From 32e2cc91c5fea427c4e4ccb78ba7c32823ab91ea Mon Sep 17 00:00:00 2001 From: Ilya Buziuk Date: Tue, 21 Apr 2020 12:38:22 +0200 Subject: [PATCH] che #15906 Adding 'che.workspace.stop.role.enabled' property in order to have a possibility to disable the 'OpenShiftStopWorkspaceRoleProvisioner' Signed-off-by: Ilya Buziuk --- .../webapp/WEB-INF/classes/che/che.properties | 4 +++ ...OpenShiftStopWorkspaceRoleProvisioner.java | 15 ++++++++--- ...ShiftStopWorkspaceRoleProvisionerTest.java | 26 ++++++++++++++++++- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index bb47d175dea..e23237cbd55 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -157,6 +157,10 @@ che.workspace.server.liveness_probes=wsagent/http,exec-agent/http,terminal,theia # default 10MB=10485760 che.workspace.startup_debug_log_limit_bytes=10485760 +# If true, 'stop-workspace' role with the edit privileges will be granted to the 'che' ServiceAccount. +# This configuration is mainly required for workspace idling when the OpenShift OAuth is enabled. +che.workspace.stop.role.enabled=true + ### Templates # Folder that contains JSON files with code templates and samples diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java index 03e4fc72ebc..97ec21dd88c 100644 --- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java +++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisioner.java @@ -11,10 +11,11 @@ */ package org.eclipse.che.workspace.infrastructure.openshift.provision; -import com.google.inject.Inject; import io.fabric8.kubernetes.api.model.ObjectReferenceBuilder; import io.fabric8.openshift.api.model.*; import io.fabric8.openshift.client.OpenShiftClient; +import javax.inject.Inject; +import javax.inject.Named; import org.eclipse.che.api.workspace.server.spi.InfrastructureException; import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftClientFactory; import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftCheInstallationLocation; @@ -31,18 +32,22 @@ public class OpenShiftStopWorkspaceRoleProvisioner { private final OpenShiftClientFactory clientFactory; private final String installationLocation; + private final boolean stopWorkspaceRoleEnabled; private static final Logger LOG = LoggerFactory.getLogger(OpenShiftCheInstallationLocation.class); @Inject public OpenShiftStopWorkspaceRoleProvisioner( - OpenShiftClientFactory clientFactory, OpenShiftCheInstallationLocation installationLocation) { + OpenShiftClientFactory clientFactory, + OpenShiftCheInstallationLocation installationLocation, + @Named("che.workspace.stop.role.enabled") boolean stopWorkspaceRoleEnabled) { this.clientFactory = clientFactory; this.installationLocation = installationLocation.getInstallationLocationNamespace(); + this.stopWorkspaceRoleEnabled = stopWorkspaceRoleEnabled; } public void provision(String projectName) throws InfrastructureException { - if (installationLocation != null) { + if (stopWorkspaceRoleEnabled && installationLocation != null) { OpenShiftClient osClient = clientFactory.createOC(); String stopWorkspacesRoleName = "workspace-stop"; if (osClient.roles().inNamespace(projectName).withName(stopWorkspacesRoleName).get() @@ -58,7 +63,9 @@ public void provision(String projectName) throws InfrastructureException { .createOrReplace(createStopWorkspacesRoleBinding(projectName)); } else { LOG.warn( - "Could not determine Che installation location. Did not provision stop workspace Role and RoleBinding."); + "Stop workspace Role and RoleBinding will not be provisioned to the '{}' namespace. 'che.workspace.stop.role.enabled' property is set to '{}'", + installationLocation, + stopWorkspaceRoleEnabled); } } diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisionerTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisionerTest.java index 26bc3810a98..81bcb637b20 100644 --- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisionerTest.java +++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenShiftStopWorkspaceRoleProvisionerTest.java @@ -132,7 +132,7 @@ public class OpenShiftStopWorkspaceRoleProvisionerTest { public void setUp() throws Exception { lenient().when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn("che"); stopWorkspaceRoleProvisioner = - new OpenShiftStopWorkspaceRoleProvisioner(clientFactory, cheInstallationLocation); + new OpenShiftStopWorkspaceRoleProvisioner(clientFactory, cheInstallationLocation, true); lenient().when(clientFactory.createOC()).thenReturn(osClient); lenient().when(osClient.roles()).thenReturn(mixedRoleOperation); lenient().when(osClient.roleBindings()).thenReturn(mixedRoleBindingOperation); @@ -191,4 +191,28 @@ public void shouldCreateRoleBindingWhenRoleAlreadyExists() throws Infrastructure verify(osClient.roleBindings().inNamespace("developer-che")) .createOrReplace(expectedRoleBinding); } + + @Test + public void shouldNotCreateRoleBindingWhenStopWorkspaceRolePropertyIsDisabled() + throws InfrastructureException { + OpenShiftStopWorkspaceRoleProvisioner disabledStopWorkspaceRoleProvisioner = + new OpenShiftStopWorkspaceRoleProvisioner(clientFactory, cheInstallationLocation, false); + disabledStopWorkspaceRoleProvisioner.provision("developer-che"); + verify(osClient, never()).roles(); + verify(osClient, never()).roleBindings(); + verify(osClient.roleBindings(), never()).inNamespace("developer-che"); + } + + @Test + public void shouldNotCreateRoleBindingWhenInstallationLocationIsNull() + throws InfrastructureException { + lenient().when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn(null); + OpenShiftStopWorkspaceRoleProvisioner + stopWorkspaceRoleProvisionerWithoutValidInstallationLocation = + new OpenShiftStopWorkspaceRoleProvisioner(clientFactory, cheInstallationLocation, true); + stopWorkspaceRoleProvisionerWithoutValidInstallationLocation.provision("developer-che"); + verify(osClient, never()).roles(); + verify(osClient, never()).roleBindings(); + verify(osClient.roleBindings(), never()).inNamespace("developer-che"); + } }