Support ssh public keys configuration

[mustard-mh]

Description

This PR works on allowing users to upload their own ssh public key to Gitpod, make copy-paste ssh connect more conventional, and make sharing of ssh connect command more safety

Link of Figma

TODO

• ‼️ Find out how to setup db-sync
• ‼️ Merge PR [ws-proxy, ws-manager] support user upload ssh public key #10617
• ‼️ Deploy previous PR [ws-proxy, ws-manager] support user upload ssh public key #10617
• Dashboard ssh copy-paste improve
• Make copy-paste ways can be switched
• Properly content for users

Functions for late used time?

Related Issue(s)

Relate #9932

How to test

Modal of ssh copy-paste always shows SSH Key as the default selection, if the user has no public key uploaded, it will show a warning in this section.

• Start a workspace in prev env
• Wait until the workspace is ready
• Connect with ssh copy-paste, get conn A
  • Failed with ssh key conn
  • Success with access token conn
• add a public key via setting -> ssh keys
• Connect with ssh copy-paste use ssh key, get conn B
• Delete that public key you set in the settings
• Connection B should still work
• A new conn C which use the same command like conn B, will not works - ask a password

Release Notes

Allow users to add and remove SSH public keys in settings
Change UX of SSH copy-paste to support ssh key connection

Documentation

• TODO

Werft options:

• /werft with-preview

[mustard-mh]

/hold

[werft-gitpod-dev-com]

started the job as gitpod-build-hw-ssh-keys-s.30 because the annotations in the pull request description changed
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-hw-ssh-keys-s.31 because the annotations in the pull request description changed
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-hw-ssh-keys-s.32 because the annotations in the pull request description changed
(with .werft/ from main)

[mustard-mh]

I'll not change the description anymore until one build success, since werft is crazy now... 😱

[geropl]

Nice, LGTM! 👍

[akosyakov]

/werft run

👍 started the job as gitpod-build-hw-ssh-keys-s.45
(with .werft/ from main)

[akosyakov]

@mustard-mh wanted to check out UI, but werft fails

[gtsiolis]

/werft run

👍 started the job as gitpod-build-hw-ssh-keys-s.46
(with .werft/ from main)

[mustard-mh]

Resolved merge conflict

/werft run with-clean-slate-deployment=true

👍 started the job as gitpod-build-hw-ssh-keys-s.48
(with .werft/ from main)

[gtsiolis]

@mustard-mh Could you clean deploy another preview environment or delete some users because we've reached the limit of 10 users and no new users can sign up.

[mustard-mh]

@mustard-mh Could you clean deploy another preview environment or delete some users because we've reached the limit of 10 users and no new users can sign up.

@gtsiolis Rebased to main again, since some commits may fix this problem (db have only two builtin users)

[mustard-mh]

/werft run

👍 started the job as gitpod-build-hw-ssh-keys-s.50
(with .werft/ from main)

[mustard-mh]

works now @gtsiolis

[gtsiolis]

Looks great, @mustard-mh! 🔮

Took another look at this and left a few more comments below. 👀

[gtsiolis]

thought: Do we need this help link here? Asking because we also link below to the same page.

[iQQBot]

I think we can keep that, they are different part link

[gtsiolis]

issue(non-blocking): While we catch some cases, we still allow users adding invalid keys. Is this known? If needed, let's open a follow-up issue to resolve this.

[gtsiolis]

issue: When you don't have an SSH key in place, you still see an SSH command below to connect, which asks for a password. Should we drop (hide) the SSH command below?

[akosyakov]

If we should allow to copy it always. If a user adds keys following a warning then they can use it immediately. Otherwise they need to reopen the dialog

[gtsiolis]

If we should allow to copy it always. If a user adds keys following a warning then they can use it immediately. Otherwise they need to reopen the dialog

Ah, I see. Then the warning dialog becomes obsolete or no longer relevant after adding a key, right?

Maybe it's not worth doing so, but what do you think of rephrasing the copy then to the following when there are no keys in place:

BEFORE

The following shell command can be used to SSH into this workspace with a ssh key.

AFTER

The following shell command can be used to SSH into this workspace with a ssh key, once you add an SSH key.

Otherwise, let's leave this as is and ignore the comment above in #10573 (comment). ✔️

[akosyakov]

I'm fine with both. I think they will read a warning when prompted for a password.

[gtsiolis]

DEAL—Let's go with any option for now.

[akosyakov]

UI looks good, but then I try first time user flow I cannot connect:

• i start a workspace
• then go to dashboard and select connect to SSH
• it tells me that I don't have public keys
• i generate a new key on my machine under ~/.ssh/test_rsa
• i go to setting and add this key
• i go back to dialog, copy a command, paste it with -i ~/.ssh/test_rsa
• it asks me for password

Is it because newly installed keys are not automatically propagated to workspaces? Hm it does not work after restart either.

[iQQBot]

for me it works good @akosyakov Did your really upload correct public key? public key file name should be end with .pub

could your use ssh -vvv ..... command and provider logs?

[akosyakov]

@iQQBot I did everything again and it worked now. So probably some mistake on my side.

Oh, I know why, I did not exit another ssh session 😆 so I was in Gitpod container.

[iQQBot]

rebase to main and double-checked everything, now we are in gen51 it's time to merge

/unhold