
Commit e8bb61c

committed
dynamic host key
1 parent c53d545 commit e8bb61c


7 files changed

+68
-55
lines changed


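--- a/.werft/build.ts
+++ b/.werft/build.ts
@@ -502,6 +502,21 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
 werft.fail('authProviders', err);
 }
 
+werft.log("SSH gateway hostkey", "copy host-key from secret")
+try {
+exec(`kubectl --namespace keys get secret host-key -o yaml \
+| yq w - metadata.namespace ${namespace} \
+| yq d - metadata.uid \
+| yq d - metadata.resourceVersion \
+| yq d - metadata.creationTimestamp \
+| kubectl apply -f -`, { silent: true })
+exec(`yq w -i ./config.yaml sshGatewayHostKey.kind "secret"`)
+exec(`yq w -i ./config.yaml sshGatewayHostKey.name "host-key"`)
+werft.done('SSH gateway hostkey');
+} catch (err) {
+werft.fail('SSH gateway hostkey', err);
+}
+
 // validate the config and cluster
 exec(`/tmp/installer validate config -c config.yaml`, {slice: installerSlices.INSTALLER_RENDER});
 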
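Review bot: `${namespace}` is interpolated straight into the shell command string handed to `exec` (new-side line 508), so it must be a value the pipeline itself controls; if it can derive from a branch name or other external input, validate it against a safe character class (or quote it) before it reaches the shell. Separately, the same `host-key` Secret from the `keys` namespace is copied into every preview namespace, so every preview environment presents the identical SSH host identity and one leaked copy exposes them all. That is a deliberate trade-off worth stating above the `werft.log(...)` call, e.g. `// all preview environments share one SSH host key; rotate it in the keys namespace to rotate everywhere`. The enclosing deployToDevWithInstaller function continues outside the hunk.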
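--- a/components/ws-proxy/cmd/run.go
+++ b/components/ws-proxy/cmd/run.go
@@ -5,8 +5,9 @@
 package cmd
 
 import (
-_ "embed"
 "net"
+"os"
+"path/filepath"
 
 "github.com/bombsimon/logrusr"
 "github.com/gitpod-io/gitpod/common-go/log"
@@ -28,9 +29,6 @@ var (
 verbose bool
 )
 
-//go:embed ssh-key/hostkey
-var HostKeyByte []byte
-
 // runCmd represents the run command.
 var runCmd = &cobra.Command{
 Use: "run <config.json>",
@@ -82,16 +80,33 @@ var runCmd = &cobra.Command{
 go proxy.NewWorkspaceProxy(cfg.Ingress, cfg.Proxy, proxy.HostBasedRouter(cfg.Ingress.Header, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffix, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffixRegex), workspaceInfoProvider).MustServe()
 log.Infof("started proxying on %s", cfg.Ingress.HTTPAddress)
 
-hostSigner, err := ssh.ParsePrivateKey(HostKeyByte)
-if err != nil {
-log.Fatal(err)
-}
-server := sshproxy.New(hostSigner, workspaceInfoProvider)
-l, err := net.Listen("tcp", ":2200")
-if err != nil {
-panic(err)
+flist, err := os.ReadDir("/mnt/host-key")
+if err == nil && len(flist) > 0 {
+var signers []ssh.Signer
+for _, f := range flist {
+if f.IsDir() {
+continue
+}
+b, err := os.ReadFile(filepath.Join("/mnt/host-key", f.Name()))
+if err != nil {
+continue
+}
+hostSigner, err := ssh.ParsePrivateKey(b)
+if err != nil {
+continue
+}
+signers = append(signers, hostSigner)
+}
+if len(signers) > 0 {
+server := sshproxy.New(signers, workspaceInfoProvider)
+l, err := net.Listen("tcp", ":2200")
+if err != nil {
+panic(err)
+}
+go server.Serve(l)
+log.Info("SSHGateway is up and running")
+}
 }
-go server.Serve(l)
 
 log.Info("🚪 ws-proxy is up and running")
 if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {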
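Review bot: The new key-loading loop (new-side lines 83–108) swallows every failure silently — a failing `os.ReadDir`, an unreadable file and an unparsable key all skip without a log line, and when no signer is produced the SSH gateway never starts while ws-proxy still logs that it is up and running. The removed code treated a bad host key as fatal, so this turns a misconfigured secret into a gateway whose absence is only noticed as connection refused on :2200. Log each skipped entry, e.g. `log.WithError(err).Warnf("skipping SSH host key %s", f.Name())`, and log once when `/mnt/host-key` exists but yields no usable key. Separately, the removed `//go:embed ssh-key/hostkey` material remains in git history, so that key should be treated as disclosed and not reused as the contents of the mounted secret. The enclosing Run function continues outside the hunk.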
components/ws-proxy/cmd/ssh-key/hostkey

Lines changed: 0 additions & 39 deletions
This file was deleted.

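--- a/components/ws-proxy/pkg/sshproxy/server.go
+++ b/components/ws-proxy/pkg/sshproxy/server.go
@@ -127,7 +127,7 @@ func (s *Server) Serve(l net.Listener) error {
 }
 }
 
-func New(signer ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Server {
+func New(signers []ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Server {
 server := &Server{
 workspaceInfoProvider: workspaceInfoProvider,
 }
@@ -164,7 +164,8 @@ func New(signer ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Serv
 }, nil
 },
 }
-server.sshConfig.AddHostKey(signer)
-
+for _, s := range signers {
+server.sshConfig.AddHostKey(s)
+}
 return server
 }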
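Review bot: `New` now accepts a slice but does not reject an empty one (new-side line 130 and the loop at 167–169), which leaves `sshConfig` without any host key so handshakes would fail at connect time rather than at construction; the only caller shown guards with `len(signers) > 0`, but the constructor should enforce or at least document that precondition. A doc comment would do: `// New returns a Server presenting every signer in signers as a host key; signers must not be empty.`. The loop variable `s` is also the receiver name this file uses for `*Server` (see `func (s *Server) Serve`), so naming it `signer` would avoid the clash. The body of New lies between the two hunks.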
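--- a/installer/pkg/components/ws-proxy/deployment.go
+++ b/installer/pkg/components/ws-proxy/deployment.go
@@ -44,6 +44,21 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 MountPath: "/mnt/certificates",
 })
 }
+if ctx.Config.SSHGatewayHostKey.Name != "" {
+volumes = append(volumes, corev1.Volume{
+Name: "host-key",
+VolumeSource: corev1.VolumeSource{
+Secret: &corev1.SecretVolumeSource{
+SecretName: ctx.Config.SSHGatewayHostKey.Name,
+},
+},
+})
+
+volumeMounts = append(volumeMounts, corev1.VolumeMount{
+Name: "host-key",
+MountPath: "/mnt/host-key",
+})
+}
 
 return []runtime.Object{
 &appsv1.Deployment{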
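Review bot: `ctx.Config.SSHGatewayHostKey.Name != ""` (new-side line 47) dereferences `SSHGatewayHostKey` without a nil check, and this same commit declares that field as `*ObjectRef` with `omitempty` in config.go, so every installation that omits the optional key panics while rendering; validation.go's hunk guards with `!= nil` first and this site should too: `if ctx.Config.SSHGatewayHostKey != nil && ctx.Config.SSHGatewayHostKey.Name != "" {`. The Secret holds a private host key, so also set `DefaultMode` on the `SecretVolumeSource` to a read-only mode such as 0400 rather than relying on the default (0644), so the key is not readable by other users in the container. The enclosing deployment function continues outside the hunk.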
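--- a/installer/pkg/config/v1/config.go
+++ b/installer/pkg/config/v1/config.go
@@ -84,6 +84,8 @@ type Config struct {
 AuthProviders []ObjectRef `json:"authProviders" validate:"dive"`
 BlockNewUsers BlockNewUsers `json:"blockNewUsers"`
 License *ObjectRef `json:"license,omitempty"`
+
+SSHGatewayHostKey *ObjectRef `json:"sshGatewayHostKey,omitempty"`
 }
 
 type Metadata struct {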
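Review bot: `SSHGatewayHostKey` (new-side line 88) is added without a doc comment, so a reader has to trace the build script and deployment.go to learn what it references; the build script sets its `kind` to `secret` and deployment.go mounts `Name` as a Secret volume, so say so on the field: `// SSHGatewayHostKey optionally references a Secret whose files ws-proxy loads as SSH host private keys.`. Since sibling references carry `validate` tags (see `authProviders` above), consider whether this field needs one as well. The Config struct continues outside the hunk.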
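--- a/installer/pkg/config/v1/validation.go
+++ b/installer/pkg/config/v1/validation.go
@@ -150,5 +150,9 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 }
 }
 
+if cfg.SSHGatewayHostKey != nil {
+secretName := cfg.SSHGatewayHostKey.Name
+res = append(res, cluster.CheckSecret(secretName))
+}
 return res
 }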
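Review bot: The new check (new-side lines 153–156) passes `cfg.SSHGatewayHostKey.Name` to `cluster.CheckSecret` without testing for an empty name, so a config containing `sshGatewayHostKey: {}` registers a check for the secret `""` whose failure is hard to read back to its cause; guard with `if cfg.SSHGatewayHostKey != nil && cfg.SSHGatewayHostKey.Name != ""` or report the empty name as a validation error in its own right. The build script in this commit writes a `kind` of `secret` next to the name and nothing here verifies it, so a reference with any other kind would still be validated as a Secret. ClusterValidation begins outside the hunk.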