Merge pull request #15 from montblu/13-use-official-openssh-server-tu…
…nnel-mod

Use the official openssh-server tunnel mod, disable the created user's shell, and minor fixes
pessoa authored Jul 8, 2024
2 parents 20988ee + a34d6ef commit 10e0fb2
Showing 2 changed files with 47 additions and 67 deletions.
99 changes: 39 additions & 60 deletions main.tf
@@ -1,21 +1,5 @@
locals {
resource_name = var.name_prefix == "" ? var.name : "${var.name_prefix}-${var.name}"

# Default SSH config
sshd_config = <<-EOT
Port ${var.ssh_port}
AllowTcpForwarding yes
AuthorizedKeysFile .ssh/authorized_keys
ClientAliveCountMax 100
ClientAliveInterval 30
GatewayPorts clientspecified
PasswordAuthentication no
PermitTunnel yes
PidFile /config/sshd.pid
TCPKeepAlive no
X11Forwarding no
HostKey /config/ssh_host_keys/ssh_host_rsa_key
EOT
}

resource "kubernetes_config_map" "main" {
Expand All @@ -27,7 +11,12 @@ resource "kubernetes_config_map" "main" {
data = {
"authorized_keys" = var.ssh_keys
"motd" = "Welcome to ${var.motd_name}.\n"
"sshd_config" = var.sshd_config == "" ? local.sshd_config : var.sshd_config
"delete-generated-ssh-keys" = <<EOT
#!/bin/bash
echo "**** remove not needed ecdsa and ed25519 keys ****"
rm /config/ssh_host_keys/ssh_host_ecdsa*
rm /config/ssh_host_keys/ssh_host_ed25519*
EOT
}
}

Expand Down Expand Up @@ -95,14 +84,14 @@ resource "kubernetes_deployment" "main" {
}

volume {
name = "sshd-config"
name = "delete-generated-ssh-keys"

config_map {
name = local.resource_name

items {
key = "sshd_config"
path = "sshd_config"
key = "delete-generated-ssh-keys"
path = "delete-generated-ssh-keys"
}
}
}
Expand Down Expand Up @@ -133,82 +122,72 @@ resource "kubernetes_deployment" "main" {
}
}

volume {
name = "config"
empty_dir {}
}
container {
name = local.resource_name
image = "${var.image_repository}:${var.image_tag}"

init_container {
name = "${local.resource_name}-init"
image = "busybox:1.36.1-uclibc"
env {
# Ref: https://github.com/linuxserver/docker-mods/tree/openssh-server-ssh-tunnel
name = "DOCKER_MODS"
value = "linuxserver/mods:openssh-server-ssh-tunnel"
}

command = ["sh", "-c", "cp -r /defaults/. /config && chmod 600 /config/ssh_host_keys/ssh_host_rsa_key"]
env {
name = "PUBLIC_KEY_FILE"
value = "/defaults/authorized_keys"
}

env {
name = "SHELL_NOLOGIN"
value = var.shell_no_login
}

env {
name = "USER_NAME"
value = var.ssh_user
}

volume_mount {
name = "authorized-keys"
mount_path = "/defaults/.ssh/authorized_keys"
mount_path = "/defaults/authorized_keys"
sub_path = "authorized_keys"
}

volume_mount {
name = "sshd-config"
mount_path = "/defaults/ssh_host_keys/sshd_config"
sub_path = "sshd_config"
name = "delete-generated-ssh-keys"
mount_path = "/custom-cont-init.d/delete-generated-ssh-keys"
sub_path = "delete-generated-ssh-keys"
read_only = true
}

volume_mount {
name = "ssh-host-rsa-key"
mount_path = "/defaults/ssh_host_keys/ssh_host_rsa_key"
mount_path = "/config/ssh_host_keys/ssh_host_rsa_key"
sub_path = "ssh_host_rsa_key"
}

volume_mount {
name = "ssh-host-rsa-key-public"
mount_path = "/defaults/ssh_host_keys/ssh_host_rsa_key_public"
mount_path = "/config/ssh_host_keys/ssh_host_rsa_key_public"
sub_path = "ssh_host_rsa_key_public"
}

volume_mount {
name = "config"
mount_path = "/config"
}
}

container {
name = local.resource_name
image = "${var.image_repository}:${var.image_tag}"

env {
name = "USER_NAME"
value = var.ssh_user
}


volume_mount {
name = "motd"
mount_path = "/etc/motd"
sub_path = "motd"
}

volume_mount {
name = "config"
mount_path = "/config"
}

liveness_probe {
tcp_socket {
port = var.ssh_port
}

initial_delay_seconds = 30
}

readiness_probe {
tcp_socket {
port = var.ssh_port
}

initial_delay_seconds = 30
}
}
}
Expand Down Expand Up @@ -247,7 +226,7 @@ resource "kubernetes_service" "main" {
target_port = var.ssh_port
}

type = var.svc_type
type = var.svc_type
load_balancer_class = var.load_balancer_class
}

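Review bot: The init container that ran `chmod 600 /config/ssh_host_keys/ssh_host_rsa_key` is removed, but nothing on the new side restricts the mode of the `ssh-host-rsa-key` mount at `/config/ssh_host_keys/ssh_host_rsa_key`; unless the volume definition (outside this hunk) sets `default_mode = "0600"`, the private host key is mounted with the Kubernetes default 0644, readable by every process in the container. Please confirm the volume's `default_mode`, or add it, since the only other file under that path is the public key. Separately, dropping `local.sshd_config` means `PasswordAuthentication no`, `X11Forwarding no` and the forwarding settings are no longer pinned by the module and now depend on the image and the tunnel mod's defaults, which this diff does not show; a comment on the config map such as `# sshd hardening (no password auth, no X11) is now provided by the image/mod defaults` with a pointer to where that is verified would make the assumption explicit. The `delete-generated-ssh-keys` script also runs `rm` without `-f`, so a rerun after the files are gone prints errors; `rm -f` would keep the init log clean.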
15 changes: 8 additions & 7 deletions variables.tf
Expand Up @@ -27,12 +27,6 @@ variable "ssh_keys" {
description = "List of SSH keys to be added to the authorized keys list. Should be in the same format as the 'authorized_keys' file, represented in Heredoc style as a multi-line string value."
}

variable "sshd_config" {
type = string
default = ""
description = "Configuration file for SSH. If not defined it will use the default."
}

variable "ssh_host_rsa_key" {
type = string
default = ""
Expand Down Expand Up @@ -90,5 +84,12 @@ variable "svc_port" {
variable "load_balancer_class" {
type = string
default = null
description = "The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the svc_type is LoadBalancer"
description = "The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the svc_type is LoadBalancer"
}

variable "shell_no_login" {
type = bool
default = true
description = "Determines whether it is possible to login into shell when connecting via SSH with the created user. By default the user is not allowed to shell via SSH, to change this behaviour please set this variable to 'false'"
}

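Review bot: Removing `variable "sshd_config"` is a breaking change to the module interface: any caller still passing `sshd_config = ...` will fail at plan time with an unexpected-argument error, and the page shows no version bump or migration note. Consider documenting the removal (README or changelog) and, if the module is versioned, releasing it as a major bump. The `shell_no_login` description could also state what it controls concretely, e.g. `description = "When true (default) the SSH user's shell is set to nologin via the image's SHELL_NOLOGIN option, so the account can only be used for port forwarding/tunnels. Set to false to allow an interactive shell."`, since the security benefit of the default is the point of the variable.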