WebSSH: Backend

Author: lucam

.github/workflows/build-matrix.json

@@ -27,6 +27,13 @@
         "build-args": "COMPONENT=bastion-ssh-tracker",
         "harbor-project": "crownlabs-core"
     },
+    {
+        "component": "webssh-bastion",
+        "context": "./operators",
+        "dockerfile": "./operators/build/golang-common/Dockerfile",
+        "build-args": "COMPONENT=webssh-bastion",
+        "harbor-project": "crownlabs-core"
+    },
     {
         "component": "exam-agent",
         "context": "./operators",

deploy/crownlabs/values.yaml

@@ -118,6 +118,15 @@ bastion-operator:
     sshTrackerPort: 22
     sshTrackerSnaplen: 1600
     sshTrackerMetricsAddr: ":8082"
+    
+  webssh:
+    ingress:
+      enabled: true
+      annotations:
+        nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+      hostname: crownlabs.example.com
+      path: /webssh
+      pathType: Prefix
 
 image-list:
   replicaCount: 1

operators/cmd/examagent/main.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/klog/v2/textlogger"
 
 	"github.com/netgroup-polito/CrownLabs/operators/pkg/examagent"
+	"github.com/netgroup-polito/CrownLabs/operators/pkg/utils"
 )
 
 func main() {
@@ -36,7 +37,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	k8sClient, err := examagent.NewK8sClient()
+	k8sClient, err := utils.NewK8sClient()
 	if err != nil {
 		log.Error(err, "unable to prepare k8s client")
 		os.Exit(1)

operators/cmd/instance-operator/main.go

@@ -18,6 +18,7 @@ package main
 import (
 	"flag"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -72,6 +73,8 @@ func main() {
 		"which the controller will work. Different labels (key=value) can be specified, by separating them with a &"+
 		"( e.g. key1=value1&key2=value2")
 
+	websshKeyPathFlag := flag.String("webbastion-master-key-path", "", "Contain the path of the secret where the public key is stored. Used for webssh component.")
+
 	sharedVolumeStorageClass := flag.String("shared-volume-storage-class", "rook-nfs", "The StorageClass to be used for all SharedVolumes' PVC (if unique can be used to enforce ResourceQuota on Workspaces, about number and size of ShVols)")
 
 	maxConcurrentTerminationReconciles := flag.Int("max-concurrent-reconciles-termination", 1, "The maximum number of concurrent Reconciles which can be run for the Instance Termination controller")
@@ -124,13 +127,27 @@ func main() {
 
 	// Configure the Instance controller
 	const instanceCtrlName = "Instance"
+
+	// read the webssh public key form the secret
+	var pubKeyBytes []byte
+	if *websshKeyPathFlag != "" {
+		pubKeyBytes, err = os.ReadFile(filepath.Clean(*websshKeyPathFlag))
+		if err != nil {
+			log.Error(err, "failed to read webssh public key", "path", *websshKeyPathFlag)
+		}
+		log.Info("webssh public key correctly retrieved")
+	} else {
+		log.Error(err, "no path provided for webssh public key")
+	}
+
 	if err = (&instctrl.InstanceReconciler{
-		Client:             mgr.GetClient(),
-		Scheme:             mgr.GetScheme(),
-		EventsRecorder:     mgr.GetEventRecorderFor(instanceCtrlName),
-		NamespaceWhitelist: nsWhitelist,
-		ServiceUrls:        svcUrls,
-		ContainerEnvOpts:   containerEnvOpts,
+		Client:                mgr.GetClient(),
+		Scheme:                mgr.GetScheme(),
+		EventsRecorder:        mgr.GetEventRecorderFor(instanceCtrlName),
+		NamespaceWhitelist:    nsWhitelist,
+		ServiceUrls:           svcUrls,
+		ContainerEnvOpts:      containerEnvOpts,
+		WebSSHMasterPublicKey: pubKeyBytes,
 	}).SetupWithManager(mgr, *maxConcurrentReconciles); err != nil {
 		log.Error(err, "unable to create controller", "controller", instanceCtrlName)
 		os.Exit(1)

operators/cmd/webssh-bastion/main.go

@@ -0,0 +1,104 @@
+// Copyright 2020-2025 Politecnico di Torino
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package main contains the entrypoint for webSSH, a WebSocket SSH bridge for CrownLabs.
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/go-logr/stdr"
+	"k8s.io/apimachinery/pkg/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+
+	crownlabsv1alpha1 "github.com/netgroup-polito/CrownLabs/operators/api/v1alpha1"
+	crownlabsv1alpha2 "github.com/netgroup-polito/CrownLabs/operators/api/v1alpha2"
+	"github.com/netgroup-polito/CrownLabs/operators/pkg/utils"
+	"github.com/netgroup-polito/CrownLabs/operators/pkg/webssh-bastion"
+)
+
+var (
+	scheme = runtime.NewScheme()
+)
+
+func init() {
+	_ = clientgoscheme.AddToScheme(scheme)
+	_ = crownlabsv1alpha1.AddToScheme(scheme)
+	_ = crownlabsv1alpha2.AddToScheme(scheme)
+}
+
+func main() {
+	sshUserFlag := flag.String("websshuser", "crownlabs", "The user to use for SSH connections.")
+	websshprivatekeypathFlag := flag.String("websshprivatekeypath", "", "The path to the private key file for SSH authentication.")
+	websshtimeoutdurationFlag := flag.String("websshtimeoutduration", "0", "The timeout duration for SSH connections. In minutes.")
+	websshmaxconncountFlag := flag.String("websshmaxconncount", "1000", "The maximum number of concurrent SSH connections.")
+	websshvmport := flag.String("websshvmport", "22", "The default SSH port for VMs.")
+	websshwebsocketportFlag := flag.String("websshwebsocketport", "8085", "The port on which the WebSocket server listens.")
+
+	flag.Parse()
+
+	timeout64, err := strconv.ParseInt(*websshtimeoutdurationFlag, 10, 32) // parse directly as int32
+	if err != nil {
+		timeout64 = 30
+	}
+
+	maxConn64, err := strconv.ParseInt(*websshmaxconncountFlag, 10, 32)
+	if err != nil {
+		maxConn64 = 1000
+	}
+
+	stdLogger := log.New(os.Stderr, "", log.LstdFlags)
+	baseLogger := stdr.New(stdLogger)
+
+	webSSHCtx := &webssh.ServerContext{}
+	webSSHCtx.BaseLogger = baseLogger
+	webSSHCtx.SSHUser = *sshUserFlag
+	webSSHCtx.PrivateKeyPath = *websshprivatekeypathFlag
+	webSSHCtx.TimeoutDuration = time.Duration(timeout64) * time.Minute
+	webSSHCtx.MaxConnectionCount = int32(maxConn64)
+	webSSHCtx.WebsocketPort = *websshwebsocketportFlag
+	webSSHCtx.VMSSHPort = *websshvmport
+	webSSHCtx.BaseConfig, err = utils.GetRestConfig()
+
+	if err != nil {
+		webSSHCtx.BaseLogger.Error(err, "Failed to get REST config")
+		return
+	}
+
+	info, err := os.Stat(webSSHCtx.PrivateKeyPath)
+	if err != nil {
+		webSSHCtx.BaseLogger.Error(err, "Cannot access private key file")
+		return
+	}
+
+	if info.IsDir() {
+		webSSHCtx.BaseLogger.Error(nil, "Private key path points to a directory, not a file")
+		return
+	}
+
+	webSSHCtx.BaseLogger.Info("Config loaded",
+		"SSHUser", webSSHCtx.SSHUser,
+		"PrivateKeyPath", webSSHCtx.PrivateKeyPath,
+		"TimeoutDuration", webSSHCtx.TimeoutDuration,
+		"MaxConnectionCount", webSSHCtx.MaxConnectionCount,
+		"WebsocketPort", webSSHCtx.WebsocketPort,
+		"VMSSHPort", webSSHCtx.VMSSHPort)
+
+	webSSHCtx.StartWebSSH()
+}

operators/deploy/bastion-operator/templates/_helpers.tpl

@@ -52,6 +52,14 @@ app.kubernetes.io/version: {{ include "bastion-operator.version" . | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{- define "webssh.labels" -}}
+helm.sh/chart: {{ include "bastion-operator.chart" . }}
+{{ include "webssh.selectorLabels" . }}
+app.kubernetes.io/version: {{ include "bastion-operator.version" . | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: webssh
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -60,6 +68,11 @@ app.kubernetes.io/name: {{ include "bastion-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "webssh.selectorLabels" -}}
+app.kubernetes.io/name: webssh
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Metrics selector additional labels
 */}}

operators/deploy/bastion-operator/templates/deployment.yaml

@@ -122,3 +122,59 @@ spec:
                 matchLabels:
                   {{- include "bastion-operator.selectorLabels" . | nindent 18 }}
               topologyKey: kubernetes.io/hostname
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "bastion-operator.fullname" . }}-webssh
+  labels:
+    {{ include "webssh.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{ include "webssh.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{ include "webssh.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: webssh
+          image: "{{ .Values.image.repositoryWebBastion  }}:{{ include "bastion-operator.version" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: {{ .Values.webssh.service.targetPort }}
+              containerPort: {{ .Values.webssh.config.webSocketPort }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.webssh.service.targetPort }}
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: {{ .Values.webssh.service.targetPort }}
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          volumeMounts:
+            - mountPath: /web-keys
+              name: web-keys
+          resources:
+            {{- toYaml .Values.resources.webssh | nindent 12 }}
+          args:
+            - "--websshuser={{ .Values.webssh.config.user }}"
+            - "--websshprivatekeypath=/web-keys/{{ .Values.webssh.masterKey.name }}"
+            - "--websshmaxconncount={{ .Values.webssh.config.maxConnCount }}"
+            - "--websshvmport={{ .Values.webssh.config.vmPort }}"
+            - "--websshwebsocketport={{ .Values.webssh.config.webSocketPort }}"
+      volumes:
+        - name: web-keys
+          secret:
+            secretName: {{ .Values.webssh.masterKey.secretName }}
+            defaultMode: 0444
+

operators/deploy/bastion-operator/templates/hook-createsecret.yaml

@@ -85,7 +85,27 @@ spec:
           - |
             ssh-keygen -f /tmp/ssh-keys/ssh_host_key_ecdsa -N "" -t ecdsa -C "" && \
             ssh-keygen -f /tmp/ssh-keys/ssh_host_key_ed25519 -N "" -t ed25519 -C "" && \
-            ssh-keygen -f /tmp/ssh-keys/ssh_host_key_rsa -N "" -t rsa -C ""
+            ssh-keygen -f /tmp/ssh-keys/ssh_host_key_rsa -N "" -t rsa -C "" && \
+            ssh-keygen -f /tmp/ssh-keys/{{ .Values.webssh.masterKey.name }} -N "" -t {{ .Values.webssh.masterKey.type }} -C {{ .Values.webssh.masterKey.comment | quote }}
+        securityContext:
+          {{- toYaml .Values.securityContexts.hookCreateSecret | nindent 12 }}
+        resources:
+          {{- toYaml .Values.resources.hookCreateSecret | nindent 12 }}
+        volumeMounts:
+          - name: ssh-keys
+            mountPath: /tmp/ssh-keys
+      - name: kubectl-webbastion
+        image: {{ .Values.sshKeysSecret.kubectlImage }}
+        command:
+          - kubectl
+        args:
+          - create
+          - secret
+          - generic
+          - {{ .Values.webssh.masterKey.secretName }}
+          - --namespace={{ .Release.Namespace }}
+          - --from-file=/tmp/ssh-keys/{{ .Values.webssh.masterKey.name }}
+          - --from-file=/tmp/ssh-keys/{{ .Values.webssh.masterKey.name }}.pub
         securityContext:
           {{- toYaml .Values.securityContexts.hookCreateSecret | nindent 12 }}
         resources:

operators/deploy/bastion-operator/templates/ingress.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.webssh.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "bastion-operator.fullname" . }}-webssh
+  labels:
+    {{- include "webssh.labels" . | nindent 4 }}
+  {{- with .Values.webssh.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  rules:
+    - host: {{ .Values.webssh.ingress.hostname }}
+      http:
+        paths:
+          - path: {{ .Values.webssh.ingress.path }}
+            pathType: {{ .Values.webssh.ingress.pathType }}
+            backend:
+              service:
+                name: {{ include "bastion-operator.fullname" . }}-webssh
+                port:
+                  name: webssh
+  {{- if .Values.webssh.ingress.secret }}
+  tls:
+    - hosts:
+        - {{ .Values.webssh.ingress.hostname }}
+      secretName: {{ .Values.webssh.ingress.secret }}
+  {{- end }}
+{{- end }}

operators/deploy/bastion-operator/templates/service.yaml

@@ -18,3 +18,24 @@ spec:
   externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
   selector:
     {{- include "bastion-operator.selectorLabels" . | nindent 4 }}
+
+---
+
+{{- if .Values.webssh.service }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "bastion-operator.fullname" . }}-webssh
+  labels:
+    {{- include "webssh.labels" . | nindent 4 }}
+    {{- include "bastion-operator.metricsAdditionalLabels" . | nindent 4 }}
+spec:
+  type: {{ .Values.webssh.service.type }}
+  ports:
+    - port: {{ .Values.webssh.service.port }}
+      targetPort: {{ .Values.webssh.service.targetPort }}
+      protocol: TCP
+      name: webssh
+  selector:
+    {{- include "webssh.selectorLabels" . | nindent 4 }}
+{{- end }}