refactor ssh debug container and add k1 tooling + NGROK usage docu

kubermatic · Feb 14, 2024 · 6cc9781 · 6cc9781
1 parent 0cb0988
commit 6cc9781
Show file tree

Hide file tree

Showing 5 changed files with 109 additions and 20 deletions.
diff --git a/helper/ssh-debug/README.md b/helper/ssh-debug/README.md
@@ -1,15 +1,20 @@
 ## SSH Debug Client
 
 For quickly ssh to nodes in an internal network you could deploy this manifest.
-Create or add your key to the provided [`./secrect.ssh.key.yaml`](./secrect.ssh.key.yaml)  file and trigger the deployment:
+Create or add your key to the provided [`./secrect.ssh.files.yaml`](./secrect.ssh.files.yaml)  file and trigger the deployment:
 
 ```bash
 # create ssh secret from id_rsa,id_rsa.pub under `.ssh`folder:
-kubectl create secret generic --from-file ./.ssh/ ssh-key -n default --dry-run -o yaml > ./secrect.ssh.key.yaml
+kubectl create secret generic --from-file ./.ssh/ ssh-files --dry-run -o yaml > ./secrect.ssh.files.yaml
 
 #deploy manifests
-kubectl apply -f ./
+#for k1
+kubectl apply -f ./deployment.ssh.k1.debug.yaml -f ./secrect.ssh.files.yaml
+
+#alternative
+kubectl apply -f ./deployment.ssh.debug.yaml -f ./secrect.ssh.files.yaml
 ```
+
 Use now `kubectl exec -it` to login to container, and connect to the nodes ip's of the kvirt vmi's:
 ```bash
 #at seed cluster
@@ -18,4 +23,28 @@ kubectl get vmi -A
 kubectl exec -it -n default ssh-debug-xx-xxx bash
 # e.g. for ubuntu worker node
 ssh ubuntu@IP-OF-VMI
-```
+```
+
+### Use NGROK Tunnel
+
+We could NGROK to open an external tunnel to e.g. a secured network to get an SSH Tunnel into the cluster. To get required tokens go to the [NGROK Dashboard > Your Authtoken](https://dashboard.ngrok.com/get-started/your-authtoken) and then create an Edge Gateway [NGROK Dashboard > Edges > New Edge > TCP](https://dashboard.ngrok.com/cloud-edge/edges)
+
+To setup a ngrok tunnel inside the containers, uncomment the lines at [`deployment.ssh.k1.debug.yaml`](./deployment.ssh.k1.debug.yaml):
+```yaml
+          #Optional: your ngrok command to join
+          ngrok config add-authtoken xxxx-YOUR-TOKEN-xxxx
+          ngrok tunnel --log stdout --label edge=xxxx-your-edge-label 22
+```
+
+For the logs, check:
+```bash
+kubectl logs deployments/ssh-debug-k1-admin -f
+```
+Now after the tunnel is up you could use the public IP and ssh into the private cluster network:
+```bash
+# e.g. your ngrok IP: 8.tcp.eu.ngrok.io:21197
+ssh -t [email protected] -p 21197
+```
+
+**NOTE:** The tunnel could get used for other use cases like a https connection. See [Ngrok Docs](https://ngrok.com/docs)
+
diff --git a/helper/ssh-debug/deployment.ssh.debug.yaml b/helper/ssh-debug/deployment.ssh.debug.yaml
@@ -4,7 +4,6 @@ metadata:
   labels:
     app: ssh-debug
   name: ssh-debug
-  namespace: default
 spec:
   replicas: 1
   selector:
@@ -34,13 +33,9 @@ spec:
         resources: {}
         volumeMounts:
           - mountPath: /tmp/.ssh
-            name: ssh-key
+            name: ssh-files
             readOnly: true
       volumes:
-        - name: ssh-key
+        - name: ssh-files
           secret:
-            secretName: ssh-key
-            items:
-              - key: id_rsa
-                path: id_rsa
----
+            secretName: ssh-files
diff --git a/helper/ssh-debug/deployment.ssh.k1.debug.yaml b/helper/ssh-debug/deployment.ssh.k1.debug.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: ssh-debug-k1-admin
+  name: ssh-debug-k1-admin
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ssh-debug-k1-admin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ssh-debug-k1-admin
+    spec:
+      terminationGracePeriodSeconds: 0
+      containers:
+      - args:
+        - /bin/bash
+        - -c
+        - |
+          mkdir -p /root/.ssh
+          ls -lah /tmp/.ssh
+          cp /tmp/.ssh/* /root/.ssh/
+          chmod 0600 /root/.ssh/*
+          ls -lah /root/.ssh
+          service ssh restart
+
+          #Optional: your ngrok command to join
+          #ngrok config add-authtoken xxxx-YOUR-TOKEN-xxxx
+          #ngrok tunnel --log stdout --label edge=xxxx-your-edge-label 22
+        image: quay.io/kubermatic-labs/kubeone-tooling:1.7.2-2024-02-14
+        name: k1-admin
+        stdin: true
+        stdinOnce: true
+        tty: true
+        readinessProbe:
+          tcpSocket:
+            port: 22
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+          - mountPath: /tmp/.ssh
+            name: ssh-files
+      tolerations:
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 300
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 300
+      volumes:
+      - name: ssh-files
+        secret:
+          secretName: ssh-files
+
diff --git a/helper/ssh-debug/secrect.ssh.files.yaml b/helper/ssh-debug/secrect.ssh.files.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ssh-files
+stringData:
+#  id_rsa: |
+    #TODO-PRIVATE-SSH-KEY
+#  id_rsa.pub: |
+    #TODO--PUBLIC-SSH-KEY
+  authorized_keys: |-
+    # add your ssh public-key
diff --git a/helper/ssh-debug/secrect.ssh.key.yaml b/helper/ssh-debug/secrect.ssh.key.yaml