Using setup with Passphrase-Protected Key #11

Open
qdzlug opened this issue Nov 15, 2017 · 1 comment
qdzlug commented Nov 15, 2017

Hi,

Seeing failures when using a key that has a passphrase; key is ~/.ssh/id_rsa and it is available in ssh-agent under Mac OS X High Sierra.

Using a key w/o a passphrase works as expected.

Looking at the Triton Provider docs for terraform it looks like this should work - so I'm not exactly sure why this is failing for me.

Log is here:

/network
  * module.kubemaster1.triton_machine.master: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubemaster2.triton_machine.master: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubemasterdb.triton_machine.mysqldb: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenode1.triton_machine.host: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenode2.triton_machine.host: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodeetcd1.triton_machine.k8setcd: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodeetcd2.triton_machine.k8setcd: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodeetcd3.triton_machine.k8setcd: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodesrvs1.triton_machine.k8sha: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodesrvs2.triton_machine.k8sha: "networks": [DEPRECATED] Networks is deprecated, please use `nic`
  * module.kubenodesrvs3.triton_machine.k8sha: "networks": [DEPRECATED] Networks is deprecated, please use `nic`

Error running plan: 11 error(s) occurred:

* module.kubenodeetcd3.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubemasterdb.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenodesrvs1.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubemaster2.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenode2.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenodeetcd2.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenode1.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenodeetcd1.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubemaster1.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenodesrvs3.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
* module.kubenodesrvs2.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2

Happy to test as needed.

Cheers,

Jay

@ShubhraKar ShubhraKar added the bug label Dec 11, 2017
@madeofstars0

I was having the same error when trying to set up a cluster manager on triton (i.e. ./triton-kubernetes.sh -c)

The final error in my console was this:

Error: Error refreshing state: 1 error(s) occurred:

* module.create_rancher.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: length too large

Reproduction Steps

Create an encrypted SSH Key (RSA 4096)

[master][~/dev/venuenext/triton-kubernetes]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/redbeard/.ssh/id_rsa): /Users/redbeard/.ssh/test1_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/redbeard/.ssh/test1_rsa.
Your public key has been saved in /Users/redbeard/.ssh/test1_rsa.pub.
The key fingerprint is:
SHA256:fk8iaboo/Ya9NDBlOq/yTbVvo+n0fiyEZx50PtynPng [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|                 |
|      o          |
|     +    . .    |
|    =   So + .   |
|     = o.o= + . .|
|   . o= B=oo.o o |
|  o o*o= *=++ E  |
|   ++o*+++++.o.. |
+----[SHA256]-----+
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E916F7FB5664C2EC83FD51D3CCBDB5E4

...
-----END RSA PRIVATE KEY-----

Add public key to Triton Account

Fingerprint: ab:54:40:a1:ee:eb:97:33:a7:bc:64:5a:23:a0:8b:58

Clone Triton Kubernetes

[~/dev/venuenext]$ git clone https://github.com/joyent/triton-kubernetes.git
Cloning into 'triton-kubernetes'...
remote: Counting objects: 570, done.
remote: Compressing objects: 100% (66/66), done.
remote: Total 570 (delta 41), reused 46 (delta 15), pack-reused 487
Receiving objects: 100% (570/570), 6.57 MiB | 2.02 MiB/s, done.
Resolving deltas: 100% (258/258), done.

Setup Dependencies

This is how I had installed terraform, kubectl, etc. I also am running minikube locally with vmware fusion. I doubt this causes the problem, but it is included here for completeness.

brew install terraform
brew install ansible
brew install wget
brew install kubectl
brew cask install minikube
[master][~/dev/venuenext/triton-kubernetes]$ terraform --version
Terraform v0.11.1
[master][~/dev/venuenext/triton-kubernetes]$ ansible --version
ansible 2.4.2.0
  config file = None
  configured module search path = [u'/Users/redbeard/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.4.2.0_1/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.14 (default, Sep 25 2017, 09:53:22) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
[master][~/dev/venuenext/triton-kubernetes]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-16T03:15:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"0b9efaeb34a2fc51ff8e4d34ad9bc6375459c4a4", GitTreeState:"clean", BuildDate:"2017-11-29T22:43:34Z", GoVersion:"go1.9.1", Compiler:"gc", Platform:"linux/amd64"}

Create Triton Profile

[master][~/dev/venuenext/triton-kubernetes]$ triton profile create
A profile name. A short string to identify this profile to the `triton` command.
name: test1_rsa

The CloudAPI endpoint URL.
url: https://us-sw-1.api.joyent.com

Your account login name.
account: venuenext

The fingerprint of the SSH key you want to use to authenticate with CloudAPI.
Specify the fingerprint or the index of one of the found keys in the list
below. If the key you want to use is not listed, make sure it is either saved
in your SSH keys directory (~/.ssh) or loaded into your SSH agent.

1. Fingerprint "..." (4096-bit RSA)
   - ...
   - ...

2. Fingerprint "..." (2048-bit RSA)
   - ...

3. Fingerprint "ab:54:40:a1:ee:eb:97:33:a7:bc:64:5a:23:a0:8b:58" (4096-bit RSA)
   - in homedir (locked): $HOME/.ssh/test1_rsa (comment "[email protected]")

keyId: 3
Using key 3: ab:54:40:a1:ee:eb:97:33:a7:bc:64:5a:23:a0:8b:58

Saved profile "test1_rsa".

# Docker setup

This section will setup authentication to Triton DataCenter's Docker endpoint
using your account and key information specified above. This is only required
if you intend to use `docker` with this profile.

WARNING: Docker uses authentication via client TLS certificates that do not
support encrypted (passphrase protected) keys or SSH agents. If you continue,
this profile setup will attempt to write a copy of your SSH private key
formatted as an unencrypted TLS certificate in "~/.triton/docker" for use by
the Docker client.

Continue? [y/n] y

Enter passphrase for test1_rsa:
Setting up profile "test1_rsa" to use Docker.
Successfully setup profile "test1_rsa" to use Docker (v17.09.0-ce).

To setup environment variables to use the Docker client, run:
    eval "$(triton env --docker test1_rsa)"
    docker info
Or you can place the commands in your shell profile, e.g.:
    triton env --docker test1_rsa >> ~/.profile
[master][~/dev/venuenext/triton-kubernetes]$ eval "$(triton env --docker test1_rsa)"
[master][~/dev/venuenext/triton-kubernetes]$ triton info
login: venuenext
name: Bryan Rehbein
email: [email protected]
url: https://us-sw-1.api.joyent.com
totalDisk: 0 B
totalMemory: 0 B
instances: 0

Set Profile

[master][~/dev/venuenext/triton-kubernetes]$ eval "$(triton env --docker test1_rsa)"
[master][~/dev/venuenext/triton-kubernetes]$ triton profile set test1_rsa
[master][~/dev/venuenext/triton-kubernetes]$ triton profiles
NAME       CURR  ACCOUNT    USER  URL
env              venuenext  -     https://us-sw-1.api.joyent.com
test1_rsa  *     venuenext  -     https://us-sw-1.api.joyent.com

Create non-HA cluster

[master][~/dev/venuenext/triton-kubernetes]$ eval "$(triton env)"
[master][~/dev/venuenext/triton-kubernetes]$ ./triton-kubernetes.sh -c
Using /usr/local/bin/terraform ...

Name your Global Cluster Manager: (global-cluster) test1_rsa
Do you want to set up the Global Cluster Manager in HA mode? (yes | no) no
From below options:
Joyent-SDC-Public
Joyent-SDC-Private
Both
Which Triton networks should be used for this environment: (Joyent-SDC-Public)
From below packages:
Enter passphrase for test1_rsa:
k4-highcpu-kvm-250M
k4-highcpu-kvm-750M
k4-highcpu-kvm-1.75G
k4-highcpu-kvm-3.75G
k4-highcpu-kvm-7.75G
k4-highcpu-kvm-15.75G
k4-general-kvm-3.75G
k4-general-kvm-7.75G
k4-general-kvm-15.75G
k4-general-kvm-31.75G
k4-highram-kvm-15.75G
k4-highram-kvm-31.75G
k4-highram-kvm-63.75G
k4-bigdisk-kvm-15.75G
k4-fastdisk-kvm-31.75G
k4-bigdisk-kvm-31.75G
k4-fastdisk-kvm-63.75G
k4-bigdisk-kvm-63.75G
Which Triton package should be used for Global Cluster Manager server(s): (k4-highcpu-kvm-1.75G)
docker-engine install script: (https://releases.rancher.com/install-docker/1.12.sh)
############################################################

Cluster Manager test1_rsa will be created on Triton.
test1_rsa will be running in non-HA configuration ...
    test1_rsa-master-1 k4-highcpu-kvm-1.75G

Do you want to start the setup? (yes | no) yes

Log

Initializing modules...
- module.triton_example
  Getting source "./modules/triton-rancher-k8s"
- module.azure_example
  Getting source "./modules/azure-rancher-k8s"
- module.aws_example
  Getting source "./modules/aws-rancher-k8s"
- module.gcp_example
  Getting source "./modules/gcp-rancher-k8s"
- module.create_rancher-example
  Getting source "./modules/triton-rancher"
- module.create_rancher
  Getting source "./modules/triton-rancher"

Initializing the backend...

Successfully configured the backend "local"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (1.6.0)...
- Downloading plugin for provider "google" (1.4.0)...
- Downloading plugin for provider "rancher" (1.2.0)...
- Downloading plugin for provider "azurerm" (1.0.0)...
- Downloading plugin for provider "null" (1.0.0)...
- Downloading plugin for provider "triton" (0.4.0)...
- Downloading plugin for provider "template" (1.0.0)...
- Downloading plugin for provider "external" (1.0.0)...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.aws: version = "~> 1.6"
* provider.azurerm: version = "~> 1.0"
* provider.external: version = "~> 1.0"
* provider.google: version = "~> 1.4"
* provider.null: version = "~> 1.0"
* provider.rancher: version = "~> 1.2"
* provider.template: version = "~> 1.0"
* provider.triton: version = "~> 0.4"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
- module.triton_example
- module.azure_example
- module.aws_example
- module.gcp_example
- module.create_rancher-example
- module.create_rancher
data.template_file.install_rancher_master: Refreshing state...
data.template_file.install_rancher_mysqldb: Refreshing state...

Error: Error refreshing state: 1 error(s) occurred:

* module.create_rancher.provider.triton: Error Creating SSH Private Key Signer: Error parsing private key: asn1: structure error: length too large

No machines were created

At least there aren't any containers/kvm instances to clean up when this fails.

[master][~/dev/venuenext/triton-kubernetes]$ triton info
Enter passphrase for test1_rsa:
login: venuenext
name: Bryan Rehbein
email: [email protected]
url: https://us-sw-1.api.joyent.com
totalDisk: 0 B
totalMemory: 0 B
instances: 0
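Both comments hit the same root cause: the provider hands the body of a passphrase-protected PEM block (`Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers) straight to the PKCS#1 parser, so Go's encoding/asn1 is asked to parse AES ciphertext and reports a structure error. The Go program below is an added example, not code from triton-kubernetes or the Terraform Triton provider; it reproduces the naive parse on a constructed encrypted key and shows the header check that turns the opaque error into an actionable one (the key size, the passphrase and the function names are assumptions).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

var ErrEncryptedKey = errors.New("private key is passphrase-protected: decrypt it first or use an unencrypted key")
// naiveParse mirrors the failing path: the PEM body (AES ciphertext, not DER) goes straight to the PKCS#1 parser.
func naiveParse(block *pem.Block) (*rsa.PrivateKey, error) {
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// checkedParse inspects the PEM encryption headers (Proc-Type / DEK-Info) before touching the DER.
func checkedParse(block *pem.Block, passphrase []byte) (key *rsa.PrivateKey, err error) {
	der := block.Bytes
	if x509.IsEncryptedPEMBlock(block) { // legacy PEM encryption (deprecated in Go as weak), as ssh-keygen wrote it in 2017
		if len(passphrase) == 0 {
			return nil, ErrEncryptedKey // actionable message instead of "asn1: structure error"
		}
		if der, err = x509.DecryptPEMBlock(block, passphrase); err != nil {
			return nil, err // a wrong passphrase surfaces as x509.IncorrectPasswordError
		}
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// encryptedTestKey is a constructed fixture: a fresh RSA key (2048 bits is an assumption) as an AES-128-CBC encrypted PKCS#1 PEM block.
func encryptedTestKey(passphrase []byte) (*pem.Block, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), passphrase, x509.PEMCipherAES128)
	return block, key, err
}

func main() {
	block, _, err := encryptedTestKey([]byte("correct horse")) // passphrase is a constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println(naiveParse(block))        // fails: the body is ciphertext, not DER
	fmt.Println(checkedParse(block, nil)) // fails with ErrEncryptedKey, which tells the user what to do
}
```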

fayazg pushed a commit that referenced this issue Jan 26, 2018
Prompt for Manta URL instead of hardcoded value when creating manager