Description
Observed Behavior
- nodeletctl expects to be provided an SSH Private Key file.
- When no SSH Private Key file is provided in cluster.yml, nodeletctl defaults to connecting with /root/.ssh/id_rsa:

```go
SSHPrivateKeyFile: "/root/.ssh/id_rsa",
```

- nodeletctl does not attempt to connect using identities in the SSH Agent before falling back to a specified file-based identity.

nodelet/nodeletctl/pkg/nodeletctl/deployer.go, lines 57 to 60 in 7a52c3d:

```go
sshKey, err := ioutil.ReadFile(cfg.SSHPrivateKeyFile)
if err != nil {
    return nil, fmt.Errorf("Failed to read private key: %s", cfg.SSHPrivateKeyFile)
}
```
Desired Behavior
- When no SSH Private Key is provided, attempt to connect using an identity in the SSH Agent, or default to the user's default identity in their SSH config.
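To make the desired behavior concrete, here is an added example in Go (not code from the nodelet project or from this issue) that implements the selection order using only the standard library: it speaks just enough of the ssh-agent protocol to list the identities behind the socket named by SSH_AUTH_SOCK, prefers the agent whenever it is reachable and holds at least one key, and otherwise falls back to a key file path. The names ListAgentIdentities, ChooseAuthSource and AuthSource, and the injected dial callback, are assumptions made for illustration.

```go
package main
// Added example, not nodelet code: prefer ssh-agent identities, fall back to a key file.
import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
)

// ssh-agent protocol message numbers (draft-miller-ssh-agent).
const (
	agentcRequestIdentities = 11 // SSH_AGENTC_REQUEST_IDENTITIES
	agentIdentitiesAnswer   = 12 // SSH_AGENT_IDENTITIES_ANSWER
)

// AgentKey is one identity held by the agent: the public-key blob and its comment.
type AgentKey struct {
	Blob    []byte
	Comment string
}

// readString pops one SSH "string" (uint32 length, then bytes) off the front of p.
func readString(p []byte) (s, rest []byte, err error) {
	if len(p) < 4 || uint64(binary.BigEndian.Uint32(p)) > uint64(len(p)-4) {
		return nil, nil, errors.New("malformed string in agent reply")
	}
	n := binary.BigEndian.Uint32(p)
	return p[4 : 4+n], p[4+n:], nil
}

// ListAgentIdentities sends SSH_AGENTC_REQUEST_IDENTITIES over rw and parses the answer.
func ListAgentIdentities(rw io.ReadWriter) ([]AgentKey, error) {
	// Request framing: 4-byte big-endian length (1) followed by the message type.
	if _, err := rw.Write([]byte{0, 0, 0, 1, agentcRequestIdentities}); err != nil {
		return nil, err
	}
	var hdr [4]byte
	if _, err := io.ReadFull(rw, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n == 0 || n > 1<<20 {
		return nil, fmt.Errorf("implausible agent reply length %d", n)
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(rw, body); err != nil {
		return nil, err
	}
	// A failure reply (type 5, length 1) or any other message type ends up here.
	if body[0] != agentIdentitiesAnswer || len(body) < 5 {
		return nil, fmt.Errorf("unexpected agent reply: type %d, length %d", body[0], len(body))
	}
	count, p := binary.BigEndian.Uint32(body[1:]), body[5:]
	var keys []AgentKey
	for i := uint32(0); i < count; i++ {
		blob, rest, err := readString(p)
		if err != nil {
			return nil, err
		}
		comment, rest, err := readString(rest)
		if err != nil {
			return nil, err
		}
		keys = append(keys, AgentKey{Blob: blob, Comment: string(comment)})
		p = rest
	}
	return keys, nil
}

// AuthSource says what the SSH client should authenticate with.
type AuthSource struct {
	UseAgent  bool
	AgentKeys []AgentKey // identities offered by the agent, when UseAgent is true
	KeyFile   string     // path to a private key file, when UseAgent is false
}

// ChooseAuthSource prefers a reachable agent holding at least one identity and falls back
// to keyFile. authSock is the SSH_AUTH_SOCK value ("" if unset); dial supplies the connection.
func ChooseAuthSource(authSock string, dial func(string) (net.Conn, error), keyFile string) (AuthSource, error) {
	if authSock != "" && dial != nil {
		if conn, err := dial(authSock); err == nil {
			defer conn.Close()
			if keys, err := ListAgentIdentities(conn); err == nil && len(keys) > 0 {
				return AuthSource{UseAgent: true, AgentKeys: keys}, nil
			}
		}
	}
	if keyFile == "" {
		return AuthSource{}, errors.New("no usable ssh-agent identity and no private key file configured")
	}
	return AuthSource{KeyFile: keyFile}, nil
}

func main() {
	dial := func(path string) (net.Conn, error) { return net.Dial("unix", path) }
	src, err := ChooseAuthSource(os.Getenv("SSH_AUTH_SOCK"), dial, os.ExpandEnv("$HOME/.ssh/id_rsa"))
	fmt.Printf("agent=%v identities=%d keyfile=%q err=%v\n", src.UseAgent, len(src.AgentKeys), src.KeyFile, err)
}
```

The dial callback is injected so the decision logic can be exercised against a fake agent over net.Pipe without a real socket. In a real client the agent branch would hand the connection to golang.org/x/crypto/ssh/agent (agent.NewClient plus ssh.PublicKeysCallback on its Signers) instead of listing keys by hand; the point of the example is the order of preference, and the caveat that with agent forwarding the socket on the bastion only exists while the forwarding session is up, so the fallback path still needs a clear error when neither source is usable.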
Why is this important
As a DevOps Engineer, I have set up my environment with an SSH Proxy Bastion Host as shown below:
The private key in this scenario resides on my laptop, but nodeletctl resides on the SSH Proxy host where I am executing Ansible.
I use SSH Agent forwarding on my laptop to allow Ansible to SSH into the hosts without requiring that the private key reside on the SSH Proxy host. This improves security by ensuring I don't have an over-privileged, unencrypted SSH key residing on a host inside the trusted network zone if the SSH Bastion host were to be compromised.
How to repeat my setup
Clone this repo at tag v0.0.1:

```shell
git clone --branch v0.0.1 git@github.com:platform9/infa-sandbox.git
```

Then follow these steps to provision an environment in an AWS account: