From dec692df9cbb114736a405691bdfc09abe3c6292 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 7 Aug 2024 12:43:26 +1000
Subject: [PATCH] feat: support for static hostkeys in ssh core

---
 charts/lagoon-core/Chart.yaml | 18 +-----
 charts/lagoon-core/ci/linter-values.yaml | 58 +++++++++++++++++++
 .../lagoon-core/templates/ssh.deployment.yaml | 36 ++++++++++++
 charts/lagoon-core/templates/ssh.secret.yaml | 22 +++++++
 charts/lagoon-core/values.yaml | 6 ++
 5 files changed, 124 insertions(+), 16 deletions(-)
 create mode 100644 charts/lagoon-core/templates/ssh.secret.yaml

diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
index 9c2c75185..71a1cddcc 100644
--- a/charts/lagoon-core/Chart.yaml
+++ b/charts/lagoon-core/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.46.0
+version: 1.46.1

 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -41,18 +41,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update values for local development
- - kind: changed
- description: bump minimum Kubernetes version to 1.25
- - kind: changed
- description: added api-sidecar-handler container to api and webhooks2tasks
- - kind: changed
- description: update ssh-portal components to v0.37.0
- links:
- - name: ssh-portal release
- url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.0
- - kind: changed
- description: update Lagoon appVersion to v2.20.0
- links:
- - name: lagoon v2.20.0 release notes
- url: https://docs.lagoon.sh/releases/2.20.0/
+ description: add support for injecting hostkeys in core ssh service
diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml
index c8916ba45..312824923 100644
--- a/charts/lagoon-core/ci/linter-values.yaml
+++ b/charts/lagoon-core/ci/linter-values.yaml
@@ -163,6 +163,64 @@ ssh:
 resources:
 requests:
 cpu: "10m"
+ hostKeys:
+ rsa: |-
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+ NhAAAAAwEAAQAAAYEA01PSVwpU00EAdkL7DXoMFjsMXWTcrMIw61jveHOxno/lpHhQuomI
+ CJAC0xVz/v7koDHXMSEpwKmhYmpe49qMJpximx/TE05kkuvCPBWUTfygLA01aszkfG3MKN
+ +rkunI3L0CXrxaSiZP0lgzKM6kYFitiN0H5JArxskQPcf5KvQShTkYzM3G0Z0k791T7FyY
+ CUiEBmKfu+k0zSE9vIflnsxlcdWH/rCpoSY4FZzHL4puuilvu9H4HmknH+bILFgV/t9U+U
+ ZFamq4VvhQXB7hZOTd25rBu5PvPeJ7LKg71T1xCpct/OquGfTspGmL/qv6PdcAAPlMFIOz
+ 2/ug+1/NHI8SwRDaB9h0q2ik4/mdHuou7rArtmXf8VBlIkpi7X0NYT/Nx3ngRFlHlYo7O9
+ P4LVfV4/Bl53GiqCslf1rOsNpwiuG9VIH1dGzCw3YI3gNPihQPEUnJKFVmLRYd81MRv7xn
+ gFWZIJ3CkoRCTIHkGSfQ87raDtmWbGE7YdQvK2m9AAAFiDDW52Mw1udjAAAAB3NzaC1yc2
+ EAAAGBANNT0lcKVNNBAHZC+w16DBY7DF1k3KzCMOtY73hzsZ6P5aR4ULqJiAiQAtMVc/7+
+ 5KAx1zEhKcCpoWJqXuPajCacYpsf0xNOZJLrwjwVlE38oCwNNWrM5HxtzCjfq5LpyNy9Al
+ 68WkomT9JYMyjOpGBYrYjdB+SQK8bJED3H+Sr0EoU5GMzNxtGdJO/dU+xcmAlIhAZin7vp
+ NM0hPbyH5Z7MZXHVh/6wqaEmOBWcxy+Kbropb7vR+B5pJx/myCxYFf7fVPlGRWpquFb4UF
+ we4WTk3duawbuT7z3ieyyoO9U9cQqXLfzqrhn07KRpi/6r+j3XAAD5TBSDs9v7oPtfzRyP
+ EsEQ2gfYdKtopOP5nR7qLu6wK7Zl3/FQZSJKYu19DWE/zcd54ERZR5WKOzvT+C1X1ePwZe
+ dxoqgrJX9azrDacIrhvVSB9XRswsN2CN4DT4oUDxFJyShVZi0WHfNTEb+8Z4BVmSCdwpKE
+ QkyB5Bkn0PO62g7ZlmxhO2HULytpvQAAAAMBAAEAAAGANb5cgOxMtEkUr/7K0BuY1VKBC4
+ NqJ7lfLYs5o51wr42S7mf2x+nQIbVWMo6DKHd0d1UVkBYKA0hglaHNrg7Xk74zyZWnXYKT
+ S1YP2K34QHkd1vYo/pdLCGX4BPEVNlCkV5bt8l/eansh07HAmQEshqAmyebEahlMOMrLiZ
+ rAwG7AAweJShSPGqHnUeUswbCurbW2ddVBIE3nsr9gbwD0oZUDu5Z9doVBLo2Et+JeObXw
+ AQImu1Jj0oAVhiRwBe8EekcISIOORJH5sXOQSUT1U1c8SEi2hexeBykOfBiWeWAKXl+IHy
+ fDGDx+7UNc+lxX/Y/VD22AUtVGvT8VgpfRrQEQ+1VzH8vinA8lk70nGaZ88efVQBOjwLSf
+ OpQTKXEIOz6kGEUSZa6+ifasW2bVm+Y4QBBuKaSgNo5Q6ajC8lHCtsQiBqZxKZqR2FxIz5
+ J2slA7V1UEqa6G4XbgmMDuRd/35EGfIFr+XSyVuIz1+Qf5Pp0F+lHUHCbQMudIOBcVAAAA
+ wEZj+u+dfCZJEyDUrYVGpqbeOs8sevJg+DQ4GTtt6IkyXDwWUjhnvoRABhwQbcMEcj639y
+ 8CjBIC+D10Zz5IOJhOiedio7IDl4og1o0SmwGRddsRIGYwCKTKrR/+H9IHPp7EcfElnZfE
+ 3kenOld0feseYQG94SnJFLY638mD/zqpFiWan2VypMmJtvNV5eWI4VrLdKzVtuVdF61xvd
+ mlrsEoQ1H98W7E9/zffCZJKTgYrt51tE0rV8u0HrBFbE8d1QAAAMEA/VyoWuGFIiIaHA32
+ WTJ5+uOcp+CVLZzCCDlCKhrjnRBM0qlO7a7pyQ9j74LQ1+tw7QGvu9f5O9x3Ndaphr3DQG
+ Ner84JVBls6JMRURPiTHs+Tv5VfiPAXnsOmioIDe3X5oW5ikexkA2rVYR9RET0qW/txqJm
+ Xuve9AUfyC6GmsHpt2P7R6JF0jocYdVaSmzFrmx3F1d7j/vQkNklE9rGt4nB0dyY4ZnBi0
+ Ffo8sEiku1TfbKzCILxHZnGhc6nl0DAAAAwQDVhx63rZcSA55I9zJDWoYZIKPtGnt2f2MZ
+ QnjH9CtDHrEjJigxGnaUo5+BDtDvh3Bjb8LVgK4vbSNESl8H7WeGsq9A8jsz1J6rwJ22hU
+ nqekQovL1icA0q16x3VWVfEpXbcuWjnKVE/zFGOXf01khUrW4Xu+idkYws9bGLdtvkMliG
+ IHdnz7MSzcqR4sWmI2naEt79rGLH3rK/blJpBfCU71wmtz93jYYOW7VQrW8zt1kXtx4fn3
+ 9CZBLAoHn9gj8AAAARYmVuQHNocmVkZGVkYmFjb24BAg==
+ -----END OPENSSH PRIVATE KEY-----
+ ecdsa: |-
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+ 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ3ODLabuuNJtOWW+DCHMFB+ZuF6Fj9
+ tUl/AkKo7tKXCsF39MWXs15+e+7zPw6SfRjOSe+DWoKNmInezvpO2kJMAAAAsNTQX8rU0F
+ /KAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb
+ 4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQk
+ wAAAAhAM1shfG9ZAFn1XxrmsGuqhXTuI+8W8VZJRIF+ucX6J+vAAAAEWJlbkBzaHJlZGRl
+ ZGJhY29uAQIDBAUG
+ -----END OPENSSH PRIVATE KEY-----
+ ed25519: |-
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcAAAAJhzIoyXcyKM
+ lwAAAAtzc2gtZWQyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcA
+ AAAEAWTgia6XF7lvU5UrUbTq4GDvWVpa54m5OwAUqMLF5xXLWSDwhoTFNA2/itmaRwjB8d
+ z0/Tnd8VDJ6Jkhnix+1wAAAAEWJlbkBzaHJlZGRlZGJhY29uAQIDBA==
+ -----END OPENSSH PRIVATE KEY-----

 sshPortalAPI:
 enabled: true
diff --git a/charts/lagoon-core/templates/ssh.deployment.yaml b/charts/lagoon-core/templates/ssh.deployment.yaml
index 94c5e8141..63f9a3b2f 100644
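Review bot: The three OpenSSH private keys added under `hostKeys` are now committed in clear text in the repository, and nothing in the file marks them as disposable lint fixtures, so anyone who copies this block into a real values file as a starting point deploys an sshd whose host private keys are public and trivially impersonated. A comment above the block, such as `# Throwaway host keys for chart linting only; the private keys are public, never deploy them`, makes the intent explicit. The key comment embedded in each blob also appears to decode to a personal `user@host` string, so regenerating the fixtures with `ssh-keygen -C lagoon-ci-fixture` would avoid shipping that. If the CI job only renders the templates and never starts sshd against these files, short placeholder strings would lint equally well without putting real key material in git, though whether the job does more than render is not visible here.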
--- a/charts/lagoon-core/templates/ssh.deployment.yaml
+++ b/charts/lagoon-core/templates/ssh.deployment.yaml
@@ -68,6 +68,42 @@ spec:
 port: ssh
 resources:
 {{- toYaml .Values.ssh.resources | nindent 10 }}
+ volumeMounts:
+ {{- with .Values.ssh.hostKeys.ecdsa }}
+ - name: {{ include "lagoon-core.ssh.fullname" $ }}
+ mountPath: "/etc/ssh/ssh_host_ecdsa_key"
+ subPath: ssh_host_ecdsa_key
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.ed25519 }}
+ - name: {{ include "lagoon-core.ssh.fullname" $ }}
+ mountPath: "/etc/ssh/ssh_host_ed25519_key"
+ subPath: ssh_host_ed25519_key
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.rsa }}
+ - name: {{ include "lagoon-core.ssh.fullname" $ }}
+ mountPath: "/etc/ssh/ssh_host_rsa_key"
+ subPath: ssh_host_rsa_key
+ {{- end }}
+ volumes:
+ {{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ed25519 }}
+ - secret:
+ defaultMode: 432
+ items:
+ {{- with .Values.ssh.hostKeys.rsa }}
+ - key: HOST_KEY_RSA
+ path: ssh_host_rsa_key
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.ecdsa }}
+ - key: HOST_KEY_ECDSA
+ path: ssh_host_ecdsa_key
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.ed25519 }}
+ - key: HOST_KEY_ED25519
+ path: ssh_host_ed25519_key
+ {{- end }}
+ secretName: {{ include "lagoon-core.ssh.fullname" . }}
+ name: {{ include "lagoon-core.ssh.fullname" . }}
+ {{- end }}
 {{- with .Values.ssh.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/lagoon-core/templates/ssh.secret.yaml b/charts/lagoon-core/templates/ssh.secret.yaml
new file mode 100644
index 000000000..d4e48f83e
--- /dev/null
+++ b/charts/lagoon-core/templates/ssh.secret.yaml
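Review bot: `defaultMode: 432` (octal 0660) leaves the mounted host keys group-accessible, and OpenSSH's private-key permission check refuses a key file that is group- or world-accessible when the file is owned by the uid sshd runs as, logging that its permissions are too open and dropping that host key; whether this bites here depends on the uid of the ssh container and on any `fsGroup`, neither of which is visible in this hunk. If sshd runs as the file owner, `defaultMode: 256` (0400) is the safe value; if the container runs as a non-root uid that reads the keys through `fsGroup`, 0660 is required and that reasoning deserves a comment, e.g. `defaultMode: 432  # 0660: group-readable so a non-root sshd can read the keys via fsGroup`. Separately, the `volumeMounts:` and `volumes:` keys are emitted unconditionally while every entry under them sits behind a `with`/`if` guard, so a release with no host keys renders both as empty (null) keys; moving the two key lines inside the same guards keeps the rendered manifest clean. The container and pod specs continue outside the hunk, so an existing `volumeMounts:` or `volumes:` key elsewhere in the template would now be a duplicate-key problem worth checking.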
@@ -0,0 +1,22 @@
+{{- if .Values.ssh.enabled -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "lagoon-core.ssh.fullname" . }}
+ labels:
+ {{- include "lagoon-core.ssh.labels" . | nindent 4 }}
+stringData:
+ {{- with .Values.ssh.hostKeys.ecdsa }}
+ HOST_KEY_ECDSA: |
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.ed25519 }}
+ HOST_KEY_ED25519: |
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ssh.hostKeys.rsa }}
+ HOST_KEY_RSA: |
+ {{- . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
index bab048c94..8902dbec8 100644
--- a/charts/lagoon-core/values.yaml
+++ b/charts/lagoon-core/values.yaml
@@ -778,6 +778,12 @@ ssh:
 targetCPUUtilizationPercentage: 80
 # targetMemoryUtilizationPercentage: 80

+ # host keys, PEM encoded
+ hostKeys:
+ ecdsa: ""
+ ed25519: ""
+ rsa: ""
+
 workflows:
 enabled: true
 replicaCount: 2
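Review bot: Passing the private host keys through `.Values.ssh.hostKeys` means they end up not only in this Secret but also in every Helm release-history Secret (`sh.helm.release.v1.*`) in the namespace and in whatever values file the operator keeps, which is more copies than a host private key needs. An `ssh.hostKeys.existingSecret` option that skips rendering this template and points the deployment's `secretName` at an operator-managed Secret (sealed-secrets, external-secrets, SOPS) would let operators keep the key material out of Helm entirely while leaving the inline path as the default. This template also renders an empty `Opaque` Secret with a null `stringData` whenever `ssh.enabled` is true and no key is set; guarding it with the same `if or ... rsa ... ecdsa ... ed25519` condition the deployment uses keeps the two templates in step.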
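Review bot: The new comment `# host keys, PEM encoded` in values.yaml is ambiguous: what gets mounted at `/etc/ssh/ssh_host_*_key`, and what the CI fixture carries, is the OpenSSH private-key format (`-----BEGIN OPENSSH PRIVATE KEY-----`, as written by `ssh-keygen`), which uses PEM-style armor but is not PKCS#1/PKCS#8 PEM, and the keys must be unencrypted because sshd loads host keys without a passphrase. A comment that states the format and where the values end up would save operators a failed rollout and an accidental commit, e.g. `# Static sshd host keys, unencrypted OpenSSH private-key format (ssh-keygen output). Supply via --set-file or a secrets manager; never commit them.`. Whether an empty value makes the image generate its own key at start is not visible in this diff, so that behaviour should be confirmed before documenting it alongside.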