Add a role allowing che SA to stop workspaces #16532
Conversation
tomgeorge
requested review from
amisevsk,
l0rd,
metlos,
nickboldt,
rhopp and
sleshchenko
as code owners
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
che-bot
added
status/code-review
|
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) |
There was a problem hiding this comment.
If I'm not mistaken, #15906 suggests to also add creation privs for the SA - see #15906 (comment).
...eclipse/che/workspace/infrastructure/openshift/project/OpenShiftWorkspaceServiceAccount.java
Outdated
Show resolved
Hide resolved
| new ObjectReferenceBuilder() | ||
| .withKind("ServiceAccount") | ||
| .withName("che") | ||
| .withNamespace("che") |
There was a problem hiding this comment.
Namespace is configurable. Use the projectName field.
There was a problem hiding this comment.
projectName and serviceAccountName refer to the user namespace and the user serviceaccount. The che ServiceAccount in the che namespace need to be able to manage resources in a user namespace.
There was a problem hiding this comment.
yeah, here we need to provide a namespace where che-server is deployed. Not sure if the SA name is configurable though cc: @davidfestal
There was a problem hiding this comment.
it looks like we need to create a @Singleton that would be bound in the OpenShiftInfraModule / KubernetesInfraModule and expose information about the namespace / sa.
My observations are that che SA name is hardcoded and not configurable and namespace name can be obtained via System.getenv (Need to check if this will work in all the cases e.g.:
- the operator uses
KUBERNETES_NAMESPACEenv var - helm
POD_NAMESPACE
The user who is creating the workspace has enough permissions to create the workspace resources, and the che SA stops the workspace in the case of idling. It doesn't seem like the che SA strictly needs create privileges in a user service account, and it's a good idea to assign the minimal level of access. |
|
in regards to not hard-coding the service account names/namespaces, is there a way to reference the che service account and che namespace? |
| @@ -142,6 +151,37 @@ private void createViewRole(OpenShiftClient osClient, String name) { | |||
| osClient.roles().inNamespace(projectName).create(viewRole); | |||
| } | |||
|
|
|||
| private void createStopWorkspacesRole(OpenShiftClient osClient, String name) { | |||
There was a problem hiding this comment.
I would probably move the logic of granting the rights on the level above to the OpenShiftProjectFactory / getOrCreate + extract the logic of the role / rb to a separate class smth like OpenShiftStopWorkspaceRoleProvisioner with docs and tests
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
...eclipse/che/workspace/infrastructure/openshift/project/OpenShiftWorkspaceServiceAccount.java
Outdated
Show resolved
Hide resolved
...eclipse/che/workspace/infrastructure/openshift/project/OpenShiftWorkspaceServiceAccount.java
Outdated
Show resolved
Hide resolved
| import javax.inject.Singleton; | ||
|
|
||
| @Singleton | ||
| public class OpenShiftCheInstallationLocation { |
There was a problem hiding this comment.
nice, IMO in future we need to standardize the env var name and always use KUBERNETES_NAMESPACE that is defined in the operator
There was a problem hiding this comment.
Adding docs would be also really nice to have
| String kubernetesNamespace = System.getenv("KUBERNETES_NAMESPACE"); | ||
| String podNamespace = System.getenv("POD_NAMESPACE"); |
There was a problem hiding this comment.
Probably we can move the logic of obtaining the env vars to @PostConstruct to avoid reading env vars on every call
There was a problem hiding this comment.
can you inject them as env. KUBERNETES_NAMESPACE in the constructor?
There was a problem hiding this comment.
is this env vars are set by k8s or che-operator?
There was a problem hiding this comment.
the problem is that helm & operator are using different env vars (POD_NAMESPACE - helm / KUBERNETES_NAMESPACE - operator)
There was a problem hiding this comment.
Is it possible to change the helm chart to also call this KUBERNETES_NAMESPACE or does helm define this dynamically?
There was a problem hiding this comment.
I'm also voting for this to be somehow injected in a constructor or at least having a no-arg ctor determining the value from the env vars and another ctor initializing the namespace from a provided argument.
Also we should probably throw an exception if we're not able to determine the namespace. There's little point in continuing to deploy che if it won't be able to correctly handle workspaces..
There was a problem hiding this comment.
+1 for Helm update - https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/deployment.yaml#L38
-1 for throwing the exception (there might be some cases when the namespace can not be obtained for any reason)
for this particular issue let's just do nothing if the namepsace can not be obtained - https://github.com/eclipse/che/pull/16532/files#r406635675
There was a problem hiding this comment.
Moved to @PostConstruct
There was a problem hiding this comment.
why not injection in the constructor?
| this.installationLocation = installationLocation; | ||
| } | ||
|
|
||
| public void provision(String projectName) throws InfrastructureException { |
There was a problem hiding this comment.
technically speaking installationLocation can be null based on implementation, so in this case can we log error and avoid doing anything in the provision method?
There was a problem hiding this comment.
@tomgeorge can we check getInstallationLocationNamespace here and do nothing (log error) if null?
.../che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java
Show resolved
Hide resolved
| String kubernetesNamespace = System.getenv("KUBERNETES_NAMESPACE"); | ||
| String podNamespace = System.getenv("POD_NAMESPACE"); |
There was a problem hiding this comment.
can you inject them as env. KUBERNETES_NAMESPACE in the constructor?
...pse/che/workspace/infrastructure/openshift/environment/OpenShiftCheInstallationLocation.java
Show resolved
Hide resolved
| String kubernetesNamespace = System.getenv("KUBERNETES_NAMESPACE"); | ||
| String podNamespace = System.getenv("POD_NAMESPACE"); |
There was a problem hiding this comment.
is this env vars are set by k8s or che-operator?
...eclipse/che/workspace/infrastructure/openshift/project/OpenShiftWorkspaceServiceAccount.java
Outdated
Show resolved
Hide resolved
.../che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java
Show resolved
Hide resolved
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
|
@metlos @skabashnyuk @sleshchenko folks, are you ok to merge this PR in the current state or some changes are still expected to be done before merging? Please, let us know since we do expect the fix in 7.12.0 |
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
|
crw-ci-test |
|
thanks, @tomgeorge (left minor comments in review) + looks like there is a conflict now after 06a34e3 :/ |
…t to stop a workspace in another namespace Signed-off-by: Tom George <tgeorge@redhat.com>
…nd OpenShiftStopWorkspaceRoleProvisioner to provision necessary permissions for stopping workspaces Signed-off-by: Tom George <tgeorge@redhat.com>
| * @author Tom George | ||
| */ | ||
| @Singleton | ||
| public class OpenShiftCheInstallationLocation { |
There was a problem hiding this comment.
While this PR is to address an issue with OpenShift, it's a little strange to me that this class is in the openshift infra rather than k8s. Not a huge issue though.
There was a problem hiding this comment.
good point, the problem is that we do need this PR in 7.12.0 and I'm not sure if @tomgeorge has time for further refactoring
| LOG.info( | ||
| "Neither KUBERNETES_NAMESPACE nor POD_NAMESPACE is defined. Unable to determine Che installation location"); | ||
| } | ||
| return kubernetesNamespace == null ? podNamespace : kubernetesNamespace; |
There was a problem hiding this comment.
Maybe a warn if both podNamespace and kubernetesNamespace are defined but not matching would also make sense? I don't know if this can occur naturally but might be a hard-to-debug issue.
There was a problem hiding this comment.
in general, we do need to standardize the env var name (use only KUBERNETES_NAMESPACE) and remove usage of POD_NAMESPACE e.g. in helm chart https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/deployment.yaml#L38
But we should do it in a separate PRs I beleive after 7.12.0
| public OpenShiftStopWorkspaceRoleProvisioner( | ||
| OpenShiftClientFactory clientFactory, OpenShiftCheInstallationLocation installationLocation) { | ||
| this.clientFactory = clientFactory; | ||
| this.installationLocation = installationLocation; |
There was a problem hiding this comment.
I think it makes more sense to inject OpenShiftCheInstallationLocation but store OpenShiftCheInstallationLocation.getInstallationLocationNamespace() as a String in the class. It shouldn't change while Che is running, right?
…ronment variables into OpenShiftCheInstallationLocation Signed-off-by: Tom George <tgeorge@redhat.com>
|
The conflict should be resolved, and made the change to |
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
|
crw-ci-test |
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
|
crw-ci-test |
|
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) |
|
ci-build |
| * | ||
| * @author Tom George | ||
| */ | ||
| @Singleton |
There was a problem hiding this comment.
Can we have test for this class?
| private static final Logger LOG = LoggerFactory.getLogger(OpenShiftCheInstallationLocation.class); | ||
|
|
||
| @Inject(optional = true) | ||
| @Named("env.KUBERNETES_NAMESPACE") |
There was a problem hiding this comment.
I suggest using constructor injection. It would be much easier to test.
There was a problem hiding this comment.
And javax.inject instead of google inject.
There was a problem hiding this comment.
@skabashnyuk I believe we need to refactor this class based on the valid comments in the review e.g. move to different location + remove completely the usage of env.POD_NAMESPACE. wondering if this will be ok do in a separate PR though, since we really need to have a fix in 7.12.0
There was a problem hiding this comment.
@skabashnyuk unfortunately Guice does not support constructor injection with optional dependencies[1]. We need to have these dependencies be optional for now because each installation method uses a different environment variable to specify the installation location. Perhaps when we refactor the installation methods to use the same environment variable, we can revisit this?
There was a problem hiding this comment.
what about import org.eclipse.che.commons.annotation.Nullable?
There was a problem hiding this comment.
I assume it's not working this way
@Inject
public OpenShiftCheInstallationLocation(
@Named("env.KUBERNETES_NAMESPACE") String kubernetesNamespace,
@Named("env.POD_NAMESPACE") String podNamespace) {
this.kubernetesNamespace = kubernetesNamespace;
this.podNamespace = podNamespace;
}but should work
@Inject
public OpenShiftCheInstallationLocation(
@Nullable @Named("env.KUBERNETES_NAMESPACE") String kubernetesNamespace,
@Nullable @Named("env.POD_NAMESPACE") String podNamespace) {
this.kubernetesNamespace = kubernetesNamespace;
this.podNamespace = podNamespace;
}No?
There was a problem hiding this comment.
No, neither one worked. They both complained about not being able to find a binding for env.POD_NAMESPACE when it was not defined in the container, even though it was defined as @Nullable
There was a problem hiding this comment.
I think those work because they are defined in che.properties, either null or with a value. POD_NAMESPACE and KUBERNETES_NAMESPACE are not defined in those files, and @Nullable @Named("env.POD_NAMESPACE") String podNamespace fails to create the injector because there is no implementation bound to it.
There was a problem hiding this comment.
you right. Probably the first variant without injection was good too.
|
ci-build |
…ty in order to have a possibility to disable the 'OpenShiftStopWorkspaceRoleProvisioner' Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>
|
@tomgeorge it occurred to me that we will need to disable the provisioner for Hosted-Che (multicluster) environment. Please, consider applying this PR to your brarch which adds |
che eclipse-che#15906 Adding 'che.workspace.stop.role.enabled' property in order to have a possibility to disable the 'OpenShiftStopWorkspaceRoleProvisioner'
|
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) ℹ️ |
|
crw-ci-test |
|
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1) |
|
[ci-build] |
1 similar comment
|
[ci-build] |
che-bot
removed
the
status/code-review
What does this PR do?
Adds another
stop-workspacerole in a user namespace that gives thecheserviceaccount to correctly stop workspaces.What issues does this PR fix or reference?
#15906
Release Notes
Docs PR