feat: support for static hostkeys in ssh core

uselagoon · Aug 7, 2024 · d082215 · d082215
1 parent e02e385
commit d082215
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 15 deletions.
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
@@ -41,18 +41,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update values for local development
-    - kind: changed
-      description: bump minimum Kubernetes version to 1.25
-    - kind: changed
-      description: added api-sidecar-handler container to api and webhooks2tasks
-    - kind: changed
-      description: update ssh-portal components to v0.37.0
-      links:
-        - name: ssh-portal release
-          url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.0
-    - kind: changed
-      description: update Lagoon appVersion to v2.20.0
-      links:
-        - name: lagoon v2.20.0 release notes
-          url: https://docs.lagoon.sh/releases/2.20.0/
+      description: add support for injecting hostkeys in core ssh service
diff --git a/charts/lagoon-core/templates/ssh.deployment.yaml b/charts/lagoon-core/templates/ssh.deployment.yaml
@@ -68,6 +68,27 @@ spec:
             port: ssh
         resources:
           {{- toYaml .Values.ssh.resources | nindent 10 }}
+        volumeMounts:
+          {{- with .Values.ssh.hostKeys.ecdsa }}
+            - name: {{ include "lagoon-core.ssh.fullname" $ }}
+              mountPath: "/etc/ssh/ssh_host_ecdsa_key"
+              subPath: HOST_KEY_ECDSA
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ed25519 }}
+            - name: {{ include "lagoon-core.ssh.fullname" $ }}
+              mountPath: "/etc/ssh/ssh_host_ed25519_key"
+              subPath: HOST_KEY_ED25519
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.rsa }}
+            - name: {{ include "lagoon-core.ssh.fullname" $ }}
+              mountPath: "/etc/ssh/ssh_host_rsa_key"
+              subPath: HOST_KEY_RSA
+          {{- end }}
+      volumes:
+      - secret:
+          defaultMode: 420
+          secretName: {{ include "lagoon-core.ssh.fullname" . }}
+        name: {{ include "lagoon-core.ssh.fullname" . }}
       {{- with .Values.ssh.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/lagoon-core/templates/ssh.secret.yaml b/charts/lagoon-core/templates/ssh.secret.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.ssh.enabled -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "lagoon-core.ssh.fullname" . }}
+  labels:
+    {{- include "lagoon-core.ssh.labels" . | nindent 4 }}
+stringData:
+  {{- with .Values.ssh.hostKeys.ecdsa }}
+  HOST_KEY_ECDSA: |-
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.ed25519 }}
+  HOST_KEY_ED25519: |-
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.rsa }}
+  HOST_KEY_RSA: |-
+    {{- . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
@@ -778,6 +778,12 @@ ssh:
     targetCPUUtilizationPercentage: 80
     # targetMemoryUtilizationPercentage: 80
 
+  # host keys, PEM encoded
+  hostKeys:
+    ecdsa: ""
+    ed25519: ""
+    rsa: ""
+
 workflows:
   enabled: true
   replicaCount: 2