Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[devWorkspace] Adapt ssh-plugin to avoid requesting che-server API #20859

Closed
Tracked by #20830
svor opened this issue Dec 1, 2021 · 8 comments · Fixed by eclipse-che/che-theia#1277
Closed
Tracked by #20830

[devWorkspace] Adapt ssh-plugin to avoid requesting che-server API #20859

svor opened this issue Dec 1, 2021 · 8 comments · Fixed by eclipse-che/che-theia#1277
Assignees
@vinokurig
Labels
area/plugins kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system. sprint/current
Milestone
7.43

Comments

@svor
Copy link
Contributor

svor commented Dec 1, 2021
edited
Loading

Is your task related to a problem? Please describe

For now ssh-plugin uses che-server API to work with ssh keys (generate, store, read, ...). When deWorkspace engine is enabled it shouldn't request che-server API.

Describe the solution you'd like

Ssh plug-in should create/use secrets as reported there: devfile/devworkspace-operator#613 (comment)
@svor svor added kind/task Internal things, technical debt, and to-do tasks to be performed. sprint/current team/plugins severity/P1 Has a major impact to usage or development of the system. area/plugins labels Dec 1, 2021
This was referenced Dec 1, 2021
Closed
Closed
@vinokurig
Copy link
Contributor

The approach I am going to follow is:

  • For now SSH mechanism is located in the che-server side, and is retrieved by API calls. We need to implement the SSH logic to be executed directly in the che-theia container to avoid API calls.
  • To store SSH keys we need to have another predefined secret like the workspace-credentials-secret with a corresponding access role.

@l0rd @benoitf Is it OK for you?

@svor svor mentioned this issue Dec 8, 2021
Closed
19 tasks
@l0rd
Copy link
Contributor

l0rd commented Dec 8, 2021

@vinokurig that's ok for me. @JPinkney @amisevsk is that consistent with secrets injection in DevWorkspaces?

@amisevsk
Copy link
Contributor

amisevsk commented Dec 8, 2021

How does this interact with this PR eclipse-che/che-server#192? With the changes from that PR, and Che-side SSH keys will be mounted to /.ssh/.

Is there a reason the existing workspace-credentials-secret cannot be used? My understanding is that this was the original purpose of adding this secret.

@vinokurig
Copy link
Contributor

@amisevsk

How does this interact with this PR eclipse-che/che-server#192? With the changes from that PR, and Che-side SSH keys will be mounted to /.ssh/.

This PR retrieves SSH keys from che-server database: https://github.com/eclipse-che/che-server/pull/192/files#diff-e507f35404ee3af31b7d37cea6a97dbe19ff8d3d8cad0f65de3dbc8b25058541R114. In DevWorkspace Che, che-server will not contain any user SSH keys as we can't make requests to the SSH API service. The idea of this issue is to avoid API requests, for that we need to generate SSH key by the editor container.

Is there a reason the existing workspace-credentials-secret cannot be used? My understanding is that this was the original purpose of adding this secret.

workspace-credentials-secret initially was added to handle theia's credentials plugin API. I am not sure that SSH key = credentials.

@amisevsk
Copy link
Contributor

amisevsk commented Dec 9, 2021

In DevWorkspace Che, che-server will not contain any user SSH keys as we can't make requests to the SSH API service.

So then is eclipse-che/che-server#192 unnecessary?

workspace-credentials-secret initially was added to handle theia's credentials plugin API. I am not sure that SSH key = credentials.

We can certainly add more secrets to the workspace RBAC set, but I'm not sure we should be catering to what Theia needs at the moment. Why can't Theia use a secret like

apiVersion: v1
kind: Secret
metadata:
  name: workspace-credentials-secret
type: Opaque
data:
  theia-credentials: "<blob>"
  ssh-keys: "<blob>"

@benoitf
Copy link
Contributor

benoitf commented Dec 9, 2021

main advantage with Angel's proposal is that ssh keys are more user specific rather than IDE specific so using intellij or VSCode might reuse those keys more easily

@l0rd
Copy link
Contributor

l0rd commented Dec 10, 2021

@vinokurig does that work for you?

@vinokurig
Copy link
Contributor

Yes, I agree to use the workspace-credentials-secret for SSH keys

@vinokurig vinokurig mentioned this issue Dec 17, 2021
Merged
10 tasks
@svor svor mentioned this issue Dec 20, 2021
Closed
15 tasks
@svor svor mentioned this issue Jan 11, 2022
Closed
17 tasks
@svor svor modified the milestones: 7.42, 7.43 Jan 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vinokurig vinokurig

Labels
area/plugins kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system. sprint/current
Projects
None yet
Milestone
7.43
Development

Successfully merging a pull request may close this issue.

chore: [dev-workspace] Rework SSH plugin to store keys in the K8s secret eclipse-che/che-theia
5 participants
@benoitf @l0rd @svor @vinokurig @amisevsk