feat: implement RFC 16 to allow emergency node access

.github/actions/e2e_emergency_ssh/action.yml

@@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done

.github/actions/e2e_test/action.yml

@@ -56,7 +56,7 @@ inputs:
     description: "Azure credentials authorized to create an IAM configuration."
     required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
@@ -115,7 +115,7 @@ runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -149,6 +149,8 @@ runs:
 
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: terraform
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -444,3 +446,9 @@ runs:
         s3AccessKey: ${{ inputs.s3AccessKey }}
         s3SecretKey: ${{ inputs.s3SecretKey }}
         githubToken: ${{ inputs.githubToken }}
+
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}

.github/workflows/e2e-test-weekly.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
     runs-on: ubuntu-24.04
     permissions:
@@ -51,6 +51,33 @@ jobs:
           # Tests on main-debug refStream
           #
 
+          # Emergency SSH test on latest k8s version
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
           # Sonobuoy full test on latest k8s version
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
@@ -138,7 +165,6 @@ jobs:
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
 
-
           # verify test on latest k8s version
           - test: "verify"
             refStream: "ref/main/stream/debug/?"

.github/workflows/e2e-test.yml

@@ -40,6 +40,7 @@ on:
           - "recover"
           - "malicious join"
           - "s3proxy"
+          - "emergency ssh"
           - "nop"
         required: true
       kubernetesVersion:

cli/internal/cmd/ssh.go

@@ -10,7 +10,6 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -28,12 +27,12 @@ import (
 func NewSSHCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "ssh",
-		Short: "Prepare your cluster for emergency ssh access",
-		Long:  "Prepare your cluster for emergency ssh access and sign a given key pair for authorization.",
+		Short: "Generate a certificate for emergency SSH access",
+		Long:  "Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster.",
 		Args:  cobra.ExactArgs(0),
 		RunE:  runSSH,
 	}
-	cmd.Flags().String("key", "", "the path to an existing ssh public key")
+	cmd.Flags().String("key", "", "the path to an existing SSH public key")
 	must(cmd.MarkFlagRequired("key"))
 	return cmd
 }
@@ -54,18 +53,10 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 }
 
 func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error {
-	_, err := fh.Stat(constants.TerraformWorkingDir)
-	if os.IsNotExist(err) {
-		return fmt.Errorf("directory %q does not exist", constants.TerraformWorkingDir)
-	}
-	if err != nil {
-		return err
-	}
-
 	// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
 	var mastersecret uri.MasterSecret
-	if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
-		return fmt.Errorf("reading master secret: %s", err)
+	if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
+		return fmt.Errorf("reading master secret (does %q exist?): %w", constants.MasterSecretFilename, err)
 	}
 
 	mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt}
@@ -80,7 +71,7 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 
 	ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
 	if err != nil {
-		return fmt.Errorf("generating ssh emergency CA key: %s", err)
+		return fmt.Errorf("generating SSH emergency CA key: %s", err)
 	}
 
 	debugLogger.Debug("SSH CA KEY generated", "public-key", string(ssh.MarshalAuthorizedKey(ca.PublicKey())))
@@ -103,8 +94,8 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 		ValidPrincipals: []string{"root"},
 		Permissions: ssh.Permissions{
 			Extensions: map[string]string{
-				"permit-port-forwarding": "yes",
-				"permit-pty":             "yes",
+				"permit-port-forwarding": "",
+				"permit-pty":             "",
 			},
 		},
 	}
@@ -113,10 +104,10 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 	}
 
 	debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate)))
-	if err := fh.Write(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir), ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
+	if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
 		return fmt.Errorf("writing certificate: %s", err)
 	}
-	cmd.Printf("You can now connect to a node using 'ssh -F %s/ssh_config -i <your private key> <node ip>'.\nYou can obtain the private node IP via the web UI of your CSP.\n", constants.TerraformWorkingDir)
+	cmd.Printf("You can now connect to a node using the \"constellation_cert.pub\" certificate.\nLook at the documentation for a how-to guide:\n\n\thttps://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n")
 
 	return nil
 }

cli/internal/cmd/ssh_test.go

@@ -8,7 +8,6 @@ package cmd
 
 import (
 	"bytes"
-	"fmt"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -29,57 +28,39 @@ func TestSSH(t *testing.T) {
 		"salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK"
 	}
 	`
-
-	newFsWithDirectory := func() file.Handler {
-		require := require.New(t)
-		fh := file.NewHandler(afero.NewMemMapFs())
-		require.NoError(fh.MkdirAll(constants.TerraformWorkingDir))
-		return fh
-	}
-	newFsNoDirectory := func() file.Handler {
-		fh := file.NewHandler(afero.NewMemMapFs())
-		return fh
-	}
-
 	testCases := map[string]struct {
 		fh           file.Handler
 		pubKey       string
 		masterSecret string
 		wantErr      bool
 	}{
 		"everything exists": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       someSSHPubKey,
 			masterSecret: someMasterSecret,
 		},
 		"no public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"no master secret": {
-			fh:      newFsWithDirectory(),
+			fh:      file.NewHandler(afero.NewMemMapFs()),
 			pubKey:  someSSHPubKey,
 			wantErr: true,
 		},
 		"malformed public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       "asdf",
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"malformed master secret": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: "asdf",
 			pubKey:       someSSHPubKey,
 			wantErr:      true,
 		},
-		"directory does not exist": {
-			fh:           newFsNoDirectory(),
-			pubKey:       someSSHPubKey,
-			masterSecret: someMasterSecret,
-			wantErr:      true,
-		},
 	}
 
 	for name, tc := range testCases {
@@ -104,7 +85,7 @@ func TestSSH(t *testing.T) {
 				assert.Error(err)
 			} else {
 				assert.NoError(err)
-				cert, err := tc.fh.Read(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir))
+				cert, err := tc.fh.Read("constellation_cert.pub")
 				require.NoError(err)
 				_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
 				require.NoError(err)

docs/docs/reference/cli.md

@@ -39,7 +39,7 @@ Commands:
     * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile
 * [version](#constellation-version): Display version of this CLI
 * [init](#constellation-init): Initialize the Constellation cluster
-* [ssh](#constellation-ssh): Prepare your cluster for emergency ssh access
+* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access
 
 ## constellation config
 
@@ -845,11 +845,11 @@ constellation init [flags]
 
 ## constellation ssh
 
-Prepare your cluster for emergency ssh access
+Generate a certificate for emergency SSH access
 
 ### Synopsis
 
-Prepare your cluster for emergency ssh access and sign a given key pair for authorization.
+Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster.
 
 ```
 constellation ssh [flags]
@@ -859,7 +859,7 @@ constellation ssh [flags]
 
 ```
   -h, --help         help for ssh
-      --key string   the path to an existing ssh public key
+      --key string   the path to an existing SSH public key
 ```
 
 ### Options inherited from parent commands