From 1ebe0fd593ec03728796b7f000e57d45b3f2cc52 Mon Sep 17 00:00:00 2001
From: Jannik Badenhop
Date: Tue, 6 Feb 2024 12:37:42 +0100
Subject: [PATCH] OPS 5666 integrate sshd users into present users (#2)

* move chart into named chart folder and rename sc-sshd to infra-sshd for generelization
* Change GHA to run on tag push and use specified tag as image-tag,
* Add a kics scan on every push
* change suggested namespace from service to sshd-service
---
 .github/workflows/chart-release-manual.yml | 22 +++++-------------
 .github/workflows/scan-helm-on-push.yml | 14 +++++++++++
 infra-sshd/.helmignore | 23 +++++++++++++++++++
 Chart.yaml => infra-sshd/Chart.yaml | 6 ++---
 README.md => infra-sshd/README.md | 10 ++++----
 .../templates}/additional-configmap.yaml | 0
 .../templates}/configmap.yaml | 0
 .../templates}/deployment.yaml | 0
 .../templates}/service.yaml | 0
 values.yaml => infra-sshd/values.yaml | 2 +-
 10 files changed, 52 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/scan-helm-on-push.yml
 create mode 100644 infra-sshd/.helmignore
 rename Chart.yaml => infra-sshd/Chart.yaml (95%)
 rename README.md => infra-sshd/README.md (87%)
 rename {templates => infra-sshd/templates}/additional-configmap.yaml (100%)
 rename {templates => infra-sshd/templates}/configmap.yaml (100%)
 rename {templates => infra-sshd/templates}/deployment.yaml (100%)
 rename {templates => infra-sshd/templates}/service.yaml (100%)

diff --git a/.github/workflows/chart-release-manual.yml b/.github/workflows/chart-release-manual.yml
index 4b6a2a6..9368573 100644
--- a/.github/workflows/chart-release-manual.yml
+++ b/.github/workflows/chart-release-manual.yml
@@ -1,19 +1,12 @@
-name: Push Charts to helm-charts-registry manually with specified version
+name: Push Charts to helm-charts-registry
 
 on:
-  workflow_dispatch:
-    inputs:
-      chart_version:
-        type: string
-        description: "Chart version"
-        required: true
-      image_tag:
-        type: string
-        description: "image tag"
-        required: true
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
 
 concurrency:
-  group: infra-sshd-chart-manual
+  group: infra-sshd-chart
   cancel-in-progress: true
 
 jobs:
@@ -26,8 +19,5 @@ jobs:
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5.0.0
     secrets: inherit
     with:
+      chart_path: .
       chart_name: infra-sshd
-      helm_chart_version_generation: specified
-      image_tag_generation: specified
-      helm_chart_version: ${{ inputs.chart_version }}
-      image_tag: ${{ inputs.image_tag }}
diff --git a/.github/workflows/scan-helm-on-push.yml b/.github/workflows/scan-helm-on-push.yml
new file mode 100644
index 0000000..8fc0d9c
--- /dev/null
+++ b/.github/workflows/scan-helm-on-push.yml
@@ -0,0 +1,14 @@
+name: "Scan Helm on push"
+
+on:
+  push:
+
+concurrency:
+  group: infra-sshd-scan-helm-${{ github.event.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan_helm:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5.0.0
+    permissions:
+      contents: read
diff --git a/infra-sshd/.helmignore b/infra-sshd/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/infra-sshd/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
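Review bot: The new tag-push trigger keeps `cancel-in-progress: true` under the single group `infra-sshd-chart`, so two version tags pushed close together cancel the first release while it may already be uploading to the chart registry, which can leave a half-published chart version. A publish job should not be interruptible; change the line to `cancel-in-progress: false` so later tags queue behind the running release instead of killing it. Dropping `workflow_dispatch` also means that anyone able to push a tag matching `[0-9]+.[0-9]+.[0-9]+` now triggers a release with the inherited secrets, so a tag protection rule or ruleset limiting who may create such tags is worth adding on the repository side.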
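Review bot: `chart_path: .` points the release at the repository root, yet this same commit moves Chart.yaml and the templates into `infra-sshd/`; unless chart-release.yaml@5.0.0 joins `chart_path` with `chart_name` internally, packaging will find no chart at the root, so confirm that contract or set `chart_path: infra-sshd`. The commit message says the pushed tag is used as the image tag, but `image_tag` and `image_tag_generation` are removed with no replacement in this hunk, so that behaviour now rests entirely on defaults inside the reusable workflow and should be checked against its 5.0.0 inputs. The reusable workflow is referenced by the mutable tag `@5.0.0` while the job passes `secrets: inherit`; pinning to the full commit SHA (`chart-release.yaml@<sha> # 5.0.0`) keeps a moved tag from silently running different code with every repository secret. The job definition begins above this hunk.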
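Review bot: The KICS scan references the reusable workflow by the mutable tag `check-helm-kics.yaml@5.0.0`; since this runs on every push of every ref, pin it to a commit SHA (`check-helm-kics.yaml@<sha> # 5.0.0`) so a retagged or compromised release of dbp-github-workflows cannot change what executes here. The chart now lives under `infra-sshd/` and the `scan_helm` job passes no `with:` input naming that directory, so verify that the reusable workflow scans the whole checkout rather than a root-level chart, or the scan may quietly check nothing. `permissions: contents: read` on the caller job is the right least-privilege setting for a read-only scan and should be kept.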
diff --git a/Chart.yaml b/infra-sshd/Chart.yaml
similarity index 95%
rename from Chart.yaml
rename to infra-sshd/Chart.yaml
index 2c2e475..fb9e00a 100644
--- a/Chart.yaml
+++ b/infra-sshd/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: sc-sshd
+name: infra-sshd
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.0.0
+appVersion: 1.0.1
diff --git a/README.md b/infra-sshd/README.md
similarity index 87%
rename from README.md
rename to infra-sshd/README.md
index 3bd4607..a2e7c9a 100644
--- a/README.md
+++ b/infra-sshd/README.md
@@ -1,9 +1,9 @@
-# SSHD
+# INFRA-SSHD
 A bastion host (also jump server or jump service) is usually set up as a single entrypoint into a privat system. In IONOS' case, a SSH daemon grants access to a DMZ which contains PostgreSQL and MongoDB databases.
 
 ## TL;DR;
 ```
-$ helm upgrade sc-sshd ./sc-sshd --install --create-namespace -n sc-service
+$ helm upgrade infra-sshd ./infra-sshd --install --create-namespace -n sshd-service
 ```
 
 ## Introduction
@@ -20,12 +20,12 @@ This chart can be installed in two flavors:
 ## Installing the chart
 Prior to installing, please update the authorized keys file. This file is used to create a configmap which eventually tells the daemon which keys to grant access. Currently, only a "support" user is configured in the image. For scalability reasons, authorized key files are separated by users, e.g. user support: support_authorized_keys.
 ```
-$ helm upgrade sc-sshd ./sc-sshd --install --create-namespace -n sc-service
+$ helm upgrade infra-sshd ./infra-sshd --install --create-namespace -n sshd-service
 ```
 
 ## Uninstalling the chart
 ```
-$ helm -n sc-service delete sc-sshd
+$ helm -n sshd-service delete infra-sshd
 ```
 
 ## Parameters
@@ -36,7 +36,7 @@ These parameters can be set:
 | replicaCount | Count of pods that will be created as part of the deployment | 1 |
 | image.repository | Repository the image will be pulled from | schulcloud/infra-sshd |
 | image.tag | Image tag which will be used | stable |
-| ingress.standalone | Specifies whether SSHD is deployed behind HAProxy or standalone | false |
+| ingress.standalone | Specifies whether INFRA-SSHD is deployed behind HAProxy or standalone | false |
 
 ## Authorized keys
 Currently supported users and key files:
diff --git a/templates/additional-configmap.yaml b/infra-sshd/templates/additional-configmap.yaml
similarity index 100%
rename from templates/additional-configmap.yaml
rename to infra-sshd/templates/additional-configmap.yaml
diff --git a/templates/configmap.yaml b/infra-sshd/templates/configmap.yaml
similarity index 100%
rename from templates/configmap.yaml
rename to infra-sshd/templates/configmap.yaml
diff --git a/templates/deployment.yaml b/infra-sshd/templates/deployment.yaml
similarity index 100%
rename from templates/deployment.yaml
rename to infra-sshd/templates/deployment.yaml
diff --git a/templates/service.yaml b/infra-sshd/templates/service.yaml
similarity index 100%
rename from templates/service.yaml
rename to infra-sshd/templates/service.yaml
diff --git a/values.yaml b/infra-sshd/values.yaml
similarity index 95%
rename from values.yaml
rename to infra-sshd/values.yaml
index e4394cf..1318933 100644
--- a/values.yaml
+++ b/infra-sshd/values.yaml
@@ -1,4 +1,4 @@
-# Default values for sc-sshd.
+# Default values for infra-sshd.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.