feat: optional ssh-proxy service

charts/lagoon-remote/Chart.yaml

@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.78.1
+version: 0.79.0
 
 dependencies:
 - name: lagoon-build-deploy
@@ -45,4 +45,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update lagoon-build-deploy subchart to 0.23.1
+      description: add ssh-proxy service

charts/lagoon-remote/ci/linter-values.yaml

@@ -96,5 +96,8 @@ sshPortal:
       6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF
       -----END OPENSSH PRIVATE KEY-----
 
+sshProxy:
+  enabled: true
+
 storageCalculator:
   enabled: true

charts/lagoon-remote/templates/_helpers.tpl

@@ -191,6 +191,33 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 
+{{/*
+Create a default fully qualified app name for sshProxy.
+*/}}
+{{- define "lagoon-remote.sshProxy.fullname" -}}
+{{- include "lagoon-remote.fullname" . }}-ssh-proxy
+{{- end }}
+
+{{/*
+Common labels sshProxy.
+*/}}
+{{- define "lagoon-remote.sshProxy.labels" -}}
+helm.sh/chart: {{ include "lagoon-remote.chart" . }}
+{{ include "lagoon-remote.sshProxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels sshProxy.
+*/}}
+{{- define "lagoon-remote.sshProxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-remote.name" . }}
+app.kubernetes.io/component: {{ include "lagoon-remote.sshProxy.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
 
 {{/*
 Create the name of the service account to use for insights-remote

charts/lagoon-remote/templates/ssh-proxy.deployment.yaml

@@ -0,0 +1,84 @@
+{{- if and .Values.sshProxy.enabled (ne .Values.sshPortal.enabled true) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "lagoon-remote.sshProxy.fullname" . }}
+  labels:
+    {{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.sshProxy.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.sshProxy.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.sshProxy.podSecurityContext | nindent 8 }}
+      containers:
+      - name: ssh-proxy
+        securityContext:
+          {{- toYaml .Values.sshProxy.securityContext | nindent 10 }}
+        image: "{{ .Values.sshProxy.image.repository }}:{{ .Values.sshProxy.image.tag }}"
+        imagePullPolicy: {{ .Values.sshProxy.image.pullPolicy }}
+        command:
+        - socat
+        args:
+        - TCP4-LISTEN:2020,reuseaddr,fork
+        - TCP:{{ .Values.sshProxy.ssh.host }}:{{ .Values.sshProxy.ssh.port }}
+        ports:
+          - name: sshproxy
+            containerPort: 2020
+            protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: sshproxy
+          initialDelaySeconds: 300
+        readinessProbe:
+          tcpSocket:
+            port: sshproxy
+          initialDelaySeconds: 300
+        resources:
+          {{- toYaml .Values.sshProxy.resources | nindent 10 }}
+      {{- with .Values.sshProxy.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 50
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - {{ include "lagoon-remote.name" . }}
+                - key: app.kubernetes.io/component
+                  operator: In
+                  values:
+                  - {{ include "lagoon-remote.sshProxy.fullname" . }}
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - {{ .Release.Name }}
+              topologyKey: kubernetes.io/hostname
+      {{- with .Values.sshProxy.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sshProxy.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/lagoon-remote/templates/ssh-proxy.service.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.sshProxy.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.sshProxy.service.name }}
+  labels:
+    metrics-only: "true"
+    {{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.sshProxy.service.type }}
+  ports:
+  {{- if .Values.sshPortal.enabled }}
+  - port: {{ .Values.sshPortal.service.ports.sshserver }}
+    targetPort: sshserver
+    name: sshserver
+  selector:
+    {{- include "lagoon-remote.sshPortal.selectorLabels" . | nindent 4 }}
+  {{- else }}
+  - port: {{ .Values.sshProxy.service.port }}
+    targetPort: sshproxy
+    protocol: TCP
+    name: sshproxy
+  selector:
+    {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/lagoon-remote/values.yaml

@@ -159,6 +159,42 @@ sshPortal:
     ed25519: ""
     rsa: ""
 
+# sshProxy is an optional service that exposes a single `ssh.lagoon.svc` service within a remote
+# this can then be configured to point to the lagoon-core ssh service using `sshProxy.ssh.host` and `sshProxy.ssh.port`
+# or the ssh-portal service that is deployed if the ssh-portal is enabled
+# this service can be used in `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort` values when configuring the remote
+# and will be exposed by the remote-controller to deployed environments via the LAGOON_CONFIG_SSH_HOST and LAGOON_CONFIG_SSH_PORT values
+# for tasks and pods to use within the cluster scope
+sshProxy:
+  enabled: false
+  replicaCount: 2
+  image:
+    repository: alpine/socat
+    pullPolicy: IfNotPresent
+    tag: "1.7.4.4"
+
+  # if ssh-portal is enabled the following `ssh` section is ignored and the ssh-portal service endpoint is used instead
+  ssh:
+    # set these to be the host and port of your lagoon-core ssh service
+    # example for amazeeio cloud:
+    #   host: ssh.amazeeio.cloud
+    #   port: 30831
+    host:
+    port:
+
+  # if you modify these values and are using `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort`
+  # you'll need to ensure you update those values too
+  service:
+    name: ssh
+    type: ClusterIP
+    port: 2020
+
+  podAnnotations: {}
+
+  securityContext: {}
+
+  resources: {}
+
 # This subchart is disabled by default until this build-deploy type is in
 # widespread use.
 lagoon-build-deploy:
@@ -172,8 +208,8 @@ lagoon-build-deploy:
   # lagoonTokenHost: ""
   # lagoonTokenPort: ""
   # lagoonAPIHost: ""
-  # sshPortalHost: ""
-  # sshPortalPort: ""
+  # sshPortalHost: ssh.lagoon.svc
+  # sshPortalPort: 22
   # See the parent chart for the full range of values that can be passed here to control builds
   # https://github.com/uselagoon/lagoon-charts/blob/main/charts/lagoon-build-deploy/values.yaml