
Add ssh key check for autoscaler #731

Merged
vitobotta merged 2 commits into vitobotta:main from privatecoder:add-ssh-key-check
Feb 28, 2026

@privatecoder

Contributor

Attempted goal

  1. Set up a dev cluster with autoscaling nodes
  2. Be able to ssh into autoscaled nodes

Issues

• Could not ssh into autoscaled nodes, because the ssh key was not added to authorized_keys on the node.
• After investigating, I found that your tool sets HCLOUD_SSH_KEY in the cluster-autoscaler deployment to settings.cluster_name so the autoscaler injects that key when it creates nodes.
• As I added the key before under a slightly different name, this did not work.

Solution

Added a check, so that if any worker pool has autoscaling.enabled: true and addons.cluster_autoscaler.enabled: true, it:

  • Finds the SSH key by fingerprint or name.
  • If the key found has a different name than cluster_name, it aborts with a clear error that autoscaler won’t work.
  • If no key exists yet, it lets create proceed (hetzner‑k3s will create it).

If it fails, it prints:

[Configuration] - Cluster autoscaler requires an SSH key named 'dev' in Hetzner. A key with the same fingerprint exists as 'dev1', so hetzner-k3s will not create 'dev'. Autoscaled nodes will be created without SSH keys. Rename or delete the existing key, or change cluster_name.

@vitobotta

Owner

This looks good. A couple of suggestions:

  1. I'd place the validation in a separate validator class - other validators are in separate files (e.g., kubectl_presence.cr, helm_presence.cr). This could be autoscaler_ssh_key.cr for consistency.

  2. The Hetzner API call adds latency to all creates, and this validation runs even for clusters without autoscaling. An early return when autoscaling is not in use would help (either the autoscaler is disabled or no node pools have autoscaling enabled).

WDYT?

@vitobotta

Owner

Actually no worries, I'll do it now since I want to make a new release.

- Move SSH key validation to dedicated autoscaler_ssh_key.cr validator
- Add early return when autoscaling is not in use to avoid API calls
- Check both cluster_autoscaler enabled and node pools with autoscaling

@vitobotta merged commit c030bc5 into vitobotta:main Feb 28, 2026
6 checks passed
@vitobotta

Owner

Merged. Thanks!
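
The check and the early return discussed in this thread, sketched in Python as an added example; it is not the project's Crystal code and not part of the pull request. Assumptions: fingerprints are colon-separated MD5 hex of the key blob, `worker_node_pools` is the pool list key, and `list_keys` is a hypothetical callable standing in for the Hetzner API lookup.

```python
import base64
import hashlib

# Constructed sample, not a real key: the blob is arbitrary bytes.
SAMPLE_PUBLIC_KEY = ("ssh-ed25519 "
                     + base64.b64encode(b"constructed sample key blob").decode()
                     + " dev@example")


def md5_fingerprint(public_key: str) -> str:
    """Colon-separated MD5 of the key blob (assumed fingerprint format)."""
    blob = base64.b64decode(public_key.split()[1])
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def autoscaling_in_use(settings: dict) -> bool:
    """True only if the addon is enabled AND some pool has autoscaling enabled."""
    addon = settings.get("addons", {}).get("cluster_autoscaler", {})
    pools = settings.get("worker_node_pools", [])  # key name is an assumption
    return bool(addon.get("enabled")) and any(
        pool.get("autoscaling", {}).get("enabled") for pool in pools)


def validate_autoscaler_ssh_key(settings: dict, public_key: str, list_keys) -> list:
    """Return error strings; an empty list means the configuration passes.

    list_keys is a hypothetical stand-in for the API lookup and returns
    dicts with "name" and "fingerprint".
    """
    if not autoscaling_in_use(settings):
        return []  # early return: the lookup is never called
    wanted = settings["cluster_name"]
    fingerprint = md5_fingerprint(public_key)
    keys = list_keys()
    # Match by fingerprint first, then by name, as the PR description states.
    found = (next((k for k in keys if k["fingerprint"] == fingerprint), None)
             or next((k for k in keys if k["name"] == wanted), None))
    if found is None or found["name"] == wanted:
        return []  # no key yet (it will be created) or the name already matches
    return [f"Cluster autoscaler requires an SSH key named '{wanted}' in Hetzner. "
            f"A key with the same fingerprint exists as '{found['name']}'. "
            "Rename or delete the existing key, or change cluster_name."]
```

A key found by name passes here even if its fingerprint differs from the local key, since the thread describes only the name comparison.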
