WIP: adhoc SSH debugging

Earthfile

@@ -52,6 +52,7 @@ local:
 build-local:
   BUILD +local --CONTROLLER=yawol-controller
   BUILD +local --CONTROLLER=yawol-cloud-controller
+  BUILD +local --CONTROLLER=yawollet
 
 build-test:
     FROM +deps

api/v1beta1/loadbalancer_types.go

@@ -55,6 +55,15 @@ const (
 	ServiceAdditionalNetworks = "yawol.stackit.cloud/additionalNetworks"
 )
 
+// Annotation for settings in lb object
+const (
+	// LoadBalancerAdHocDebug enables adhoc debugging, all LoadBalancer Machines will enable SSH
+	LoadBalancerAdHocDebug = "yawol.stackit.cloud/adHocDebug"
+	// LoadBalancerAdHocDebugSSHKey defines the public ssh key for adhoc debugging
+	// All LoadBalancer Machines will add this public SSH key
+	LoadBalancerAdHocDebugSSHKey = "yawol.stackit.cloud/adHocDebugSSHKey"
+)
+
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=lb
 // +kubebuilder:subresource:status

controllers/yawollet/loadbalancer_controller.go

@@ -55,6 +55,11 @@ func (r *LoadBalancerReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrl.Result{}, err
 	}
 
+	// enable ad hoc debugging if configured
+	if err := helper.EnableAdHocDebugging(lb, r.Recorder, r.LoadbalancerMachineName); err != nil {
+		return ctrl.Result{}, kubernetes.SendErrorAsEvent(r.Recorder, fmt.Errorf("%w: unable to get current snapshot", err), lbm)
+	}
+
 	// current snapshot
 	oldSnapshot, err := r.EnvoyCache.GetSnapshot("lb-id")
 	if err != nil {

image/install-alpine.yaml

@@ -60,6 +60,14 @@
         state: directory
         mode: '0755'
 
+    - name: add sudoers file for yawol
+      copy:
+        src: ./yawol-sudoers
+        dest: /etc/sudoers.d/yawol
+        owner: root
+        group: root
+        mode: 0644
+
     # envoy
     - name: Copy envoy in place
       copy:
@@ -237,3 +245,6 @@
 
     - name: more cleanup
       command: "cloud-init clean -l -s"
+
+    - name: cleanup ssh-keys
+      command: "> /home/alpine/.ssh/authorized_keys"

image/yawol-sudoers

@@ -0,0 +1 @@
+yawol ALL = NOPASSWD: /sbin/rc-service sshd start

internal/helper/yawollet.go

@@ -5,6 +5,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"os"
+	"os/exec"
 	"regexp"
 	"strconv"
 	"strings"
@@ -781,3 +783,47 @@ func UpdateKeepalivedStatus(
 		ConditionTrue,
 		"StatsUpToDate", "Keepalived stat file is newer than 5 min")
 }
+
+// EnableAdHocDebugging enables ad-hoc debugging if enabled via annotations.
+func EnableAdHocDebugging(lb *yawolv1beta1.LoadBalancer, recorder record.EventRecorder, lbmName string) error {
+	// skip if debugging is enabled anyway
+	if lb.Spec.DebugSettings.Enabled {
+		return nil
+	}
+
+	enabled, _ := strconv.ParseBool(lb.Annotations[yawolv1beta1.LoadBalancerAdHocDebug])
+	sshKey, sshKeySet := lb.Annotations[yawolv1beta1.LoadBalancerAdHocDebugSSHKey]
+
+	// skip not all needed annotations are set or disabled
+	if !enabled || !sshKeySet {
+		return nil
+	}
+
+	err := os.MkdirAll("/home/yawol/.ssh", 0755)
+	if err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile("/home/yawol/.ssh/authorized_keys", os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := f.Write([]byte("\n" + sshKey + "\n")); err != nil {
+		return err
+	}
+
+	if err := f.Close(); err != nil {
+		return err
+	}
+
+	startSSH := exec.Command("sudo", "/sbin/rc-service", "sshd", "start")
+	if err = startSSH.Run(); err != nil {
+		return err
+	}
+
+	recorder.Eventf(lb, corev1.EventTypeWarning, "AdHocDebuggingEnabled", "Successfully enabled ad-hoc debugging access to LoadBalancerMachine '%s'. Please make sure to disable debug access once you are finished and to roll all LoadBalancerMachines", lbmName)
+
+	return nil
+}