-
Notifications
You must be signed in to change notification settings - Fork 0
K8shell Workspace Identifier
bruckins edited this page Aug 10, 2025
·
3 revisions
A compact identifier in the SSH user@address form that encodes:
- The user initiating the connection
- An optional workspace blueprint (direct name or parameters)
- Optional parameters for provisioning or inspecting the workspace
The SSH proxy parses the WID to determine the correct Kubernetes workspace to inspect or provision.
WID = local "@" addr
local = user [ "~" ws-spec ]
ws-spec = bp-name / param-list
param-list = kv *( "+" kv )
kv = key "=" value
user = 1*(atext / "." / "_" / "-")
bp-name = 1*(atext / "." / "_" / "-" / "/")
key = 1*(lower-alpha / digit / "-")
value = *(atext / "." / "_" / "-" / "/" / "%")
addr = 1*(VCHAR) ; your SSH host or alias
; atext (RFC 5322) roughly: A–Z a–z 0–9 and ! # $ % & ' * + - / = ? ^ _ ` { | } ~Reserved delimiters: @ ~ + =
Escape mechanism: Use percent-encoding for reserved characters inside values.
-
userandws-specare separated by~. - If
ws-speccontains no=, treat it as a direct blueprint name. - If
ws-speccontains=, parse askey=valuepairs, separated by+. -
/is allowed inbp-nameandvalue, but:- If an environment (e.g., VS Code CLI) cannot handle raw
/, replace with%2F.
- If an environment (e.g., VS Code CLI) cannot handle raw
- Percent-encode:
-
%→%25 -
~→%7E -
+→%2B -
=→%3D - Any reserved or unsafe character that must appear literally.
-
Direct blueprint
tomas~dev@edge.k8shell.io
→ user = tomas
→ bp = dev
Repo + ref with raw slash
tomas~repo=k8shell-io/identity+ref=main@edge.k8shell.io
→ user = tomas
→ repo = k8shell-io/identity
→ ref = main
Repo with escaped slash (CLI-safe)
tomas~repo=k8shell-io%2Fidentity+ref=main@edge.k8shell.io
→ repo = k8shell-io/identity
→ ref = main
Multiple params
tomas~repo=org/svc+ref=feat%2Fabc+mode=inspect@edge
→ repo = org/svc
→ ref = feat/abc
→ mode = inspect
Hierarchical blueprint name
tomas~teamA/blueprints/prod@edge
→ bp = teamA/blueprints/prod
- In
user,bp-name,value:
Letters, digits,. _ - /and RFC5322atextspecials (!#$%&'*+-/=?^_{|}~`). - Avoid
, ; : ( ) [ ] \ " < >— percent-encode if needed. - If
@is needed inside a value, percent-encode as%40.
-
local(before@) ≤ 64 characters (mirrors common email limits). - Total WID ≤ 128 characters for wide tool compatibility.
-
SSH / VS Code Remote: Works if
/is percent-encoded when necessary. - Email-style parsers: RFC-compliant local part.
-
Linux usernames: Do not reuse
localdirectly as a Unix account name. -
Kubernetes labels/annotations: If storing params in labels, follow label value restrictions (
[A-Za-z0-9_.-], ≤63 chars) or use annotations for raw WID.