udx-docker-sftp/master -> icamiami-docker-sftp/master

.dockerignore

@@ -1 +1,4 @@
-Makefile
+Makefile
+
+# Ignore generated credentials from google-github-actions/auth
+gha-creds-*.json

.github/dependabot.yml

@@ -0,0 +1,26 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Enable Dependabot alerts for `Docker` 
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Enable Dependabot alerts for `npm`
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Enable Dependabot alerts for `GitHub Actions`
+  - package-ecosystem: "github-actions"
+    directory: ".github/workflows"
+    schedule:
+      interval: "weekly"
+
+

.github/workflows/deploy.yml

@@ -7,7 +7,7 @@
 # To get a newer version, you will need to update the SHA.
 # You can also reference a tag or branch, but the action may change without warning.
 
-name: Build and Deploy to GKE
+name: Build, Release and Deploy to GKE
 
 on:
   push:
@@ -25,6 +25,7 @@ env:
   SLACK_NOTIFICACTION_CHANNEL: ${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}
   AR_LOCATION: ${{ vars.AR_LOCATION }}
   AR_REPOSITORY: ${{ vars.AR_REPOSITORY }}
+  IMAGE_NAME: ${{vars.AR_LOCATION}}-docker.pkg.dev/${{secrets.GKE_PROJECT}}/${{vars.AR_REPOSITORY}}/${{github.ref_name}}
 
 jobs:
   setup-build-publish-deploy:
@@ -33,16 +34,64 @@ jobs:
     if: github.event_name == 'push'
     environment:
       name: ${{ github.ref_name }}
+    permissions:
+      contents: write
+      checks: write
+      # required for all workflows
+      security-events: write
 
     steps:
     - uses: actions/checkout@v4
 
+    # fetch Tag from package.json version
+    - name: Get Tag from package.json
+      id: version
+      run: echo "TAG=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
+
+    # echo Tag
+    - name: Echo Tag
+      run: echo ${{ steps.version.outputs.TAG }}
+
+    # parse the changelog to get the release description
+    - name: Parse Changelog Entries
+      uses: actions/github-script@v7
+      id: changelog
+      with:
+        script: |
+          const { open } = require('fs/promises');
+
+          const version ='${{ steps.version.outputs.TAG }}';
+          const delimiter = '### ';
+          const file = await open('./changes.md');
+
+          let description = [];
+          let found = false;
+
+          for await (let line of file.readLines()) {
+            line = line.trim();
+
+            if ( line.startsWith(`${delimiter}${version}`) ) {
+              found = true;
+              continue;
+            }
+
+            if (!found) continue;
+            if ( line.startsWith(delimiter) )  break;
+
+            description.push(line);
+          }
+
+          if ( !description.length ) core.setFailed(`Release ${version} not found in the changelog!`);
+
+          core.setOutput('description', description.join('\n') );
+
     # Setup gcloud CLI
     - id: 'auth'
       uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GKE_SA_KEY }}'
 
+    # Set up Cloud SDK
     - name: 'Set up Cloud SDK'
       uses: 'google-github-actions/setup-gcloud@v2'
       with:
@@ -52,25 +101,69 @@ jobs:
     # helper for authentication
     - run: |-
         gcloud --quiet auth configure-docker $AR_LOCATION-docker.pkg.dev
-    # Get the GKE credentials so we can deploy to the cluster
-    - uses: google-github-actions/get-gke-credentials@v2
-      with:
-        cluster_name: ${{ env.GKE_CLUSTER }}
-        location: ${{ env.GKE_REGION }}
-        project_id: ${{ secrets.GKE_PROJECT }}
 
     # Build the Docker image
     - name: Build
       run: |-
         docker build \
-          --tag "$AR_LOCATION-docker.pkg.dev/$PROJECT_ID/$AR_REPOSITORY/$GITHUB_REF_NAME:$GITHUB_SHA" \
+          --tag "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}" \
           --build-arg GITHUB_SHA="$GITHUB_SHA" \
           --build-arg GITHUB_REF="$GITHUB_REF" \
           .
+
     # Push the Docker image to Google Container Registry
     - name: Publish
       run: |-
-        docker push "$AR_LOCATION-docker.pkg.dev/$PROJECT_ID/$AR_REPOSITORY/$GITHUB_REF_NAME:$GITHUB_SHA"
+        docker push "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+
+    # Scan Docker image for vulnerabilities
+    - name: Scan Docker Image using Trivy
+      if: github.ref_name == 'master'
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+        exit-code: '0'
+        timeout: '60m0s'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    # Upload Trivy scan results to GitHub Security tab
+    - name: Upload Trivy scan results to GitHub Security tab
+      if: github.ref_name == 'master'
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    # Generate SPDX SBOM
+    - name: Generate SBOM with Anchore Action
+      if: github.ref_name == 'master'
+      id: sbom
+      uses: anchore/sbom-action@v0
+      with:
+        image: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+        output-file: sbom.spdx.json
+        format: spdx-json
+
+    # Create a release with the version changelog as a description and attach the sbom
+    - name: Create GitHub Release
+      if: github.ref_name == 'master'
+      id: create_github_release
+      uses: softprops/action-gh-release@v2
+      with:
+        name: "Release ${{ steps.version.outputs.TAG }}"
+        body: "${{ steps.changelog.outputs.description }}"
+        tag_name: ${{ steps.version.outputs.TAG }}
+        prerelease: false
+        files: |
+          ./sbom.spdx.json
+
+    # Get the GKE credentials so we can deploy to the cluster
+    - uses: google-github-actions/get-gke-credentials@v2
+      with:
+        cluster_name: ${{ env.GKE_CLUSTER }}
+        location: ${{ env.GKE_REGION }}
+        project_id: ${{ secrets.GKE_PROJECT }}
+
     # Set up kustomize
     - name: Set up Kustomize
       run: |-
@@ -81,6 +174,7 @@ jobs:
         sed -i.bak "s|CLUSTER_NAME_VALUE|${{ vars.GKE_CLUSTER }}|g" ci/deployment-v2.yml
         sed -i.bak "s|CLUSTER_ENDPOINT_VALUE|${{ secrets.KUBERNETES_CLUSTER_ENDPOINT }}|g" ci/deployment-v2.yml
         sed -i.bak "s|CLUSTER_NAMESPACE_VALUE|${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }}|g" ci/deployment-v2.yml
+        sed -i.bak "s|CLUSTER_NAMESPACE_VALUE|${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }}|g" ci/deployment-restart-cronjob.yml
         sed -i.bak "s|CLUSTER_USER_TOKEN_VALUE|${{ secrets.KUBERNETES_CLUSTER_USER_TOKEN }}|g" ci/deployment-v2.yml
         sed -i.bak "s|CLUSTER_SERVICEACCOUNT_VALUE|${{ secrets.KUBERNETES_CLUSTER_SERVICEACCOUNT }}|g" ci/deployment-v2.yml
         sed -i.bak "s|CLUSTER_CERTIFICATE_VALUE|${{ secrets.KUBERNETES_CLUSTER_CERTIFICATE }}|g" ci/deployment-v2.yml
@@ -89,14 +183,17 @@ jobs:
         sed -i.bak "s|ACCESS_TOKEN_VALUE|${{ secrets.ACCESS_TOKEN }}|g" ci/deployment-v2.yml
         sed -i.bak "s|SLACK_NOTIFICACTION_URL_VALUE|${{ secrets.SLACK_NOTIFICACTION_URL }}|g" ci/deployment-v2.yml
         sed -i.bak "s|SLACK_NOTIFICACTION_CHANNEL_VALUE|${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}|g" ci/deployment-v2.yml
-        sed -i.bak "s|IMAGE_VERSION|$GITHUB_SHA|g" ci/deployment-v2.yml
+        sed -i.bak "s|IMAGE_VERSION|${{ steps.version.outputs.TAG }}|g" ci/deployment-v2.yml
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/service.yml
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/deployment-v2.yml
+        sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/deployment-restart-cronjob.yml
         sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/service.yml
         sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/deployment-v2.yml
+        sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/deployment-restart-cronjob.yml
         sed -i.bak "s|PROJECT_ID|$PROJECT_ID|g" ci/deployment-v2.yml
         sed -i.bak "s|AR_LOCATION|$AR_LOCATION|g" ci/deployment-v2.yml
     # Deploy the Docker image to the GKE cluster
     - run: |
         kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/service.yml && \
-        kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/deployment-v2.yml
+        kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/deployment-v2.yml && \
+        kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/deployment-restart-cronjob.yml

.gitignore

@@ -16,4 +16,9 @@ Temporary Items
 /newrelic_agent.log
 .idea
 static/kuberentes-ca.crt
-docker-compose.yml
+docker-compose.yml
+
+# Ignore generated credentials from google-github-actions/auth
+gha-creds-*.json
+
+node_modules

Dockerfile

@@ -1,18 +1,40 @@
-FROM node:20-alpine
-ENV VERSION=v1.29.0
+FROM node:23.5-alpine
+ENV KUBECTL_VERSION=1.32.0
 ENV NODE_ENV=production
 ENV SERVICE_ENABLE_SSHD=true
 ENV SERVICE_ENABLE_API=true
 ENV SERVICE_ENABLE_FIREBASE=false
 
-RUN apk update && apk upgrade && apk add bash
-
-RUN apk add --no-cache git openssh nfs-utils rpcbind curl ca-certificates nano tzdata ncurses make tcpdump \
-  && curl -L https://storage.googleapis.com/kubernetes-release/release/$VERSION/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
+RUN apk update --no-cache && apk upgrade --no-cache && apk add bash tar
+
+# Install build dependencies
+RUN apk add --no-cache \
+    build-base \
+    linux-headers \
+    openssl-dev \
+    zlib-dev \
+    file \
+    wget
+
+# Download the latest OpenSSH (9.8p1) source
+RUN wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p1.tar.gz \
+    && tar -xzf openssh-9.9p1.tar.gz \
+    && cd openssh-9.9p1 \
+    # Configure and compile the source
+    && ./configure \
+    && make \
+    && make install
+
+# Cleanup build dependencies and unnecessary files
+RUN apk del build-base linux-headers openssl-dev zlib-dev file wget \
+    && rm -rf /openssh-9.9p1.tar.gz /openssh-9.9p1
+
+RUN apk add --no-cache nfs-utils rpcbind curl ca-certificates nano tzdata ncurses make tcpdump \
+  && curl -L https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
   && chmod +x /usr/local/bin/kubectl \
   && kubectl version --client \
   && rm -rf /etc/ssh/* \
-  && mkdir /etc/ssh/authorized_keys.d \
+  && mkdir -p /etc/ssh/authorized_keys.d \
   && cp /usr/share/zoneinfo/America/New_York /etc/localtime \
   && echo "America/New_York" >  /etc/timezone \
   && apk del tzdata

bin/controller.keys.js

@@ -112,10 +112,12 @@ module.exports.updateKeys = function updateKeys(options, taskCallback) {
 
                 singleItem.Labels = _.get(singleItem, 'metadata.labels');
 
-                singleItem.Labels['ci.rabbit.name'] = singleItem.Labels['name'];
-
-                singleItem.Labels['ci.rabbit.ssh.user'] = singleItem.Labels['ci.rabbit.ssh.user'] || null;
-                return singleItem;
+                // Prevents the application from being added to the list if it does not have the required labels
+                if ( _.get(singleItem.Labels, 'name', false) && _.get(singleItem.Labels, 'ci.rabbit.ssh.user', false) ) {
+                    singleItem.Labels['ci.rabbit.name'] = singleItem.Labels['name'];
+                    singleItem.Labels['ci.rabbit.ssh.user'] = singleItem.Labels['ci.rabbit.ssh.user'] || null;
+                    return singleItem;
+                }
 
             });
 

bin/controller.ssh.entrypoint.sh

@@ -9,25 +9,35 @@ export USER_LOGIN=$(echo ${ENV_VARS} | cut -d ';' -f 2)
 
 echo "[$(date)] Have a session for [${USER_LOGIN}] : ${USER}, ${SSH_ORIGINAL_COMMAND}, ${SSH_CLIENT}, ${SSH_CONNECTION} and [${CONNECTION_STRING}] command." >> /var/log/sshd.log
 
-## SFTP.
-if [[ ${SSH_ORIGINAL_COMMAND} == "internal-sftp" ]]; then
-
-  echo "[$(date)] Have SFTP connection [${CONNECTION_STRING}] for [${USER}]." >> /var/log/sshd.log
-
-  /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
-
-  exit;
-
-fi
-
-if [[ ${SSH_ORIGINAL_COMMAND} == "/usr/lib/ssh/sftp-server" ]]; then
-
-  echo "[$(date)] Have SFTP connection [${CONNECTION_STRING}] for [${USER}]." >> /var/log/sshd.log
-
-  /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
-
-  exit;
-
+## SFTP handling with Alpine-specific paths
+if [[ ${SSH_ORIGINAL_COMMAND} == "internal-sftp" ]] || [[ ${SSH_ORIGINAL_COMMAND} == "/usr/lib/ssh/sftp-server" ]]; then
+  echo "[$(date)] SFTP connection attempt from [${SSH_CLIENT}] for user [${USER}] to pod [${CONNECTION_STRING}]" >> /var/log/sshd.log
+
+  # Check container OS type for better error reporting
+  CONTAINER_OS="unknown"
+  if /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -- which apk >/dev/null 2>&1; then
+    CONTAINER_OS="Alpine"
+  elif /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -- which apt-get >/dev/null 2>&1; then
+    CONTAINER_OS="Debian/Ubuntu"
+  elif /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -- which yum >/dev/null 2>&1; then
+    CONTAINER_OS="RHEL/CentOS"
+  fi
+  echo "[$(date)] Container OS detected: ${CONTAINER_OS}" >> /var/log/sshd.log
+
+  # Try common SFTP server paths
+  for SFTP_PATH in "/usr/lib/ssh/sftp-server" "/usr/lib/sftp-server" "/usr/libexec/sftp-server"; do
+    echo "[$(date)] Checking for SFTP server at ${SFTP_PATH}" >> /var/log/sshd.log
+    if /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -- test -f ${SFTP_PATH} 2>/dev/null; then
+      echo "[$(date)] Found SFTP server at ${SFTP_PATH}, establishing connection" >> /var/log/sshd.log
+      exec /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -i -- ${SFTP_PATH}
+      exit 0
+    fi
+  done
+
+  # If we get here, we couldn't find the SFTP server
+  echo "[$(date)] Error: SFTP server not found in ${CONTAINER_OS} container [${CONNECTION_STRING}]. Client IP: ${SSH_CLIENT}" >> /var/log/sshd.log
+  echo "Error: SFTP access requires openssh-sftp-server to be installed in the container. Please contact your administrator." >&2
+  exit 1
 fi
 
 ## Specific Command, pipe into container.

bin/server.js

@@ -51,8 +51,8 @@ setInterval(function() {
 
             var _containers = body = _.map(body.items, function(singleItem) {
                 singleItem.Labels = _.get(singleItem, 'metadata.labels');
-                singleItem.Labels['ci.rabbit.name'] = singleItem.Labels['name'];
-                singleItem.Labels['ci.rabbit.ssh.user'] = singleItem.Labels['ci.rabbit.ssh.user'] || null;
+                singleItem.Labels['ci.rabbit.name'] = _.get(singleItem.Labels,'name', null);
+                singleItem.Labels['ci.rabbit.ssh.user'] = _.get(singleItem.Labels,'ci.rabbit.ssh.user', null);
                 return singleItem;
             });