feat: add optional SSH access to worker pods

Enable SSH access to NodeSet worker pods with a CRD toggle, following
the same pattern as LoginSet. SSH host keys are shared across all pods
in a NodeSet to prevent "host key changed" warnings when pods are
recreated or scaled.

Ref: https://slurm.schedmd.com/pam_slurm_adopt.

Author: faganihajizada

api/v1beta1/nodeset_keys.go

@@ -23,3 +23,11 @@ func (o *NodeSet) HeadlessServiceKey() types.NamespacedName {
 		Namespace: o.Namespace,
 	}
 }
+
+func (o *NodeSet) SshHostKeys() types.NamespacedName {
+	key := o.Key()
+	return types.NamespacedName{
+		Name:      fmt.Sprintf("%s-ssh-host-keys", key.Name),
+		Namespace: o.Namespace,
+	}
+}

api/v1beta1/nodeset_types.go

@@ -37,6 +37,10 @@ type NodeSetSpec struct {
 	// +optional
 	Slurmd ContainerWrapper `json:"slurmd,omitempty"`
 
+	// SSH configuration for worker pods.
+	// +optional
+	Ssh NodeSetSsh `json:"ssh,omitzero"`
+
 	// The logfile sidecar configuration.
 	// +optional
 	LogFile ContainerWrapper `json:"logfile,omitzero"`
@@ -112,6 +116,14 @@ type NodeSetPartition struct {
 	Config string `json:"config,omitzero"`
 }
 
+// NodeSetSsh defines SSH configuration for NodeSet worker pods.
+type NodeSetSsh struct {
+	// Enabled controls whether SSH access is enabled for this NodeSet.
+	// When enabled, SSH host keys will be created and mounted, and port 22 will be exposed.
+	// +default:=false
+	Enabled bool `json:"enabled"`
+}
+
 // NodeSetUpdateStrategy indicates the strategy that the NodeSet
 // controller will be used to perform updates. It includes any additional
 // parameters necessary to perform the update for the indicated strategy.

api/v1beta1/zz_generated.deepcopy.go

@@ -173,6 +173,18 @@ spec:
                   Ref: https://github.com/kubernetes/api/blob/master/core/v1/types.go#L2885
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              ssh:
+                description: SSH configuration for worker pods.
+                properties:
+                  enabled:
+                    default: false
+                    description: |-
+                      Enabled controls whether SSH access is enabled for this NodeSet.
+                      When enabled, SSH host keys will be created and mounted, and port 22 will be exposed.
+                    type: boolean
+                required:
+                - enabled
+                type: object
               taintKubeNodes:
                 default: false
                 description: |-

config/crd/bases/slinky.slurm.net_nodesets.yaml

@@ -173,6 +173,18 @@ spec:
                   Ref: https://github.com/kubernetes/api/blob/master/core/v1/types.go#L2885
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              ssh:
+                description: SSH configuration for worker pods.
+                properties:
+                  enabled:
+                    default: false
+                    description: |-
+                      Enabled controls whether SSH access is enabled for this NodeSet.
+                      When enabled, SSH host keys will be created and mounted, and port 22 will be exposed.
+                    type: boolean
+                required:
+                - enabled
+                type: object
               taintKubeNodes:
                 default: false
                 description: |-

helm/slurm-operator-crds/templates/slinky.slurm.net_nodesets.yaml

@@ -51,6 +51,10 @@ spec:
     config: {{ include "slurm.worker.partitionConfig" $nodeset.partition }}
     {{- end }}{{- /* if (include "slurm.worker.partitionConfig" $nodeset.partition) */}}
   {{- end }}{{- /* with $nodeset.partition */}}
+  {{- with $nodeset.ssh }}
+  ssh:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}{{- /* with $nodeset.ssh */}}
   replicas: {{ $nodeset.replicas }}
   slurmd:
     {{- $_ := set $nodeset.slurmd "imagePullPolicy" (default $.Values.imagePullPolicy $nodeset.slurmd.imagePullPolicy) -}}

helm/slurm/templates/nodeset/nodeset-cr.yaml

@@ -643,6 +643,11 @@ nodesets:
       configMap: {}
         # State: UP
         # MaxTime: UNLIMITED
+    # SSH configuration for this NodeSet.
+    # ssh:
+      # -- Enable SSH access to worker pods with pam_slurm_adopt.
+      # Ref: https://slurm.schedmd.com/pam_slurm_adopt.html
+      # enabled: false
     # -- Enable propagation of container `resources.limits` into slurmd.
     useResourceLimits: true
     # Update strategy configuration.

helm/slurm/values.yaml

@@ -68,7 +68,7 @@ func (b *Builder) BuildWorkerPodTemplate(nodeset *slinkyv1beta1.NodeSet, control
 			InitContainers: []corev1.Container{
 				b.logfileContainer(spec.LogFile, slurmdLogFilePath),
 			},
-			Volumes: nodesetVolumes(controller),
+			Volumes: nodesetVolumes(nodeset, controller),
 			Tolerations: []corev1.Toleration{
 				slurmtaints.TolerationWorkerNode,
 			},
@@ -79,7 +79,7 @@ func (b *Builder) BuildWorkerPodTemplate(nodeset *slinkyv1beta1.NodeSet, control
 	return b.buildPodTemplate(opts)
 }
 
-func nodesetVolumes(controller *slinkyv1beta1.Controller) []corev1.Volume {
+func nodesetVolumes(nodeset *slinkyv1beta1.NodeSet, controller *slinkyv1beta1.Controller) []corev1.Volume {
 	out := []corev1.Volume{
 		{
 			Name: slurmEtcVolume,
@@ -103,28 +103,83 @@ func nodesetVolumes(controller *slinkyv1beta1.Controller) []corev1.Volume {
 		},
 		logFileVolume(),
 	}
+
+	// Add SSH host keys volume if SSH is enabled
+	if nodeset.Spec.Ssh.Enabled {
+		out = append(out, corev1.Volume{
+			Name: sshHostKeysVolume,
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					DefaultMode: ptr.To[int32](0o600),
+					Sources: []corev1.VolumeProjection{
+						{
+							Secret: &corev1.SecretProjection{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: nodeset.SshHostKeys().Name,
+								},
+								Items: []corev1.KeyToPath{
+									{Key: sshHostRsaKeyFile, Path: sshHostRsaKeyFile, Mode: ptr.To[int32](0o600)},
+									{Key: sshHostRsaPubKeyFile, Path: sshHostRsaPubKeyFile, Mode: ptr.To[int32](0o644)},
+									{Key: sshHostEd25519KeyFile, Path: sshHostEd25519KeyFile, Mode: ptr.To[int32](0o600)},
+									{Key: sshHostEd25519PubKeyFile, Path: sshHostEd25519PubKeyFile, Mode: ptr.To[int32](0o644)},
+									{Key: sshHostEcdsaKeyFile, Path: sshHostEcdsaKeyFile, Mode: ptr.To[int32](0o600)},
+									{Key: sshHostEcdsaPubKeyFile, Path: sshHostEcdsaPubKeyFile, Mode: ptr.To[int32](0o644)},
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+	}
+
 	return out
 }
 
 func (b *Builder) slurmdContainer(nodeset *slinkyv1beta1.NodeSet, controller *slinkyv1beta1.Controller) corev1.Container {
 	merge := nodeset.Spec.Slurmd.Container
 
+	// Base ports always include slurmd
+	ports := []corev1.ContainerPort{
+		{
+			Name:          labels.WorkerApp,
+			ContainerPort: SlurmdPort,
+			Protocol:      corev1.ProtocolTCP,
+		},
+	}
+
+	// Add SSH port if enabled
+	if nodeset.Spec.Ssh.Enabled {
+		ports = append(ports, corev1.ContainerPort{
+			Name:          "ssh",
+			ContainerPort: SshPort,
+			Protocol:      corev1.ProtocolTCP,
+		})
+	}
+
+	// Base volume mounts
+	volumeMounts := []corev1.VolumeMount{
+		{Name: slurmEtcVolume, MountPath: slurmEtcDir, ReadOnly: true},
+		{Name: slurmLogFileVolume, MountPath: slurmLogFileDir},
+	}
+
+	// Add SSH host key mounts if enabled
+	if nodeset.Spec.Ssh.Enabled {
+		volumeMounts = append(volumeMounts,
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostRsaKeyFilePath, SubPath: sshHostRsaKeyFile, ReadOnly: true},
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostRsaKeyPubFilePath, SubPath: sshHostRsaPubKeyFile, ReadOnly: true},
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostEd25519KeyFilePath, SubPath: sshHostEd25519KeyFile, ReadOnly: true},
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostEd25519PubKeyFilePath, SubPath: sshHostEd25519PubKeyFile, ReadOnly: true},
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostEcdsaKeyFilePath, SubPath: sshHostEcdsaKeyFile, ReadOnly: true},
+			corev1.VolumeMount{Name: sshHostKeysVolume, MountPath: sshHostEcdsaPubKeyFilePath, SubPath: sshHostEcdsaPubKeyFile, ReadOnly: true},
+		)
+	}
+
 	opts := ContainerOpts{
 		base: corev1.Container{
-			Name: labels.WorkerApp,
-			Args: slurmdArgs(nodeset, controller),
-			Ports: []corev1.ContainerPort{
-				{
-					Name:          labels.WorkerApp,
-					ContainerPort: SlurmdPort,
-					Protocol:      corev1.ProtocolTCP,
-				},
-				{
-					Name:          "ssh",
-					ContainerPort: SshPort,
-					Protocol:      corev1.ProtocolTCP,
-				},
-			},
+			Name:  labels.WorkerApp,
+			Args:  slurmdArgs(nodeset, controller),
+			Ports: ports,
 			StartupProbe: &corev1.Probe{
 				ProbeHandler: corev1.ProbeHandler{
 					HTTPGet: &corev1.HTTPGetAction{
@@ -175,10 +230,7 @@ func (b *Builder) slurmdContainer(nodeset *slinkyv1beta1.NodeSet, controller *sl
 					},
 				},
 			},
-			VolumeMounts: []corev1.VolumeMount{
-				{Name: slurmEtcVolume, MountPath: slurmEtcDir, ReadOnly: true},
-				{Name: slurmLogFileVolume, MountPath: slurmLogFileDir},
-			},
+			VolumeMounts: volumeMounts,
 		},
 		merge: merge,
 	}

internal/builder/worker_app.go

@@ -93,14 +93,6 @@ func TestBuilder_BuildWorkerPodTemplate(t *testing.T) {
 				t.Errorf("Containers[0].Ports[0].ContainerPort = %v , want = %v",
 					got.Spec.Containers[0].Ports[0].Name, SlurmdPort)
 
-			case got.Spec.Containers[0].Ports[1].Name != "ssh":
-				t.Errorf("Containers[0].Ports[1].Name = %v , want = ssh",
-					got.Spec.Containers[0].Ports[1].Name)
-
-			case got.Spec.Containers[0].Ports[1].ContainerPort != SshPort:
-				t.Errorf("Containers[0].Ports[1].ContainerPort = %v , want = %v",
-					got.Spec.Containers[0].Ports[1].ContainerPort, SshPort)
-
 			case got.Spec.Subdomain == "":
 				t.Errorf("Subdomain = %v , want = non-empty", got.Spec.Subdomain)
 

internal/builder/worker_app_test.go

@@ -0,0 +1,48 @@
+// SPDX-FileCopyrightText: Copyright (C) SchedMD LLC.
+// SPDX-License-Identifier: Apache-2.0
+
+package builder
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+
+	slinkyv1beta1 "github.com/SlinkyProject/slurm-operator/api/v1beta1"
+	"github.com/SlinkyProject/slurm-operator/internal/builder/labels"
+	"github.com/SlinkyProject/slurm-operator/internal/utils/crypto"
+	"github.com/SlinkyProject/slurm-operator/internal/utils/structutils"
+)
+
+func (b *Builder) BuildWorkerSshHostKeys(nodeset *slinkyv1beta1.NodeSet) (*corev1.Secret, error) {
+	keyPairRsa, err := crypto.NewKeyPair(crypto.WithType(crypto.KeyPairRsa))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create RSA key pair: %w", err)
+	}
+	keyPairEd25519, err := crypto.NewKeyPair(crypto.WithType(crypto.KeyPairEd25519))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ED25519 key pair: %w", err)
+	}
+	keyPairEcdsa, err := crypto.NewKeyPair(crypto.WithType(crypto.KeyPairEcdsa))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ECDSA key pair: %w", err)
+	}
+
+	opts := SecretOpts{
+		Key:      nodeset.SshHostKeys(),
+		Metadata: nodeset.Spec.Template.PodMetadata,
+		Data: map[string][]byte{
+			sshHostEcdsaKeyFile:      keyPairEcdsa.PrivateKey(),
+			sshHostEcdsaPubKeyFile:   keyPairEcdsa.PublicKey(),
+			sshHostEd25519KeyFile:    keyPairEd25519.PrivateKey(),
+			sshHostEd25519PubKeyFile: keyPairEd25519.PublicKey(),
+			sshHostRsaKeyFile:        keyPairRsa.PrivateKey(),
+			sshHostRsaPubKeyFile:     keyPairRsa.PublicKey(),
+		},
+		Immutable: true,
+	}
+
+	opts.Metadata.Labels = structutils.MergeMaps(opts.Metadata.Labels, labels.NewBuilder().WithWorkerLabels(nodeset).Build())
+
+	return b.BuildSecret(opts, nodeset)
+}