Local development on aks public IP

.gitignore

@@ -7,6 +7,9 @@
 ##
 ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
 
+# Local tunnel key material and certificates
+.aks-tunnel/
+
 # User-specific files
 *.rsuser
 *.suo
@@ -404,4 +407,5 @@ FodyWeavers.xsd
 # Project specific files that should be ignored
 *.env
 deploy/teams-recording-bot/charts/*
-src/RecordingBot.Console/cache/*
+src/RecordingBot.Console/cache/*
+/src/RecordingBot.Console/ecs-cache

deploy/local-dev-tunnel/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: local-dev-tunnel
+description: Helm chart for deploying a reverse SSH tunnel endpoint for local bot development
+type: application
+version: 1.0.0
+appVersion: 1.0.0

deploy/local-dev-tunnel/templates/_helpers.tpl

@@ -0,0 +1,23 @@
+{{/* Default deployment name */}}
+{{- define "fullName" -}}
+  {{- default $.Release.Name $.Values.global.override.name -}}
+{{- end -}}
+
+{{/* Default namespace */}}
+{{- define "namespace" -}}
+  {{- default $.Release.Namespace $.Values.global.override.namespace -}}
+{{- end -}}
+
+{{/* Define ingress-tls secret name */}}
+{{- define "ingress.tls.secretName" -}}
+  {{- printf "ingress-tls-%s" .Values.ingress.botReleaseName -}}
+{{- end -}}
+
+{{/* Check if host is set */}}
+{{- define "hostName" -}}
+  {{- if .Values.ingress.host -}}
+    {{- printf "%s" $.Values.ingress.host -}}
+  {{- else -}}
+    {{- fail "You need to specify ingress.host" -}}
+  {{- end -}}
+{{- end -}}

deploy/local-dev-tunnel/templates/configmap.yaml

@@ -0,0 +1,19 @@
+{{- $fullName := include "fullName" . -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-ssh-config
+  namespace: {{ include "namespace" . }}
+  labels:
+    app: {{ $fullName }}
+data:
+  sshd_config: |
+    Port {{ .Values.ssh.port }}
+    PermitRootLogin no
+    PasswordAuthentication yes
+    PermitEmptyPasswords yes
+    PubkeyAuthentication no
+    GatewayPorts yes
+    AllowTcpForwarding yes
+    ClientAliveInterval 30
+    ClientAliveCountMax 3

deploy/local-dev-tunnel/templates/deployment.yaml

@@ -0,0 +1,51 @@
+{{- $fullName := include "fullName" . -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "namespace" . }}
+  labels:
+    app: {{ $fullName }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ $fullName }}
+  template:
+    metadata:
+      labels:
+        app: {{ $fullName }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+      - name: sshd
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          set -e
+          apk add --no-cache openssh-server
+          ssh-keygen -A
+          adduser -D -s /bin/sh tunnel
+          echo "tunnel:" | chpasswd
+          cp /etc/ssh-config/sshd_config /etc/ssh/sshd_config
+          echo "SSH tunnel endpoint ready (passwordless, secured by kubectl)"
+          exec /usr/sbin/sshd -D -e
+        ports:
+        - containerPort: {{ .Values.ssh.port }}
+          name: ssh
+        - containerPort: {{ .Values.ports.signaling }}
+          name: signaling
+        - containerPort: {{ .Values.ports.media }}
+          name: media
+        volumeMounts:
+        - name: ssh-config
+          mountPath: /etc/ssh-config
+          readOnly: true
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+      - name: ssh-config
+        configMap:
+          name: {{ $fullName }}-ssh-config

deploy/local-dev-tunnel/templates/ingress.yaml

@@ -0,0 +1,30 @@
+{{- $fullName := include "fullName" . -}}
+{{- $namespace := include "namespace" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $fullName }}
+  annotations:
+    {{- if .Values.ingress.annotations }}
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+  - hosts:
+    - {{ include "hostName" . }}
+    secretName: {{ include "ingress.tls.secretName" . }}
+  rules:
+  - host: {{ include "hostName" . }}
+    http:
+      paths:
+      - path: {{ .Values.ingress.path }}
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ $fullName }}-http
+            port:
+              number: 80

deploy/local-dev-tunnel/templates/service.yaml

@@ -0,0 +1,57 @@
+{{- $fullName := include "fullName" . -}}
+# ClusterIP service for ingress HTTP traffic
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}-http
+  namespace: {{ include "namespace" . }}
+  labels:
+    app: {{ $fullName }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    targetPort: signaling
+    protocol: TCP
+  selector:
+    app: {{ $fullName }}
+---
+# Public-facing LoadBalancer: only media port
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "namespace" . }}
+  labels:
+    app: {{ $fullName }}
+spec:
+  type: {{ .Values.service.type }}
+  {{- if .Values.service.publicIp }}
+  loadBalancerIP: {{ .Values.service.publicIp }}
+  {{- end }}
+  ports:
+  - name: media
+    port: {{ .Values.service.mediaPort }}
+    targetPort: media
+    protocol: TCP
+  selector:
+    app: {{ $fullName }}
+---
+# Internal SSH service: reachable only via kubectl port-forward
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}-ssh
+  namespace: {{ include "namespace" . }}
+  labels:
+    app: {{ $fullName }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: ssh
+    port: {{ .Values.ssh.port }}
+    targetPort: ssh
+    protocol: TCP
+  selector:
+    app: {{ $fullName }}

deploy/local-dev-tunnel/values.yaml

@@ -0,0 +1,37 @@
+global:
+  override:
+    name: ""
+    namespace: ""
+
+image:
+  repository: alpine
+  tag: "3.20"
+
+ssh:
+  authorizedKey: ""
+  port: 22
+
+ports:
+  signaling: 9441
+  media: 8445
+
+ingress:
+  enabled: true
+  className: traefik
+  host: ""
+  path: ""
+  botReleaseName: ""
+  annotations: {}
+
+service:
+  type: LoadBalancer
+  publicIp: null
+  mediaPort: 28551
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 128Mi