rke/hosts/dialer.go

package hosts

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"

	"k8s.io/client-go/transport"

	v3 "github.com/rancher/rke/types"
	"golang.org/x/crypto/ssh"
)

const (
	DockerDialerTimeout = 50
)

type DialerFactory func(h *Host) (func(network, address string) (net.Conn, error), error)

type dialer struct {
	signer          ssh.Signer
	sshKeyString    string
	sshCertString   string
	sshAddress      string
	username        string
	netConn         string
	dockerSocket    string
	useSSHAgentAuth bool
	bastionDialer   *dialer
}

type DialersOptions struct {
	DockerDialerFactory    DialerFactory
	LocalConnDialerFactory DialerFactory
	K8sWrapTransport       transport.WrapperFunc
}

func GetDialerOptions(d, l DialerFactory, w transport.WrapperFunc) DialersOptions {
	return DialersOptions{
		DockerDialerFactory:    d,
		LocalConnDialerFactory: l,
		K8sWrapTransport:       w,
	}
}

func newDialer(h *Host, kind string) (*dialer, error) {
	// Check for Bastion host connection
	var bastionDialer *dialer
	if len(h.BastionHost.Address) > 0 {
		bastionDialer = &dialer{
			sshAddress:      fmt.Sprintf("%s:%s", h.BastionHost.Address, h.BastionHost.Port),
			username:        h.BastionHost.User,
			sshKeyString:    h.BastionHost.SSHKey,
			sshCertString:   h.BastionHost.SSHCert,
			netConn:         "tcp",
			useSSHAgentAuth: h.SSHAgentAuth,
		}
		if bastionDialer.sshKeyString == "" && !bastionDialer.useSSHAgentAuth {
			var err error
			bastionDialer.sshKeyString, err = privateKeyPath(h.BastionHost.SSHKeyPath)
			if err != nil {
				return nil, err
			}

			if bastionDialer.sshCertString == "" && len(h.BastionHost.SSHCertPath) > 0 {
				bastionDialer.sshCertString, err = certificatePath(h.BastionHost.SSHCertPath)
				if err != nil {
					return nil, err
				}
			}
		}
	}

	dialer := &dialer{
		sshAddress:      fmt.Sprintf("%s:%s", h.Address, h.Port),
		username:        h.User,
		dockerSocket:    h.DockerSocket,
		sshKeyString:    h.SSHKey,
		sshCertString:   h.SSHCert,
		netConn:         "unix",
		useSSHAgentAuth: h.SSHAgentAuth,
		bastionDialer:   bastionDialer,
	}

	if dialer.sshKeyString == "" && !dialer.useSSHAgentAuth {
		var err error
		dialer.sshKeyString, err = privateKeyPath(h.SSHKeyPath)
		if err != nil {
			return nil, err
		}

		if dialer.sshCertString == "" && len(h.SSHCertPath) > 0 {
			dialer.sshCertString, err = certificatePath(h.SSHCertPath)
			if err != nil {
				return nil, err
			}
		}
	}

	switch kind {
	case "network", "health":
		dialer.netConn = "tcp"
	}

	if len(dialer.dockerSocket) == 0 {
		dialer.dockerSocket = "/var/run/docker.sock"
	}

	return dialer, nil
}

func SSHFactory(h *Host) (func(network, address string) (net.Conn, error), error) {
	dialer, err := newDialer(h, "docker")
	return dialer.Dial, err
}

func LocalConnFactory(h *Host) (func(network, address string) (net.Conn, error), error) {
	dialer, err := newDialer(h, "network")
	return dialer.Dial, err
}

func (d *dialer) DialDocker(network, addr string) (net.Conn, error) {
	return d.Dial(network, addr)
}

func (d *dialer) DialLocalConn(network, addr string) (net.Conn, error) {
	return d.Dial(network, addr)
}

func (d *dialer) Dial(network, addr string) (net.Conn, error) {
	var conn *ssh.Client
	var err error
	if d.bastionDialer != nil {
		conn, err = d.getBastionHostTunnelConn()
	} else {
		conn, err = d.getSSHTunnelConnection()
	}
	if err != nil {
		if strings.Contains(err.Error(), "no key found") {
			return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if the configured key or specified key file is a valid SSH Private Key. Error: %v", d.sshAddress, err)
		} else if strings.Contains(err.Error(), "no supported methods remain") {
			return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if you are able to SSH to the node using the specified SSH Private Key and if you have configured the correct SSH username. Error: %v", d.sshAddress, err)
		} else if strings.Contains(err.Error(), "cannot decode encrypted private keys") {
			return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Using encrypted private keys is only supported using ssh-agent. Please configure the option `ssh_agent_auth: true` in the configuration file or use --ssh-agent-auth as a parameter when running RKE. This will use the `SSH_AUTH_SOCK` environment variable. Error: %v", d.sshAddress, err)
		} else if strings.Contains(err.Error(), "operation timed out") {
			return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if the node is up and is accepting SSH connections or check network policies and firewall rules. Error: %v", d.sshAddress, err)
		}
		return nil, fmt.Errorf("Failed to dial ssh using address [%s]: %v", d.sshAddress, err)
	}

	// Docker Socket....
	if d.netConn == "unix" {
		addr = d.dockerSocket
		network = d.netConn
	}

	remote, err := conn.Dial(network, addr)
	if err != nil {
		if strings.Contains(err.Error(), "connect failed") {
			return nil, fmt.Errorf("Unable to access the service on %s. The service might be still starting up. Error: %v", addr, err)
		} else if strings.Contains(err.Error(), "administratively prohibited") {
			return nil, fmt.Errorf("Unable to access the Docker socket (%s). Please check if the configured user can execute `docker ps` on the node, and if the SSH server version is at least version 6.7 or higher. If you are using RedHat/CentOS, you can't use the user `root`. Please refer to the documentation for more instructions. Error: %v", addr, err)
		}
		return nil, fmt.Errorf("Failed to dial to %s: %v", addr, err)
	}
	return remote, err
}

func (d *dialer) getSSHTunnelConnection() (*ssh.Client, error) {
	cfg, err := getSSHConfig(d.username, d.sshKeyString, d.sshCertString, d.useSSHAgentAuth)
	if err != nil {
		return nil, fmt.Errorf("Error configuring SSH: %v", err)
	}
	// Establish connection with SSH server
	return ssh.Dial("tcp", d.sshAddress, cfg)
}

func (h *Host) newHTTPClient(dialerFactory DialerFactory) (*http.Client, error) {
	factory := dialerFactory
	if factory == nil {
		factory = SSHFactory
	}

	dialer, err := factory(h)
	if err != nil {
		return nil, err
	}
	dockerDialerTimeout := time.Second * DockerDialerTimeout
	return &http.Client{
		Transport: &http.Transport{
			Dial:                  dialer,
			TLSHandshakeTimeout:   dockerDialerTimeout,
			IdleConnTimeout:       dockerDialerTimeout,
			ResponseHeaderTimeout: dockerDialerTimeout,
		},
	}, nil
}

func (d *dialer) getBastionHostTunnelConn() (*ssh.Client, error) {
	bastionCfg, err := getSSHConfig(d.bastionDialer.username, d.bastionDialer.sshKeyString, d.bastionDialer.sshCertString, d.bastionDialer.useSSHAgentAuth)
	if err != nil {
		return nil, fmt.Errorf("Error configuring SSH for bastion host [%s]: %v", d.bastionDialer.sshAddress, err)
	}
	bastionClient, err := ssh.Dial("tcp", d.bastionDialer.sshAddress, bastionCfg)
	if err != nil {
		return nil, fmt.Errorf("Failed to connect to the bastion host [%s]: %v", d.bastionDialer.sshAddress, err)
	}
	conn, err := bastionClient.Dial(d.bastionDialer.netConn, d.sshAddress)
	if err != nil {
		return nil, fmt.Errorf("Failed to connect to the host [%s]: %v", d.sshAddress, err)
	}
	cfg, err := getSSHConfig(d.username, d.sshKeyString, d.sshCertString, d.useSSHAgentAuth)
	if err != nil {
		return nil, fmt.Errorf("Error configuring SSH for host [%s]: %v", d.sshAddress, err)
	}
	newClientConn, channels, sshRequest, err := ssh.NewClientConn(conn, d.sshAddress, cfg)
	if err != nil {
		return nil, fmt.Errorf("Failed to establish new ssh client conn [%s]: %v", d.sshAddress, err)
	}
	return ssh.NewClient(newClientConn, channels, sshRequest), nil
}

func BastionHostWrapTransport(bastionHost v3.BastionHost) (transport.WrapperFunc, error) {

	bastionDialer := &dialer{
		sshAddress:      fmt.Sprintf("%s:%s", bastionHost.Address, bastionHost.Port),
		username:        bastionHost.User,
		sshKeyString:    bastionHost.SSHKey,
		sshCertString:   bastionHost.SSHCert,
		netConn:         "tcp",
		useSSHAgentAuth: bastionHost.SSHAgentAuth,
	}

	if bastionDialer.sshKeyString == "" && !bastionDialer.useSSHAgentAuth {
		var err error
		bastionDialer.sshKeyString, err = privateKeyPath(bastionHost.SSHKeyPath)
		if err != nil {
			return nil, err
		}

	}

	if bastionDialer.sshCertString == "" && len(bastionHost.SSHCertPath) > 0 {
		var err error
		bastionDialer.sshCertString, err = certificatePath(bastionHost.SSHCertPath)
		if err != nil {
			return nil, err
		}

	}
	return func(rt http.RoundTripper) http.RoundTripper {
		if ht, ok := rt.(*http.Transport); ok {
			ht.DialContext = nil
			ht.DialTLS = nil
			ht.Dial = bastionDialer.Dial
		}
		return rt
	}, nil
}
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`package hosts`

			`import (`
			`"fmt"`
			`"net"`
			`"net/http"`
Better guidance on SSH errors 2018-07-11 15:22:38 +00:00			`"strings"`
Set timeouts for docker dialer 2018-03-27 21:07:16 +00:00			`"time"`
Set up kubernetes components 2017-10-29 09:45:21 +00:00
Remove references to rancher/types 2020-07-11 16:24:19 +00:00			`"k8s.io/client-go/transport"`

			`v3 "github.com/rancher/rke/types"`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`"golang.org/x/crypto/ssh"`
			`)`

Set timeouts for docker dialer 2018-03-27 21:07:16 +00:00			`const (`
Add dind mode to rke 2018-07-10 19:21:27 +00:00			`DockerDialerTimeout = 50`
Set timeouts for docker dialer 2018-03-27 21:07:16 +00:00			`)`

Add Dialer Factory 2017-12-16 03:38:15 +00:00			`type DialerFactory func(h *Host) (func(network, address string) (net.Conn, error), error)`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`type dialer struct {`
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`signer ssh.Signer`
			`sshKeyString string`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`sshCertString string`
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`sshAddress string`
			`username string`
			`netConn string`
			`dockerSocket string`
			`useSSHAgentAuth bool`
Bastion host 2018-05-08 22:30:50 +00:00			`bastionDialer *dialer`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`}`

Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`type DialersOptions struct {`
			`DockerDialerFactory DialerFactory`
			`LocalConnDialerFactory DialerFactory`
Update to new certs package since latest k8s dropped it 2019-08-19 17:53:15 +00:00			`K8sWrapTransport transport.WrapperFunc`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`}`

Update to new certs package since latest k8s dropped it 2019-08-19 17:53:15 +00:00			`func GetDialerOptions(d, l DialerFactory, w transport.WrapperFunc) DialersOptions {`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`return DialersOptions{`
			`DockerDialerFactory: d,`
			`LocalConnDialerFactory: l,`
			`K8sWrapTransport: w,`
			`}`
			`}`

Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`func newDialer(h Host, kind string) (dialer, error) {`
Bastion host 2018-05-08 22:30:50 +00:00			`// Check for Bastion host connection`
			`var bastionDialer *dialer`
			`if len(h.BastionHost.Address) > 0 {`
			`bastionDialer = &dialer{`
			`sshAddress: fmt.Sprintf("%s:%s", h.BastionHost.Address, h.BastionHost.Port),`
			`username: h.BastionHost.User,`
			`sshKeyString: h.BastionHost.SSHKey,`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`sshCertString: h.BastionHost.SSHCert,`
Bastion host 2018-05-08 22:30:50 +00:00			`netConn: "tcp",`
			`useSSHAgentAuth: h.SSHAgentAuth,`
			`}`
Skip check for private key if using ssh agent 2018-08-28 19:44:06 +00:00			`if bastionDialer.sshKeyString == "" && !bastionDialer.useSSHAgentAuth {`
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`var err error`
			`bastionDialer.sshKeyString, err = privateKeyPath(h.BastionHost.SSHKeyPath)`
			`if err != nil {`
			`return nil, err`
			`}`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00
			`if bastionDialer.sshCertString == "" && len(h.BastionHost.SSHCertPath) > 0 {`
			`bastionDialer.sshCertString, err = certificatePath(h.BastionHost.SSHCertPath)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`
Bastion host 2018-05-08 22:30:50 +00:00			`}`
			`}`

Add Dialer Factory 2017-12-16 03:38:15 +00:00			`dialer := &dialer{`
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`sshAddress: fmt.Sprintf("%s:%s", h.Address, h.Port),`
			`username: h.User,`
			`dockerSocket: h.DockerSocket,`
			`sshKeyString: h.SSHKey,`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`sshCertString: h.SSHCert,`
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`netConn: "unix",`
			`useSSHAgentAuth: h.SSHAgentAuth,`
Bastion host 2018-05-08 22:30:50 +00:00			`bastionDialer: bastionDialer,`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
Set up kubernetes components 2017-10-29 09:45:21 +00:00
Skip check for private key if using ssh agent 2018-08-28 19:44:06 +00:00			`if dialer.sshKeyString == "" && !dialer.useSSHAgentAuth {`
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`var err error`
			`dialer.sshKeyString, err = privateKeyPath(h.SSHKeyPath)`
			`if err != nil {`
			`return nil, err`
			`}`

Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`if dialer.sshCertString == "" && len(h.SSHCertPath) > 0 {`
			`dialer.sshCertString, err = certificatePath(h.SSHCertPath)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-19 22:18:27 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
			`switch kind {`
			`case "network", "health":`
			`dialer.netConn = "tcp"`
			`}`

			`if len(dialer.dockerSocket) == 0 {`
			`dialer.dockerSocket = "/var/run/docker.sock"`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-19 22:18:27 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
			`return dialer, nil`
			`}`

			`func SSHFactory(h *Host) (func(network, address string) (net.Conn, error), error) {`
			`dialer, err := newDialer(h, "docker")`
			`return dialer.Dial, err`
			`}`

			`func LocalConnFactory(h *Host) (func(network, address string) (net.Conn, error), error) {`
			`dialer, err := newDialer(h, "network")`
			`return dialer.Dial, err`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-19 22:18:27 +00:00			`}`

			`func (d *dialer) DialDocker(network, addr string) (net.Conn, error) {`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`return d.Dial(network, addr)`
			`}`

			`func (d *dialer) DialLocalConn(network, addr string) (net.Conn, error) {`
			`return d.Dial(network, addr)`
			`}`

			`func (d *dialer) Dial(network, addr string) (net.Conn, error) {`
Bastion host 2018-05-08 22:30:50 +00:00			`var conn *ssh.Client`
			`var err error`
			`if d.bastionDialer != nil {`
			`conn, err = d.getBastionHostTunnelConn()`
			`} else {`
			`conn, err = d.getSSHTunnelConnection()`
			`}`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`if err != nil {`
Better guidance on SSH errors 2018-07-11 15:22:38 +00:00			`if strings.Contains(err.Error(), "no key found") {`
			`return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if the configured key or specified key file is a valid SSH Private Key. Error: %v", d.sshAddress, err)`
			`} else if strings.Contains(err.Error(), "no supported methods remain") {`
			`return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if you are able to SSH to the node using the specified SSH Private Key and if you have configured the correct SSH username. Error: %v", d.sshAddress, err)`
			`} else if strings.Contains(err.Error(), "cannot decode encrypted private keys") {`
			return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Using encrypted private keys is only supported using ssh-agent. Please configure the option `ssh_agent_auth: true` in the configuration file or use --ssh-agent-auth as a parameter when running RKE. This will use the `SSH_AUTH_SOCK` environment variable. Error: %v", d.sshAddress, err)
Add better error when node is unreachable 2018-07-27 18:36:33 +00:00			`} else if strings.Contains(err.Error(), "operation timed out") {`
			`return nil, fmt.Errorf("Unable to access node with address [%s] using SSH. Please check if the node is up and is accepting SSH connections or check network policies and firewall rules. Error: %v", d.sshAddress, err)`
Better guidance on SSH errors 2018-07-11 15:22:38 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`return nil, fmt.Errorf("Failed to dial ssh using address [%s]: %v", d.sshAddress, err)`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
			`// Docker Socket....`
			`if d.netConn == "unix" {`
			`addr = d.dockerSocket`
			`network = d.netConn`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
			`remote, err := conn.Dial(network, addr)`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`if err != nil {`
Add distinction between failed to dial errors 2018-07-20 18:39:57 +00:00			`if strings.Contains(err.Error(), "connect failed") {`
			`return nil, fmt.Errorf("Unable to access the service on %s. The service might be still starting up. Error: %v", addr, err)`
			`} else if strings.Contains(err.Error(), "administratively prohibited") {`
			return nil, fmt.Errorf("Unable to access the Docker socket (%s). Please check if the configured user can execute `docker ps` on the node, and if the SSH server version is at least version 6.7 or higher. If you are using RedHat/CentOS, you can't use the user `root`. Please refer to the documentation for more instructions. Error: %v", addr, err)
			`}`
			`return nil, fmt.Errorf("Failed to dial to %s: %v", addr, err)`
Set up kubernetes components 2017-10-29 09:45:21 +00:00			`}`
			`return remote, err`
			`}`
Add Dialer Factory 2017-12-16 03:38:15 +00:00
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`func (d dialer) getSSHTunnelConnection() (ssh.Client, error) {`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`cfg, err := getSSHConfig(d.username, d.sshKeyString, d.sshCertString, d.useSSHAgentAuth)`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-19 22:18:27 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("Error configuring SSH: %v", err)`
			`}`
			`// Establish connection with SSH server`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`return ssh.Dial("tcp", d.sshAddress, cfg)`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-19 22:18:27 +00:00			`}`

Add Dialer Factory 2017-12-16 03:38:15 +00:00			`func (h Host) newHTTPClient(dialerFactory DialerFactory) (http.Client, error) {`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`factory := dialerFactory`
			`if factory == nil {`
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`factory = SSHFactory`
			`}`

			`dialer, err := factory(h)`
			`if err != nil {`
			`return nil, err`
			`}`
Set timeouts for docker dialer 2018-03-27 21:07:16 +00:00			`dockerDialerTimeout := time.Second * DockerDialerTimeout`
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`return &http.Client{`
			`Transport: &http.Transport{`
Set timeouts for docker dialer 2018-03-27 21:07:16 +00:00			`Dial: dialer,`
			`TLSHandshakeTimeout: dockerDialerTimeout,`
			`IdleConnTimeout: dockerDialerTimeout,`
			`ResponseHeaderTimeout: dockerDialerTimeout,`
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`},`
			`}, nil`
			`}`
Bastion host 2018-05-08 22:30:50 +00:00
			`func (d dialer) getBastionHostTunnelConn() (ssh.Client, error) {`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`bastionCfg, err := getSSHConfig(d.bastionDialer.username, d.bastionDialer.sshKeyString, d.bastionDialer.sshCertString, d.bastionDialer.useSSHAgentAuth)`
Bastion host 2018-05-08 22:30:50 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("Error configuring SSH for bastion host [%s]: %v", d.bastionDialer.sshAddress, err)`
			`}`
			`bastionClient, err := ssh.Dial("tcp", d.bastionDialer.sshAddress, bastionCfg)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to connect to the bastion host [%s]: %v", d.bastionDialer.sshAddress, err)`
			`}`
			`conn, err := bastionClient.Dial(d.bastionDialer.netConn, d.sshAddress)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to connect to the host [%s]: %v", d.sshAddress, err)`
			`}`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`cfg, err := getSSHConfig(d.username, d.sshKeyString, d.sshCertString, d.useSSHAgentAuth)`
Bastion host 2018-05-08 22:30:50 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("Error configuring SSH for host [%s]: %v", d.sshAddress, err)`
			`}`
			`newClientConn, channels, sshRequest, err := ssh.NewClientConn(conn, d.sshAddress, cfg)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to establish new ssh client conn [%s]: %v", d.sshAddress, err)`
			`}`
			`return ssh.NewClient(newClientConn, channels, sshRequest), nil`
			`}`

Update to new certs package since latest k8s dropped it 2019-08-19 17:53:15 +00:00			`func BastionHostWrapTransport(bastionHost v3.BastionHost) (transport.WrapperFunc, error) {`
Bastion host 2018-05-08 22:30:50 +00:00
			`bastionDialer := &dialer{`
			`sshAddress: fmt.Sprintf("%s:%s", bastionHost.Address, bastionHost.Port),`
			`username: bastionHost.User,`
			`sshKeyString: bastionHost.SSHKey,`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`sshCertString: bastionHost.SSHCert,`
Bastion host 2018-05-08 22:30:50 +00:00			`netConn: "tcp",`
			`useSSHAgentAuth: bastionHost.SSHAgentAuth,`
			`}`

fix ssh agent auth with bastion host 2019-09-26 14:06:40 +00:00			`if bastionDialer.sshKeyString == "" && !bastionDialer.useSSHAgentAuth {`
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`var err error`
			`bastionDialer.sshKeyString, err = privateKeyPath(bastionHost.SSHKeyPath)`
			`if err != nil {`
			`return nil, err`
			`}`

Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`}`

			`if bastionDialer.sshCertString == "" && len(bastionHost.SSHCertPath) > 0 {`
			`var err error`
			`bastionDialer.sshCertString, err = certificatePath(bastionHost.SSHCertPath)`
			`if err != nil {`
			`return nil, err`
			`}`

Bastion host 2018-05-08 22:30:50 +00:00			`}`
			`return func(rt http.RoundTripper) http.RoundTripper {`
			`if ht, ok := rt.(*http.Transport); ok {`
			`ht.DialContext = nil`
			`ht.DialTLS = nil`
			`ht.Dial = bastionDialer.Dial`
			`}`
			`return rt`
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`}, nil`
Bastion host 2018-05-08 22:30:50 +00:00			`}`