From 56f9a7ddc55a0942856780ec973fc23ee652d6ab Mon Sep 17 00:00:00 2001
From: Zack Cerza
Date: Fri, 29 Jul 2022 13:42:48 -0600
Subject: [PATCH] containers: Use secrets for SSH keys, not env vars

---
 containers/testnode/Dockerfile | 2 +-
 containers/testnode/testnode_start.sh | 4 ++--
 containers/teuthology-dev/Dockerfile | 7 +++----
 containers/teuthology-dev/teuthology.sh | 5 +----
 4 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/containers/testnode/Dockerfile b/containers/testnode/Dockerfile
index 016d32117a..355b6951f8 100644
--- a/containers/testnode/Dockerfile
+++ b/containers/testnode/Dockerfile
@@ -14,7 +14,7 @@ COPY testnode_start.sh /
 COPY testnode_stop.sh /
 COPY testnode_sudoers /etc/sudoers.d/teuthology
 RUN \
- ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' && \
+ ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' && \
 sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config && \
 mkdir -p /root/.ssh && \
 chmod 700 /root/.ssh && \
diff --git a/containers/testnode/testnode_start.sh b/containers/testnode/testnode_start.sh
index d29c3b6d0a..46d44179eb 100755
--- a/containers/testnode/testnode_start.sh
+++ b/containers/testnode/testnode_start.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/bash
 set -x
-echo "$SSH_PUBKEY" > /root/.ssh/authorized_keys
-echo "$SSH_PUBKEY" > /home/ubuntu/.ssh/authorized_keys
+cat /run/secrets/id_rsa.pub >> /root/.ssh/authorized_keys
+cat /run/secrets/id_rsa.pub >> /home/ubuntu/.ssh/authorized_keys
 chown ubuntu /home/ubuntu/.ssh/authorized_keys
 payload="{\"name\": \"$(hostname)\", \"machine_type\": \"testnode\", \"up\": true, \"locked\": false, \"os_type\": \"ubuntu\", \"os_version\": \"20.04\"}"
 for i in $(seq 1 5); do
diff --git a/containers/teuthology-dev/Dockerfile b/containers/teuthology-dev/Dockerfile
index f350b31dbd..c2566a0455 100644
--- a/containers/teuthology-dev/Dockerfile
+++ b/containers/teuthology-dev/Dockerfile
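Review bot: The host key produced by the new `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''` line is generated at image build time, so every container started from this image presents the same host key and its private half is stored in an image layer. If per-container host identity matters, generate the key at container start (in testnode_start.sh) instead of in the RUN step; if the shared key is intentional, say so with `# host key is baked into the image and shared by all containers`. A `-t ed25519` host key would also sidestep the default RSA key size question. The RUN command continues past the hunk.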
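Review bot: The two new `cat /run/secrets/id_rsa.pub >> ...` lines have no check that the secret is actually mounted, and because the script runs under `set -x` only (no `set -e`), a failed cat leaves authorized_keys untouched while the script goes on to register the node as up. Add `[ -r /run/secrets/id_rsa.pub ] || { echo 'missing /run/secrets/id_rsa.pub' >&2; exit 1; }` before the two cat lines. Switching from `>` to `>>` also means a restarted container whose home directories persist appends a duplicate key line on every start, if such persistence applies here. The script continues past the hunk.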
@@ -1,5 +1,4 @@
 FROM ubuntu:latest
-ARG SSH_PRIVKEY_FILE=id_ed25519
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && \
 apt-get install -y \
@@ -36,8 +35,8 @@ COPY containers/teuthology-dev/ansible_inventory/hosts /etc/ansible/
 COPY containers/teuthology-dev/ansible_inventory/secrets /etc/ansible/
 RUN \
 mkdir $HOME/.ssh && \
- touch $HOME/.ssh/${SSH_PRIVKEY_FILE} && \
- chmod 600 $HOME/.ssh/${SSH_PRIVKEY_FILE} && \
+ touch $HOME/.ssh/id_rsa && \
+ chmod 600 $HOME/.ssh/id_rsa && \
 echo "StrictHostKeyChecking=no" > $HOME/.ssh/config && \
 echo "UserKnownHostsFile=/dev/null" >> $HOME/.ssh/config
-ENTRYPOINT /teuthology.sh
\ No newline at end of file
+ENTRYPOINT /teuthology.sh
diff --git a/containers/teuthology-dev/teuthology.sh b/containers/teuthology-dev/teuthology.sh
index 0378f93d44..7f8eed6501 100755
--- a/containers/teuthology-dev/teuthology.sh
+++ b/containers/teuthology-dev/teuthology.sh
@@ -1,11 +1,8 @@
 #!/usr/bin/bash
 set -e
-# We don't want -x yet, in case the private key is sensitive
-if [ -n "$SSH_PRIVKEY_FILE" ]; then
- echo "$SSH_PRIVKEY" > $HOME/.ssh/$SSH_PRIVKEY_FILE
-fi
 source /teuthology/virtualenv/bin/activate
 set -x
+cat /run/secrets/id_rsa > $HOME/.ssh/id_rsa
 if [ -n "$TESTNODES" ]; then
 for node in $(echo $TESTNODES | tr , ' '); do
 teuthology-update-inventory -m $MACHINE_TYPE $node
-- 
2.39.5
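Review bot: `ENTRYPOINT /teuthology.sh` in the second hunk uses the shell form, so the script runs as a child of `/bin/sh` and does not receive the runtime's stop signal directly; prefer the exec form `ENTRYPOINT ["/teuthology.sh"]`. The new `touch`/`chmod 600` pair on `$HOME/.ssh/id_rsa` only makes sense because the redirect in teuthology.sh later inherits that mode, which is not obvious from this file; a comment such as `# pre-create with 0600 so the redirect in teuthology.sh keeps the mode` would stop a future cleanup from removing it. The RUN command in the first hunk continues past the hunk.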
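Review bot: The new `cat /run/secrets/id_rsa > $HOME/.ssh/id_rsa` line depends on the image having pre-created the target file with mode 0600; if that file is ever missing, the redirect creates it under the default umask and ssh refuses the key as unprotected. `install -m 600 /run/secrets/id_rsa "$HOME/.ssh/id_rsa"` makes the mode explicit and quotes `$HOME` in one line. Under `set -e` a missing secret mount aborts the script here, which is the right outcome and worth noting with `# aborts (set -e) if the id_rsa secret is not mounted`. The script continues past the hunk.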