Abstract
This spec discusses how the Tmate charm will work in order to enable SSH access to the GitHub runners for debugging.
Rationale
For security reasons, tmate’s managed server is not the preferred way to provide SSH access to self-hosted GitHub runners for debugging. Furthermore, the current firewall settings allow only HTTP(S) network access from and to the self-hosted GitHub runners.
To make debugging easier and to provide a trusted tmate server, this spec discusses the tmate charm.
Specification
Tmate server can be self-hosted as a standalone server. Due to the limitations of a Juju Kubernetes charm, the container is currently unable to receive a SYS_ADMIN capability. Hence, the charm will be a machine charm. The server should generate SSH configuration that the clients can use to connect to the server. The configuration includes the following information.
- Server host
- Server port
- rsa-fingerprint
- ed25519-fingerprint
The information above is used by the client in the GitHub runner host to create a .tmate.conf in the home directory, which tmate uses to spawn a tmux instance. This tmux instance is the shell we see when ssh-ing into the tmate instance, a mirror of the tmux instance created on the GitHub runner.
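An added example (not part of the original spec or the charm's code): a POSIX shell function that renders .tmate.conf from the four values listed above and refuses to write the file unless the host, port and both fingerprints are well-formed. The TMATE_SERVER_* environment variable names, the function name and the expected fingerprint format are assumptions.

```shell
#!/bin/sh
# Added example. The TMATE_SERVER_* variable names and render_tmate_conf are
# assumptions; the "set -g tmate-server-*" options are tmate's own settings.

# render_tmate_conf OUTFILE
# Writes OUTFILE only if all four values are present and well-formed, so a
# runner never starts tmate without pinned host-key fingerprints.
render_tmate_conf() {
    out=$1
    host=${TMATE_SERVER_HOST:-}
    port=${TMATE_SERVER_PORT:-}
    rsa=${TMATE_SERVER_RSA_FINGERPRINT:-}
    ed=${TMATE_SERVER_ED25519_FINGERPRINT:-}

    # Host: DNS name or IPv4 literal. Rejecting every other character also
    # rejects quotes and newlines that could add extra config directives.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "tmate conf: bad host" >&2; return 1 ;;
    esac

    # Port: 1 to 5 digits, in the range 1..65535.
    case $port in
        ''|??????*|*[!0-9]*) echo "tmate conf: bad port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "tmate conf: bad port" >&2; return 1; }

    # Fingerprints: assumed to be in ssh-keygen's SHA256 form, i.e.
    # "SHA256:" followed by 43 unpadded base64 characters.
    for fp in "$rsa" "$ed"; do
        b64=${fp#SHA256:}
        [ "$b64" != "$fp" ] && [ "${#b64}" -eq 43 ] ||
            { echo "tmate conf: bad fingerprint" >&2; return 1; }
        case $b64 in
            *[!A-Za-z0-9+/]*) echo "tmate conf: bad fingerprint" >&2; return 1 ;;
        esac
    done

    (
        umask 077   # readable by the runner user only
        {
            printf 'set -g tmate-server-host %s\n' "$host"
            printf 'set -g tmate-server-port %s\n' "$port"
            printf 'set -g tmate-server-rsa-fingerprint "%s"\n' "$rsa"
            printf 'set -g tmate-server-ed25519-fingerprint "%s"\n' "$ed"
        } > "$out"
    )
}
```

On the runner it would be called as render_tmate_conf "$HOME/.tmate.conf" before tmate is launched.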
To harden security, the endpoint should only be accessible from within Canonical’s VPN, to which all members of Canonical should have access. Furthermore, the user triggering the tmate workflow should add their SSH key to their GitHub account.
However, the suggested implementation above implies that no outside contributors can have SSH access to the tmate workflow.
Charm Configurations
Authorized_keys was originally understood as a parameter that could be passed onto the tmate-ssh-server to limit the connections to a set of authorized keys. However, it is a GitHub workflow’s tmate client parameter using an -a flag (note the non-capitalized a) to create a session instance with a set of authorized keys. The tmate-ssh-server provides an -A flag (note the capitalized A) to enforce the use of authorized keys when creating a session. This means that the action must use the “limit-access-to-actor” option. Since this can be achieved with the workflow and the session is under VPN protection, this action is not necessary.
Charm integrations
ssh-info: To provide SSH-key information generated from the server to the requirer, in order to enable printing necessary information to the workflow, i.e. tmate server host and port.
Charm actions
In order to retrieve the SSH-key generated from the server, an action “get-server-config” should be available, printing the output of the ssh generation script which can be used to provide the tmate workflow with custom server configuration values.
- tmate-server-host
- tmate-server-port
- tmate-server-rsa-fingerprint
- tmate-server-ed25519-fingerprint
- Traefik ingress w/ TCP port (can mitigate 80/443 problem) - not yet ready
- Default to use GitHub credentials
- Fork the GitHub tmate actions repository and make it work by default by reading environment variables instead of a config file, set the environment variables from the charm when related, and remove all the inputs for the action. (Preferred) - .env file
- OR create ~/.tmate.conf in the runner and launch tmate (on the forked client)
Repository configurations
The repository should set the parameters above as repository secrets and pass them to the tmate workflow.
Other configurations
DNS server to point to the IP address of tmate charm units.