Use che.infrastructure.kubernetes.namespace.default during workspace namespace resolution #14828

Merged
Changes from 24 commits
27 commits
7ed6b18
Load the workspace during the namespace resolution so that we can check
metlos Oct 9, 2019
8776439
Adapt the namespace checking for Openshift infra and fix the tests.
metlos Oct 10, 2019
bb586f6
Fix the Openshift tests to faithfully simulate the Openshift client b…
metlos Oct 10, 2019
12c3fcf
Switch the default to <username>-che.
metlos Oct 10, 2019
c6e29c1
Update the javadoc a little.
metlos Oct 10, 2019
a240d74
Update the property descriptions in che.properties and use the new
metlos Oct 10, 2019
a19ebb8
Provide the default cheWorkspaceNamespace in the helm chart
metlos Oct 11, 2019
8e242a5
Add some debugging to be able to trace namespace resolution in the debug
metlos Oct 11, 2019
17ba3e4
Make sure workspace startup finishers don't overwrite
metlos Oct 11, 2019
e30bfa5
Fix the test regression - we need to use a different override for the
metlos Oct 11, 2019
5449389
Fix the helm chart to detect workspace namespace with placeholders.
metlos Oct 11, 2019
4627ea9
The check for forbidden namespace access is required on Kubernetes as…
metlos Oct 14, 2019
0fbc552
Do not try to base the logic on whether the workspace is static/prede…
metlos Oct 15, 2019
6c23342
Revert "Do not try to base the logic on whether the workspace is stat…
metlos Oct 15, 2019
8b4e40f
The decision on whether a namespace is static or not cannot be made
metlos Oct 15, 2019
2b16123
Update the OpenShiftProjectFactoryTest.
metlos Oct 15, 2019
dd3c4ac
* Move the delete to the KubernetesNamespace/OpenShiftProject to
metlos Oct 18, 2019
f47c40f
Fix the tests and actually make them test anything..
metlos Oct 18, 2019
d5de2e6
Merge remote-tracking branch 'upstream/master' into bug/14795-use-new…
metlos Oct 21, 2019
ff782f8
Improve error handling while the namespace/project is being deleted.
metlos Oct 21, 2019
dda0993
Rename isManagingNamespaces -> isManagingNamespace
metlos Oct 21, 2019
b936f18
Merge remote-tracking branch 'upstream/master' into bug/14795-use-new…
metlos Oct 22, 2019
26bacf8
Clarified the logic in isManagingNamespace, updated the javadoc.
metlos Oct 22, 2019
1663ab5
Include the original error message when evaluating the namespace name…
metlos Oct 22, 2019
5d530b1
javadoc clarifications, simplification of isCreatingNamespace()
metlos Oct 22, 2019
639e989
Improve error messages and logging.
metlos Oct 22, 2019
1bcfc51
Formatting.
metlos Oct 22, 2019
Expand Up @@ -377,31 +377,33 @@ che.infra.kubernetes.server_strategy=default-host
# Used to generate domain for a server in a workspace in case property `che.infra.kubernetes.server_strategy` is set to `multi-host`
che.infra.kubernetes.ingress.domain=

# DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not
# set it on new installations.
#
# Defines Kubernetes namespace in which all workspaces will be created.
# If not set, every workspace will be created in a new namespace, where namespace = workspace id
# It's possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>).
# In that case, new namespace will be created for each user. Service account with permission
# to create new namespace must be used.
#
# Ignored for OpenShift infra. Use `che.infra.openshift.project` instead
#
# If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist,
# the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
che.infra.kubernetes.namespace=

# Defines Kubernetes default namespace in which user's workspaces are created
# if user does not override it.
# It's possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>).
# In that case, new namespace will be created for each user.
# It's possible to use <username>, <userid> and <workspaceid> placeholders (e.g.: che-workspace-<username>).
# In that case, new namespace will be created for each user (or workspace).
# Is used by OpenShift infra as well to specify Project
#
# BETA It's not fully supported by infra.
# Use che.infra.kubernetes.namespace to configure workspaces' namespace
che.infra.kubernetes.namespace.default=<username>-che

# Defines if a user is able to specify Kubernetes namespace different from default.
# It's NOT RECOMMENDED to configured true without OAuth configured.
# Is used by OpenShift infra as well to allows users choose Project
#
# BETA It's not fully supported by infra.
# Use che.infra.kubernetes.namespace to configure workspaces' namespace
# BETA This is not currently supported and setting it to true doesn't have any effect.
che.infra.kubernetes.namespace.allow_user_defined=false

# Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods.
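Review bot: the comment block for `che.infra.kubernetes.namespace.default` is missing a requirement that only the deprecated property still documents. With the new default `<username>-che` Che has to create a namespace per user, but the line "Service account with permission to create new namespace must be used" appears only under `che.infra.kubernetes.namespace`. Please repeat it here, since this is now the out-of-the-box behaviour and it decides how much cluster-level privilege the Che service account needs. Under `che.infra.kubernetes.namespace.allow_user_defined`, the "NOT RECOMMENDED ... without OAuth" warning now sits next to "setting it to true doesn't have any effect"; say which of the two applies. "loose data" should be "lose data".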
Expand Down Expand Up @@ -606,11 +608,17 @@ che.infra.kubernetes.runtimes_consistency_check_period_min=-1
# OpenShift infrastructure reuse most of the Kubernetes configuration attributes.
#

# DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not
# set it on new installations.
#
# Defines OpenShift namespace in which all workspaces will be created.
# If not set, every workspace will be created in a new project, where project name = workspace id
# It's possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>).
# In that case, new project will be created for each user. OpenShift oauth or service account with
# permission to create new projects must be used.
#
# If the project pointed to by this property exists, it will be used for all workspaces. If it does not exist,
# the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
che.infra.openshift.project=

# Single port mode wildcard domain host & port. nip.io is used by default
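Review bot: the two sentences added above `che.infra.openshift.project=` describe a silent fallback that the comment should spell out as such. If the configured project does not exist, workspaces go to whatever `che.infra.kubernetes.namespace.default` resolves to, so a mistyped or since-deleted project name changes where workspaces are placed without any error. Please state that explicitly and say whether the server logs the fallback. The added text also says "the namespace ... will be created" in a section that otherwise speaks of projects, and "loose data" should be "lose data".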
2 changes: 1 addition & 1 deletion deploy/kubernetes/helm/che/templates/configmap.yaml
Expand Up @@ -50,7 +50,7 @@ data:
{{- if and .Values.global.multiuser .Values.customOidcUsernameClaim }}
CHE_KEYCLOAK_USERNAME__CLAIM: {{ .Values.customOidcUsernameClaim }}
{{- end }}
CHE_INFRA_KUBERNETES_NAMESPACE: {{ .Values.global.cheWorkspacesNamespace | quote}}
CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT: {{ .Values.global.cheWorkspacesNamespace | quote}}
CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ .Values.global.cheWorkspaceServiceAccount }}
CHE_INFRA_KUBERNETES_TRUST__CERTS: "false"
CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
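Review bot: dropping `CHE_INFRA_KUBERNETES_NAMESPACE` from the ConfigMap takes the legacy property from set to unset on a `helm upgrade`, while che.properties in this same PR tells operators "do not change the value of this property otherwise the existing workspaces will loose data". The value of `.Values.global.cheWorkspacesNamespace` is now only passed as `CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT`. Please either keep emitting the legacy variable for releases that already relied on it, or add an upgrade note explaining how existing workspaces are still resolved to their original namespace.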
4 changes: 2 additions & 2 deletions deploy/kubernetes/helm/che/templates/deployment.yaml
Expand Up @@ -85,9 +85,9 @@ spec:
optional: false
{{- end }}

# If workspaces are created in different namespace than Che Server's one
# If workspaces are created in a separate precreated namespace
# then configure Che Server to propagate TLS secret to workspaces' namespaces
{{- if ne .Release.Namespace .Values.global.cheWorkspacesNamespace }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
- name: "CHE_INFRA_KUBERNETES_TLS__CERT"
valueFrom:
secretKeyRef:
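Review bot: the new condition `not (contains "<" .Values.global.cheWorkspacesNamespace)` skips `CHE_INFRA_KUBERNETES_TLS__CERT` for the chart's new default `<username>-che`, although those per-user namespaces also differ from the release namespace, which is the case the old `ne .Release.Namespace ...` test covered. Please confirm how workspaces in placeholder-derived namespaces obtain the TLS secret, or keep the propagation for them. The new test no longer compares against `.Release.Namespace` at all, so a fixed value equal to the release namespace now turns propagation on as well.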
2 changes: 1 addition & 1 deletion deploy/kubernetes/helm/che/templates/exec-role.yaml
Expand Up @@ -7,7 +7,7 @@
# SPDX-License-Identifier: EPL-2.0
#

{{- if (.Values.global.cheWorkspacesNamespace) }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
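Review bot: `not (contains "<" .Values.global.cheWorkspacesNamespace)` evaluates to true for an empty string, so this Role is now rendered in a case the old `if (.Values.global.cheWorkspacesNamespace)` guard skipped. An install that keeps `cheWorkspacesNamespace: ""` from the previous default will get the RBAC object where it got none before. Suggest `and .Values.global.cheWorkspacesNamespace (not (contains "<" .Values.global.cheWorkspacesNamespace))`; the same applies to the other templates that receive this guard.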
Expand Up @@ -7,7 +7,7 @@
# SPDX-License-Identifier: EPL-2.0
#

{{- if (.Values.global.cheWorkspacesNamespace) }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
Expand Up @@ -7,7 +7,7 @@
# SPDX-License-Identifier: EPL-2.0
#

{{- if (.Values.global.cheWorkspacesNamespace) }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
kind: ServiceAccount
apiVersion: v1
metadata:
Expand Up @@ -7,7 +7,7 @@
# SPDX-License-Identifier: EPL-2.0
#

{{- if (.Values.global.cheWorkspacesNamespace) }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
Expand Up @@ -7,7 +7,7 @@
# SPDX-License-Identifier: EPL-2.0
#

{{- if (.Values.global.cheWorkspacesNamespace) }}
{{- if not (contains "<" .Values.global.cheWorkspacesNamespace) }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
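Review bot: the `not (contains "<" ...)` guard is now duplicated across the Role, RoleBinding and ServiceAccount templates and deployment.yaml. It encodes one rule, "the workspace namespace is fixed rather than derived from placeholders", so a single named template (`define` / `include`) would keep these RBAC objects from drifting apart when the placeholder syntax or the empty-value handling changes.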
6 changes: 3 additions & 3 deletions deploy/kubernetes/helm/che/values.yaml
Expand Up @@ -53,11 +53,11 @@ global:
gitHubClientID: ""
gitHubClientSecret: ""
pvcClaim: "1Gi"
cheWorkspacesNamespace: ""
cheWorkspacesNamespace: "<username>-che"
# Service account name that will be mounted to workspaces pods
# Note that:
# if `cheWorkspacesNamespace` is configured then service account with configured name will be created by helm chart during deploying Che
# if `cheWorkspacesNamespace` is empty then Che Server creates new namespace for each workspace and ensures that configured SA exists there
# if `cheWorkspacesNamespace` doesn't contain placeholders then service account with configured name will be created by helm chart during deploying Che
# if `cheWorkspacesNamespace` contains placeholders then Che Server creates new namespaces accordingly and ensures that configured SA exists there
cheWorkspaceServiceAccount: "che-workspace"
# If set, Che will bind the specified cluster role to the workspace service account when creating a workspace.
cheWorkspaceClusterRole: ""
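Review bot: the rewritten comment above `cheWorkspaceServiceAccount` covers "contains placeholders" and "doesn't contain placeholders" but not an empty value, which was the default until this change, and it does not say which placeholders are accepted. Please list them (che.properties in this PR names `<username>`, `<userid>` and `<workspaceid>`) and mention that `<workspaceid>` is the value that keeps one namespace per workspace, the behaviour che.properties describes for the unset legacy property.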
Expand Up @@ -11,6 +11,8 @@
*/
package org.eclipse.che.workspace.infrastructure.kubernetes.namespace;

import static java.lang.String.format;

import com.google.common.annotations.VisibleForTesting;
import io.fabric8.kubernetes.api.model.ConfigMap;
import io.fabric8.kubernetes.api.model.DoneableServiceAccount;
Expand Down Expand Up @@ -117,6 +119,12 @@ void prepare() throws InfrastructureException {
}
}

void delete() throws InfrastructureException {

KubernetesClient client = clientFactory.create(workspaceId);
delete(name, client);
}

/** Returns namespace name */
public String getName() {
return name;
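Review bot: `delete()` removes the whole namespace unconditionally and has no javadoc stating when that is safe. che.properties in this PR still allows one existing namespace to be "used for all workspaces", so a call made on behalf of a single workspace in that setup would take every other workspace's resources with it. Please document the precondition on the method (the caller has established that this namespace is managed by Che for this workspace) or enforce it here before `delete(name, client)` is reached.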
Expand Down Expand Up @@ -214,6 +222,25 @@ private void create(String namespaceName, KubernetesClient client)
}
}

private void delete(String namespaceName, KubernetesClient client)
throws InfrastructureException {
try {
client.namespaces().withName(namespaceName).delete();
} catch (KubernetesClientException e) {
if (e.getCode() == 404) {
LOG.warn(
format(
"Tried to delete namespace '%s' but it doesn't exist in the cluster.",
namespaceName),
e);
} else if (e.getCode() == 409) {
LOG.info(format("The namespace '%s' is currently being deleted.", namespaceName), e);
} else {
throw new KubernetesInfrastructureException(e);
}
}
}

/**
* Waits few seconds until 'default' service account become available otherwise an infrastructure
* exception will be thrown.
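Review bot: in `delete(String, KubernetesClient)` the result of `client.namespaces().withName(namespaceName).delete()` is discarded, so a call that returns without throwing and without deleting anything leaves no trace. Please check the return value and log when nothing was removed. The 404 and 409 branches are expected outcomes, yet both pass `e` to the logger and therefore write a full stack trace at warn and info level; logging the message alone would keep routine deletes from looking like failures. The method also returns once the request is accepted rather than when the namespace is gone, which is worth a sentence in the javadoc for callers that recreate a namespace of the same name.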