Add ability to seed trusted public keys (#119)
* ✨ Add ability to set trusted public keys at install

* ✨ Working pub key auth from install
bryopsida authored Jan 14, 2024
1 parent 73612a2 commit 3dc5d12
Showing 8 changed files with 103 additions and 10 deletions.
8 changes: 4 additions & 4 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM ubuntu:kinetic-20230624
FROM ubuntu:jammy
ARG COMMIT=""
ENV COMMIT_SHA=${COMMIT}
ENV DEBIAN_FRONTEND=noninteractive
Expand All @@ -8,7 +8,7 @@ RUN echo "LANG=en_US.UTF-8" >> /etc/environment


RUN apt-get update && \
apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat && \
apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat unzip zip && \
apt-get install -y --no-install-recommends git

# Helm
Expand All @@ -25,8 +25,8 @@ RUN apt-get update && \
apt-get update && \
apt-get install -y kubectl


RUN curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh && \
# Node global
RUN curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh && \
chmod +x nodesource_setup.sh && \
./nodesource_setup.sh && \
apt-get update &&\
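Review bot: `FROM ubuntu:jammy` in the first hunk replaces a date-suffixed tag with a floating release tag, so the same Dockerfile can now yield different base layers and package versions from one build to the next; pin it again with a dated tag or a digest, e.g. `FROM ubuntu:jammy-<date-tag>` or `FROM ubuntu:jammy@sha256:<digest>` (placeholders to fill in from the registry). In the Node hunk, `curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh` has no `-f`, so an HTTP error body would be written to nodesource_setup.sh and then executed as root by the following lines; `curl -fsSL` makes the download step fail instead of running whatever came back. The RUN that starts at `# Node global` continues past the end of the hunk, so I have not checked how the downloaded script is cleaned up.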
26 changes: 25 additions & 1 deletion Entrypoint.sh
Expand Up @@ -5,13 +5,37 @@ sudo mkdir -p /etc/dropbear
sudo chmod 700 /etc/dropbear
sudo chown -R developer:developer /etc/dropbear
touch /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys

if [ -e /authorized-keys ] ; then
echo "Trusted Authorized keys exists, setting contents of /etc/dropbear/authorized_keys"
cat /authorized-keys > /etc/dropbear/authorized_keys
fi

sudo chown -R developer:developer /home/developer

# setup home directory links/permissions etc
# this occurs on every container startup and is meant to be idempotent without overwriting existing files
/usr/local/bin/prepare_home.sh

ohmyzshEnabled=${OH_MY_ZSH_INSTALL_ENABLED:-"false"}
if [[ $ohmyzshEnabled == "true" ]]; then
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
fi

nvmEnabled=${NVM_INSTALL_ENABLED:-"false"}
if [[ $nvmEnabled == "true" ]]; then
echo "NVM Install Enabled, ensuring nvm is installed for user"
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
fi

sdkManEnabled=${SDK_MAN_INSTALL_ENABLED:-"false"}
if [[ $sdkManEnabled == "true" ]]; then
echo "SDK Man Install Enabled, ensuring sdk man is installed for user"
curl -s "https://get.sdkman.io" | bash
fi


passwordLoginEnabled=${PASSWORD_LOGIN_ENABLED:-"false"}
if [[ $passwordLoginEnabled == "true" ]]; then
# Create a random password for developer and echo it to the console
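Review bot: The nvm installer line `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash` hardcodes v0.39.7, while the same commit adds an `NVM_VERSION` env var (from `nvmVersion`) in charts/k8s-dev-pod/templates/deployment.yaml that nothing in this script reads; use `curl -o- "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION:-v0.39.7}/install.sh" | bash` so the chart value actually takes effect. The Oh My Zsh and SDKMAN branches fetch and execute whatever `master` and `get.sdkman.io` serve at every container start, with no version pin and no checksum, so what ends up in the developer's home depends on those remote hosts at runtime; pinning a tagged release and verifying a digest, or baking these installs into the image, would make startups reproducible and keep the pod usable when those hosts are unreachable. The `/authorized-keys` seeding tests with `-e`, which is also true for a directory; since the chart mounts a single file via subPath, `if [ -f /authorized-keys ] ; then` states the intent and avoids `cat` failing on a directory mount. The script's head and tail lie outside the hunk.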
16 changes: 15 additions & 1 deletion PrepareHome.sh
Expand Up @@ -9,4 +9,18 @@ if [ -e ~/.ssh/authorized_keys ] ; then
else
echo "Creating authorized_keys link..."
ln -s /etc/dropbear/authorized_keys ~/.ssh/authorized_keys
fi
fi

# seed .bashrc
if [ -e ~/.bashrc ] ; then
echo "bash profile already exists, skipping..."
else
cp /etc/skel/.bashrc ~/
fi

# ~ folder should be 0755
chmod 0755 ~
# ~/.ssh should be 0700
chmod 0700 ~/.ssh
# ~/.ssh/authorized_keys should be 0600
chmod 0600 ~/.ssh/authorized_keys
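Review bot: `chmod 0600 ~/.ssh/authorized_keys` is applied to a symlink (the `ln -s` earlier in the hunk), and chmod follows symlinks, so the mode change actually lands on `/etc/dropbear/authorized_keys`; that appears intended, since Entrypoint.sh sets the same file to 600, but the comment should say so, e.g. `# ~/.ssh/authorized_keys is a symlink to /etc/dropbear/authorized_keys; chmod follows it, so this tightens the shared file`. The three `chmod` lines would also benefit from a one-line why: as far as I know dropbear, like OpenSSH, refuses public-key logins when the home directory, ~/.ssh or authorized_keys are group- or world-writable, which is the failure these lines prevent on a persistent home volume. `chmod 0700 ~/.ssh` assumes ~/.ssh already exists; the check at the top of the hunk implies it is created earlier in the script, outside the hunk.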
3 changes: 1 addition & 2 deletions charts/k8s-dev-pod/Chart.yaml
Expand Up @@ -2,7 +2,6 @@ apiVersion: v2
name: k8s-dev-pod
description: A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets
type: application
version: 0.2.0
appVersion: "0.1.0"
version: 0.3.0
maintainers:
- name: Bryopsida
11 changes: 9 additions & 2 deletions charts/k8s-dev-pod/README.md
@@ -1,6 +1,6 @@
# k8s-dev-pod

![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets

Expand All @@ -14,18 +14,25 @@ A Helm chart for deploying a dev environment inside a K8S cluster that is compat

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| authorizedKeys | string | `nil` | A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart |
| existingAuthorizedKeySecretName | string | `nil` | secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys |
| existingAuthorizedKeySecretProperty | string | `"public-keys"` | property on the existing secret holding the authorized keys value |
| homeSize | int | `20` | |
| image.pullPolicy | string | `"Always"` | |
| image.repo | string | `"ghcr.io/bryopsida/k8s-dev-pod"` | |
| image.tag | string | `"main"` | |
| ingressEnabled | bool | `false` | |
| ingressPort | int | `3022` | |
| nvmInstallEnabled | bool | `true` | |
| nvmVersion | string | `"v0.39.7"` | |
| ohMyZshInstallEnabled | bool | `true` | |
| passwordLoginEnabled | bool | `true` | |
| sdkManInstallEnabled | bool | `true` | |
| tailscale.authKey | string | `nil` | |
| tailscale.enabled | bool | `false` | |
| tailscale.image.pullPolicy | string | `"Always"` | |
| tailscale.image.repo | string | `"ghcr.io/tailscale/tailscale"` | |
| tailscale.image.tag | string | `"latest"` | |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
10 changes: 10 additions & 0 deletions charts/k8s-dev-pod/templates/authorized-keys.yaml
@@ -0,0 +1,10 @@
{{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-authorized-keys
labels:
{{- include "k8s-dev-pod.labels" . | nindent 4 }}
data:
public-keys: {{ .Values.authorizedKeys | b64enc }}
{{- end }}
26 changes: 26 additions & 0 deletions charts/k8s-dev-pod/templates/deployment.yaml
Expand Up @@ -31,6 +31,15 @@ spec:
- name: dropbear
persistentVolumeClaim:
claimName: {{ .Release.Name }}-dropbear
{{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }}
- name: authorized-keys
secret:
secretName: {{ .Release.Name }}-authorized-keys
{{- else if .Values.existingAuthorizedKeySecretName }}
- name: authorized-keys
secret:
secretName: {{ .Values.existingAuthorizedKeySecretName }}
{{- end }}
{{- if .Values.volumes }}
{{- toYaml .Values.volumes | nindent 8 }}
{{- end }}
Expand All @@ -46,6 +55,14 @@ spec:
env:
- name: PASSWORD_LOGIN_ENABLED
value: "{{ .Values.passwordLoginEnabled }}"
- name: NVM_INSTALL_ENABLED
value: "{{ .Values.nvmInstallEnabled }}"
- name: NVM_VERSION
value: "{{ .Values.nvmVersion }}"
- name: SDK_MAN_INSTALL_ENABLED
value: "{{ .Values.sdkManInstallEnabled }}"
- name: OH_MY_ZSH_INSTALL_ENABLED
value: "{{ .Values.ohMyZshInstallEnabled }}"
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
Expand All @@ -62,6 +79,15 @@ spec:
- name: dropbear
mountPath: /etc/dropbear
readOnly: false
{{- if or .Values.authorizedKeys .Values.existingAuthorizedKeySecretName }}
- name: authorized-keys
mountPath: /authorized-keys
{{- if .Values.existingAuthorizedKeySecretName }}
subPath: public-keys
{{- else }}
subPath: {{ .Values.existingAuthorizedKeySecretProperty }}
{{- end }}
{{- end }}
{{- if .Values.volumeMounts }}
{{- toYaml .Values.volumeMounts | nindent 12 }}
{{- end }}
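Review bot: The two `subPath` branches in the volumeMounts hunk are swapped: when `existingAuthorizedKeySecretName` is set the mount uses the fixed key `public-keys`, yet that is precisely the case where the user-supplied `existingAuthorizedKeySecretProperty` (documented in values.yaml as the property on the existing secret) should be used, while the chart-managed Secret from templates/authorized-keys.yaml always stores the keys under `public-keys` and should not read that value. With the defaults both sides evaluate to `public-keys`, so it works by accident; anyone pointing at an existing secret whose key has a different name gets a pod that never starts, because the subPath key does not exist in the mounted secret. Swap the two lines: `subPath: {{ .Values.existingAuthorizedKeySecretProperty }}` under the `if` and `subPath: public-keys` under the `else`. The YAML indentation of the new lines is not recoverable from the rendered page, so I have not checked it.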
13 changes: 13 additions & 0 deletions charts/k8s-dev-pod/values.yaml
Expand Up @@ -6,10 +6,23 @@ homeSize: 20
ingressEnabled: false
ingressPort: 3022
passwordLoginEnabled: true
# -- secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys
existingAuthorizedKeySecretName: ~
# existingAuthorizedKeySecretName: dev-pod-authorized-keys
# -- property on the existing secret holding the authorized keys value
existingAuthorizedKeySecretProperty: public-keys
# -- A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart
authorizedKeys: ~
# authorizedKeys: |
# ssh-<key alg> <pub key> <client hostname>
tailscale:
enabled: false
image:
repo: ghcr.io/tailscale/tailscale
tag: latest
pullPolicy: Always
authKey: ~
nvmInstallEnabled: true
nvmVersion: v0.39.7
sdkManInstallEnabled: true
ohMyZshInstallEnabled: true
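Review bot: The helm-docs comment for `existingAuthorizedKeySecretName` misspells the other value as `authorizedKys`; since README.md is regenerated from these comments and the README hunk in this commit already carries the typo, fix it at the source: `# -- secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKeys`. The `authorizedKeys` comment could also state where the value goes, namely that the chart renders it into a Secret named `<release>-authorized-keys` whose single key is mounted at `/authorized-keys` and copied over `/etc/dropbear/authorized_keys` by Entrypoint.sh on each start, so readers know the keys are applied by the entrypoint rather than by dropbear reading the mount directly.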
