[feature] SSH Public Key Login for DevContainer

2025-09-09 03:25:50 +00:00 · 2024-10-13 11:24:13 +00:00
parent 239edcc756
commit 50e6da3137
6 changed files with 42 additions and 3 deletions
--- a/internal/controller/devcontainerapp_controller.go
+++ b/internal/controller/devcontainerapp_controller.go
@@ -95,7 +95,7 @@ func (r *DevcontainerAppReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 				logger.Error(err, "Failed to update DevcontainerApp.Status.Ready", "DevcontainerApp.Status.Ready", app.Status.Ready)
 				return ctrl.Result{}, err
 			}
-			logger.Info("DevContainer is now ready", "ReadyReplicas", statefulSetInNamespace.Status.ReadyReplicas)
+			logger.Info("DevContainer is READY", "ReadyReplicas", statefulSetInNamespace.Status.ReadyReplicas)
 		} else {
 			app.Status.Ready = false
 			if err := r.Status().Update(ctx, app); err != nil {
--- a/internal/controller/templates/statefulset.yaml
+++ b/internal/controller/templates/statefulset.yaml
@@ -19,6 +19,23 @@ spec:
        app: {{.ObjectMeta.Name}}
        devstar-resource-type: devstar-devcontainer
    spec:
+      # 安全策略，禁止挂载 ServiceAccount Token
+      automountServiceAccountToken: false
+      volumes:
+        - name: root-ssh-dir
+          emptyDir: {}
+      initContainers:
+        - name: init-root-ssh-dir
+          image: {{.Spec.StatefulSet.Image}}
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - {{range .Spec.StatefulSet.SSHPublicKeyList}} echo "{{.}}" >> /root/.ssh/authorized_keys  && {{end}} chmod -R 700 /root/.ssh/ && echo 'SSH Public Key(s) imported.'
+            # 注意，必须递归设置 ~/.ssh/ 目录下权限 700，否则即使配置了 ~/.ssh/authorized_keys 也不会生效
+          volumeMounts:
+            - name: root-ssh-dir
+              mountPath: /root/.ssh
      containers:
        - name: {{.ObjectMeta.Name}}
          image: {{.Spec.StatefulSet.Image}}
@@ -27,6 +44,7 @@ spec:
          - {{.}}
          {{end}}
          imagePullPolicy: IfNotPresent
+          # securityContext: TODO: 设置 DevContainer 安全策略
          ports:
            - name: ssh-port
              protocol: TCP
@@ -34,6 +52,8 @@ spec:
          volumeMounts:
          - name: pvc-devcontainer
            mountPath: /data
+          - name: root-ssh-dir
+            mountPath: /root/.ssh
          livenessProbe:
            exec:
              command: