Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve oauth handling. #551

Merged
Merged
Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .vscode/tasks.json
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,8 @@
"group": "build"
},
{
"label": "Update csv bundle files",
"command": "./olm/update-nightly-bundle.sh",
"label": "Update OLM bundle files",
"command": "./olm/update-crd-files.sh && ./olm/update-nightly-bundle.sh",
"type": "shell",
"args": [],
"problemMatcher": [
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ RUN export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH=
GOOS=linux GOARCH=${ARCH} CGO_ENABLED=0 go build -mod=vendor -o /tmp/che-operator/che-operator cmd/manager/main.go

# https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8-minimal
FROM registry.access.redhat.com/ubi8-minimal:8.3-201
FROM registry.access.redhat.com/ubi8-minimal:8.3-230

COPY --from=builder /tmp/che-operator/che-operator /usr/local/bin/che-operator
COPY --from=builder /che-operator/templates/keycloak_provision /tmp/keycloak_provision
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -326,7 +326,7 @@ Sometimes, during development, you need to modify some YAML definitions in the `
- Che cluster custom resource definition `pkg/apis/org/v1/che_types.go`. For example you want to fix some properties description or apply new Che type properties with default values. These changes affect CRD `deploy/crds/org_v1_che_crd.yaml`.
- add Openshift ui annotations for Che types properties (`pkg/apis/org/v1/che_types.go`) to display information or interactive elements on the Openshift user interface.

For all these cases it's a necessary to generate a new OLM bundle to make these changes working with OLM. Run the VSCode tasks `Update csv bundle files` or use the terminal:
For all these cases it's a necessary to generate a new OLM bundle to make these changes working with OLM. Run the VSCode tasks `Update OLM bundle files` or use the terminal:

```bash
$ olm/update-nightly-bundle.sh
Expand Down
3 changes: 0 additions & 3 deletions deploy/crds/org_v1_che_cr.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -124,9 +124,6 @@ spec:
identityProviderRealm: ''
# id of a keycloak client. This client will be created, when externalIdentityProvider is false, otherwise passed to Che server
identityProviderClientId: ''
# instructs an Operator to enable OpenShift v3 identity provider in Keycloak,
# as well as create respective oAuthClient and configure Che configMap accordingly
openShiftoAuth: true
# name of oAuthClient used in OpenShift v3 identity provider in Keycloak realm. Auto generated if left blank
oAuthClientName: ''
# secret used in oAuthClient. Auto generated if left blank
Expand Down
15 changes: 9 additions & 6 deletions deploy/crds/org_v1_che_crd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -159,12 +159,15 @@ spec:
type: string
openShiftoAuth:
description: 'Enables the integration of the identity provider (Keycloak
/ RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
This will allow users to directly login with their Openshift user
through the Openshift login, and have their workspaces created
under personal OpenShift namespaces. WARNING: the `kubeadmin`
user is NOT supported, and logging through it will NOT allow accessing
the Che Dashboard.'
/ RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
by default. If user changes this empty value to true/false, then
che-operator respect this value. Otherwise che-operator tries
to auto detect if Openshift oAuth can be enabled and change empty
value, correspondly to auto-detection result. This property allows
users to directly login with their Openshift user through the
Openshift login, and have their workspaces created under personal
OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
and logging through it will NOT allow accessing the Che Dashboard.'
type: boolean
updateAdminPassword:
description: Forces the default `admin` Che user to update password
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,13 +84,13 @@ metadata:
categories: Developer Tools
certified: "false"
containerImage: quay.io/eclipse/che-operator:nightly
createdAt: "2020-12-14T15:43:45Z"
createdAt: "2020-12-17T10:09:13Z"
description: A Kube-native development solution that delivers portable and collaborative
developer workspaces.
operatorframework.io/suggested-namespace: eclipse-che
repository: https://github.com/eclipse/che-operator
support: Eclipse Foundation
name: eclipse-che-preview-kubernetes.v7.23.0-48.nightly
name: eclipse-che-preview-kubernetes.v7.24.0-52.nightly
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -322,7 +322,7 @@ spec:
- name: RELATED_IMAGE_che_tls_secrets_creation_job
value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
- name: RELATED_IMAGE_pvc_jobs
value: registry.access.redhat.com/ubi8-minimal:8.3-201
value: registry.access.redhat.com/ubi8-minimal:8.3-230
- name: RELATED_IMAGE_postgres
value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
- name: RELATED_IMAGE_keycloak
Expand Down Expand Up @@ -494,4 +494,4 @@ spec:
maturity: stable
provider:
name: Eclipse Foundation
version: 7.23.0-48.nightly
version: 7.24.0-52.nightly
Original file line number Diff line number Diff line change
Expand Up @@ -159,12 +159,15 @@ spec:
type: string
openShiftoAuth:
description: 'Enables the integration of the identity provider (Keycloak
/ RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
This will allow users to directly login with their Openshift user
through the Openshift login, and have their workspaces created
under personal OpenShift namespaces. WARNING: the `kubeadmin`
user is NOT supported, and logging through it will NOT allow accessing
the Che Dashboard.'
/ RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
by default. If user changes this empty value to true/false, then
che-operator respect this value. Otherwise che-operator tries
to auto detect if Openshift oAuth can be enabled and change empty
value, correspondly to auto-detection result. This property allows
users to directly login with their Openshift user through the
Openshift login, and have their workspaces created under personal
OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
and logging through it will NOT allow accessing the Che Dashboard.'
type: boolean
updateAdminPassword:
description: Forces the default `admin` Che user to update password
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@ metadata:
"identityProviderRealm": "",
"identityProviderURL": "",
"oAuthClientName": "",
"oAuthSecret": "",
"openShiftoAuth": true
"oAuthSecret": ""
},
"database": {
"chePostgresDb": "",
Expand Down Expand Up @@ -76,13 +75,13 @@ metadata:
categories: Developer Tools, OpenShift Optional
certified: "false"
containerImage: quay.io/eclipse/che-operator:nightly
createdAt: "2020-12-14T15:43:55Z"
createdAt: "2020-12-17T10:09:20Z"
description: A Kube-native development solution that delivers portable and collaborative
developer workspaces in OpenShift.
operatorframework.io/suggested-namespace: eclipse-che
repository: https://github.com/eclipse/che-operator
support: Eclipse Foundation
name: eclipse-che-preview-openshift.v7.23.0-48.nightly
name: eclipse-che-preview-openshift.v7.24.0-52.nightly
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -336,7 +335,7 @@ spec:
- name: RELATED_IMAGE_devfile_registry
value: quay.io/eclipse/che-devfile-registry:nightly
- name: RELATED_IMAGE_pvc_jobs
value: registry.access.redhat.com/ubi8-minimal:8.3-201
value: registry.access.redhat.com/ubi8-minimal:8.3-230
- name: RELATED_IMAGE_postgres
value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
- name: RELATED_IMAGE_keycloak
Expand Down Expand Up @@ -514,4 +513,4 @@ spec:
maturity: stable
provider:
name: Eclipse Foundation
version: 7.23.0-48.nightly
version: 7.24.0-52.nightly
Original file line number Diff line number Diff line change
Expand Up @@ -160,12 +160,15 @@ spec:
type: string
openShiftoAuth:
description: 'Enables the integration of the identity provider (Keycloak
/ RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
This will allow users to directly login with their Openshift user
through the Openshift login, and have their workspaces created
under personal OpenShift namespaces. WARNING: the `kubeadmin`
user is NOT supported, and logging through it will NOT allow accessing
the Che Dashboard.'
/ RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
by default. If user changes this empty value to true/false, then
che-operator respect this value. Otherwise che-operator tries
to auto detect if Openshift oAuth can be enabled and change empty
value, correspondly to auto-detection result. This property allows
users to directly login with their Openshift user through the
Openshift login, and have their workspaces created under personal
OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
and logging through it will NOT allow accessing the Che Dashboard.'
type: boolean
updateAdminPassword:
description: Forces the default `admin` Che user to update password
Expand Down
2 changes: 1 addition & 1 deletion deploy/operator-local.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ spec:
- name: RELATED_IMAGE_che_tls_secrets_creation_job
value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
- name: RELATED_IMAGE_pvc_jobs
value: registry.access.redhat.com/ubi8-minimal:8.3-201
value: registry.access.redhat.com/ubi8-minimal:8.3-230
- name: RELATED_IMAGE_postgres
value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
- name: RELATED_IMAGE_keycloak
Expand Down
2 changes: 1 addition & 1 deletion deploy/operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ spec:
- name: RELATED_IMAGE_che_tls_secrets_creation_job
value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
- name: RELATED_IMAGE_pvc_jobs
value: registry.access.redhat.com/ubi8-minimal:8.3-201
value: registry.access.redhat.com/ubi8-minimal:8.3-230
- name: RELATED_IMAGE_postgres
value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
- name: RELATED_IMAGE_keycloak
Expand Down
4 changes: 4 additions & 0 deletions e2e/create.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ package main

import (
orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
"github.com/eclipse/che-operator/pkg/util"
"github.com/sirupsen/logrus"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -122,6 +123,9 @@ func newCheCluster() (cr *orgv1.CheCluster) {
Server: orgv1.CheClusterSpecServer{
UseInternalClusterSVCNames: true,
},
Auth: orgv1.CheClusterSpecAuth{
OpenShiftoAuth: util.NewBoolPointer(true),
},
},
}
return cr
Expand Down
10 changes: 7 additions & 3 deletions pkg/apis/org/v1/che_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -405,12 +405,16 @@ type CheClusterSpecAuth struct {
// Forces the default `admin` Che user to update password on first login. Defaults to `false`.
// +optional
UpdateAdminPassword bool `json:"updateAdminPassword"`
// Enables the integration of the identity provider (Keycloak / RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
// This will allow users to directly login with their Openshift user through the Openshift login,
// Enables the integration of the identity provider (Keycloak / RHSSO) with OpenShift OAuth.
// Empty value on the OpenShift platform by default.
// If user changes this empty value to true/false, then che-operator respect this value.
// Otherwise che-operator tries to auto detect if Openshift oAuth can be enabled and change empty value,
// correspondly to auto-detection result.
// This property allows users to directly login with their Openshift user through the Openshift login,
// and have their workspaces created under personal OpenShift namespaces.
// WARNING: the `kubeadmin` user is NOT supported, and logging through it will NOT allow accessing the Che Dashboard.
// +optional
OpenShiftoAuth bool `json:"openShiftoAuth"`
OpenShiftoAuth *bool `json:"openShiftoAuth"`
AndrienkoAleksandr marked this conversation as resolved.
Show resolved Hide resolved
// Name of the OpenShift `OAuthClient` resource used to setup identity federation on the OpenShift side. Auto-generated if left blank.
// See also the `OpenShiftoAuth` field.
// +optional
Expand Down
7 changes: 6 additions & 1 deletion pkg/apis/org/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

103 changes: 58 additions & 45 deletions pkg/controller/che/che_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -340,55 +340,21 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
host, err := getDefaultCheHost(deployContext)
if host == "" {
return reconcile.Result{RequeueAfter: 1 * time.Second}, err
} else {
deployContext.DefaultCheHost = host
}
deployContext.DefaultCheHost = host
}
}

if isOpenShift && instance.Spec.Auth.OpenShiftoAuth {
if isOpenShift4 {
oauthv1 := &oauthv1.OAuth{}
if err := r.nonCachedClient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, oauthv1); err != nil {
getOAuthV1ErrMsg := failedUnableToGetOAuth + " Cause: " + err.Error()
logrus.Errorf(getOAuthV1ErrMsg)
if err := r.SetStatusDetails(instance, request, failedNoOpenshiftUserReason, getOAuthV1ErrMsg, ""); err != nil {
return reconcile.Result{}, err
}
return reconcile.Result{}, err
}
if len(oauthv1.Spec.IdentityProviders) < 1 {
logrus.Warn(warningNoIdentityProvidersMessage, " ", howToAddIdentityProviderLinkOS4)
instance.Spec.Auth.OpenShiftoAuth = false
if err := r.UpdateCheCRSpec(instance, "OpenShiftoAuth", strconv.FormatBool(false)); err != nil {
return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
}
}
} else {
users := &userv1.UserList{}
listOptions := &client.ListOptions{}
if err := r.nonCachedClient.List(context.TODO(), users, listOptions); err != nil {
getUsersErrMsg := failedUnableToGetOpenshiftUsers + " Cause: " + err.Error()
logrus.Errorf(getUsersErrMsg)
if err := r.SetStatusDetails(instance, request, failedNoOpenshiftUserReason, getUsersErrMsg, ""); err != nil {
return reconcile.Result{}, err
}
return reconcile.Result{}, err
}
if len(users.Items) < 1 {
logrus.Warn(warningNoRealUsersMessage, " ", howToConfigureOAuthLinkOS3)
instance.Spec.Auth.OpenShiftoAuth = false
if err := r.UpdateCheCRSpec(instance, "OpenShiftoAuth", strconv.FormatBool(false)); err != nil {
return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
}
}
if isOpenShift && instance.Spec.Auth.OpenShiftoAuth == nil {
if reconcileResult, err := r.autoEnableOAuth(instance, request, isOpenShift4); err != nil {
return reconcileResult, err
}
}

// delete oAuthClient before CR is deleted
if instance.Spec.Auth.OpenShiftoAuth {
if err := r.ReconcileFinalizer(instance); err != nil {
return reconcile.Result{}, err
}
// delete oAuthClient before CR is deleted
if util.IsOAuthEnabled(instance) {
if err := r.ReconcileFinalizer(instance); err != nil {
return reconcile.Result{}, err
}

}
Expand Down Expand Up @@ -431,7 +397,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
// To use Openshift v4 OAuth, the OAuth endpoints are served from a namespace
// and NOT from the Openshift API Master URL (as in v3)
// So we also need the self-signed certificate to access them (same as the Che server)
(isOpenShift4 && instance.Spec.Auth.OpenShiftoAuth && !instance.Spec.Server.TlsSupport) {
(isOpenShift4 && util.IsOAuthEnabled(instance) && !instance.Spec.Server.TlsSupport) {
if err := deploy.CreateTLSSecretFromEndpoint(deployContext, "", deploy.CheTLSSelfSignedCertificateSecretName); err != nil {
return reconcile.Result{}, err
}
Expand All @@ -447,7 +413,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
}
}

if instance.Spec.Auth.OpenShiftoAuth {
if util.IsOAuthEnabled(instance) {
// create a secret with OpenShift API crt to be added to keystore that RH SSO will consume
baseURL, err := util.GetClusterPublicHostname(isOpenShift4)
if err != nil {
Expand Down Expand Up @@ -1123,3 +1089,50 @@ func isTrustedBundleConfigMap(mgr manager.Manager, obj handler.MapObject) (bool,
},
}
}

func (r *ReconcileChe) autoEnableOAuth(cr *orgv1.CheCluster, request reconcile.Request, isOpenShift4 bool) (reconcile.Result, error) {
var message, reason string
AndrienkoAleksandr marked this conversation as resolved.
Show resolved Hide resolved
oauth := false
if isOpenShift4 {
oauthv1 := &oauthv1.OAuth{}
if err := r.nonCachedClient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, oauthv1); err != nil {
getOAuthV1ErrMsg := failedUnableToGetOAuth + " Cause: " + err.Error()
logrus.Errorf(getOAuthV1ErrMsg)
message = getOAuthV1ErrMsg
reason = failedNoOpenshiftUserReason
} else {
oauth = len(oauthv1.Spec.IdentityProviders) >= 1
if !oauth {
logrus.Warn(warningNoIdentityProvidersMessage, " ", howToAddIdentityProviderLinkOS4)
}
}
// openshift 3
} else {
users := &userv1.UserList{}
listOptions := &client.ListOptions{}
if err := r.nonCachedClient.List(context.TODO(), users, listOptions); err != nil {
getUsersErrMsg := failedUnableToGetOpenshiftUsers + " Cause: " + err.Error()
logrus.Errorf(getUsersErrMsg)
message = getUsersErrMsg
reason = failedNoOpenshiftUserReason
} else {
oauth = len(users.Items) >= 1
if !oauth {
logrus.Warn(warningNoRealUsersMessage, " ", howToConfigureOAuthLinkOS3)
}
}
}

cr.Spec.Auth.OpenShiftoAuth = util.NewBoolPointer(oauth)
if err := r.UpdateCheCRSpec(cr, "OpenShiftoAuth", strconv.FormatBool(oauth)); err != nil {
return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
}

if message != "" && reason != "" {
if err := r.SetStatusDetails(cr, request, message, reason, ""); err != nil {
return reconcile.Result{}, err
}
}

return reconcile.Result{}, nil
}
Loading