diff --git a/README.md b/README.md
index b282b17..acddac6 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@ An ssh-bastion pod to make access to openshift clusters easy
 1. Make sure that `oc` is configured to talk to the cluster
+1. (Optionally configure namespace where the bastion will run: `export SSH_BASTION_NAMESPACE=openshift-ssh-bastion`.
+ `openshift-ssh-bastion` is used by default.)
 1. Run: `curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash`
 1. ssh as core to/through the bastion.
 1. The bastion address can be found by running `oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'`
diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml
deleted file mode 100644
index cda3d5b..0000000
--- a/deploy/clusterrolebinding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- openshift.io/description: Allows ssh-pod to read nodes and machineconfigs
- name: ssh-bastion
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ssh-bastion
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:serviceaccount:openshift-ssh-bastion:ssh-bastion
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index c6096c7..ed129a5 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -2,6 +2,11 @@ set -e
+# Configuration via env. variables:
+# Namespace where the bastion should run. The namespace will be created.
+SSH_BASTION_NAMESPACE="${SSH_BASTION_NAMESPACE:-openshift-ssh-bastion}"
+
+# Directory with bastion yaml files. Can be either local directory or http(s) URL.
 BASEDIR="${BASEDIR:-https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy}"
 clean_up () {
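Review bot: `SSH_BASTION_NAMESPACE` is read from the environment and handed to `oc` on every later line (and, judging by the next hunk, interpolated into an inline Namespace manifest) without any check that it is a valid namespace name, so a typo or a value containing spaces or shell-significant characters only surfaces as a confusing `oc` error or as word splitting where the variable is expanded unquoted. A one-line guard right after the default is assigned fails early and clearly: `printf '%s\n' "$SSH_BASTION_NAMESPACE" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' || { echo "invalid SSH_BASTION_NAMESPACE: $SSH_BASTION_NAMESPACE" >&2; exit 1; }`. The README step added in this commit still tells users to find the service with a hard-coded `-n openshift-ssh-bastion`, so anyone who actually sets the variable is given a wrong instruction; that line should mention the variable too.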
@@ -43,24 +48,35 @@ AcceptEnv XMODIFIERS
 Subsystem sftp /usr/libexec/openssh/sftp-server
 ' > ${CONFIGFILE}
- oc create -n openshift-ssh-bastion secret generic ssh-host-keys --from-file="ssh_host_rsa_key=${RSATMP},ssh_host_ecdsa_key=${ECDSATMP},ssh_host_ed25519_key=${ED25519TMP},sshd_config=${CONFIGFILE}"
+ oc create -n ${SSH_BASTION_NAMESPACE} secret generic ssh-host-keys --from-file="ssh_host_rsa_key=${RSATMP},ssh_host_ecdsa_key=${ECDSATMP},ssh_host_ed25519_key=${ED25519TMP},sshd_config=${CONFIGFILE}"
 }
-oc apply -f ${BASEDIR}/namespace.yaml
-oc apply -f ${BASEDIR}/service.yaml
-oc get -n openshift-ssh-bastion secret ssh-host-keys &>/dev/null || create_host_keys
-oc apply -f ${BASEDIR}/serviceaccount.yaml
-oc apply -f ${BASEDIR}/role.yaml
-oc apply -f ${BASEDIR}/rolebinding.yaml
+# Non-namespaced objects
+oc apply -f - </dev/null || create_host_keys
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/serviceaccount.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/role.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/rolebinding.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/deployment.yaml
 retry=120
 while [ $retry -ge 0 ]
 do
 retry=$(($retry-1))
- bastion_host=$(oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+ bastion_host=$(oc get service -n ${SSH_BASTION_NAMESPACE} ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
 if [ -z ${bastion_host} ]; then
 sleep 1
 else
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 69372ca..33b9865 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -4,7 +4,6 @@ metadata:
 labels:
 run: ssh-bastion
 name: ssh-bastion
- namespace: openshift-ssh-bastion
 spec:
 replicas: 1
 selector:
diff --git a/deploy/namespace.yaml b/deploy/namespace.yaml
deleted file mode 100644
index 0f18934..0000000
--- a/deploy/namespace.yaml
+++ /dev/null
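Review bot: The new lines quote the namespace inconsistently: `oc -n "${SSH_BASTION_NAMESPACE}" apply …` quotes it, but `oc create -n ${SSH_BASTION_NAMESPACE} secret generic …` in create_host_keys and `bastion_host=$(oc get service -n ${SSH_BASTION_NAMESPACE} …)` in the wait loop do not, and `${BASEDIR}` is unquoted on every apply line; quoting all of them (`-n "${SSH_BASTION_NAMESPACE}"`, `-f "${BASEDIR}/role.yaml"`) keeps the script behaving the same however the variables are set. The `oc apply -f - …` line that now creates the namespace appears truncated in this rendering (its here-document is not visible), so I could not confirm that the inline Namespace still carries the `openshift.io/run-level: "0"` label the deleted deploy/namespace.yaml had; if it does not, that is a silent behavior change that deserves either the label restored or a comment saying why it was dropped. create_host_keys begins before this hunk and the wait loop continues after it.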
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: openshift-ssh-bastion
- labels:
- openshift.io/run-level: "0"
-
diff --git a/deploy/role.yaml b/deploy/role.yaml
index d77caf1..a3f5a47 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: ssh-bastion
- namespace: openshift-ssh-bastion
 rules:
 - apiGroups:
 - security.openshift.io
diff --git a/deploy/rolebinding.yaml b/deploy/rolebinding.yaml
index 402b83f..300a486 100644
--- a/deploy/rolebinding.yaml
+++ b/deploy/rolebinding.yaml
@@ -4,7 +4,6 @@ metadata:
 annotations:
 openshift.io/description: Allows ssh-pod to run as root
 name: ssh-bastion
- namespace: openshift-ssh-bastion
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/deploy/service.yaml b/deploy/service.yaml
index bc81c0f..e1eb316 100644
--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -4,7 +4,6 @@ metadata:
 labels:
 run: ssh-bastion
 name: ssh-bastion
- namespace: openshift-ssh-bastion
 spec:
 externalTrafficPolicy: Local
 ports:
diff --git a/deploy/serviceaccount.yaml b/deploy/serviceaccount.yaml
index 89a8a65..5c4b1b0 100644
--- a/deploy/serviceaccount.yaml
+++ b/deploy/serviceaccount.yaml
@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: ssh-bastion
- namespace: openshift-ssh-bastion
diff --git a/ssh.sh b/ssh.sh
index e5b6187..7cb57c2 100755
--- a/ssh.sh
+++ b/ssh.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-ssh -t -o StrictHostKeyChecking=no -o ProxyCommand='ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -W %h:%p core@$(oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")' core@$1 "sudo -i"
+ssh -t -o StrictHostKeyChecking=no -o ProxyCommand='ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -W %h:%p core@$(oc get service --all-namespaces -l run=ssh-bastion -o jsonpath="{.items[0].status.loadBalancer.ingress[0].hostname}")' core@$1 "sudo -i"
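Review bot: Resolving the jump host with `oc get service --all-namespaces -l run=ssh-bastion` and taking `.items[0]` means the ProxyCommand connects to whichever labeled Service sorts first across every namespace the caller can read, so a Service carrying that label in any other namespace silently changes the host that the first hop (run with `-A` agent forwarding and `StrictHostKeyChecking=no`) is made to. Since deploy.sh now takes the namespace from `SSH_BASTION_NAMESPACE`, ssh.sh should resolve the bastion from the same setting rather than from a cluster-wide label search: `core@$(oc get service -n "${SSH_BASTION_NAMESPACE:-openshift-ssh-bastion}" ssh-bastion -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")'`. The variable is expanded by the shell that ssh spawns for the ProxyCommand, so it must be exported, or the lookup hoisted into a variable before the `ssh` line, for the override to take effect; `core@$1` should also be quoted as `"core@$1"` while the line is being touched.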