Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[STEP3] user's namespace provisioning #20168

Closed
9 tasks done
skabashnyuk opened this issue Jul 21, 2021 · 7 comments
Closed
9 tasks done

[STEP3] user's namespace provisioning #20168

skabashnyuk opened this issue Jul 21, 2021 · 7 comments
Labels
engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Milestone
DevWorkspace Int...

Comments

@skabashnyuk
Copy link
Contributor

skabashnyuk commented Jul 21, 2021
edited
Loading

Is your task related to a problem? Please describe.

Che server is able to use its configuration to set various settings on the workspace pod and/or user's namespace. We should think about supporting them on the DevWorkspaces, too:

Describe the solution you'd like

  1. Create new custom resource CheUser like
apiVersion: org.eclipse.che/v1beta1
kind: CheUser
metadata:
 name: username
spec:
  id: 238409230-2349023049-24509i
  firstName: John
  lastName: Doe
  profile:
    attributes:
       a1:v1
  1. On CheUser creation/update run k8s namespace reconcile loop that will create k8s secret with custom certificates
apiVersion: v1
kind: Secret
metadata:
  name: ca-crt-secret
  labels:
    controller.devfile.io/mount-to-devworkspace: "true"
  annotations:
    controller.devfile.io/mount-path: '/tmp/che/secret/'
data:
  ca.crt: <base64 encoded data content here>
  1. Create secret with proxy settings
apiVersion: v1
  kind: Secret
metadata:
  name: env-var-secret
  labels:
    controller.devfile.io/mount-to-devworkspace: "true"
  annotations:
    controller.devfile.io/mount-as: env
data:
  https_proxy: value
  http_proxy: value
  no_proxy: value

Describe alternatives you've considered

All the settings that would be in the CheUser instance can also be placed in variously labeled config maps and secrets and the user information can be drawn from OpenShift's User object or, hopefully, from the user info of the OIDC provider of Kubernetes.

Additional context
@skabashnyuk skabashnyuk added kind/task Internal things, technical debt, and to-do tasks to be performed. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator labels Jul 21, 2021
@skabashnyuk skabashnyuk mentioned this issue Jul 21, 2021
Closed
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 21, 2021
@skabashnyuk skabashnyuk mentioned this issue Jul 21, 2021
Closed
@AndrienkoAleksandr AndrienkoAleksandr added severity/P2 Has a minor but important impact to the usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 21, 2021
@skabashnyuk skabashnyuk changed the title [che-operator] user's namespace provisioning [devworkspace-che-operator] user's namespace provisioning Jul 22, 2021
@skabashnyuk skabashnyuk added engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. severity/P1 Has a major impact to usage or development of the system. and removed area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator severity/P2 Has a minor but important impact to the usage or development of the system. labels Jul 22, 2021
@tolusha
Copy link
Contributor

tolusha commented Jul 22, 2021
edited
Loading

  1. All certificates are put into ca-certs-merged configmap
  2. All workspace options are put into che configmap:
    CHE_WORKSPACE_JAVA__OPTIONS
    CHE_WORKSPACE_MAVEN__OPTIONS
    CHE_WORKSPACE_HTTP__PROXY__JAVA__OPTIONS
    CHE_WORKSPACE_HTTP__PROXY
    CHE_WORKSPACE_HTTPS__PROXY
    CHE_WORKSPACE_NO__PROXY

@skabashnyuk skabashnyuk mentioned this issue Jul 28, 2021
Closed
@l0rd l0rd added kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. roadmap/3-months Epics that are planned to complete in the short term (within 3 months) labels Aug 5, 2021
@metlos metlos mentioned this issue Aug 20, 2021
Merged
11 tasks
@metlos
Copy link
Contributor

metlos commented Aug 31, 2021

In the PR eclipse-che/che-operator#1027 we're implementing this by watching namespace events (or project events on OpenShift). This way, we can pre-deploy the namespace with all necessary objects for different secrets and other settings as soon as the namespace is marked as a workspace namespace for a particular user using a dedicated label.

This means that we don't have to do additional checks on workspace startup and let the devworkspace operator do its magic of auto-mounting the secrets and configmaps into the workspace pod as configured (either as files or as env vars).

@skabashnyuk
Copy link
Contributor Author

@tolusha I propose to cover *_OPTS issue with #20501
CC @metlos @l0rd

@tolusha
Copy link
Contributor

tolusha commented Sep 21, 2021

@skabashnyuk
ok for me

@metlos metlos closed this as completed Sep 21, 2021
@metlos metlos reopened this Sep 23, 2021
@metlos
Copy link
Contributor

metlos commented Sep 24, 2021

Note that since this is an epic issue, I updated it with a list of subtasks for each of the things that the che server is currently provisioning into the workspace pod. We need to figure out the priority of those and if or how to implement them. Some of the tasks are implementable only on the DWO side, some can be implemented in che-operator, some will probably require changes in both.

@skabashnyuk
Copy link
Contributor Author

@l0rd could you please review the list of remainings and wrote your option about what is mandatory/option for Step 3.

@l0rd
Copy link
Contributor

l0rd commented Sep 27, 2021
edited
Loading

As a rule of thumb: higher priority to features that existed in che-server land but do not exist in devworkspace land, lower priority to new features that didn't exist in che-server land.

In STEP 3 milestone and ordered by priority:

Not in STEP 3 milestone:

Closed

@l0rd l0rd removed the roadmap/3-months Epics that are planned to complete in the short term (within 3 months) label Oct 5, 2021
@skabashnyuk skabashnyuk changed the title [devworkspace-che-operator] user's namespace provisioning [STEP3][devworkspace-che-operator] user's namespace provisioning Nov 24, 2021
@skabashnyuk skabashnyuk changed the title [STEP3][devworkspace-che-operator] user's namespace provisioning [STEP3] user's namespace provisioning Nov 25, 2021
@skabashnyuk skabashnyuk mentioned this issue Dec 15, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
DevWorkspace Integration - STEP3
Development

No branches or pull requests
6 participants
@metlos @l0rd @skabashnyuk @tolusha @AndrienkoAleksandr @che-bot