feat: add production hardening — Ed25519 signing, Portainer Edge, SSH extension (Phase 4)

Image signing: - Ed25519 sign/verify package (pure Go stdlib, zero deps) - genkey and sign CLI subcommands for build system - Optional --pubkey flag for verifying updates on apply - Signature URLs in update metadata (latest.json) Portainer Edge Agent: - cloud-init portainer.go module writes K8s manifest - Auto-deploys Edge Agent when portainer.edge-agent.enabled - Full RBAC (ServiceAccount, ClusterRoleBinding, Deployment) - 5 Portainer tests in portainer_test.go Production tooling: - SSH debug extension builder (hack/build-ssh-extension.sh) - Boot performance benchmark (test/benchmark/bench-boot.sh) - Resource usage benchmark (test/benchmark/bench-resources.sh) - Deployment guide (docs/deployment-guide.md) Test results: 50 update agent tests + 22 cloud-init tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 11:26:23 -06:00
parent 8d25e1890e
commit 49a37e30e8
15 changed files with 1965 additions and 11 deletions
--- a/update/cmd/apply.go
+++ b/update/cmd/apply.go
@@ -33,6 +33,12 @@ func Apply(args []string) error {
 	client := image.NewClient(opts.ServerURL, stageDir)
 	defer client.Cleanup()

+	// Enable signature verification if public key is configured
+	if opts.PubKeyPath != "" {
+		client.SetPublicKeyPath(opts.PubKeyPath)
+		slog.Info("signature verification enabled", "pubkey", opts.PubKeyPath)
+	}
+
 	meta, err := client.CheckForUpdate()
 	if err != nil {
 		return fmt.Errorf("checking for update: %w", err)
--- a/update/cmd/opts.go
+++ b/update/cmd/opts.go
@@ -5,6 +5,7 @@ type opts struct {
 	ServerURL   string
 	GrubenvPath string
 	TimeoutSecs int
+	PubKeyPath  string
 }

 // parseOpts extracts command-line flags from args.
@@ -40,6 +41,11 @@ func parseOpts(args []string) opts {
 				}
 				i++
 			}
+		case "--pubkey":
+			if i+1 < len(args) {
+				o.PubKeyPath = args[i+1]
+				i++
+			}
 		}
 	}

--- a/update/cmd/sign.go
+++ b/update/cmd/sign.go
@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/portainer/kubesolo-os/update/pkg/signing"
+)
+
+// Sign creates Ed25519 signatures for update artifacts.
+// Used during the build process, not on the target device.
+//
+// Usage:
+//
+//	kubesolo-update sign --key <privkey.hex> <file> [file...]
+func Sign(args []string) error {
+	var keyPath string
+	var files []string
+
+	for i := 0; i < len(args); i++ {
+		switch args[i] {
+		case "--key":
+			if i+1 < len(args) {
+				keyPath = args[i+1]
+				i++
+			}
+		default:
+			// Non-flag args are files to sign
+			if args[i] != "" && args[i][0] != '-' {
+				files = append(files, args[i])
+			}
+		}
+	}
+
+	if keyPath == "" {
+		return fmt.Errorf("--key is required (path to Ed25519 private key hex file)")
+	}
+	if len(files) == 0 {
+		return fmt.Errorf("at least one file to sign is required")
+	}
+
+	signer, err := signing.NewSignerFromFile(keyPath)
+	if err != nil {
+		return fmt.Errorf("loading private key: %w", err)
+	}
+
+	for _, f := range files {
+		sigPath := f + ".sig"
+		if err := signer.SignFile(f, sigPath); err != nil {
+			return fmt.Errorf("signing %s: %w", f, err)
+		}
+		fmt.Printf("Signed: %s → %s\n", f, sigPath)
+	}
+
+	return nil
+}
+
+// GenKey generates a new Ed25519 key pair for signing updates.
+//
+// Usage:
+//
+//	kubesolo-update genkey
+func GenKey(args []string) error {
+	pub, priv, err := signing.GenerateKeyPair()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Public key (hex):  %s\n", pub)
+	fmt.Printf("Private key (hex): %s\n", priv)
+	fmt.Println()
+	fmt.Println("Save the public key to /etc/kubesolo/update-pubkey.hex on the device.")
+	fmt.Println("Keep the private key secure and offline — use it only for signing updates.")
+
+	return nil
+}