From c6f47bfd2e0fd990cb6af9eff825d3e0f7b949c5 Mon Sep 17 00:00:00 2001
From: Thomas Way
Date: Wed, 12 Jun 2024 23:49:13 +0100
Subject: [PATCH] fix(k8s/amour): gazelle

---
 container/smartmontools/BUILD.bazel | 4 +-
 k8s/amour/backup/breakfast/service_list.cue | 11 ++++
 .../backup/breakfast/statefulset_list.cue | 58 +++++++++++++++++++
 3 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/container/smartmontools/BUILD.bazel b/container/smartmontools/BUILD.bazel
index ee8a0d64c..b6518934a 100644
--- a/container/smartmontools/BUILD.bazel
+++ b/container/smartmontools/BUILD.bazel
@@ -5,7 +5,7 @@ load("@io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl", "instal
 download_pkgs(
 name = "pkgs",
 image_tar = "@io_docker_index_library_debian_bookworm_slim//image",
- packages = ["smartmontools"],
+ packages = ["dropbear"],
 )
 
 install_pkgs(
@@ -19,6 +19,6 @@ install_pkgs(
 container_image(
 name = "image",
 base = ":pkgs_image.tar",
- entrypoint = ["smartctl"],
+ entrypoint = ["dropbear"],
 visibility = ["//visibility:public"],
 )
diff --git a/k8s/amour/backup/breakfast/service_list.cue b/k8s/amour/backup/breakfast/service_list.cue
index c77faddf1..48ef707e5 100644
--- a/k8s/amour/backup/breakfast/service_list.cue
+++ b/k8s/amour/backup/breakfast/service_list.cue
@@ -60,4 +60,15 @@ import "k8s.io/api/core/v1"
 selector: "app.kubernetes.io/name": "\(#Name)-syncthing"
 type: v1.#ServiceTypeLoadBalancer
 }
+}, {
+ metadata: name: "\(#Name)-ssh"
+ spec: {
+ ports: [{
+ name: "ssh"
+ port: 22
+ targetPort: "ssh"
+ }]
+ selector: "app.kubernetes.io/name": "\(#Name)-ssh"
+ type: v1.#ServiceTypeLoadBalancer
+ }
 }]
diff --git a/k8s/amour/backup/breakfast/statefulset_list.cue b/k8s/amour/backup/breakfast/statefulset_list.cue
index c037a45ca..eda9e1d14 100644
--- a/k8s/amour/backup/breakfast/statefulset_list.cue
+++ b/k8s/amour/backup/breakfast/statefulset_list.cue
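Review bot: The two hunks in container/smartmontools/BUILD.bazel swap the `smartmontools` package and `smartctl` entrypoint for `dropbear`, so the `//container/smartmontools:image` target now builds an SSH server image under a name that says otherwise, and the subject `fix(k8s/amour): gazelle` does not account for it. The statefulset added in the same commit pulls `ghcr.io/uhthomas/uhthomas/dropbear@sha256:…`, which suggests the dropbear rules were meant for their own package (e.g. `container/dropbear/BUILD.bazel`) rather than to overwrite this one, and any consumer of the smartmontools target would presumably now get a different binary without a build error. Either restore `packages = ["smartmontools"]` and `entrypoint = ["smartctl"]` here and add the dropbear rules in a new package, or rename the package so the target name matches what it builds. The same point applies to the second hunk at `@@ -19,6 +19,6 @@`.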
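Review bot: The new `\(#Name)-ssh` Service is `type: v1.#ServiceTypeLoadBalancer` on port 22 with no `loadBalancerSourceRanges`, so the SSH login is reachable from everything the load balancer fronts; unlike the syncthing Service above it, this one exposes an interactive shell onto the backup volume. If the clients that need it are known, add `loadBalancerSourceRanges: ["<allowed-cidr>"]` to `spec` (or pair the Service with a NetworkPolicy); if it is meant to be reachable broadly, a one-line comment saying so would spare the next reader the question. The list this element joins begins outside the hunk.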
@@ -82,4 +82,62 @@ import (
 }]
 serviceName: metadata.name
 }
+}, {
+ metadata: name: "\(#Name)-ssh"
+ spec: {
+ // replicas: 0
+ selector: matchLabels: "app.kubernetes.io/name": "\(#Name)-ssh"
+ template: {
+ metadata: labels: "app.kubernetes.io/name": "\(#Name)-ssh"
+ spec: {
+ volumes: [{
+ name: "data"
+ persistentVolumeClaim: {
+ claimName: #Name
+ readOnly: true
+ }
+ }, {
+ name: "ssh"
+ configMap: name: "ssh"
+ }]
+ containers: [{
+ name: "ssh"
+ image: "ghcr.io/uhthomas/uhthomas/dropbear@sha256:e5a81546704ca3cf6c2ffcad46153adc3e827c3ac143a9e588c838acf7221708"
+ command: ["dropbear"]
+ args: ["-RFE", "-p2222"]
+ ports: [{
+ name: "ssh"
+ containerPort: 2222
+ }]
+ resources: limits: {
+ (v1.#ResourceCPU): "1"
+ (v1.#ResourceMemory): "2Gi"
+ }
+ volumeMounts: [{
+ name: "data"
+ mountPath: "/data"
+ }, {
+ name: "ssh"
+ mountPath: "/root/.ssh/authorized_keys"
+ subPath: "authorized_keys"
+ }]
+ imagePullPolicy: v1.#PullIfNotPresent
+ securityContext: {
+ capabilities: drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ }
+ }]
+ securityContext: {
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ fsGroupChangePolicy: v1.#FSGroupChangeOnRootMismatch
+ seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+ }
+ }
+ }
+ serviceName: metadata.name
+ }
 }]
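Review bot: `args: ["-RFE", "-p2222"]` asks dropbear (`-R`) to generate its host key on first connection, which it writes under `/etc/dropbear`, but the container runs with `readOnlyRootFilesystem: true` and no writable mount at that path, so key generation will presumably fail; backing it with an emptyDir would start it, but the host key would then change on every pod restart, and clients learn to wave through host-key mismatch warnings. The fence below gives the host key a `hostkeys` volume mounted at `/etc/dropbear`, backed by a Secret or small PVC so it is stable across restarts (claim name is a placeholder). Separately, `authorized_keys` is mounted at `/root/.ssh/authorized_keys` while the pod runs as `runAsUser: 1000`; dropbear resolves `~/.ssh/authorized_keys` from the login user's passwd entry, so unless the image maps uid 1000's home to `/root` this file will never be consulted — confirm against the image. The ConfigMap `ssh` that supplies the keys is referenced but not defined in this commit, so check it exists in the same namespace.

```cue
volumes: [{
	// … unchanged: "data" (PVC, readOnly) and "ssh" (configMap) volumes …
}, {
	name: "hostkeys"
	// Secret or small PVC, not emptyDir: the host key must survive pod restarts.
	persistentVolumeClaim: claimName: "<hostkeys-pvc>"
}]
// … unchanged: container name, image, command, args, ports, resources …
volumeMounts: [{
	// … unchanged: "data" and "ssh" mounts …
}, {
	name: "hostkeys"
	mountPath: "/etc/dropbear"
}]
```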