latest -> master

.github/workflows/deploy.yml

@@ -32,24 +32,29 @@ jobs:
     #environment: production
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     # Setup gcloud CLI
-    - uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        credentials_json: '${{ secrets.GKE_SA_KEY }}'
+
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
       with:
-        service_account_key: ${{ secrets.GKE_SA_KEY }}
         project_id: ${{ secrets.GKE_PROJECT }}
 
     # Configure Docker to use the gcloud command-line tool as a credential
     # helper for authentication
     - run: |-
         gcloud --quiet auth configure-docker $AR_LOCATION-docker.pkg.dev
     # Get the GKE credentials so we can deploy to the cluster
-    - uses: google-github-actions/get-gke-credentials@fb08709ba27618c31c09e014e1d8364b02e5042e
+    - uses: google-github-actions/get-gke-credentials@v2
       with:
         cluster_name: ${{ env.GKE_CLUSTER }}
         location: ${{ env.GKE_ZONE }}
-        credentials: ${{ secrets.GKE_SA_KEY }}
+        project_id: ${{ secrets.GKE_PROJECT }}
 
     # Build the Docker image
     - name: Build
@@ -66,40 +71,27 @@ jobs:
     # Set up kustomize
     - name: Set up Kustomize
       run: |-
-        curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+        curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.3.0/kustomize_v5.3.0_linux_amd64.tar.gz
         chmod u+x ./kustomize
     # Deploy secret variables
     - run: |
         sed -i.bak "s|CLUSTER_NAME_VALUE|${{ secrets.GKE_CLUSTER }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_ENDPOINT_VALUE|${{ secrets.KUBERNETES_CLUSTER_ENDPOINT }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_NAMESPACE_VALUE|${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_USER_TOKEN_VALUE|${{ secrets.KUBERNETES_CLUSTER_USER_TOKEN }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_SERVICEACCOUNT_VALUE|${{ secrets.KUBERNETES_CLUSTER_SERVICEACCOUNT }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_CERTIFICATE_VALUE|${{ secrets.KUBERNETES_CLUSTER_CERTIFICATE }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_USER_SECRET_VALUE|${{ secrets.KUBERNETES_CLUSTER_USER_SECRET }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|CLUSTER_CONTEXT_VALUE|${{ secrets.KUBERNETES_CLUSTER_CONTEXT }}|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|ACCESS_TOKEN_VALUE|${{ secrets.ACCESS_TOKEN }}|g" bin/ci/deployment-v2.yml
-    - run: |
+        sed -i.bak "s|SLACK_NOTIFICACTION_URL_VALUE|${{ secrets.SLACK_NOTIFICACTION_URL }}|g" bin/ci/deployment-v2.yml
+        sed -i.bak "s|SLACK_NOTIFICACTION_CHANNEL_VALUE|${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}|g" bin/ci/deployment-v2.yml
         sed -i.bak "s|IMAGE_VERSION|$GITHUB_SHA|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" bin/ci/service.yml
-    - run: |
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" bin/ci/service.yml
-    - run: |
         sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|PROJECT_ID|$PROJECT_ID|g" bin/ci/deployment-v2.yml
-    - run: |
         sed -i.bak "s|AR_LOCATION|$AR_LOCATION|g" bin/ci/deployment-v2.yml
     # Deploy the Docker image to the GKE cluster
     - run: |

Dockerfile

@@ -1,5 +1,5 @@
-FROM node:18-alpine
-ENV VERSION=v1.25.1
+FROM node:20-alpine
+ENV VERSION=0.2.8
 ENV NODE_ENV=production
 ENV SERVICE_ENABLE_SSHD=true
 ENV SERVICE_ENABLE_API=true

bin/controller.keys.js

@@ -304,11 +304,11 @@ module.exports.updateKeys = function updateKeys(options, taskCallback) {
                     containerName: _.get(_applications[appID], 'containers[0].containerName'),
                     podName: _.get(_applications[appID], 'containers[0].podName'),
                     user_data: userData._id,
-                    CONNECTION_STRING: ['-n', _applications[appID].namespace, ' ', _.get(_applications[appID], 'containers[0].podName'), ' -c ', _.get(_applications[appID], 'containers[0].containerName')].join(' ')
+                    CONNECTION_STRING: [_applications[appID].namespace, ' ', _.get(_applications[appID], 'containers[0].podName'), ' -c ', _.get(_applications[appID], 'containers[0].containerName')].join(' ')
                 };
 
                 _.get(_allKeys, userData._id, []).forEach(function(thisUsersKey) {
-                    writableKeys.push('environment="CONNECTION_STRING=' + _envs.CONNECTION_STRING + '"   ' + thisUsersKey);
+                    writableKeys.push('environment="ENV_VARS=' + _envs.CONNECTION_STRING + ';'+userData._id+'"   ' + thisUsersKey);
                 })
 
             });

bin/controller.ssh.entrypoint.sh

@@ -4,25 +4,27 @@
 ##
 
 export _SERVICE=${USER};
+export CONNECTION_STRING=$(echo ${ENV_VARS} | cut -d ';' -f 1)
+export USER_LOGIN=$(echo ${ENV_VARS} | cut -d ';' -f 2)
 
-echo "[$(date)] Have a session for [${USER}] : ${SSH_ORIGINAL_COMMAND}, ${SSH_CLIENT}, ${SSH_CONNECTION} and [${CONNECTION_STRING}] command." >> /var/log/sshd.log
+echo "[$(date)] Have a session for [${USER_LOGIN}] : ${USER}, ${SSH_ORIGINAL_COMMAND}, ${SSH_CLIENT}, ${SSH_CONNECTION} and [${CONNECTION_STRING}] command." >> /var/log/sshd.log
 
 ## SFTP.
-if [[ "${SSH_ORIGINAL_COMMAND}" == "internal-sftp" ]]; then
+if [[ ${SSH_ORIGINAL_COMMAND} == "internal-sftp" ]]; then
 
   echo "[$(date)] Have SFTP connection [${CONNECTION_STRING}] for [${USER}]." >> /var/log/sshd.log
 
-  /usr/local/bin/kubectl exec ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
+  /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
 
   exit;
 
 fi
 
-if [[ "${SSH_ORIGINAL_COMMAND}" == "/usr/lib/ssh/sftp-server" ]]; then
+if [[ ${SSH_ORIGINAL_COMMAND} == "/usr/lib/ssh/sftp-server" ]]; then
 
   echo "[$(date)] Have SFTP connection [${CONNECTION_STRING}] for [${USER}]." >> /var/log/sshd.log
 
-  /usr/local/bin/kubectl exec ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
+  /usr/local/bin/kubectl exec -n ${CONNECTION_STRING} -i -- /usr/lib/sftp-server
 
   exit;
 
@@ -39,7 +41,7 @@ fi;
 ## Terminal, pipe into container.
 if [[ "x${SSH_ORIGINAL_COMMAND}" == "x" ]]; then
 
-  echo "kubectl  exec ${CONNECTION_STRING} -ti /bin/bash" >> /var/log/sshd.log
+  echo "kubectl exec -n ${CONNECTION_STRING} -ti /bin/bash" >> /var/log/sshd.log
 
   #if [  "x${SSH_CONNECTION}" != "x" ]; then
   #  export GIT_AUTHOR_EMAIL="${SSH_USER}";
@@ -57,7 +59,7 @@ if [[ "x${SSH_ORIGINAL_COMMAND}" == "x" ]]; then
   ## Log screen size.
   echo "[$(date)] Container [${USER}] has [${_COLUMNS}] columns and [${_ROWS}] rows." >> /var/log/sshd.log
 
-  _command="/usr/local/bin/kubectl exec $CONNECTION_STRING -ti -- /bin/bash"
+  _command="/usr/local/bin/kubectl exec -n $CONNECTION_STRING -ti -- /bin/bash"
 
   echo $_command >> /var/log/sshd.log
 

bin/entrypoint.sh

@@ -44,23 +44,11 @@ if [[ -f /home/node/.kube/kuberentes-ca.crt ]]; then
 
 fi;
 
-# npm install google-gax
-# npm install axios
-# npm install async
-# npm install debug
-# npm install express
-# npm install lodash
-# npm install mustache
-# npm install md5
-# npm install firebase-admin
-# npm install dot-object
-
 npm install google-gax
 
 pm2 startOrReload /opt/sources/rabbitci/rabbit-ssh/static/ecosystem.config.js --silent
 
 npm install
 
 ## Command pass-through.
-exec "$@"
-
+exec "$@"

bin/firebase.consume.js

@@ -5,12 +5,7 @@
  */
 //var newrelic = require('newrelic')
 var admin = require("firebase-admin/lib/index");
-var request = require( 'request' );
-var execFile = require( 'child_process' ).execFile;
-var request = require( 'request' );
-var async = require( 'async' );
 var _ = require( 'lodash' );
-var controllerKeys = require( './controller.keys' );
 
 exports.changeQueue = [];
 

bin/rabbit.ssh.cli.js

@@ -8,7 +8,6 @@
 var utility = require( '../lib/utility' );
 var dot = require( 'dot-object' );
 var _ = require( 'lodash' );
-var admin = utility.getFirebase();
 
 utility.getCollection( 'container', 'meta/sshUser', function( error, data ) {
 

bin/server.js

@@ -1,6 +1,6 @@
 /**
  *
- *
+ * This is the SSH server that is used to connect to the Kubernetes cluster.
  * node ./server
  *
  */
@@ -12,7 +12,6 @@ const debug = require('debug')('ssh');
 const app = express();
 let utility = require('../lib/utility');
 const md5 = require('md5');
-const { get } = require('lodash');
 
 var accessToken = process.env.ACCESS_TOKEN;
 
@@ -249,10 +248,6 @@ function serverOnline() {
 
     // detect non-kubernetes
     if (process.env.KUBERNETES_CLUSTER_ENDPOINT) {
-        //async function firestoreDoc() {
-        // var snap = await db.collection('github').doc("access").get();
-        // accessToken = snap.data().token;
-        //console.log("token", accessToken);
         utility.updateKeys({
             keysPath: '/etc/ssh/authorized_keys.d',
             passwordFile: '/etc/passwd',
@@ -262,12 +257,9 @@ function serverOnline() {
             console.log('Updated state with [%s] SSH keys.', error || _.size(data.users));
             app.set('sshUser', data.users);
         });
-        //}
-        //firestoreDoc();
     }
 
     if (process.env.SLACK_NOTIFICACTION_URL && process.env.SLACK_NOTIFICACTION_URL.indexOf("https") === 0) {
-
         axios({
             method: 'post', //you can set what request you want to be
             url: process.env.SLACK_NOTIFICACTION_URL,
@@ -277,7 +269,6 @@ function serverOnline() {
                 text: "Container " + (process.env.HOSTNAME || process.env.HOST) + " is up. ```kubectl -n rabbit-system logs -f " + (process.env.HOSTNAME || process.env.HOST) + "```"
             }
         });
-
     } else {
         console.log("process.env.SLACK_NOTIFICACTION_URL isn't set");
     }

changes.md

@@ -1,3 +1,12 @@
+### 0.2.8
+* updated `NodeJS` version to `20`
+* updated `NodeJS Modules` to the latest versions
+* fixed issue with `SFTP` connection
+* prevented access for the `root` user
+* added processing `SLACK_NOTIFICACTION_CHANNEL` and `SLACK_NOTIFICACTION_URL` environment variables in `GitHub Action`
+* updated `GitHub Action` `Build and Deploy to GKE`
+* added additional logging
+
 ### 0.2.7
 * updated curl to 8.5.0 because of vulnerability
 * access is allowed for the admin role in production

lib/utility.js

@@ -1,8 +1,6 @@
 var _ = require('lodash');
-var dot = require('dot-object');
 var admin = require("firebase-admin");
 var debug = require('debug')('ssh');
-var async = require('async');
 
 /**
  * Converts Docker event message into a firebase-friendly container object.
@@ -39,8 +37,6 @@ module.exports.normalizeMessage = function normalizeMessage(type, action, data)
     }
 
     if (_attributes && type === 'container') {
-        //_normalized.fields = dot.object(_attributes);
-
         _.forEach(_attributes, function(value, key) {
 
             var _field = {

package.json

@@ -1,7 +1,7 @@
 {
     "name": "docker-sftp",
-    "version": "0.2.5",
-    "description": "SSH tunnels to containers",
+    "version": "0.2.8",
+    "description": "SSH tunnels to Kubernetes containers",
     "main": "bin/server.js",
     "scripts": {
         "dev-start": "NODE_ENV=development pm2 start --watch --name server-ssh-dev bin/server.js",
@@ -23,15 +23,15 @@
     },
     "homepage": "https://github.com/udx/docker-sftp#readme",
     "dependencies": {
-        "async": "^3.2.4",
-        "axios": "^1.2.2",
-        "google-gax": "^3.5.2",
-        "debug": "^3.2.6",
-        "dot-object": "^2.1.3",
-        "express": "^4.16.3",
-        "firebase-admin": "^11.4.1",
+        "async": "^3.2.5",
+        "axios": "^1.6.7",
+        "google-gax": "^4.3.0",
+        "debug": "^4.3.4",
+        "dot-object": "^2.1.4",
+        "express": "^4.18.2",
+        "firebase-admin": "^12.0.0",
         "lodash": "^4.17.21",
-        "mustache": "^2.3.0",
+        "mustache": "^4.2.0",
         "md5": "^2.3.0"
     }
 }

static/etc/ssh/sshd_config

@@ -37,7 +37,7 @@ HostKey /etc/ssh/ssh_host_rsa_key
 LogLevel INFO
 
 # Authentication:
-PermitRootLogin yes
+PermitRootLogin no
 StrictModes yes
 
 PubkeyAuthentication yes