Merge pull request #27 from phaer/optional-private-key

make private key optional to support SSH agent usage

README.md

@@ -61,7 +61,9 @@ _The Hetzner cli `hcloud` is also useful to have, mainly for debugging without h
 ### 💡 [Do not skip] Creating the terraform.tfvars file
 
 1. Create a project in your [Hetzner Cloud Console](https://console.hetzner.cloud/), and go to **Security > API Tokens** of that project to grab the API key. Take note of the key! ✅
-2. Generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+2. Either...
+  ...generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+  ...or make sure you have got an SSH agent running and your key is loaded (`ssh-add -L` to verify) and set `private_key = null` ✅
 3. Copy `terraform.tfvars.example` to `terraform.tfvars`, and replace the values from steps 1 and 2. ✅
 4. (Optional) There are other variables in `terraform.tfvars` that could be customized, like Hetzner region, and the node counts and sizes.
 

agents.tf

@@ -27,9 +27,10 @@ resource "hcloud_server" "agents" {
     destination = "/tmp/config.yaml"
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }
 
@@ -38,9 +39,10 @@ resource "hcloud_server" "agents" {
     inline = local.k3os_install_commands
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }
 

locals.tf

@@ -1,7 +1,15 @@
 locals {
   first_control_plane_network_ip = cidrhost(hcloud_network.k3s.ip_range, 2)
-  ssh_public_key                 = trimspace(file(var.public_key))
   hcloud_image_name              = "ubuntu-20.04"
+  ssh_public_key                 = trimspace(file(var.public_key))
+  # ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
+  ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
+  # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
+  # For terraforms provisioner.connection.agent_identity, we need the public key as a string.
+  ssh_identity = var.private_key == null ? local.ssh_public_key : null
+  # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
+  # if an ssh agent is used.
+  ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
 
   k3os_install_commands = [
     "apt install -y grub-efi grub-pc-bin mtools xorriso",

master.tf

@@ -23,9 +23,10 @@ resource "hcloud_server" "first_control_plane" {
     destination = "/tmp/config.yaml"
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }
 
@@ -34,16 +35,17 @@ resource "hcloud_server" "first_control_plane" {
     inline = local.k3os_install_commands
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }
 
   # Wait for k3os to be ready and fetch kubeconfig.yaml
   provisioner "local-exec" {
     command = <<-EOT
-      sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${var.private_key} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
+      sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${local.ssh_identity_file} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
       sed -i -e 's/127.0.0.1/${self.ipv4_address}/g' ${path.module}/kubeconfig.yaml
     EOT
   }

servers.tf

@@ -26,9 +26,10 @@ resource "hcloud_server" "control_planes" {
     destination = "/tmp/config.yaml"
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }
 
@@ -37,9 +38,10 @@ resource "hcloud_server" "control_planes" {
     inline = local.k3os_install_commands
 
     connection {
-      user        = "root"
-      private_key = file(var.private_key)
-      host        = self.ipv4_address
+      user           = "root"
+      private_key    = local.ssh_private_key
+      agent_identity = local.ssh_identity
+      host           = self.ipv4_address
     }
   }