SSH Gateway #7412

iQQBot · 2022-01-01T15:38:10Z

Description

Add SSH Gateway to ws-proxy
This Gateway support sftp, shell, pty, scp and port-forward

Related Issue(s)

Fixes #5602

How to test

Common step

start a workspace
get ownerToken

Integration with openssh

Use follow command to connect workspace, the username is workspaceId password is ownerToken

ssh workspaceId@workspaceUrl

2. or you can use workspaceId:ownerToken for the username, and provider any publickey

Integration with VSCode Desktop

Remove your vscode desktop config remote.SSH.configFile
Use Remote plugin
Select Connect to Host...
Enter workspaceId@workspaceUrl or workspaceId:ownerToken@workspaceUrl

Integration with Jetbrains IDE

start Jetbrains Gateway
click Connect via SSH
Host is workspace url and user is workspaceId or workspaceId:ownerToken
Select a IDE to start

How to get ownerToken?

You can get it via kubectl or lens
You can use Chrome DevTool, and find it on cookie

Release Notes

NONE

Documentation

TOOD:

Replace fixed hostkey
Loadbalancer for ws-proxy in preview env

codecov · 2022-01-01T15:40:25Z

Codecov Report

Merging #7412 (adcf62e) into main (ebf03b0) will increase coverage by 13.54%.
The diff coverage is 4.83%.

❗ Current head adcf62e differs from pull request most recent head c415b21. Consider uploading reports for the commit c415b21 to get more accurate results

@@             Coverage Diff             @@
##             main    #7412       +/-   ##
===========================================
+ Coverage   19.04%   32.59%   +13.54%     
===========================================
  Files           2       61       +59     
  Lines         168     9112     +8944     
===========================================
+ Hits           32     2970     +2938     
- Misses        134     5925     +5791     
- Partials        2      217      +215

Flag	Coverage Δ
components-gitpod-cli-app	`9.56% <ø> (?)`
components-ide-code-desktop-status-app	`∅ <ø> (?)`
components-image-builder-mk3-app	`35.26% <ø> (?)`
components-local-app-api-go-lib	`∅ <ø> (?)`
components-local-app-app-darwin-amd64	`∅ <ø> (?)`
components-local-app-app-darwin-arm64	`∅ <ø> (?)`
components-local-app-app-linux-amd64	`19.04% <ø> (ø)`
components-local-app-app-linux-arm64	`∅ <ø> (∅)`
components-local-app-app-windows-386	`∅ <ø> (∅)`
components-local-app-app-windows-amd64	`∅ <ø> (∅)`
components-local-app-app-windows-arm64	`∅ <ø> (∅)`
components-supervisor-api-go-lib	`∅ <ø> (?)`
components-supervisor-app	`35.57% <0.00%> (?)`
components-ws-proxy-app	`68.32% <75.00%> (?)`
installer-raw-app	`5.76% <ø> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
components/supervisor/pkg/supervisor/services.go	`21.56% <0.00%> (ø)`
components/supervisor/pkg/supervisor/ssh.go	`0.00% <0.00%> (ø)`
components/ws-proxy/pkg/proxy/workspacerouter.go	`81.89% <75.00%> (ø)`
...ents/image-builder-mk3/pkg/orchestrator/monitor.go	`23.12% <0.00%> (ø)`
installer/pkg/components/ws-manager/configmap.go	`29.71% <0.00%> (ø)`
components/gitpod-cli/cmd/credential-helper.go	`1.25% <0.00%> (ø)`
components/gitpod-cli/cmd/await-port.go	`8.00% <0.00%> (ø)`
components/ws-proxy/pkg/proxy/cookies.go	`78.57% <0.00%> (ø)`
components/supervisor/pkg/ports/slirp4netns.go	`0.00% <0.00%> (ø)`
... and 52 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ebf03b0...c415b21. Read the comment docs.

akosyakov · 2022-01-03T08:27:44Z

Please don't forget to fill in how to test section. It should demonstrate how to try with VS Code and JetBrains product as well as existing local companion is not broken in any way.

components/ide/jetbrains/image/status/main.go

akosyakov · 2022-01-03T08:52:39Z

components/ws-proxy/pkg/sshproxy/server.go

+		case "tcpip-forward":
+			newChannel.Reject(ssh.UnknownChannelType, "Gitpod SSH Gateway cannot remote forward ports")
+		default:
+			newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("Gitpod SSH Gateway cannot handle %s channel types", newChannel.ChannelType()))


it may be worth to log that we know

this may spam the logs. Consider introducing a counter metric instead

components/ws-proxy/pkg/sshproxy/server.go

components/supervisor/pkg/supervisor/ssh.go

components/supervisor-api/sshkey.proto

iQQBot · 2022-01-03T09:26:00Z

Please don't forget to fill in how to test section. It should demonstrate how to try with VS Code and JetBrains product as well as existing local companion is not broken in any way.

updated how to test section

akosyakov · 2022-01-03T09:47:57Z

I tested for regressions:

local companion works fine
but VS Code Desktop integration cannot connect for some reasons, it hangs forever
- i checked that VS Code Desktop still works in production
- updated: although i am not sure i can reproduce it on staging as well

It turned out to be a regression in the local companion: #7420

akosyakov · 2022-01-03T10:28:38Z

@csweichel I can confirm that VS Code and JetBrains integration work nicely with this approach. Could you review please? 🙏 We would like to move with that as soon as possible to provide JetBrains team with test builds of Gateway plugin.

csweichel · 2022-01-03T11:44:11Z

will take a look before the end of the day

iQQBot · 2022-01-03T11:54:00Z

I tested for regressions:

local companion works fine

but VS Code Desktop integration cannot connect for some reasons, it hangs forever

i checked that VS Code Desktop still works in production

updated: although i am not sure i can reproduce it on staging as well

It turned out to be a regression in the local companion: #7420

Already rebase, you can test again after build

csweichel

Code by and large looks very good. A bunch of nits and potentially dangling Go routines.

Trying this now.

components/ws-proxy/pkg/sshproxy/forward.go

components/ws-proxy/pkg/sshproxy/server.go

csweichel · 2022-01-03T12:34:26Z

components/ws-proxy/pkg/sshproxy/server.go

+		case "tcpip-forward":
+			newChannel.Reject(ssh.UnknownChannelType, "Gitpod SSH Gateway cannot remote forward ports")
+		default:
+			newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("Gitpod SSH Gateway cannot handle %s channel types", newChannel.ChannelType()))


this may spam the logs. Consider introducing a counter metric instead

components/supervisor/pkg/supervisor/services.go

installer/pkg/config/v1/validation.go

components/ws-proxy/cmd/run.go

meysholdt

Since this PR is about more than just preview envs and there is time pressure - feel free to merge and do the cleanup in a follow-up PR.

roboquat · 2022-01-06T12:30:07Z

LGTM label has been added.

Git tree hash: 689ab2beec09246c6286895ba7d44ee1b5303b7e

meysholdt · 2022-01-06T14:26:24Z

.werft/build.ts

@@ -533,6 +535,21 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
            werft.fail('authProviders', err);
        }

+        werft.log("SSH gateway hostkey", "copy host-key from secret")
+        try {
+            exec(`kubectl --namespace keys get secret host-key -o yaml \


Can you run kubectl --namespace keys get secret host-key before

gitpod/.werft/build.ts

Line 334 in c732acb

exec(`mv k3s.yml /home/gitpod/.kube/config`)

gets executed?

This is needed in the with-vm scenario because we change the kubectl-context awawy from core-dev to the preview environment's k3s cluster.

meysholdt · 2022-01-06T14:28:06Z

.werft/post-process.sh

+    if [[ "ws-proxy" == "$NAME" ]] && [[ "$KIND" == "Service" ]]; then
+      WORK="overrides for $NAME $KIND"
+      echo "$WORK"
+      # Provide harvester compatibility by adding ports instead of modifying the original ports


meysholdt · 2022-01-06T14:30:17Z

Just one remark; Other than that it L very GTM :)

akosyakov · 2022-01-06T16:17:10Z

/lgtm

roboquat · 2022-01-06T16:17:14Z

LGTM label has been added.

Git tree hash: 2bcb02036bd6c74d5153b22c147ce61ab7d6a580

meysholdt · 2022-01-06T16:26:54Z

/lgtm

roboquat · 2022-01-06T16:26:58Z

LGTM label has been added.

Git tree hash: 8f36f5acf9454ef47aa4ee772afcd7b44c997b9c

roboquat · 2022-01-06T16:27:02Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akosyakov, csweichel, meysholdt, MrSimonEmms

Associated issue: #5602

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [MrSimonEmms,akosyakov,csweichel]
~~components/supervisor/OWNERS~~ [akosyakov]
~~components/supervisor-api/OWNERS~~ [akosyakov,csweichel]
~~components/ws-proxy/OWNERS~~ [MrSimonEmms,csweichel]
~~installer/OWNERS~~ [MrSimonEmms]
~~installer/pkg/components/ws-proxy/OWNERS~~ [MrSimonEmms,csweichel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

iQQBot · 2022-01-06T16:28:48Z

/unhold

roboquat added release-note-none team: IDE team: delivery Issue belongs to the self-hosted team team: workspace Issue belongs to the Workspace team size/XXL labels Jan 1, 2022

iQQBot force-pushed the pd/ssh-gateway branch 6 times, most recently from e8bb61c to 0b55333 Compare January 2, 2022 18:54

iQQBot force-pushed the pd/ssh-gateway branch from 0b55333 to 3c7eb41 Compare January 3, 2022 08:36