feat(cli): improve attach flow and add ssh sidecar mode

Author: acmore

internal/cli/down.go

@@ -2,6 +2,9 @@ package cli
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
 
 	"github.com/spf13/cobra"
 )
@@ -47,6 +50,7 @@ func newDownCmd(opts *Options) *cobra.Command {
 					return fmt.Errorf("delete workspace pvc: %w", err)
 				}
 			}
+			_ = removeSSHConfigEntry(sshHostAlias(sn))
 			fmt.Fprintf(cmd.OutOrStdout(), "Session stopped: %s\n", sn)
 			if !deletePVC && cfg.Spec.Workspace.PVC.ClaimName == "" {
 				fmt.Fprintf(cmd.OutOrStdout(), "Workspace PVC retained: %s (use --delete-pvc to remove)\n", pvcName(cfg, sn))
@@ -58,3 +62,22 @@ func newDownCmd(opts *Options) *cobra.Command {
 	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "Preview actions without deleting resources")
 	return cmd
 }
+
+func removeSSHConfigEntry(hostAlias string) error {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return err
+	}
+	configPath := filepath.Join(home, ".ssh", "config")
+	existing, err := os.ReadFile(configPath)
+	if err != nil {
+		return nil
+	}
+	begin := "# BEGIN OKDEV " + hostAlias
+	end := "# END OKDEV " + hostAlias
+	updated := strings.TrimSpace(stripManagedSSHBlock(string(existing), begin, end))
+	if updated == "" {
+		return os.WriteFile(configPath, []byte(""), 0o600)
+	}
+	return os.WriteFile(configPath, []byte(updated+"\n"), 0o600)
+}

internal/cli/portforward_helper.go

@@ -16,6 +16,10 @@ func startManagedPortForward(opts *Options, namespace, pod string, forwards []st
 	return startManagedPortForwardWithClient(newKubeClient(opts), namespace, pod, forwards)
 }
 
+func startManagedPortForwardNoProbe(opts *Options, namespace, pod string, forwards []string) (context.CancelFunc, error) {
+	return startManagedPortForwardNoProbeWithClient(newKubeClient(opts), namespace, pod, forwards)
+}
+
 func startManagedPortForwardWithClient(k interface {
 	PortForward(context.Context, string, string, []string, io.Writer, io.Writer) error
 }, namespace, pod string, forwards []string) (context.CancelFunc, error) {
@@ -58,6 +62,37 @@ func startManagedPortForwardWithClient(k interface {
 	}
 }
 
+func startManagedPortForwardNoProbeWithClient(k interface {
+	PortForward(context.Context, string, string, []string, io.Writer, io.Writer) error
+}, namespace, pod string, forwards []string) (context.CancelFunc, error) {
+	ctx, cancel := context.WithCancel(context.Background())
+	errCh := make(chan error, 1)
+	doneCh := make(chan struct{})
+	go func() {
+		defer close(doneCh)
+		errCh <- k.PortForward(ctx, namespace, pod, forwards, io.Discard, io.Discard)
+	}()
+	cancelAndWait := func() {
+		cancel()
+		select {
+		case <-doneCh:
+		case <-time.After(portForwardShutdownWait):
+		}
+	}
+	timer := time.NewTimer(500 * time.Millisecond)
+	defer timer.Stop()
+	select {
+	case err := <-errCh:
+		cancelAndWait()
+		if err != nil {
+			return nil, err
+		}
+		return nil, fmt.Errorf("port-forward exited before ready")
+	case <-timer.C:
+		return cancelAndWait, nil
+	}
+}
+
 func localPortsFromForwards(forwards []string) []int {
 	ports := make([]int, 0, len(forwards))
 	for _, f := range forwards {

internal/cli/ssh.go

@@ -25,7 +25,7 @@ func newSSHCmd(opts *Options) *cobra.Command {
 
 	cmd := &cobra.Command{
 		Use:   "ssh",
-		Short: "Connect to session pod over SSH (requires sshd in container)",
+		Short: "Connect to session pod over SSH (dev container or okdev SSH sidecar)",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cfg, ns, err := loadConfigAndNamespace(opts)
 			if err != nil {
@@ -59,7 +59,7 @@ func newSSHCmd(opts *Options) *cobra.Command {
 			}
 
 			if setupKey {
-				if err := ensureSSHKeyOnPod(opts, ns, podName(sn), keyPath); err != nil {
+				if err := ensureSSHKeyOnPod(opts, cfg, ns, podName(sn), keyPath); err != nil {
 					return err
 				}
 			}
@@ -70,16 +70,21 @@ func newSSHCmd(opts *Options) *cobra.Command {
 			}
 			defer cancelPF()
 
+			sshHost := sshHostAlias(sn)
+			if cfgErr := ensureSSHConfigEntry(sshHost, user, localPort, keyPath); cfgErr != nil {
+				fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to update ~/.ssh/config: %v\n", cfgErr)
+			}
+
 			sshArgs := []string{
 				"-p", fmt.Sprintf("%d", localPort),
 				"-o", "StrictHostKeyChecking=no",
 				"-o", "UserKnownHostsFile=/dev/null",
 				"-i", keyPath,
 			}
 			if cmdStr != "" {
-				sshArgs = append(sshArgs, fmt.Sprintf("%s@127.0.0.1", user), cmdStr)
+				sshArgs = append(sshArgs, sshHost, cmdStr)
 			} else {
-				sshArgs = append(sshArgs, fmt.Sprintf("%s@127.0.0.1", user))
+				sshArgs = append(sshArgs, sshHost)
 			}
 			sshCmd := exec.Command("ssh", sshArgs...)
 			sshCmd.Stdin = os.Stdin
@@ -101,7 +106,7 @@ func newSSHCmd(opts *Options) *cobra.Command {
 	return cmd
 }
 
-func ensureSSHKeyOnPod(opts *Options, namespace, pod, keyPath string) error {
+func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod, keyPath string) error {
 	if err := ensureCommand("ssh-keygen"); err != nil {
 		return err
 	}
@@ -127,7 +132,13 @@ func ensureSSHKeyOnPod(opts *Options, namespace, pod, keyPath string) error {
 	script := fmt.Sprintf("mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && (grep -qxF %s ~/.ssh/authorized_keys || echo %s >> ~/.ssh/authorized_keys)", syncengine.ShellEscape(pubKey), syncengine.ShellEscape(pubKey))
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
-	_, err = newKubeClient(opts).ExecSh(ctx, namespace, pod, script)
+	k := newKubeClient(opts)
+	container := sshTargetContainer(cfg)
+	if container == "" {
+		_, err = k.ExecSh(ctx, namespace, pod, script)
+	} else {
+		_, err = k.ExecShInContainer(ctx, namespace, pod, container, script)
+	}
 	if err != nil {
 		return fmt.Errorf("install ssh key in pod: %w", err)
 	}
@@ -149,3 +160,72 @@ func defaultSSHKeyPath(cfg *config.DevEnvironment) (string, error) {
 	}
 	return filepath.Join(home, ".ssh", "okdev_ed25519"), nil
 }
+
+func sshTargetContainer(cfg *config.DevEnvironment) string {
+	if cfg == nil {
+		return ""
+	}
+	if strings.EqualFold(strings.TrimSpace(cfg.Spec.SSH.Mode), "sidecar") {
+		return "okdev-ssh"
+	}
+	return ""
+}
+
+func sshHostAlias(sessionName string) string {
+	return "okdev-" + sessionName
+}
+
+func ensureSSHConfigEntry(hostAlias, user string, localPort int, keyPath string) error {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return err
+	}
+	sshDir := filepath.Join(home, ".ssh")
+	if err := os.MkdirAll(sshDir, 0o700); err != nil {
+		return err
+	}
+	configPath := filepath.Join(sshDir, "config")
+	existing, _ := os.ReadFile(configPath)
+
+	begin := "# BEGIN OKDEV " + hostAlias
+	end := "# END OKDEV " + hostAlias
+	blockLines := []string{
+		begin,
+		"Host " + hostAlias,
+		"  HostName 127.0.0.1",
+		fmt.Sprintf("  Port %d", localPort),
+		"  User " + user,
+		"  IdentityFile " + keyPath,
+		"  StrictHostKeyChecking no",
+		"  UserKnownHostsFile /dev/null",
+		end,
+	}
+	block := strings.Join(blockLines, "\n") + "\n"
+	updated := stripManagedSSHBlock(string(existing), begin, end) + "\n" + block
+	updated = strings.TrimSpace(updated) + "\n"
+	return os.WriteFile(configPath, []byte(updated), 0o600)
+}
+
+func stripManagedSSHBlock(content, begin, end string) string {
+	lines := strings.Split(content, "\n")
+	out := make([]string, 0, len(lines))
+	inBlock := false
+	for _, line := range lines {
+		t := strings.TrimSpace(line)
+		if t == begin {
+			inBlock = true
+			continue
+		}
+		if inBlock {
+			if t == end {
+				inBlock = false
+			}
+			continue
+		}
+		out = append(out, line)
+	}
+	for len(out) > 0 && strings.TrimSpace(out[len(out)-1]) == "" {
+		out = out[:len(out)-1]
+	}
+	return strings.Join(out, "\n")
+}

internal/cli/up.go

@@ -7,12 +7,14 @@ import (
 	"log/slog"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/acmore/okdev/internal/config"
 	"github.com/acmore/okdev/internal/kube"
 	"github.com/acmore/okdev/internal/session"
 	"github.com/spf13/cobra"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 func newUpCmd(opts *Options) *cobra.Command {
@@ -61,6 +63,16 @@ func newUpCmd(opts *Options) *cobra.Command {
 			if warnErr := warnIfConfigNewerThanSession(opts, k, ns, sn, pod, cmd.ErrOrStderr()); warnErr != nil {
 				slog.Debug("skip config drift warning", "error", warnErr)
 			}
+			existingRunningReady := false
+			{
+				ctxCheck, cancelCheck := context.WithTimeout(context.Background(), 10*time.Second)
+				defer cancelCheck()
+				if ps, perr := k.GetPodSummary(ctxCheck, ns, pod); perr == nil {
+					existingRunningReady = strings.EqualFold(ps.Phase, "Running") && podReadyFromSummary(ps.Ready)
+				} else if !apierrors.IsNotFound(perr) {
+					return perr
+				}
+			}
 
 			ctx, cancel := defaultContext()
 			defer cancel()
@@ -75,36 +87,40 @@ func newUpCmd(opts *Options) *cobra.Command {
 				}
 			}
 
-			preparedSpec, err := kube.PreparePodSpec(
+			preparedSpec, err := kube.PreparePodSpecWithSSH(
 				cfg.Spec.PodTemplate.Spec,
 				pvc,
 				cfg.Spec.Workspace.MountPath,
 				cfg.Spec.Sync.Engine == "syncthing",
 				cfg.Spec.Sync.Syncthing.Image,
+				strings.EqualFold(cfg.Spec.SSH.Mode, "sidecar"),
+				cfg.Spec.SSH.SidecarImage,
 			)
 			if err != nil {
 				return err
 			}
 
-			podManifest, err := kube.BuildPodManifest(ns, pod, labels, annotations, preparedSpec)
-			if err != nil {
-				return err
-			}
-			if err := k.Apply(ctx, ns, podManifest); err != nil {
-				return err
-			}
-			progressPrinter := func(p kube.PodReadinessProgress) {
-				fmt.Fprintf(cmd.OutOrStdout(), "Waiting for pod/%s: phase=%s ready=%d/%d reason=%s\n", pod, p.Phase, p.ReadyContainers, p.TotalContainers, p.Reason)
-			}
-			if err := k.WaitReadyWithProgress(ctx, ns, pod, waitTimeout, progressPrinter); err != nil {
-				hints := fmt.Sprintf("next steps:\n- run `okdev status --session %s`\n- run `kubectl -n %s describe pod %s`", sn, ns, pod)
-				diag, derr := k.DescribePod(ctx, ns, pod)
-				if derr == nil {
-					fmt.Fprintf(cmd.ErrOrStderr(), "pod diagnostics:\n%s\n\n%s\n", diag, hints)
+			if !existingRunningReady {
+				podManifest, err := kube.BuildPodManifest(ns, pod, labels, annotations, preparedSpec)
+				if err != nil {
+					return err
+				}
+				if err := k.Apply(ctx, ns, podManifest); err != nil {
+					return err
+				}
+				progressPrinter := func(p kube.PodReadinessProgress) {
+					fmt.Fprintf(cmd.OutOrStdout(), "Waiting for pod/%s: phase=%s ready=%d/%d reason=%s\n", pod, p.Phase, p.ReadyContainers, p.TotalContainers, p.Reason)
+				}
+				if err := k.WaitReadyWithProgress(ctx, ns, pod, waitTimeout, progressPrinter); err != nil {
+					hints := fmt.Sprintf("next steps:\n- run `okdev status --session %s`\n- run `kubectl -n %s describe pod %s`", sn, ns, pod)
+					diag, derr := k.DescribePod(ctx, ns, pod)
+					if derr == nil {
+						fmt.Fprintf(cmd.ErrOrStderr(), "pod diagnostics:\n%s\n\n%s\n", diag, hints)
+						return fmt.Errorf("wait for pod/%s readiness failed: %w", pod, err)
+					}
+					fmt.Fprintln(cmd.ErrOrStderr(), hints)
 					return fmt.Errorf("wait for pod/%s readiness failed: %w", pod, err)
 				}
-				fmt.Fprintln(cmd.ErrOrStderr(), hints)
-				return fmt.Errorf("wait for pod/%s readiness failed: %w", pod, err)
 			}
 
 			if err := session.SaveActiveSession(sn); err != nil {
@@ -132,29 +148,34 @@ func newUpCmd(opts *Options) *cobra.Command {
 						forwards = append(forwards, strconv.Itoa(p.Local)+":"+strconv.Itoa(p.Remote))
 					}
 					if len(forwards) > 0 {
-						cancelPF, err := startManagedPortForwardWithClient(k, ns, pod, forwards)
+						cancelPF, err := startManagedPortForwardNoProbeWithClient(k, ns, pod, forwards)
 						if err != nil {
-							return fmt.Errorf("start background port-forward: %w", err)
+							fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start background port-forward: %v\n", err)
+						} else {
+							stopBackgrounds = append(stopBackgrounds, cancelPF)
+							fmt.Fprintf(cmd.OutOrStdout(), "Background port-forward active: %v\n", forwards)
 						}
-						stopBackgrounds = append(stopBackgrounds, cancelPF)
-						fmt.Fprintf(cmd.OutOrStdout(), "Background port-forward active: %v\n", forwards)
 					}
 				}
 				if cfg.Spec.SSH.LocalPort > 0 && cfg.Spec.SSH.RemotePort > 0 {
 					keyPath, keyErr := defaultSSHKeyPath(cfg)
 					if keyErr != nil {
 						fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to resolve SSH key path: %v\n", keyErr)
 					} else {
-						if err := ensureSSHKeyOnPod(opts, ns, pod, keyPath); err != nil {
+						if err := ensureSSHKeyOnPod(opts, cfg, ns, pod, keyPath); err != nil {
 							fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to setup SSH key in pod: %v\n", err)
 						} else {
 							sshForward := []string{strconv.Itoa(cfg.Spec.SSH.LocalPort) + ":" + strconv.Itoa(cfg.Spec.SSH.RemotePort)}
-							cancelSSH, err := startManagedPortForwardWithClient(k, ns, pod, sshForward)
+							cancelSSH, err := startManagedPortForwardNoProbeWithClient(k, ns, pod, sshForward)
 							if err != nil {
 								fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to start SSH port-forward %v: %v\n", sshForward, err)
 							} else {
 								stopBackgrounds = append(stopBackgrounds, cancelSSH)
-								fmt.Fprintf(cmd.OutOrStdout(), "Background SSH tunnel active: ssh -p %d -i %s %s@127.0.0.1\n", cfg.Spec.SSH.LocalPort, keyPath, cfg.Spec.SSH.User)
+								alias := sshHostAlias(sn)
+								if cfgErr := ensureSSHConfigEntry(alias, cfg.Spec.SSH.User, cfg.Spec.SSH.LocalPort, keyPath); cfgErr != nil {
+									fmt.Fprintf(cmd.ErrOrStderr(), "warning: failed to update ~/.ssh/config: %v\n", cfgErr)
+								}
+								fmt.Fprintf(cmd.OutOrStdout(), "Background SSH tunnel active: ssh %s\n", alias)
 							}
 						}
 					}
@@ -206,3 +227,11 @@ func warnIfConfigNewerThanSession(opts *Options, k *kube.Client, namespace, sess
 	}
 	return nil
 }
+
+func podReadyFromSummary(ready string) bool {
+	parts := strings.Split(strings.TrimSpace(ready), "/")
+	if len(parts) != 2 {
+		return false
+	}
+	return parts[0] == parts[1] && parts[0] != "0"
+}