Skip to content

spire: don't scan for supervisor keys during auto-launch#513

Open
cryslith wants to merge 5 commits intosipb:masterfrom
cryslith:fix-497
Open

spire: don't scan for supervisor keys during auto-launch#513
cryslith wants to merge 5 commits intosipb:masterfrom
cryslith:fix-497

Conversation

@cryslith
Copy link
Copy Markdown
Member

@cryslith cryslith commented Apr 20, 2020
edited by celskeggs
Loading

When launching an existing virtual cluster, don't attempt to
authenticate to the supervisor with the pre-keysystem method
of using the preseeded authorized ssh key.
Doing so won't work because that ssh key is no longer authorized
on the supervisor after the keysystem is set up.
(Previously, it sometimes appeared to work when the
keysystem-provided ssh keys were still loaded from a prior
auto-install.)

This also avoids unnecessarily pulling the host key
from the keysystem and verifying it using the fingerprint
displayed on the supervisor console; once the keysystem is
set up the supervisor can authenticate itself using the CA.

Checklist:

  • I have split up this change into one or more appropriately-delineated commits.
  • The first line of each commit is of the form "[component]: do something"
  • I have written a complete, multi-line commit message for each commit.
  • I have formatted any Go code that I have changed with gofmt.
  • I have written or updated appropriate documentation to cover this change.
  • I have confirmed that this change is covered by at least one appropriate test run by CI.
  • If my change includes new or modified functionality, I have tested that the changes work as expected.
  • I have assigned this issue to an appropriate reviewer. (Choose @celskeggs if you are not otherwise certain.)
  • I consider my PR complete and ready to be merged without my further input, assuming that it passes CI and code review.
  • My changes have passed CI, including an automatic Jenkins deploy.
  • My changes have passed code review.

@cryslith cryslith requested a review from celskeggs April 20, 2020 03:00
celskeggs
celskeggs previously approved these changes Apr 20, 2020
View reviewed changes
@celskeggs celskeggs added this to the Dev Cluster 7 milestone Apr 20, 2020
hyades-bors[bot] and others added 2 commits April 21, 2020 02:47
@cryslith
Merge sipb#511
ced57ff 
511: Add bors-ng configuration r=cryslith a=cryslith

- Configure bors-ng
- Run CircleCI only during bors merges
- Require branches to have linear git history

Closes sipb#491.



Co-authored-by: Lily Chung <lkdc@mit.edu>
@cryslith
spire: don't scan for supervisor keys during auto-launch
c12588f 
When launching an existing virtual cluster, don't attempt to
authenticate to the supervisor with the pre-keysystem method
of using the preseeded authorized ssh key.
Doing so won't work because that ssh key is no longer authorized
on the supervisor after the keysystem is set up.
(Previously, it sometimes appeared to work when the
keysystem-provided ssh keys were still loaded from a prior
auto-install.)

This also avoids unnecessarily pulling the host key
from the keysystem and verifying it using the fingerprint
displayed on the supervisor console; once the keysystem is
set up the supervisor can authenticate itself using the CA.
@cryslith cryslith force-pushed the fix-497 branch 2 times, most recently from 83360ac to c12588f Compare April 21, 2020 05:40
@cryslith
Copy link
Copy Markdown
Member Author

cryslith commented Apr 21, 2020

bors r+
bors r-

@hyades-bors
Copy link
Copy Markdown

hyades-bors Bot commented Apr 21, 2020

Canceled.

@cryslith
Copy link
Copy Markdown
Member Author

cryslith commented Apr 21, 2020

bors r+

(for science)

hyades-bors Bot pushed a commit that referenced this pull request Apr 21, 2020
@cryslith
Merge #513
dcc313e 
513: spire: don't scan for supervisor keys during auto-launch r=cryslith a=cryslith

When launching an existing virtual cluster, don't attempt to
authenticate to the supervisor with the pre-keysystem method
of using the preseeded authorized ssh key.
Doing so won't work because that ssh key is no longer authorized
on the supervisor after the keysystem is set up.
(Previously, it sometimes appeared to work when the
keysystem-provided ssh keys were still loaded from a prior
auto-install.)

This also avoids unnecessarily pulling the host key
from the keysystem and verifying it using the fingerprint
displayed on the supervisor console; once the keysystem is
set up the supervisor can authenticate itself using the CA.



Co-authored-by: Lily Chung <lkdc@mit.edu>
@cryslith
Copy link
Copy Markdown
Member Author

cryslith commented Apr 21, 2020

no, stop that.

bors r-

@hyades-bors
Copy link
Copy Markdown

hyades-bors Bot commented Apr 21, 2020

Canceled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@celskeggs celskeggs celskeggs left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@cryslith cryslith

Labels

micro

Projects

None yet

Milestone

Dev Cluster 7

Development

Successfully merging this pull request may close these issues.

2 participants

@cryslith @celskeggs