feat(up): make up setup-only with managed ssh and sync

acmore · acmore · commit 0a7179053a10 · 2026-03-07T17:16:43.000+08:00
diff --git a/docs/command-reference.md b/docs/command-reference.md
@@ -15,9 +15,9 @@
 - `okdev version`
 - `okdev init [--template basic|gpu|llm-stack] [--force]`
 - `okdev validate`
-- `okdev up [--no-attach] [--wait-timeout 3m] [--dry-run]`
-  - attach is enabled by default; use `--no-attach` to skip shell + background integrations
-  - in attach flow, `spec.ports` are applied via managed SSH `LocalForward` rules
+- `okdev up [--wait-timeout 3m] [--dry-run]`
+  - prepares pod/workspace, SSH config, managed SSH+port-forwards, and background sync (when enabled), then exits
+  - `spec.ports` are applied via managed SSH `LocalForward` rules
 - `okdev down [--delete-pvc] [--dry-run]`
 - `okdev status [--all] [--all-users]`
 - `okdev list [--all-namespaces] [--all-users]`
diff --git a/docs/okdev-design.md b/docs/okdev-design.md
@@ -71,7 +71,7 @@ Core flow:
 2. `okdev up` creates/resumes a dev session in a namespace.
 3. `okdev connect` opens terminal/SSH and optionally starts port forwards.
 4. `okdev sync` mirrors local repo <-> pod workspace.
-5. Developer can leave and later reconnect from another machine via `okdev up --attach`.
+5. Developer can leave and later reconnect from another machine via `okdev up`.
 6. `okdev down` stops session (or deletes, based on policy).
 
 ---
@@ -226,11 +226,10 @@ Ownership model:
   - scaffolds `.okdev.yaml` from template and detects language/runtime hints
   - supports `-c, --config` to generate a custom config filename/path
 
-- `okdev up [--no-attach] [--name] [-c|--config]`
+- `okdev up [--name] [-c|--config]`
   - create or resume session
   - wait for Pod Ready (watch-based readiness events)
-  - by default, attach shell and auto-start configured sync/port-forward/ssh tunnel
-  - with `--no-attach`, skip shell and background integrations
+  - setup sync/port-forward/ssh integration, then exit
   - supports `--dry-run` to preview operations without applying
   - supports explicit `--session <name>` for multiple concurrent sessions per repo
 
@@ -282,7 +281,7 @@ Problem with local-only tools: state is tied to one machine.
 okdev approach:
 - Session identity is cluster-native (`namespace + env name + labels`).
 - Local machine stores only ephemeral client metadata.
-- Any machine with kube access and repo can run `okdev up --attach`.
+- Any machine with kube access and repo can run `okdev up`.
 
 Ownership model:
 - Owner identity resolution: `--owner` flag -> `OKDEV_OWNER` -> local `USER`.
diff --git a/docs/okdev-implementation-plan.md b/docs/okdev-implementation-plan.md
@@ -46,7 +46,7 @@ Definition of done:
 Deliverables:
 - `okdev connect` (interactive shell/command execution)
 - `okdev ports` with config-defined forwards
-- Cross-machine reattach (`okdev up --attach`)
+- Cross-machine reattach (`okdev up`)
 - Local active-session pointer in repo metadata
 
 Definition of done:
diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -52,8 +52,8 @@ For a named session:
 ./bin/okdev sync --mode up
 ./bin/okdev ports
 
-# one-stop attach flow (shell + sync + app ports + ssh tunnel)
-./bin/okdev up --attach
+# one-step setup flow (sync + app ports + ssh tunnel), then exit
+./bin/okdev up
 
 # continuous sync (syncthing)
 ./bin/okdev sync
@@ -67,7 +67,7 @@ Default sidecar image tag follows the running `okdev` binary version (`ghcr.io/<
 Use `spec.sync.exclude` for local ignore patterns and `spec.sync.remoteExclude` for remote-only ignore patterns.
 For SSH, default mode is `spec.ssh.mode=dev-container` (your dev image runs sshd). Set `spec.ssh.mode=sidecar` to use `ghcr.io/<repo-owner>/okdev-sshd:<okdev-version>` instead.
 `okdev ssh` and `okdev up` manage `~/.ssh/config` entries as `okdev-<session>`.
-Configured `spec.ports` are written as SSH `LocalForward` rules and can be auto-started by `okdev up --attach`.
+Configured `spec.ports` are written as SSH `LocalForward` rules and auto-start with `okdev up`.
 
 Preview-only mode (no cluster changes):
 
diff --git a/internal/cli/ssh.go b/internal/cli/ssh.go
@@ -138,19 +138,24 @@ func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod
 	}
 
 	script := fmt.Sprintf("mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && (grep -qxF %s ~/.ssh/authorized_keys || echo %s >> ~/.ssh/authorized_keys)", syncengine.ShellEscape(pubKey), syncengine.ShellEscape(pubKey))
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
 	k := newKubeClient(opts)
 	container := sshTargetContainer(cfg)
-	if container == "" {
-		_, err = k.ExecSh(ctx, namespace, pod, script)
-	} else {
-		_, err = k.ExecShInContainer(ctx, namespace, pod, container, script)
-	}
-	if err != nil {
-		return fmt.Errorf("install ssh key in pod: %w", err)
+	var lastErr error
+	for i := 0; i < 3; i++ {
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		if container == "" {
+			_, err = k.ExecSh(ctx, namespace, pod, script)
+		} else {
+			_, err = k.ExecShInContainer(ctx, namespace, pod, container, script)
+		}
+		cancel()
+		if err == nil {
+			return nil
+		}
+		lastErr = err
+		time.Sleep(time.Duration(i+1) * 500 * time.Millisecond)
 	}
-	return nil
+	return fmt.Errorf("install ssh key in pod: %w", lastErr)
 }
 
 func defaultSSHKeyPath(cfg *config.DevEnvironment) (string, error) {
@@ -162,7 +167,11 @@ func defaultSSHKeyPath(cfg *config.DevEnvironment) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return filepath.Join(home, ".ssh", "okdev_ed25519"), nil
+	legacy := filepath.Join(home, ".ssh", "okdev_ed25519")
+	if _, err := os.Stat(legacy); err == nil {
+		return legacy, nil
+	}
+	return filepath.Join(home, ".okdev", "ssh", "id_ed25519"), nil
 }
 
 func sshTargetContainer(cfg *config.DevEnvironment) string {
diff --git a/internal/cli/up.go b/internal/cli/up.go
@@ -16,18 +16,13 @@ import (
 )
 
 func newUpCmd(opts *Options) *cobra.Command {
-	var attach bool
-	var noAttach bool
 	var waitTimeout time.Duration
 	var dryRun bool
 
 	cmd := &cobra.Command{
 		Use:   "up",
 		Short: "Create or resume a dev session",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if noAttach {
-				attach = false
-			}
 			cfg, ns, err := loadConfigAndNamespace(opts)
 			if err != nil {
 				return err
@@ -50,9 +45,8 @@ func newUpCmd(opts *Options) *cobra.Command {
 				}
 				fmt.Fprintf(cmd.OutOrStdout(), "- would apply pod/%s\n", pod)
 				fmt.Fprintf(cmd.OutOrStdout(), "- would wait for pod readiness (timeout=%s)\n", waitTimeout)
-				if attach {
-					fmt.Fprintln(cmd.OutOrStdout(), "- would attach shell and start background sync/ports/ssh")
-				}
+				fmt.Fprintln(cmd.OutOrStdout(), "- would setup SSH config + managed SSH/port-forwards")
+				fmt.Fprintln(cmd.OutOrStdout(), "- would start background sync (when sync.engine=syncthing)")
 				return nil
 			}
 			if err := ensureSessionOwnership(opts, k, ns, sn, true); err != nil {
@@ -113,56 +107,51 @@ func newUpCmd(opts *Options) *cobra.Command {
 			}
 
 			fmt.Fprintf(cmd.OutOrStdout(), "Session ready: %s (namespace: %s)\n", sn, ns)
-			if attach {
-				stopMaintenance := startSessionMaintenanceWithClient(k, cfg, ns, sn, cmd.OutOrStdout(), true, true)
-				defer stopMaintenance()
-
-				if cfg.Spec.SSH.LocalPort > 0 && cfg.Spec.SSH.RemotePort > 0 {
-					keyPath, keyErr := defaultSSHKeyPath(cfg)
-					if keyErr != nil {
-						fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to resolve SSH key path: %v\n", keyErr)
+			if cfg.Spec.SSH.LocalPort > 0 && cfg.Spec.SSH.RemotePort > 0 {
+				keyPath, keyErr := defaultSSHKeyPath(cfg)
+				if keyErr != nil {
+					fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to resolve SSH key path: %v\n", keyErr)
+				} else {
+					if err := ensureSSHKeyOnPod(opts, cfg, ns, pod, keyPath); err != nil {
+						fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to setup SSH key in pod: %v\n", err)
+					}
+					alias := sshHostAlias(sn)
+					cfgPath, _ := config.ResolvePath(opts.ConfigPath)
+					if cfgErr := ensureSSHConfigEntry(alias, sn, cfg.Spec.SSH.User, cfg.Spec.SSH.LocalPort, cfg.Spec.SSH.RemotePort, keyPath, cfgPath, cfg.Spec.Ports); cfgErr != nil {
+						fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to update ~/.ssh/config: %v\n", cfgErr)
 					} else {
-						if err := ensureSSHKeyOnPod(opts, cfg, ns, pod, keyPath); err != nil {
-							fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to setup SSH key in pod: %v\n", err)
+						// Force-refresh managed master so forward rules are always current after `okdev up`.
+						_ = stopManagedSSHForward(alias)
+						if err := startManagedSSHForward(alias); err != nil {
+							fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start managed SSH/port-forwards: %v\n", err)
 						} else {
-							alias := sshHostAlias(sn)
-							cfgPath, _ := config.ResolvePath(opts.ConfigPath)
-							if cfgErr := ensureSSHConfigEntry(alias, sn, cfg.Spec.SSH.User, cfg.Spec.SSH.LocalPort, cfg.Spec.SSH.RemotePort, keyPath, cfgPath, cfg.Spec.Ports); cfgErr != nil {
-								fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to update ~/.ssh/config: %v\n", cfgErr)
-							} else if err := startManagedSSHForward(alias); err != nil {
-								fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start managed SSH/port-forwards: %v\n", err)
+							if len(cfg.Spec.Ports) > 0 {
+								fmt.Fprintf(cmd.OutOrStdout(), "SSH ready: ssh %s (managed forwards active)\n", alias)
 							} else {
-								if len(cfg.Spec.Ports) > 0 {
-									fmt.Fprintf(cmd.OutOrStdout(), "Background SSH tunnel + port-forwards active via %s\n", alias)
-								} else {
-									fmt.Fprintf(cmd.OutOrStdout(), "Background SSH tunnel active: ssh %s\n", alias)
-								}
+								fmt.Fprintf(cmd.OutOrStdout(), "SSH ready: ssh %s\n", alias)
 							}
 						}
 					}
 				}
+			}
 
-				if cfg.Spec.Sync.Engine == "" || cfg.Spec.Sync.Engine == "syncthing" {
-					logPath, started, err := startDetachedSyncthingSync(opts, "bi", sn)
-					if err != nil {
-						fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start syncthing background sync: %v\n", err)
+			if cfg.Spec.Sync.Engine == "" || cfg.Spec.Sync.Engine == "syncthing" {
+				logPath, started, err := startDetachedSyncthingSync(opts, "bi", sn)
+				if err != nil {
+					fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start syncthing background sync: %v\n", err)
+				} else {
+					if started {
+						fmt.Fprintf(cmd.OutOrStdout(), "Background syncthing sync active (mode=bi). Logs: %s\n", logPath)
 					} else {
-						if started {
-							fmt.Fprintf(cmd.OutOrStdout(), "Background syncthing sync active (mode=bi). Logs: %s\n", logPath)
-						} else {
-							fmt.Fprintf(cmd.OutOrStdout(), "Background syncthing sync already running (mode=bi). Logs: %s\n", logPath)
-						}
+						fmt.Fprintf(cmd.OutOrStdout(), "Background syncthing sync already running (mode=bi). Logs: %s\n", logPath)
 					}
 				}
-
-				return runConnectWithClient(k, ns, sn, []string{"sh", "-lc", "command -v bash >/dev/null 2>&1 && exec bash || exec sh"}, true)
 			}
+
 			return nil
 		},
 	}
 
-	cmd.Flags().BoolVar(&attach, "attach", true, "Attach shell after session is ready")
-	cmd.Flags().BoolVar(&noAttach, "no-attach", false, "Do not attach shell/background integrations after session is ready")
 	cmd.Flags().DurationVar(&waitTimeout, "wait-timeout", 3*time.Minute, "Wait timeout for pod readiness")
 	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "Preview actions without applying resources")
 	return cmd
