fix(ssh): remove auto-generated SSH CA option#371
Conversation
An auto-generated CA regenerates its identity on every restart, so it cannot be distributed to clients. Require an explicit manual or Vault CA whenever SSH is enabled, failing fast at config validation and Helm render.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #371 +/- ##
==========================================
+ Coverage 86.17% 86.18% +0.01%
==========================================
Files 40 40
Lines 2828 2816 -12
==========================================
- Hits 2437 2427 -10
+ Misses 265 264 -1
+ Partials 126 125 -1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR removes the auto-generated in-memory SSH CA behavior and makes an explicitly configured SSH CA mandatory (manual key file or Vault) whenever SSH is enabled, ensuring stable SSH host identity across restarts/replicas.
Changes:
- Enforce “CA required” in Go config validation and in SSH CA construction (no more auto-generated fallback).
- Update Go unit tests to provide a manual CA config where needed and to assert missing-CA errors.
- Update Helm chart behavior/tests/snapshots to fail rendering when
ssh.enabled: truewithout a configured CA, and refresh related documentation.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/sshhandler/proxy_test.go | Adds a manual CA config to keep SSH handler tests passing under the new requirement. |
| internal/sshhandler/config_test.go | Updates config creation test to include manual CA. |
| internal/sshhandler/ca.go | Removes auto-generated CA fallback; returns ErrMissingCAConfig when CA is unset. |
| internal/sshhandler/ca_test.go | Removes auto-generated CA test; updates expectations for missing CA config. |
| internal/proxy/proxy_test.go | Updates proxy tests to include a manual CA config. |
| internal/config/config.go | Updates SSH CA validation to require exactly one of manual/vault; introduces ErrMissingCAConfig. |
| internal/config/config_test.go | Updates validation tests to expect an error when CA config is missing. |
| deploy/gateway/values.yaml | Updates values documentation to state CA is required when SSH is enabled. |
| deploy/gateway/tests/snapshot_test.yaml | Adds manual CA values so snapshot rendering remains valid. |
| deploy/gateway/tests/gateway-configmap_test.yaml | Removes test that asserted SSH config could be rendered without a CA. |
| deploy/gateway/tests/deployment_test.yaml | Updates tests to assert render failure when SSH enabled without CA; adjusts other cases to include Vault config. |
| deploy/gateway/tests/snapshot/snapshot_test.yaml.snap | Updates rendered snapshot to include manual CA secret/mount/configmap content. |
| deploy/gateway/templates/deployment.yaml | Changes Helm rendering guard to fail when SSH is enabled and CA is missing. |
| CLAUDE.md | Updates SSH security documentation to remove auto-generated CA option. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
93440d2 to
fd5bb57
Compare
Related Tickets & Documents
Changes
ssh.ca(manualorvault) is now required when SSH is enabledssh.enabledis true andssh.cais unset (previously only whenreplicaCount > 1)Notes
The auto-generated CA lived only in memory, so its identity changed on every restart and
across replicas, causing host-key mismatch warnings. Requiring an explicit CA keeps it stable.