Support SSH, reading secrets from vault passwords

* trim vaultpass from files
* expand the ExporterHost variables
* add a runCommand

Author: mangelajo

cmd/apply.go

@@ -22,6 +22,8 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/jumpstarter-dev/jumpstarter-lab-config/internal/config"
+	"github.com/jumpstarter-dev/jumpstarter-lab-config/internal/exporter/ssh"
+	"github.com/jumpstarter-dev/jumpstarter-lab-config/internal/templating"
 )
 
 var applyCmd = &cobra.Command{
@@ -47,12 +49,30 @@ var applyCmd = &cobra.Command{
 		}
 
 		cfg.Validate()
+		tapplier, err := templating.NewTemplateApplier(cfg, nil)
+		if err != nil {
+			return fmt.Errorf("error creating template applier %w", err)
+		}
 
 		if dryRun {
-			fmt.Println("Detected changes to apply:")
-			fmt.Println()
-			// TODO: Implement dry-run logic to detect changes
-			fmt.Println("⚠️ Dry-run mode: no changes will be applied")
+			for _, host := range cfg.Loaded.ExporterHosts {
+				hostCopy := host.DeepCopy()
+				err = tapplier.Apply(hostCopy)
+				if err != nil {
+					return fmt.Errorf("error applying template for %s: %w", host.Name, err)
+				}
+				fmt.Printf("Exporter host: %s\n", hostCopy.Name)
+				hostSsh, err := ssh.NewSSHHostManager(hostCopy)
+				if err != nil {
+					return fmt.Errorf("error creating SSH host manager for %s: %w", host.Name, err)
+				}
+				status, err := hostSsh.Status()
+				if err != nil {
+					return fmt.Errorf("error getting status for %s: %w", host.Name, err)
+				}
+				fmt.Printf("Status: %s\n", status)
+			}
+
 		} else {
 			fmt.Println("Applying changes:")
 			fmt.Println()

internal/exporter/ssh/ssh.go

@@ -2,6 +2,7 @@ package ssh
 
 import (
 	"fmt"
+	"io"
 	"log"
 	"net"
 	"os"
@@ -21,6 +22,13 @@ type HostManager interface {
 	Apply() error
 }
 
+// CommandResult represents the result of running a command via SSH
+type CommandResult struct {
+	Stdout   string
+	Stderr   string
+	ExitCode int
+}
+
 type SSHHostManager struct {
 	ExporterHost *v1alpha1.ExporterHost `json:"exporterHost,omitempty"`
 	sshClient    *ssh.Client
@@ -54,10 +62,88 @@ func NewSSHHostManager(exporterHost *v1alpha1.ExporterHost) (HostManager, error)
 }
 
 func (m *SSHHostManager) Status() (string, error) {
-	if m.ExporterHost.Spec.Management.SSH.Host == "" {
-		return "", fmt.Errorf("SSH host is not configured for exporter %s", m.ExporterHost.Name)
+	result, err := m.runCommand("ls -la")
+	if err != nil {
+		return "", fmt.Errorf("failed to run status command for %q: %w", m.ExporterHost.Name, err)
 	}
-	return "Not implemented yet", nil
+
+	// For now, return a simple status based on exit code
+	if result.ExitCode == 0 {
+		return "ok", nil
+	}
+	return fmt.Sprintf("error (exit code: %d)", result.ExitCode), nil
+}
+
+// runCommand executes a command on the remote host and returns the result
+func (m *SSHHostManager) runCommand(command string) (*CommandResult, error) {
+	if m.sshClient == nil {
+		return nil, fmt.Errorf("sshClient is not initialized")
+	}
+	session, err := m.sshClient.NewSession()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create SSH session for %q: %w", m.ExporterHost.Name, err)
+	}
+	defer func() {
+		if closeErr := session.Close(); closeErr != nil {
+			log.Printf("Failed to close SSH session for %q: %v", m.ExporterHost.Name, closeErr)
+		}
+	}()
+
+	stdout, err := session.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stdout pipe for %q: %w", m.ExporterHost.Name, err)
+	}
+
+	stderr, err := session.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stderr pipe for %q: %w", m.ExporterHost.Name, err)
+	}
+
+	// Capture stdout and stderr
+	var stdoutBytes, stderrBytes []byte
+	var stdoutErr, stderrErr error
+	var wg sync.WaitGroup
+
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		stdoutBytes, stdoutErr = io.ReadAll(stdout)
+	}()
+	go func() {
+		defer wg.Done()
+		stderrBytes, stderrErr = io.ReadAll(stderr)
+	}()
+
+	// Run the command
+	err = session.Run(command)
+
+	// Wait for stdout and stderr to be read
+	wg.Wait()
+
+	// Check for errors in reading stdout/stderr
+	if stdoutErr != nil {
+		return nil, fmt.Errorf("failed to read stdout for %q: %w", m.ExporterHost.Name, stdoutErr)
+	}
+	if stderrErr != nil {
+		return nil, fmt.Errorf("failed to read stderr for %q: %w", m.ExporterHost.Name, stderrErr)
+	}
+
+	// Get exit code
+	exitCode := 0
+	if err != nil {
+		if exitErr, ok := err.(*ssh.ExitError); ok {
+			exitCode = exitErr.ExitStatus()
+		} else {
+			// If it's not an exit error, return the error
+			return nil, fmt.Errorf("failed to run command for %q: %w", m.ExporterHost.Name, err)
+		}
+	}
+
+	return &CommandResult{
+		Stdout:   string(stdoutBytes),
+		Stderr:   string(stderrBytes),
+		ExitCode: exitCode,
+	}, nil
 }
 
 func (m *SSHHostManager) NeedsUpdate() (bool, error) {

internal/exporter/ssh/ssh_test.go

@@ -325,7 +325,7 @@ func TestSSHHostManagerInterface(t *testing.T) {
 
 	// Test interface methods are available
 	_, err := manager.Status()
-	if err != nil && !strings.Contains(err.Error(), "SSH host is not configured") {
+	if err != nil && !strings.Contains(err.Error(), "SSH host is not configured") && !strings.Contains(err.Error(), "sshClient is not initialized") {
 		// We expect either success or the specific SSH host error
 		t.Errorf("Unexpected error from Status method: %v", err)
 	}

internal/templating/templating.go

@@ -41,9 +41,10 @@ func constructReplacementMap(variables *vars.Variables, parameters *Parameters,
 		replacements["var."+key] = value
 	}
 
-	// Add parameters to the replacement map
-	for key, value := range parameters.parameters {
-		replacements["param."+key] = value
+	if parameters != nil { // Add parameters to the replacement map
+		for key, value := range parameters.parameters {
+			replacements["param."+key] = value
+		}
 	}
 
 	// Add meta parameters to the replacement map

internal/templating/templating_test.go

@@ -1,6 +1,7 @@
 package templating
 
 import (
+	"os"
 	"testing"
 
 	"github.com/jumpstarter-dev/jumpstarter-lab-config/internal/config"
@@ -275,11 +276,15 @@ func TestProcessTemplate_VaultDecryptionError(t *testing.T) {
 		parameters: map[string]string{},
 	}
 
+	// unset ANSIBLE_VAULT_PASSWORD_FILE
+	if err := os.Unsetenv("ANSIBLE_VAULT_PASSWORD_FILE"); err != nil {
+		t.Fatalf("failed to unset ANSIBLE_VAULT_PASSWORD_FILE: %v", err)
+	}
+
 	input := "Vault variable: $(var.vault_var)"
 	_, err = ProcessTemplate(input, varsMock, params, nil)
-	if err == nil || err.Error() != "templating: error retrieving variable 'vault_var': "+
-		"ANSIBLE_VAULT_PASSWORD_FILE or ANSIBLE_VAULT_PASSWORD required for encrypted key vault_var" {
-		t.Errorf("unexpected error message, got %v", err)
+	if err == nil {
+		t.Errorf("Call should have failed, got nil")
 	}
 }
 

internal/vars/vault.go

@@ -42,6 +42,11 @@ type VaultDecryptor struct {
 
 // NewVaultDecryptor creates a new vault decryptor with the given password
 func NewVaultDecryptor(password string) *VaultDecryptor {
+	// trim the password left and right of whitespace, line breaks and tabs
+	password = strings.TrimSpace(password)
+	password = strings.ReplaceAll(password, "\n", "")
+	password = strings.ReplaceAll(password, "\r", "")
+	password = strings.ReplaceAll(password, "\t", "")
 	return &VaultDecryptor{password: password}
 }
 
@@ -70,7 +75,6 @@ func (vd *VaultDecryptor) Decrypt(vaultData string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-
 	// Generate keys
 	key := generateCipherKey(vd.password, salt)