Refactor configuration of workspace SSH key (#19059)

* Refactor configuration of workspace SSH key

* Update go modules

* Update CRD

* only add SSH Key to workspace CR (#19130)

---------

Co-authored-by: Pudong <[email protected]>

Author: aledbf

components/ws-manager-api/go/crd/v1/workspace_types.go

@@ -62,6 +62,8 @@ type WorkspaceSpec struct {
 
 	// the XFS quota to enforce on the workspace's /workspace folder
 	StorageQuota int `json:"storageQuota,omitempty"`
+
+	SSHKey *SSHKey `json:"ssh,omitempty"`
 }
 
 type Ownership struct {
@@ -116,6 +118,14 @@ type TimeoutSpec struct {
 	MaximumLifetime *metav1.Duration `json:"maximumLifetime,omitempty"`
 }
 
+// SSHKey temporal generated SSH key required to access the workspace
+type SSHKey struct {
+	// +kubebuilder:validation:Required
+	Public string `json:"publicKey"`
+	// +kubebuilder:validation:Required
+	Private string `json:"privateKey"`
+}
+
 type AdmissionSpec struct {
 	// +kubebuilder:default=Owner
 	Level AdmissionLevel `json:"level"`

components/ws-manager-api/go/crd/v1/zz_generated.deepcopy.go

@@ -157,6 +157,18 @@ spec:
                   type: object
                 minItems: 0
                 type: array
+              ssh:
+                description: SSHKey temporal generated SSH key required to access
+                  the workspace
+                properties:
+                  privateKey:
+                    type: string
+                  publicKey:
+                    type: string
+                required:
+                - privateKey
+                - publicKey
+                type: object
               sshPublicKeys:
                 items:
                   type: string
@@ -557,6 +569,19 @@ spec:
                   prior to shutting the workspace down. This condition is only used
                   for headless workspaces.
                 type: string
+              storage:
+                properties:
+                  attachedDevice:
+                    type: string
+                  mountPath:
+                    type: string
+                  volumeName:
+                    type: string
+                required:
+                - attachedDevice
+                - mountPath
+                - volumeName
+                type: object
               url:
                 type: string
             required:

components/ws-manager-mk2/config/crd/bases/workspace.gitpod.io_workspaces.yaml

@@ -9,6 +9,7 @@ import (
 
 	"github.com/gitpod-io/gitpod/ws-manager/api"
 	wsapi "github.com/gitpod-io/gitpod/ws-manager/api"
+	workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
 )
 
 const (
@@ -63,4 +64,6 @@ type WorkspaceInfo struct {
 	OwnerUserId   string
 	SSHPublicKeys []string
 	IsRunning     bool
+
+	SSHKey *workspacev1.SSHKey
 }

components/ws-proxy/pkg/common/infoprovider.go

@@ -150,6 +150,7 @@ func (r *CRDWorkspaceInfoProvider) Reconcile(ctx context.Context, req ctrl.Reque
 		StartedAt:       ws.CreationTimestamp.Time,
 		OwnerUserId:     ws.Spec.Ownership.Owner,
 		SSHPublicKeys:   ws.Spec.SshPublicKeys,
+		SSHKey:          ws.Spec.SSHKey,
 		IsRunning:       ws.Status.Phase == workspacev1.WorkspacePhaseRunning,
 	}
 

components/ws-proxy/pkg/proxy/infoprovider.go

@@ -299,23 +299,40 @@ func (s *Server) HandleConn(c net.Conn) {
 	if debugWorkspace {
 		supervisorPort = "24999"
 	}
-	key, userName, err := s.GetWorkspaceSSHKey(ctx, wsInfo.IPAddress, supervisorPort)
-	if err != nil {
-		cancel()
-		s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
-		ReportSSHAttemptMetrics(ErrCreateSSHKey)
-		log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Error("failed to create private pair in workspace")
-		return
-	}
-	cancel()
+
+	var key ssh.Signer
+	userName := "gitpod"
 
 	session := &Session{
-		Conn:                clientConn,
-		WorkspaceID:         workspaceId,
-		InstanceID:          wsInfo.InstanceID,
-		OwnerUserId:         wsInfo.OwnerUserId,
-		WorkspacePrivateKey: key,
+		Conn:        clientConn,
+		WorkspaceID: workspaceId,
+		InstanceID:  wsInfo.InstanceID,
+		OwnerUserId: wsInfo.OwnerUserId,
 	}
+
+	if wsInfo.SSHKey != nil {
+		key, err = ssh.ParsePrivateKey([]byte(wsInfo.SSHKey.Private))
+		if err != nil {
+			cancel()
+			return
+		}
+
+		session.WorkspacePrivateKey = key
+	} else {
+		key, userName, err = s.GetWorkspaceSSHKey(ctx, wsInfo.IPAddress, supervisorPort)
+		if err != nil {
+			cancel()
+			s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
+			ReportSSHAttemptMetrics(ErrCreateSSHKey)
+			log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Error("failed to create private pair in workspace")
+			return
+		}
+
+		session.WorkspacePrivateKey = key
+	}
+
+	cancel()
+
 	sshPort := "23001"
 	if debugWorkspace {
 		sshPort = "25001"