mikeghen / Kubernetes Gcs Sftp
Programming Languages
Projects that are alternatives of or similar to Kubernetes Gcs Sftp
GCS SFTP Server
SFTP Server designed to store data in Google Cloud Storage (GCS) Buckets
This is based upon atmoz/sftp project.
Dockerfile
We need to setup an image (based on atomz/sftp) so that we can mount to Google Cloud Storage. That means just installing gcsfuse.
Find and build your own image using the Dockerfile provided.
Mounting Buckets
We use gcsfuse --uid, --gid, and --only-dir arguments to mount each SFTP users home directory to a single bucket. Inside the bucket, we create a directory for each user manually. (Not sure if using --only-dir will work unless the directory already exists)
Sample Bucket Directory Structure:
bucket-name
- /user1
- /user2
The mounting is done in etc/sftp.d/mount_user_directories.sh. When deploying to Kubernetes, this script gets executed as a postStart command.
Access Control for GCS Bucket
We just need to ensure your GKE cluster is created with the OAuth scope https://www.googleapis.com/auth/devstorage.read_write, and everything else will be handled automatically. Alternatively, we can mount a file in Service Account JSON key.
Setup Instructions
Dependancies
For testing, you will need to have Minikube and Docker installed.
For deployment, you will need to have the gcloud SDK.
Configuration
You can configure SFTP user accounts by adjusting what's in etc/sftp/users.conf and etc/sftp.d/mount_user_directories.sh.
When adding a new user, add a new line into etc/sftp/users.conf:
username:password:uid:gid:directory
Where uid is a number (e.g. 1003) and gid is a number (e.g. 1003).
And then add a new line into etc/sftp.d/mount_user_directories.sh to monunt their directory to a GCS bucket:
runuser -l partner1 -c \
'export GOOGLE_APPLICATION_CREDENTIALS=/credentials/gcloud-key.json && \
gcsfuse -o nonempty --only-dir username bucket /home/username/ftp'
This command will mount the bucket as the given user. It also does some environment variable trickery.
⚠️ User passwords are committed to this repo as a demo. Not the best to commit them in practice.
Production Deployment
To deploy to GKE follow these steps:
To Do
- [ ] Push docker image to dockerhub
- [ ] Document production deployment instructions
Development Setup for Testing
Follow these steps to run this locally with minikube.
1. Start minikube:
minikube start
2. Tell minikube to use local docker images:
eval $(minikube docker-env)
3. Build a local image from the Dockerfile:
docker build --rm -t mikeghen/kube-sftp .
4. Setup Secrets and Config Mappings
You'll need to adjust files in etc so that it reflects the SFTP users you're planning to use. You'll also need a Service Account as well.
Then, you can run these commands to put these files on the cluster as secrets:
kubectl create secret generic users --from-file=users.conf=./etc/sftp/users.conf
kubectl create secret generic sftp-gcloud-key --from-file=gcloud-key.json=./secrets/gcloud-key.json
kubectl create configmap gcs-mounts --from-file=gcs-mounts.sh=./etc/sftp.d/gcs-mounts.sh
- users - Code for maintaining users credentials for SFTP access
- sftp-cloud-key - JSON Key for GCS Service Account
- gcs-mounts - Code for mounting GCS bucket
5. Deploy the SFTP server to Kubernetes:
kubectl apply -f sftp.yaml
6. Get the test IP and port:
minikube service sftp --url
This will give you the IP and NodePort port.
ℹ️ We use NodePort 30022 for SFTP.
7. Confirm you can SFTP using the usernames and password you setup in etc/sftp* with sftp utility:
$ sftp -P 30022 [email protected]
[email protected]'s password:
sftp> pwd
/directory