From 8f57ae4b1e72e8b830460622d8fa061a0e24e384 Mon Sep 17 00:00:00 2001 From: Tobias Schneck Date: Thu, 15 Feb 2024 09:13:40 +0100 Subject: [PATCH] Upate K1 Tooling: fix root bash + add ngrok + modify ssh-debug manifest (#117) * fix k1-tooling for root (wrong path for powerline-go) and upgrade k1 to 1.7.2 * refactor ssh debug container and add k1 tooling + NGROK usage docu --- container/kubeone-tool-container/.bashrc | 4 +- container/kubeone-tool-container/Dockerfile | 18 +++--- container/kubeone-tool-container/Makefile | 2 +- container/kubermatic-dev-ui/Makefile | 4 +- helper/ssh-debug/README.md | 37 +++++++++-- helper/ssh-debug/deployment.ssh.debug.yaml | 11 +--- helper/ssh-debug/deployment.ssh.k1.debug.yaml | 62 +++++++++++++++++++ helper/ssh-debug/secrect.ssh.files.yaml | 11 ++++ helper/ssh-debug/secrect.ssh.key.yaml | 8 --- 9 files changed, 125 insertions(+), 32 deletions(-) create mode 100644 helper/ssh-debug/deployment.ssh.k1.debug.yaml create mode 100644 helper/ssh-debug/secrect.ssh.files.yaml delete mode 100644 helper/ssh-debug/secrect.ssh.key.yaml diff --git a/container/kubeone-tool-container/.bashrc b/container/kubeone-tool-container/.bashrc index 3e4a6c7..fa4d91e 100644 --- a/container/kubeone-tool-container/.bashrc +++ b/container/kubeone-tool-container/.bashrc @@ -20,7 +20,7 @@ function _update_ps1() { export POWERLINE_THEME=default #export POWERLINE_THEME=low-contrast fi - PS1="$(powerline-go -theme $POWERLINE_THEME -cwd-max-depth 5 -newline -modules "termtitle,kube,venv,user,host,ssh,cwd,perms,git,hg,jobs,exit,root,vgo" -error $?)" + PS1="$(/bin/powerline-go -theme $POWERLINE_THEME -cwd-max-depth 5 -newline -modules "termtitle,kube,venv,user,host,ssh,cwd,perms,git,hg,jobs,exit,root,vgo" -error $?)" } export TERM="xterm-256color" if [ "$TERM" != "linux" ]; then 
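Review bot: `$POWERLINE_THEME` is still expanded unquoted on the new `PS1=` line even though the binary path was changed; the value is assigned from fixed words a few lines above, so it is harmless today, but `-theme "$POWERLINE_THEME"` keeps the argument intact if the theme is ever taken from the environment. The hard-coded `/bin/powerline-go` also means a PATH-installed copy is no longer consulted and every prompt prints a "No such file" error if the Dockerfile's install location moves, so a short comment such as `# absolute path: installed to /bin by the Dockerfile so it also works for root` next to the line would record why PATH lookup was dropped. `_update_ps1` opens before this hunk.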
@@ -39,7 +39,7 @@ alias kdebug='kcmd bash nicolaka/netshoot' source <(helm completion bash) ##### fubectl -[ -f $HOME/bin/fubectl.source ] && source $HOME/bin/fubectl.source +[ -f /bin/fubectl.source ] && source /bin/fubectl.source # fzf [ -f ~/.fzf.bash ] && source ~/.fzf.bash diff --git a/container/kubeone-tool-container/Dockerfile b/container/kubeone-tool-container/Dockerfile index e93cbc7..506d10c 100644 --- a/container/kubeone-tool-container/Dockerfile +++ b/container/kubeone-tool-container/Dockerfile @@ -144,6 +144,15 @@ RUN LAZYGIT_VERSION=0.37.0 && \ mv lazygit /usr/local/bin && \ cd .. && rm -rf /tmp/lazygit-inst +# Install ngrok +RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok + +### INSTALL helper +RUN wget https://rawgit.com/kubermatic/fubectl/master/fubectl.source -O /bin/fubectl.source && \ + # powerline go + wget https://github.com/justjanne/powerline-go/releases/latest/download/powerline-go-linux-amd64 -O /bin/powerline-go && \ + chmod +x /bin/powerline-go + ARG USER=kubermatic ARG USER_HOME=/home/${USER} ENV USER_HOME=$USER_HOME @@ -164,7 +173,7 @@ RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master git clone --depth=1 https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting && \ git clone --depth=1 https://github.com/kubermatic/fubectl.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/fubectl -### INSTALL helper +### INSTALL krew RUN echo $USER_HOME && mkdir ${USER_HOME}/bin && cd ${USER_HOME}/bin && \ # krew set -x; cd "$(mktemp -d)" && \ 
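Review bot: The new ngrok `RUN` line installs the vendor key into `/etc/apt/trusted.gpg.d/`, where it is trusted for every apt source, and the `curl -s` pipe has no `-f`, so an HTTP error body would be written as the key file and the chained `tee`/`apt update` would still proceed. Prefer a `signed-by` keyring scoped to the ngrok list, `curl -fsSL`, and `apt-get install -y`; plain `apt install` without `-y` can stop at a confirmation prompt in a non-interactive build, and `apt` warns that its CLI is not stable for scripts. The `sudo` prefixes look copied from the vendor instructions; in a Dockerfile `RUN` that already runs as root they are redundant, and they fail outright if the base image has no sudo (not visible here). The second `RUN` in this hunk fetches `powerline-go` from `releases/latest/download` and `fubectl.source` from rawgit with no version pin or checksum, so the image contents drift under an unchanged tag; pin the release and verify a published checksum as sketched below (placeholders marked).
```dockerfile
# Install ngrok: key scoped to this source only; the build fails on a download error
RUN curl -fsSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc -o /usr/share/keyrings/ngrok.asc && \
    echo "deb [signed-by=/usr/share/keyrings/ngrok.asc] https://ngrok-agent.s3.amazonaws.com buster main" \
      > /etc/apt/sources.list.d/ngrok.list && \
    apt-get update && apt-get install -y --no-install-recommends ngrok && \
    rm -rf /var/lib/apt/lists/*

# … unchanged: fubectl.source download …
# powerline go: pinned release + checksum instead of "latest"
ARG POWERLINE_GO_VERSION=<PINNED_RELEASE_TAG>
ARG POWERLINE_GO_SHA256=<EXPECTED_SHA256>
RUN wget https://github.com/justjanne/powerline-go/releases/download/${POWERLINE_GO_VERSION}/powerline-go-linux-amd64 -O /bin/powerline-go && \
    echo "${POWERLINE_GO_SHA256}  /bin/powerline-go" | sha256sum -c - && \
    chmod +x /bin/powerline-go
```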
@@ -172,12 +181,7 @@ RUN echo $USER_HOME && mkdir ${USER_HOME}/bin && cd ${USER_HOME}/bin && \ tar -zxvf krew*.tar.gz && \ KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm.*$/arm/')" && \ "$KREW" install krew && \ - rm -rf * && \ - # fubctl - wget https://rawgit.com/kubermatic/fubectl/master/fubectl.source -O ${USER_HOME}/bin/fubectl.source && \ - # powerline go - wget https://github.com/justjanne/powerline-go/releases/latest/download/powerline-go-linux-amd64 -O ${USER_HOME}/bin/powerline-go && \ - chmod +x ${USER_HOME}/bin/powerline-go + rm -rf * ### configure bash, use attach to ensure previous changes are stored COPY .bashrc .gitconfig /tmp/ diff --git a/container/kubeone-tool-container/Makefile b/container/kubeone-tool-container/Makefile index 4475504..87d15d3 100644 --- a/container/kubeone-tool-container/Makefile +++ b/container/kubeone-tool-container/Makefile @@ -1,5 +1,5 @@ ## See https://github.com/kubermatic/kubeone/releases -KUBEONE_VERSION ?= 1.6.0 +KUBEONE_VERSION ?= 1.7.2 DOCKER_REPO ?= 'quay.io/kubermatic-labs/kubeone-tooling' FINAL_TAG ?= ${KUBEONE_VERSION} TAG_DATE ?= ${KUBEONE_VERSION}-$(shell date -I) diff --git a/container/kubermatic-dev-ui/Makefile b/container/kubermatic-dev-ui/Makefile index 443e383..adbea8a 100644 --- a/container/kubermatic-dev-ui/Makefile +++ b/container/kubermatic-dev-ui/Makefile @@ -1,7 +1,7 @@ ## See https://github.com/kubermatic/kubeone/releases -UI_VERSION ?= 0.1.0 +UI_VERSION ?= 0.1.1 -KUBEONE_VERSION ?= 1.5.6 +KUBEONE_VERSION ?= 1.6.0 ### TODO transfer to kubermatic repo DOCKER_REPO ?= 'quay.io/toschneck/kubermatic-dev-ui' FINAL_TAG ?= ${UI_VERSION} diff --git a/helper/ssh-debug/README.md b/helper/ssh-debug/README.md index 85b28c7..4bb94c1 100644 --- a/helper/ssh-debug/README.md +++ b/helper/ssh-debug/README.md 
@@ -1,15 +1,20 @@ ## SSH Debug Client For quickly ssh to nodes in an internal network you could deploy this manifest. -Create or add your key to the provided [`./secrect.ssh.key.yaml`](./secrect.ssh.key.yaml) file and trigger the deployment: +Create or add your key to the provided [`./secrect.ssh.files.yaml`](./secrect.ssh.files.yaml) file and trigger the deployment: ```bash # create ssh secret from id_rsa,id_rsa.pub under `.ssh`folder: -kubectl create secret generic --from-file ./.ssh/ ssh-key -n default --dry-run -o yaml > ./secrect.ssh.key.yaml +kubectl create secret generic --from-file ./.ssh/ ssh-files --dry-run -o yaml > ./secrect.ssh.files.yaml #deploy manifests -kubectl apply -f ./ +#for k1 +kubectl apply -f ./deployment.ssh.k1.debug.yaml -f ./secrect.ssh.files.yaml + +#alternative +kubectl apply -f ./deployment.ssh.debug.yaml -f ./secrect.ssh.files.yaml ``` + Use now `kubectl exec -it` to login to container, and connect to the nodes ip's of the kvirt vmi's: ```bash #at seed cluster 
@@ -18,4 +23,28 @@ kubectl get vmi -A kubectl exec -it -n default ssh-debug-xx-xxx bash # e.g. for ubuntu worker node ssh ubuntu@IP-OF-VMI -``` \ No newline at end of file +``` + +### Use NGROK Tunnel + +We could NGROK to open an external tunnel to e.g. a secured network to get an SSH Tunnel into the cluster. To get required tokens go to the [NGROK Dashboard > Your Authtoken](https://dashboard.ngrok.com/get-started/your-authtoken) and then create an Edge Gateway [NGROK Dashboard > Edges > New Edge > TCP](https://dashboard.ngrok.com/cloud-edge/edges) + +To setup a ngrok tunnel inside the containers, uncomment the lines at [`deployment.ssh.k1.debug.yaml`](./deployment.ssh.k1.debug.yaml): +```yaml + #Optional: your ngrok command to join + ngrok config add-authtoken xxxx-YOUR-TOKEN-xxxx + ngrok tunnel --log stdout --label edge=xxxx-your-edge-label 22 +``` + +For the logs, check: +```bash +kubectl logs deployments/ssh-debug-k1-admin -f +``` +Now after the tunnel is up you could use the public IP and ssh into the private cluster network: +```bash +# e.g. your ngrok IP: 8.tcp.eu.ngrok.io:21197 +ssh -t root@8.tcp.eu.ngrok.io -p 21197 +``` + +**NOTE:** The tunnel could get used for other use cases like a https connection. See [Ngrok Docs](https://ngrok.com/docs) + diff --git a/helper/ssh-debug/deployment.ssh.debug.yaml b/helper/ssh-debug/deployment.ssh.debug.yaml index 4d351eb..294d33e 100644 --- a/helper/ssh-debug/deployment.ssh.debug.yaml +++ b/helper/ssh-debug/deployment.ssh.debug.yaml @@ -4,7 +4,6 @@ metadata: labels: app: ssh-debug name: ssh-debug - namespace: default spec: replicas: 1 selector: @@ -34,13 +33,9 @@ spec: resources: {} volumeMounts: - mountPath: /tmp/.ssh - name: ssh-key + name: ssh-files readOnly: true volumes: - - name: ssh-key + - name: ssh-files secret: - secretName: ssh-key - items: - - key: id_rsa - path: id_rsa ---- + secretName: ssh-files 
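Review bot: Dropping `namespace: default` from the metadata makes `kubectl apply` place this Deployment in whatever namespace the current context selects, while the README updated in this same commit still shows `kubectl exec -it -n default ssh-debug-xx-xxx bash`, so the two can silently disagree. Either document that `-n` must match on apply and exec, or keep the README example namespace-agnostic. The container spec of this Deployment lies outside the hunk.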
diff --git a/helper/ssh-debug/deployment.ssh.k1.debug.yaml b/helper/ssh-debug/deployment.ssh.k1.debug.yaml
new file mode 100644
index 0000000..38804e1
--- /dev/null
+++ b/helper/ssh-debug/deployment.ssh.k1.debug.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: ssh-debug-k1-admin
+ name: ssh-debug-k1-admin
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ssh-debug-k1-admin
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ssh-debug-k1-admin
+ spec:
+ terminationGracePeriodSeconds: 0
+ containers:
+ - args:
+ - /bin/bash
+ - -c
+ - |
+ mkdir -p /root/.ssh
+ ls -lah /tmp/.ssh
+ cp /tmp/.ssh/* /root/.ssh/
+ chmod 0600 /root/.ssh/*
+ ls -lah /root/.ssh
+ service ssh restart
+
+ #Optional: your ngrok command to join
+ #ngrok config add-authtoken xxxx-YOUR-TOKEN-xxxx
+ #ngrok tunnel --log stdout --label edge=xxxx-your-edge-label 22
+ image: quay.io/kubermatic-labs/kubeone-tooling:1.7.2-2024-02-14
+ name: k1-admin
+ stdin: true
+ stdinOnce: true
+ tty: true
+ readinessProbe:
+ tcpSocket:
+ port: 22
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /tmp/.ssh
+ name: ssh-files
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/not-ready
+ operator: Exists
+ tolerationSeconds: 300
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 300
+ volumes:
+ - name: ssh-files
+ secret:
+ secretName: ssh-files
+
diff --git a/helper/ssh-debug/secrect.ssh.files.yaml b/helper/ssh-debug/secrect.ssh.files.yaml
new file mode 100644
index 0000000..b613747
--- /dev/null
+++ b/helper/ssh-debug/secrect.ssh.files.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ssh-files
+stringData:
+# id_rsa: |
+ #TODO-PRIVATE-SSH-KEY
+# id_rsa.pub: |
+ #TODO--PUBLIC-SSH-KEY
+ authorized_keys: |-
+ # add your ssh public-key
\ No newline at end of file
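Review bot: The `ssh-files` mount under `volumeMounts` lacks `readOnly: true`, which the sibling `deployment.ssh.debug.yaml` in this same commit sets for the identical secret mount; add `readOnly: true` under `- mountPath: /tmp/.ssh` so the key material cannot be modified from inside the pod. The commented ngrok lines put the authtoken literally into the container `args`, where it would live in the Deployment object, `kubectl describe` output and repository history once uncommented; read it from a Secret-backed environment variable instead, as in the excerpt below. After `service ssh restart` the script has no foreground process unless the ngrok line is enabled, so whether the container stays up depends on the image's entrypoint, which is not in this diff; confirm it, or end the script with a foreground daemon such as `exec /usr/sbin/sshd -D` if that path matches the image. Because `runAsUser: 0` runs sshd as root and a tunnel would expose port 22 publicly, a comment on the `args` block stating that `authorized_keys` in the `ssh-files` Secret is the only gate would help the next operator.
```yaml
      - args:
        - /bin/bash
        - -c
        - |
          # … unchanged: copy /tmp/.ssh into /root/.ssh, chmod, service ssh restart …
          #Optional: ngrok join; the token comes from the environment, never from this manifest
          #ngrok config add-authtoken "$NGROK_AUTHTOKEN"
          #ngrok tunnel --log stdout --label edge=xxxx-your-edge-label 22
        env:
        - name: NGROK_AUTHTOKEN
          valueFrom:
            secretKeyRef:
              name: ngrok-authtoken   # constructed example name; create this Secret out of band
              key: authtoken
              optional: true
        # … unchanged: image, name, stdin/tty, readinessProbe, securityContext …
        volumeMounts:
        - mountPath: /tmp/.ssh
          name: ssh-files
          readOnly: true
```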
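Review bot: The only line under `authorized_keys: |-`, `# add your ssh public-key`, is part of the value, not a YAML comment (it is indented inside the block scalar), so as committed the Secret carries a comment-only `authorized_keys` that sshd skips; the placeholder should say the real key replaces this line, e.g. `# replace this line with your public key; a '#' line here is ignored by sshd`. Since the README hunk in this commit tells users to regenerate this same file from `./.ssh/` (private key included), it is a likely place for a private key to end up in version control; a top-of-file comment such as `# Do not commit this file once it contains real key material` or excluding the generated file from git would reduce that risk. The commented `id_rsa` entries are fine as placeholders, but note that `stringData` is stored only base64-encoded in the cluster, so RBAC on Secrets in the target namespace is the actual protection.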
diff --git a/helper/ssh-debug/secrect.ssh.key.yaml b/helper/ssh-debug/secrect.ssh.key.yaml
deleted file mode 100644
index 32fc62d..0000000
--- a/helper/ssh-debug/secrect.ssh.key.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: ssh-key
- namespace: default
-data:
- id_rsa: #TODO-BASE64-DECODED-PRIVATE-SSH-KEY
- id_rsa.pub: #TODO-BASE64-DECODED-PUBLIC-SSH-KEY
\ No newline at end of file