feat: Traefik plugin

.gitignore

@@ -121,4 +121,4 @@ bundle/stable/eclipse-che-preview-openshift/generated
 
 testbin/setup-envtest.sh
 
-.DS_Store
+.DS_Store

Dockerfile

@@ -15,6 +15,7 @@ ENV GOPATH=/go/
 ENV RESTIC_TAG=v0.12.0
 ARG DEV_WORKSPACE_CONTROLLER_VERSION="main"
 ARG DEV_WORKSPACE_CHE_OPERATOR_VERSION="main"
+ARG DEV_HEADER_REWRITE_TRAEFIK_PLUGIN="main"
 USER root
 
 # upstream, download zips for every build
@@ -23,7 +24,8 @@ RUN mkdir -p $GOPATH/restic && \
     curl -sSLo- https://api.github.com/repos/restic/restic/tarball/${RESTIC_TAG} | tar --strip-components=1 -xz -C $GOPATH/restic && \
     cd $GOPATH/restic && go mod vendor && \
     curl -sSLo /tmp/asset-devworkspace-operator.zip https://api.github.com/repos/devfile/devworkspace-operator/zipball/${DEV_WORKSPACE_CONTROLLER_VERSION} && \
-    curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION}
+    curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION} && \
+    curl -sSLo /tmp/asset-header-rewrite-traefik-plugin.zip https://api.github.com/repos/che-incubator/header-rewrite-traefik-plugin/zipball/${DEV_HEADER_REWRITE_TRAEFIK_PLUGIN}
 
 WORKDIR /che-operator
 # Copy the Go Modules manifests
@@ -50,6 +52,10 @@ RUN unzip /tmp/asset-devworkspace-che-operator.zip */deploy/deployment/* -d /tmp
     mkdir -p /tmp/devworkspace-che-operator/templates/ && \
     mv /tmp/che-incubator-devworkspace-che-operator-*/deploy /tmp/devworkspace-che-operator/templates/
 
+RUN unzip /tmp/asset-header-rewrite-traefik-plugin.zip -d /tmp && \
+    mkdir -p /tmp/header-rewrite-traefik-plugin && \
+    mv /tmp/*-header-rewrite-traefik-plugin-*/headerRewrite.go /tmp/*-header-rewrite-traefik-plugin-*/.traefik.yml /tmp/header-rewrite-traefik-plugin
+
 # Build restic. Needed for backup / restore capabilities
 RUN cd $GOPATH/restic && \
     export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH="amd64"; elif [[ ${ARCH} == "aarch64" ]]; then export ARCH="arm64"; fi && \
@@ -62,6 +68,7 @@ COPY --from=builder /che-operator/che-operator /manager
 COPY --from=builder /che-operator/templates/*.sh /tmp/
 COPY --from=builder /tmp/devworkspace-operator/templates/deploy /tmp/devworkspace-operator/templates
 COPY --from=builder /tmp/devworkspace-che-operator/templates/deploy /tmp/devworkspace-che-operator/templates
+COPY --from=builder /tmp/header-rewrite-traefik-plugin /tmp/header-rewrite-traefik-plugin
 COPY --from=builder /tmp/restic/restic /usr/local/bin/restic
 COPY --from=builder /go/restic/LICENSE /usr/local/bin/restic-LICENSE.txt
 

api/v1/checluster_types.go

@@ -475,8 +475,7 @@ type CheClusterSpecAuth struct {
 	// See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
 	// +optional
 	GatewayAuthorizationSidecarImage string `json:"gatewayAuthorizationSidecarImage,omitempty"`
-	// Header Rewrite Proxy sidecar image is used to properly set authorization header.
-	// See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+	// Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin.
 	GatewayHeaderRewriteSidecarImage string `json:"gatewayHeaderRewriteSidecarImage,omitempty"`
 }
 

bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml

@@ -83,7 +83,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-kubernetes.v7.34.0-265.nightly
+  name: eclipse-che-preview-kubernetes.v7.34.0-266.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -911,6 +911,8 @@ spec:
                         value: quay.io/eclipse/che-jwtproxy:0.10.0
                       - name: RELATED_IMAGE_single_host_gateway
                         value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+                      - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+                        value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
                       - name: RELATED_IMAGE_single_host_gateway_config_sidecar
                         value: quay.io/che-incubator/configbump:0.1.4
                       - name: RELATED_IMAGE_devworkspace_che_operator
@@ -1217,4 +1219,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.34.0-265.nightly
+  version: 7.34.0-266.nightly

bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml

@@ -52,7 +52,7 @@ spec:
                     description: Gateway sidecar responsible for authorization when NativeUserMode is enabled. See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                     type: string
                   gatewayHeaderRewriteSidecarImage:
-                    description: Header Rewrite Proxy sidecar image is used to properly set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                    description: Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin.
                     type: string
                   identityProviderAdminUserName:
                     description: Overrides the name of the Identity Provider administrator user. Defaults to `admin`.

bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml

@@ -74,7 +74,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.34.0-265.nightly
+  name: eclipse-che-preview-openshift.v7.34.0-266.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1043,6 +1043,8 @@ spec:
                         value: quay.io/eclipse/che-jwtproxy:0.10.0
                       - name: RELATED_IMAGE_single_host_gateway
                         value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+                      - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+                        value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
                       - name: RELATED_IMAGE_single_host_gateway_config_sidecar
                         value: quay.io/che-incubator/configbump:0.1.4
                       - name: RELATED_IMAGE_devworkspace_che_operator
@@ -1360,4 +1362,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.34.0-265.nightly
+  version: 7.34.0-266.nightly

bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml

@@ -75,8 +75,8 @@ spec:
                         or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                       type: string
                     gatewayHeaderRewriteSidecarImage:
-                      description: Header Rewrite Proxy sidecar image is used to properly
-                        set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                      description: Deprecated. The value of this flag is ignored.
+                        Sidecar functionality is now implemented in Traefik plugin.
                       type: string
                     identityProviderAdminUserName:
                       description: Overrides the name of the Identity Provider administrator

config/crd/bases/org_v1_che_crd-v1beta1.yaml

@@ -71,8 +71,8 @@ spec:
                     or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                   type: string
                 gatewayHeaderRewriteSidecarImage:
-                  description: Header Rewrite Proxy sidecar image is used to properly
-                    set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                  description: Deprecated. The value of this flag is ignored. Sidecar
+                    functionality is now implemented in Traefik plugin.
                   type: string
                 identityProviderAdminUserName:
                   description: Overrides the name of the Identity Provider administrator

config/crd/bases/org_v1_che_crd.yaml

@@ -75,8 +75,8 @@ spec:
                         or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                       type: string
                     gatewayHeaderRewriteSidecarImage:
-                      description: Header Rewrite Proxy sidecar image is used to properly
-                        set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                      description: Deprecated. The value of this flag is ignored.
+                        Sidecar functionality is now implemented in Traefik plugin.
                       type: string
                     identityProviderAdminUserName:
                       description: Overrides the name of the Identity Provider administrator

config/manager/manager.yaml

@@ -71,6 +71,8 @@ spec:
               value: quay.io/eclipse/che-jwtproxy:0.10.0
             - name: RELATED_IMAGE_single_host_gateway
               value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+            - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+              value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
             - name: RELATED_IMAGE_single_host_gateway_config_sidecar
               value: quay.io/che-incubator/configbump:0.1.4
             - name: RELATED_IMAGE_devworkspace_che_operator

pkg/deploy/defaults.go

@@ -27,23 +27,24 @@ import (
 )
 
 var (
-	defaultCheServerImage                      string
-	defaultCheVersion                          string
-	defaultDashboardImage                      string
-	defaultDevworkspaceCheOperatorImage        string
-	defaultDevworkspaceControllerImage         string
-	defaultPluginRegistryImage                 string
-	defaultDevfileRegistryImage                string
-	defaultCheTLSSecretsCreationJobImage       string
-	defaultPvcJobsImage                        string
-	defaultPostgresImage                       string
-	defaultKeycloakImage                       string
-	defaultSingleHostGatewayImage              string
-	defaultSingleHostGatewayConfigSidecarImage string
-	defaultInternalRestBackupServerImage       string
-	defaultGatewayAuthenticationSidecarImage   string
-	defaultGatewayAuthorizationSidecarImage    string
-	defaultGatewayHeaderProxySidecarImage      string
+	defaultCheServerImage                       string
+	defaultCheVersion                           string
+	defaultDashboardImage                       string
+	defaultDevworkspaceCheOperatorImage         string
+	defaultDevworkspaceControllerImage          string
+	defaultPluginRegistryImage                  string
+	defaultDevfileRegistryImage                 string
+	defaultCheTLSSecretsCreationJobImage        string
+	defaultPvcJobsImage                         string
+	defaultPostgresImage                        string
+	defaultKeycloakImage                        string
+	defaultSingleHostGatewayImage               string
+	defaultSingleHostGatewayImageNativeUserMode string
+	defaultSingleHostGatewayConfigSidecarImage  string
+	defaultInternalRestBackupServerImage        string
+	defaultGatewayAuthenticationSidecarImage    string
+	defaultGatewayAuthorizationSidecarImage     string
+	defaultGatewayHeaderProxySidecarImage       string
 
 	defaultCheWorkspacePluginBrokerMetadataImage  string
 	defaultCheWorkspacePluginBrokerArtifactsImage string
@@ -183,6 +184,7 @@ func InitDefaultsFromFile(defaultsPath string) {
 	defaultPostgresImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres"))
 	defaultKeycloakImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak"))
 	defaultSingleHostGatewayImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway"))
+	defaultSingleHostGatewayImageNativeUserMode = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode"))
 	defaultSingleHostGatewayConfigSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar"))
 	defaultGatewayAuthenticationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar"))
 	defaultGatewayAuthorizationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authorization_sidecar"))
@@ -329,7 +331,15 @@ func DefaultCheServerSecureExposerJwtProxyImage(cr *orgv1.CheCluster) string {
 }
 
 func DefaultSingleHostGatewayImage(cr *orgv1.CheCluster) string {
-	return patchDefaultImageName(cr, defaultSingleHostGatewayImage)
+	// `nativeUserMode` uses Traefik local plugins, which is supported from version 2.5 that is
+	// currently in Release Candidate. As we don't want to use RC version in our stable release,
+	// we're using 2 images now. As soon as Traefik 2.5 stable will be releases, we will remove
+	// `defaultSingleHostGatewayImageNativeUserMode` and use single image again.
+	if util.IsNativeUserModeEnabled(cr) {
+		return patchDefaultImageName(cr, defaultSingleHostGatewayImageNativeUserMode)
+	} else {
+		return patchDefaultImageName(cr, defaultSingleHostGatewayImage)
+	}
 }
 
 func DefaultSingleHostGatewayConfigSidecarImage(cr *orgv1.CheCluster) string {
@@ -455,6 +465,7 @@ func InitDefaultsFromEnv() {
 	defaultPostgresImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres"))
 	defaultKeycloakImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak"))
 	defaultSingleHostGatewayImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway"))
+	defaultSingleHostGatewayImageNativeUserMode = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode"))
 	defaultSingleHostGatewayConfigSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar"))
 	defaultInternalRestBackupServerImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_internal_rest_backup_server"))
 	defaultGatewayAuthenticationSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar"))