feat: Add user-preferences/profile secrets to the workspace-secret role

[vinokurig]

Signed-off-by: Igor Vinokur ivinokur@redhat.com

What does this PR do?

Include the user-preferences and user-profile secrets to the workspace-secrets role. This gives an ability to read and edit those secrets.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#20622

How to test this PR?

1. Start a workspace and open a terminal from the ide container.
2. Send an HTTP request to the kubernetes API to edit user-preferences secret: curl -X POST <kubernetes API url>/api/v1/namespaces/<namespace name>/secrets/user-preferences --header "Content-Type: application/json-patch+json" -d '[{ "op": "add", "path": "/data", "value": { "key": "" } }]'

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: quay.io/crw_pr/che-server:172

Test product:

• tested with Eclipse Che on K8S (minikube v1.22.0)
• E2E test scenario
• E2E test pipeline source code

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

[skabashnyuk]

@vinokurig we don't expect someone will write directly to that secrets. On the next provisioning check, the content will be overwritten.

[skabashnyuk]

@vinokurig have you checked that data is not overwritten on the next /namespace/provision call that is going to be called from dashboard on each workspace/factory related operations?

[vinokurig]

@skabashnyuk yes, you are right, the data is overwritten after workspace restart.

[l0rd]

@skabashnyuk @vinokurig @svor what I think we should do

• drepecating che-server user preferences API
• having workspace-secrets created and managed by che-server (theia can read but cannot write) for user preferences managed by Che.
• having theia-secrets created by che-server at first workspace startup but managed by che-theia (in the future we will have similar secrets for vscode and idea IDEs)

My questions are:

• Does Theia even need read access to workspace-secrets? If the preferences are the ones mentioned here, Theia doesn't need them right?
• I think that loosing Theia preferences when migrating from che-server to devworkspace is acceptable but I may miss some important use case. Are you ok with that?

[vinokurig]

@l0rd @skabashnyuk @svor Opened another PR for the secrets approach #174