Azure DevOps: SSH-RSA is deprecated 💥 #4726
Comments
|
Not sure how is this a Flux issue if SHA2 keys get the same error, please contact Azure support. |
|
@uidmehdi @stefanprodan. We had the same issue after the changes Microsoft announced for ssh-rsa deprecation. After adding a rsa-sha2-512 key last week, we thought the issue was resolved. However, this morning started happening again.
|
|
To migrate off RSA-SHA a Flux bootstrapped cluster with Azure DevOps there are two options:
If someone with access to Azure DevOps can test the following procedures it would be great. Migrate to RSA SHA-2Assuming you have bootstrap Flux with a SSH key as described in https://fluxcd.io/flux/installation/bootstrap/azure-devops/ Configure RSA SHA-2 SSH KeysGenerate a RSA SHA-2 public private key pair with: ssh-keygen -t rsa-sha2-512Upload the public key to Azure DevOps. Rotate the private key in the kubectl -n flux-system delete secret flux-system
flux -n flux-system create secret git flux-system \
--url=sssh://[email protected]/v3/<org-name>/<project-name>/<repo-name> \
--private-key-file=<path-to-private-key> \
--password=<key-passphrase>Configure RSA SHA-2 Host KeysClone the Azure DevOps repository locally and add the following patch to the apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
patches:
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256
target:
kind: Deployment
name: (source-controller|image-automation-controller)Note Even if Azure DevOps advertises the host key as Commit and push change to the Azure DevOps repository. Force apply changesIf Flux is currently failing to pull the changes from Azure DevOps, you can apply the manifests directly on the cluster with: kubectl apply -k clusters/<your-cluster>/flux-systemWait for source-controller to restart, then test the new keys with: flux reconcile source git flux-systemMigrate from SSH to HTTP/SGenerate an personal access token in the Azure portal. Delete the kubectl -n flux-system delete secret flux-systemFinally run bootstrap using the PAT and the HTTP/S address of the repo: echo <DEVOPS-PAT> | flux bootstrap git \
--token-auth=true \
--url=https://dev.azure.com/<org>/<project>/_git/<repository> \
--branch=main \
--path=clusters/<your-cluster-name> |
stefanprodan
changed the title
stefanprodan
changed the title
|
Thanks @stefanprodan . That's exactly how I deployed the key last week and earlier today I configured the kustomization.yaml file same as above. Is there a way to see what algorithm the source controller pod is using? Otherwise, we will have to wait to start erroring out again. |
|
Well looks like Azure DevOps advertises a single host key: $ ssh-keyscan ssh.dev.azure.com
# ssh.dev.azure.com:22 SSH-2.0-SSHBlackbox.10
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8HTesting the key for RSA-SHA2 in fluxcd/pkg/ssh works: func TestAzureDevOps(t *testing.T) {
g := NewWithT(t)
knownHosts, err := ScanHostKey("ssh.dev.azure.com:22", time.Second, []string{"rsa-sha2-256", "rsa-sha2-512"}, false)
t.Log(string(knownHosts))
g.Expect(err).NotTo(HaveOccurred())
}@psdonas after you've set the SSH private key to |
|
@stefanprodan yes, I got the same error after deploying the rsa-sha2-512 key in cluster. |
|
If with a rsa-sha2-512 key still errors out and with Azure DevOps advertising a single rsa-sha host key, this feels like a major issue on their side, there is nothing we can do in Flux to fix this. In any case, there is always the option to switch from SSH to HTTP/S and Azure PAT like so: kubectl -n flux-system delete secret flux-system
echo <DEVOPS-PAT> | flux bootstrap git \
--token-auth=true \
--url=https://dev.azure.com/<org>/<project>/_git/<repository> \
--branch=main \
--path=clusters/my-cluster |
|
@stefanprodan @psdonas, Thanks for providing more details and testing. I've got errors as well during the brown out session yesterday although rsa-sha2-512 keys were deployed. Just applied the patch and waiting for the next brown out session. |
@stefanprodan , isn't it that Doesn't flux assume it should use |
|
@bondido as posted here #4726 (comment) the Flux SSH host key scanner finds all 3 algos. The patch posted here #4726 (comment) configures Flux source-controller to prioritise SHA-2 over SHA-1 and hopefully this will solve the issue with Azure blocking Flux. Please test and confirm if it works for you when your cluster enters the brown out session. |
|
Thanks @stefanprodan |
|
Validated that ssh works with Azure dev ops repos if ssh-keygen is used to pre-create ssh keys and use with flux. |
|
@dipti-pai can you confirm that there is no need for |
|
A brownout session happened again and I believe the patch is needed. Make sure to apply it for |
|
@uidmehdi is right. I received an error during the brown out period last night too, but only for |
@stefanprodan "--ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256" is needed. |
|
Thanks everyone for testing the fix. We've updated the procedure on how to bootstrap Azure DevOps via SSH here: https://fluxcd.io/flux/installation/bootstrap/azure-devops/#bootstrap-using-ssh-keys |
|
I believe an rsa key can be used for any of the three signatures. It is really the client that needs to select one of those. Can anybody confirm that it is not required to regenerate an rsa key pair? |
It's in line with the ssh-keygen -t docs I think. They specify that the sha2 signature specification applies to generating certificates signed by a ca (-s flag). Normal openssh ppk pairs are raw keys and not certificates so they don't contain the signature info. This is added in-flight during key negotiations and so the signature algo is chosen from the host key algorithms. This is how I understand how it works after working on this since the brownouts started however I'm not an openssh expert so if anyone is feel free to chime in and correct me. |
|
Hi, flux managed by Terraform. Several days ago if run terraform for flux there is the error during terraform plan: ssh key generated by cmd: |
|
@stefanprodan thank you for the reference, but I haven't caught what should be added in a terraform configuration of flux bootstrap resource? e.g. below what is configured now. As you can see the patch is added: |
|
@adhoc-am after we release Flux v2.3, you'll be able to set the host key algos in the provider like so: provider "flux" {
ssh = {
hostkey_algos = ["rsa-sha2-512", "rsa-sha2-256"]
}
} |
|
@stefanprodan Thank you and BR! |
Describe the bug
I'm seeing errors stating that source reconciliation is failing with the following error:
failed to checkout and determine revision: unable to list remote for 'ssh://[email protected]/v3/<organization_name>/<project_name>/<repo_name>': unknown error: remote: Command git-upload-pack: You’re using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using SSH-RSA is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation.Steps to reproduce
flux create source git flux-system --url=ssh://[email protected]/v3/<organization_name>/<project_name>/<repo_name> --branch=main --ssh-key-algorithm=rsa --ssh-rsa-bits=4096 --interval=1mExpected behavior
Source reconciliation should succeed
Screenshots and recordings
No response
OS / Distro
Kubernetes
Flux version
v2.2.3
Flux check
► checking prerequisites
✔ Kubernetes 1.27.9 >=1.26.0-0
► checking version in cluster
✔ distribution: flux-v2.2.3
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/helm-controller:v0.37.4
✔ image-automation-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/image-automation-controller:v0.37.1
✔ image-reflector-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/image-reflector-controller:v0.31.2
✔ kustomize-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/kustomize-controller:v1.2.2
✔ notification-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/notification-controller:v1.2.4
✔ source-controller: deployment ready
► digprvtstgwecr.azurecr.io/fluxcd/source-controller:v1.2.4
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1beta2
✔ helmreleases.helm.toolkit.fluxcd.io/v2beta2
✔ helmrepositories.source.toolkit.fluxcd.io/v1beta2
✔ imagepolicies.image.toolkit.fluxcd.io/v1beta2
✔ imagerepositories.image.toolkit.fluxcd.io/v1beta2
✔ imageupdateautomations.image.toolkit.fluxcd.io/v1beta1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed
Git provider
Azure DevOps
Container Registry provider
No response
Additional context
I have also tried to create a new ssh key
ssh-keygen -t rsa-sha2-256and a secret usingflux create secret git flux-system -n flux-system --private-key-file=<path-to-generated-private-key> --url=ssh://[email protected]/v3/<organization_name>/<project_name>/<repo_name>and referencing it in the source manifest by I get similar errorCode of Conduct
The text was updated successfully, but these errors were encountered: