[ws-manager-mk2] Support public SSH keys

[Furisto]

Description

Support public ssh keys

Related Issue(s)

n.a.

How to test

• Create ssh keys with ssh-keygen -t ed25519
• Add the ssh key in user settings
• Start workspace
• Check that the workspace CR sshPublicKeys property is set
• Check that the gitpod.io/sshPublicKeys annotation is set on the workspace pod
• Create second ssh key
• Add the ssh key in user settings
• Check that workspace CR and workspace pod have been updated

Release Notes

None

Documentation

Build Options:

• /werft with-github-actions
  Experimental feature to run the build with GitHub Actions (and not in Werft).
• leeway-no-cache
  leeway-target=components:all
• /werft no-test
  Run Leeway with --dont-test

Publish Options

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer Options

• with-ee-license
• with-slow-database
• with-dedicated-emulation
• with-ws-manager-mk2
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment Options:

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

[werft-gitpod-dev-com]

started the job as gitpod-build-fo-adv-3.2 because the annotations in the pull request description changed
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm

👍 started the job as gitpod-build-fo-adv-3.5
(with .werft/ from main)

[WVerlaek]

testing in a preview env, but can't connect with VSCode Desktop, keep getting prompted for a password like this: https://www.gitpod.io/blog/vscode-desktop-ssh-updates#ssh-gateway-access-using-the-owner-token

The workspace spec and pod annotations do contain the public ssh key, is there anything else I need to set before I can connect with ssh?

[WVerlaek]

could you add a test for this in workspace_controller_test?

[Furisto]

testing in a preview env, but can't connect with VSCode Desktop, keep getting prompted for a password like this: https://www.gitpod.io/blog/vscode-desktop-ssh-updates#ssh-gateway-access-using-the-owner-token

The workspace spec and pod annotations do contain the public ssh key, is there anything else I need to set before I can connect with ssh?

Good question, maybe @iQQBot knows the answer?

[iQQBot]

/werft run

👍 started the job as gitpod-build-fo-adv-3.6
(with .werft/ from main)

[iQQBot]

keep the same name SSH everywhere?

[iQQBot]

@Furisto Could you rebase to main? because the build is failed and I can't access the preview environment

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm

👍 started the job as gitpod-build-fo-adv-3.8
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm recreate-vm

👍 started the job as gitpod-build-fo-adv-3.9
(with .werft/ from main)

[iQQBot]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm recreate-vm

👍 started the job as gitpod-build-fo-adv-3.10
(with .werft/ from main)

[iQQBot]

Good question, maybe @iQQBot knows the answer?

This implementation looks wrong. In mk2, we use CRD directly to store the public keys and we don't need to set it on annotation at all

we should put public keys in here

gitpod/components/ws-proxy/pkg/proxy/infoprovider.go

Lines 283 to 294 in edf97a9

	wsinfo := &WorkspaceInfo{
	WorkspaceID: ws.Spec.Ownership.WorkspaceID,
	InstanceID: ws.Name,
	URL: ws.Status.URL,
	IDEImage: ws.Spec.Image.IDE.Web,
	SupervisorImage: ws.Spec.Image.IDE.Supervisor,
	IDEPublicPort: getPortStr(ws.Status.URL),
	IPAddress: podIP,
	Ports: ports,
	Auth: &wsapi.WorkspaceAuthentication{Admission: admission, OwnerToken: ws.Status.OwnerToken},
	StartedAt: ws.CreationTimestamp.Time,
	}

[iQQBot]

why using string? it can by array, we don't need base64 for it, we using base64 because annotation only support string.

[werft-gitpod-dev-com]

started the job as gitpod-build-fo-adv-3.12 because the annotations in the pull request description changed
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm recreate-vm

👍 started the job as gitpod-build-fo-adv-3.13
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm recreate-vm

👍 started the job as gitpod-build-fo-adv-3.14
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm

👍 started the job as gitpod-build-fo-adv-3.15
(with .werft/ from main)

[Furisto]

/werft run with-preview with-wsman-mk2 with-large-vm with-gce-vm recreate-vm

👍 started the job as gitpod-build-fo-adv-3.16
(with .werft/ from main)

[WVerlaek]

looks like this needs to be regenerated, with the type being an array now

[iQQBot]

why use []byte here? is it possible to directly use api.SSHPublicKeys or []string, in CRDs we should keep it readable... these things are not secret

[kylos101]

@Furisto is this PR stalled? Should it flip back to draft?

[WVerlaek]

/werft run -a with-preview=true -a with-wsman-mk2=true -a with-gce-vm=true

👍 started the job as gitpod-build-fo-adv-3.18
(with .werft/ from main)

[WVerlaek]

lgtm, tested in preview env:

• was able to connect over SSH with VS Code Desktop
• updating a key propagated to running workspace