Add ability to seed trusted public keys (#119)

* ✨ Add ability to set trusted public keys at install

* ✨ Working pub key auth from install

Author: bryopsida

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:kinetic-20230624
+FROM ubuntu:jammy
 ARG COMMIT=""
 ENV COMMIT_SHA=${COMMIT}
 ENV DEBIAN_FRONTEND=noninteractive
@@ -8,7 +8,7 @@ RUN echo "LANG=en_US.UTF-8" >> /etc/environment
 
 
 RUN apt-get update && \
-  apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat && \
+  apt-get install -y curl dropbear-bin sudo gcc g++ make python3 zsh vim wget htop nano openssh-client gnupg2 ca-certificates apt-transport-https ncdu tcpdump tldr bat unzip zip && \
   apt-get install -y --no-install-recommends git  
 
 # Helm
@@ -25,8 +25,8 @@ RUN apt-get update && \
   apt-get update && \
   apt-get install -y kubectl
 
-
-RUN curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh && \
+# Node global
+RUN curl -sL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh && \
   chmod +x nodesource_setup.sh && \
   ./nodesource_setup.sh && \
   apt-get update &&\

Entrypoint.sh

@@ -5,13 +5,37 @@ sudo mkdir -p /etc/dropbear
 sudo chmod 700 /etc/dropbear
 sudo chown -R developer:developer /etc/dropbear
 touch /etc/dropbear/authorized_keys
-chmod 600 /etc/dropbear/authorized_keys 
+chmod 600 /etc/dropbear/authorized_keys
+
+if [ -e /authorized-keys ] ; then
+  echo "Trusted Authorized keys exists, setting contents of /etc/dropbear/authorized_keys"
+  cat /authorized-keys > /etc/dropbear/authorized_keys
+fi
+
 sudo chown -R developer:developer /home/developer
 
 # setup home directory links/permissions etc
 # this occurs on every container startup and is meant to be idempotent without overwriting existing files
 /usr/local/bin/prepare_home.sh
 
+ohmyzshEnabled=${OH_MY_ZSH_INSTALL_ENABLED:-"false"}
+if [[ $ohmyzshEnabled == "true" ]]; then
+  sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
+fi
+
+nvmEnabled=${NVM_INSTALL_ENABLED:-"false"}
+if [[ $nvmEnabled == "true" ]]; then
+  echo "NVM Install Enabled, ensuring nvm is installed for user"
+  curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+fi
+
+sdkManEnabled=${SDK_MAN_INSTALL_ENABLED:-"false"}
+if [[ $sdkManEnabled == "true" ]]; then
+  echo "SDK Man Install Enabled, ensuring sdk man is installed for user"
+  curl -s "https://get.sdkman.io" | bash
+fi
+
+
 passwordLoginEnabled=${PASSWORD_LOGIN_ENABLED:-"false"}
 if [[ $passwordLoginEnabled == "true" ]]; then
   # Create a random password for developer and echo it to the console

PrepareHome.sh

@@ -9,4 +9,18 @@ if [ -e ~/.ssh/authorized_keys ] ; then
 else
   echo "Creating authorized_keys link..."
   ln -s /etc/dropbear/authorized_keys ~/.ssh/authorized_keys
-fi
+fi
+
+# seed .bashrc
+if [ -e ~/.bashrc ] ; then
+  echo "bash profile already exists, skipping..."
+else
+  cp /etc/skel/.bashrc ~/
+fi
+
+# ~ folder should be 0755
+chmod 0755 ~
+# ~/.ssh should be 0700
+chmod 0700 ~/.ssh
+# ~/.ssh/authorized_keys should be 0600
+chmod 0600 ~/.ssh/authorized_keys

charts/k8s-dev-pod/Chart.yaml

@@ -2,7 +2,6 @@ apiVersion: v2
 name: k8s-dev-pod
 description: A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets
 type: application
-version: 0.2.0
-appVersion: "0.1.0"
+version: 0.3.0
 maintainers:
   - name: Bryopsida

charts/k8s-dev-pod/README.md

@@ -1,6 +1,6 @@
 # k8s-dev-pod
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets
 
@@ -14,18 +14,25 @@ A Helm chart for deploying a dev environment inside a K8S cluster that is compat
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| authorizedKeys | string | `nil` | A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart |
+| existingAuthorizedKeySecretName | string | `nil` | secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys |
+| existingAuthorizedKeySecretProperty | string | `"public-keys"` | property on the existing secret holding the authorized keys value |
 | homeSize | int | `20` |  |
 | image.pullPolicy | string | `"Always"` |  |
 | image.repo | string | `"ghcr.io/bryopsida/k8s-dev-pod"` |  |
 | image.tag | string | `"main"` |  |
 | ingressEnabled | bool | `false` |  |
 | ingressPort | int | `3022` |  |
+| nvmInstallEnabled | bool | `true` |  |
+| nvmVersion | string | `"v0.39.7"` |  |
+| ohMyZshInstallEnabled | bool | `true` |  |
 | passwordLoginEnabled | bool | `true` |  |
+| sdkManInstallEnabled | bool | `true` |  |
 | tailscale.authKey | string | `nil` |  |
 | tailscale.enabled | bool | `false` |  |
 | tailscale.image.pullPolicy | string | `"Always"` |  |
 | tailscale.image.repo | string | `"ghcr.io/tailscale/tailscale"` |  |
 | tailscale.image.tag | string | `"latest"` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/k8s-dev-pod/templates/authorized-keys.yaml

@@ -0,0 +1,10 @@
+{{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-authorized-keys
+  labels:
+    {{- include "k8s-dev-pod.labels" . | nindent 4 }}
+data:
+  public-keys: {{ .Values.authorizedKeys | b64enc }}
+{{- end }}

charts/k8s-dev-pod/templates/deployment.yaml

@@ -31,6 +31,15 @@ spec:
       - name: dropbear
         persistentVolumeClaim:
           claimName: {{ .Release.Name }}-dropbear
+      {{- if and .Values.authorizedKeys (not .Values.existingAuthorizedKeySecretName) }}
+      - name: authorized-keys
+        secret:
+          secretName: {{ .Release.Name }}-authorized-keys
+      {{- else if .Values.existingAuthorizedKeySecretName }}
+      - name: authorized-keys
+        secret:
+          secretName: {{ .Values.existingAuthorizedKeySecretName }}
+      {{- end }}
       {{- if .Values.volumes }}
       {{- toYaml .Values.volumes | nindent 8 }}
       {{- end }}
@@ -46,6 +55,14 @@ spec:
           env:
             - name: PASSWORD_LOGIN_ENABLED
               value: "{{ .Values.passwordLoginEnabled }}"
+            - name: NVM_INSTALL_ENABLED
+              value: "{{ .Values.nvmInstallEnabled }}"
+            - name: NVM_VERSION
+              value: "{{ .Values.nvmVersion }}"
+            - name: SDK_MAN_INSTALL_ENABLED
+              value: "{{ .Values.sdkManInstallEnabled }}"
+            - name: OH_MY_ZSH_INSTALL_ENABLED
+              value: "{{ .Values.ohMyZshInstallEnabled }}"
             {{- if .Values.env }}
             {{- toYaml .Values.env | nindent 12 }}
             {{- end }}
@@ -62,6 +79,15 @@ spec:
             - name: dropbear
               mountPath: /etc/dropbear
               readOnly: false
+            {{- if or .Values.authorizedKeys .Values.existingAuthorizedKeySecretName }}
+            - name: authorized-keys
+              mountPath: /authorized-keys
+            {{- if .Values.existingAuthorizedKeySecretName }}
+              subPath: public-keys
+            {{- else }}
+              subPath: {{ .Values.existingAuthorizedKeySecretProperty }}
+            {{- end }}
+            {{- end }}
             {{- if .Values.volumeMounts }}
             {{- toYaml .Values.volumeMounts | nindent 12 }}
             {{- end }}

charts/k8s-dev-pod/values.yaml

@@ -6,10 +6,23 @@ homeSize: 20
 ingressEnabled: false
 ingressPort: 3022
 passwordLoginEnabled: true
+# -- secret that is not managed by helm that holds the authorized keys property, when a value is specified this overrides using the authorizedKys
+existingAuthorizedKeySecretName: ~
+# existingAuthorizedKeySecretName: dev-pod-authorized-keys
+# -- property on the existing secret holding the authorized keys value
+existingAuthorizedKeySecretProperty: public-keys
+# -- A set of authorized public keys that will be trusted for logging in as developer, when specified this will overwrite the /etc/dropbear/authorized_keys contents with the value specified here on every pod-restart
+authorizedKeys: ~
+# authorizedKeys: |
+#   ssh-<key alg> <pub key> <client hostname>
 tailscale:
   enabled: false
   image:
     repo: ghcr.io/tailscale/tailscale
     tag: latest
     pullPolicy: Always
   authKey: ~
+nvmInstallEnabled: true
+nvmVersion: v0.39.7
+sdkManInstallEnabled: true
+ohMyZshInstallEnabled: true