feat: Add lagoon-remote-ssh-core resources

charts/lagoon-remote/Chart.yaml

@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.81.0
+version: 0.82.0
 
 dependencies:
 - name: lagoon-build-deploy
@@ -44,7 +44,5 @@ dependencies:
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: update lagoon-ssh-portal to v0.30.1
-    - kind: changed
-      description: update NATS chart dependency to v0.19.17
+    - kind: added
+      description: add lagoon-remote-ssh-core resources

charts/lagoon-remote/templates/_helpers.tpl

@@ -155,6 +155,43 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 
 
+{{/*
+Create the name of the service account to use for sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.serviceAccountName" -}}
+{{- default (include "lagoon-remote.sshCore.fullname" .) .Values.sshCore.serviceAccount.name }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name for sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.fullname" -}}
+{{- include "lagoon-remote.fullname" . }}-ssh-core
+{{- end }}
+
+{{/*
+Common labels sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.labels" -}}
+helm.sh/chart: {{ include "lagoon-remote.chart" . }}
+{{ include "lagoon-remote.sshCore.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-remote.name" . }}
+app.kubernetes.io/component: {{ include "lagoon-remote.sshCore.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+
 {{/*
 Create the name of the service account to use for sshPortal.
 */}}

charts/lagoon-remote/templates/ssh-core.clusterrole.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "lagoon-remote.sshCore.fullname" . }}
+  labels:
+    {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+rules:
+# k8s.ensureScaled
+- apiGroups:
+  - apps
+  resources:
+  - deployments/scale
+  verbs:
+  - get
+  - update
+# k8s.podName, k8s.FindDeployment
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+# k8s.Exec
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+{{- end }}

charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "lagoon-remote.sshCore.fullname" . }}
+  labels:
+    {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "lagoon-remote.sshCore.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/lagoon-remote/templates/ssh-core.secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}-token
+  labels:
+    {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+{{- end }}

charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+  labels:
+    {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+  {{- with .Values.sshCore.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/lagoon-remote/values.yaml

@@ -113,6 +113,17 @@ kubernetesBuildDeploy:
     # If not set, a name is generated using the fullname template.
     name:
 
+# sshCore creates a restricted, non-expiring ServiceAccount token for use by
+# lagoon-core.
+sshCore:
+  enabled: true
+  serviceAccount:
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname
+    # template
+    name: ""
+
 # sshPortal is an optional service providing low-latency SSH connectivity to
 # Lagoon environments.
 sshPortal: