Enable SSH for the Gerrit replica
Change-Id: I9c294bed1e57fe381ec71941ebe8e8f72ad6c496
diff --git a/helm-charts/gerrit-replica/README.md b/helm-charts/gerrit-replica/README.md
index e720056..ae361d0 100644
--- a/helm-charts/gerrit-replica/README.md
+++ b/helm-charts/gerrit-replica/README.md
@@ -157,6 +157,7 @@
| `istio.tls.enabled` | Whether to enable TLS | `false` |
| `istio.tls.cert` | TLS certificate | `-----BEGIN CERTIFICATE-----` |
| `istio.tls.key` | TLS key | `-----BEGIN RSA PRIVATE KEY-----` |
+| `istio.ssh.enabled` | Whether to enable SSH | `false` |
### Apache-Git-HTTP-Backend (Git-Backend)
@@ -221,31 +222,34 @@
is mandatory, if access to the Gerrit replica is required!
***
-| Parameter | Description | Default |
-|-----------------------------------------------|----------------------------------------------------------------------------------------------------------|-----------------------------------|
-| `gerritReplica.images.gerritInit` | Image name of the Gerrit init container image | `k8s-gerrit/gerrit-init` |
-| `gerritReplica.images.gerritReplica` | Image name of the Gerrit replica container image | `k8s-gerrit/gerrit-replica` |
-| `gerritReplica.replicas` | Number of pod replicas to deploy | `1` |
-| `gerritReplica.maxSurge` | Max. percentage or number of pods allowed to be scheduled above the desired number | `25%` |
-| `gerritReplica.maxUnavailable` | Max. percentage or number of pods allowed to be unavailable at a time | `100%` |
-| `gerritReplica.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 1` |
-| | | `requests.memory: 5Gi` |
-| | | `limits.cpu: 1` |
-| | | `limits.memory: 6Gi` |
-| `gerritReplica.persistence.enabled` | Whether to persist the Gerrit site | `true` |
-| `gerritReplica.persistence.size` | Storage size for persisted Gerrit site | `10Gi` |
-| `gerritReplica.service.type` | Which kind of Service to deploy | `NodePort` |
-| `gerritReplica.service.http.port` | Port over which to expose HTTP | `80` |
-| `gerritReplica.ingress.host` | REQUIRED: Host name to use for the Ingress (required for Ingress) | `nil` |
-| `gerritReplica.ingress.additionalAnnotations` | Additional annotations for the Ingress | `nil` |
-| `gerritReplica.ingress.tls.enabled` | Whether to enable TLS termination in the Ingress | `false` |
-| `gerritReplica.ingress.tls.secret.create` | Whether to create a TLS-secret | `true` |
-| `gerritReplica.ingress.tls.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` |
-| `gerritReplica.ingress.tls.secret.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` |
-| `gerritReplica.ingress.tls.secret.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` |
-| `gerritReplica.keystore` | base64-encoded Java keystore (`cat keystore.jks | base64`) to be used by Gerrit, when using SSL | `nil` |
-| `gerritReplica.config.gerrit` | The contents of the gerrit.config | [see here](#Gerrit-config-files) |
-| `gerritReplica.config.secure` | The contents of the secure.config | [see here](#Gerrit-config-files) |
+| Parameter | Description | Default |
+|-----------------------------------------------|-------------------------------------------------------------------------------------------------|-----------------------------------|
+| `gerritReplica.images.gerritInit` | Image name of the Gerrit init container image | `k8s-gerrit/gerrit-init` |
+| `gerritReplica.images.gerritReplica` | Image name of the Gerrit replica container image | `k8s-gerrit/gerrit-replica` |
+| `gerritReplica.replicas` | Number of pod replicas to deploy | `1` |
+| `gerritReplica.maxSurge` | Max. percentage or number of pods allowed to be scheduled above the desired number | `25%` |
+| `gerritReplica.maxUnavailable` | Max. percentage or number of pods allowed to be unavailable at a time | `100%` |
+| `gerritReplica.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 1` |
+| | | `requests.memory: 5Gi` |
+| | | `limits.cpu: 1` |
+| | | `limits.memory: 6Gi` |
+| `gerritReplica.persistence.enabled` | Whether to persist the Gerrit site | `true` |
+| `gerritReplica.persistence.size` | Storage size for persisted Gerrit site | `10Gi` |
+| `gerritReplica.service.type` | Which kind of Service to deploy | `NodePort` |
+| `gerritReplica.service.http.port` | Port over which to expose HTTP | `80` |
+| `gerritReplica.service.ssh.enabled` | Whether to enable SSH for the Gerrit replica | `false` |
+| `gerritReplica.service.ssh.port` | Port for SSH | `29418` |
+| `gerritReplica.service.ssh.rsaKey` | Private SSH key in RSA format | `-----BEGIN RSA PRIVATE KEY-----` |
+| `gerritReplica.ingress.host` | REQUIRED: Host name to use for the Ingress (required for Ingress) | `nil` |
+| `gerritReplica.ingress.additionalAnnotations` | Additional annotations for the Ingress | `nil` |
+| `gerritReplica.ingress.tls.enabled` | Whether to enable TLS termination in the Ingress | `false` |
+| `gerritReplica.ingress.tls.secret.create` | Whether to create a TLS-secret | `true` |
+| `gerritReplica.ingress.tls.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` |
+| `gerritReplica.ingress.tls.secret.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` |
+| `gerritReplica.ingress.tls.secret.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` |
+| `gerritReplica.keystore` | base64-encoded Java keystore (`cat keystore.jks | base64`) to be used by Gerrit, when using SSL | `nil` |
+| `gerritReplica.config.gerrit` | The contents of the gerrit.config | [see here](#Gerrit-config-files) |
+| `gerritReplica.config.secure` | The contents of the secure.config | [see here](#Gerrit-config-files) |
### Gerrit config files
diff --git a/helm-charts/gerrit-replica/templates/gerrit-replica.deployment.yaml b/helm-charts/gerrit-replica/templates/gerrit-replica.deployment.yaml
index fe3b28c..fa607a7 100644
--- a/helm-charts/gerrit-replica/templates/gerrit-replica.deployment.yaml
+++ b/helm-charts/gerrit-replica/templates/gerrit-replica.deployment.yaml
@@ -67,6 +67,9 @@
# The git repositories will be mounted from a volume
[ -L /var/gerrit/git ] || rm -rf /var/gerrit/git
+ {{ if .Values.gerritReplica.service.ssh.enabled -}}
+ rm -f /var/gerrit/etc/ssh_host*key*
+ {{- end }}
volumeMounts:
- name: gerrit-site
mountPath: "/var/gerrit"
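Review bot: The `rm -f /var/gerrit/etc/ssh_host*key*` added under the SSH guard deletes every host key type from the persisted site on each init, but the change afterwards links only an RSA key back in. If Gerrit generates any missing host key types (ECDSA/Ed25519) on startup — not visible here — those keys change after every pod restart and clients that negotiated a non-RSA host key algorithm will see a host-key-changed warning. Either narrow the glob to the key that is actually replaced, `rm -f /var/gerrit/etc/ssh_host_rsa_key*`, or document that only the RSA host key is stable across restarts. The init script this runs in starts before the hunk.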
@@ -89,6 +92,9 @@
{{- end }}
ln -sf /var/config/gerrit.config /var/gerrit/etc/gerrit.config
ln -sf /var/config/secure.config /var/gerrit/etc/secure.config
+ {{ if .Values.gerritReplica.service.ssh.enabled -}}
+ ln -sf /var/config/ssh_host_rsa_key /var/gerrit/etc/ssh_host_rsa_key
+ {{- end }}
}
mkdir -p /var/gerrit/etc
@@ -122,12 +128,20 @@
mountPath: "/var/config/keystore"
subPath: keystore
{{- end }}
+ {{ if .Values.gerritReplica.service.ssh.enabled -}}
+ - name: gerrit-replica-ssh
+ mountPath: "/var/config/ssh_host_rsa_key"
+ subPath: ssh_host_rsa_key
+ {{- end }}
containers:
- name: gerrit-replica
image: {{ template "registry" . }}{{ .Values.gerritReplica.images.gerritReplica }}:{{ .Values.images.version }}
imagePullPolicy: {{ .Values.images.imagePullPolicy }}
ports:
- containerPort: 8080
+ {{ if .Values.gerritReplica.service.ssh -}}
+ - containerPort: 29418
+ {{- end }}
volumeMounts:
- name: gerrit-site
mountPath: "/var/gerrit"
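Review bot: The `containerPort: 29418` entry is guarded by `{{ if .Values.gerritReplica.service.ssh -}}`, which tests the whole `ssh` map; that map is non-empty in values.yaml and therefore always truthy, so the port is declared even when SSH is disabled. Every other guard in this change tests the flag, so make this one consistent: `{{ if .Values.gerritReplica.service.ssh.enabled -}}`. The effect is cosmetic because containerPort is informational, but as written it misreports which ports the pod listens on.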
@@ -148,6 +162,11 @@
mountPath: "/var/config/keystore"
subPath: keystore
{{- end }}
+ {{ if .Values.gerritReplica.service.ssh.enabled -}}
+ - name: gerrit-replica-ssh
+ mountPath: "/var/config/ssh_host_rsa_key"
+ subPath: ssh_host_rsa_key
+ {{- end }}
resources:
{{ toYaml .Values.gerritReplica.resources | indent 10 }}
volumes:
@@ -179,3 +198,8 @@
- name: gerrit-replica-secure-config
secret:
secretName: {{ .Release.Name }}-gerrit-replica-secure-config
+ {{ if .Values.gerritReplica.service.ssh.enabled -}}
+ - name: gerrit-replica-ssh
+ secret:
+ secretName: {{ .Release.Name }}-gerrit-replica-ssh-secret
+ {{- end }}
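Review bot: The `gerrit-replica-ssh` secret volume carries a private host key but relies on the default file mode, so the key is projected world-readable (0644) into the pod; a one-line addition under `secret:` restricts it, e.g. `defaultMode: 0440` (readable by the owner and the pod's `fsGroup`; pick the mode to match the user the Gerrit container runs as, which this hunk does not show). Both containers also mount the key via `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so rotating the host key requires a pod restart — worth a comment on the mount or a line in the README.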
diff --git a/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml b/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
index 6569f28..0b7fa9f 100644
--- a/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
+++ b/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
@@ -31,3 +31,18 @@
tls.key: {{ .key | b64enc }}
{{- end }}
{{- end }}
+---
+{{ if .Values.gerritReplica.service.ssh.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-gerrit-replica-ssh-secret
+ labels:
+ app: gerrit-replica
+ chart: {{ template "gerrit-replica.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+type: Opaque
+data:
+ ssh_host_rsa_key: {{ .Values.gerritReplica.service.ssh.rsaKey | b64enc }}
+{{- end }}
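Review bot: `ssh_host_rsa_key:` base64-encodes `.Values.gerritReplica.service.ssh.rsaKey` without checking that a key was actually provided, so enabling SSH with the values.yaml default produces a Secret containing an unusable placeholder and the problem only surfaces when the pod starts. Wrapping the value in Helm's `required` fails at render time instead: `ssh_host_rsa_key: {{ required "gerritReplica.service.ssh.rsaKey must be set when SSH is enabled" .Values.gerritReplica.service.ssh.rsaKey | b64enc }}`; note that this only bites if the values.yaml default is made empty rather than a BEGIN/END placeholder, since `required` accepts any non-empty value. Placing the `---` outside the `if` also emits an empty trailing document when SSH is disabled, which Helm tolerates but reads oddly; moving it inside the guard is cleaner.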
diff --git a/helm-charts/gerrit-replica/templates/gerrit-replica.service.yaml b/helm-charts/gerrit-replica/templates/gerrit-replica.service.yaml
index 8798667..dc6460c 100644
--- a/helm-charts/gerrit-replica/templates/gerrit-replica.service.yaml
+++ b/helm-charts/gerrit-replica/templates/gerrit-replica.service.yaml
@@ -13,6 +13,11 @@
- name: http
port: {{ .http.port }}
targetPort: 8080
+ {{ if .ssh.enabled -}}
+ - name: ssh
+ port: {{ .ssh.port }}
+ targetPort: 29418
+ {{- end }}
selector:
app: gerrit-replica
type: {{ .type }}
diff --git a/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml b/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
index 33e1698..21a1a7f 100644
--- a/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
+++ b/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
@@ -50,6 +50,14 @@
mode: SIMPLE
credentialName: {{ .Release.Name }}-istio-tls-secret
{{- end }}
+ {{ if .Values.istio.ssh.enabled }}
+ - port:
+ number: 29418
+ name: ssh
+ protocol: TCP
+ hosts:
+ - {{ .Values.istio.host }}
+ {{- end }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
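Review bot: The Gateway server added here binds a fixed `number: 29418`, while the VirtualService `tcp` route in the next hunk matches on `port: {{ .Values.gerritReplica.service.ssh.port }}`; for a gateway-bound TCP route the `match.port` is, as far as I can tell, the port the connection arrived on at the gateway, so once someone sets `gerritReplica.service.ssh.port` to anything other than 29418 the route no longer matches and SSH through Istio silently stops. Use one value in both places — either `number: {{ .Values.gerritReplica.service.ssh.port }}` here, or a dedicated `istio.ssh.port` value shared by the Gateway server and the `match.port` while `destination.port.number` keeps the Service port.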
@@ -88,4 +96,14 @@
host: {{ .Release.Name }}-gerrit-replica-service.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 80
+ {{ if .Values.istio.ssh.enabled }}
+ tcp:
+ - match:
+ - port: {{ .Values.gerritReplica.service.ssh.port }}
+ route:
+ - destination:
+ host: {{ .Release.Name }}-gerrit-replica-service.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: {{ .Values.gerritReplica.service.ssh.port }}
+ {{- end }}
{{- end }}
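Review bot: `istio.ssh.enabled` is checked on its own at the top of this hunk, independently of `gerritReplica.service.ssh.enabled`, so the TCP route is rendered toward a Service port that does not exist when only the Istio flag is set. Either gate both Istio blocks on both flags, `{{ if and .Values.istio.ssh.enabled .Values.gerritReplica.service.ssh.enabled }}`, or state in the README that the two flags must be enabled together. The enclosing `{{- if` block that this hunk's final `{{- end }}` closes starts outside the hunk.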
diff --git a/helm-charts/gerrit-replica/values.yaml b/helm-charts/gerrit-replica/values.yaml
index bc17e35..020bf1d 100644
--- a/helm-charts/gerrit-replica/values.yaml
+++ b/helm-charts/gerrit-replica/values.yaml
@@ -62,6 +62,8 @@
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
+ ssh:
+ enabled: false
gitBackend:
@@ -185,6 +187,13 @@
type: NodePort
http:
port: 80
+ ssh:
+ enabled: false
+ port: 29418
+ rsaKey: |-
+ -----BEGIN RSA PRIVATE KEY-----
+
+ -----END RSA PRIVATE KEY-----
ingress:
host:
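Review bot: `rsaKey` under `ssh:` is a private SSH host key whose default is a BEGIN/END placeholder with an empty line between, and nothing in the file says how a real value is meant to be supplied. A comment above it would stop the placeholder from ending up in a Secret, e.g. `# Private RSA host key for Gerrit's sshd, used only when ssh.enabled is true.` followed by `# Provide a real key at install time (e.g. --set-file gerritReplica.service.ssh.rsaKey=<path>) rather than committing one here.` Making the default empty instead of a placeholder would also let the Secret template reject a missing key at render time.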
@@ -252,7 +261,7 @@
# If using an ingress use proxy-http or proxy-https
listenUrl = proxy-http://*:8080/
[sshd]
- listenAddress = off
+ listenAddress = *:29418
[transfer]
timeout = 120 s
[user]
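Review bot: `listenAddress = *:29418` is now the unconditional default in the sample gerrit.config, even though `gerritReplica.service.ssh.enabled` defaults to `false` in the same file, so out of the box Gerrit's sshd listens inside the pod without the host-key handling this change adds to the init container (which only runs when the flag is set). Keeping `listenAddress = off` as the default and documenting that it must be changed to `*:29418` together with the flag keeps the two in step; if `config.gerrit` is rendered through `tpl` (not visible here) the value could instead be derived from the flag. The `config.gerrit` block scalar this line sits in starts before the hunk.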