diff --git a/Dockerfile b/Dockerfile index 8da5a63..816d490 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:kinetic-20230624 +FROM ubuntu:jammy ARG COMMIT="" ENV COMMIT_SHA=${COMMIT} ENV DEBIAN_FRONTEND=noninteractive @@ -8,7 +8,7 @@ RUN echo "LANG=en_US.UTF-8" >> /etc/environment RUN apt-get update && \ - apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat && \ + apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat unzip zip && \ apt-get install -y --no-install-recommends git # Helm @@ -25,8 +25,8 @@ RUN apt-get update && \ apt-get update && \ apt-get install -y kubectl - -RUN curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh && \ +# Node global +RUN curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh && \ chmod +x nodesource_setup.sh && \ ./nodesource_setup.sh && \ apt-get update &&\ diff --git a/Entrypoint.sh b/Entrypoint.sh index 3689a03..141e395 100755 --- a/Entrypoint.sh +++ b/Entrypoint.sh 
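Review bot: The new `FROM ubuntu:jammy` is a floating tag, whereas the `ubuntu:kinetic-20230624` it replaces was date-stamped, so the same Dockerfile will now pull different base layers from one build to the next and a given image can no longer be traced back to a known base. Prefer a date-stamped jammy tag or a digest, e.g. `FROM ubuntu:jammy-<YYYYMMDD>` or `FROM ubuntu:jammy@sha256:<digest>` (placeholders; take the real values from the registry), and bump it deliberately when you want newer packages.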
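Review bot: The rewritten `apt-get install -y …` line adds `unzip zip` to a package list that is still installed without `--no-install-recommends` and without version pins, while the next line of the same RUN installs `git` with `--no-install-recommends`; the two halves of one instruction disagree. Adding the flag to the long list, `apt-get install -y --no-install-recommends curl dropbear-bin … unzip zip && \`, keeps recommended packages out of an image that already ships compilers and tcpdump, and `&& rm -rf /var/lib/apt/lists/*` at the end of the same RUN drops the package index from the layer. Listing the packages one per continued line, sorted, would also make additions like this one diff cleanly.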
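Review bot: The new `curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh` line still fetches and executes a remote installer with no integrity check, and without `-f` an HTTP error body is saved to the file and then executed instead of failing the build. At minimum use `curl -fsSL …`, and remove `nodesource_setup.sh` at the end of the same RUN so the installer does not remain in the image; verifying a recorded checksum before running it (`echo "<sha256>  nodesource_setup.sh" | sha256sum -c`, with the value taken from a reviewed copy) would make the build reproducible. The RUN instruction continues past the end of the hunk (`apt-get update &&\` is its last visible line), so the cleanup belongs after the lines not shown here.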
@@ -5,13 +5,37 @@ sudo mkdir -p /etc/dropbear sudo chmod 700 /etc/dropbear sudo chown -R developer:developer /etc/dropbear touch /etc/dropbear/authorized_keys -chmod 600 /etc/dropbear/authorized_keys +chmod 600 /etc/dropbear/authorized_keys + +if [ -e /authorized-keys ] ; then + echo "Trusted Authorized keys exists, setting contents of /etc/dropbear/authorized_keys" + cat /authorized-keys > /etc/dropbear/authorized_keys +fi + sudo chown -R developer:developer /home/developer # setup home directory links/permissions etc # this occurs on every container startup and is meant to be idempotent without overwriting existing files /usr/local/bin/prepare_home.sh +ohmyzshEnabled=${OH_MY_ZSH_INSTALL_ENABLED:-"false"} +if [[ $ohmyzshEnabled == "true" ]]; then + sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" +fi + +nvmEnabled=${NVM_INSTALL_ENABLED:-"false"} +if [[ $nvmEnabled == "true" ]]; then + echo "NVM Install Enabled, ensuring nvm is installed for user" + curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash +fi + +sdkManEnabled=${SDK_MAN_INSTALL_ENABLED:-"false"} +if [[ $sdkManEnabled == "true" ]]; then + echo "SDK Man Install Enabled, ensuring sdk man is installed for user" + curl -s "https://get.sdkman.io" | bash +fi + + passwordLoginEnabled=${PASSWORD_LOGIN_ENABLED:-"false"} if [[ $passwordLoginEnabled == "true" ]]; then # Create a random password for developer and echo it to the console diff --git a/PrepareHome.sh b/PrepareHome.sh index b68e667..5a2ad1e 100755 --- a/PrepareHome.sh +++ b/PrepareHome.sh 
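Review bot: The new nvm block hard-codes `v0.39.7` in the install URL, so the `NVM_VERSION` environment variable that the deployment.yaml hunk now sets (from `nvmVersion` in values.yaml) is never read and that chart value is dead; use it with a fallback equal to the current default, `curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION:-v0.39.7}/install.sh" | bash`. The other two fetches have the same shape problem: `curl -o- …` and `curl -s "https://get.sdkman.io"` lack `-f`, so an HTTP error page is piped into `bash` instead of failing, and neither the sdkman installer nor the oh-my-zsh installer (pulled from `master`) is pinned to a release or checksum, which means every pod start runs whatever those URLs serve at that moment as the developer user. The upstream oh-my-zsh installer by default also tries to change the login shell and starts zsh when it finishes; invoking it as `RUNZSH=no CHSH=no sh -c "$(curl -fsSL …)"` keeps it from interfering with the rest of this entrypoint (confirm against the installer revision you pin). Note also that `/authorized-keys` is read only here, at startup, so a rotated key set takes effect only after the container restarts.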
@@ -9,4 +9,18 @@ if [ -e ~/.ssh/authorized_keys ] ; then else echo "Creating authorized_keys link..." ln -s /etc/dropbear/authorized_keys ~/.ssh/authorized_keys -fi \ No newline at end of file +fi + +# seed .bashrc +if [ -e ~/.bashrc ] ; then + echo "bash profile already exists, skipping..." +else + cp /etc/skel/.bashrc ~/ +fi + +# ~ folder should be 0755 +chmod 0755 ~ +# ~/.ssh should be 0700 +chmod 0700 ~/.ssh +# ~/.ssh/authorized_keys should be 0600 +chmod 0600 ~/.ssh/authorized_keys diff --git a/charts/k8s-dev-pod/Chart.yaml b/charts/k8s-dev-pod/Chart.yaml index 466b8b2..df4333d 100644 --- a/charts/k8s-dev-pod/Chart.yaml +++ b/charts/k8s-dev-pod/Chart.yaml @@ -2,7 +2,6 @@ apiVersion: v2 name: k8s-dev-pod description: A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets type: application -version: 0.2.0 -appVersion: "0.1.0" +version: 0.3.0 maintainers: - name: Bryopsida diff --git a/charts/k8s-dev-pod/README.md b/charts/k8s-dev-pod/README.md index 3424f51..2d42d80 100644 --- a/charts/k8s-dev-pod/README.md +++ b/charts/k8s-dev-pod/README.md @@ -1,6 +1,6 @@ # k8s-dev-pod -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets 
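Review bot: The three new `chmod` lines say what mode each path "should be" but not why, and the reason is the security-relevant part: dropbear, like OpenSSH, ignores an `authorized_keys` whose file, `~/.ssh` or home directory is writable by group or others, so a home volume that arrives with looser modes would silently lock the developer out. A comment such as `# dropbear ignores authorized_keys if ~, ~/.ssh or the file itself is group/world-writable` above the block would make that clear. It is also worth stating that `chmod 0600 ~/.ssh/authorized_keys` follows the symlink created a few lines up and therefore changes the mode of `/etc/dropbear/authorized_keys`, not the link. Separately, the `.bashrc` branch prints `bash profile already exists` while the test is on `~/.bashrc`; the message should name the file it actually checked.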
@@ -14,13 +14,20 @@ A Helm chart for deploying a dev environment inside a K8S cluster that is compat | Key | Type | Default | Description | |-----|------|---------|-------------| +| authorizedKeys | string | `nil` | A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart | +| existingAuthorizedKeySecretName | string | `nil` | secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys | +| existingAuthorizedKeySecretProperty | string | `"public-keys"` | property on the existing secret holding the authorized keys value | | homeSize | int | `20` | | | image.pullPolicy | string | `"Always"` | | | image.repo | string | `"ghcr.io/bryopsida/k8s-dev-pod"` | | | image.tag | string | `"main"` | | | ingressEnabled | bool | `false` | | | ingressPort | int | `3022` | | +| nvmInstallEnabled | bool | `true` | | +| nvmVersion | string | `"v0.39.7"` | | +| ohMyZshInstallEnabled | bool | `true` | | | passwordLoginEnabled | bool | `true` | | +| sdkManInstallEnabled | bool | `true` | | | tailscale.authKey | string | `nil` | | | tailscale.enabled | bool | `false` | | | tailscale.image.pullPolicy | string | `"Always"` | | @@ -28,4 +35,4 @@ A Helm chart for deploying a dev environment inside a K8S cluster that is compat | tailscale.image.tag | string | `"latest"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/k8s-dev-pod/templates/authorized-keys.yaml b/charts/k8s-dev-pod/templates/authorized-keys.yaml new file mode 100644 index 0000000..da3fe8b --- /dev/null 
+++ b/charts/k8s-dev-pod/templates/authorized-keys.yaml @@ -0,0 +1,10 @@ +{{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-authorized-keys + labels: + {{- include "k8s-dev-pod.labels" . | nindent 4 }} +data: + public-keys: {{ .Values.authorizedKeys | b64enc }} +{{- end }} diff --git a/charts/k8s-dev-pod/templates/deployment.yaml b/charts/k8s-dev-pod/templates/deployment.yaml index 566d5cf..3685833 100644 --- a/charts/k8s-dev-pod/templates/deployment.yaml +++ b/charts/k8s-dev-pod/templates/deployment.yaml @@ -31,6 +31,15 @@ spec: - name: dropbear persistentVolumeClaim: claimName: {{ .Release.Name }}-dropbear + {{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }} + - name: authorized-keys + secret: + secretName: {{ .Release.Name }}-authorized-keys + {{- else if .Values.existingAuthorizedKeySecretName }} + - name: authorized-keys + secret: + secretName: {{ .Values.existingAuthorizedKeySecretName }} + {{- end }} {{- if .Values.volumes }} {{- toYaml .Values.volumes | nindent 8 }} {{- end }} @@ -46,6 +55,14 @@ spec: env: - name: PASSWORD_LOGIN_ENABLED value: "{{ .Values.passwordLoginEnabled }}" + - name: NVM_INSTALL_ENABLED + value: "{{ .Values.nvmInstallEnabled }}" + - name: NVM_VERSION + value: "{{ .Values.nvmVersion }}" + - name: SDK_MAN_INSTALL_ENABLED + value: "{{ .Values.sdkManInstallEnabled }}" + - name: OH_MY_ZSH_INSTALL_ENABLED + value: "{{ .Values.ohMyZshInstallEnabled }}" {{- if .Values.env }} {{- toYaml .Values.env | nindent 12 }} {{- end }} 
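Review bot: Changing `authorizedKeys` re-renders this Secret, but nothing restarts the pod, and because the Deployment mounts the key with `subPath` the kubelet will not refresh the file in a running container either; with the entrypoint reading `/authorized-keys` only at startup, a revoked key keeps working until someone restarts the pod by hand. A checksum annotation on the pod template in deployment.yaml, e.g. `checksum/authorized-keys: {{ include (print $.Template.BasePath "/authorized-keys.yaml") . | sha256sum }}`, rolls the Deployment whenever the rendered Secret changes. The `existingAuthorizedKeySecretName` path has the same limitation and cannot be covered by a checksum, since the chart does not render that Secret; that deserves a sentence in its values comment.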
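Review bot: The two `authorized-keys` volume branches in the `volumes` hunk differ only in `secretName`, so the `if … else if …` can collapse into the same `or` condition the volumeMounts hunk later uses, which keeps the volume and its mount from drifting apart: `{{- if or .Values.authorizedKeys .Values.existingAuthorizedKeySecretName }}` with `secretName: {{ .Values.existingAuthorizedKeySecretName | default (printf "%s-authorized-keys" .Release.Name) }}`. The enclosing `volumes:` list begins before this hunk.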
@@ -62,6 +79,15 @@ spec: - name: dropbear mountPath: /etc/dropbear readOnly: false + {{- if or .Values.authorizedKeys .Values.existingAuthorizedKeySecretName }} + - name: authorized-keys + mountPath: /authorized-keys + {{- if .Values.existingAuthorizedKeySecretName }} + subPath: public-keys + {{- else }} + subPath: {{ .Values.existingAuthorizedKeySecretProperty }} + {{- end }} + {{- end }} {{- if .Values.volumeMounts }} {{- toYaml .Values.volumeMounts | nindent 12 }} {{- end }} diff --git a/charts/k8s-dev-pod/values.yaml b/charts/k8s-dev-pod/values.yaml index 778ae1b..6da1989 100644 --- a/charts/k8s-dev-pod/values.yaml +++ b/charts/k8s-dev-pod/values.yaml @@ -6,6 +6,15 @@ homeSize: 20 ingressEnabled: false ingressPort: 3022 passwordLoginEnabled: true +# -- secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys +existingAuthorizedKeySecretName: ~ +# existingAuthorizedKeySecretName: dev-pod-authorized-keys +# -- property on the existing secret holding the authorized keys value +existingAuthorizedKeySecretProperty: public-keys +# -- A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart +authorizedKeys: ~ +# authorizedKeys: | +# ssh- tailscale: enabled: false image: @@ -13,3 +22,7 @@ tailscale: tag: latest pullPolicy: Always authKey: ~ +nvmInstallEnabled: true +nvmVersion: v0.39.7 +sdkManInstallEnabled: true +ohMyZshInstallEnabled: true
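Review bot: The `subPath` branches in the volumeMounts hunk are inverted: when `existingAuthorizedKeySecretName` is set the mount uses the hard-coded `public-keys`, and when the chart's own Secret is used (whose only key is `public-keys`, per authorized-keys.yaml) it reads `existingAuthorizedKeySecretProperty`, so a user who sets that property to anything other than its default gets a mount pointing at a key their Secret does not contain and the pod fails to start. Swap the two: `{{- if .Values.existingAuthorizedKeySecretName }}` / `subPath: {{ .Values.existingAuthorizedKeySecretProperty }}` / `{{- else }}` / `subPath: public-keys`. The bug is masked today only because the default `public-keys` coincides with the chart-managed key name.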
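Review bot: The new helm-docs comment on `existingAuthorizedKeySecretName` misspells the value it refers to as `authorizedKys`, and because the README table in this commit is generated from these comments the typo appears there as well. `# -- secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKeys value` fixes both once helm-docs is re-run.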
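Review bot: `nvmInstallEnabled`, `sdkManInstallEnabled` and `ohMyZshInstallEnabled` default to `true` and carry no `# --` comment, so the generated README rows for them have an empty Description and an operator cannot tell from the docs that each one makes the entrypoint download and execute an installer script from the internet on every pod start. Add a helm-docs comment to each, e.g. `# -- when true the entrypoint downloads and runs the nvm installer (see nvmVersion) at container start; needs outbound internet access`, and say in the `nvmVersion` comment that it selects the installer release. Entrypoint.sh itself defaults all of these flags to `false`, so shipping them opt-in here would match the script's own posture; whether to do that is a policy choice for the maintainer.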