set correct permissions

9578e22e · Andri Joos · 63202db6 · 9578e22e · 9578e22e · 9578e22e
Commit 9578e22e authored 1 week ago by Andri Joos
--- a/ssh-jump-host/templates/deployment.yaml
+++ b/ssh-jump-host/templates/deployment.yaml
@@ -39,7 +39,11 @@ spec:
          image: busybox
          command:
            - sh
-            - /init_script.sh
+            - /set_ssh_key_permissions.sh
+            - "/ssh_host_keys_secret"
+            - "/ssh_host_keys"
+            - "/ssh_user_keys_secret"
+            - "/ssh_user_keys"
          volumeMounts:
            - name: ssh-host-keys-secret
              mountPath: /ssh_host_keys_secret
@@ -50,8 +54,8 @@ spec:
            - name: ssh-user-keys
              mountPath: /ssh_user_keys
            - name: init-scripts
-              mountPath: /init_script.sh
-              subPath: init_script.sh
+              mountPath: /set_ssh_key_permissions.sh
+              subPath: set_ssh_key_permissions.sh
      containers:
        - name: {{ .Chart.Name }}
          {{- with .Values.securityContext }}
@@ -111,11 +115,15 @@ spec:
              mountPath: /authorized_keys
            - name: sshd-config
              mountPath: /etc/ssh/sshd_config.d/
-            - name: startup-scripts
-              mountPath: /custom-cont-init.d
            - name: banner
              mountPath: /etc/ssh/ssh_banner
              subPath: ssh_banner
+          # Needed so files have correct permissions, updates are handled by configs-hash in annotations
+          {{- range $filename, $_ := .Values.configs.startupScripts.data }}
+            - name: startup-scripts
+              mountPath: /custom-cont-init.d/{{ $filename }}
+              subPath: {{ $filename }}
+          {{- end }}
      volumes:
        {{- with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
@@ -145,9 +153,6 @@ spec:
        - name: init-scripts
          configMap:
            name: {{ (.Files.Get "values/init-configmap.yaml" | fromYaml).name }}
-            items:
-              - key: init_script.sh
-                path: init_script.sh
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}

--- a/ssh-jump-host/values.yaml
+++ b/ssh-jump-host/values.yaml
@@ -17,12 +17,12 @@ podAnnotations: {}
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}

-podSecurityContext:
-  fsGroup: 0
+# podSecurityContext:
+#   fsGroup: 0

-securityContext:
-  runAsUser: 0
-  runAsGroup: 0
+# securityContext:
+#   runAsUser: 0
+#   runAsGroup: 0

 # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
 service:

--- a/ssh-jump-host/values/init-configmap.yaml
+++ b/ssh-jump-host/values/init-configmap.yaml
 name: init-scripts
 data:
-  init_script.sh: |
+  set_ssh_key_permissions.sh: |
    #!/bin/bash

-    host_keys_secret_dir="/ssh_host_keys_secret"
-    host_keys_dir="/ssh_host_keys"
-    user_keys_secret_dir="/ssh_user_keys_secret"
-    user_keys_dir="/ssh_user_keys"
+    host_keys_secret_dir="$1"
+    host_keys_dir="$2"
+    user_keys_secret_dir="$3"
+    user_keys_dir="$4"


    if find $host_keys_secret_dir -mindepth 1 -maxdepth 1 | read; then