feat(sftpgo): add TLS support and internal certificate management

This commit is contained in:
2025-05-08 22:36:47 +02:00
parent 4d4f085c3e
commit 9de7d52192
12 changed files with 285 additions and 116 deletions
+46 -40
View File
@@ -3,70 +3,76 @@ locals {
sftpgo_config = {
"common" : {
"defender" : {
"enabled" : false
common = {
defender = {
enabled = false
}
},
"sftpd" : {
"bindings" : [
sftpd = {
bindings = [
{
"port" : 0
port = 0
}
]
},
"webdavd" : {
"bindings" : [
webdavd = {
bindings = [
{
"port" : 8081,
"address" : "0.0.0.0"
port = 8081
address = "0.0.0.0"
enable_https = var.tls_enabled
certificate_file = "/etc/ssl/certs/private/tls.crt"
certificate_key_file = "/etc/ssl/certs/private/tls.key"
}
]
},
"data_provider" : {
"create_default_admin" : true,
"backups_path" : "/var/lib/sftpgo/backup"
data_provider = {
create_default_admin = true
backups_path = "/var/lib/sftpgo/backup"
},
"httpd" : {
"bindings" : [
httpd = {
bindings = [
{
"port" : 8080,
"address" : "0.0.0.0",
"branding" : {
"web_client" : {
"name" : "alexpires.me cloud",
"short_name" : "alexpires.me"
port = 8080
address = "0.0.0.0"
enable_https = var.tls_enabled
certificate_file = "/etc/ssl/certs/private/tls.crt"
certificate_key_file = "/etc/ssl/certs/private/tls.key"
branding = {
web_client = {
name = "alexpires.me cloud"
short_name = "alexpires.me"
},
"web_admin" : {
"name" : "alexpires.me cloud",
"short_name" : "alexpires.me"
web_admin = {
name = "alexpires.me cloud"
short_name = "alexpires.me"
}
}
}
],
"web_root" : "/config/dav",
web_root = "/config/dav",
},
"telemetry" : {
"bind_port" : 10000,
"bind_address" : "0.0.0.0"
telemetry = {
bind_port = 10000
bind_address = "0.0.0.0"
},
"mfa" : {
"totp" : [
mfa = {
totp = [
{
"name" : "Default",
"issuer" : "alexpires.me",
"algo" : "sha1"
name = "Default",
issuer = "alexpires.me"
algo = "sha1"
}
]
},
"smtp" : {
"host" : var.smtp_host,
"port" : var.smtp_port,
"from" : var.from_email
"encryption" : 1,
"domain" : "alexpires.me"
smtp = {
host = var.smtp_host,
port = var.smtp_port,
from = var.from_email
encryption = 1,
domain = "alexpires.me"
},
"plugins" : []
plugins = []
}
config = jsonencode(local.sftpgo_config)
+11 -3
View File
@@ -6,7 +6,7 @@ resource "kubernetes_ingress_v1" "ingress" {
name = "webdav-ingress"
namespace = kubernetes_namespace.sftpgo.metadata[0].name
annotations = {
annotations = merge({
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
"kubernetes.io/tls-acme" = "true"
@@ -15,7 +15,15 @@ resource "kubernetes_ingress_v1" "ingress" {
"nginx.ingress.kubernetes.io/proxy-request-buffering" = "on"
"nginx.ingress.kubernetes.io/proxy-buffer-size" = "32k"
"nginx.ingress.kubernetes.io/proxy-buffers-number" = "16"
}
},
var.tls_enabled ? {
"nginx.org/ssl-services" = "webdav"
"nginx.org/ssl-redirect" = "true"
"nginx.org/redirect-to-https" = "true"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
} : {}
)
}
spec {
tls {
@@ -30,7 +38,7 @@ resource "kubernetes_ingress_v1" "ingress" {
service {
name = "webdav"
port {
number = 8081
name = var.tls_enabled ? "davs" : "dav"
}
}
}
+49 -9
View File
@@ -4,6 +4,27 @@ resource "kubernetes_namespace" "sftpgo" {
}
}
resource "kubernetes_manifest" "internal_cert" {
count = var.tls_enabled ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "internal-cert"
namespace = kubernetes_namespace.sftpgo.metadata[0].name
}
spec = {
secretName = "internal-cert"
issuerRef = {
name = var.issuer
kind = "ClusterIssuer"
}
commonName = var.fqdn
dnsNames = [var.fqdn]
}
}
}
resource "kubernetes_config_map" "sftpgo" {
metadata {
name = "sftpgo"
@@ -121,12 +142,13 @@ resource "kubernetes_deployment" "sftpgo" {
}
port {
container_port = 8081
name = "webdav"
name = "dav"
protocol = "TCP"
}
port {
container_port = 8080
name = "http"
name = "web"
protocol = "TCP"
}
port {
@@ -166,6 +188,14 @@ resource "kubernetes_deployment" "sftpgo" {
sub_path = "credentials"
read_only = true
}
dynamic "volume_mount" {
for_each = var.tls_enabled ? [1] : []
content {
mount_path = "/etc/ssl/certs/private"
name = "internal-cert"
read_only = true
}
}
}
volume {
name = "config"
@@ -191,6 +221,15 @@ resource "kubernetes_deployment" "sftpgo" {
name = kubernetes_config_map.object_store_credentials.metadata[0].name
}
}
dynamic "volume" {
for_each = var.tls_enabled ? [1] : []
content {
name = "internal-cert"
secret {
secret_name = kubernetes_manifest.internal_cert[0].manifest["metadata"]["name"]
}
}
}
}
}
}
@@ -206,17 +245,18 @@ resource "kubernetes_service" "sftpgo_webdav" {
app = "sftpgo"
}
port {
name = var.tls_enabled ? "davs" : "dav"
protocol = "TCP"
port = 8081
target_port = "webdav"
port = var.tls_enabled ? 443 : 80
target_port = "dav"
}
cluster_ip = "None"
}
}
resource "kubernetes_service" "sftpgo_http" {
resource "kubernetes_service" "sftpgo_web" {
metadata {
name = "http"
name = "web"
namespace = kubernetes_namespace.sftpgo.metadata[0].name
}
spec {
@@ -225,9 +265,9 @@ resource "kubernetes_service" "sftpgo_http" {
}
port {
protocol = "TCP"
port = 8080
target_port = "http"
port = var.tls_enabled ? 443 : 80
target_port = "web"
}
cluster_ip = "None"
type = "ClusterIP"
}
}
@@ -71,3 +71,16 @@ variable "fqdn" {
description = "The fully qualified domain name for the Rustdesk server"
type = string
}
variable "issuer" {
description = "The issuer for the certificate"
type = string
default = "internal-ca"
}
variable "tls_enabled" {
description = "Enable TLS for the SFTPGo server"
type = bool
default = true
}