fix(k3s-cluster): bootstrap user SSH key on first connection (closes #30) #39

Merged: jfreed-dev merged 2 commits into main from fix/30-ssh-bootstrap on May 18, 2026

@jfreed-dev


Summary

When both ssh_key and ssh_password are supplied for a node, add a one-shot password-auth bootstrap that pushes the public key (derived from ssh_key via tls_public_key) into ~/.ssh/authorized_keys before any other step runs. The k3s install resources depend on the bootstrap, so by the time they connect the key is already authorized.

Idempotent — grep -qxF checks before appending.

Why

Right after flash-nodes finishes, Armbian only has the default root / 1234 creds. The user's private key isn't authorized yet, so the k3s install steps fail immediately with ssh: unable to authenticate ... no supported methods remain. Workaround was a manual sshpass ssh-copy-id loop. This makes the module self-bootstrapping when the user opts in by supplying both auth methods.

Compatibility

  • Only ssh_key set (the current docs/contract — user pre-authorizes out of band): zero change.
  • Only ssh_password set (password-forever workflow): zero change.
  • Both set (new opt-in): bootstrap runs once, then key auth takes over.

No new variables — the existing optional ssh_password field doubles as the bootstrap signal. Bootstrap resource triggers on host + the derived pubkey, so it only re-runs when those change.

Test plan

  • terraform fmt -check clean
  • terraform init + terraform validate clean
  • CI: Terraform Validate (modules/k3s-cluster) passes
  • CI: Security Scan passes
  • Manual: rerun the 2-node K3s E2E without pre-running ssh-copy-id — pass both ssh_key = file("~/.secrets/turingpi-cluster") and ssh_password = "1234"; module should bootstrap then install k3s end-to-end.

🤖 Generated with Claude Code

jfreed-dev and others added 2 commits May 18, 2026 11:31
)

Right after a flash-nodes run the Armbian image only has the default
root/1234 credentials and the user's SSH key isn't in authorized_keys
yet, so the k3s install steps fail immediately with "ssh: unable to
authenticate ... no supported methods remain".

Add a one-shot password-auth bootstrap that runs before the k3s install
when both ssh_key and ssh_password are set for a node:

  data.tls_public_key        derives the public key from var.X.ssh_key
  null_resource.bootstrap_*  connects via password, appends the public
                             key to ~/.ssh/authorized_keys (grep -qxF
                             guard makes it idempotent)
  k3s_control_plane / k3s_workers depend on the bootstrap

If only ssh_key is set (key was pre-authorized out of band — today's
contract), nothing changes. If only ssh_password is set, nothing
changes either. The new behavior only kicks in when the user opts in
by supplying both.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jfreed-dev jfreed-dev merged commit 891aed4 into main May 18, 2026
2 checks passed
@jfreed-dev jfreed-dev deleted the fix/30-ssh-bootstrap branch May 18, 2026 15:44
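
The idempotent append described in the summary (a grep -qxF check before writing to authorized_keys), sketched as an added example; this is not the module's own code. The function name authorize_key, its arguments, the permission tightening and the trailing-newline handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys append guarded by grep -qxF.
# authorize_key and its arguments are hypothetical, not taken from the module.

# Usage: authorize_key PUBKEY [SSH_DIR]
# Appends PUBKEY to SSH_DIR/authorized_keys unless an identical line exists.
authorize_key() {
    pubkey=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file=$ssh_dir/authorized_keys

    # One key per call, one line per key: reject empty or multi-line input.
    [ -n "$pubkey" ] || return 2
    case $pubkey in
        *"
"*) return 2 ;;
    esac

    # sshd with StrictModes ignores keys when the directory or file is too open.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # -x matches the whole line, -F treats the key as a fixed string,
    # -q suppresses output: a second run finds the key and changes nothing.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi

    # If the last existing line has no newline, add one first so the new
    # key is not glued onto it (which would invalidate both entries).
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file" || return 1
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}
```
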