devfile · AObuchow · Nov 7, 2024 · Nov 4, 2024 · Nov 6, 2024 · Nov 6, 2024
@@ -281,9 +281,14 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 	workspace.Spec.Template = *flattenedWorkspace
 
-	err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template)
-	if err != nil {
-		return r.failWorkspace(workspace, "Failed to add ssh-agent post start event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+	if workspace.Config.EnableExperimentalFeatures != nil && *workspace.Config.EnableExperimentalFeatures {
+		if needsSSHAgentPostStartEvent, err := ssh.NeedsSSHPostStartEvent(clusterAPI, workspace.Namespace); err != nil {
+			reqLogger.Error(err, "Error retrieving SSH secret")
+		} else if needsSSHAgentPostStartEvent {
+			if err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template); err != nil {
+				return r.failWorkspace(workspace, "Failed to add ssh-agent initialization postStart event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+			}
+		}
 	}
 
 	reconcileStatus.setConditionTrue(conditions.DevWorkspaceResolved, "Resolved plugins and parents from DevWorkspace")

@@ -189,7 +189,7 @@ Prerequisites:
 ** The steps below assume the following environment variables are set:
 *** `$SSH_KEY`: path on disk to private key for SSH keypair (e.g. `~/.ssh/id_ed25519`)
 *** `$SSH_PUB_KEY`: path on disk to public key for SSH keypair (e.g. `~/.ssh/id_ed25519.pub`)
-*** `$PASSPHRASE`: SSH keypair passphrase (optional)
+*** `$PASSPHRASE`: SSH keypair passphrase (optional). *Note:* requires setting `config.enableExperimentalFeatures: true` in the DevWorkspaceOperatorConfig.
 *** `$NAMESPACE`: namespace where workspaces using the SSH keypair will be started.
 
 Process:
@@ -225,6 +225,8 @@ you must add the following in your `~/.bashrc`:
 ----
 [ -f $HOME/ssh-environment ] && source $HOME/ssh-environment
 ----
++
+*Note:*  Specifying a passphrase for an SSH key is an experimental feature and is controlled by the DevWorkspaceOperatorConfig's `config.enableExperimentalFeatures` field.
 
 3. Annotate the secret to configure automatic mounting to DevWorkspaces
 +

@@ -87,6 +87,15 @@ const (
 	// in a given namespace. It is used when e.g. adding Git credentials via secret
 	GitCredentialsConfigMapName = "devworkspace-gitconfig"
 
+	// SSHSecretName is the name used for the secret that stores the SSH key data for workspaces in a given namespace.
+	// TODO: This is a workaround for https://github.com/devfile/devworkspace-operator/issues/1340.
+	// We do not enforce the SSH secret to have this name, but it is used by the Che Dashboard and this allows us
+	// to detect if the user has provided an SSH key with a passhprase.
+	SSHSecretName = "git-ssh-key"
+
+	// SSHSecretPassphraseKey is the key used to retrieve the optional passphrase stored inside the SSH secret.
+	SSHSecretPassphraseKey = "passphrase"
+
 	SshAskPassConfigMapName = "devworkspace-ssh-askpass"
 
 	// GitCredentialsMergedSecretName is the name for the merged Git credentials secret that is mounted to workspaces

@@ -19,6 +19,10 @@ import (
 	"github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/devfile/devworkspace-operator/pkg/library/lifecycle"
+	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const commandLine = `SSH_ENV_PATH=$HOME/ssh-environment \
@@ -58,3 +62,29 @@ func AddSshAgentPostStartEvent(spec *v1alpha2.DevWorkspaceTemplateSpec) error {
 	}
 	return err
 }
+
+// Determines whether an SSH key with a passphrase is provided for the namespace where the workspace exists.
+// If an SSH key with a passphrase is used, then the SSH Agent Post Start event is needed for it to automatically
+// be used by the workspace's SSH agent.
+// If no SSH key is provided, or the SSH key does not provide a passphrase, then the SSH Agent Post Start event is not required.
+func NeedsSSHPostStartEvent(api sync.ClusterAPI, namespace string) (bool, error) {
+	secretNN := types.NamespacedName{
+		Name:      constants.SSHSecretName,
+		Namespace: namespace,
+	}
+	sshSecret := &corev1.Secret{}
+	if err := api.Client.Get(api.Ctx, secretNN, sshSecret); err != nil {
+		if k8sErrors.IsNotFound(err) {
+			// No SSH secret found
+			return false, nil
+		}
+		return false, err
+	}
+
+	if _, ok := sshSecret.Data[constants.SSHSecretPassphraseKey]; ok {
+		// SSH secret exists and has a passphrase set
+		return true, nil
+	}
+
+	return false, nil
+}