Support SSH auth for SFTP event source (#2918)

Signed-off-by: dillonstreator <dillonstreator@gmail.com>
argoproj · Nov 27, 2023 · 2721ca9 · 2721ca9
1 parent 69ac700
commit 2721ca9
Show file tree

Hide file tree

Showing 10 changed files with 600 additions and 469 deletions.
diff --git a/api/event-source.html b/api/event-source.html
diff --git a/api/event-source.md b/api/event-source.md
diff --git a/api/jsonschema/schema.json b/api/jsonschema/schema.json
@@ -2690,6 +2690,10 @@
           "description": "PollIntervalDuration the interval at which to poll the SFTP server defaults to 10 seconds",
           "type": "string"
         },
+        "sshKeySecret": {
+          "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector",
+          "description": "SSHKeySecret refers to the secret that contains SSH key"
+        },
         "username": {
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector",
           "description": "Username required for authentication if any."

diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/eventsources/sources/sftp/start.go b/eventsources/sources/sftp/start.go
@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/fs"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -73,19 +74,46 @@ func (el *EventListener) StartListening(ctx context.Context, dispatch func([]byt
 	if err != nil {
 		return fmt.Errorf("username not found, %w", err)
 	}
-	password, err := common.GetSecretFromVolume(el.SFTPEventSource.Password)
-	if err != nil {
-		return fmt.Errorf("password not found, %w", err)
-	}
 	address, err := common.GetSecretFromVolume(el.SFTPEventSource.Address)
 	if err != nil {
 		return fmt.Errorf("address not found, %w", err)
 	}
 
+	var authMethod ssh.AuthMethod
+	var hostKeyCallback ssh.HostKeyCallback
+
+	if el.SFTPEventSource.SSHKeySecret != nil {
+		sshKeyPath, err := common.GetSecretVolumePath(el.SFTPEventSource.SSHKeySecret)
+		if err != nil {
+			return fmt.Errorf("failed to get SSH key from mounted volume, %w", err)
+		}
+		sshKey, err := os.ReadFile(sshKeyPath)
+		if err != nil {
+			return fmt.Errorf("failed to read ssh key file. err: %+v", err)
+		}
+		signer, err := ssh.ParsePrivateKey(sshKey)
+		if err != nil {
+			return fmt.Errorf("failed to parse private ssh key. err: %+v", err)
+		}
+		publicKey, err := ssh.ParsePublicKey(sshKey)
+		if err != nil {
+			return fmt.Errorf("failed to parse public ssh key. err: %+v", err)
+		}
+		authMethod = ssh.PublicKeys(signer)
+		hostKeyCallback = ssh.FixedHostKey(publicKey)
+	} else {
+		password, err := common.GetSecretFromVolume(el.SFTPEventSource.Password)
+		if err != nil {
+			return fmt.Errorf("password not found, %w", err)
+		}
+		authMethod = ssh.Password(password)
+		hostKeyCallback = ssh.InsecureIgnoreHostKey()
+	}
+
 	sftpConfig := &ssh.ClientConfig{
 		User:            username,
-		Auth:            []ssh.AuthMethod{ssh.Password(password)},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(), // TODO: enable host key callback
+		Auth:            []ssh.AuthMethod{authMethod},
+		HostKeyCallback: hostKeyCallback,
 	}
 
 	var sshClient *ssh.Client

diff --git a/pkg/apis/eventsource/v1alpha1/generated.pb.go b/pkg/apis/eventsource/v1alpha1/generated.pb.go
diff --git a/pkg/apis/eventsource/v1alpha1/generated.proto b/pkg/apis/eventsource/v1alpha1/generated.proto
diff --git a/pkg/apis/eventsource/v1alpha1/openapi_generated.go b/pkg/apis/eventsource/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/eventsource/v1alpha1/types.go b/pkg/apis/eventsource/v1alpha1/types.go
@@ -303,18 +303,20 @@ type SFTPEventSource struct {
 	Username *corev1.SecretKeySelector `json:"username,omitempty" protobuf:"bytes,3,opt,name=username"`
 	// Password required for authentication if any.
 	Password *corev1.SecretKeySelector `json:"password,omitempty" protobuf:"bytes,4,opt,name=password"`
+	// SSHKeySecret refers to the secret that contains SSH key
+	SSHKeySecret *corev1.SecretKeySelector `json:"sshKeySecret,omitempty" protobuf:"bytes,5,opt,name=sshKeySecret"`
 	// Address sftp address.
-	Address *corev1.SecretKeySelector `json:"address,omitempty" protobuf:"bytes,5,opt,name=address"`
+	Address *corev1.SecretKeySelector `json:"address,omitempty" protobuf:"bytes,6,opt,name=address"`
 	// Metadata holds the user defined metadata which will passed along the event payload.
 	// +optional
-	Metadata map[string]string `json:"metadata,omitempty" protobuf:"bytes,6,rep,name=metadata"`
+	Metadata map[string]string `json:"metadata,omitempty" protobuf:"bytes,7,rep,name=metadata"`
 	// Filter
 	// +optional
-	Filter *EventSourceFilter `json:"filter,omitempty" protobuf:"bytes,7,opt,name=filter"`
+	Filter *EventSourceFilter `json:"filter,omitempty" protobuf:"bytes,8,opt,name=filter"`
 	// PollIntervalDuration the interval at which to poll the SFTP server
 	// defaults to 10 seconds
 	// +optional
-	PollIntervalDuration string `json:"pollIntervalDuration" protobuf:"varint,8,opt,name=pollIntervalDuration"`
+	PollIntervalDuration string `json:"pollIntervalDuration" protobuf:"varint,9,opt,name=pollIntervalDuration"`
 }
 
 // ResourceEventType is the type of event for the K8s resource mutation

diff --git a/pkg/apis/eventsource/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/eventsource/v1alpha1/zz_generated.deepcopy.go