WIP: fix: conditionally add SSH agent postStart event

Only add the SSH agent initialization postStart event if
an SSH key with a passphrase is being used.

fix #1340

Signed-off-by: Andrew Obuchowicz <[email protected]>

Author: AObuchow

controllers/workspace/devworkspace_controller.go

@@ -281,9 +281,15 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 	workspace.Spec.Template = *flattenedWorkspace
 
-	err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template)
-	if err != nil {
-		return r.failWorkspace(workspace, "Failed to add ssh-agent post start event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+	if needsSSHAgentPostStartEvent, err := ssh.NeedsSSHPostStartEvent(clusterAPI, workspace.Namespace); err != nil {
+		// Something's wrong with the ssh secret in the user's namespace
+		// TODO: Should we fail the workspace? Or log the error and continue on?
+		return r.failWorkspace(workspace, fmt.Sprintf("Error retrieving SSH secret: %s", err), metrics.ReasonInfrastructureFailure, reqLogger, &reconcileStatus), nil
+	} else if needsSSHAgentPostStartEvent {
+		if err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template); err != nil {
+			// TODO: Is this the right metric reason?
+			return r.failWorkspace(workspace, "Failed to add ssh-agent post start event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+		}
 	}
 
 	reconcileStatus.setConditionTrue(conditions.DevWorkspaceResolved, "Resolved plugins and parents from DevWorkspace")

pkg/constants/metadata.go

@@ -87,6 +87,15 @@ const (
 	// in a given namespace. It is used when e.g. adding Git credentials via secret
 	GitCredentialsConfigMapName = "devworkspace-gitconfig"
 
+	// SSHSecretName is the name used for the secret that stores the SSH key data for workspaces in a given namespace.
+	// TODO: This is a workaround for https://github.com/devfile/devworkspace-operator/issues/1340.
+	// We do not enforce the SSH secret to have this name, but it is used by the Che Dashboard and this allows us
+	// to detect if the user has provided an SSH key with a passhprase.
+	SSHSecretName = "git-ssh-key"
+
+	// SSHSecretPassphraseKey is the key used to retrieve the optional passphrase stored inside the SSH secret.
+	SSHSecretPassphraseKey = "passphrase"
+
 	SshAskPassConfigMapName = "devworkspace-ssh-askpass"
 
 	// GitCredentialsMergedSecretName is the name for the merged Git credentials secret that is mounted to workspaces

pkg/library/ssh/event.go

@@ -19,6 +19,10 @@ import (
 	"github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/devfile/devworkspace-operator/pkg/library/lifecycle"
+	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const commandLine = `SSH_ENV_PATH=$HOME/ssh-environment \
@@ -58,3 +62,30 @@ func AddSshAgentPostStartEvent(spec *v1alpha2.DevWorkspaceTemplateSpec) error {
 	}
 	return err
 }
+
+// TODO: Is this the best place for this function?
+// Determines whether an SSH key with a passphrase is provided for the namespace where the workspace exists.
+// If an SSH key with a passphrase is used, then the SSH Agent Post Start event is needed for it to automatically
+// be used by the workspace's SSH agent.
+// If no SSH key is provided, or the SSH key does not provide a passphrase, then the SSH Agent Post Start event is not required.
+func NeedsSSHPostStartEvent(api sync.ClusterAPI, namespace string) (bool, error) {
+	secretNN := types.NamespacedName{
+		Name:      constants.SSHSecretName,
+		Namespace: namespace,
+	}
+	sshSecret := &corev1.Secret{}
+	if err := api.Client.Get(api.Ctx, secretNN, sshSecret); err != nil {
+		if k8sErrors.IsNotFound(err) {
+			// No SSH secret found
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to get SSH secret: %s", err)
+	}
+
+	if _, ok := sshSecret.Data[constants.SSHSecretPassphraseKey]; ok {
+		// SSH secret exists and has a passphrase set
+		return true, nil
+	}
+
+	return false, nil
+}