implement small changes

bootstrapper/internal/joinclient/joinclient.go

@@ -272,7 +272,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
 	}
 
 	if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.EmergencyCaKey, file.OptMkdirAll); err != nil {
-		return fmt.Errorf("writing ca key: %w", err)
+		return fmt.Errorf("writing ssh ca key: %w", err)
 	}
 
 	state := nodestate.NodeState{

cli/internal/cmd/ssh.go

@@ -25,13 +25,6 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
-var permissions = ssh.Permissions{
-	Extensions: map[string]string{
-		"permit-port-forwarding": "yes",
-		"permit-pty":             "yes",
-	},
-}
-
 // NewSSHCmd returns a new cobra.Command for the ssh command.
 func NewSSHCmd() *cobra.Command {
 	cmd := &cobra.Command{
@@ -41,7 +34,7 @@ func NewSSHCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(0),
 		RunE:  runSSH,
 	}
-	cmd.Flags().String("key", "", "The path to an existing ssh public key.")
+	cmd.Flags().String("key", "", "the path to an existing ssh public key.")
 	must(cmd.MarkFlagRequired("key"))
 	return cmd
 }
@@ -72,7 +65,7 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
 
 	// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
 	var mastersecret uri.MasterSecret
-	if err = fh.ReadJSON(fmt.Sprintf("%s.json", constants.ConstellationMasterSecretStoreName), &mastersecret); err != nil {
+	if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
 		return fmt.Errorf("reading master secret: %s", err)
 	}
 
@@ -81,12 +74,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
 	if err != nil {
 		return fmt.Errorf("setting up KMS: %s", err)
 	}
-	key, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
+	sshCAKeySeed, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
 	if err != nil {
 		return fmt.Errorf("retrieving key from KMS: %s", err)
 	}
 
-	ca, err := crypto.GenerateEmergencySSHCAKey(key)
+	ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
 	if err != nil {
 		return fmt.Errorf("generating ssh emergency CA key: %s", err)
 	}
@@ -109,7 +102,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
 		ValidAfter:      uint64(time.Now().Unix()),
 		ValidBefore:     uint64(time.Now().Add(24 * time.Hour).Unix()),
 		ValidPrincipals: []string{"root"},
-		Permissions:     permissions,
+		Permissions: ssh.Permissions{
+			Extensions: map[string]string{
+				"permit-port-forwarding": "yes",
+				"permit-pty":             "yes",
+			},
+		},
 	}
 	if err := certificate.SignCert(rand.Reader, ca); err != nil {
 		return fmt.Errorf("signing certificate: %s", err)

internal/crypto/crypto.go

@@ -65,8 +65,8 @@ func GenerateRandomBytes(length int) ([]byte, error) {
 }
 
 // GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access.
-func GenerateEmergencySSHCAKey(key []byte) (ssh.Signer, error) {
-	_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
+func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) {
+	_, priv, err := ed25519.GenerateKey(bytes.NewReader(seed))
 	if err != nil {
 		return nil, err
 	}

internal/crypto/crypto_test.go

@@ -155,9 +155,9 @@ func TestGenerateEmergencySSHCAKey(t *testing.T) {
 
 			_, err := GenerateEmergencySSHCAKey(tc.key)
 			if tc.wantErr {
-				assert.NotNil(err)
+				assert.Error(err)
 			} else {
-				assert.Nil(err)
+				assert.NoError(err)
 			}
 		})
 	}

joinservice/internal/server/server.go

@@ -103,14 +103,14 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 	}
 
 	log.Info("Requesting emergency SSH CA derivation key")
-	ssheCADerivationKey, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
+	sshCAKeySeed, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
 	if err != nil {
-		log.With(slog.Any("error", err)).Error("Failed to get emergency SSH CA derivation key")
-		return nil, status.Errorf(codes.Internal, "getting emergency SSH CA derivation key: %s", err)
+		log.With(slog.Any("error", err)).Error("Failed to get seed material to derive SSH CA key")
+		return nil, status.Errorf(codes.Internal, "getting emergency SSH CA seed material: %s", err)
 	}
-	ca, err := crypto.GenerateEmergencySSHCAKey(ssheCADerivationKey)
+	ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
 	if err != nil {
-		log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from derivation key")
+		log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from seed material")
 		return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
 	}
 
@@ -181,7 +181,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		KubeletCert:              kubeletCert,
 		ControlPlaneFiles:        controlPlaneFiles,
 		KubernetesComponents:     components,
-		EmergencyCaKey:           ssh.MarshalAuthorizedKey(ca.PublicKey()),
+		AuthorizedCaPublicKey:    ssh.MarshalAuthorizedKey(ca.PublicKey()),
 	}, nil
 }
 

joinservice/joinproto/join.proto

@@ -45,8 +45,8 @@ message IssueJoinTicketResponse {
   string kubernetes_version = 9;
   // kubernetes_components is a list of components to install on the node.
   repeated components.Component kubernetes_components = 10;
-  // emergency_ca_key is an ssh ca key that can be used to connect to a node in case of an emergency.
-  bytes emergency_ca_key = 11;
+  // authorized_ca_public_key is an ssh ca key that can be used to connect to a node in case of an emergency.
+  bytes authorized_ca_public_key = 11;
 }
 
 message control_plane_cert_or_key {