This is an experimental cluster-local SSH service for Lagoon.
The Lagoon SSH portal is implemented as a pair of services: ssh-portal-api and ssh-portal.
These two services communicate over a backend messaging system.
Currently the messaging system used is NATS.
There may be many instances of ssh-portal in many remote clusters, all communicating back to the ssh-portal-api in the core cluster.
ssh-portal-api is part of Lagoon Core, and serves requests from the ssh-portal service, which may be in a remote cluster.
ssh-portal-api is explicitly not a public API and makes no guarantees about compatibility.
It is designed only to cater to the requirements of ssh-portal.
ssh-portal is part of Lagoon Remote, and implements an SSH server which connects incoming SSH sessions to pods running in the cluster.
To perform authentication it communicates back to ssh-portal-api running in Lagoon Core, which responds with true or false indicating whether the presented SSH key is valid for the requested Lagoon environment.
ssh-portal implements shell access with service and container selection as described in the Lagoon documentation, but it does not implement token generation.
Unlike the existing Lagoon SSH service, ssh-portal only provides access to Lagoon environments running in the local cluster.
If a user gets an error from ssh-portal it may not contain much detail, for security reasons.
However it will always contain a Session ID (SID).
The SID is logged by ssh-portal, and is also passed to ssh-portal-api and logged there too.
This makes it possible to correlate error messages in the ssh-portal and ssh-portal-api logs with the connection error a user reports.