[Bug]: Cannot Remove Additional SSH Public Keys

by ADMIN

Introduction

Managing SSH keys is a basic part of securing infrastructure, and on a Kubernetes cluster provisioned with Terraform the keys allowed to log in to the nodes are usually declared alongside the cluster itself. With the kube-hetzner Terraform module, however, removing (or adding) entries in the ssh_additional_public_keys list after the cluster exists produces no change. This article describes that behavior and the ways to manage node SSH keys once the initial setup is done.

Description

After the cluster has been created, removing an entry from the ssh_additional_public_keys list and running terraform plan yields an empty plan (no changes), and adding a new key to the list is ignored in the same way. This indicates that ssh_additional_public_keys is only consumed during the initial node setup and that later edits to the list are not reconciled onto the nodes. The security consequence is that a key removed from the list is still accepted by the nodes until it is removed on them by some other means, so removing it from Terraform alone must not be treated as revocation.

Kube.tf File

kube.tf is the root Terraform configuration that calls the kube-hetzner module and holds the settings for provisioning the Kubernetes cluster. The relevant section of the file is shown below:

module "k3s" {
  providers = { hcloud = hcloud }

  hcloud_token = local.secrets.hcloud.token

  source = "kube-hetzner/kube-hetzner/hcloud"
  version = "2.16.0"

  ssh_public_key = file(local.ssh_public_key)
  ssh_private_key = data.sops_file.ssh_private_key.raw

  ssh_additional_public_keys = [
    file("../../ssh-keys/a.pub"),
    file("../../ssh-keys/b.pub"),
    file("../../ssh-keys/c.pub"),
  ]

  # ...
}

In this code snippet, the ssh_additional_public_keys list is populated with three SSH public keys, which are loaded from files using the file() function.

Preferred Way to Manage SSH Keys

Given the behavior observed, ssh_additional_public_keys should be treated as an initial-setup-only input. To manage the keys on the nodes after that, the following approaches are available:

1. Use the ssh_public_key Option

ssh_public_key is the module's required primary key: the single key the module itself uses to reach the nodes. If one key is enough for your operators, leave ssh_additional_public_keys unset and use only ssh_public_key, so there is no second list that can silently drift from what is on the nodes. Note that this does not by itself remove keys already installed on existing nodes from an earlier ssh_additional_public_keys list; those still have to be removed on the nodes.

module "k3s" {
  providers = { hcloud = hcloud }

  hcloud_token = local.secrets.hcloud.token

  source = "kube-hetzner/kube-hetzner/hcloud"
  version = "2.16.0"

  ssh_public_key = file(local.ssh_public_key)
  ssh_private_key = data.sops_file.ssh_private_key.raw

  # ...
}

2. Use a Separate Terraform Module

You can keep post-setup key management in a separate Terraform file or module so that it is decoupled from the kube.tf module call. Such a module has to write the authorized_keys file on the nodes itself (for example through an SSH provisioner), because the kube-hetzner module will not reconcile key changes after the first apply. The sketch below passes the same inputs to a local module:

# File: ssh_keys.tf

module "ssh_keys" {
  # source must be a literal local path or registry address, not a file() call
  source = "./ssh_keys_module"

  ssh_public_key  = file(local.ssh_public_key)
  ssh_private_key = data.sops_file.ssh_private_key.raw

  # the list needs its opening bracket; removing an entry here must
  # translate into removing the key on every node
  ssh_additional_public_keys = [
    file("../../ssh-keys/a.pub"),
    file("../../ssh-keys/b.pub"),
    file("../../ssh-keys/c.pub"),
  ]
}
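The following is an added example of what such a separate ssh_keys.tf could contain; it is not code from the page or from the kube-hetzner project. It assumes (these are assumptions, not facts stated on the page) that module.k3s exposes list outputs named control_planes_public_ipv4 and agents_public_ipv4, that the nodes accept SSH as root with the key in local.ssh_public_key and have a writable /root/.ssh, and that the hashicorp/null provider is available. The point it demonstrates is the one the page's option lacks: the full authorized_keys file is rendered from the desired list and rewritten whenever that list changes, so a removal produces a plan and actually removes the key.

```hcl
# File: ssh_keys.tf (added example; assumptions are marked in comments)

locals {
  # Desired extra keys. The module's own key is always included first so a
  # bad edit here cannot lock Terraform (or you) out of the nodes.
  ssh_extra_keys = [
    file("../../ssh-keys/a.pub"),
    file("../../ssh-keys/b.pub"),
  ]

  ssh_authorized_keys = distinct(concat(
    [trimspace(file(local.ssh_public_key))],
    [for k in local.ssh_extra_keys : trimspace(k)],
  ))

  # Complete file content; hashed below both for the trigger and the check.
  ssh_authorized_keys_file = "${join("\n", local.ssh_authorized_keys)}\n"

  # Assumption: these outputs exist on your module version (terraform output).
  ssh_nodes = toset(concat(
    module.k3s.control_planes_public_ipv4,
    module.k3s.agents_public_ipv4,
  ))
}

resource "null_resource" "authorized_keys" {
  for_each = local.ssh_nodes

  # Unlike ssh_additional_public_keys, this re-runs whenever the desired set
  # changes: the trigger is the hash of the rendered file, so additions and
  # removals both force a replacement and a fresh write on every node.
  triggers = {
    authorized_keys_sha256 = sha256(local.ssh_authorized_keys_file)
  }

  connection {
    type        = "ssh"
    host        = each.key
    user        = "root" # assumption: root login, as used by the module
    private_key = data.sops_file.ssh_private_key.raw
  }

  # Write the whole file, not an append, to a temp path first so sshd never
  # reads a half-written authorized_keys.
  provisioner "file" {
    content     = local.ssh_authorized_keys_file
    destination = "/root/.ssh/authorized_keys.tmp"
  }

  provisioner "remote-exec" {
    inline = [
      "chmod 600 /root/.ssh/authorized_keys.tmp",
      "mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys",
      # Fail the apply if the node does not end up with exactly the desired file.
      "test \"$(sha256sum < /root/.ssh/authorized_keys | cut -d' ' -f1)\" = \"${sha256(local.ssh_authorized_keys_file)}\"",
    ]
  }
}
```

Two caveats when using this pattern: for_each over module outputs is only known after the module has been applied, so on a fresh cluster apply the module first (for example with -target=module.k3s) and then this resource; and it only covers the nodes present in the outputs at apply time, so nodes the module adds later still receive the initial list until the next apply of this resource.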

3. Use a Configuration Management Tool

You can use a configuration management tool such as Ansible or Puppet to manage the authorized_keys file on the cluster nodes (for example Ansible's ansible.posix.authorized_key module, which supports state: absent for removals). This decouples SSH key management from the Terraform configuration entirely, at the cost of a second tool that needs SSH access to the nodes and its own inventory of them.

Conclusion

In conclusion, the ssh_additional_public_keys option of the kube-hetzner Terraform module appears to be consumed only during the initial setup. To manage SSH keys after that, use ssh_public_key alone, keep key management in a separate Terraform module that rewrites authorized_keys on the nodes, or use a configuration management tool. Whichever approach you choose, verify the authorized_keys file on the nodes after every removal; until a key is gone from the nodes, its holder still has access.

Troubleshooting Tips

If you encounter issues with removing additional SSH public keys, check the following:

  • Look at what is actually on the nodes: SSH to a node and read the authorized_keys file of the login user (root on the module's default images), then compare it with your .pub files. An empty plan only means Terraform sees no change in the resources it tracks, not that the nodes match the list.
  • Run terraform state show on the module's server resources to see where, if anywhere, the key list is stored. If it only appears in first-boot user data, later edits to the list will not produce a diff.
  • Check the module's README and changelog for the version you pin (2.16.0 here) before assuming the behavior is a bug rather than a documented limitation.
  • Keep ssh_public_key in any authorized_keys file you write yourself; it is the key the module uses to reach the nodes, and dropping it locks Terraform out.
  • After removing a key from the ssh_additional_public_keys list, re-run terraform plan to confirm whether a change is reported, and treat the removal as incomplete until the key is gone from every node.

Q&A: Troubleshooting and Best Practices

Q: What is the purpose of the ssh_additional_public_keys option in Terraform?

A: The ssh_additional_public_keys option is used to specify additional SSH public keys that can be used to connect to the cluster. However, based on the behavior observed, it appears that this option is only used for the initial setup.

Q: Why can't I remove additional SSH public keys from the ssh_additional_public_keys list?

A: The ssh_additional_public_keys option is only used for the initial setup, and any changes made to this list after the initial setup are ignored. To manage SSH keys after the initial setup, you can use the ssh_public_key option, create a separate Terraform module, or use a configuration management tool.

Q: How do I use the ssh_public_key option to manage SSH keys?

A: Set ssh_public_key to a single key loaded with the file() function and leave ssh_additional_public_keys unset, exactly as in the kube.tf snippet shown under "Use the ssh_public_key Option" above. That key is the one the module uses to reach the nodes; keys already installed on existing nodes are not removed by this change.

Q: Can I use a separate Terraform module to manage SSH keys?

A: Yes. Keep the key management in a separate Terraform file or module, as in the ssh_keys.tf sketch shown under "Use a Separate Terraform Module" above. The module must rewrite the authorized_keys file on the nodes itself, since the kube-hetzner module does not reconcile key changes after the first apply.

Q: Can I use a configuration management tool to manage SSH keys?

A: Yes. A configuration management tool such as Ansible or Puppet can manage the authorized_keys file on the cluster nodes directly, which decouples SSH key management from the Terraform configuration.

Q: What are some troubleshooting tips for removing additional SSH public keys?

A: The checks listed under "Troubleshooting Tips" above apply: read the authorized_keys file on the nodes rather than trusting an empty plan, use terraform state show to find where the key list is stored, check the module's documentation for the pinned version, keep ssh_public_key in any file you write yourself, and re-run terraform plan after the removal.

Q: How can I prevent this issue from occurring in the future?

A: Decide up front how keys will be managed after the initial setup (ssh_public_key only, a separate Terraform module that rewrites authorized_keys, or a configuration management tool), treat ssh_additional_public_keys as an initial-setup input only, and verify the authorized_keys file on the nodes after every key change.

By following these troubleshooting tips and best practices, you can resolve the issue with removing additional SSH public keys in Terraform and ensure that your SSH key management is secure and efficient.