From a00a4b9b5fe98c987f31ef8c8f95ceb6599f195a Mon Sep 17 00:00:00 2001
From: Ilia Kargapolov <i.kargapolov@nebius.com>
Date: Fri, 24 May 2024 18:45:15 +0200
Subject: [PATCH] Added support to provide SSH keys for k8s node groups

---
 README.md                                     |  9 +++--
 examples/example-1-zonal-with-2-ng/main.tf    |  8 ++---
 .../terraform.tfvars                          |  1 -
 .../example-1-zonal-with-2-ng/versions.tf     |  4 +--
 node_group.tf                                 |  8 ++++-
 variables.tf                                  | 34 ++++++++++++++-----
 versions.tf                                   |  4 +--
 7 files changed, 46 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 59c1f17..4006767 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 ## Features
 
-- Create zonal Kubernetes cluster  
+- Create zonal Kubernetes cluster
 - Create user defined Kubernetes node groups
 - Easy to use in other resources via outputs
 
@@ -63,11 +63,11 @@ module "kube" {
       subnet_id = "e9b3k97pr2nh1i80as04"
     },
     {
-      zone      = "eu-north1-b" 
+      zone      = "eu-north1-b"
       subnet_id = "e2laaglsc7u99ur8c4j1"
     },
     {
-      zone      = "eu-north1-c" 
+      zone      = "eu-north1-c"
       subnet_id = "b0ckjm3olbpmk2t6c28o"
     }
   ]
@@ -206,6 +206,9 @@ No modules.
 | <a name="input_service_ipv4_range"></a> [service\_ipv4\_range](#input\_service\_ipv4\_range) | CIDR block. IP range from which Kubernetes service cluster IP addresses <br>    will be allocated from. It should not overlap with<br>    any subnet in the network the Kubernetes cluster located in | `string` | `"172.18.0.0/16"` | no |
 | <a name="input_service_ipv6_range"></a> [service\_ipv6\_range](#input\_service\_ipv6\_range) | IPv6 CIDR block. IP range for allocating pod addresses. | `string` | `null` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Timeouts. | `map(string)` | <pre>{<br>  "create": "60m",<br>  "delete": "60m",<br>  "update": "60m"<br>}</pre> | no |
+| <a name="ssh_username"></a> [ssh_username](#input\_ssh_username) | SSH Username. | `map(string)` | <pre>{<br>  "create": "60m",<br>  "delete": "60m",<br>  "update": "60m"<br>}</pre> | no |
+| <a name="ssh_public_key"></a> [ssh_public_key](#input\_ssh_public_key) | SSH Public key content. | `map(string)` | <pre>{<br>  "create": "60m",<br>  "delete": "60m",<br>  "update": "60m"<br>}</pre> | no |
+| <a name="ssh_public_key_path"></a> [ssh_public_key_path](#input\_ssh_public_key_path) | Path to SSH Public key file. | `map(string)` | <pre>{<br>  "create": "60m",<br>  "delete": "60m",<br>  "update": "60m"<br>}</pre> | no |
 
 ## Outputs
 
diff --git a/examples/example-1-zonal-with-2-ng/main.tf b/examples/example-1-zonal-with-2-ng/main.tf
index c2a4b36..3364c60 100644
--- a/examples/example-1-zonal-with-2-ng/main.tf
+++ b/examples/example-1-zonal-with-2-ng/main.tf
@@ -3,7 +3,7 @@
 module "kube" {
   source = "../../"
 
-  network_id =  "btcci5d99ka84l988qvs"
+  network_id = "btcci5d99ka84l988qvs"
 
   master_locations = [
     {
@@ -28,7 +28,7 @@ module "kube" {
     }
   ]
   node_groups = {
-   "k8s-ng-h100-8gpu1" = {
+    "k8s-ng-h100-8gpu1" = {
       description = "Kubernetes nodes h100-8-gpu nodes with autoscaling"
       fixed_scale = {
         size = 2
@@ -40,12 +40,10 @@ module "kube" {
       node_gpus       = 8
       disk_type       = "network-ssd-nonreplicated"
       disk_size       = 372
-      nat = true
+      nat             = true
       node_labels = {
         "group" = "h100-8gpu"
       }
     }
   }
 }
-
-
diff --git a/examples/example-1-zonal-with-2-ng/terraform.tfvars b/examples/example-1-zonal-with-2-ng/terraform.tfvars
index 8b13789..e69de29 100644
--- a/examples/example-1-zonal-with-2-ng/terraform.tfvars
+++ b/examples/example-1-zonal-with-2-ng/terraform.tfvars
@@ -1 +0,0 @@
-
diff --git a/examples/example-1-zonal-with-2-ng/versions.tf b/examples/example-1-zonal-with-2-ng/versions.tf
index bd017d2..7605823 100644
--- a/examples/example-1-zonal-with-2-ng/versions.tf
+++ b/examples/example-1-zonal-with-2-ng/versions.tf
@@ -3,7 +3,7 @@ terraform {
 
   required_providers {
     nebius = {
-      source = "terraform-registry.storage.ai.nebius.cloud/nebius/nebius"
+      source  = "terraform-registry.storage.ai.nebius.cloud/nebius/nebius"
       version = ">= 0.6.0"
     }
     local = {
@@ -18,7 +18,7 @@ terraform {
 }
 
 provider "nebius" {
-  endpoint = "api.nemax.nebius.cloud:443"
+  endpoint  = "api.nemax.nebius.cloud:443"
   folder_id = "bjer0eu4okh6vntopouq"
 }
 
diff --git a/node_group.tf b/node_group.tf
index 9a21e78..98f81fd 100644
--- a/node_group.tf
+++ b/node_group.tf
@@ -11,6 +11,9 @@ locals {
     ])
   ]...) : []
   master_locations_subnets_ids = concat(flatten([for location in var.master_locations : location.subnet_id]))
+
+  ssh_public_key = var.ssh_public_key != null ? var.ssh_public_key : (
+  fileexists(var.ssh_public_key_path) ? file(var.ssh_public_key_path) : null)
 }
 
 resource "nebius_kubernetes_node_group" "kube_node_groups" {
@@ -32,11 +35,14 @@ resource "nebius_kubernetes_node_group" "kube_node_groups" {
       gpus          = lookup(each.value, "node_gpus", var.node_groups_defaults.node_gpus)
     }
 
+    metadata = {
+      ssh-keys = local.ssh_public_key != null ? "${var.ssh_username}:${local.ssh_public_key}" : null
+    }
 
     dynamic "gpu_settings" {
       for_each = compact([lookup(each.value, "gpu_cluster_id", null)])
       content {
-        gpu_cluster_id = each.value.gpu_cluster_id
+        gpu_cluster_id  = each.value.gpu_cluster_id
         gpu_environment = each.value.gpu_environment
       }
     }
diff --git a/variables.tf b/variables.tf
index 354211a..d175bf9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -73,7 +73,7 @@ variable "node_ipv4_cidr_mask_size" {
 
 variable "service_ipv4_range" {
   description = <<EOF
-    CIDR block. IP range from which Kubernetes service cluster IP addresses 
+    CIDR block. IP range from which Kubernetes service cluster IP addresses
     will be allocated from. It should not overlap with
     any subnet in the network the Kubernetes cluster located in
     EOF
@@ -113,7 +113,7 @@ variable "release_channel" {
 variable "network_policy_provider" {
   description = "Network policy provider for Kubernetes cluster"
   type        = string
-  default     = null #changed 
+  default     = null #changed
 }
 
 variable "enable_cilium_policy" {
@@ -223,14 +223,14 @@ variable "node_groups" {
      - If node groups version isn't defined, cluster version will be used instead of.
      - A master locations list must have only one location for zonal cluster and three locations for a regional.
      - All node groups are able to define own locations. These locations will be used at first.
-     - If own location aren't defined for node groups with auto scale policy, locations for these groups will be automatically generated from master locations. If node groups list have more than three groups, locations for them will be assigned from the beggining of the master locations list. So, all node groups will be distributed in a range of master locations. 
+     - If own location aren't defined for node groups with auto scale policy, locations for these groups will be automatically generated from master locations. If node groups list have more than three groups, locations for them will be assigned from the beggining of the master locations list. So, all node groups will be distributed in a range of master locations.
      - Master locations will be used for fixed scale node groups.
      - Auto repair and upgrade values will be used master_auto_upgrade value.
      - Master maintenance windows will be used for Node groups also!
      - Only one max_expansion OR max_unavailable values should be specified for the deployment policy.
-    
+
     Documentation - https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kubernetes_node_group
-    
+
     Default values:
     ```
       platform_id     = "standard-v2"
@@ -356,7 +356,7 @@ variable "enable_default_rules" {
 variable "custom_ingress_rules" {
   description = <<-EOF
     Map definition of custom security ingress rules.
-    
+
     Example:
     ```
     custom_ingress_rules = {
@@ -390,7 +390,7 @@ variable "custom_ingress_rules" {
 variable "custom_egress_rules" {
   description = <<-EOF
     Map definition of custom security egress rules.
-    
+
     Example:
     ```
     custom_egress_rules = {
@@ -431,4 +431,22 @@ variable "pod_mtu" {
   description = "default pod mtu for networking"
   type        = number
   default     = 8880
-}
\ No newline at end of file
+}
+
+variable "ssh_username" {
+  description = "Username for SSH login"
+  type        = string
+  default     = "ubuntu"
+}
+
+variable "ssh_public_key" {
+  description = "Public SSH key to access the cluster nodes"
+  type        = string
+  default     = null
+}
+
+variable "ssh_public_key_path" {
+  description = "Path to a SSH public key to access the cluster nodes"
+  type        = string
+  default     = "~/.ssh/id_rsa.pub"
+}
diff --git a/versions.tf b/versions.tf
index aa7a287..d2c12a8 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,10 +3,10 @@ terraform {
 
   required_providers {
     nebius = {
-      source = "terraform-registry.storage.ai.nebius.cloud/nebius/nebius"
+      source  = "terraform-registry.storage.ai.nebius.cloud/nebius/nebius"
       version = ">= 0.6.0"
     }
-    
+
     random = {
       source  = "hashicorp/random"
       version = "> 3.3"