ssh_proxy_client.yaml

services:
  - name: dns-proxy
    addr: "127.0.0.1:5353"
    hosts: well-known-hosts
    handler:
      type: dns
    listener:
      type: dns
      metadata:
        mode: udp
    forwarder:
      nodes:
        - name: metadata-server-dns
          addr: 169.254.169.254
        - name: 8888-dns
          addr: 8.8.8.8
        - name: 8844-dns
          addr: 8.8.4.4
  - name: tls-web-ssh
    addr: "127.0.0.1:8443"
    hosts: well-known-hosts
    handler:
      type: forward
      metadata:
        sniffing: true
    listener:
      type: tls
    forwarder:
      nodes:
        - name: web-ssh
          addr: "%SSH_PROXY_CLIENT_ID%.ssh.internal:%SSH_HTTP_PORT%"
          http:
            host: "127.0.0.1:%SSH_HTTP_PORT%"
  - name: "ssh-%INSTANCE_ID%"
    addr: "127.0.0.1:1111"
    hosts: well-known-hosts
    handler:
      type: tcp
      metadata:
        sniffing: true
    listener:
      type: tcp
    forwarder:
      nodes:
        - name: tls-web-ssh-fwd
          addr: "%SSH_PROXY_CLIENT_ID%.ssh.internal:8443"
          filter:
            protocol: tls
        - name: local-ssh-server
          addr: "%SSH_PROXY_CLIENT_ID%.ssh.internal:2222"
          filter:
            protocol: ssh
  - name: ssh-proxy-server-api
    addr: "127.0.0.1:%SSH_PROXY_SERVER_API_PORT%"
    hosts: well-known-hosts
    handler:
      type: tcp
    listener:
      type: tcp
    forwarder:
      nodes:
        - name: ssh-proxy-server-api
          addr: "%SSH_PROXY_SERVER_ID%.ssh-proxy.internal:%SSH_PROXY_SERVER_API_PORT%"
  - name: https-metadata-server
    addr: "127.0.0.1:8254"
    hosts: well-known-hosts
    handler:
      type: tcp
      metadata:
        sniffing: true
    listener:
      type: tls
    forwarder:
      nodes:
        - name: metadata-server-id-token
          addr: "metadata.google.internal:80"
          http:
            host: metadata.google.internal
            header:
              Metadata-Flavor: Google
            rewrite:
              - match: /id-token
                replacement: /computeMetadata/v1/instance/service-accounts/default/identity
  - name: "%INSTANCE_ID%"
    addr: :0
    hosts: well-known-hosts
    handler:
      type: tcp
    listener:
      type: rtcp
      chain: ssh-proxy
    forwarder:
      nodes:
        - name: proxy-server-fwd
          addr: "%SSH_PROXY_CLIENT_ID%.ssh.internal:1111"

hosts:
  - name: well-known-hosts
    mappings:
      - ip: 127.0.0.1
        hostname: "%SSH_PROXY_CLIENT_ID%.ssh.internal"
      - ip: "%SSH_PROXY_SERVER_HOST%"
        hostname: "%SSH_PROXY_SERVER_ID%.ssh-proxy.internal"
      - ip: "%SSH_PROXY_SERVER_HOST%"
        hostname: "%SSH_PROXY_SERVER_ID%.ssh.internal"
      - ip: 169.254.169.254
        hostname: metadata.google.internal
      - ip: 127.0.0.1
        hostname: "%K_SERVICE%-%PROJECT_NUM%.%GCP_REGION%.run.app"

chains:
  - name: ssh-proxy
    hops:
      - name: ssh-proxy
        nodes:
          - name: ssh-proxy-server
            addr: "%SSH_PROXY_SERVER_HOST%:%SSH_PROXY_SERVER_TUNNEL_PORT%"
            connector:
              type: tunnel
              metadata:
                tunnel.id: "%SSH_PROXY_CLIENT_ID%"
                tunnel.weight: 1
            dialer:
              type: tls
              tls:
                secure: false
                serverName: "%SSH_PROXY_SERVER_ID%.ssh-proxy.internal"

tls:
  validity: 8760h
  commonName: "%K_REVISION%.%K_SERVICE%.%PROJECT_NUM%.%GCP_REGION%.run.app"
  organization: "%PROJECT_ID%-%INSTANCE_ID%"