allow custom passwords to be set

63202db6 · Andri Joos · afc3ab80 · 63202db6 · 63202db6 · 63202db6
Commit 63202db6 authored 1 week ago by Andri Joos
--- a/ssh-jump-host/templates/_helpers.tpl
+++ b/ssh-jump-host/templates/_helpers.tpl
@@ -49,3 +49,14 @@ Selector labels
 app.kubernetes.io/name: {{ include "ssh-jump-host.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+User Credentials
+*/}}
+{{- define "ssh-jump-host.userCredentials" }}
+{{- $userCredentials := dict "username" .Values.credentials.username }}
+{{- if .Values.credentials.password.enabled }}
+{{- $_ := set $userCredentials "password" .Values.credentials.password.value }}
+{{- end }}
+{{- toYaml $userCredentials }}
+{{- end }}
--- a/ssh-jump-host/templates/deployment.yaml
+++ b/ssh-jump-host/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
        {{- end }}
        configs-hash: {{ .Values.configs | toYaml | sha256sum | quote }}
        ssh-keys-hash: {{ (dict "hostKeys" .Values.hostKeys "userKeys" .Values.userKeys) | toYaml | sha256sum | quote }}
+        credentials-hash: {{ .Values.credentials | toYaml | sha256sum | quote }}
      labels:
        {{- include "ssh-jump-host.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
@@ -34,7 +35,7 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
-        - name: ssh-keys
+        - name: permissions
          image: busybox
          command:
            - sh
@@ -66,12 +67,22 @@ spec:
              value: "1000"
            - name: PUBLIC_KEY_DIR
              value: /authorized_keys
-            - name: PASSWORD_ACCESS
-              value: {{ .Values.passwordEnabled | quote }}
            - name: SUDO_ACCESS
              value: {{ .Values.sudoEnabled | quote }}
            - name: USER_NAME
-              value: {{ .Values.username | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.credentials.secretName | quote }}
+                  key: username
+          {{- if .Values.credentials.password.enabled }}
+            - name: USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.credentials.secretName | quote }}
+                  key: password
+          {{- end }}
+            - name: PASSWORD_ACCESS
+              value: {{ .Values.credentials.password.enabled | quote }}
            - name: LOG_STDOUT
              value: {{ .Values.loggingEnabled | quote }}
          ports:

--- a/ssh-jump-host/templates/secrets.yaml
+++ b/ssh-jump-host/templates/secrets.yaml
 {{ include "common.secret" (dict "Values" .Values.hostKeys "Chart" .Chart "Release" .Release) }}
 {{ include "common.secret" (dict "Values" .Values.userKeys "Chart" .Chart "Release" .Release) }}
+
+{{- $userCredentials := include "ssh-jump-host.userCredentials" . | fromYaml }}
+{{- $userCredentialsSecretName := .Values.credentials.secretName }}
+{{ include "common.secret" (dict "Values" (dict "name" $userCredentialsSecretName "data" $userCredentials) "Chart" .Chart "Release" .Release) }}
--- a/ssh-jump-host/values.yaml
+++ b/ssh-jump-host/values.yaml
@@ -86,9 +86,13 @@ tolerations: []
 affinity: {}

 loggingEnabled: false
-passwordEnabled: false
 sudoEnabled: false
-username: jumpuser
+credentials:
+  secretName: user-credentials
+  username: anVtcHVzZXI= # base64 encoded "jumpuser"
+  password:
+    enabled: false
+    value: cGFzc3dvcmQ= # base64 encoded "password", must be changed when enabling password!

 tcpRoute: # Currently, only traefik is supported
  enabled: true