eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0

Control Git SSH passphrase injection in Che Dashboard instead of DevWorkspace Operator #23248

Open AObuchow opened 1 week ago

AObuchow commented 1 week ago

Is your task related to a problem? Please describe

Currently, DevWorkspace Operator is responsible for injecting a postStart event that allows the workspace's SSH agent to automatically read the SSH passphrase mounted in a workspace.

This SSH agent initialization postStart event was previously injected unconditionally to all workspaces, causing issues such as https://github.com/eclipse-che/che/issues/23213 & https://github.com/devfile/devworkspace-operator/issues/1337. In order to prevent this feature from breaking existing workspaces, we have guarded this feature under the DevWorkspaceOperatorConfig's config.enableExperimentalFeatures option & ensured the postStart event will always succeed.

After reconsideration (mentioned in https://github.com/devfile/devworkspace-operator/issues/1337#issuecomment-2452216834 and https://github.com/devfile/devworkspace-operator/issues/1340#issue-2633910434) I believe the Che Dashboard would be better suited for injecting the postStart event as well as creating an automount configmap that provides a passphrase-injection script for the SSH agent to use.

Describe the solution you'd like

If the user provides a passphrase for their SSH key, the Dashboard should:

  1. Create an automount configmap in the user's namespace that will mount this script into their workspace. The SSH agent will use this script to automatically read the user's SSH passphrase when performing git operations.
  2. Add a postStart event to every devworkspace generated by the Dashboard. The postStart event will initialize the SSH agent to read the user's SSH passphrase every time the workspace's .bashrc is sourced.

Once this functionality is implemented in the Dashboard, we should remove it from DevWorkspace Operator.

Describe alternatives you've considered

Before migrating the SSH passphrase injection functionality from the DevWorkspace Operator to the Che Dashboard, we could:

Keep the SSH agent functionality in DWO, but have it enabled only when a devworkspace attribute is provided, e.g. controller.devfile.io/initialize-ssh-agent: true. The Che Dashboard could then add this attribute to devworkspaces when the user provides an SSH key that has a passphrase.

By performing this intermediary step, we would no longer have to guard the SSH passphrase injection functionality with the DevWorkspaceOperatorConfig's config.enableExperimentalFeatures field. Instead, this functionality would be guarded by the controller.devfile.io/initialize-ssh-agent: true devworkspace attribute that the Dashboard would inject when appropriate.

Additional context

Currently https://issues.redhat.com/browse/CRW-6614 is marked as a Technology Preview Feature. Resolving the current issue (with the proposed solution or the alternate solution) would allow us to move it out of tech preview.
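
A sketch of the two Dashboard steps proposed in the issue, added here as an illustration; it is not code from Che Dashboard or DevWorkspace Operator. The command id, ConfigMap name, mount path, script body and .bashrc line are hypothetical, and the passphrase file path is a parameter because the page does not state it.

```typescript
// Added example; identifiers marked "hypothetical" are assumptions, not Che Dashboard or DWO code.
interface ExecCommand { id: string; exec: { component: string; commandLine: string } }
interface Component { name: string; container?: { image: string } }
interface DevWorkspace {
  spec: { template: { components?: Component[]; commands?: ExecCommand[]; events?: { postStart?: string[] } } };
}

const CMD_ID = 'init-ssh-agent';       // hypothetical command id
const MOUNT_DIR = '/etc/ssh-askpass';  // hypothetical mount path
const ASKPASS = MOUNT_DIR + '/askpass.sh';
// Hypothetical .bashrc line: start an agent and load the key, reading the passphrase via the script.
const BASHRC_LINE = '[ -f ' + ASKPASS + ' ] && eval "$(ssh-agent -s)" >/dev/null && SSH_ASKPASS=' +
  ASKPASS + ' SSH_ASKPASS_REQUIRE=force ssh-add </dev/null # ' + CMD_ID;

// Step 1: automount ConfigMap. It carries only the script; the passphrase itself stays
// in the separately mounted file that the script reads.
function buildAskpassConfigMap(namespace: string, passphraseFile: string) {
  return {
    apiVersion: 'v1', kind: 'ConfigMap',
    metadata: {
      name: 'ssh-askpass-script', namespace, // hypothetical name
      labels: {
        'controller.devfile.io/mount-to-devworkspace': 'true',
        'controller.devfile.io/watch-configmap': 'true',
      },
      annotations: {
        'controller.devfile.io/mount-as': 'subpath',
        'controller.devfile.io/mount-path': MOUNT_DIR,
        'controller.devfile.io/mount-access-mode': '0755',
      },
    },
    data: { 'askpass.sh': '#!/bin/sh\ncat "' + passphraseFile + '"\n' },
  };
}

// Step 2: add the postStart event only when a passphrase exists. Idempotent, and the
// command line ends in "|| true" so a failure can never block workspace startup.
function injectSshAgentInit(dw: DevWorkspace, hasPassphrase: boolean): DevWorkspace {
  const out: DevWorkspace = JSON.parse(JSON.stringify(dw)); // leave the caller's object untouched
  const t = out.spec.template;
  const target = (t.components ?? []).filter((c) => c.container !== undefined)[0];
  if (!hasPassphrase || !target) return out;
  const commandLine = "(grep -qF '# " + CMD_ID + "' ~/.bashrc || echo '" + BASHRC_LINE + "' >> ~/.bashrc) || true";
  t.commands = (t.commands ?? []).filter((c) => c.id !== CMD_ID);
  t.commands.push({ id: CMD_ID, exec: { component: target.name, commandLine } });
  const postStart = (t.events ?? {}).postStart ?? [];
  t.events = { ...t.events, postStart: postStart.indexOf(CMD_ID) >= 0 ? postStart : [...postStart, CMD_ID] };
  return out;
}
```

Because the event is added only when the user has supplied a passphrase, workspaces without one keep an unmodified template, which is the failure mode the linked issues describe.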