mirror of
https://github.com/neondatabase/autoscaling.git
synced 2025-03-14 13:59:38 +00:00
Simple SSH access into a NeonVM by running `ssh guest-vm` from its runner pod.

## How it works

1. NeonVM Controller makes a secret for each VM. The secret has a pair of public and private keys.
2. NeonVM Controller mounts the secret on the runner pod.
3. Runner pod shares the public key with the VM by mounting a cdrom disk. Runner pod has access to the private key and has an ssh client installed.
4. VM Builder sets up an SSH server inside the VM and uses the shared public key as an authorized key.

The SSH server is accessible through the private network bridge between the runner pod and the VM (`169.254.254.252/30`). For convenience, we add the VM's IP address to the runner pod's `/etc/hosts` as `guest-vm`.

The VM's SSH server is not supposed to be exposed to the rest of the cluster. Currently we don't enforce this and one might expose the SSH server port through `.Spec.Guest.Ports`.

## API Changes

- Added `.Spec.EnableSSH` to VM resource object
- Added `.Status.SSHSecretName` to VM resource object

## Migration

Virtual machine migration controller requires the SSH secret to exist because we cannot unmount and mount the new secret into the VM after the live migration. If a VM's SSH secret is deleted accidentally then live migration won't be possible. We can prevent accidental deletion of SSH secrets by implementing a custom finalizer, but I leave that for another task.

**Other changes:**

- Removing legacy SSH stuff from Makefile, vm-examples and scripts

Resolves https://github.com/neondatabase/cloud/issues/8029.
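The description notes that nothing currently stops a VM spec from publishing the SSH port through `.Spec.Guest.Ports`, even though the SSH server is only meant to be reachable from the runner pod over the `169.254.254.252/30` bridge. The following Go snippet is an added example, not code from the neondatabase/autoscaling project, sketching the kind of validation a webhook or controller could run before accepting a spec. The `VMSpec`, `GuestSpec` and `GuestPort` types are simplified stand-ins for the real CRD types, and the assumption that the in-VM sshd listens on port 22 is mine; only the field names `EnableSSH` and `Guest.Ports` and the bridge CIDR come from the PR text.

```go
package main

import (
	"fmt"
	"net"
)

// GuestPort is a simplified stand-in for one entry of .Spec.Guest.Ports
// (assumed shape; the real CRD type carries more fields).
type GuestPort struct {
	Name string
	Port int
}

// GuestSpec is a simplified stand-in for .Spec.Guest (assumed shape).
type GuestSpec struct {
	Ports []GuestPort
}

// VMSpec is a simplified stand-in for the VM resource's .Spec (assumed shape).
type VMSpec struct {
	EnableSSH bool
	Guest     GuestSpec
}

// sshPort is the port the in-VM SSH server is assumed to listen on.
const sshPort = 22

// bridgeCIDR is the runner-pod/VM private bridge network named in the PR text.
const bridgeCIDR = "169.254.254.252/30"

// ValidateSSHNotExposed rejects a spec that would publish the SSH port via
// .Spec.Guest.Ports while SSH access is enabled. With SSH disabled the port
// list is left alone, since there is no sshd behind it.
func ValidateSSHNotExposed(spec VMSpec) error {
	if !spec.EnableSSH {
		return nil
	}
	for _, p := range spec.Guest.Ports {
		if p.Port == sshPort {
			return fmt.Errorf("guest port %q exposes SSH port %d; the VM's SSH server "+
				"must only be reachable from the runner pod over %s", p.Name, sshPort, bridgeCIDR)
		}
	}
	return nil
}

// IsOnBridge reports whether addr lies inside the runner-pod/VM bridge
// network, i.e. whether it is an address the runner pod is expected to
// reach sshd on (for example the address written to /etc/hosts as guest-vm).
func IsOnBridge(addr string) bool {
	_, ipnet, err := net.ParseCIDR(bridgeCIDR)
	if err != nil {
		return false
	}
	ip := net.ParseIP(addr)
	return ip != nil && ipnet.Contains(ip)
}

func main() {
	// Constructed sample specs, not real VM objects.
	good := VMSpec{EnableSSH: true, Guest: GuestSpec{Ports: []GuestPort{{Name: "postgres", Port: 5432}}}}
	bad := VMSpec{EnableSSH: true, Guest: GuestSpec{Ports: []GuestPort{{Name: "ssh", Port: 22}}}}

	fmt.Println("good spec:", ValidateSSHNotExposed(good)) // <nil>
	fmt.Println("bad spec:", ValidateSSHNotExposed(bad))   // error describing the exposed port
	fmt.Println("169.254.254.254 on bridge:", IsOnBridge("169.254.254.254"))
	fmt.Println("10.0.0.1 on bridge:", IsOnBridge("10.0.0.1"))
}
```

`ValidateSSHNotExposed` is the check the description says is currently missing; a finalizer protecting `.Status.SSHSecretName`'s secret, which the description defers, is a separate concern and not shown here.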