Undercloud/k8s-apps
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8af9a740718cdf48990f04ab06a7ca50a5af5233
k8s-apps/sshwifty/sshwifty.yaml
shodan 8af9a74071 sshwifty
2026-03-11 09:01:35 +00:00

322 lines
11 KiB
YAML
Raw Blame History

apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: sshwifty
data:
sshwifty.conf.json: |
{
// HTTP Host. Keep it empty to accept request from all hosts, otherwise, only
// specified host is allowed to access
"HostName": "localhost",
// Web interface access password. Set to empty to allow public access to the
// web interface (By pass the Authenticate page)
"SharedKey": "WEB_ACCESS_PASSWORD",
// Remote dial timeout. This limits how long of time the backend can spend
// to connect to a remote host. The max timeout will be determined by
// server configuration (ReadTimeout).
// (In Seconds)
"DialTimeout": 10,
// Socks5 proxy. When set, Sshwifty backend will try to connect remote through
// the given proxy
"Socks5": "localhost:1080",
// Username of the Socks5 server. Please set when needed
"Socks5User": "",
// Password of the Socks5 server. Please set when needed
"Socks5Password": "",
// Server side hooks, allowing operator to launch external processes on the
// server side to influence server behaver
//
// The operation of a Hook must be completed within the time limit defined
// by `HookTimeout` set below. Otherwise it will be terminated, and results
// a failure for the execution
//
// To determine how much time is still left for the execution, a Hook can
// fetch the deadline information from the `SSHWIFTY_HOOK_DEADLINE`
// environment variable which is a RFC3339 formatted date string indicating
// after what time the termination will occur
//
// Warning: the process will be launched within the same context and system
// permission which Sshwifty is running under, thus is it crucial that the
// Hook process is designed and operated in a secure manner, otherwise
// SECURITY VULNERABILITY (commandline injection, for example) maybe created
// as result
//
// Warning: all inputs passed by Sshwifty to the hook process must be
// considered unsanitized, and must be sanitized by each hook themselves
"Hooks": {
// before_connecting is called before Sshwifty starts to connect to a remote
// endpoint. If any of the Hook process exited with a non-zero return code,
// the connection request is aborted
//
// This Hook offers two parameters:
// - SSHWIFTY_HOOK_REMOTE_TYPE: Type of the connection (i.e. SSH or Telnet)
// - SSHWIFTY_HOOK_REMOTE_ADDRESS: Address of the remote host
"before_connecting": [
// Following example command launches a `/bin/sh` to execute a for loop
// that prints to Stdout as well as to Stderr
//
// Prints to Stdout will be sent to the client side visible to the user,
// and prints to Stderr will be captured as server side logs and it is
// invisible to the user (as server logs usually are)
//
// The command must be specified in Json array format. Each array element
// is mapped to a command fragment separated by space. For example:
// ["command", "-i", "Hello World"] will be mapped to `command -i "Hello
// World"` before it is executed
[
"/bin/sh",
"-c",
"for n in $(seq 1 5); do sleep 1 && echo Stdout $SSHWIFTY_HOOK_REMOTE_TYPE $n && echo Stderr $SSHWIFTY_HOOK_REMOTE_TYPE $n 1>&2; done"
],
// You can add multiple hooks, they're executed in sequence even when the
// previous one fails
[
"/bin/sh",
"-c",
"/etc/sshwifty/before_connecting.sh"
],
[
"/bin/another-command",
"...",
"..."
]
]
},
// The maximum execution time of each hook, in seconds. If this timeout is
// exceeded, the hook will be terminated, and thus cause a failure
"HookTimeout": 30,
// Sshwifty HTTP server, you can set multiple ones to serve on different
// ports
"Servers": [
{
// Which local network interface this server will be listening
"ListenInterface": "0.0.0.0",
// Which local network port this server will be listening
"ListenPort": 8182,
// Timeout of initial request. HTTP handshake must be finished within
// this time
// (In Seconds)
"InitialTimeout": 10,
// How long do the connection can stay in idle before the backend server
// disconnects the client
// (In Seconds)
"ReadTimeout": 120,
// How long the server will wait until the client connection is ready to
// recieve new data. If this timeout is exceed, the connection will be
// closed.
// (In Seconds)
"WriteTimeout": 120,
// The interval between internal echo requests
// (In Seconds)
"HeartbeatTimeout": 10,
// Forced delay between each request
// (In Milliseconds)
"ReadDelay": 10,
// Forced delay between each write
// (In Milliseconds)
"WriteDelay": 10,
// Path to TLS certificate file. Set empty to use HTTP
"TLSCertificateFile": "",
// Path to TLS certificate key file. Set empty to use HTTP
"TLSCertificateKeyFile": "",
// Display a short text message on the Home page. Link is supported
// through `[Title text](https://link.example.com)` format
"ServerMessage": ""
},
{
"ListenInterface": "0.0.0.0",
"ListenPort": 8182,
"InitialTimeout": 3,
.....
}
],
// Remote Presets, the operater can define few presets for user so the user
// won't have to manually fill-in all the form fields
//
// Presets will be displayed in the "Known remotes" tab on the Connector
// window
//
// Notice: You can use the same JSON value for `SSHWIFTY_PRESETS` if you are
// configuring your Sshwifty through enviroment variables.
//
// Warning: Presets Data will be sent to user client WITHOUT any protection.
// DO NOT add any secret information into Preset.
//
"Presets": [
{
// Title of the preset
"Title": "SDF.org Unix Shell",
// Preset Types, i.e. Telnet, and SSH
"Type": "SSH",
// Target address and port
"Host": "sdf.org:22",
// Define the tab and background color of the console in RGB hex format
// for better visual identification
//
// For example: 110000 will give you a dark red background, 001100 is
// dark green and 000011 is dark blue
//
// The color must not be too bright, as it will make the foreground text
// hard to read
"TabColor": "112233",
// Form fields and values, you have to manually validate the correctness
// of the field value
//
// Defining a Meta field will prevent user from changing it on their
// Connector Wizard. If you want to allow users to use their own settings,
// leave the field unsetted
//
// Values in Meta are scheme enabled, and supports following scheme
// prefixes:
// - "literal://": Text literal (Default)
// Example: literal://Data value
// (The final value will be "Data value")
// Example: literal://file:///tmp/afile
// (The final value will be "file:///tmp/afile")
// - "file://": Load Meta value from given file.
// Example: file:///home/user/.ssh/private_key
// (The file path is /home/user/.ssh/private_key)
// - "environment://": Load Meta value from an Environment Variable.
// Example: environment://PRIVATE_KEY_DATA
// (The name of the target environment variable is
// PRIVATE_KEY_DATA)
//
// All data in Meta is loaded during start up, and will not be updated
// even the source already been modified.
//
"Meta": {
// Data for predefined User field
"User": "pre-defined-username",
// Data for predefined Encoding field. Valid data is those displayed on
// the page
"Encoding": "pre-defined-encoding",
// Data for predefined Password field
"Password": "pre-defined-password",
// Data for predefined Private Key field, should contains the content
// of a Key file
"Private Key": "file:///home/user/.ssh/private_key",
// Data for predefined Authentication field. Valid values is what
// displayed on the page (Password, Private Key, None)
"Authentication": "Password",
// Data for server public key fingerprint. You can acquire the value of
// the fingerprint by manually connect to a new SSH host with Sshwifty,
// the fingerprint will be displayed on the Fingerprint comformation
// page.
"Fingerprint": "SHA256:bgO...."
}
},
{
"Title": "Endpoint Telnet",
"Type": "Telnet",
"Host": "endpoint.nirui.org:23",
"Meta": {
// Data for predefined Encoding field. Valid data is those displayed on
// the page
"Encoding": "utf-8"
....
}
},
....
],
// Allow the Preset Remotes only, and refuse to connect to any other remote
// host
//
// NOTICE: You can only configure OnlyAllowPresetRemotes through a config
// file. This option is not supported when you are configuring with
// environment variables
"OnlyAllowPresetRemotes": false
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sshwifty
namespace: sshwifty
labels:
app: sshwifty
spec:
replicas: 1
selector:
matchLabels:
app: sshwifty
template:
metadata:
annotations:
#backup.velero.io/backup-volumes: html
labels:
app: sshwifty
spec:
containers:
- name: sshwifty
image: niruix/sshwifty:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8182
env:
- name: SSHWIFTY_CONFIG
value: "./sshwifty.conf.json ./sshwifty"
volumeMounts:
- mountPath: "./sshwifty.conf.json"
name: config
subPath: sshwifty.conf.json
volumes:
- name: config
configMap:
name: config
defaultMode: 0777
items:
- key: "sshwifty.conf.json"
path: "sshwifty.conf.json"
---
apiVersion: v1
kind: Service
metadata:
name: sshwifty
namespace: sshwifty
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
#ipFamilyPolicy: SingleStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8182
selector:
app: sshwifty
#sessionAffinity: None
type: ClusterIP
Reference in New Issue View Git Blame Copy Permalink