feat: support for static hostkeys in ssh core

uselagoon · Aug 7, 2024 · 7f35114 · 7f35114
1 parent d082215
commit 7f35114
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 8 deletions.
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.46.0
+version: 1.46.1
 
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.

diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml
@@ -163,6 +163,64 @@ ssh:
   resources:
     requests:
       cpu: "10m"
+  hostKeys:
+    rsa: |
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+      NhAAAAAwEAAQAAAYEA01PSVwpU00EAdkL7DXoMFjsMXWTcrMIw61jveHOxno/lpHhQuomI
+      CJAC0xVz/v7koDHXMSEpwKmhYmpe49qMJpximx/TE05kkuvCPBWUTfygLA01aszkfG3MKN
+      +rkunI3L0CXrxaSiZP0lgzKM6kYFitiN0H5JArxskQPcf5KvQShTkYzM3G0Z0k791T7FyY
+      CUiEBmKfu+k0zSE9vIflnsxlcdWH/rCpoSY4FZzHL4puuilvu9H4HmknH+bILFgV/t9U+U
+      ZFamq4VvhQXB7hZOTd25rBu5PvPeJ7LKg71T1xCpct/OquGfTspGmL/qv6PdcAAPlMFIOz
+      2/ug+1/NHI8SwRDaB9h0q2ik4/mdHuou7rArtmXf8VBlIkpi7X0NYT/Nx3ngRFlHlYo7O9
+      P4LVfV4/Bl53GiqCslf1rOsNpwiuG9VIH1dGzCw3YI3gNPihQPEUnJKFVmLRYd81MRv7xn
+      gFWZIJ3CkoRCTIHkGSfQ87raDtmWbGE7YdQvK2m9AAAFiDDW52Mw1udjAAAAB3NzaC1yc2
+      EAAAGBANNT0lcKVNNBAHZC+w16DBY7DF1k3KzCMOtY73hzsZ6P5aR4ULqJiAiQAtMVc/7+
+      5KAx1zEhKcCpoWJqXuPajCacYpsf0xNOZJLrwjwVlE38oCwNNWrM5HxtzCjfq5LpyNy9Al
+      68WkomT9JYMyjOpGBYrYjdB+SQK8bJED3H+Sr0EoU5GMzNxtGdJO/dU+xcmAlIhAZin7vp
+      NM0hPbyH5Z7MZXHVh/6wqaEmOBWcxy+Kbropb7vR+B5pJx/myCxYFf7fVPlGRWpquFb4UF
+      we4WTk3duawbuT7z3ieyyoO9U9cQqXLfzqrhn07KRpi/6r+j3XAAD5TBSDs9v7oPtfzRyP
+      EsEQ2gfYdKtopOP5nR7qLu6wK7Zl3/FQZSJKYu19DWE/zcd54ERZR5WKOzvT+C1X1ePwZe
+      dxoqgrJX9azrDacIrhvVSB9XRswsN2CN4DT4oUDxFJyShVZi0WHfNTEb+8Z4BVmSCdwpKE
+      QkyB5Bkn0PO62g7ZlmxhO2HULytpvQAAAAMBAAEAAAGANb5cgOxMtEkUr/7K0BuY1VKBC4
+      NqJ7lfLYs5o51wr42S7mf2x+nQIbVWMo6DKHd0d1UVkBYKA0hglaHNrg7Xk74zyZWnXYKT
+      S1YP2K34QHkd1vYo/pdLCGX4BPEVNlCkV5bt8l/eansh07HAmQEshqAmyebEahlMOMrLiZ
+      rAwG7AAweJShSPGqHnUeUswbCurbW2ddVBIE3nsr9gbwD0oZUDu5Z9doVBLo2Et+JeObXw
+      AQImu1Jj0oAVhiRwBe8EekcISIOORJH5sXOQSUT1U1c8SEi2hexeBykOfBiWeWAKXl+IHy
+      fDGDx+7UNc+lxX/Y/VD22AUtVGvT8VgpfRrQEQ+1VzH8vinA8lk70nGaZ88efVQBOjwLSf
+      OpQTKXEIOz6kGEUSZa6+ifasW2bVm+Y4QBBuKaSgNo5Q6ajC8lHCtsQiBqZxKZqR2FxIz5
+      J2slA7V1UEqa6G4XbgmMDuRd/35EGfIFr+XSyVuIz1+Qf5Pp0F+lHUHCbQMudIOBcVAAAA
+      wEZj+u+dfCZJEyDUrYVGpqbeOs8sevJg+DQ4GTtt6IkyXDwWUjhnvoRABhwQbcMEcj639y
+      8CjBIC+D10Zz5IOJhOiedio7IDl4og1o0SmwGRddsRIGYwCKTKrR/+H9IHPp7EcfElnZfE
+      3kenOld0feseYQG94SnJFLY638mD/zqpFiWan2VypMmJtvNV5eWI4VrLdKzVtuVdF61xvd
+      mlrsEoQ1H98W7E9/zffCZJKTgYrt51tE0rV8u0HrBFbE8d1QAAAMEA/VyoWuGFIiIaHA32
+      WTJ5+uOcp+CVLZzCCDlCKhrjnRBM0qlO7a7pyQ9j74LQ1+tw7QGvu9f5O9x3Ndaphr3DQG
+      Ner84JVBls6JMRURPiTHs+Tv5VfiPAXnsOmioIDe3X5oW5ikexkA2rVYR9RET0qW/txqJm
+      Xuve9AUfyC6GmsHpt2P7R6JF0jocYdVaSmzFrmx3F1d7j/vQkNklE9rGt4nB0dyY4ZnBi0
+      Ffo8sEiku1TfbKzCILxHZnGhc6nl0DAAAAwQDVhx63rZcSA55I9zJDWoYZIKPtGnt2f2MZ
+      QnjH9CtDHrEjJigxGnaUo5+BDtDvh3Bjb8LVgK4vbSNESl8H7WeGsq9A8jsz1J6rwJ22hU
+      nqekQovL1icA0q16x3VWVfEpXbcuWjnKVE/zFGOXf01khUrW4Xu+idkYws9bGLdtvkMliG
+      IHdnz7MSzcqR4sWmI2naEt79rGLH3rK/blJpBfCU71wmtz93jYYOW7VQrW8zt1kXtx4fn3
+      9CZBLAoHn9gj8AAAARYmVuQHNocmVkZGVkYmFjb24BAg==
+      -----END OPENSSH PRIVATE KEY-----
+    ecdsa: |
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+      1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ3ODLabuuNJtOWW+DCHMFB+ZuF6Fj9
+      tUl/AkKo7tKXCsF39MWXs15+e+7zPw6SfRjOSe+DWoKNmInezvpO2kJMAAAAsNTQX8rU0F
+      /KAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb
+      4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQk
+      wAAAAhAM1shfG9ZAFn1XxrmsGuqhXTuI+8W8VZJRIF+ucX6J+vAAAAEWJlbkBzaHJlZGRl
+      ZGJhY29uAQIDBAUG
+      -----END OPENSSH PRIVATE KEY-----
+    ed25519: |
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      QyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcAAAAJhzIoyXcyKM
+      lwAAAAtzc2gtZWQyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcA
+      AAAEAWTgia6XF7lvU5UrUbTq4GDvWVpa54m5OwAUqMLF5xXLWSDwhoTFNA2/itmaRwjB8d
+      z0/Tnd8VDJ6Jkhnix+1wAAAAEWJlbkBzaHJlZGRlZGJhY29uAQIDBA==
+      -----END OPENSSH PRIVATE KEY-----
 
 sshPortalAPI:
   enabled: true

diff --git a/charts/lagoon-core/templates/ssh.deployment.yaml b/charts/lagoon-core/templates/ssh.deployment.yaml
@@ -72,23 +72,38 @@ spec:
           {{- with .Values.ssh.hostKeys.ecdsa }}
             - name: {{ include "lagoon-core.ssh.fullname" $ }}
               mountPath: "/etc/ssh/ssh_host_ecdsa_key"
-              subPath: HOST_KEY_ECDSA
+              subPath: ssh_host_ecdsa_key
           {{- end }}
           {{- with .Values.ssh.hostKeys.ed25519 }}
             - name: {{ include "lagoon-core.ssh.fullname" $ }}
               mountPath: "/etc/ssh/ssh_host_ed25519_key"
-              subPath: HOST_KEY_ED25519
+              subPath: ssh_host_ed25519_key
           {{- end }}
           {{- with .Values.ssh.hostKeys.rsa }}
             - name: {{ include "lagoon-core.ssh.fullname" $ }}
               mountPath: "/etc/ssh/ssh_host_rsa_key"
-              subPath: HOST_KEY_RSA
+              subPath: ssh_host_rsa_key
           {{- end }}
       volumes:
+      {{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ed25519 }}
       - secret:
-          defaultMode: 420
+          defaultMode: 432
+          items:
+          {{- with .Values.ssh.hostKeys.rsa }}
+          - key: HOST_KEY_RSA
+            path: ssh_host_rsa_key
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ecdsa }}
+          - key: HOST_KEY_ECDSA
+            path: ssh_host_ecdsa_key
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ed25519 }}
+          - key: HOST_KEY_ED25519
+            path: ssh_host_ed25519_key
+          {{- end }}
           secretName: {{ include "lagoon-core.ssh.fullname" . }}
         name: {{ include "lagoon-core.ssh.fullname" . }}
+      {{- end }}
       {{- with .Values.ssh.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/lagoon-core/templates/ssh.secret.yaml b/charts/lagoon-core/templates/ssh.secret.yaml
@@ -8,15 +8,15 @@ metadata:
     {{- include "lagoon-core.ssh.labels" . | nindent 4 }}
 stringData:
   {{- with .Values.ssh.hostKeys.ecdsa }}
-  HOST_KEY_ECDSA: |-
+  HOST_KEY_ECDSA: |
     {{- . | nindent 4 }}
   {{- end }}
   {{- with .Values.ssh.hostKeys.ed25519 }}
-  HOST_KEY_ED25519: |-
+  HOST_KEY_ED25519: |
     {{- . | nindent 4 }}
   {{- end }}
   {{- with .Values.ssh.hostKeys.rsa }}
-  HOST_KEY_RSA: |-
+  HOST_KEY_RSA: |
     {{- . | nindent 4 }}
   {{- end }}
 {{- end }}