feat: support for static hostkeys in ssh core

charts/lagoon-core/Chart.yaml

@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.46.0
+version: 1.46.1
 
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -41,18 +41,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update values for local development
-    - kind: changed
-      description: bump minimum Kubernetes version to 1.25
-    - kind: changed
-      description: added api-sidecar-handler container to api and webhooks2tasks
-    - kind: changed
-      description: update ssh-portal components to v0.37.0
-      links:
-        - name: ssh-portal release
-          url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.0
-    - kind: changed
-      description: update Lagoon appVersion to v2.20.0
-      links:
-        - name: lagoon v2.20.0 release notes
-          url: https://docs.lagoon.sh/releases/2.20.0/
+      description: add support for injecting hostkeys in core ssh service

charts/lagoon-core/ci/linter-values.yaml

@@ -163,6 +163,67 @@ ssh:
   resources:
     requests:
       cpu: "10m"
+  hostKeys:
+    rsaPub: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTU9JXClTTQQB2QvsNegwWOwxdZNyswjDrWO94c7Gej+WkeFC6iYgIkALTFXP+/uSgMdcxISnAqaFial7j2owmnGKbH9MTTmSS68I8FZRN/KAsDTVqzOR8bcwo36uS6cjcvQJevFpKJk/SWDMozqRgWK2I3QfkkCvGyRA9x/kq9BKFORjMzcbRnSTv3VPsXJgJSIQGYp+76TTNIT28h+WezGVx1Yf+sKmhJjgVnMcvim66KW+70fgeaScf5sgsWBX+31T5RkVqarhW+FBcHuFk5N3bmsG7k+894nssqDvVPXEKly386q4Z9OykaYv+q/o91wAA+UwUg7Pb+6D7X80cjxLBENoH2HSraKTj+Z0e6i7usCu2Zd/xUGUiSmLtfQ1hP83HeeBEWUeVijs70/gtV9Xj8GXncaKoKyV/Ws6w2nCK4b1UgfV0bMLDdgjeA0+KFA8RSckoVWYtFh3zUxG/vGeAVZkgncKShEJMgeQZJ9DzutoO2ZZsYTth1C8rab0="
+    rsa: |-
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+      NhAAAAAwEAAQAAAYEA01PSVwpU00EAdkL7DXoMFjsMXWTcrMIw61jveHOxno/lpHhQuomI
+      CJAC0xVz/v7koDHXMSEpwKmhYmpe49qMJpximx/TE05kkuvCPBWUTfygLA01aszkfG3MKN
+      +rkunI3L0CXrxaSiZP0lgzKM6kYFitiN0H5JArxskQPcf5KvQShTkYzM3G0Z0k791T7FyY
+      CUiEBmKfu+k0zSE9vIflnsxlcdWH/rCpoSY4FZzHL4puuilvu9H4HmknH+bILFgV/t9U+U
+      ZFamq4VvhQXB7hZOTd25rBu5PvPeJ7LKg71T1xCpct/OquGfTspGmL/qv6PdcAAPlMFIOz
+      2/ug+1/NHI8SwRDaB9h0q2ik4/mdHuou7rArtmXf8VBlIkpi7X0NYT/Nx3ngRFlHlYo7O9
+      P4LVfV4/Bl53GiqCslf1rOsNpwiuG9VIH1dGzCw3YI3gNPihQPEUnJKFVmLRYd81MRv7xn
+      gFWZIJ3CkoRCTIHkGSfQ87raDtmWbGE7YdQvK2m9AAAFiDDW52Mw1udjAAAAB3NzaC1yc2
+      EAAAGBANNT0lcKVNNBAHZC+w16DBY7DF1k3KzCMOtY73hzsZ6P5aR4ULqJiAiQAtMVc/7+
+      5KAx1zEhKcCpoWJqXuPajCacYpsf0xNOZJLrwjwVlE38oCwNNWrM5HxtzCjfq5LpyNy9Al
+      68WkomT9JYMyjOpGBYrYjdB+SQK8bJED3H+Sr0EoU5GMzNxtGdJO/dU+xcmAlIhAZin7vp
+      NM0hPbyH5Z7MZXHVh/6wqaEmOBWcxy+Kbropb7vR+B5pJx/myCxYFf7fVPlGRWpquFb4UF
+      we4WTk3duawbuT7z3ieyyoO9U9cQqXLfzqrhn07KRpi/6r+j3XAAD5TBSDs9v7oPtfzRyP
+      EsEQ2gfYdKtopOP5nR7qLu6wK7Zl3/FQZSJKYu19DWE/zcd54ERZR5WKOzvT+C1X1ePwZe
+      dxoqgrJX9azrDacIrhvVSB9XRswsN2CN4DT4oUDxFJyShVZi0WHfNTEb+8Z4BVmSCdwpKE
+      QkyB5Bkn0PO62g7ZlmxhO2HULytpvQAAAAMBAAEAAAGANb5cgOxMtEkUr/7K0BuY1VKBC4
+      NqJ7lfLYs5o51wr42S7mf2x+nQIbVWMo6DKHd0d1UVkBYKA0hglaHNrg7Xk74zyZWnXYKT
+      S1YP2K34QHkd1vYo/pdLCGX4BPEVNlCkV5bt8l/eansh07HAmQEshqAmyebEahlMOMrLiZ
+      rAwG7AAweJShSPGqHnUeUswbCurbW2ddVBIE3nsr9gbwD0oZUDu5Z9doVBLo2Et+JeObXw
+      AQImu1Jj0oAVhiRwBe8EekcISIOORJH5sXOQSUT1U1c8SEi2hexeBykOfBiWeWAKXl+IHy
+      fDGDx+7UNc+lxX/Y/VD22AUtVGvT8VgpfRrQEQ+1VzH8vinA8lk70nGaZ88efVQBOjwLSf
+      OpQTKXEIOz6kGEUSZa6+ifasW2bVm+Y4QBBuKaSgNo5Q6ajC8lHCtsQiBqZxKZqR2FxIz5
+      J2slA7V1UEqa6G4XbgmMDuRd/35EGfIFr+XSyVuIz1+Qf5Pp0F+lHUHCbQMudIOBcVAAAA
+      wEZj+u+dfCZJEyDUrYVGpqbeOs8sevJg+DQ4GTtt6IkyXDwWUjhnvoRABhwQbcMEcj639y
+      8CjBIC+D10Zz5IOJhOiedio7IDl4og1o0SmwGRddsRIGYwCKTKrR/+H9IHPp7EcfElnZfE
+      3kenOld0feseYQG94SnJFLY638mD/zqpFiWan2VypMmJtvNV5eWI4VrLdKzVtuVdF61xvd
+      mlrsEoQ1H98W7E9/zffCZJKTgYrt51tE0rV8u0HrBFbE8d1QAAAMEA/VyoWuGFIiIaHA32
+      WTJ5+uOcp+CVLZzCCDlCKhrjnRBM0qlO7a7pyQ9j74LQ1+tw7QGvu9f5O9x3Ndaphr3DQG
+      Ner84JVBls6JMRURPiTHs+Tv5VfiPAXnsOmioIDe3X5oW5ikexkA2rVYR9RET0qW/txqJm
+      Xuve9AUfyC6GmsHpt2P7R6JF0jocYdVaSmzFrmx3F1d7j/vQkNklE9rGt4nB0dyY4ZnBi0
+      Ffo8sEiku1TfbKzCILxHZnGhc6nl0DAAAAwQDVhx63rZcSA55I9zJDWoYZIKPtGnt2f2MZ
+      QnjH9CtDHrEjJigxGnaUo5+BDtDvh3Bjb8LVgK4vbSNESl8H7WeGsq9A8jsz1J6rwJ22hU
+      nqekQovL1icA0q16x3VWVfEpXbcuWjnKVE/zFGOXf01khUrW4Xu+idkYws9bGLdtvkMliG
+      IHdnz7MSzcqR4sWmI2naEt79rGLH3rK/blJpBfCU71wmtz93jYYOW7VQrW8zt1kXtx4fn3
+      9CZBLAoHn9gj8AAAARYmVuQHNocmVkZGVkYmFjb24BAg==
+      -----END OPENSSH PRIVATE KEY-----
+    ecdsaPub: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQkw="
+    ecdsa: |-
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+      1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ3ODLabuuNJtOWW+DCHMFB+ZuF6Fj9
+      tUl/AkKo7tKXCsF39MWXs15+e+7zPw6SfRjOSe+DWoKNmInezvpO2kJMAAAAsNTQX8rU0F
+      /KAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb
+      4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQk
+      wAAAAhAM1shfG9ZAFn1XxrmsGuqhXTuI+8W8VZJRIF+ucX6J+vAAAAEWJlbkBzaHJlZGRl
+      ZGJhY29uAQIDBAUG
+      -----END OPENSSH PRIVATE KEY-----
+    ed25519Pub: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWSDwhoTFNA2/itmaRwjB8dz0/Tnd8VDJ6Jkhnix+1w"
+    ed25519: |-
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      QyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcAAAAJhzIoyXcyKM
+      lwAAAAtzc2gtZWQyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcA
+      AAAEAWTgia6XF7lvU5UrUbTq4GDvWVpa54m5OwAUqMLF5xXLWSDwhoTFNA2/itmaRwjB8d
+      z0/Tnd8VDJ6Jkhnix+1wAAAAEWJlbkBzaHJlZGRlZGJhY29uAQIDBA==
+      -----END OPENSSH PRIVATE KEY-----
 
 sshPortalAPI:
   enabled: true

charts/lagoon-core/templates/ssh.deployment.yaml

@@ -68,6 +68,69 @@ spec:
             port: ssh
         resources:
           {{- toYaml .Values.ssh.resources | nindent 10 }}
+        volumeMounts:
+        {{- with .Values.ssh.hostKeys.ecdsa }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_ecdsa_key"
+          subPath: ssh_host_ecdsa_key
+        {{- end }}
+        {{- with .Values.ssh.hostKeys.ecdsaPub }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_ecdsa_key.pub"
+          subPath: ssh_host_ecdsa_pubkey
+        {{- end }}
+        {{- with .Values.ssh.hostKeys.ed25519 }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_ed25519_key"
+          subPath: ssh_host_ed25519_key
+        {{- end }}
+        {{- with .Values.ssh.hostKeys.ed25519Pub }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_ed25519_key.pub"
+          subPath: ssh_host_ed25519_pubkey
+        {{- end }}
+        {{- with .Values.ssh.hostKeys.rsa }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_rsa_key"
+          subPath: ssh_host_rsa_key
+        {{- end }}
+        {{- with .Values.ssh.hostKeys.rsaPub }}
+        - name: {{ include "lagoon-core.ssh.fullname" $ }}
+          mountPath: "/etc/ssh/ssh_host_rsa_key.pub"
+          subPath: ssh_host_rsa_pubkey
+        {{- end }}
+      volumes:
+      {{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ed25519 }}
+      - secret:
+          defaultMode: 432
+          items:
+          {{- with .Values.ssh.hostKeys.rsa }}
+          - key: HOST_KEY_RSA
+            path: ssh_host_rsa_key
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.rsaPub }}
+          - key: HOST_PUBKEY_RSA
+            path: ssh_host_rsa_pubkey
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ecdsa }}
+          - key: HOST_KEY_ECDSA
+            path: ssh_host_ecdsa_key
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ecdsaPub }}
+          - key: HOST_PUBKEY_ECDSA
+            path: ssh_host_ecdsa_pubkey
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ed25519 }}
+          - key: HOST_KEY_ED25519
+            path: ssh_host_ed25519_key
+          {{- end }}
+          {{- with .Values.ssh.hostKeys.ed25519Pub }}
+          - key: HOST_PUBKEY_ED25519
+            path: ssh_host_ed25519_pubkey
+          {{- end }}
+          secretName: {{ include "lagoon-core.ssh.fullname" . }}
+        name: {{ include "lagoon-core.ssh.fullname" . }}
+      {{- end }}
       {{- with .Values.ssh.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/lagoon-core/templates/ssh.secret.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.ssh.enabled -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "lagoon-core.ssh.fullname" . }}
+  labels:
+    {{- include "lagoon-core.ssh.labels" . | nindent 4 }}
+stringData:
+  {{- with .Values.ssh.hostKeys.ecdsa }}
+  HOST_KEY_ECDSA: |
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.ecdsaPub }}
+  HOST_PUBKEY_ECDSA: |
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.ed25519 }}
+  HOST_KEY_ED25519: |
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.ed25519Pub }}
+  HOST_PUBKEY_ED25519: |
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.rsa }}
+  HOST_KEY_RSA: |
+    {{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ssh.hostKeys.rsaPub }}
+  HOST_PUBKEY_RSA: |
+    {{- . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/lagoon-core/values.yaml

@@ -778,6 +778,15 @@ ssh:
     targetCPUUtilizationPercentage: 80
     # targetMemoryUtilizationPercentage: 80
 
+  # host keys, PEM encoded
+  hostKeys:
+    ecdsaPub: ""
+    ecdsa: ""
+    ed25519Pub: ""
+    ed25519: ""
+    rsaPub: ""
+    rsa: ""
+
 workflows:
   enabled: true
   replicaCount: 2