fix: prefer SSH_KEY_PRIVATE and validate keypair fingerprint

2026-02-28 17:40:25 +00:00
parent c94c1f61d8
commit 03fff813ac
3 changed files with 19 additions and 6 deletions
--- a/.gitea/workflows/kubeadm-bootstrap.yml
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -32,9 +32,9 @@ jobs:
      - name: Create SSH key
        run: |
          install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
          if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
          fi

          if [ -z "$KEY_CONTENT" ]; then
--- a/.gitea/workflows/kubeadm-reset.yml
+++ b/.gitea/workflows/kubeadm-reset.yml
@@ -32,9 +32,9 @@ jobs:
      - name: Create SSH key
        run: |
          install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
          if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
          fi

          if [ -z "$KEY_CONTENT" ]; then
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -75,9 +75,9 @@ jobs:
      - name: Create SSH key
        run: |
          install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
          if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
          fi

          if [ -z "$KEY_CONTENT" ]; then
@@ -88,6 +88,19 @@ jobs:
          printf '%s\n' "$KEY_CONTENT" | tr -d '\r' > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519

+      - name: Verify SSH keypair match
+        run: |
+          PRIV_FP="$(ssh-keygen -y -f ~/.ssh/id_ed25519 | ssh-keygen -lf - | awk '{print $2}')"
+          PUB_FP="$(printf '%s\n' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r' | ssh-keygen -lf - | awk '{print $2}')"
+
+          echo "private fingerprint: $PRIV_FP"
+          echo "public  fingerprint: $PUB_FP"
+
+          if [ "$PRIV_FP" != "$PUB_FP" ]; then
+            echo "SSH_KEY_PRIVATE does not match SSH_KEY_PUBLIC. Update secrets with the same keypair."
+            exit 1
+          fi
+
      - name: Create kubeadm inventory from Terraform outputs
        env:
          KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}