c/s/e/manager: add UseProjectKeys flag
When ProjectSSHKeys is set inside a DeviceCreateRequest, only the given SSH keys are added to the machine. For debugging purposes it is useful to leave it empty and fall back to the default Equinix behaviour, which adds all SSH keys defined inside the project.
Change-Id: I5f4a0d4b3bdc4b183653afd715b4104af2c2a701
Reviewed-on: https://review.monogon.dev/c/monogon/+/1569
Reviewed-by: Serge Bazanski <serge@monogon.tech>
Tested-by: Jenkins CI
diff --git a/cloud/shepherd/equinix/manager/provisioner.go b/cloud/shepherd/equinix/manager/provisioner.go
index 2bd1e97..0557dbf 100644
--- a/cloud/shepherd/equinix/manager/provisioner.go
+++ b/cloud/shepherd/equinix/manager/provisioner.go
@@ -50,6 +50,10 @@
//
// 20 is decent starting point.
ReservationChunkSize uint
+
+ // UseProjectKeys defines if the provisioner adds all ssh keys defined inside
+ // the used project to every new machine. This is only used for debug purposes.
+ UseProjectKeys bool
}
func (p *ProvisionerConfig) RegisterFlags() {
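Review bot: The field comment on `UseProjectKeys` does not state the security consequence of the flag, which is the one thing a reader of ProvisionerConfig needs before enabling it: instead of only the provisioner's managed key, every SSH key present in the Equinix project is installed on each new machine, so every project member holding a key gets login access. I would replace the two comment lines with: `// UseProjectKeys, when set, makes every newly created machine accept all SSH keys configured in the Equinix project instead of only the provisioner's managed key. This grants machine access to every project member who has a key registered; never enable outside debug/development.` Whether those keys land as root access depends on the Equinix image and is not visible here, so the comment stays at "machine access".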
@@ -59,6 +63,7 @@
flagLimiter(&p.DeviceCreationLimiter, "provisioner_device_creation_rate", "5s,1", "Rate limiting for Equinix device/machine creation")
flag.BoolVar(&p.Assimilate, "provisioner_assimilate", false, "Assimilate matching machines in Equinix project into BMDB as Provided. Only to be used when manually testing.")
flag.UintVar(&p.ReservationChunkSize, "provisioner_reservation_chunk_size", 20, "How many machines will the provisioner attempt to create in a single reconciliation loop iteration")
+ flag.BoolVar(&p.UseProjectKeys, "provisioner_use_project_keys", false, "Add all Equinix project keys to newly provisioned machines, not just the provisioner's managed key. Debug/development only.")
}
// Provisioner implements the server provisioning logic. Provisioning entails
@@ -397,6 +402,11 @@
HardwareReservationID: rsv.ID,
ProjectSSHKeys: []string{kid},
}
+ if pr.config.UseProjectKeys {
+ klog.Warningf("INSECURE: Machines will be created with ALL PROJECT SSH KEYS!")
+ req.ProjectSSHKeys = nil
+ }
+
nd, err := pr.cl.CreateDevice(ctx, req)
if err != nil {
return fmt.Errorf("while creating new device within Equinix: %w", err)
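Review bot: Assigning `req.ProjectSSHKeys = nil` silently drops the provisioner's own key `kid` from the request, so after this branch the provisioner's access to the machine depends entirely on Equinix's default behaviour including that key — which only holds if `kid` is itself a project-level key, something the hunk does not show; a comment stating that assumption, `// NOTE: kid is dropped here; relies on Equinix adding the provisioner's key as part of the project key set.`, would make the trade-off explicit. The nil/empty distinction also matters: the fallback only triggers if the SDK omits the field for nil (an `omitempty` tag), whereas an empty slice or a `null` would encode differently and may not fall back — worth confirming against the client type or asserting in a test. Finally, the warning is logged per device creation but nothing prevents the flag from being set on a production deployment; since the flag text says "Debug/development only", consider rejecting it at startup unless another explicit development-mode flag is present (the existing `Assimilate` flag on the same config has a similar "manual testing" caveat and would be the natural companion). The enclosing function continues outside the hunk.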