fix: Adding ability to use kubernetes API proxy on Kubernetes #6

Merged
merged 15 commits into from
Jun 8, 2021

Contributor

@xbaran4 xbaran4 commented May 24, 2021

Signed-off-by: xbaran4 pbaran@redhat.com

What does this PR do?

Adds a property that will allow the use of /unsupported/k8s even when on Kubernetes infrastructure.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#19813

How to test this PR?

  • run tests
  1. have or deploy a che instance on minikube with chectl
  2. run

     ```
     kubectl patch checluster/eclipse-che -n eclipse-che --type=merge -p "$(cat patch.yaml)"
     ```

     where patch.yaml contains:

     ```yaml
     spec:
       server:
         cheImage: "quay.io/pbaran/che-server"
         cheImageTag: "unsupported-k8s"
     ```
  3. Enable unsupported k8s api on k8s

     ```
     kubectl patch checluster/eclipse-che --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_INFRA_KUBERNETES_ENABLE__UNSUPPORTED__K8S\": \"true\"}}}}" --type=merge -n eclipse-che
     ```
  4. run

     ```
     curl -k "${CHE_HOST}/api/unsupported/k8s/api/v1/namespaces?token=${TOKEN}"
     ```

     where CHE_HOST is the URL of your che-server instance and TOKEN is your user's Keycloak token
  5. you should see something similar to this:
     image

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

Signed-off-by: xbaran4 <pbaran@redhat.com>
Signed-off-by: xbaran4 <pbaran@redhat.com>
Member

@sparkoo sparkoo left a comment

lgtm.
Can you please build docker image and write some better "how to test"? How to deploy it, with what CheCluster patch and how to test actual endpoint (with curl? some example?)

@sleshchenko
Member

> Can you please build docker image

Ideally, you should not ask for it PR author.
Dashboard and Che Theia have images built automatically for each PR, which makes testing easier. =)

Member

@sleshchenko sleshchenko left a comment

LGTM

@sparkoo
Member

sparkoo commented May 24, 2021

> > Can you please build docker image
>
> Ideally, you should not ask for it PR author.

Yes, ideally. I agree :))

Contributor

@metlos metlos left a comment

I agree with @sparkoo that the config property description needs to mention that it poses no security risk on OpenShift. Otherwise LGTM, good job!

@che-bot
Contributor

che-bot commented May 26, 2021

Can one of the admins verify this patch?

Signed-off-by: xbaran4 <pbaran@redhat.com>
@xbaran4 xbaran4 requested a review from amisevsk as a code owner May 26, 2021 13:09
Signed-off-by: xbaran4 <pbaran@redhat.com>
Contributor

@metlos metlos left a comment

LGTM - just a small comment about getAuthenticatedHttpClient but feel free to merge without addressing it.

Signed-off-by: xbaran4 <pbaran@redhat.com>
@sparkoo
Member

sparkoo commented May 27, 2021

I'm trying to run it on minikube with quay.io/pbaran/che-server:unsupported-k8s but I have some issues. First with default configuration (no env variables set to enable k8s endpoint on kubernetes), it is still set to true.

Even though it tries to request k8s api, it fails with Error sending the direct infrastructure request. (https://github.com/xbaran4/che-server/blob/unsupported_api/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/DirectKubernetesAPIAccessHelper.java#L80). And che-server log reports Caused by: java.io.FileNotFoundException: /.kube/config (No such file or directory)

Is image up to date?

full exception log:

2021-05-27 08:18:46,950[nio-8080-exec-3]  [DEBUG] [o.e.c.i.m.DefaultMethodInvoker 145]  - null
java.lang.reflect.InvocationTargetException: null
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.everrest.core.impl.method.DefaultMethodInvoker.invokeMethod(DefaultMethodInvoker.java:141)
	at org.everrest.core.impl.method.DefaultMethodInvoker.invokeMethod(DefaultMethodInvoker.java:61)
	at org.everrest.core.impl.RequestDispatcher.doInvokeResource(RequestDispatcher.java:307)
	at org.everrest.core.impl.RequestDispatcher.invokeSubResourceMethod(RequestDispatcher.java:298)
	at org.everrest.core.impl.RequestDispatcher.dispatch(RequestDispatcher.java:234)
	at org.everrest.core.impl.RequestDispatcher.dispatch(RequestDispatcher.java:129)
	at org.everrest.core.impl.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:63)
	at org.everrest.core.impl.EverrestProcessor.process(EverrestProcessor.java:121)
	at org.everrest.core.servlet.EverrestServlet.service(EverrestServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:290)
	at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:280)
	at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
	at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
	at org.eclipse.che.core.metrics.ApiResponseMetricFilter.doFilter(ApiResponseMetricFilter.java:46)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at org.eclipse.che.commons.logback.filter.IdentityIdLoggerFilter.doFilter(IdentityIdLoggerFilter.java:49)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:142)
	at org.eclipse.che.multiuser.keycloak.server.KeycloakEnvironmentInitializationFilter.doFilter(KeycloakEnvironmentInitializationFilter.java:99)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter.doFilter(MachineLoginFilter.java:76)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1629)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.che.api.workspace.server.spi.InfrastructureException: Error sending the direct infrastructure request.
	at org.eclipse.che.workspace.infrastructure.kubernetes.DirectKubernetesAPIAccessHelper.call(DirectKubernetesAPIAccessHelper.java:80)
	at org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure.sendDirectInfrastructureRequest(KubernetesInfrastructure.java:90)
	at org.eclipse.che.api.infraproxy.server.InfrastructureApiService.request(InfrastructureApiService.java:149)
	at org.eclipse.che.api.infraproxy.server.InfrastructureApiService.get(InfrastructureApiService.java:94)
	... 51 common frames omitted
Caused by: java.io.FileNotFoundException: /.kube/config (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(Unknown Source)
	at java.base/java.io.FileInputStream.<init>(Unknown Source)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:343)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:14)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3331)
	at io.fabric8.kubernetes.client.internal.KubeConfigUtils.parseConfig(KubeConfigUtils.java:42)
	at io.fabric8.kubernetes.client.utils.TokenRefreshInterceptor.intercept(TokenRefreshInterceptor.java:44)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at io.fabric8.kubernetes.client.utils.ImpersonatorInterceptor.intercept(ImpersonatorInterceptor.java:68)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.lambda$createApplicableInterceptors$6(HttpClientUtils.java:284)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
	at okhttp3.RealCall.execute(RealCall.java:93)
	at org.eclipse.che.workspace.infrastructure.kubernetes.DirectKubernetesAPIAccessHelper.callApi(DirectKubernetesAPIAccessHelper.java:105)
	at org.eclipse.che.workspace.infrastructure.kubernetes.DirectKubernetesAPIAccessHelper.call(DirectKubernetesAPIAccessHelper.java:75)
	... 54 common frames omitted

skabashnyuk and others added 4 commits May 27, 2021 12:41
…/che/che.properties

Co-authored-by: Fabrice Flore-Thébault <ffloreth@redhat.com>
…/che/che.properties

Co-authored-by: Fabrice Flore-Thébault <ffloreth@redhat.com>
…/che/che.properties

Co-authored-by: Fabrice Flore-Thébault <ffloreth@redhat.com>
@skabashnyuk
Contributor

had the same thing as @sparkoo

Screenshot 2021-05-31 at 18 10 59

Will take a look tomorrow

@skabashnyuk skabashnyuk changed the title Adding ability to use kubernetes API proxy on Kubernetes fix: Adding ability to use kubernetes API proxy on Kubernetes Jun 3, 2021
@xbaran4 xbaran4 requested a review from mshaposhnik as a code owner June 3, 2021 11:15
Member

@sleshchenko sleshchenko left a comment

@skabashnyuk
Contributor

after enabling devworkspaces on minikube I got.

```
devworkspaces.workspace.devfile.io is forbidden: User \"system:serviceaccount:eclipse-che:che\" cannot list resource \"devworkspaces\" in API group \"workspace.devfile.io\" in the namespace \"admin-che\""
metadata: {}
```

@skabashnyuk
Contributor

I think we do need support of headers. At least content-type.

Request PATCH devworkspacetemplate

```
{kind: "Status", apiVersion: "v1", metadata: {}, status: "Failure",…}
apiVersion: "v1"
code: 415
kind: "Status"
message: "the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml"
metadata: {}
reason: "UnsupportedMediaType"
status: "Failure"
```
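
The 415 above is the API server rejecting a PATCH whose Content-Type is not one of the listed patch media types. As an added example (not code from this PR or from che-server), here is one way a proxy in front of the Kubernetes API could forward client headers through an allowlist. All function and constant names are hypothetical, and it assumes the proxy authenticates upstream with its own credentials.

```python
# Added illustration, not che-server code. All names here are hypothetical.
# Media types copied from the 415 message quoted in the comment above.
PATCH_MEDIA_TYPES = frozenset({
    "application/json-patch+json",
    "application/merge-patch+json",
    "application/apply-patch+yaml",
})

# Only these client headers are passed upstream. Everything else, notably
# Authorization and Impersonate-*, is dropped so the caller cannot influence
# the identity the proxy presents to the API server (assumption: the proxy
# adds its own credentials after this step).
FORWARDED_HEADERS = frozenset({"content-type", "accept"})


class UnsupportedMediaType(ValueError):
    """Raised when a PATCH would be rejected upstream with HTTP 415."""


def media_type(content_type: str) -> str:
    """Return the bare media type, lower-cased, without parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def upstream_headers(method: str, incoming: dict) -> dict:
    """Build the header set the proxy sends to the Kubernetes API server."""
    # HTTP header names are case-insensitive, so normalise before filtering.
    kept = {
        name.lower(): value
        for name, value in incoming.items()
        if name.lower() in FORWARDED_HEADERS
    }
    if method.upper() == "PATCH":
        ctype = media_type(kept.get("content-type", ""))
        if ctype not in PATCH_MEDIA_TYPES:
            raise UnsupportedMediaType(
                f"PATCH needs one of {sorted(PATCH_MEDIA_TYPES)}, got {ctype!r}"
            )
    return kept


if __name__ == "__main__":
    # Constructed sample request headers.
    sample = {"Content-Type": "application/merge-patch+json",
              "Impersonate-User": "someone-else"}
    print(upstream_headers("PATCH", sample))
```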

Member

@sparkoo sparkoo left a comment

lgtm

@skabashnyuk skabashnyuk merged commit eaf450e into eclipse-che:main Jun 8, 2021
@skabashnyuk skabashnyuk added this to the 7.32 milestone Jun 9, 2021