fix(ssh): wire embedded mode port/key handling across up/ssh/ports

Author: acmore

.github/workflows/syncthing-image.yml

@@ -56,7 +56,7 @@ jobs:
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
-          context: infra/sidecar
+          context: .
           file: infra/sidecar/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true

internal/cli/common.go

@@ -22,6 +22,11 @@ import (
 )
 
 const sessionHeartbeatInterval = 5 * time.Minute
+const (
+	sshModeSidecar  = "sidecar"
+	sshModeEmbedded = "embedded"
+	embeddedSSHPort = 2222
+)
 
 var invalidOwnerChars = regexp.MustCompile(`[^a-z0-9._-]`)
 
@@ -170,6 +175,38 @@ func annotationsForSession(cfg *config.DevEnvironment) map[string]string {
 	return out
 }
 
+func normalizeSSHMode(mode string) string {
+	switch strings.ToLower(strings.TrimSpace(mode)) {
+	case sshModeEmbedded:
+		return sshModeEmbedded
+	default:
+		return sshModeSidecar
+	}
+}
+
+func sshRemotePortForMode(cfg *config.DevEnvironment, mode string) int {
+	if normalizeSSHMode(mode) == sshModeEmbedded {
+		return embeddedSSHPort
+	}
+	if cfg != nil && cfg.Spec.SSH.RemotePort > 0 {
+		return cfg.Spec.SSH.RemotePort
+	}
+	return 22
+}
+
+func detectSessionSSHMode(opts *Options, namespace, sessionName string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	mode, err := newKubeClient(opts).GetPodAnnotation(ctx, namespace, podName(sessionName), "okdev.io/ssh-mode")
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return sshModeSidecar, nil
+		}
+		return "", err
+	}
+	return normalizeSSHMode(mode), nil
+}
+
 func podName(sessionName string) string {
 	return "okdev-" + sessionName
 }

internal/cli/ports.go

@@ -30,6 +30,11 @@ func newPortsCmd(opts *Options) *cobra.Command {
 			if err := ensureSessionOwnership(opts, k, ns, sn, true); err != nil {
 				return err
 			}
+			sshMode, modeErr := detectSessionSSHMode(opts, ns, sn)
+			if modeErr != nil {
+				return fmt.Errorf("detect ssh mode: %w", modeErr)
+			}
+			effectiveSSHPort := sshRemotePortForMode(cfg, sshMode)
 			stopMaintenance := startSessionMaintenance(opts, cfg, ns, sn, cmd.OutOrStdout(), true, true)
 			defer stopMaintenance()
 			if len(cfg.Spec.Ports) == 0 {
@@ -50,14 +55,14 @@ func newPortsCmd(opts *Options) *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("resolve SSH key path: %w", err)
 			}
-			if err := ensureSSHKeyOnPod(opts, cfg, ns, podName(sn), keyPath); err != nil {
+			if err := ensureSSHKeyOnPod(opts, cfg, ns, podName(sn), keyPath, sshMode); err != nil {
 				return fmt.Errorf("setup SSH key in pod: %w", err)
 			}
-			if err := waitForSSHDReady(opts, cfg, ns, podName(sn), 20*time.Second); err != nil {
+			if err := waitForSSHDReady(opts, cfg, ns, podName(sn), sshMode, 20*time.Second); err != nil {
 				return fmt.Errorf("wait for sshd ready: %w", err)
 			}
 			alias := sshHostAlias(sn)
-			changed, err := ensureSSHConfigEntry(alias, sn, ns, cfg.Spec.SSH.User, cfg.Spec.SSH.RemotePort, keyPath, cfgPath, cfg.Spec.Ports, cfg.Spec.SSH)
+			changed, err := ensureSSHConfigEntry(alias, sn, ns, cfg.Spec.SSH.User, effectiveSSHPort, keyPath, cfgPath, cfg.Spec.Ports, cfg.Spec.SSH)
 			if err != nil {
 				return fmt.Errorf("update ~/.ssh/config for managed forwards: %w", err)
 			}

internal/cli/ssh.go

@@ -47,14 +47,18 @@ func newSSHCmd(opts *Options) *cobra.Command {
 			if err := ensureSessionOwnership(opts, k, ns, sn, true); err != nil {
 				return err
 			}
+			sshMode, modeErr := detectSessionSSHMode(opts, ns, sn)
+			if modeErr != nil {
+				return fmt.Errorf("detect ssh mode: %w", modeErr)
+			}
 			stopMaintenance := startSessionMaintenance(opts, cfg, ns, sn, cmd.OutOrStdout(), true, true)
 			defer stopMaintenance()
 
 			if user == "" {
 				user = cfg.Spec.SSH.User
 			}
 			if remotePort == 0 {
-				remotePort = cfg.Spec.SSH.RemotePort
+				remotePort = sshRemotePortForMode(cfg, sshMode)
 			}
 			if localPort == 0 {
 				localPort = 2222
@@ -67,11 +71,11 @@ func newSSHCmd(opts *Options) *cobra.Command {
 			}
 
 			if setupKey {
-				if err := ensureSSHKeyOnPod(opts, cfg, ns, podName(sn), keyPath); err != nil {
+				if err := ensureSSHKeyOnPod(opts, cfg, ns, podName(sn), keyPath, sshMode); err != nil {
 					return err
 				}
 			}
-			if err := waitForSSHDReady(opts, cfg, ns, podName(sn), 20*time.Second); err != nil {
+			if err := waitForSSHDReady(opts, cfg, ns, podName(sn), sshMode, 20*time.Second); err != nil {
 				fmt.Fprintf(cmd.ErrOrStderr(), "warning: sshd not ready yet: %v\n", err)
 			}
 
@@ -248,7 +252,7 @@ func newSSHCmd(opts *Options) *cobra.Command {
 	return cmd
 }
 
-func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod, keyPath string) error {
+func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod, keyPath, sshMode string) error {
 	if err := ensureCommand("ssh-keygen"); err != nil {
 		return err
 	}
@@ -275,6 +279,7 @@ func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod
 	k := newKubeClient(opts)
 	container := sshTargetContainer(cfg)
 	var lastErr error
+	installed := false
 	for i := 0; i < 3; i++ {
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		if container == "" {
@@ -284,25 +289,58 @@ func ensureSSHKeyOnPod(opts *Options, cfg *config.DevEnvironment, namespace, pod
 		}
 		cancel()
 		if err == nil {
-			return nil
+			installed = true
+			break
 		}
 		lastErr = err
 		time.Sleep(time.Duration(i+1) * 500 * time.Millisecond)
 	}
-	return fmt.Errorf("install ssh key in pod: %w", lastErr)
+	if !installed {
+		return fmt.Errorf("install ssh key in pod: %w", lastErr)
+	}
+
+	if normalizeSSHMode(sshMode) == sshModeEmbedded {
+		copyScript := `set -eu
+DEV_PID=""
+for pid in $(ls /proc 2>/dev/null | grep -E '^[0-9]+$' | sort -n); do
+  [ "$pid" = "1" ] && continue
+  [ "$pid" = "$$" ] && continue
+  [ -r "/proc/$pid/root" ] 2>/dev/null || continue
+  if ! [ "/proc/$pid/root" -ef "/proc/self/root" ] 2>/dev/null; then
+    if [ -d "/proc/$pid" ]; then
+      DEV_PID="$pid"
+      break
+    fi
+  fi
+done
+[ -n "$DEV_PID" ]
+nsenter --target "$DEV_PID" --mount -- mkdir -p /var/okdev
+cat /root/.ssh/authorized_keys | nsenter --target "$DEV_PID" --mount -- sh -c "cat > /var/okdev/authorized_keys && chmod 600 /var/okdev/authorized_keys"`
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		_, err := k.ExecShInContainer(ctx, namespace, pod, "okdev-sidecar", copyScript)
+		cancel()
+		if err != nil {
+			return fmt.Errorf("sync embedded ssh authorized_keys: %w", err)
+		}
+	}
+	return nil
 }
 
-func waitForSSHDReady(opts *Options, cfg *config.DevEnvironment, namespace, pod string, timeout time.Duration) error {
+func waitForSSHDReady(opts *Options, cfg *config.DevEnvironment, namespace, pod, sshMode string, timeout time.Duration) error {
 	k := newKubeClient(opts)
 	container := sshTargetContainer(cfg)
 	if container == "" {
 		return nil
 	}
+	probeCmd := "ps | grep '[s]shd' >/dev/null 2>&1"
+	if normalizeSSHMode(sshMode) == sshModeEmbedded {
+		probeCmd = "ps | grep '[o]kdev-sshd' >/dev/null 2>&1"
+	}
 	deadline := time.Now().Add(timeout)
 	var lastErr error
 	for time.Now().Before(deadline) {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		_, err := k.ExecShInContainer(ctx, namespace, pod, container, "ps | grep '[s]shd' >/dev/null 2>&1")
+		_, err := k.ExecShInContainer(ctx, namespace, pod, container, probeCmd)
 		cancel()
 		if err == nil {
 			return nil

internal/cli/up.go

@@ -59,6 +59,7 @@ func newUpCmd(opts *Options) *cobra.Command {
 			ui.stepDone("namespace", ns)
 			labels := labelsForSession(opts, cfg, sn)
 			annotations := annotationsForSession(cfg)
+			annotations["okdev.io/ssh-mode"] = normalizeSSHMode(sshMode)
 			volumes := cfg.EffectiveVolumes()
 			pod := podName(sn)
 			if dryRun {
@@ -135,22 +136,23 @@ func newUpCmd(opts *Options) *cobra.Command {
 
 			ui.section("Setup")
 			sshSummary := "disabled"
-			if cfg.Spec.SSH.RemotePort > 0 {
+			effectiveSSHPort := sshRemotePortForMode(cfg, sshMode)
+			if effectiveSSHPort > 0 {
 				keyPath, keyErr := defaultSSHKeyPath(cfg)
 				if keyErr != nil {
 					ui.warnf("failed to resolve SSH key path: %v", keyErr)
 					sshSummary = "degraded (key path error)"
 				} else {
-					if err := ensureSSHKeyOnPod(opts, cfg, ns, pod, keyPath); err != nil {
+					if err := ensureSSHKeyOnPod(opts, cfg, ns, pod, keyPath, sshMode); err != nil {
 						ui.warnf("failed to setup SSH key in pod: %v", err)
 						sshSummary = "degraded (key setup failed)"
 					}
-					if err := waitForSSHDReady(opts, cfg, ns, pod, 20*time.Second); err != nil {
+					if err := waitForSSHDReady(opts, cfg, ns, pod, sshMode, 20*time.Second); err != nil {
 						ui.warnf("sshd not ready yet: %v", err)
 						sshSummary = "degraded (sshd not ready)"
 					}
 					alias := sshHostAlias(sn)
-					if _, cfgErr := ensureSSHConfigEntry(alias, sn, ns, cfg.Spec.SSH.User, cfg.Spec.SSH.RemotePort, keyPath, cfgPath, cfg.Spec.Ports, cfg.Spec.SSH); cfgErr != nil {
+					if _, cfgErr := ensureSSHConfigEntry(alias, sn, ns, cfg.Spec.SSH.User, effectiveSSHPort, keyPath, cfgPath, cfg.Spec.Ports, cfg.Spec.SSH); cfgErr != nil {
 						ui.warnf("failed to update ~/.ssh/config: %v", cfgErr)
 						sshSummary = "degraded (ssh config update failed)"
 					} else {