Merge pull request #51 from fly-apps/ssh_auth

Do ssh_auth
fly-apps · Jan 31, 2023 · 87dfce7 · 87dfce7
2 parents 1ab7d9d + a219eb4
commit 87dfce7
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -29,7 +29,7 @@ LABEL fly.pg-version=${PG_VERSION}
 LABEL fly.pg-manager=repmgr
 
 RUN apt-get update && apt-get install --no-install-recommends -y \
-    ca-certificates iproute2 postgresql-$PG_MAJOR_VERSION-repmgr curl bash dnsutils vim procps jq pgbouncer \
+    ca-certificates iproute2 postgresql-$PG_MAJOR_VERSION-repmgr curl bash dnsutils vim procps jq pgbouncer ssh \
     && apt autoremove -y
 
 COPY --from=0 /fly/bin/* /usr/local/bin

diff --git a/pkg/flypg/node.go b/pkg/flypg/node.go
@@ -188,6 +188,11 @@ func (n *Node) Init(ctx context.Context) error {
 		}
 	}
 
+	err := WriteSSHKey()
+	if err != nil {
+		return fmt.Errorf("failed initialize ssh. %v", err)
+	}
+
 	store, err := state.NewStore()
 	if err != nil {
 		return fmt.Errorf("failed initialize cluster state store: %s", err)
@@ -240,6 +245,44 @@ func (n *Node) Init(ctx context.Context) error {
 	return nil
 }
 
+func WriteSSHKey() error {
+	err := os.Mkdir("/data/.ssh", 0700)
+	if err != nil && !os.IsExist(err) {
+		return err
+	}
+
+	key := os.Getenv("SSH_KEY")
+
+	keyFile, err := os.Create("/data/.ssh/id_rsa")
+	if err != nil {
+		return err
+	}
+	defer keyFile.Close()
+	_, err = keyFile.Write([]byte(key))
+	if err != nil {
+		return err
+	}
+
+	cert := os.Getenv("SSH_CERT")
+
+	certFile, err := os.Create("/data/.ssh/id_rsa-cert.pub")
+	if err != nil {
+		return err
+	}
+	defer certFile.Close()
+	_, err = certFile.Write([]byte(cert))
+	if err != nil {
+		return err
+	}
+
+	err = setSSHOwnership()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // PostInit are operations that should be executed against a running Postgres on boot.
 func (n *Node) PostInit(ctx context.Context) error {
 	if ZombieLockExists() {
@@ -702,6 +745,13 @@ func openConnection(parentCtx context.Context, host string, database string, cre
 	return pgx.ConnectConfig(ctx, conf)
 }
 
+func setSSHOwnership() error {
+	cmdStr := fmt.Sprintf("chmod 600 %s %s", "/data/.ssh/id_rsa", "/data/.ssh/id_rsa-cert.pub")
+	cmd := exec.Command("sh", "-c", cmdStr)
+	_, err := cmd.Output()
+	return err
+}
+
 func setDirOwnership() error {
 	pgUser, err := user.Lookup("postgres")
 	if err != nil {

diff --git a/pkg/flypg/repmgr.go b/pkg/flypg/repmgr.go
@@ -127,6 +127,7 @@ func (r *RepMgr) setDefaults() {
 		"location":                     r.Region,
 		"primary_visibility_consensus": true,
 		"failover_validation_command":  fmt.Sprintf("'/usr/local/bin/failover_validation -visible-nodes %%v -total-nodes %%t'"),
+		"ssh_options":                  "'-o \"StrictHostKeyChecking=no\"'",
 		"priority":                     100,
 	}