dynamic host key

Author: iQQBot

.werft/build.ts

@@ -502,6 +502,21 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
             werft.fail('authProviders', err);
         }
 
+        werft.log("SSH gateway hostkey", "copy host-key from secret")
+        try {
+            exec(`kubectl --namespace keys get secret host-key -o yaml \
+            | yq w - metadata.namespace ${namespace} \
+            | yq d - metadata.uid \
+            | yq d - metadata.resourceVersion \
+            | yq d - metadata.creationTimestamp \
+            | kubectl apply -f -`, { silent: true })
+            exec(`yq w -i ./config.yaml sshGatewayHostKey.kind "secret"`)
+            exec(`yq w -i ./config.yaml sshGatewayHostKey.name "host-key"`)
+            werft.done('SSH gateway hostkey');
+        } catch (err) {
+            werft.fail('SSH gateway hostkey', err);
+        }
+
         // validate the config and cluster
         exec(`/tmp/installer validate config -c config.yaml`, {slice: installerSlices.INSTALLER_RENDER});
 

components/ws-proxy/cmd/run.go

@@ -5,8 +5,9 @@
 package cmd
 
 import (
-	_ "embed"
 	"net"
+	"os"
+	"path/filepath"
 
 	"github.com/bombsimon/logrusr"
 	"github.com/gitpod-io/gitpod/common-go/log"
@@ -28,9 +29,6 @@ var (
 	verbose bool
 )
 
-//go:embed ssh-key/hostkey
-var HostKeyByte []byte
-
 // runCmd represents the run command.
 var runCmd = &cobra.Command{
 	Use:   "run <config.json>",
@@ -82,16 +80,33 @@ var runCmd = &cobra.Command{
 		go proxy.NewWorkspaceProxy(cfg.Ingress, cfg.Proxy, proxy.HostBasedRouter(cfg.Ingress.Header, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffix, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffixRegex), workspaceInfoProvider).MustServe()
 		log.Infof("started proxying on %s", cfg.Ingress.HTTPAddress)
 
-		hostSigner, err := ssh.ParsePrivateKey(HostKeyByte)
-		if err != nil {
-			log.Fatal(err)
-		}
-		server := sshproxy.New(hostSigner, workspaceInfoProvider)
-		l, err := net.Listen("tcp", ":2200")
-		if err != nil {
-			panic(err)
+		flist, err := os.ReadDir("/mnt/host-key")
+		if err == nil && len(flist) > 0 {
+			var signers []ssh.Signer
+			for _, f := range flist {
+				if f.IsDir() {
+					continue
+				}
+				b, err := os.ReadFile(filepath.Join("/mnt/host-key", f.Name()))
+				if err != nil {
+					continue
+				}
+				hostSigner, err := ssh.ParsePrivateKey(b)
+				if err != nil {
+					continue
+				}
+				signers = append(signers, hostSigner)
+			}
+			if len(signers) > 0 {
+				server := sshproxy.New(signers, workspaceInfoProvider)
+				l, err := net.Listen("tcp", ":2200")
+				if err != nil {
+					panic(err)
+				}
+				go server.Serve(l)
+				log.Info("SSHGateway is up and running")
+			}
 		}
-		go server.Serve(l)
 
 		log.Info("🚪 ws-proxy is up and running")
 		if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {

components/ws-proxy/cmd/ssh-key/hostkey

@@ -127,7 +127,7 @@ func (s *Server) Serve(l net.Listener) error {
 	}
 }
 
-func New(signer ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Server {
+func New(signers []ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Server {
 	server := &Server{
 		workspaceInfoProvider: workspaceInfoProvider,
 	}
@@ -164,7 +164,8 @@ func New(signer ssh.Signer, workspaceInfoProvider p.WorkspaceInfoProvider) *Serv
 			}, nil
 		},
 	}
-	server.sshConfig.AddHostKey(signer)
-
+	for _, s := range signers {
+		server.sshConfig.AddHostKey(s)
+	}
 	return server
 }

components/ws-proxy/pkg/sshproxy/server.go

@@ -44,6 +44,21 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 			MountPath: "/mnt/certificates",
 		})
 	}
+	if ctx.Config.SSHGatewayHostKey.Name != "" {
+		volumes = append(volumes, corev1.Volume{
+			Name: "host-key",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: ctx.Config.SSHGatewayHostKey.Name,
+				},
+			},
+		})
+
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "host-key",
+			MountPath: "/mnt/host-key",
+		})
+	}
 
 	return []runtime.Object{
 		&appsv1.Deployment{

installer/pkg/components/ws-proxy/deployment.go

@@ -84,6 +84,8 @@ type Config struct {
 	AuthProviders []ObjectRef   `json:"authProviders" validate:"dive"`
 	BlockNewUsers BlockNewUsers `json:"blockNewUsers"`
 	License       *ObjectRef    `json:"license,omitempty"`
+
+	SSHGatewayHostKey *ObjectRef `json:"sshGatewayHostKey,omitempty"`
 }
 
 type Metadata struct {

installer/pkg/config/v1/config.go

@@ -150,5 +150,9 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 		}
 	}
 
+	if cfg.SSHGatewayHostKey != nil {
+		secretName := cfg.SSHGatewayHostKey.Name
+		res = append(res, cluster.CheckSecret(secretName))
+	}
 	return res
 }