feat: native auth on Kubernetes #171

Merged
merged 38 commits into from
Nov 25, 2021


@sparkoo sparkoo commented Oct 27, 2021

Signed-off-by: Michal Vala mvala@redhat.com

What does this PR do?

  • removed che.infra.kubernetes.enable_unsupported_k8s + any checks to it
  • Implemented OIDCTokenInitializationFilter that checks token from Authorization header, decodes it and creates Che user from token claims.
  • Moved multiple Keycloak* classes into new OIDC module and keep generic OIDC stuff there. Where needed, Keycloak implementation extends these OIDC ones.
  • Moved namespace configuration into NamespaceConfigurators. This makes KubernetesNamespaceFactory and OpenShiftProjectFactory simpler.
  • Move calling of NamespaceConfigurator from NamespaceProvisioner into KubernetesNamespaceFactory/OpenShiftProjectFactory. This makes factories slightly more complex, but still better than doing all configuration/provisioning directly by Factory.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#20633

How to test this PR?

che-server image: quay.io/mvala/che-server:gh20633-nativeAuthKube
che-operator image: quay.io/mvala/che-operator:gh20635-nativeAuthKube

  1. start minikube
  2. create CheCluster patch.yaml, replace {{MINIKUBE_IP}} with your minikube IP:
    spec:
      auth:
        nativeUserMode: true
        identityProviderURL: http://dex.dex:5556
        gatewayAuthenticationSidecarImage: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
        gatewayAuthorizationSidecarImage: quay.io/brancz/kube-rbac-proxy:v0.11.0
      server:
        cheHost: 'che-eclipse-che.{{MINIKUBE_IP}}.nip.io'
        customCheProperties:
          CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: 'http://dex.dex:5556'
  3. deploy with devworkspaces engine and images (you'll have to accept the risk that chectl prompts) ^^
    chectl server:deploy --platform=minikube --installer=operator --cheimage=quay.io/mvala/che-server:gh20633-nativeAuthKube --che-operator-image=quay.io/mvala/che-operator:gh20635-nativeAuthKube --workspace-engine=dev-workspace --che-operator-cr-patch-yaml=patch.yaml
  4. wait until che is fully deployed (there should be no keycloak), then you can open che url as usual and import the CA cert
  5. You get to the Dex login page. There are a couple of predefined users: che@eclipse.org:admin or userN@che:password where N is 1-5. After you log in, you should get to the dashboard as you know it.

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.
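
The description above says OIDCTokenInitializationFilter reads the token from the Authorization header, decodes it and creates a user from its claims. The following is an added Python sketch of that flow, not code from this PR or from Che: `User`, `TokenRejected`, `user_from_authorization` and `constructed_token` are hypothetical names, and the choice of `sub`, `email` and `name` claims is an assumption. It performs no signature check and assumes the token was already verified upstream (for instance by the oauth2-proxy gateway sidecar named in the patch).

```python
import base64
import json
import time
from dataclasses import dataclass

class TokenRejected(Exception):
    """The Authorization header did not yield a usable identity."""

@dataclass(frozen=True)
class User:  # hypothetical stand-in for the server-side user object
    user_id: str
    email: str
    name: str

def _claims(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        claims = json.loads(raw)
    except ValueError as exc:
        raise TokenRejected("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise TokenRejected("payload is not a JSON object")
    return claims

def user_from_authorization(header, expected_issuer, now=None):
    """Build a User from bearer-token claims. Does NOT verify the signature:
    assumes a gateway in front of this code already did (assumption)."""
    scheme, _, token = (header or "").strip().partition(" ")
    parts = token.strip().split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        raise TokenRejected("expected 'Bearer <header>.<payload>.<signature>'")
    claims = _claims(parts[1])
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("unexpected issuer")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or 'exp' missing")
    missing = [c for c in ("sub", "email") if not claims.get(c)]
    if missing:
        raise TokenRejected("missing claims: " + ", ".join(missing))
    return User(claims["sub"], claims["email"], claims.get("name") or claims["email"])

def constructed_token(claims):
    # Constructed sample input only: the signature segment is a placeholder.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])
```

If this code can be reached without passing through the verifying gateway, the claims are attacker-controlled, so the signature would have to be checked against the provider's published keys before any claim is trusted.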

@sparkoo sparkoo changed the title from "native auth on Kubernetes" to "feat: native auth on Kubernetes" Nov 10, 2021
@sparkoo sparkoo marked this pull request as ready for review November 10, 2021 14:23
Signed-off-by: Michal Vala <mvala@redhat.com>
@sparkoo sparkoo force-pushed the gh20633-nativeAuthKube branch from e94344a to 847cd43 Compare November 11, 2021 15:31
@eclipse-che eclipse-che deleted a comment from che-bot Nov 23, 2021
@eclipse-che eclipse-che deleted a comment from che-bot Nov 24, 2021
@sparkoo
Member Author

sparkoo commented Nov 24, 2021

@skabashnyuk
Contributor

mvn clean install
cd assembly/ws-maser/war
docker run --rm -t -v ~/.m2:/root/.m2   -v ${PWD}/:/workspace/project  quay.io/che-incubator/dash-licenses:next --generate 

# Conflicts:
#	infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java
#	infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactoryTest.java
#	infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java
#	infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java
Contributor

@metlos metlos left a comment

Nicely done. Just 1 more nitpick about a todo in tests but don't consider being blocked by it...

@eclipse-che eclipse-che deleted a comment from che-bot Nov 25, 2021
@sparkoo sparkoo merged commit 388a518 into eclipse-che:main Nov 25, 2021
@sparkoo sparkoo deleted the gh20633-nativeAuthKube branch November 25, 2021 13:49
@che-bot che-bot added this to the 7.40 milestone Nov 25, 2021