feat: optional ssh-proxy service
shreddedbacon committed Jun 20, 2023
1 parent c0f9c54 commit 4d841cd
Showing 5 changed files with 174 additions and 2 deletions.
3 changes: 3 additions & 0 deletions charts/lagoon-remote/ci/linter-values.yaml
@@ -96,5 +96,8 @@ sshPortal:
6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----
sshProxy:
enabled: true

storageCalculator:
enabled: true
27 changes: 27 additions & 0 deletions charts/lagoon-remote/templates/_helpers.tpl
@@ -191,6 +191,33 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


{{/*
Create a default fully qualified app name for sshProxy.
*/}}
{{- define "lagoon-remote.sshProxy.fullname" -}}
{{- include "lagoon-remote.fullname" . }}-ssh-proxy
{{- end }}

{{/*
Common labels sshProxy.
*/}}
{{- define "lagoon-remote.sshProxy.labels" -}}
helm.sh/chart: {{ include "lagoon-remote.chart" . }}
{{ include "lagoon-remote.sshProxy.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels sshProxy.
*/}}
{{- define "lagoon-remote.sshProxy.selectorLabels" -}}
app.kubernetes.io/name: {{ include "lagoon-remote.name" . }}
app.kubernetes.io/component: {{ include "lagoon-remote.sshProxy.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use for insights-remote
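--- a/charts/lagoon-remote/templates/ssh-proxy.deployment.yaml
+++ b/charts/lagoon-remote/templates/ssh-proxy.deployment.yaml
@@ -0,0 +1,88 @@
+{{- if .Values.sshProxy.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "lagoon-remote.sshProxy.fullname" . }}
+labels:
+{{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+replicas: {{ .Values.sshProxy.replicaCount }}
+selector:
+matchLabels:
+{{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 6 }}
+template:
+metadata:
+{{- with .Values.podAnnotations }}
+annotations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+labels:
+{{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 8 }}
+spec:
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+securityContext:
+{{- toYaml .Values.sshProxy.podSecurityContext | nindent 8 }}
+containers:
+- name: ssh-proxy
+securityContext:
+{{- toYaml .Values.sshProxy.securityContext | nindent 10 }}
+image: "{{ .Values.sshProxy.image.repository }}:{{ .Values.sshProxy.image.tag }}"
+imagePullPolicy: {{ .Values.sshProxy.image.pullPolicy }}
+command:
+- socat
+args:
+- TCP4-LISTEN:2020,reuseaddr,fork
+{{- if .Values.sshPortal.enabled }}
+- TCP:{{ include "lagoon-remote.sshPortal.fullname" . }}:{{ .Values.sshPortal.service.ports.sshserver }}
+{{- else }}
+- TCP:{{ .Values.sshProxy.ssh.host }}:{{ .Values.sshProxy.ssh.port }}
+{{- end }}
+ports:
+- name: sshproxy
+containerPort: 2020
+protocol: TCP
+livenessProbe:
+tcpSocket:
+port: sshproxy
+initialDelaySeconds: 300
+readinessProbe:
+tcpSocket:
+port: sshproxy
+initialDelaySeconds: 300
+resources:
+{{- toYaml .Values.sshProxy.resources | nindent 10 }}
+{{- with .Values.sshProxy.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 50
+podAffinityTerm:
+labelSelector:
+matchExpressions:
+- key: app.kubernetes.io/name
+operator: In
+values:
+- {{ include "lagoon-remote.name" . }}
+- key: app.kubernetes.io/component
+operator: In
+values:
+- {{ include "lagoon-remote.sshProxy.fullname" . }}
+- key: app.kubernetes.io/instance
+operator: In
+values:
+- {{ .Release.Name }}
+topologyKey: kubernetes.io/hostname
+{{- with .Values.sshProxy.affinity }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.sshProxy.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- end }}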
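Review bot: The `{{- else }}` branch of `args` would render an empty forward target (`TCP::`) when `sshPortal.enabled` is false and `sshProxy.ssh.host` / `sshProxy.ssh.port` are left at the empty defaults this commit ships in values.yaml, so the misconfiguration only surfaces once the pod is running. Failing at render time makes it explicit: `- TCP:{{ required "sshProxy.ssh.host is required when sshPortal is disabled" .Values.sshProxy.ssh.host }}:{{ required "sshProxy.ssh.port is required when sshPortal is disabled" .Values.sshProxy.ssh.port }}`. Pod annotations are read from top-level `.Values.podAnnotations`, while values.yaml appears to add a `podAnnotations` key under `sshProxy` that nothing here reads; `podSecurityContext`, `nodeSelector`, `affinity` and `tolerations` are read under `sshProxy` but have no documented defaults in the values hunk. Both probes are `tcpSocket` checks against the forking socat listener, so each probe likely opens a short-lived connection to the upstream SSH service (worth knowing when reading its connection logs), and the 300-second readiness delay keeps a new replica out of the Service for five minutes.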
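--- a/charts/lagoon-remote/templates/ssh-proxy.service.yaml
+++ b/charts/lagoon-remote/templates/ssh-proxy.service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.sshProxy.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ .Values.sshProxy.service.name }}
+labels:
+metrics-only: "true"
+{{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+type: {{ .Values.sshProxy.service.type }}
+ports:
+- port: {{ .Values.sshProxy.service.port }}
+targetPort: sshproxy
+protocol: TCP
+name: sshproxy
+selector:
+{{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 4 }}
+{{- end }}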
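Review bot: The Service carries the label `metrics-only: "true"`, which looks copied from a metrics Service; if any NetworkPolicy, monitor or other selector in the cluster keys on that label, the SSH proxy would be matched by it, so the label should be dropped unless it is intentional. The name comes straight from `sshProxy.service.name` (default `ssh` in values.yaml) rather than a release-scoped helper, so a second release in the same namespace, or an existing Service called `ssh`, would collide. A template comment such as `{{/* fixed name on purpose: environments resolve ssh.<namespace>.svc */}}` above `metadata` would record that the unscoped name is deliberate.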
40 changes: 38 additions & 2 deletions charts/lagoon-remote/values.yaml
@@ -159,6 +159,42 @@ sshPortal:
ed25519: ""
rsa: ""

# sshProxy is an optional service that exposes a single `ssh.lagoon.svc` service within a remote
# this can then be configured to point to the lagoon-core ssh service using `sshProxy.ssh.host` and `sshProxy.ssh.port`
# or the ssh-portal service that is deployed if the ssh-portal is enabled
# this service can be used in `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort` values when configuring the remote
# and will be exposed by the remote-controller to deployed environments via the LAGOON_CONFIG_SSH_HOST and LAGOON_CONFIG_SSH_PORT values
# for tasks and pods to use within the cluster scope
sshProxy:
enabled: false
replicaCount: 2
image:
repository: alpine/socat
pullPolicy: IfNotPresent
tag: "1.7.4.4"

# if ssh-portal is enabled the following `ssh` section is ignored and the ssh-portal service endpoint is used instead
ssh:
# set these to be the host and port of your lagoon-core ssh service
# example for amazeeio cloud:
# host: ssh.amazeeio.cloud
# port: 30831
host:
port:

# if you modify these values and are using `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort`
# you'll need to ensure you update those values too
service:
name: ssh
type: ClusterIP
port: 2020

podAnnotations: {}

securityContext: {}

resources: {}

# This subchart is disabled by default until this build-deploy type is in
# widespread use.
lagoon-build-deploy:
@@ -172,8 +208,8 @@ lagoon-build-deploy:
# lagoonTokenHost: ""
# lagoonTokenPort: ""
# lagoonAPIHost: ""
# sshPortalHost: ""
# sshPortalPort: ""
# sshPortalHost: ssh.lagoon.svc
# sshPortalPort: 22
# See the parent chart for the full range of values that can be passed here to control builds
# https://github.com/uselagoon/lagoon-charts/blob/main/charts/lagoon-build-deploy/values.yaml

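Review bot: `securityContext: {}` in the first hunk leaves the socat container on whatever user and capabilities the `alpine/socat` image defaults to, although the deployment only listens on unprivileged port 2020 and forwards TCP. A restrictive default (non-root UID, no privilege escalation, all capabilities dropped, read-only root filesystem) would suit a component that sits in the SSH path of every environment; the fence sketches one, with the UID and the read-only filesystem to be confirmed against the image. The image is also pinned by tag only (`tag: "1.7.4.4"`); supporting a digest pin would make the proxied image immutable. Separately, the commented example in the second hunk suggests `sshPortalPort: 22` while `sshProxy.service.port` defaults to 2020, so copying the example would point builds at a port the Service does not expose; `# sshPortalPort: 2020` would match.

```yaml
# … unchanged: sshProxy.enabled, replicaCount, image, ssh, service, podAnnotations …
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534  # constructed example UID; confirm one the image supports
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
```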
