Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Add a predefined secret to store credentials #68

Merged
merged 9 commits into from
Aug 17, 2021
Merged

fix: Add a predefined secret to store credentials #68

merged 9 commits into from
Aug 17, 2021

Conversation

vinokurig
Copy link
Contributor

@vinokurig vinokurig commented Jul 28, 2021
edited
Loading

Signed-off-by: Igor Vinokur ivinokur@redhat.com

What does this PR do?

  • Create a predefined K8s secret per nemaespace to store credentials.
  • Add a specific secret role for the credentials secret. This role allows to edit only this predefined secret. Other secrets are not controlled by this role.

depends on eclipse-che/che-operator#971

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#19837

How to test this PR?

  1. Start a workspace and open a terminal from ide container
  2. Send an HTTP request to kubernetes API to edit the credentials-secret: curl -X POST <kubernetes API url>/api/v1/namespaces/<namespace name>/secrets--header "Content-Type: application/json-patch+json" -d '[{ "op": "add", "path": "/data", "value": { "key": "" } }]'

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

@vinokurig vinokurig mentioned this pull request Jul 28, 2021
Closed
11 tasks
@che-bot
Copy link
Contributor

che-bot commented Jul 28, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

amisevsk
amisevsk approved these changes Jul 28, 2021
View reviewed changes
Copy link
Contributor

@amisevsk amisevsk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this approach is better than the previous, but would prefer the predefined secret to have an abstract name, e.g. workspace-credentials-secret. This sort of name maps more naturally onto what is provisioned in the DevWorkspace Operator, since it would look strange for Web Terminals to come with access to che-credentials-secret.

...lipse/che/workspace/infrastructure/kubernetes/namespace/AbstractWorkspaceServiceAccount.java Outdated
k8sClient,
SECRETS_ROLE_NAME,
singletonList("secrets"),
singletonList("che-credentials-secret"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we choose a Che-agnostic name -- e.g. workspace-credentials-secret? If we want to do a similar thing in DWO, it's a lot easier to justify if it's not labelled with a specific platform.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 for workspace-credentials-secret

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+ please consider moving that secret name somewhere to constants

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

sleshchenko
sleshchenko approved these changes Jul 29, 2021
View reviewed changes
...lipse/che/workspace/infrastructure/kubernetes/namespace/AbstractWorkspaceServiceAccount.java Outdated
k8sClient,
SECRETS_ROLE_NAME,
singletonList("secrets"),
singletonList("che-credentials-secret"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+ please consider moving that secret name somewhere to constants

@che-bot
Copy link
Contributor

che-bot commented Aug 2, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@skabashnyuk
Copy link
Contributor

@vinokurig can you merge latest "main" please?

@che-bot
Copy link
Contributor

che-bot commented Aug 3, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@che-bot
Copy link
Contributor

che-bot commented Aug 4, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@che-bot
Copy link
Contributor

che-bot commented Aug 4, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@vinokurig
merge with main
65e5e20 
Signed-off-by: Igor Vinokur <ivinokur@redhat.com>
@che-bot
Copy link
Contributor

che-bot commented Aug 4, 2021

✅ E2E Happy path tests succeed 🎉

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@vinokurig
Copy link
Contributor Author

@skabashnyuk @sparkoo @mshaposhnik I am going to merge this PR tomorrow if no objections?

sparkoo
sparkoo reviewed Aug 5, 2021
View reviewed changes
...lipse/che/workspace/infrastructure/kubernetes/namespace/AbstractWorkspaceServiceAccount.java Outdated Show resolved Hide resolved
...eclipse/che/workspace/infrastructure/openshift/project/OpenShiftWorkspaceServiceAccount.java Outdated
String name, List<String> resources, List<String> apiGroups, List<String> verbs) {
String name,
List<String> resources,
@Nullable List<String> resourceNames,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pass empty list, instread of nullable

...lipse/che/workspace/infrastructure/kubernetes/namespace/AbstractWorkspaceServiceAccount.java Outdated Show resolved Hide resolved
@che-bot
Copy link
Contributor

che-bot commented Aug 5, 2021

✅ E2E Happy path tests succeed 🎉

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@che-bot
Copy link
Contributor

che-bot commented Aug 6, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@che-bot
Copy link
Contributor

che-bot commented Aug 9, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

sparkoo
sparkoo reviewed Aug 10, 2021
View reviewed changes
...rg/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java Outdated
canCreateNamespace(identity),
labelNamespaces ? namespaceLabels : emptyMap(),
annotateNamespaces ? namespaceAnnotationsEvaluated : emptyMap());
if (newNamespace) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, this will be true only in case that we've created the namespace in previous namespace.prepare call. So what if namespace already exists? Don't we need the secret then? The namespace could be prepared by admins or created by older Che version. What if user removed/modified the secret ? Don't we need to reconcile ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, reworked to check if the secret exists.

sparkoo
sparkoo reviewed Aug 10, 2021
View reviewed changes
Copy link
Member

@sparkoo sparkoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code looks good to me, thanks.

@che-bot
Copy link
Contributor

che-bot commented Aug 10, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@che-bot
Copy link
Contributor

che-bot commented Aug 11, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@vinokurig
Copy link
Contributor Author

[crw-ci-test]

@che-bot
Copy link
Contributor

che-bot commented Aug 16, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@vinokurig
Copy link
Contributor Author

[crw-ci-test --rebuild]

@che-bot
Copy link
Contributor

che-bot commented Aug 16, 2021

❌ E2E Happy path tests failed ❗

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@eclipse-che eclipse-che deleted a comment from che-bot Aug 17, 2021
@dmytro-ndp
Copy link
Contributor

[crw-ci-test --rebuild]

@che-bot
Copy link
Contributor

che-bot commented Aug 17, 2021

✅ E2E Happy path tests succeed 🎉

See Details

Test product:

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

Eclipse Che QE channel: https://mattermost.eclipse.org/eclipse/channels/eclipse-che-qe

@vinokurig vinokurig merged commit 5934e97 into main Aug 17, 2021
@vinokurig vinokurig deleted the che-19837 branch August 17, 2021 09:22
@che-bot che-bot added this to the 7.35 milestone Aug 17, 2021
@vinokurig vinokurig mentioned this pull request Aug 17, 2021
Merged
9 tasks
@vinokurig vinokurig mentioned this pull request Dec 8, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sparkoo sparkoo sparkoo approved these changes

@skabashnyuk skabashnyuk skabashnyuk approved these changes

@mshaposhnik mshaposhnik mshaposhnik approved these changes

@sleshchenko sleshchenko sleshchenko approved these changes

@amisevsk amisevsk amisevsk approved these changes

@metlos metlos Awaiting requested review from metlos

@nickboldt nickboldt Awaiting requested review from nickboldt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
7.35
Development

Successfully merging this pull request may close these issues.
8 participants
@vinokurig @che-bot @skabashnyuk @dmytro-ndp @sparkoo @mshaposhnik @sleshchenko @amisevsk