Added namespace configurator for existing user SSH keys

[mshaposhnik]

Signed-off-by: Max Shaposhnik mshaposh@redhat.com

What does this PR do?

Added namespace configurator for mounting existing user SSH keys into namespace during provision

Screenshot/screencast of this PR

Generated secret data will looks like:

What issues does this PR fix or reference?

eclipse-che/che#20832

How to test this PR?

• Deploy Che with devworkspaces enabled;
• Add SSH key via Swagger API (since SSH plugin in Theia is disabled on DVW mode)
• Remove user namespace and refresh dashboard to force namespace provision again
• Check secret is created

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: quay.io/crw_pr/che-server:192

Test product:

• tested with Eclipse Che on K8S (minikube v1.22.0)
• E2E test scenario
• E2E test pipeline source code

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

[amisevsk]

LGTM from a DWO perspective.

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: quay.io/crw_pr/che-server:192

Test product:

• tested with Eclipse Che on K8S (minikube v1.22.0)
• E2E test scenario
• E2E test pipeline source code

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

[skabashnyuk]

@amisevsk @JPinkney can you confirm that the path of ssh key should be /.ssh/ as described here devfile/devworkspace-operator#613 (comment) we used to have it /etc/ssh see

che-server/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/SshKeysProvisioner.java

Line 86 in fb8735b

private static String SSH_BASE_CONFIG_PATH = "/etc/ssh/";

[ibuziuk]

@amisevsk wondering if we need to process the internal ssh keys for async-storage. I'm not sure how the DevWorkspace handles the key management for it

[ibuziuk]

che-server/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/AsyncStorageProvisioner.java

Line 204 in 98b66ff

sshPairs = sshManager.getPairs(userId, "internal");

[mshaposhnik]

Yes, correct path should be /etc/ssh/ssh_config, pushed the fix.

[amisevsk]

/etc/ssh should work, however note that currently async storage mounts its own ssh key to /etc/ssh/private for the async storage sidecar, so that's a sticking point we may need to work around in some way.

[mshaposhnik]

Maybe separate secret with different mount path-s for them ? (but ssh_config file should remain the same IMHO....)

[amisevsk]

Maybe separate secret with different mount path-s for them ? (but ssh_config file should remain the same IMHO....)

I think DWO needs to isolate the async-storage sidecar from automount, etc. It only has a single responsibility (communicate with async server) and so should not be impacted by anything else. I've created devfile/devworkspace-operator#707 to track this issue.

[skabashnyuk]

[crw-ci-test --rebuild]

[skabashnyuk]

@amisevsk @ibuziuk does it make sense to handle async-storage keys as a separate task? Because it is not really clear what to do now.

[mshaposhnik]

@skabashnyuk Yes that's why devfile/devworkspace-operator#707 created AFAIU

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: quay.io/crw_pr/che-server:192

Test product:

• tested with Eclipse Che on K8S (minikube v1.22.0)
• E2E test scenario
• E2E test pipeline source code

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

[amisevsk]

To clarify, DWO currently creates the keypair for the async storage usecase, so no intervention from Che Server is needed to make that happen (Che should not have to do anything for the async storage case). The issue is that currently the keypair provisioned by DWO will collide with an automount to that directory, which is what's described in devfile/devworkspace-operator#707.