Automatically generate ssh keys and store in Vault
Is your feature request related to a problem? Please describe. Currently, ssh keys need to either be generated and provided by the user or have to already exist on disk and in the target environment.
Describe the solution you'd like We suggest to automatically create individual ssh keys for each Environment. The keys should get stored in a vault. This would also eliminate the need for a default key, like the one that's currently in use.
Additional context We're going to implement this in some way, but would prefer to contribute, so it's easier to manage in the future. While we're at it, we would try to improve and clean up the key handling in general, by moving more of the key retrieval logic (e.g. the default key) to the sshutil package and use that everywhere in a consistent way.
For this to work, we would also need to be able to write to vaults. The current implementation only allows reading, as that's the usual behaviour in a deployment with tosca.
We propose to add a SetSecret(id string, secret Secret) error method to the vault.Client in order to be able to write to vaults. We would also extend the hashivault package to support this behaviour.
Hey @schrej,
I'm not sure to understand why Yorc itself should store the key. Do you plan to let Yorc generate the key or should it be provided someway in the TOSCA topology?
Did you investigate using the SSH engine with CA certificates or One Time Passwords?
It should be possible to provide an SSH private key file to Yorc stored in Vault using the get_secret TOSCA operation (in A4C it is the key icon at the left of a property). What's missing with this solution to fit your needs?
We want to make it easier for users to use yorc in conjunction with a4c. The idea was to automatically create ssh keys for yorc to use, so they don't have to manually deal with them. Our first approach was to have yorc generate its own keys directly.
The keys need to be stored somewhere and, as it might be useful for users to be able to access them, we thought about storing them in vault, in a location the user can access.
After further thought I realise this might not fit into yorc, but should rather be implemented in a4c?
Hi @schrej,
I think using Alien to do this is a good way. Even better, a plugin already exists to do it: https://github.com/alien4cloud/alien4cloud-vault-plugin. It was not designed to work with Yorc but I think it should work. We have to qualify it.
Hi @loicalbertin
We have the following implementation. If you think yorc needs it, we will create a merge request, as follows:
- we add a configuration for yorc to generate a ssh key for each deployment on demand (instead of using the static file, yorc.pem, for all deployments).
- yorc stores the ssh key in Vault (at the deployment path) and retrieves it when it needs.
- In the front-end, we have a special implementation that lets authenticated users control their secrets in Vault (get, delete, etc.).
Otherwise, we can close this ticket.
Best, Tri
Hi @trihoangvo I think this is an interesting use case. Please open a PR so we can discuss the implementation further.
If keys are generated by Yorc how do you authorize them into target hosts?
As yorc isn't using userdata so far, we pass cloud-config to the server to add an additional public key. This way users can still add their own keys as needed. The cloud-config is fairly simple.
#cloud-config
ssh_authorized_keys:
- ssh-rsa somekeyasdf yorc
We've only done it with OpenStack so far, as that's our focus, but it should work with AWS and GCP as well.
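The two pieces discussed in this thread, a writable vault client (the proposed SetSecret method from the opening post) and a per-deployment key that is authorized on the host through cloud-config (the last comment), fit together as in the following added example. This is illustrative code written for this page, not Yorc's own code: the Secret type, the Client interface, the in-memory client standing in for the hashivault package, the EnsureDeploymentKey/CloudConfig functions and the "deployments/<id>/ssh-private-key" path layout are all assumptions. It uses only the Go standard library, generates an ed25519 key, stores the private key as PKCS#8 PEM under the deployment path, and reuses the stored key on later calls so that a redeploy does not silently rotate the key that is already authorized on the hosts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"fmt"
)

// Secret is a minimal stand-in for a vault secret value (assumption: the real
// vault.Secret in Yorc may carry more than a string).
type Secret struct{ Value string }

// Client is the read-only vault client plus the proposed write method.
// Illustrative names, not Yorc's actual interface.
type Client interface {
	GetSecret(id string) (Secret, error)
	SetSecret(id string, secret Secret) error
}

// memClient stands in for the hashivault package so the example runs offline.
type memClient struct{ data map[string]Secret }

func newMemClient() *memClient { return &memClient{data: map[string]Secret{}} }

func (c *memClient) GetSecret(id string) (Secret, error) {
	s, ok := c.data[id]
	if !ok {
		return Secret{}, fmt.Errorf("secret %q not found", id)
	}
	return s, nil
}

func (c *memClient) SetSecret(id string, secret Secret) error {
	c.data[id] = secret
	return nil
}

// sshString encodes a byte string in SSH wire format (uint32 length + bytes).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// authorizedKeyLine renders an ed25519 public key as an authorized_keys entry.
func authorizedKeyLine(pub ed25519.PublicKey, comment string) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return fmt.Sprintf("ssh-ed25519 %s %s", base64.StdEncoding.EncodeToString(blob), comment)
}

// DeploymentKeyPath is the vault path for a deployment's private key (assumed layout).
func DeploymentKeyPath(deploymentID string) string {
	return "deployments/" + deploymentID + "/ssh-private-key"
}

// parsePrivateKey decodes the PKCS#8 PEM stored in the vault back into a key.
func parsePrivateKey(pemStr string) (ed25519.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemStr))
	if block == nil {
		return nil, fmt.Errorf("no PEM block in stored secret")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(ed25519.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("stored key is not ed25519")
	}
	return priv, nil
}

// EnsureDeploymentKey returns the authorized_keys line for deploymentID,
// generating and storing a fresh private key in the vault only if none exists.
func EnsureDeploymentKey(c Client, deploymentID string) (string, error) {
	path, comment := DeploymentKeyPath(deploymentID), "yorc-"+deploymentID
	if s, err := c.GetSecret(path); err == nil {
		priv, err := parsePrivateKey(s.Value)
		if err != nil {
			return "", err
		}
		return authorizedKeyLine(priv.Public().(ed25519.PublicKey), comment), nil
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", err
	}
	pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	if err := c.SetSecret(path, Secret{Value: pemStr}); err != nil {
		return "", err
	}
	return authorizedKeyLine(pub, comment), nil
}

// CloudConfig renders the user-data that authorizes the key on the target host.
func CloudConfig(authorizedKey string) string {
	return "#cloud-config\nssh_authorized_keys:\n  - " + authorizedKey + "\n"
}

func main() {
	c := newMemClient()
	line, err := EnsureDeploymentKey(c, "demo-deployment")
	if err != nil {
		panic(err)
	}
	fmt.Print(CloudConfig(line))
}
```

Only the private key ever goes into the vault; the public half is re-derived from it on every call, so the authorized_keys line handed to cloud-config always matches the stored key, and a second deployment gets an independent key under its own path.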