Merge branch 'release/0.1.10'

raethlein · raethlein · commit 2afedc658e07 · 2019-11-22T11:16:23.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -75,7 +75,8 @@ ENV SSH_PERMIT_TARGET_HOST="*" \
     SSH_TARGET_KEY_PATH="~/.ssh/id_ed25519.pub" \ 
     MANUAL_AUTH_FILE="false" \
     SSHD_ENVIRONMENT_VARIABLES="${_RESOURCES_PATH}/sshd_environment" \
-    SSH_TARGET_PUBLICKEY_API_PORT=8080
+    SSH_TARGET_PUBLICKEY_API_PORT=8080 \
+    ENV_NAME_SSH_TARGET_LABELS=""
 
 RUN \
     chmod -R ug+rwx $_RESOURCES_PATH && \
diff --git a/README.md b/README.md
@@ -96,6 +96,11 @@ The container can be configured with the following environment variables (`--env
         <td>Defines on which port the other containers can be reached via ssh. The ssh connection to the target can only be made via this port then. The default value '*' permits any port.</td>
         <td>*</td>
     </tr>
+    <tr>
+        <td>SSH_TARGET_LABELS</td>
+        <td>Specify which containers are targeted. Filters containers / pods via these labels. Must be in the form of "label1=value1,label2=value2,label3=value3". Default is empty string which disables filtering.</td>
+        <td>""</td>
+    </tr>
     <tr>
         <td>SSH_TARGET_PUBLICKEY_API_PORT</td>
         <td>Port where the target container exposes the /publickey endpoint (if used).</td>
diff --git a/docker-res/ssh/update_authorized_keys.py b/docker-res/ssh/update_authorized_keys.py
@@ -21,6 +21,7 @@
 SSH_PERMIT_TARGET_HOST = os.getenv("SSH_PERMIT_TARGET_HOST", "*")
 SSH_TARGET_KEY_PATH = os.getenv("SSH_TARGET_KEY_PATH", "~/.ssh/id_ed25519.pub")
 SSH_TARGET_PUBLICKEY_API_PORT = os.getenv("SSH_TARGET_PUBLICKEY_API_PORT", 8080)
+ENV_SSH_TARGET_LABELS = os.getenv("SSH_TARGET_LABELS", "")
 
 authorized_keys_cache_file = "/etc/ssh/authorized_keys_cache"
 authorized_keys_cache_file_lock = "cache_files.lock"
@@ -78,7 +79,7 @@ def get_authorized_keys_kubernetes(query_cache: list = []) -> (list, list):
     """
 
     pod_list = kubernetes_client.list_namespaced_pod(
-        NAMESPACE, field_selector="status.phase=Running")
+        NAMESPACE, field_selector="status.phase=Running", label_selector=SSH_TARGET_LABELS)
     authorized_keys = []
     new_query_cache = []
     for pod in pod_list.items:
@@ -135,7 +136,12 @@ def get_authorized_keys_docker(query_cache: list = []) -> (list, list):
 
     """
 
-    containers = docker_client.containers.list()
+    filters = {"status": "running"}
+    if ENV_SSH_TARGET_LABELS != "":
+        SSH_TARGET_LABELS = ENV_SSH_TARGET_LABELS.split(",")
+        filters.update({"label": SSH_TARGET_LABELS})
+    
+    containers = docker_client.containers.list(filters=filters)
     authorized_keys = []
     new_query_cache = []
     for container in containers:
@@ -154,8 +160,8 @@ def get_authorized_keys_docker(query_cache: list = []) -> (list, list):
             request = requests.request("GET", publickey_url, timeout=timeout_seconds)
             if request.status_code == 200:
                 key = request.text
-        except requests.exceptions.ConnectTimeout:
-            print("Connection to {ip} timed out after {timeout} seconds. Will try to exec into the pod to retrieve the key.".format(ip=pod_ip, timeout=str(timeout_seconds)))
+        except (requests.exceptions.ConnectionError, requests.exceptions.ConnectTimeout):
+            print("Connection to {ip} timed out after {timeout} seconds. Will try to exec into the pod to retrieve the key.".format(ip=container.id, timeout=str(timeout_seconds)))
 
         if key is None:
             exec_result = container.exec_run(PRINT_KEY_COMMAND)
diff --git a/docker-res/start_ssh.py b/docker-res/start_ssh.py
@@ -14,6 +14,9 @@
 ENV_NAME_MANUAL_AUTH_FILE = "MANUAL_AUTH_FILE"
 ENV_MANUAL_AUTH_FILE = os.getenv(ENV_NAME_MANUAL_AUTH_FILE, "false")
 
+ENV_NAME_SSH_TARGET_LABELS = "SSH_TARGET_LABELS"
+ENV_SSH_TARGET_LABELS = os.getenv(ENV_NAME_SSH_TARGET_LABELS, "")
+
 if ENV_SSH_PERMIT_TARGET_HOST == "":
     print("The environment variable {} must be set.".format(ENV_NAME_PERMIT_TARGET_HOST))
     exit(1)
@@ -29,5 +32,6 @@
 # export environment variables to a file which sshd can read to preserve their values in the ssh session
 call("echo 'export {}={}' >> {}".format(ENV_NAME_PERMIT_TARGET_HOST, ENV_SSH_PERMIT_TARGET_HOST, os.getenv("SSHD_ENVIRONMENT_VARIABLES")), shell=True)
 call("echo 'export {}={}' >> {}".format(ENV_NAME_MANUAL_AUTH_FILE, ENV_MANUAL_AUTH_FILE, os.getenv("SSHD_ENVIRONMENT_VARIABLES")), shell=True)
+call("echo 'export {}={}' >> {}".format(ENV_NAME_SSH_TARGET_LABELS, ENV_SSH_TARGET_LABELS, os.getenv("SSHD_ENVIRONMENT_VARIABLES")), shell=True)
 
 call("/usr/local/sbin/sshd -D -f " + SSHD_CONFIG, shell=True)
