feat: CheCluster API v2

[tolusha]

Signed-off-by: Anatolii Bazko abazko@redhat.com

What does this PR do?

• add CheCluster API v2

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#20758

How to test this PR?

N/A

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Custom resource definition file is up to date
• OLM bundles are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

Merging #1324 (f379e5c) into main (16c92ec) will increase coverage by 1.03%.
The diff coverage is 61.74%.

❗ Current head f379e5c differs from pull request most recent head 72fe63a. Consider uploading reports for the commit 72fe63a to get more accurate results

@@            Coverage Diff             @@
##             main    #1324      +/-   ##
==========================================
+ Coverage   62.00%   63.04%   +1.03%     
==========================================
  Files          76       70       -6     
  Lines        6301     5812     -489     
==========================================
- Hits         3907     3664     -243     
+ Misses       2008     1785     -223     
+ Partials      386      363      -23     

Impacted Files	Coverage Δ
controllers/che/checluster_controller.go	0.00% <0.00%> (ø)
controllers/che/checluster_validator.go	0.00% <0.00%> (ø)
controllers/devworkspace/solver/solver.go	36.84% <0.00%> (ø)
controllers/devworkspace/state.go	3.22% <ø> (+1.18%)	⬆️
pkg/common/operator-defaults/defaults.go	15.97% <ø> (ø)
pkg/common/utils/process.go	0.00% <ø> (ø)
pkg/common/utils/utils.go	28.31% <ø> (ø)
pkg/deploy/checluster.go	56.52% <ø> (+8.37%)	⬆️
pkg/deploy/checluster_util.go	66.66% <ø> (ø)
pkg/deploy/clusterrole.go	100.00% <ø> (ø)
... and 113 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 16c92ec...72fe63a. Read the comment docs.

[l0rd]

I did a review of https://github.com/eclipse-che/che-operator/blob/20758/api/v2/checluster_types.go. Here are a few comments:

---

the Operator automatically creates and maintains several ConfigMaps

• Can we list them?

---

• At line 58 you should replace displayName="Devfile registry" with displayName="Dashboard"

---

• At line 79 you should not you should remove ", the plugin and devfile registries"

---

• What happens if server.clusterRoles is omitted? What are the default ClusterRoles?

---

• In server.workspaceServiceAccountClusterRole description it's mentioned "The default roles are used when omitted or left blank." What are the default roles?

---

• In server.WorkspaceNamespaceName description: "for a case when a user does not override it.". I don't think a user can override it: users cannot select the workspace namespace anymore. I would rather say: "If users namespaces are not pre-created this field defines the Kubernetes namespace created when a user starts his first workspace....". And also what happens when omitted or left blank?

---

• Maybe server.serverTrustStoreConfigMapName should be renamed serverTrustStoreConfigMapName.javaTrustStoreConfigMapName?

---

• It would be better if instead of the boolean server.gitSelfSignedCert we had server.gitServerTLSCertificateConfigMapName

---

• For storage.pvcStrategy: We should mention that currently only common is supported and add a link to the issue: Persistent Volume strategies: add “per workspace” che#21185.

---

• Isn't CheCluster.storage only related to workspaces (and database.pvc is server side)? In that case we should probably make it explicit in the comments, call it workspaceStorage and probably move it under CheCluster.server since everything related to workspaces is there.

---

• In server.workspacesDefaultPlugins workspaces is plural whereas other fields use the singular (workspacePodNodeSelector etc...). For consistency we should rather use singular everywhere.

---

• Do we really need database.postgresVersion? What's the default by the way?

---

• server.workspacesDefaultPlugins should be renamed server.workspaceDefaultPluginsPerEditor

---

• How an admin can specify the default editor?

---

• How an admin can specify the default container image (if for instance there is no devfile.yaml in a github repository)

---

• All server components Deployment can be overridden using DeploymentCustomSettings except the Gateway (server side) and the 3 sidecar (workspace side) where only image can be overriden. This is inconsistent.

---

• We should mention that when gateway.ingress is specified, gateway.route should not. And that gateway.route is for OpenShift only. It would be even better if both could be merged together so that we only have gateway.ingress

---

• The sentence "The generated host name will follow this pattern: <route-name>-<route-namespace>.<domain>" is confusing because an admin cannot specify <route-name> and <route-namespace>. I would replace that with "The generated hostname will follow this pattern: che-<che-namespace>.<domain>, where <che-namespace> is the namespace where the CheCluster CRD is created".

---

• What about renaming route.host and ingress.host as route.hostname and ingress.hostname respectively?

---

• We can safely replace every instance of host name with hostname

---

• Setting the hostname is a common task. With the new model it's hidden under the auth section: auth>gateway>ingress>hostname. I am wondering if we should not rather organize things like this:

ingress
  > labels 
  > annotations 
  > domain 
  > hostname 
  > tlsSecret
  > auth
    > identityProviderURL
    > oAuthClientName
    > oAuthSecret
    > gateway
      > ...

---

• In CheClusterSpecMetrics there is the following description: "/ Enables metrics the Che server endpoint. Default to true.". Doesn't it control DevWorkspace controller metrics too? If it's only for che-server it should be moved under server if it's for DevWorkspace it should be mentioned. And it shoudl be also mentioned that this is distinct from workspace telemetry that can be enabled through a plugin editor only.

---

• The server.proxy is described as "// Proxy server settings" but then in the Proxy struct: This drives the appropriate changes in the JAVA_OPTS and https(s)_proxy variables in the Che server and workspaces containers. So are the proxy settings propagated to the che-server, to the workspaces or both? What about other server side components as the dashboard, the registries etc...?

---

• server.customCheProperties should be server.customCheServerProperties (server.extraProperties || server.additionalProperties)

---

• server.debug is a string but should be a boolean

---

• workspaceServiceAccountClusterRole is described as "Custom cluster role bound to the user for the Che workspaces": is it bound to the user or is bound to the SA?

---

• Finally I think it makes sense to have all the workspace related fields grouped under workspaces so I have imagined the following structure:

> workspaces
    > defaultPlugins
    > defaultNamespace
        > nameTemplate
        > userClusterRoles (or serviceAccountClusterRoles?)
    > storage
    > nodeSelector
    > tolerations
    > trustedCerts
        > trustStoreConfigMapName
        > gitTrustedCertsConfigMapName
> serverComponents
    > dashboard
    > cheServer
        > clusterRoles
        > deployment
        > loglevel
        > debug
    > database
    > pluginRegistry
    > devfileRegistry
    > imagePuller
    > devWorkspace
    > metrics?
> containerRegistry
    > hostname
    > organization

[tolusha]

/test v8-che-behind-proxy

[tolusha]

/test v9-devworkspace-happy-path

[tolusha]

/test v9-upgrade-stable-to-next

[tolusha]

/test v8-che-behind-proxy

[tolusha]

/test v9-devworkspace-happy-path

[tolusha]

/test v9-upgrade-stable-to-next

[tolusha]

/test v9-upgrade-stable-to-next

[ibuziuk]

@l0rd devEnvironments / networking LGTM
no more suggestions from my end

[amisevsk]

Approving to not block merge, a few comments below but generally looks good and comments can be addressed in a separate PR if need be.

[amisevsk]

This might make more sense as a dashboard option (rather than DevWorkspace). Currently, the dashboard is what imposes the limit on running workspaces, and DWO does not have functionality to do this.

[amisevsk]

Is this only an ID or can it also be a URI?

[amisevsk]

I might have missed it in reading this file, but consider adding +kubebuilder:printcolumn:name annotations here to automatically print the dashboard URL, etc. when listing objects on the cluster. For example, something like

// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.cheClusterRunning",description="Status for the CheCluster"
// +kubebuilder:printcolumn:name="Dashboard URL",type="string",JSONPath=".status.cheURL",description="The URL for the Che Dashboard"

If this is handled by the +operator-sdk annotations, then ignore this comment.

[amisevsk]

An example of how this is used in the DevWorkspace CR: [link]

[tolusha]

I think it is covered by +operator-sdk annotations

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amisevsk, ibuziuk, l0rd, mmorhun, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[tolusha]

/retest

[deerskindoll]

Hi, I tried to spot every potential edit in the document but I might end up suggesting another batch of edits.

[tolusha]

@deerskindoll
Thank you for review!

[openshift-ci]

@tolusha: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v9-operator-test	7463489	link	true	/test v9-operator-test
ci/prow/v8-operator-test	7463489	link	true	/test v8-operator-test

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.