Could we have a Kubernetes yaml for sftp #85

Closed
alvincjin opened this issue Aug 22, 2017 · 17 comments

Comments

alvincjin commented Aug 22, 2017

@atmoz
Actually, I am trying to build it in kubernetes.
I found I can access sftp from a docker container.

In users.conf file,

    foo:pass:1001: 100 :upload

I used the default sshd_config file from this repo.

I used WinSCP to connect to the pod in kubernetes. The error is as below:

    SFTP No supported authentication methods available (server sent: publickey)
    Authentication log (see session log for details):
    Using username "foo".
    Authentication failed.

Owner

atmoz commented Aug 22, 2017

Haven't tried it with Kubernetes yet

Sounds like you are trying to copy this image from scratch? From the error message it looks like the server only accepts publickey. Probably something more you must configure in Kubernetes.

@alvincjin
Author

Yes, I use this image without changes. Thanks.

@jujhars13

How's this https://gist.github.com/jujhars13/1e99cf110e5df39d4ae3c7fef81589f8 ?

Owner

atmoz commented Sep 23, 2017

Did you manage to get it working with Kubernetes, @alvincjin ?


jujhars13 commented Sep 25, 2017

I'm using it daily on Kubernetes, on Google Cloud Platform (GKE); it works just great. So stable.

Author

alvincjin commented Oct 12, 2017

@jujhars13

I tried your sftp.yaml in Kubernetes. It is always in the status below.

    $ kubectl get pods -o wide --namespace=sftp
    NAME READY STATUS RESTARTS AGE IP NODE
    sftp-2982426637-txs0k 0/1 ContainerCreating 0 34m ip-172-18-x-x

I guess it's because the secrets/keys can't be found.
How do you manage the keys for myUser?
My main issue is that I don't know where to put the public keys for the sftp users.
Thanks.


jujhars13 commented Oct 14, 2017

@alvincjin I put them into kubernetes secrets and then mount them into my container

something like

    # public ssh keys
    kubectl delete configMap sftp-public-keys || true # if error, just carry on
    kubectl create configmap sftp-public-keys \
      --from-file=${PROJECT_DIR}/build/sftp || true

Then in your pod's manifest

    ...
    volumeMounts:
      - mountPath: /home/myuser/.ssh/keys
        name: sftp-public-keys
        readOnly: true
      - mountPath: /home/myuserTwo/.ssh/keys
        name: sftp-public-keys
        readOnly: true

@alvincjin
Author

Hi @jujhars13

It works. Thanks.

@P9110963

@jujhars13 - Could you confirm whether you have tried it with user.conf in K8s? We have multiple users for our SFTP inbound.

@jujhars13

I have used it with multiple users but I'm not quite sure what you mean by user.conf

    containers:
      # the ftp server itself
      - name: our-sftp
        image: jujhars13/sftp:latest
        imagePullPolicy: Always
        env:
          - name: ENVIRONMENT
            value: $N_ENVIRONMENT
        args: ["fred::1001:100:incoming,outgoing", "dave::1002:100:incoming,outgoing"] # create users and dirs
        volumeMounts:
          - mountPath: /home/fred/.ssh/keys
            name: sftp-public-keys
            readOnly: true
          - mountPath: /home/dave/.ssh/keys
            name: sftp-public-keys
            readOnly: true
          - mountPath: /home
            name: sftp-server-pv-storage
        securityContext:
          capabilities:
            add: ["SYS_ADMIN"]
        resources: {}

@gijo-varghese

@jujhars13 I'm getting the error:

    MountVolume.SetUp failed for volume "sftp-public-keys" : configmaps "sftp-public-keys" not found

I didn't get what this command does:

    kubectl create configmap sftp-public-keys \
      --from-file=${PROJECT_DIR}/build/sftp || true

Any way to solve this? I'm on GKE.

@jujhars13

Hi Gijo, kubectl create configmap sftp-public-keys \ --from-file=${PROJECT_DIR}/build/sftp || true uploads your sftp public keys as a Kubernetes configmap. This is then mounted as a volume into your pod.

So if you generate some ssh-keys using ssh-keygen -t rsa -b 4096 and drop them into ${PROJECT_DIR}/build/sftp then the command will pick them up and upload them as a configmap for you
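
The ConfigMap and per-user key mounts discussed in the comments above, written declaratively as an added example (not code from this thread or from the atmoz/sftp project). It goes one step beyond the snippets above: the ConfigMap holds only `.pub` files, and `items` projects a single key into each user's `.ssh/keys` directory so that one user's key does not also authorize the other. The key strings are placeholders, and the `sftp` Deployment name and `app: sftp` label are assumptions.

```yaml
# Must be created in the same namespace as the pod, otherwise the pod stays in
# ContainerCreating with: configmaps "sftp-public-keys" not found
apiVersion: v1
kind: ConfigMap
metadata:
  name: sftp-public-keys
data:
  # Constructed placeholders: paste public keys (*.pub) only, never private keys.
  fred.pub: "ssh-rsa <FRED_PUBLIC_KEY_PLACEHOLDER> fred"
  dave.pub: "ssh-rsa <DAVE_PUBLIC_KEY_PLACEHOLDER> dave"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftp            # assumed name
spec:
  replicas: 1
  selector:
    matchLabels: {app: sftp}
  template:
    metadata:
      labels: {app: sftp}
    spec:
      volumes:
        # One volume per user, each exposing only that user's key.
        - name: fred-keys
          configMap:
            name: sftp-public-keys
            items: [{key: fred.pub, path: fred.pub}]
        - name: dave-keys
          configMap:
            name: sftp-public-keys
            items: [{key: dave.pub, path: dave.pub}]
      containers:
        - name: sftp
          image: atmoz/sftp:latest
          # Empty password field: key authentication only.
          args: ["fred::1001:100:incoming,outgoing", "dave::1002:100:incoming,outgoing"]
          ports:
            - containerPort: 22
          volumeMounts:
            - {mountPath: /home/fred/.ssh/keys, name: fred-keys, readOnly: true}
            - {mountPath: /home/dave/.ssh/keys, name: dave-keys, readOnly: true}
```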

@gijo-varghese

@jujhars13 Thanks. What I'm trying to do is provide multi-tenant WordPress sites. So each customer will get a WP site and its SFTP/FTP login details. Each WP site will have its own persistent disk using an NFS server with ReadWriteMany mode.

Here is what my spec looks like:

    spec:
      #secrets and config
      volumes:
        - name: nfs
          persistentVolumeClaim:
            claimName: nfs

      containers:
        #the sftp server itself
        - name: sftp
          image: atmoz/sftp:latest
          imagePullPolicy: Always
          args: ["admin:admin:1010:1013"]
          ports:
            - containerPort: 22
          volumeMounts:
            - mountPath: /var/www/html
              name: nfs
          securityContext:
            capabilities:
              add: ["SYS_ADMIN"]
          resources: {}

The WP sites will be installed in /var/www/html. It works. But I'm not able to edit/delete files. Also, after creating this, WP now asks for FTP credentials for doing everything. Looks like it lost the permission.

Could you pls look into it?

@jujhars13

@gijo-varghese This config I shared is for SSH key authentication only, which I'm guessing won't work with WordPress.

You'll have to use password-based authentication, pregenerate your WordPress passwords and inject those in as Kubernetes secrets as per https://github.com/atmoz/sftp#encrypted-password
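
One way to wire up the password-based setup suggested above, as an added example (not code from this thread or from the atmoz/sftp project): the user line lives in a Secret instead of plaintext `args`, with the password stored as a crypt hash. It assumes the `/etc/sftp/users.conf` path and the `:e` (encrypted password) flag described in the atmoz/sftp README; the `sftp-users` Secret name and the hash are placeholders.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: sftp-users      # assumed name
type: Opaque
stringData:
  # Line format: user:pass[:e][:uid[:gid[:dir1[,dir2]...]]]
  # ":e" marks the password field as an already-hashed (crypt) value.
  # The hash is a placeholder; generate a real one offline and never
  # commit the cleartext password alongside the manifest.
  users.conf: |
    admin:<CRYPT_HASH_PLACEHOLDER>:e:1010:1013
---
apiVersion: v1
kind: Pod
metadata:
  name: sftp
  labels:
    app: sftp
spec:
  volumes:
    - name: users
      secret:
        secretName: sftp-users
        defaultMode: 0400   # readable by root only
  containers:
    - name: sftp
      image: atmoz/sftp:latest
      # No args: the user list comes from the mounted users.conf.
      ports:
        - containerPort: 22
      volumeMounts:
        # subPath mounts the single file without hiding the rest of /etc/sftp.
        - mountPath: /etc/sftp/users.conf
          name: users
          subPath: users.conf
          readOnly: true
```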


bukowa commented Mar 12, 2021

apiVersion: v1
kind: Pod
metadata:
  name: "test-sftp"
  labels:
    app: "test-sftp"
spec:
  volumes:
    - name: sftp
      emptyDir: {}

  initContainers:
    - name: alpine
      image: alpine
      command: ["/bin/sh", "-c", "adduser -D -u 555 test && chown -R 555:555 /var/www/html"]
      volumeMounts:
        - mountPath: /var/www/html
          name: sftp

  containers:
    - name: sftp
      # change this
      image: atmoz-sftp
      imagePullPolicy: Always
      ports:
        - containerPort: 22
      volumeMounts:
        - mountPath: /home/test
          name: sftp
      args:
        - test:test:555

    - name: openssh
      image: alpine
      command: ["/bin/sh", "-c", "apk add openssh sshpass && time sleep 2 && sshpass -p 'test' sftp -oStrictHostKeyChecking=no test@localhost && sleep infinite"]

@jujhars13

I love the initContainer idea.

What's the openssh container testing for specifically?


bukowa commented Mar 13, 2021

@jujhars13 Hey, from what I remember it's just trying to connect; the YAML is just a POC for atmoz/sftp on Kubernetes from my repo.
