[ws-proxy] only get username if workspace not managed by mk2 #19180

Merged
merged 4 commits into from
Dec 1, 2023

@iQQBot iQQBot commented Dec 1, 2023

Description

[ws-proxy] only get username if workspace not managed by mk2

Summary generated by Copilot

🤖[deprecated] Generated by Copilot at 3d5c859

This pull request enhances the ws-proxy component to support workspaces managed by the new workspace controller mk2. It adds a new field IsManagedByMk2 to the WorkspaceInfo type and uses it to handle SSH connections and pod detection.

Related Issue(s)

Fixes ENG-1297

How to test

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.


/hold

@kylos101 kylos101 left a comment

👋 sharing some initial feedback, waiting to add approval, will test now

@@ -318,29 +318,30 @@ func (s *Server) HandleConn(c net.Conn) {
OwnerUserId: wsInfo.OwnerUserId,
}

if wsInfo.SSHKey != nil {
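
Review bot: The `if wsInfo.SSHKey != nil` check at the end of this fragment has no comment saying which kind of workspace still populates SSHKey, so a reader of HandleConn cannot tell whether the branch is live or legacy. Add a one-line comment naming the case it serves, or drop the branch if nothing sets the field any more.
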
Contributor

question, blocking:
@iQQBot what scenario is wsInfo.SSHKey != nil for? Is it still needed? If no longer needed, can we remove in this PR too? Asking because if we don't do now, it might "linger".

Contributor Author

This is the old method, we can indeed remove it here because next-gen has not been officially put into use, especially the ssh part.

But I'm not planning to remove it from the workspace CRD, I don't know if this will cause other problems.

Contributor

Should we wait to land this PR until Monday? If we land it today, it could ship Monday. This would not be ideal, because pods config could apply after pods, falling back to ssh host.

When this PR lands, do we also need a ws-manager-mk2 change to land? Otherwise ws-manager-mk2 has the same risk.

Contributor Author

This PR only prepares for next-gen; nothing changes for regular workspaces.

Contributor

Was nextgen the only one using wsInfo.SSHKey?

Contributor Author

Yes

err = xerrors.Errorf("workspace not managed by mk2, but didn't have SSH CA enabled")
s.TrackSSHConnection(wsInfo, "connect", ErrCreateSSHKey)
ReportSSHAttemptMetrics(ErrCreateSSHKey)
log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Error("failed to generate ssh cert")
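
Review bot: The log message on the last line, "failed to generate ssh cert", does not match the error built three lines above ("workspace not managed by mk2, but didn't have SSH CA enabled"): no certificate generation is visible on this path, yet it is also counted as ErrCreateSSHKey in TrackSSHConnection and ReportSSHAttemptMetrics. Use a message and an error value specific to this configuration state, so that dashboards and alerts on ErrCreateSSHKey reflect real certificate failures only.
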
Contributor

Question, non-blocking:
Should we also include wsInfo.IsManagedByMk2 as a field? I ask because I'm unsure if a nextgen cluster will support and have both managers at the same time. I assume it will.

Contributor Author

yes

key, err = s.GenerateSSHCert(ctx, userName)
if err != nil {
log.WithField("workspaceId", workspaceId).WithError(err).Error("failed to generate ssh cert")
log.WithField("instanceId", wsInfo.InstanceID).WithError(err).Error("failed to generate ssh cert")
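
Review bot: The two log lines in the `if err != nil` branch after GenerateSSHCert differ only in the field they attach, workspaceId versus wsInfo.InstanceID, so whichever is kept loses the other identifier. Attach both fields on this error, and consider adding userName as well, since it is the value passed to GenerateSSHCert and an investigator will want to know which identity the failed certificate was requested for.
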
Contributor

Question, blocking:
Should we do s.TrackSSHConnection and ReportSSHAttemptMetrics for this failure, too?

Question, non-blocking:
Also, should we include wsInfo.IsEnabledSSHCA as a field? Seems like could help when debugging.

Contributor Author

> Also, should we include wsInfo.IsEnabledSSHCA as a field? Seems like could help when debugging.

I assume you mean isMk2; if so, that makes sense. wsInfo.IsEnabledSSHCA is always true if you enter this.

kylos101 commented Dec 1, 2023

👋 sharing some initial feedback, waiting to add approval, will test now

I was able to connect to a workspace with SSH, and validate it is using ssh ca.

gitpod@kylos101-dotfiles-ah83qjcn6hs:/workspace/dotfiles$ printenv | grep GITPOD_SSH | wc
      1       3     120

# also, ~/.ssh/authorized_keys did not exist

kylos101 commented Dec 1, 2023

@iQQBot let me know if you have any questions, and when you'd like a follow-up review

@roboquat roboquat added size/M and removed size/S labels Dec 1, 2023

iQQBot commented Dec 1, 2023

@kylos101 I have addressed your feedback, you can review it again.

@kylos101 kylos101 left a comment

Thank you, @iQQBot, a couple follow-ups

@@ -366,7 +370,7 @@ func (s *Server) HandleConn(c net.Conn) {
if err != nil {
s.TrackSSHConnection(wsInfo, "connect", ErrConnFailed)
ReportSSHAttemptMetrics(ErrConnFailed)
log.WithField("instanceId", wsInfo.InstanceID).WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("dail failed")
log.WithField("workspaceIP", wsInfo.IPAddress).WithError(err).Error("dail failed")
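
Review bot: The two log lines at the end of this hunk differ only in whether `WithField("instanceId", wsInfo.InstanceID)` is attached. Keep the form that carries instanceId, since the other error logs shown for HandleConn key on that field and a dial failure logged with workspaceIP alone cannot be joined to them once the address is reused.
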
Contributor

nit: dial failed

@@ -318,29 +318,30 @@ func (s *Server) HandleConn(c net.Conn) {
OwnerUserId: wsInfo.OwnerUserId,
}

if wsInfo.SSHKey != nil {
Contributor

Should we wait to land this PR until Monday? If we land it today, it could ship Monday. This would not be ideal, because pods config could apply after pods, falling back to ssh host.

When this PR lands, do we also need a ws-manager-mk2 change to land? Otherwise ws-manager-mk2 has the same risk.

@kylos101 kylos101 left a comment

💪 you rock, @iQQBot! 🤗

iQQBot commented Dec 1, 2023

/unhold

@roboquat roboquat merged commit 7f83e2f into main Dec 1, 2023
@roboquat roboquat deleted the pd/ws-proxy-ssh-username branch December 1, 2023 19:41