Use Official tunnel mod and disable shell of user and minor fixes #15

Merged
merged 14 commits into from
Jul 8, 2024
99 changes: 39 additions & 60 deletions main.tf
@@ -1,21 +1,5 @@
locals {
resource_name = var.name_prefix == "" ? var.name : "${var.name_prefix}-${var.name}"

# Default SSH config
sshd_config = <<-EOT
Port ${var.ssh_port}
AllowTcpForwarding yes
AuthorizedKeysFile .ssh/authorized_keys
ClientAliveCountMax 100
ClientAliveInterval 30
GatewayPorts clientspecified
PasswordAuthentication no
PermitTunnel yes
PidFile /config/sshd.pid
TCPKeepAlive no
X11Forwarding no
HostKey /config/ssh_host_keys/ssh_host_rsa_key
EOT
}

resource "kubernetes_config_map" "main" {
Expand All @@ -27,7 +11,12 @@ resource "kubernetes_config_map" "main" {
data = {
"authorized_keys" = var.ssh_keys
"motd" = "Welcome to ${var.motd_name}.\n"
"sshd_config" = var.sshd_config == "" ? local.sshd_config : var.sshd_config
"delete-generated-ssh-keys" = <<EOT
#!/bin/bash
echo "**** remove not needed ecdsa and ed25519 keys ****"
rm /config/ssh_host_keys/ssh_host_ecdsa*
rm /config/ssh_host_keys/ssh_host_ed25519*
EOT
}
}

Expand Down Expand Up @@ -95,14 +84,14 @@ resource "kubernetes_deployment" "main" {
}

volume {
name = "sshd-config"
name = "delete-generated-ssh-keys"

config_map {
name = local.resource_name

items {
key = "sshd_config"
path = "sshd_config"
key = "delete-generated-ssh-keys"
path = "delete-generated-ssh-keys"
}
}
}
Expand Down Expand Up @@ -133,82 +122,72 @@ resource "kubernetes_deployment" "main" {
}
}

volume {
name = "config"
empty_dir {}
}
container {
name = local.resource_name
image = "${var.image_repository}:${var.image_tag}"

init_container {
name = "${local.resource_name}-init"
image = "busybox:1.36.1-uclibc"
env {
# Ref: https://github.com/linuxserver/docker-mods/tree/openssh-server-ssh-tunnel
name = "DOCKER_MODS"
value = "linuxserver/mods:openssh-server-ssh-tunnel"
}

command = ["sh", "-c", "cp -r /defaults/. /config && chmod 600 /config/ssh_host_keys/ssh_host_rsa_key"]
env {
name = "PUBLIC_KEY_FILE"
value = "/defaults/authorized_keys"
}

env {
name = "SHELL_NOLOGIN"
value = var.shell_no_login
}

env {
name = "USER_NAME"
value = var.ssh_user
}

volume_mount {
name = "authorized-keys"
mount_path = "/defaults/.ssh/authorized_keys"
mount_path = "/defaults/authorized_keys"
sub_path = "authorized_keys"
}

volume_mount {
name = "sshd-config"
mount_path = "/defaults/ssh_host_keys/sshd_config"
sub_path = "sshd_config"
name = "delete-generated-ssh-keys"
mount_path = "/custom-cont-init.d/delete-generated-ssh-keys"
sub_path = "delete-generated-ssh-keys"
read_only = true
}

volume_mount {
name = "ssh-host-rsa-key"
mount_path = "/defaults/ssh_host_keys/ssh_host_rsa_key"
mount_path = "/config/ssh_host_keys/ssh_host_rsa_key"
sub_path = "ssh_host_rsa_key"
}

volume_mount {
name = "ssh-host-rsa-key-public"
mount_path = "/defaults/ssh_host_keys/ssh_host_rsa_key_public"
mount_path = "/config/ssh_host_keys/ssh_host_rsa_key_public"
sub_path = "ssh_host_rsa_key_public"
}

volume_mount {
name = "config"
mount_path = "/config"
}
}

container {
name = local.resource_name
image = "${var.image_repository}:${var.image_tag}"

env {
name = "USER_NAME"
value = var.ssh_user
}


volume_mount {
name = "motd"
mount_path = "/etc/motd"
sub_path = "motd"
}

volume_mount {
name = "config"
mount_path = "/config"
}

liveness_probe {
tcp_socket {
port = var.ssh_port
}

initial_delay_seconds = 30
}

readiness_probe {
tcp_socket {
port = var.ssh_port
}

initial_delay_seconds = 30
}
}
}
Expand Down Expand Up @@ -247,7 +226,7 @@ resource "kubernetes_service" "main" {
target_port = var.ssh_port
}

type = var.svc_type
type = var.svc_type
load_balancer_class = var.load_balancer_class
}

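Review bot: With the `sshd_config` local and its config map entry gone (first hunk), nothing in the module states `PasswordAuthentication no`, `X11Forwarding no` or `PermitTunnel yes` any more; those settings now come from the image defaults and the `openssh-server-ssh-tunnel` mod selected via `DOCKER_MODS`, neither of which this file shows. A short comment next to that env entry, e.g. `# sshd hardening (no password auth, tunnel-only access) now comes from the image defaults plus this mod; re-check both before changing image_tag`, would keep that dependency visible to the next maintainer. Separately, the `ssh-host-rsa-key` mount now lands directly in `/config/ssh_host_keys/` and the init step that ran `chmod 600` on it appears to be removed; if that volume is a secret without a restrictive `default_mode`, the private key will be readable by other users inside the container, which sshd may refuse when loading host keys — worth confirming against the volume definition, which is outside these hunks. The `kubernetes_deployment` resource starts and ends outside the hunks.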
15 changes: 8 additions & 7 deletions variables.tf
Expand Up @@ -27,12 +27,6 @@ variable "ssh_keys" {
description = "List of SSH keys to be added to the authorized keys list. Should be in the same format as the 'authorized_keys' file, represented in Heredoc style as a multi-line string value."
}

variable "sshd_config" {
type = string
default = ""
description = "Configuration file for SSH. If not defined it will use the default."
}

variable "ssh_host_rsa_key" {
type = string
default = ""
Expand Down Expand Up @@ -90,5 +84,12 @@ variable "svc_port" {
variable "load_balancer_class" {
type = string
default = null
description = "The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the svc_type is LoadBalancer"
description = "The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the svc_type is LoadBalancer"
}

variable "shell_no_login" {
type = bool
default = true
description = "Determines whether it is possible to login into shell when connecting via SSH with the created user. By default the user is not allowed to shell via SSH, to change this behaviour please set this variable to 'false'"
}
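Review bot: Removing `variable "sshd_config"` (first hunk) is a breaking change for any caller that still passes `sshd_config = ...` to this module — Terraform rejects an unexpected module argument — and nothing in the PR title flags it, so a note in the description or a major version bump is warranted. The description of the new `shell_no_login` variable (second hunk) could be tightened as well, e.g. `description = "When true (the default), the created user gets no interactive shell over SSH; set to false to allow a login shell."`, with the exact effect depending on how the image interprets `SHELL_NOLOGIN`, which this file does not show. Both `variable` blocks are complete within their hunks.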