fix: conditionally add SSH agent postStart event

Only add the SSH agent initialization postStart event if
an SSH key with a passphrase is being used & experimental features are
enabled.

We don't use the config package's ExperimentalFeaturesEnabled function so that
the SSH agent initialization postStart event injection can be enabled from
an external DWOC, or the global DWOC if no external DWOC is used.

fix #1340

Signed-off-by: Andrew Obuchowicz <[email protected]>

Author: AObuchow

controllers/workspace/devworkspace_controller.go

@@ -281,9 +281,14 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 	workspace.Spec.Template = *flattenedWorkspace
 
-	err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template)
-	if err != nil {
-		return r.failWorkspace(workspace, "Failed to add ssh-agent post start event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+	if workspace.Config.EnableExperimentalFeatures != nil && *workspace.Config.EnableExperimentalFeatures {
+		if needsSSHAgentPostStartEvent, err := ssh.NeedsSSHPostStartEvent(clusterAPI, workspace.Namespace); err != nil {
+			reqLogger.Error(err, "Error retrieving SSH secret")
+		} else if needsSSHAgentPostStartEvent {
+			if err = ssh.AddSshAgentPostStartEvent(&workspace.Spec.Template); err != nil {
+				return r.failWorkspace(workspace, "Failed to add ssh-agent post start event", metrics.ReasonWorkspaceEngineFailure, reqLogger, &reconcileStatus), nil
+			}
+		}
 	}
 
 	reconcileStatus.setConditionTrue(conditions.DevWorkspaceResolved, "Resolved plugins and parents from DevWorkspace")

pkg/constants/metadata.go

@@ -87,6 +87,15 @@ const (
 	// in a given namespace. It is used when e.g. adding Git credentials via secret
 	GitCredentialsConfigMapName = "devworkspace-gitconfig"
 
+	// SSHSecretName is the name used for the secret that stores the SSH key data for workspaces in a given namespace.
+	// TODO: This is a workaround for https://github.com/devfile/devworkspace-operator/issues/1340.
+	// We do not enforce the SSH secret to have this name, but it is used by the Che Dashboard and this allows us
+	// to detect if the user has provided an SSH key with a passhprase.
+	SSHSecretName = "git-ssh-key"
+
+	// SSHSecretPassphraseKey is the key used to retrieve the optional passphrase stored inside the SSH secret.
+	SSHSecretPassphraseKey = "passphrase"
+
 	SshAskPassConfigMapName = "devworkspace-ssh-askpass"
 
 	// GitCredentialsMergedSecretName is the name for the merged Git credentials secret that is mounted to workspaces

pkg/library/ssh/event.go

@@ -19,6 +19,10 @@ import (
 	"github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/devfile/devworkspace-operator/pkg/library/lifecycle"
+	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const commandLine = `(
@@ -63,3 +67,29 @@ func AddSshAgentPostStartEvent(spec *v1alpha2.DevWorkspaceTemplateSpec) error {
 	}
 	return err
 }
+
+// Determines whether an SSH key with a passphrase is provided for the namespace where the workspace exists.
+// If an SSH key with a passphrase is used, then the SSH Agent Post Start event is needed for it to automatically
+// be used by the workspace's SSH agent.
+// If no SSH key is provided, or the SSH key does not provide a passphrase, then the SSH Agent Post Start event is not required.
+func NeedsSSHPostStartEvent(api sync.ClusterAPI, namespace string) (bool, error) {
+	secretNN := types.NamespacedName{
+		Name:      constants.SSHSecretName,
+		Namespace: namespace,
+	}
+	sshSecret := &corev1.Secret{}
+	if err := api.Client.Get(api.Ctx, secretNN, sshSecret); err != nil {
+		if k8sErrors.IsNotFound(err) {
+			// No SSH secret found
+			return false, nil
+		}
+		return false, err
+	}
+
+	if _, ok := sshSecret.Data[constants.SSHSecretPassphraseKey]; ok {
+		// SSH secret exists and has a passphrase set
+		return true, nil
+	}
+
+	return false, nil
+}