b23ef64ee1
Generate a fresh ed25519 key pair at rebuild time, inject the public key into the Proxmox answer file, use the private key for cluster join over SSH, then remove the key from both the remote host and the database. This eliminates the need to manage static SSH keys in config/secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
package orchestrator
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"crypto/rand"
|
|
"encoding/pem"
|
|
"fmt"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
)
|
|
|
|
type KeyPair struct {
|
|
PrivateKey string
|
|
PublicKey string
|
|
}
|
|
|
|
func GenerateEphemeralKey() (*KeyPair, error) {
|
|
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("generate ed25519 key: %w", err)
|
|
}
|
|
|
|
sshPub, err := ssh.NewPublicKey(pub)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("ssh public key: %w", err)
|
|
}
|
|
pubStr := string(ssh.MarshalAuthorizedKey(sshPub))
|
|
|
|
privBytes, err := ssh.MarshalPrivateKey(priv, "")
|
|
if err != nil {
|
|
return nil, fmt.Errorf("marshal private key: %w", err)
|
|
}
|
|
privStr := string(pem.EncodeToMemory(privBytes))
|
|
|
|
return &KeyPair{
|
|
PrivateKey: privStr,
|
|
PublicKey: pubStr,
|
|
}, nil
|
|
}
|
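Review bot: GenerateEphemeralKey returns the unencrypted PEM private key as a `string` and never clears the `priv` slice from `ed25519.GenerateKey`, so the key material cannot be wiped from process memory once the join is done; holding `PrivateKey` as `[]byte` (and calling `clear(priv)` after `ssh.MarshalPrivateKey` if the module targets Go 1.21+) would let the caller zero it after use. The commit message says the key is persisted to the database until the join completes, so the type should state that contract, e.g. `// KeyPair holds a single-use SSH key pair; PrivateKey is unencrypted OpenSSH PEM and must be discarded once the cluster join has consumed it.` Note also that `ssh.MarshalAuthorizedKey` appends a trailing newline to `PublicKey`, which may need trimming depending on how the value is placed in the answer file. Both exported identifiers also lack the doc comment Go convention expects, e.g. `// GenerateEphemeralKey creates a fresh ed25519 key pair encoded in OpenSSH authorized_keys and private-key PEM form.`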