diff --git a/argocd/applications/sshca.yaml b/argocd/applications/sshca.yaml
new file mode 100644
index 0000000..f630775
--- /dev/null
+++ b/argocd/applications/sshca.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: sshca
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: sshca
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/sshca/.gitignore b/sshca/.gitignore
new file mode 100644
index 0000000..2d38d4f
--- /dev/null
+++ b/sshca/.gitignore
@@ -0,0 +1 @@
+machine-ids.json
diff --git a/sshca/README.md b/sshca/README.md
new file mode 100644
index 0000000..6ae4552
--- /dev/null
+++ b/sshca/README.md
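Review bot: The Application declares no `syncPolicy`, so it syncs only on demand and never prunes; the README in this same commit defers removal of stale hash-suffixed ConfigMaps to "manually or e.g. Argo CD", which Argo CD only does with `syncPolicy: {automated: {prune: true}}` (or prune selected on each manual sync). `project: default` is the built-in project with unrestricted `sourceRepos` and `destinations`; a dedicated AppProject scoped to this repository and the `sshca` namespace would bound what a change to this repo can deploy through this Application. If a manual sync policy is deliberate for a certificate authority, a comment on `spec:` saying so would spare the next reader the question.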
@@ -0,0 +1,53 @@
+# SSHCA
+
+[SSHCA][0] is an online Certificate Authority for SSH. It can automatically
+issue signed SSH certificates for hosts' public keys. Machines authenticate to
+the service using a JWT signed with their machine UUID, and the service
+validates the signature by looking up the UUID in either a local JSON document
+or by querying the libvirt API on one or more VM hosts. Certificates will only
+be issued for hosts that can authenticate successfully.
+
+## Installation
+
+```sh
+kubectl apply -k sshca
+```
+
+## Configuration
+
+SSHCA is configured by the `config.toml` file. It is stored as a Kubernetes
+ConfigMap and mounted into the server container. The configuration file is
+only read at startup, so the ConfigMap uses the name suffix hash feature of
+Kustomize; when the contents of the configuration file change, the name of the
+ConfigMap will change, which will cause Kubernetes to restart the pod. Old
+ConfigMap resources are not deleted, but must be cleaned up by some other means
+(manually or e.g. Argo CD).
+
+The configuration file specifies the path to the private keys for signing
+certificates. It also includes the list of libvirt hosts to check for machine
+UUIDs, as well as the path to a static file where additional machine UUIDs are
+provided.
+
+Besides the main configuration file, SSHCA needs an additional ConfigMap that
+contains an `ssh_known_hosts` file. This file contains the public keys of the
+libvirt VM hosts, so that the service can securely connect to the libvirt API
+over SSH.
+
+## Secrets
+
+Several secrets are necessary for SSHCA to operate:
+
+1. The private key used to issue SSH host certificates, and optionally a
+ password to encrypt that key.
+2. A JSON document containing a map of host names to machine UUIDs, in order to
+ authenticate physical machines and other hosts that are not libvirt domains.
+3. An SSH user private key for authenticating to the libvirt hosts for VM UUID
+ lookups.
+4. OCI registry credentials for pulling container images.
+
+These secrets are stored encrypted as SealedSecret resources. The Bitnami
+Sealed Secrets controller decrypts these and manages regular Secret resources
+for them automatically.
+
+
+[0]: https://git.pyrocufflink.net/dustin/sshca
diff --git a/sshca/config.toml b/sshca/config.toml
new file mode 100644
index 0000000..3556b90
--- /dev/null
+++ b/sshca/config.toml
@@ -0,0 +1,11 @@
+machine_ids = "/var/lib/sshca/machine-ids.json"
+
+[ca.host]
+private_key_file = "/run/sshca/secrets/host/key/host-ca-key"
+private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase"
+
+[[libvirt]]
+uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"
+
+[[libvirt]]
+uri = "qemu+ssh://sshca@vmhost1.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"
diff --git a/sshca/host-ca-key.pub b/sshca/host-ca-key.pub
new file mode 100644
index 0000000..4cf1997
--- /dev/null
+++ b/sshca/host-ca-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t sshca.pyrocufflink.blue
diff --git a/sshca/ingress.yaml b/sshca/ingress.yaml
new file mode 100644
index 0000000..301ef1c
--- /dev/null
+++ b/sshca/ingress.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: sshca
+ labels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ app.kubernetes.io/part-of: sshca
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: sshca.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: sshca
+ port:
+ name: sshca
diff --git a/sshca/kustomization.yaml b/sshca/kustomization.yaml
new file mode 100644
index 0000000..d6876b1
--- /dev/null
+++ b/sshca/kustomization.yaml
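Review bot: The Ingress for `sshca.pyrocufflink.blue` has no `spec.tls` stanza and no TLS-related annotation, so unless the nginx controller is configured with a default certificate and a forced HTTPS redirect, the JWTs hosts present to authenticate and the certificates they receive cross the network in clear text. Declaring it on the resource, `tls: [{hosts: [sshca.pyrocufflink.blue], secretName: <TLS_SECRET_NAME>}]` (or the cert-manager annotation this cluster uses), pins that guarantee here rather than in controller defaults. If TLS is deliberately terminated elsewhere, a one-line comment under `spec:` saying where would document the decision.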
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: sshca
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: sshca
+ includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- sshca.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: sshca-config
+ files:
+ - config.toml
+
+- name: ssh-known-hosts
+ files:
+ - ssh_known_hosts
diff --git a/sshca/libvirt-sshkey.pub b/sshca/libvirt-sshkey.pub
new file mode 100644
index 0000000..641ee19
--- /dev/null
+++ b/sshca/libvirt-sshkey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQpBPCOlZvB8/kURvYITdkWf16LpwOenfphPDEETnyo sshca.pyrocufflink.blue
diff --git a/sshca/namespace.yaml b/sshca/namespace.yaml
new file mode 100644
index 0000000..4100f19
--- /dev/null
+++ b/sshca/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: sshca
+ labels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ app.kubernetes.io/part-of: sshca
diff --git a/sshca/secrets.yaml b/sshca/secrets.yaml
new file mode 100644
index 0000000..b3c0aed
--- /dev/null
+++ b/sshca/secrets.yaml
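Review bot: The `sshca` Namespace carries only the app.kubernetes.io labels, so no Pod Security Admission level is enforced on a namespace whose pod holds the host CA signing key and its passphrase. Adding `pod-security.kubernetes.io/enforce: restricted` alongside matching `warn` and `audit` labels would make the hardening the Deployment in sshca.yaml only partly applies (`runAsNonRoot: true` at pod level) mandatory, and would reject a future pod that drops it. The container in sshca.yaml currently sets no container-level securityContext, so expect to add `allowPrivilegeEscalation: false`, dropped capabilities and a seccomp profile there first; switching on `warn`/`audit` before `enforce` is the safe order.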
@@ -0,0 +1,70 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: sshca-host-key
+ namespace: sshca
+spec:
+ encryptedData:
+ host-ca-key: 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
+ template:
+ metadata:
+ name: sshca-host-key
+ namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: sshca-host-passphrase
+ namespace: sshca
+spec:
+ encryptedData:
+ host-ca-key.passphrase: 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
+ template:
+ metadata:
+ name: sshca-host-passphrase
+ namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: sshca-libvirt-sshkey
+ namespace: sshca
+spec:
+ encryptedData:
+ sshkey: 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
+ template:
+ metadata:
+ name: sshca-libvirt-sshkey
+ namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: imagepull-gitea
+ namespace: sshca
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ name: imagepull-gitea
+ namespace: sshca
+ type: kubernetes.io/dockerconfigjson
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: sshca-data
+ namespace: sshca
+spec:
+ encryptedData:
+ machine-ids.json: AgCmwNtLiL3SbRthy7TIMcKtNWzo2Xm1uSpdyWAWSxLnuyfBDT7sgNn2ILma/bCW9zJe/EaPbbZDgeUbcob1YWLkm6gBEZ8UkA0z/Jgu9hyvVDFoicvDFcmpLiPviyUrak7mmioeOgshAKmHAILa5m1fWNjbzxy0UgkjrGPJA9GXF/g1BFerf/kp5qAkpk0zAONx3ToganSDL7wXj4Mz6x2bb4Nu4s6kdyWdaxyz3evOzvBcy9HRl9Yyq/sIjW/nSahrTs1iwtWDOqF7j5pLmUa5FBoD2hlPmDUCC2Sw5JhwDJd2KuTV811Sl4qk60xLrp6RLlbhrhq3XsRPsUJm/5F8s7kKr2KPtEZu24+uZ12w7DYxlkuEJSlRcH1g/BMc1SD4PDQ2UJK04uQN6RVZlkm8bBYKunMniX9btF4ECXNlgYe0jr7o1SHj862tSnx63GJ4LVnO6Q8ahuM5d9BqMduo+8gpLBVb8vV1pT0zDhLVDGAsDHZE7s8V84eDn83iqlIVaTkUyUt4UAVvRseXENk7s2wyTSf7hYEbVPfcoMfuYR//PQWlN1+iEHtwxU6wSYEBmAXEuS0HXUAVFo55XSQylLDZBERkP0xD1svVFUV062hfFy5sTWTgEciZItMqdX+2TFlPdojZUSj0hk0TsxnuKUBnZLDimKmMa/8e360s3t4b9q9TL4PutGbr57SFZvat5wRmDjq/YgPOtA8H1QV6U7CU5SjG2vKH7KXdoI4wGk84n+F6ECUBQ8pp8lxwlzjyIDzIYM8EEsWW3qc7EcZC7wsj1i+0MJAoauyTYQBpAu9OzwzVSpHlK4N6QNm7do0fpL8UsAX1EbdSxsLg7yWUTpNx02qiXhtLVt/csUGiokHapLxy+60b3kzHS5vpW5k=
+ template:
+ metadata:
+ name: sshca-data
+ namespace: sshca
diff --git a/sshca/ssh_known_hosts b/sshca/ssh_known_hosts
new file mode 100644
index 0000000..15b3a7a
--- /dev/null
+++ b/sshca/ssh_known_hosts
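Review bot: `sshca-host-key` and `sshca-host-passphrase` are sealed as two separate Secrets, but sshca.yaml mounts both into the same container, so the passphrase compartmentalises nothing at runtime: any principal able to read Secrets in the `sshca` namespace, or to exec into the pod, obtains the CA key and the means to decrypt it together. That leaves RBAC on `secrets` in this namespace as the effective control, and this commit adds no Role or RoleBinding, so it is presumably governed by cluster-wide roles — worth confirming. Since the names alone do not say what each document protects, a comment above each (`# Host CA signing key; mounted read-only at /run/sshca/secrets/host/key`) would help whoever rotates them.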
@@ -0,0 +1,6 @@
+vmhost0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIE4HC02W4y4FG7tepnug47bH/DXAL2xX5klUN9r+a+P
+vmhost0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2mhyQV9esoL+P20DYIK+mz7+9ndvavXOhc15nFYUkIQX7hZzfcZnvccjd/4Ii7U6IY/8pmgT7Qk72OS9l9aCUzxKwRe3hD9ICz1ncrBQB2dCw2zL3fdfywU5WHCYWdgJPY5L9EYe6G5XNnKZN8k0Bs5mtryLytQre06eiDo5tNsFs6iKNCM75JbHNTY2yI1Pcc+FS65jYxNUyuFm6MfbxgM8gUdtS8czifgFMZxXcaAjqN3Mc6UyR2NvBTrytnCuRay2d67KK3xWCtllw+hxkS7dGlpzV8DE+iYm7spFMFcQW3Az6xBs0G+SWBkvyBUn63YKsoarwl3G9VC9/SQhR
+vmhost0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOSoJjVyG6dQMm0A+cTXFne1uh+smq13/bbvxJrxiVwFZiyi2ng5qU5tr+WSxyGNj2xLXGjtoygWUyr6D0R8mts=
+vmhost1.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHL7MW0Tnl4BUyxWiwQ2ldAmQFqrVvRGd3razpQwK7P
+vmhost1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2E9a0+JIcT7yWnbquZCSAdG43TFDyBlvdZgOYHanh6VRGlSDUWDkTdfqDuy4UvZ38OO5zRwjWv3X6jDF9wahyLYzkXYZ53/5piCnIl5Vki6KjpHCS3iFYVw8ZEX8NiPfMIqaNhmM+20q1qLGLV6YW/OJo504PfWh+pXGjMlIIJfLHlJpfhQD284RLZJWCjfEq+cr8j8/lE21j/adL9xReYoC9+TpfUNgUMRi06aMAu2fwR0ijU7oWSD/jnbYCvXgikt7cPrGI7jTIu2HFpTs5ctVIcE3c9NyQYbu1xKza2Scrt/0b3+jRdzAttGShwebW1iYzoctvzWDCd9DkHVQL
+vmhost1.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCix3Nzwir1BjTR+pv5Q1c+Yvqu9KS4OxEcDFqcvEQtVWWKZXR+QOAq/ZHvUaCi4FBuXvEKAJPQpZXF7ufdrd6Y=
diff --git a/sshca/sshca.yaml b/sshca/sshca.yaml
new file mode 100644
index 0000000..8da1ed1
--- /dev/null
+++ b/sshca/sshca.yaml
@@ -0,0 +1,113 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sshca
+ namespace: sshca
+ labels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ app.kubernetes.io/instance: sshca
+ app.kubernetes.io/part-of: sshca
+spec:
+ ports:
+ - port: 8087
+ name: sshca
+ selector:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ app.kubernetes.io/instance: sshca
+ type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sshca
+ namespace: sshca
+ labels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ app.kubernetes.io/part-of: sshca
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: sshca
+ app.kubernetes.io/component: sshca
+ spec:
+ enableServiceLinks: false
+ containers:
+ - name: sshca
+ image: git.pyrocufflink.net/packages/sshca
+ args:
+ - -c
+ - /etc/sshca/config.toml
+ env:
+ - name: RUST_LOG
+ value: info,sshca=trace
+ ports:
+ - containerPort: 8087
+ name: sshca
+ readinessProbe: &probe
+ httpGet:
+ port: 8087
+ path: /
+ failureThreshold: 3
+ periodSeconds: 60
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ <<: *probe
+ failureThreshold: 30
+ periodSeconds: 1
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /etc/ssh/ssh_known_hosts
+ name: ssh-known-hosts
+ subPath: ssh_known_hosts
+ readOnly: true
+ - mountPath: /etc/sshca
+ name: sshca-config
+ readOnly: true
+ - mountPath: /run/sshca/libvirt
+ name: sshca-libvirt-key
+ readOnly: true
+ - mountPath: /run/sshca/secrets/host/key
+ name: sshca-host-key
+ readOnly: true
+ - mountPath: /run/sshca/secrets/host/passphrase
+ name: sshca-host-passphrase
+ readOnly: true
+ - mountPath: /var/lib/sshca
+ name: sshca-data
+ readOnly: true
+ imagePullSecrets:
+ - name: imagepull-gitea
+ securityContext:
+ runAsNonRoot: true
+ fsGroup: 298
+ volumes:
+ - name: sshca-config
+ configMap:
+ name: sshca-config
+ - name: sshca-data
+ secret:
+ secretName: sshca-data
+ - name: sshca-host-key
+ secret:
+ secretName: sshca-host-key
+ - name: sshca-host-passphrase
+ secret:
+ secretName: sshca-host-passphrase
+ - name: sshca-libvirt-key
+ secret:
+ secretName: sshca-libvirt-sshkey
+ - name: ssh-known-hosts
+ configMap:
+ name: ssh-known-hosts
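Review bot: `image: git.pyrocufflink.net/packages/sshca` carries neither a tag nor a digest, so every pod start resolves a mutable `latest` reference for the service that signs host certificates; pinning by digest makes a rollout a reviewed change in this repository rather than whatever the registry holds at the moment. The pod-level `securityContext` sets only `runAsNonRoot` and `fsGroup`, and the container has no `securityContext` of its own, so privilege escalation, capabilities, the root filesystem and the seccomp profile all stay at their defaults; the block below brings the pod to the restricted Pod Security Standard, and since every mount is already `readOnly: true`, a read-only root filesystem is likely to work (the data in `/var/lib/sshca` is read, not written). The `&probe` anchor with `<<: *probe` is a YAML 1.1 merge key that not every tool in a Kubernetes pipeline expands, and the startupProbe override repeats `successThreshold: 1` and `timeoutSeconds: 1` unchanged, so spelling the probe out is both more portable and no longer. `RUST_LOG: info,sshca=trace` keeps the service's own crate at trace level permanently; whether that logs presented JWTs or signed material is not visible here, but trace is a debugging setting rather than a steady-state one for a CA and deserves a comment if it is intended.
```yaml
      containers:
      - name: sshca
        image: git.pyrocufflink.net/packages/sshca@sha256:<IMAGE_DIGEST>  # placeholder: pin to the built image's digest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: args, env, ports, probes, volumeMounts …
```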