[ws-proxy] only get username if workspace not managed by mk2 (#19180)

* [ws-proxy] only get username if workspace not managed by mk2

* remove ssh key from infoprovider

* improve logs

* Update components/ws-proxy/pkg/sshproxy/server.go

Author: iQQBot

components/ws-proxy/pkg/common/infoprovider.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/gitpod-io/gitpod/ws-manager/api"
 	wsapi "github.com/gitpod-io/gitpod/ws-manager/api"
-	workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
 )
 
 const (
@@ -65,7 +64,6 @@ type WorkspaceInfo struct {
 	SSHPublicKeys []string
 	IsRunning     bool
 
-	SSHKey *workspacev1.SSHKey
-
 	IsEnabledSSHCA bool
+	IsManagedByMk2 bool
 }

components/ws-proxy/pkg/proxy/infoprovider.go

@@ -18,6 +18,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	wsk8s "github.com/gitpod-io/gitpod/common-go/kubernetes"
 	"github.com/gitpod-io/gitpod/common-go/log"
 	wsapi "github.com/gitpod-io/gitpod/ws-manager/api"
 	workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
@@ -137,6 +138,11 @@ func (r *CRDWorkspaceInfoProvider) Reconcile(ctx context.Context, req ctrl.Reque
 	if ws.Spec.Admission.Level == workspacev1.AdmissionLevelEveryone {
 		admission = wsapi.AdmissionLevel_ADMIT_EVERYONE
 	}
+	managedByMk2 := true
+	if managedBy, ok := ws.Labels[wsk8s.WorkspaceManagedByLabel]; ok && managedBy != "ws-manager-mk2" {
+		managedByMk2 = false
+	}
+
 	wsinfo := &common.WorkspaceInfo{
 		WorkspaceID:     ws.Spec.Ownership.WorkspaceID,
 		InstanceID:      ws.Name,
@@ -150,9 +156,9 @@ func (r *CRDWorkspaceInfoProvider) Reconcile(ctx context.Context, req ctrl.Reque
 		StartedAt:       ws.CreationTimestamp.Time,
 		OwnerUserId:     ws.Spec.Ownership.Owner,
 		SSHPublicKeys:   ws.Spec.SshPublicKeys,
-		SSHKey:          ws.Spec.SSHKey,
 		IsRunning:       ws.Status.Phase == workspacev1.WorkspacePhaseRunning,
 		IsEnabledSSHCA:  ws.Spec.SSHGatewayCAPublicKey != "",
+		IsManagedByMk2:  managedByMk2,
 	}
 
 	r.store.Update(req.Name, wsinfo)

components/ws-proxy/pkg/sshproxy/server.go

@@ -301,6 +301,7 @@ func (s *Server) HandleConn(c net.Conn) {
 		log.WithField("workspaceId", workspaceId).WithError(err).Error("failed to get workspace info")
 		return
 	}
+	log := log.WithField("instanceId", wsInfo.InstanceID).WithField("isMk2", wsInfo.IsManagedByMk2)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	supervisorPort := "22999"
 	if debugWorkspace {
@@ -318,37 +319,40 @@ func (s *Server) HandleConn(c net.Conn) {
 		OwnerUserId: wsInfo.OwnerUserId,
 	}
 
-	if wsInfo.SSHKey != nil {
-		key, err = ssh.ParsePrivateKey([]byte(wsInfo.SSHKey.Private))
-		if err != nil {
+	if !wsInfo.IsManagedByMk2 {
+		if s.caKey == nil || !wsInfo.IsEnabledSSHCA {
+			err = xerrors.Errorf("workspace not managed by mk2, but didn't have SSH CA enabled")
+			s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
+			ReportSSHAttemptMetrics(ErrCreateSSHKey)
+			log.WithError(err).Error("failed to generate ssh cert")
 			cancel()
 			return
 		}
-
-		session.WorkspacePrivateKey = key
-
 		// obtain the SSH username from workspacekit.
 		workspacekitPort := "22998"
 		userName, err = workspaceSSHUsername(ctx, wsInfo.IPAddress, workspacekitPort)
 		if err != nil {
-			log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Warn("failed to retrieve the SSH username. Using the default.")
+			log.WithError(err).Warn("failed to retrieve the SSH username. Using the default.")
 		}
-	} else if s.caKey != nil && wsInfo.IsEnabledSSHCA {
+	}
+
+	if s.caKey != nil && wsInfo.IsEnabledSSHCA {
 		key, err = s.GenerateSSHCert(ctx, userName)
 		if err != nil {
-			log.WithField("workspaceId", workspaceId).WithError(err).Error("failed to generate ssh cert")
+			s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
+			ReportSSHAttemptMetrics(ErrCreateSSHKey)
+			log.WithError(err).Error("failed to generate ssh cert")
 			cancel()
 			return
 		}
-
 		session.WorkspacePrivateKey = key
 	} else {
 		key, userName, err = s.GetWorkspaceSSHKey(ctx, wsInfo.IPAddress, supervisorPort)
 		if err != nil {
 			cancel()
 			s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
 			ReportSSHAttemptMetrics(ErrCreateSSHKey)
-			log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Error("failed to create private pair in workspace")
+			log.WithError(err).Error("failed to create private pair in workspace")
 			return
 		}
 
@@ -366,7 +370,7 @@ func (s *Server) HandleConn(c net.Conn) {
 	if err != nil {
 		s.TrackSSHConnection(wsInfo, "connect", ErrConnFailed)
 		ReportSSHAttemptMetrics(ErrConnFailed)
-		log.WithField("instanceId", wsInfo.InstanceID).WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("dail failed")
+		log.WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("dial failed")
 		return
 	}
 	defer conn.Close()
@@ -384,7 +388,7 @@ func (s *Server) HandleConn(c net.Conn) {
 	if err != nil {
 		s.TrackSSHConnection(wsInfo, "connect", ErrConnFailed)
 		ReportSSHAttemptMetrics(ErrConnFailed)
-		log.WithField("instanceId", wsInfo.InstanceID).WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("connect failed")
+		log.WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("connect failed")
 		return
 	}
 	s.Heartbeater.SendHeartbeat(wsInfo.InstanceID, false, true)