feat: remove helm rsync.fixPrivateKeyPerms option and change how ssh …

…private key is mounted and used (#252)

* Remove helm rsync.fixPrivateKeyPerms option and change how ssh private key is mounted and used

Signed-off-by: Alex Romanenko <[email protected]

* Update helm/pv-migrate/templates/rsync/job.yaml

Adding quotes to avoid spaces issue with file paths.

Co-authored-by: Utku Özdemir <[email protected]>

* Update helm/pv-migrate/templates/sshd/deployment.yaml

Adding quotes to avoid spaces issue with file paths.

Co-authored-by: Utku Özdemir <[email protected]>

* update chart

Signed-off-by: Utku Ozdemir <[email protected]>

---------

Signed-off-by: Alex Romanenko <[email protected]
Signed-off-by: Utku Ozdemir <[email protected]>
Co-authored-by: Utku Özdemir <[email protected]>

helm/pv-migrate/README.md

@@ -27,7 +27,6 @@ The helm chart of pv-migrate
 | rsync.command | string | `""` | Full Rsync command and flags |
 | rsync.enabled | bool | `false` | Enable creation of Rsync job |
 | rsync.extraArgs | string | `""` | Extra args to be appended to the rsync command. Setting this might cause the tool to not function properly. |
-| rsync.fixPrivateKeyPerms | bool | `false` | Enable fixing permissions on the private key prior to running rsync |
 | rsync.image.pullPolicy | string | `"IfNotPresent"` | Rsync image pull policy |
 | rsync.image.repository | string | `"docker.io/utkuozdemir/pv-migrate-rsync"` | Rsync image repository |
 | rsync.image.tag | string | `"1.0.0"` | Rsync image tag |
@@ -41,7 +40,7 @@ The helm chart of pv-migrate
 | rsync.podSecurityContext | object | `{}` | Rsync pod security context |
 | rsync.privateKey | string | `""` | The private key content |
 | rsync.privateKeyMount | bool | `false` | Mount a private key into the Rsync pod |
-| rsync.privateKeyMountPath | string | `"/root/.ssh/id_ed25519"` | The path to mount the private key |
+| rsync.privateKeyMountPath | string | `"/tmp/id_ed25519"` | The path to mount the private key |
 | rsync.pvcMounts | list | `[]` | PVC mounts into the Rsync pod. For examples, see [values.yaml](values.yaml) |
 | rsync.resources | object | `{}` | Rsync pod resources |
 | rsync.restartPolicy | string | `"Never"` |  |
@@ -65,7 +64,7 @@ The helm chart of pv-migrate
 | sshd.podSecurityContext | object | `{}` | SSHD pod security context |
 | sshd.privateKey | string | `""` | The private key content |
 | sshd.privateKeyMount | bool | `false` | Mount a private key into the SSHD pod |
-| sshd.privateKeyMountPath | string | `"/root/.ssh/id_ed25519"` | The path to mount the private key |
+| sshd.privateKeyMountPath | string | `"/tmp/id_ed25519"` | The path to mount the private key |
 | sshd.publicKey | string | `""` | The public key content |
 | sshd.publicKeyMount | bool | `true` | Mount a public key into the SSHD pod |
 | sshd.publicKeyMountPath | string | `"/root/.ssh/authorized_keys"` | The path to mount the public key |

helm/pv-migrate/templates/rsync/job.yaml

@@ -38,8 +38,12 @@ spec:
               rc=1
               retries={{ .Values.rsync.maxRetries }}
               period={{ .Values.rsync.retryPeriodSeconds }}
-              {{ if .Values.rsync.fixPrivateKeyPerms -}}
-              chmod 400 {{ .Values.rsync.privateKeyMountPath }}
+              {{ if .Values.rsync.privateKeyMount -}}
+              privateKeyFilename=$(basename "{{ .Values.rsync.privateKeyMountPath }}")
+              mkdir -p ~/.ssh
+              chmod 700 ~/.ssh
+              cp -v "{{ .Values.rsync.privateKeyMountPath }}" ~/.ssh/
+              chmod 400 "~/.ssh/$privateKeyFilename"
               {{- end }}
               until [ "$n" -ge "$retries" ]
               do

helm/pv-migrate/templates/sshd/deployment.yaml

@@ -33,6 +33,19 @@ spec:
         {{- toYaml .Values.sshd.podSecurityContext | nindent 8 }}
       containers:
         - name: sshd
+          command:
+            - sh
+            - -c
+            - |
+              set -x
+              {{ if .Values.sshd.privateKeyMount -}}
+              privateKeyFilename=$(basename "{{ .Values.sshd.privateKeyMountPath }}")
+              mkdir -p ~/.ssh
+              chmod 700 ~/.ssh
+              cp -v "{{ .Values.sshd.privateKeyMountPath }}" ~/.ssh/
+              chmod 400 "~/.ssh/$privateKeyFilename"
+              {{- end }}
+              /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
           securityContext:
             {{- toYaml .Values.sshd.securityContext | nindent 12 }}
           image: "{{ .Values.sshd.image.repository }}:{{ .Values.sshd.image.tag }}"

helm/pv-migrate/values.yaml

@@ -73,7 +73,7 @@ sshd:
   # -- Mount a private key into the SSHD pod
   privateKeyMount: false
   # -- The path to mount the private key
-  privateKeyMountPath: /root/.ssh/id_ed25519
+  privateKeyMountPath: /tmp/id_ed25519
   # -- The private key content
   privateKey: ""
 
@@ -143,11 +143,9 @@ rsync:
   # -- Mount a private key into the Rsync pod
   privateKeyMount: false
   # -- The path to mount the private key
-  privateKeyMountPath: /root/.ssh/id_ed25519
+  privateKeyMountPath: /tmp/id_ed25519
   # -- The private key content
   privateKey: ""
-  # -- Enable fixing permissions on the private key prior to running rsync
-  fixPrivateKeyPerms: false
   # -- Number of retries to run rsync command
   maxRetries: 10
   # -- Waiting time between retries

helm/test-vals-different-cluster.yaml

@@ -4,7 +4,7 @@ rsync:
   mountSource: false
 
   privateKeyMount: true
-  privateKeyMountPath: /root/.ssh/id_ed25519
+  privateKeyMountPath: /tmp/id_ed25519
   privateKey: asdf
 
   sshRemoteHost: REMOTE_HOST

helm/test-vals-different-ns.yaml

@@ -3,7 +3,7 @@ rsync:
   deleteExtraneousFiles: false
   noChown: false
   privateKeyMount: true
-  privateKeyMountPath: /root/.ssh/id_ed25519
+  privateKeyMountPath: /tmp/id_ed25519
   privateKey: |
     -----BEGIN OPENSSH PRIVATE KEY-----
     b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz

integration/integration_test.go

@@ -52,8 +52,6 @@ const (
 	migrateCmdlineWithNetpols = migrateCmdline +
 		"--helm-set rsync.networkPolicy.enabled=true " +
 		"--helm-set sshd.networkPolicy.enabled=true"
-        migrateCmdlineWithNetpolsAndRsyncFixPrivateKeyPerms = migrateCmdlineWithNetpols +
-                " --helm-set rsync.fixPrivateKeyPerms=true"
 )
 
 var (
@@ -179,7 +177,7 @@ func TestSameNSLbSvc(t *testing.T) {
 	_, err := execInPod(ctx, mainClusterCli, ns1, "dest", generateExtraDataShellCommand)
 	assert.NoError(t, err)
 
-	cmd := fmt.Sprintf("%s -s lbsvc -i -n %s -N %s --lbsvc-timeout 5m source dest", migrateCmdlineWithNetpolsAndRsyncFixPrivateKeyPerms, ns1, ns1)
+	cmd := fmt.Sprintf("%s -s lbsvc -i -n %s -N %s --lbsvc-timeout 5m source dest", migrateCmdlineWithNetpols, ns1, ns1)
 	assert.NoError(t, runCliApp(ctx, cmd))
 
 	stdout, err := execInPod(ctx, mainClusterCli, ns1, "dest", printDataUIDGIDContentShellCommand)

strategy/lbsvc.go

@@ -29,7 +29,7 @@ func (r *LbSvc) Run(ctx context.Context, attempt *migration.Attempt) error {
 		return fmt.Errorf("failed to create ssh key pair: %w", err)
 	}
 
-	privateKeyMountPath := "/root/.ssh/id_" + keyAlgorithm
+	privateKeyMountPath := "/tmp/id_" + keyAlgorithm
 
 	srcReleaseName := attempt.HelmReleaseNamePrefix + "-src"
 	destReleaseName := attempt.HelmReleaseNamePrefix + "-dest"

strategy/local.go

@@ -152,7 +152,7 @@ func (r *Local) installLocalReleases(attempt *migration.Attempt) (string, string
 		return "", "", "", fmt.Errorf("failed to generate SSH key pair: %w", err)
 	}
 
-	privateKeyMountPath := "/root/.ssh/id_" + keyAlgorithm
+	privateKeyMountPath := "/tmp/id_" + keyAlgorithm
 
 	srcReleaseName := attempt.HelmReleaseNamePrefix + "-src"
 	destReleaseName := attempt.HelmReleaseNamePrefix + "-dest"

strategy/svc.go

@@ -69,7 +69,7 @@ func buildHelmVals(mig *migration.Migration, helmReleaseName string) (map[string
 		return nil, fmt.Errorf("failed to create ssh key pair: %w", err)
 	}
 
-	privateKeyMountPath := "/root/.ssh/id_" + keyAlgorithm
+	privateKeyMountPath := "/tmp/id_" + keyAlgorithm
 
 	sshTargetHost := helmReleaseName + "-sshd." + sourceNs
 	if mig.Request.DestHostOverride != "" {