| author | Paul Buetow <paul@buetow.org> | 2026-02-07 23:09:49 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-02-07 23:09:49 +0200 |
| commit | ffbe2cb0a75c7f44d51cd74280dd6d597d6e7c8e (patch) | |
| tree | a9e57e9f63187dcb4cd9273463bde129e1489e35 | |
| parent | 4439d1624bd68ee4b8e030d6f36908e162f44717 (diff) | |
fix(git-server): copy SSH keys from NFS to local emptyDir
OpenSSH refuses to load host keys from NFS for security reasons.
The solution is to store keys in persistent NFS (so they survive
restarts) but copy them to a local emptyDir at startup (so sshd
can read them).
This ensures:
- SSH host keys persist across pod restarts
- sshd can successfully load the keys from local storage
- Clients don't see "host key changed" warnings
Co-authored-by: Cursor <cursoragent@cursor.com>
| -rw-r--r-- | f3s/git-server/helm-chart/templates/deployment.yaml | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 5d40fbb..3013364 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -45,6 +45,15 @@ spec:
 chown 1001:33 /ssh-persistent/sshd_config
 chmod 644 /ssh-persistent/sshd_config
 fi
+ # Copy SSH host keys from NFS to local emptyDir
+ # OpenSSH refuses to load keys from NFS for security reasons
+ echo "Copying SSH keys to local storage..."
+ cp -a /ssh-persistent/* /ssh-local/
+ chown -R 1001:33 /ssh-local
+ chmod 755 /ssh-local
+ chmod 600 /ssh-local/ssh_host_*_key
+ chmod 644 /ssh-local/ssh_host_*_key.pub
+ chmod 644 /ssh-local/sshd_config
 # Setup authorized_keys with correct ownership
 # The /ssh-git mount point IS the .ssh directory
 # UID 1001 and GID 33 match the NFS file ownership
@@ -56,6 +65,8 @@ spec:
 - name: repos
 mountPath: /ssh-persistent
 subPath: ssh-keys
+ - name: ssh-host-keys
+ mountPath: /ssh-local
 - name: git-ssh-keys
 mountPath: /ssh-keys-secret
 readOnly: true
@@ -96,9 +107,8 @@ spec:
 subPath: repos
 - name: git-ssh-writable
 mountPath: /home/git/.ssh
- - name: repos
+ - name: ssh-host-keys
 mountPath: /etc/ssh
- subPath: ssh-keys
 securityContext:
 runAsUser: 1001
 runAsGroup: 33
@@ -216,5 +226,7 @@ spec:
 - name: sshd-config
 configMap:
 name: git-server-sshd-config
+ - name: ssh-host-keys
+ emptyDir: {}
 - name: cgit-runtime
 emptyDir: {} |
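Review bot: `cp -a /ssh-persistent/* /ssh-local/` and the `chmod` lines after it depend on the wildcard matching something; on a first start or an emptied NFS directory the unexpanded pattern makes `cp` and `chmod 600 /ssh-local/ssh_host_*_key` fail, and whether that stops the init container depends on a `set -e` that is outside the hunk (the script starts before the hunk and continues after it). Since `cp -a` also sweeps up anything else left in the NFS directory, a check for the expected files before copying is safer than a bare glob, e.g. `ls /ssh-persistent/ssh_host_*_key >/dev/null 2>&1 || { echo 'no host keys in /ssh-persistent' >&2; exit 1; }` placed before the `cp`. The `chown -R 1001:33 /ssh-local` also presumes the init container runs as root, which the hunk does not show; worth confirming against its securityContext.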
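Review bot: The `ssh-host-keys` mount at `/etc/ssh` in the sshd container is writable, although only the init container needs to write it; sshd runs as UID 1001, the owner the init step assigns to the keys, so anything running as that process could rewrite the host keys for the lifetime of the pod. Add `readOnly: true` under `mountPath: /etc/ssh` in this container so the copied keys are immutable once sshd starts. The containers list continues outside the hunk.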
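Review bot: `emptyDir: {}` backs the copied private host keys with the node's local disk, so the plaintext keys now sit on node storage in addition to NFS for as long as the pod exists. Because the NFS copy is re-read on every start, nothing is lost by keeping the local copy in memory: change the volume to `- name: ssh-host-keys` / `emptyDir:` / `medium: Memory` (optionally with a `sizeLimit`) so the keys live in a tmpfs that vanishes with the pod. The volumes list continues outside the hunk.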
