Open Vince-Cercury opened 6 years ago
Hi @VinceMD!
More concretely, do you mean the private key of the EC2 key pair associated with the EC2 instances of worker/controller/etcd, right?
If that's the case, I haven't integrated this tool for that yet.
So, I want to discuss a bit more about this.
Would it be nice if `mykeypairname.pem`, which is the private key of the key pair, is encrypted by `$this_tool run ssh` for the first time (or possibly `$this_tool init ssh`), with a declaration of the `ssh` vault like the below on top of #2?

`bin/myssh`:

```bash
#!/usr/bin/env bash
set -e
# mykeypair.pem is decrypted automatically by `$this_tool run myssh $ip`
# and the decrypted file is used directly as the ssh identity
ssh -i mykeypair.pem core@"$1"
```
And `.${this_tool}.yaml`:

```yaml
vaults:
  mysshenv-for-testcluster:
    enabled_if:
      # shell test evaluated by the tool; quoted so it stays a YAML string
      - '[ "$SOPSED_COMMAND" == "bin/myssh" ]'
    files:
      # Running `$this_tool run myssh` for the first time or `$this_tool init myssh`
      # encrypts `mykeypair.pem`, removes it, and stores it inside the vault
      # `.$this_tool/myssh.yaml`
      - mykeypair.pem
```
Note that:

- `vault` is a yaml containing all the encrypted files for the vault
- `$this_tool` is going to be `sopsed` - I'm still figuring out what name it should be

WDYT?
I've played a bit with vaulted and turned out it has a very nice U/X around your use-case.
Basically, you run `vaulted add myvault` to create a `myvault`, and it then interactively prompts you to add any of:
which is encrypted by a passphrase you provide.
That seems much simpler than requiring you to write a yaml file containing what should be included in the vault beforehand.
One more interesting part of vaulted is that, when you run a command via vaulted, it runs a new bash session along with a new ssh-agent. The ssh-agent is pre-populated with an ssh key decrypted from your vault. No need to provide a plain-text ssh key under your project root like I've suggested above for this tool. Neat.
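A shell wrapper reproducing the agent-based approach described in the comment above, as an added example that is not part of the thread and not code from kube-aws, sopsed or vaulted: the key is decrypted by sops (with a KMS master key) straight into a throwaway ssh-agent via `ssh-add -`, so no plaintext key file is written under the project root, and the wrapper refuses to run if a plaintext copy is still lying around or if the "encrypted" file does not actually look sops-encrypted. The paths `.vault/mykeypair.pem.enc` and `mykeypair.pem`, the `core` login user and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, kube-aws, sopsed or vaulted).
# Assumed layout: the encrypted key at .vault/mykeypair.pem.enc was produced by
#   sops --input-type binary --output-type binary --kms <key-arn> -e mykeypair.pem
# and the plaintext mykeypair.pem was deleted afterwards.
set -eu

ENC_KEY="${ENC_KEY:-.vault/mykeypair.pem.enc}"   # assumed path
PLAINTEXT_KEY="${PLAINTEXT_KEY:-mykeypair.pem}"  # assumed name of the plaintext key

# Returns 0 when no plaintext key file exists in directory $1, 1 otherwise.
# Guards against the state the comment above warns about: a decrypted key
# sitting under the project root, ready to be committed by accident.
check_no_plaintext_key() {
  dir="$1"
  if [ -e "$dir/$PLAINTEXT_KEY" ]; then
    echo "refusing to continue: plaintext $dir/$PLAINTEXT_KEY exists; encrypt and remove it first" >&2
    return 1
  fi
  return 0
}

# Returns 0 when file $1 looks like a sops-encrypted document (contains an
# ENC[...] value and no PEM header), 1 otherwise. Catches an unencrypted key
# that was merely renamed to *.enc.
looks_sops_encrypted() {
  grep -q 'ENC\[' "$1" 2>/dev/null || return 1
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Usage: ssh_via_agent <host> [ssh args...]
ssh_via_agent() {
  host="$1"
  shift
  check_no_plaintext_key "$(pwd)"
  if ! looks_sops_encrypted "$ENC_KEY"; then
    echo "$ENC_KEY is not a sops-encrypted file" >&2
    return 1
  fi
  # Throwaway agent for this invocation only; killed when the script exits.
  eval "$(ssh-agent -s)" >/dev/null
  trap 'ssh-agent -k >/dev/null' EXIT
  # `ssh-add -` reads the private key from stdin, so the decrypted bytes flow
  # from sops to the agent without touching disk.
  sops --input-type binary --output-type binary -d "$ENC_KEY" | ssh-add -
  ssh core@"$host" "$@"
}

if [ $# -gt 0 ]; then
  ssh_via_agent "$@"
fi
```

Run it as `bin/myssh 10.0.1.23` from the project root; with KMS as the master key, anyone with `kms:Decrypt` on that key can use the wrapper without a shared passphrase, and the plaintext never exists outside the agent's memory.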
@mumoshu "More concretely, do you mean the private key of the EC2 key pair associated to the EC2 instances of worker/controller/etcd, right?" -> yes exactly
I think it would be great if all those tools (sopsed+vaulted) became standard with kube-aws and the documentation, for beginners to start with a set of good practices.
I'll try Vaulted
@mumoshu I was hoping we could use the same tool and rely on a KMS key instead of password protection. Vaulted seems similar to ansible-vault.
I've added my pem file to vaulted.
How do I ssh to my Kubernetes EC2 from there?
What would be the recommended way to store and share the ssh key of our kube-aws CoreOS boxes? Would this tool help or should we use sops directly? Any pointer on best practice and docs to do so?