feat(sftp): adding sftp support to the server

Cargo.toml

@@ -59,6 +59,7 @@ reqwest = { version = "0.12.7", features = ["json", "stream", "multipart"] }
 ringbuffer = "0.15.0"
 russh = "0.45.0"
 russh-keys = "0.45.0"
+russh-sftp = "2.0.3"
 schemars = { version = "0.8.21", features = ["chrono"] }
 serde = { version = "1.0.208", features = ["derive"] }
 serde_json = "1.0.124"
@@ -74,6 +75,7 @@ tracing = "0.1.40"
 tracing-error = { version = "0.2.0", features = ["traced-error"] }
 tracing-log = "0.2.0"
 tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
+umask = "2.1.0"
 warp = "0.3.7"
 
 

README.md

@@ -10,6 +10,7 @@ You can:
 
 - Get a shell in running pods - just like you would with SSH normally.
 - Access the logs for running and exited containers in a pod.
+- `scp` files from pods. sftp clients work as well.
 
 ![demo](./assets/demo.gif)
 
@@ -45,14 +46,52 @@ You can:
 From this point, here's a few suggestions for things to check out:
 
 - Start a new pod. It'll show up in the dashboard immediately!
+
 - Exec into a pod. Select the pod you want and go to the `Shell` tab. You'll be
   able to pick the command to exec and then be shell'd into the pod directly.
+
 - Follow the logs. Logs for all containers in a pod are streamed to the `Logs`
   tab when you've selected a pod from the main list.
 
+- `scp` some files out of a container:
+
+  ```bash
+  scp -P 2222 me@localhost:/default/my-pod/etc/hosts /tmp
+  ```
+
 [cli-download]: https://github.com/grampelberg/kuberift/releases
 [k3d]: https://k3d.io
 
+## Interaction
+
+### SSH
+
+To get to the dashboard, you can run:
+
+```bash
+ssh anything@my-remote-host-or-ip -p 2222
+```
+
+As you're authenticated either via OpenID or public key, the username is not
+used.
+
+### SFTP
+
+The cluster is represented by a file tree:
+
+```bash
+/<namespace>/<pod-name>/<container-name>/<file-path>
+```
+
+For the `nginx` pod running in `default`, you would do something like:
+
+```bash
+scp -P 2222 me@localhost:/default/nginx/nginx/etc/hosts /tmp
+```
+
+It can be a little easier to navigate all this with an sftp client as that'll
+render the file tree natively for you.
+
 ## Deployment
 
 The `kuberift` server needs access to your cluster's API server and credentials
@@ -241,6 +280,13 @@ the design decisions section for an explanation of what's happening there.
 - table_filter_total - Number of times a table was filtered.
 - widget_views_total - Number of times a widget was created by resource
   (container, pod) and type (cmd, log, yaml, ...).
+- requests_total - Number of requests that have come in by type (pty, sftp).
+- sftp_active_sessions - Total number of active sessions currently.
+- sftp_bytes_total - Total number of bytes transferred via sftp by direction
+  (read, write).
+- sftp_files_total - Total number of files by direction (sent, received).
+- sftp_stat_total - Total number of times `stat` was called on a path.
+- sftp_list_total - Total number of times `list` was called on a path.
 
 ## Design Decisions
 

TODO.md

@@ -1,4 +1,6 @@
-## TODO
+# TODO
+
+## Authorization
 
 - Groups are probably what most users are going to want to use to configure all
   this. The closest to the OpenID spec would be via adding extra scopes that add
@@ -13,6 +15,31 @@
   handled in the provider backend and it is unclear how easy that'll be. It is
   possible in auth0, so I'll go down this route for now.
 
+  Note: it looks like Google might require addition verification to get the
+  `groups()` scope "externally".
+
+## TUI
+
 - Is there a way to do FPS on a per-session basis with prometheus? Naively the
   way to do it would be to have a per-session label value, but that would be
   crazy for cardinality.
+
+## SFTP
+
+- Document that the permissions here are different than for the dashboard. You
+  can get away with `get` and `exec` on ~everything as long as you use `scp`.
+  Anything `sftp` is going to do a `readdir` and require `list`.
+- The API for `russh_sftp` feels nicer than the one for dashboard currently -
+  hand off a channel entirely instead of dealing with `data()` to begin with.
+  Should `Dashboard` get reimplemented to take something like
+  `async Read + Write` instead? I think I didn't do it this way to being with
+  because of writes being consumed entirely.
+- Allow globs in file paths, eg `/*/nginx**/etc/passwd`.
+- Return an error that is nicer than "no files found" when a container doesn't
+  have cat/ls.
+
+## SSH Functionality
+
+- Allow `ssh` directly into a pod without starting the dashboard.
+- Enable `ssh -L` for forwarding requests _into_ a pod.
+- Enable `ssh -R` for forwarding a remote service _into_ a localhost.

src/identity.rs

@@ -7,6 +7,7 @@ use k8s_openapi::api::authorization::v1::{
     ResourceAttributes, SelfSubjectAccessReview, SelfSubjectAccessReviewSpec,
     SubjectAccessReviewStatus,
 };
+pub use key::Key;
 use kube::api::{Api, PostParams};
 
 use crate::ssh::{Authenticate, Controller};

src/resources.rs

@@ -1,10 +1,12 @@
 pub mod age;
 pub mod container;
+pub mod file;
 pub mod pod;
 pub mod store;
 
 use color_eyre::Section;
 use eyre::{eyre, Result};
+pub use file::File;
 use futures::StreamExt;
 use itertools::Itertools;
 use json_value_merge::Merge;