From 9bb945a302feb94c6057921cc0fe04c05be073c0 Mon Sep 17 00:00:00 2001
From: phaer
Date: Tue, 25 Jan 2022 14:04:12 +0100
Subject: [PATCH 1/3] run terraform fmt
---
 agents.tf | 14 ++++++++------
 master.tf | 14 ++++++++------
 servers.tf | 14 ++++++++------
 3 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/agents.tf b/agents.tf
index 8ca5cc7..16f0f05 100644
--- a/agents.tf
+++ b/agents.tf
@@ -27,9 +27,10 @@ resource "hcloud_server" "agents" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
@@ -38,9 +39,10 @@ resource "hcloud_server" "agents" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
diff --git a/master.tf b/master.tf
index 8da0368..ec7cf25 100644
--- a/master.tf
+++ b/master.tf
@@ -23,9 +23,10 @@ resource "hcloud_server" "first_control_plane" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
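Review bot: None of the rewritten `connection` blocks (agents.tf hunks at -27 and -38, master.tf at -23) sets `host_key`, so Terraform's SSH communicator accepts whatever host key the address in `self.ipv4_address` presents, while the session logs in as `root`, uploads `/tmp/config.yaml` and then runs the install commands. A host that intercepts that first connection can therefore receive the uploaded config and answer the `remote-exec` step unchallenged; hcloud does not appear to hand out the generated host key ahead of time, so the practical fix is probably to pin one via cloud-init in `user_data` and pass it as `host_key = ...`, or at minimum to add `# NOTE: no host_key set, remote host is not verified on first contact` to each block. Separately, when `var.private_key` is null the fallback to ssh-agent relies on Terraform's default for `agent` (presumably tied to `SSH_AUTH_SOCK`), so stating the intent with `agent = var.private_key == null` would make the two modes mutually exclusive instead of letting a loaded agent also be tried when a key file is given. The enclosing `provisioner` and `resource` blocks start and end outside these hunks.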
@@ -34,9 +35,10 @@ resource "hcloud_server" "first_control_plane" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
diff --git a/servers.tf b/servers.tf
index 1510017..bb0cfbb 100644
--- a/servers.tf
+++ b/servers.tf
@@ -26,9 +26,10 @@ resource "hcloud_server" "control_planes" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
@@ -37,9 +38,10 @@ resource "hcloud_server" "control_planes" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = var.private_key == null ? null : file(var.private_key)
+ agent_identity = var.private_key == null ? file(var.public_key) : null
+ host = self.ipv4_address
 }
 }
From 07ab83a09fd3f8eea9162f01b19646fb04c92b58 Mon Sep 17 00:00:00 2001
From: phaer
Date: Tue, 25 Jan 2022 14:21:58 +0100
Subject: [PATCH 2/3] use locals to deduplicate ssh key expressions
---
 agents.tf | 8 ++++----
 locals.tf | 10 +++++++++-
 master.tf | 10 +++++-----
 servers.tf | 8 ++++----
 4 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/agents.tf b/agents.tf
index 16f0f05..3ec7d14 100644
--- a/agents.tf
+++ b/agents.tf
@@ -28,8 +28,8 @@ resource "hcloud_server" "agents" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
@@ -40,8 +40,8 @@ resource "hcloud_server" "agents" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
diff --git a/locals.tf b/locals.tf
index 5a4dbe4..4efec23 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,7 +1,15 @@
 locals {
 first_control_plane_network_ip = cidrhost(hcloud_network.k3s.ip_range, 2)
- ssh_public_key = trimspace(file(var.public_key))
 hcloud_image_name = "ubuntu-20.04"
+ ssh_public_key = trimspace(file(var.public_key))
+ # ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
+ ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
+ # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
+ # For terraforms provisioner.connection.agent_identity, we need the public key as a string.
+ ssh_identity = var.private_key == null ? local.ssh_public_key : null
+ # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
+ # if an ssh agent is used.
+ ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
 k3os_install_commands = [
 "apt install -y grub-efi grub-pc-bin mtools xorriso",
diff --git a/master.tf b/master.tf
index ec7cf25..561e1ab 100644
--- a/master.tf
+++ b/master.tf
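Review bot: `ssh_private_key` in the locals.tf hunk (`+ ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))`) reads the entire private key into an ordinary Terraform value, so any future `output`, a `terraform console` query or a verbose log that touches it would print the key in clear; if the module's minimum Terraform version allows it (0.15 and later), wrap it as `ssh_private_key = var.private_key == null ? null : sensitive(trimspace(file(var.private_key)))` so Terraform redacts it wherever it surfaces. The `var.private_key == null` tests behind `ssh_private_key`, `ssh_identity` and `ssh_identity_file` only take the agent branch if `variable "private_key"` is declared so that a null assignment is accepted (a `default = null` on older Terraform releases), and that declaration is not part of this series even though the README now tells users to set `private_key = null`, so please confirm it exists. Minor: the comment `# ssh_identity_file is used for ssh "-i" flag, its the private key ...` should read `it's`, and it would help a reader to add that passing a `.pub` path to `-i` only works because OpenSSH uses it to select the matching key held by the agent. The `locals` block continues past the end of the hunk.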
@@ -24,8 +24,8 @@ resource "hcloud_server" "first_control_plane" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
@@ -36,8 +36,8 @@ resource "hcloud_server" "first_control_plane" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
@@ -45,7 +45,7 @@ resource "hcloud_server" "first_control_plane" {
 # Wait for k3os to be ready and fetch kubeconfig.yaml
 provisioner "local-exec" {
 command = <<-EOT
- sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${var.private_key} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
+ sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${local.ssh_identity_file} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
 sed -i -e 's/127.0.0.1/${self.ipv4_address}/g' ${path.module}/kubeconfig.yaml
 EOT
 }
diff --git a/servers.tf b/servers.tf
index bb0cfbb..ba31ff3 100644
--- a/servers.tf
+++ b/servers.tf
@@ -27,8 +27,8 @@ resource "hcloud_server" "control_planes" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
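Review bot: In the master.tf hunk at -45, `${local.ssh_identity_file}` is interpolated unquoted into the `scp` shell command, so a key path containing whitespace (a `/Users/First Last/.ssh/...` home directory, for instance) splits into several arguments and the fetch fails; quote it, `-i "${local.ssh_identity_file}"`, and for the same reason quote `"${path.module}/kubeconfig.yaml"` on both the `scp` and the `sed` line. Beyond that, the line copies the cluster-admin kubeconfig with `StrictHostKeyChecking=no` and writes it into the module directory with the default umask; the host-key part is hard to avoid without a pinned key, but appending `&& chmod 600 "${path.module}/kubeconfig.yaml"` and adding `# kubeconfig.yaml holds cluster-admin credentials; keep it out of version control` would at least limit local exposure, since I cannot see from this diff whether `.gitignore` covers it. The `sleep 60`/`ping`/`sleep 100` readiness wait is unchanged and still timing-based, but that predates this commit. The `local-exec` provisioner is shown in full; the enclosing `resource` starts and ends outside the hunk.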
@@ -39,8 +39,8 @@ resource "hcloud_server" "control_planes" {
 connection {
 user = "root"
- private_key = var.private_key == null ? null : file(var.private_key)
- agent_identity = var.private_key == null ? file(var.public_key) : null
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
 host = self.ipv4_address
 }
 }
From d8fccc5ccb1d8e5de6ef1b08d72bbb7fa28efd60 Mon Sep 17 00:00:00 2001
From: phaer
Date: Tue, 25 Jan 2022 14:33:28 +0100
Subject: [PATCH 3/3] document ssh agent usage in README.md
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 98722d0..2b2d4be 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,9 @@ _The Hetzner cli `hcloud` is also useful to have, mainly for debugging without h
 ### 💡 [Do not skip] Creating the terraform.tfvars file
 1. Create a project in your [Hetzner Cloud Console](https://console.hetzner.cloud/), and go to **Security > API Tokens** of that project to grab the API key. Take note of the key! ✅
-2. Generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+2. Either...
+ ...generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+ ...or make sure you have got an SSH agent running and your key is loaded (`ssh-add -L` to verify) and set `private_key = null` ✅
 3. Copy `terraform.tfvars.example` to `terraform.tfvars`, and replace the values from steps 1 and 2. ✅
 4. (Optional) There are other variables in `terraform.tfvars` that could be customized, like Hetzner region, and the node counts and sizes.