100644
--- a/azure/fedora-coreos/kubernetes/workers/variables.tf
+++ b/azure/fedora-coreos/kubernetes/workers/variables.tf
@@ -73,6 +73,12 @@ variable "ssh_authorized_key" {
 description = "SSH public key for user 'core'"
 }
+variable "azure_authorized_key" {
+ type = string
+ description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
+ default = ""
+}
+
 variable "service_cidr" {
 type = string
 description = <