fix(config): support ssh

2025-10-12 15:14:24 +02:00
parent 5b9fa88dd6
commit c157c8c210
3 changed files with 349 additions and 15 deletions
--- a/templates/athens-proxy/_deployment.tpl
+++ b/templates/athens-proxy/_deployment.tpl
@@ -64,14 +64,41 @@
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "data" "mountPath" .Values.persistence.data.mountPath)) }}
 {{- end }}

+
+{{/* volumeMount (git config) */}}
 {{- if .Values.config.gitConfig.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.gitconfig" "subPath" ".gitconfig" )) }}
 {{- end }}

+{{/* volumeMount (netrc) */}}
 {{- if .Values.config.netrc.enabled }}
 {{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.netrc" "subPath" ".netrc" )) }}
 {{- end }}

+{{/* volumeMount (ssh) */}}
+{{- if and .Values.config.ssh.enabled }}
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.config) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.configKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/config" "subPath" "config" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519" "subPath" "id_ed25519" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_ed25519_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_ed25519.pub" "subPath" "id_ed25519.pub" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa" "subPath" "id_rsa" )) }}
+{{- end }}
+
+{{- if or (and (not .Values.config.ssh.existingSecret.enabled) (gt (len .Values.config.ssh.secret.id_rsa_pub) 0)) (and .Values.config.ssh.existingSecret.enabled (gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0)) }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "secrets" "mountPath" "/root/.ssh/id_rsa.pub" "subPath" "id_rsa.pub" )) }}
+{{- end }}
+
+{{- end }}
+
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}

@@ -88,30 +115,102 @@
 {{- $volumes = concat $volumes (list (dict "name" "data" "persistentVolumeClaim" (dict "claimName" $claimName))) }}
 {{- end }}

+{{/* volumes (git config) */}}
+{{- $projectedSecretSources := list -}}
+
+
 {{- if .Values.config.gitConfig.enabled }}
-{{- $projectedSources := list -}}
 {{- $itemList := list (dict "key" ".gitconfig" "path" ".gitconfig" "mode" 0644) }}
 {{- $configMapName := include "athens-proxy.configMap.gitConfig.name" . }}
 {{- if .Values.config.gitConfig.existingConfigMap.enabled }}
 {{- $itemList = list (dict "key" .Values.config.gitConfig.existingConfigMap.gitConfigKey "path" ".gitconfig" "mode" 0644) }}
 {{- $configMapName = .Values.config.gitConfig.existingConfigMap.configMapName }}
 {{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "configMap" (dict "name" $configMapName "items" $itemList))) }}

-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
 {{- end }}

+{{/* volumes (netrc) */}}
+
 {{- if .Values.config.netrc.enabled }}
-{{- $projectedSources := list -}}
 {{- $itemList := list (dict "key" ".netrc" "path" ".netrc" "mode" 0600) }}
 {{- $secretName := include "athens-proxy.secrets.netrc.name" . }}
 {{- if .Values.config.netrc.existingSecret.enabled }}
 {{- $itemList = list (dict "key" .Values.config.netrc.existingSecret.netrcKey "path" ".netrc" "mode" 0600) }}
 {{- $secretName = .Values.config.netrc.existingSecret.secretName }}
 {{- end }}
-{{- $projectedSources = concat $projectedSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}

-{{- $volumes = concat $volumes (list (dict "name" "secrets" "projected" (dict "sources" $projectedSources)))}}
+{{- end }}
+
+{{/* volumes (ssh) */}}
+{{- if .Values.config.ssh.enabled }}
+
+{{- $itemList := list -}}
+{{- $secretName := include "athens-proxy.secrets.ssh.name" . }}
+
+{{- if and .Values.config.ssh.existingSecret.enabled .Values.config.ssh.existingSecret.secretName }}
+{{- $secretName = .Values.config.ssh.existingSecret.secretName }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.configKey) 0 }}
+{{- $configItem := dict "key" .Values.config.ssh.existingSecret.configKey "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519Key) 0 }}
+{{- $idED25519Item := dict "key" .Values.config.ssh.existingSecret.id_ed25519Key "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_ed25519PubKey) 0 }}
+{{- $idED25519PubItem := dict "key" .Values.config.ssh.existingSecret.id_ed25519PubKey "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaKey) 0 }}
+{{- $idRSAItem := dict "key" .Values.config.ssh.existingSecret.id_rsaKey "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.existingSecret.id_rsaPubKey) 0 }}
+{{- $idRSAPubItem := dict "key" .Values.config.ssh.existingSecret.id_rsaPubKey "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- if not .Values.config.ssh.existingSecret.enabled }}
+{{- if gt (len .Values.config.ssh.secret.config) 0 }}
+{{- $configItem := dict "key" "config" "path" "config" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $configItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519) 0 }}
+{{- $idED25519Item := dict "key" "id_ed25519" "path" "id_ed25519" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idED25519Item) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_ed25519_pub) 0 }}
+{{- $idED25519PubItem := dict "key" "id_ed25519.pub" "path" "id_ed25519.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idED25519PubItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa) 0 }}
+{{- $idRSAItem := dict "key" "id_rsa" "path" "id_rsa" "mode" 0600 }}
+{{- $itemList = concat $itemList (list $idRSAItem) }}
+{{- end }}
+
+{{- if gt (len .Values.config.ssh.secret.id_rsa_pub) 0 }}
+{{- $idRSAPubItem := dict "key" "id_rsa.pub" "path" "id_rsa.pub" "mode" 0644 }}
+{{- $itemList = concat $itemList (list $idRSAPubItem) }}
+{{- end }}
+{{- end }}
+
+{{- $projectedSecretSources = concat $projectedSecretSources (list (dict "secret" (dict "name" $secretName "items" $itemList))) }}
+{{- end }}
+
+{{- if gt (len $projectedSecretSources) 0 }}
+{{- $projectedSecretVolume := dict "name" "secrets" "projected" (dict "sources" $projectedSecretSources) }}
+{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
 {{- end }}

 {{ toYaml (dict "volumes" $volumes) }}
--- a/unittests/deployment/ssh.yaml
+++ b/unittests/deployment/ssh.yaml
@@ -0,0 +1,221 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/athens-proxy/deployment.yaml
+tests:
+- it: Rendering default without mounted ssh secret
+  asserts:
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+    - notContains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+    - notContains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0644
+                - key: id_ed25519
+                  path: id_ed25519
+                  mode: 0600
+                - key: id_ed25519.pub
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: id_rsa
+                  path: id_rsa
+                  mode: 0600
+                - key: id_rsa.pub
+                  path: id_rsa.pub
+                  mode: 0644
+                name: athens-proxy-unittest-ssh
+
+- it: Rendering default with mounted ssh config
+  set:
+    config.ssh.enabled: true
+    persistence.enabled: true
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0600
+                name: athens-proxy-unittest-ssh
+
+- it: Rendering default with mounted ssh keys
+  set:
+    config.ssh.enabled: true
+    config.ssh.secret.id_ed25519: foo
+    config.ssh.secret.id_ed25519_pub: bar
+    config.ssh.secret.id_rsa: foo
+    config.ssh.secret.id_rsa_pub: bar
+    persistence.enabled: true
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: config
+                  path: config
+                  mode: 0600
+                - key: id_ed25519
+                  path: id_ed25519
+                  mode: 0600
+                - key: id_ed25519.pub
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: id_rsa
+                  path: id_rsa
+                  mode: 0600
+                - key: id_rsa.pub
+                  path: id_rsa.pub
+                  mode: 0644
+                name: athens-proxy-unittest-ssh
+
+- it: Rendering with custom ssh secret
+  set:
+    config.ssh.enabled: true
+    config.ssh.existingSecret.enabled: true
+    config.ssh.existingSecret.secretName: "my-custom-secret"
+    config.ssh.existingSecret.configKey : "my-config-key"
+    config.ssh.existingSecret.id_ed25519Key : "my-private-ed25519-key"
+    config.ssh.existingSecret.id_ed25519PubKey : "my-public-ed25519-key"
+    config.ssh.existingSecret.id_rsaKey : "my-private-rsa-key"
+    config.ssh.existingSecret.id_rsaPubKey : "my-public-rsa-key"
+    persistence.enabled: true
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/config
+          subPath: config
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519
+          subPath: id_ed25519
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_ed25519.pub
+          subPath: id_ed25519.pub
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa
+          subPath: id_rsa
+    - contains:
+        path: spec.template.spec.containers[0].volumeMounts
+        content:
+          name: secrets
+          mountPath: /root/.ssh/id_rsa.pub
+          subPath: id_rsa.pub
+    - contains:
+        path: spec.template.spec.volumes
+        content:
+          name: secrets
+          projected:
+            sources:
+            - secret:
+                items:
+                - key: my-config-key
+                  path: config
+                  mode: 0600
+                - key: my-private-ed25519-key
+                  path: id_ed25519
+                  mode: 0600
+                - key: my-public-ed25519-key
+                  path: id_ed25519.pub
+                  mode: 0644
+                - key: my-private-rsa-key
+                  path: id_rsa
+                  mode: 0600
+                - key: my-public-rsa-key
+                  path: id_rsa.pub
+                  mode: 0644
+                name: my-custom-secret
--- a/values.yaml
+++ b/values.yaml
@@ -185,18 +185,32 @@ config:
        # machine api.github.com  [octocat]  password  [PAT]

  ssh:
-    ## @param config.ssh.existingSecret.enabled TODO:.
-    ## @param config.ssh.existingSecret.secretName TODO:
+    ## @param config.ssh.enabled Enable mounting of a .netrc file into the container file system.
+    enabled: false
+
+    ## @param config.ssh.existingSecret.enabled Enable to use an external secret for mounting the public and private SSH key files.
+    ## @param config.ssh.existingSecret.secretName The name of the existing secret which should be used to mount the public and private SSH key files.
+    ## @param config.ssh.existingSecret.configKey The name of the key inside the secret where the content of the SSH client config file is stored.
+    ## @param config.ssh.existingSecret.id_ed25519Key The name of the key inside the secret where the content of the id_ed25519 key file is stored.
+    ## @param config.ssh.existingSecret.id_ed25519PubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
+    ## @param config.ssh.existingSecret.id_rsaKey The name of the key inside the secret where the content of the id_rsa key file is stored.
+    ## @param config.ssh.existingSecret.id_rsaPubKey The name of the key inside the secret where the content of the id_ed25519.pub key file is stored.
    existingSecret:
      enabled: false
+      secretName: ""
+      configKey: "config"
+      id_ed25519Key: "id_ed25519"
+      id_ed25519PubKey: "id_ed25519.pub"
+      id_rsaKey: "id_rsa"
+      id_rsaPubKey: "id_rsa.pub"

-    ## @param config.ssh.secret.annotations Additional annotations of the secret containing the database credentials.
-    ## @param config.ssh.secret.labels Additional labels of the secret containing the database credentials.
-    ## @param config.ssh.secret.files TODO:
-    ## @skip config.ssh.secret.id_ed25519 TODO:
-    ## @skip config.ssh.secret.id_ed25519_pub TODO:
-    ## @skip config.ssh.secret.id_rsa TODO:
-    ## @skip config.ssh.secret.id_rsa_pub TODO:
+    ## @param config.ssh.secret.annotations Additional annotations of the secret containing the public and private SSH key files.
+    ## @param config.ssh.secret.labels Additional labels of the secret containing the public and private SSH key files.
+    ## @param config.ssh.secret.config The content of the SSH client config file.
+    ## @skip config.ssh.secret.id_ed25519 The content of the private SSH ed25519 key.
+    ## @skip config.ssh.secret.id_ed25519_pub The content of the public SSH ed25519 key.
+    ## @skip config.ssh.secret.id_rsa The content of the private SSH RSA key.
+    ## @skip config.ssh.secret.id_rsa_pub The content of the public SSH RSA key.
    secret:
      annotations: {}
      labels: {}