Fall-back to username for DevWorkspace creator label if UID is not present. #1245
Comments
After further discussion with the OpenShift console team, we've decided to change the proposed fix for this issue:
What is not clear yet is how to safely require that devworkspaces have both labels without breaking existing devworkspaces that only have the original We could allow for the mutating webhook to verify on DevWorkspace update that a DevWorkspace with the It's much safer to require devworkspaces to be deleted and re-created with both the @ibuziuk IMO we should go with the second approach of requiring users to delete and re-create their workspaces, but this may cause issues for users who haven't backed up all the data on their PVCs. They'd have to perform some manual PVC backup workaround, which could cause frustration. If you have any thoughts, please share them with me on this issue, offline or on a call sometime soon.
@AObuchow let's keep it simple and just fix kubeadmin (aka kube:admin / kube-admin) case. To my knowledge, this is the only 4.15 case where Regarding the niche rosa HCP case related to https://issues.redhat.com/browse/XCMSTRAT-365
If we're only concerned with the kubeadmin case, then it might make more sense to keep things as simple as possible and go with my original proposal: in the case the creator of a workspace is kubeadmin, we encode their username and use it to populate the I began testing this approach and ran into a few things:
When I return from PTO, I'll have to think more of the pros and cons of re-using the existing label for this specific case versus introducing a new label.
After discussion with the OpenShift Console team, it seems like we are going to revert the change that caused a bug in WTO which led to the creation of this DWO issue. We have gotten approval from our PM regarding the revert, and are currently waiting for the revert to happen before closing this issue.
The OCP change that caused the bug related to this issue in WTO has now been backported to all affected versions, see redhat-developer/web-terminal-operator#162 (comment). Closing this issue.
OpenShift 4.15 allows an OIDC provider to be configured directly with the kube-apiserver options, which removes the usage of OpenShift oauth-server and results in no OpenShift UID being provided when interacting with the cluster.
Thus, we can no longer expect that a UID will be provided when a DevWorkspace is created by a client. In order to ensure the creator of a DevWorkspace is still uniquely identifiable, we should fall back to using the requesting client's username for the `controller.devfile.io/creator` label when a DevWorkspace is created. This is the approach that the OpenShift console has taken for OCP >= 4.15.

Another option would be to have a new creator label that uses the username, and to continue using the old (current) label for the UID.
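The fallback proposed in this issue, as an added example that is not the DevWorkspace Operator's own code: it derives a creator label value from the UID when one is present and from the username otherwise, while keeping the result a valid Kubernetes label value. The `UserInfo` type, the `u.` prefix and the SHA-256/base32 digest (used here in place of a reversible encoding) are assumptions of this sketch.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"regexp"
	"strings"
)

// UserInfo stands in for the uid/username pair a webhook sees on an admission
// request (hypothetical local type, so the example has no Kubernetes imports).
type UserInfo struct{ UID, Username string }

// Kubernetes label values: at most 63 characters, alphanumeric at both ends,
// with '-', '_' and '.' allowed in between.
var labelValue = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$`)

// usernamePrefix (an assumption of this example) marks username-derived values
// so they can never be equal to a value that came from a UID.
const usernamePrefix = "u."

// CreatorLabelValue returns the UID when the request carries one; otherwise it
// returns a digest of the username that fits the label-value syntax.
func CreatorLabelValue(u UserInfo) (string, error) {
	if u.UID != "" {
		if !labelValue.MatchString(u.UID) || strings.HasPrefix(u.UID, usernamePrefix) {
			return "", fmt.Errorf("uid %q is not usable as a creator label value", u.UID)
		}
		return u.UID, nil
	}
	if u.Username == "" {
		return "", fmt.Errorf("request carries neither a uid nor a username")
	}
	// Raw usernames such as "kube:admin" are not valid label values, and hex
	// SHA-256 is 64 characters, one over the limit. Unpadded base32 is 52.
	sum := sha256.Sum256([]byte(u.Username))
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:])
	return usernamePrefix + strings.ToLower(enc), nil
}

func main() {
	// Constructed sample identities: one with a UID, one without.
	for _, u := range []UserInfo{{UID: "3f1c9a52-0b7e", Username: "alice"}, {Username: "kube:admin"}} {
		v, err := CreatorLabelValue(u)
		fmt.Printf("uid=%q username=%q -> %q err=%v\n", u.UID, u.Username, v, err)
	}
}
```

Because the digest is one-way, anything that needs the readable username would have to store it elsewhere, for example in an annotation, which has no such character restrictions.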