Add SSH Gateway to ws-proxy

Author: iQQBot

.werft/build.ts

@@ -502,6 +502,21 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
             werft.fail('authProviders', err);
         }
 
+        werft.log("SSH gateway hostkey", "copy host-key from secret")
+        try {
+            exec(`kubectl --namespace keys get secret host-key -o yaml \
+            | yq w - metadata.namespace ${namespace} \
+            | yq d - metadata.uid \
+            | yq d - metadata.resourceVersion \
+            | yq d - metadata.creationTimestamp \
+            | kubectl apply -f -`, { silent: true })
+            exec(`yq w -i ./config.yaml sshGatewayHostKey.kind "secret"`)
+            exec(`yq w -i ./config.yaml sshGatewayHostKey.name "host-key"`)
+            werft.done('SSH gateway hostkey');
+        } catch (err) {
+            werft.fail('SSH gateway hostkey', err);
+        }
+
         // validate the config and cluster
         exec(`/tmp/installer validate config -c config.yaml`, {slice: installerSlices.INSTALLER_RENDER});
 

.werft/post-process.sh

@@ -213,6 +213,13 @@ while [ "$i" -le "$DOCS" ]; do
       yq m -x -i k8s.yaml -d "$i" /tmp/"$NAME"overrides.yaml
    fi
 
+    if [[ "ws-proxy" == "$NAME" ]] && [[ "$KIND" == "Service" ]]; then
+      WORK="overrides for $NAME $KIND"
+      echo "$WORK"
+      yq w -i k8s.yaml -d "$i" "metadata.annotations[cloud.google.com/neg]" '{"exposed_ports": {"22":{}}}'
+      yq w -i k8s.yaml -d "$i" spec.type LoadBalancer
+   fi
+
    # update workspace-templates configmap to set affinity for workspace, ghosts, image builders, etc.
    # if this is not done, and they start on a node other than workspace, they won't be able to talk to registry-facade or ws-daemon
    if [[ "workspace-templates" == "$NAME" ]] && [[ "$KIND" == "ConfigMap" ]]; then

chart/templates/ws-proxy-deployment.yaml

@@ -51,6 +51,11 @@ spec:
       - name: config-certificates
         secret:
           secretName: {{ $.Values.certificatesSecret.secretName }}
+{{- end }}
+{{- if $.comp.hostKeySecretName }}
+      - name: host-key
+        secret:
+          secretName: {{ $.comp.hostKeySecretName }}
 {{- end }}
       enableServiceLinks: false
       containers:
@@ -84,6 +89,10 @@ spec:
 {{- if $.Values.certificatesSecret.secretName }}
         - name: config-certificates
           mountPath: "/mnt/certificates"
+{{- end }}
+{{- if $.comp.hostKeySecretName }}
+        - name: host-key
+          mountPath: "/mnt/host-key"
 {{- end }}
         securityContext:
           privileged: false

chart/templates/ws-proxy-networkpolicy.yaml

@@ -20,10 +20,12 @@ spec:
   policyTypes:
   - Ingress
   ingress:
-  # Allow access to HTTP/HTTPS proxy ports from everywhere
+  # Allow access to HTTP/HTTPS/SSH proxy ports from everywhere
   - ports:
     - protocol: TCP
       port: {{ $comp.ports.httpProxy.containerPort }}
     - protocol: TCP
       port: {{ $comp.ports.httpsProxy.containerPort }}
+    - protocol: TCP
+      port: {{ $comp.ports.ssh.containerPort }}
 {{ end }}

chart/values.yaml

@@ -563,6 +563,7 @@ components:
       memory: 64Mi
     replicas: 1
     hostHeader: "x-wsproxy-host"
+    # hostKeySecretName: "host-key"
     ports:
       httpProxy:
         expose: true
@@ -573,6 +574,10 @@ components:
       metrics:
         expose: false
         containerPort: 9500
+      ssh:
+        expose: false
+        containerPort: 2200
+        servicePort: 22
 
 docker-registry:
   enabled: true

components/supervisor-api/control.proto

@@ -14,6 +14,9 @@ service ControlService {
 
   // ExposePort exposes a port
   rpc ExposePort(ExposePortRequest) returns (ExposePortResponse) {}
+
+  // CreateSSHKeyPair Create a pair of SSH Keys and put them in ~/.ssh/authorized_keys, this will only be generated once in the entire workspace lifecycle
+  rpc CreateSSHKeyPair(CreateSSHKeyPairRequest) returns (CreateSSHKeyPairResponse) {}
 }
 
 message ExposePortRequest {
@@ -22,4 +25,10 @@ message ExposePortRequest {
   // external port if missing the the same as port
   reserved 2;
 }
-message ExposePortResponse {}
+message ExposePortResponse {}
+
+message CreateSSHKeyPairRequest {}
+message CreateSSHKeyPairResponse {
+    // Return privateKey for ws-proxy
+    string private_key = 1;
+}