[Hosted Che] OpenShift Connector plugin does not work properly

[ibuziuk]

Is your task related to a problem? Please describe.

As part of redhat-developer/rh-che#1832 we would like to enable the OpenShift Connector for every single workspace on Hosted Che. However, there are a couple of things that need to be fixed first:

• on Hosted Che console link is displayed via internal IP instead of full cluster link e.g. https://api.starter-us-east-2.openshift.com/
• user is logged in to the *-che namespace (should use username namespace)

Describe the solution you'd like

OpenShift Connector plugin works properly on Hosted Che - console link is displayed correctly + user is logged to the user namespace by default.

[ibuziuk]

@ericwill could you please take a look and try openshift connector flow on Hosted Che?

[l0rd]

cc @vinokurig

[vinokurig]

For changing the cluster link changes in the upstream plugin project are required. To apply auto login we can add the related functionality to our openshift oauth plugin

[vinokurig]

But we would still need to ask the openshift username because it may be different from Che username.

[gorkem]

This behavior is the expected behavior for tools like kubectl and derivatives. These tools detect the context when inside a cluster using environment variables such as KUBERNETES_SERVICE_PORT, KUBERNETES_PORT, KUBERNETES_SERVICE_HOST. You can see all of those if you do a env | grep KUBE on the workspace.

The namespace and token comes from /var/run/secrets/kubernetes.io/serviceaccount/*.

I think the problem with the console URL is going to correct itself on a 4.x cluster because openshift extension has corrected the changed behavior which should cover incluster case for 4.x too.

[ibuziuk]

Based on the discussion in the #17020 openshift oauth plugin from che-incubator is using Authorization: Bearer <user token>' https://che.openshift.io/api/oauth/token?oauth_provider=openshift

@vinokurig for Hosted Che it should be possible to use https://auth.openshift.io/api/token?for=openshift that will provide the cluster url, token & username

[vinokurig]

@ibuziuk thanks, your request works!

[ibuziuk]

@ericwill @vinokurig there is a PR opened eclipse-che/che-theia#773 can we have this merged in 7.15.0 ?

[ibuziuk]

FYI this issue blocks redhat-developer/rh-che#1832 at this point of time

[vinokurig]

depends on #17332

[azatsarynnyy]

@vinokurig could you please clarify a bit more how exactly it depends on #17332?

[vinokurig]

@azatsarynnyy

could you please clarify a bit more how exactly it depends on #17332?

To fix it I've added getUser() Plugin API function (eclipse-che/che-theia#784). To apply it in the OpenShift oauth plugin the sources must be updated in the npm registry: https://www.npmjs.com/package/@eclipse-che/plugin. AFAIK this build invokes the npm build of the @eclipse-che/plugin module.

[azatsarynnyy]

I see. Thanks @vinokurig
We're looking at #17332 now.

[azatsarynnyy]

@vinokurig done, @eclipse-che/plugin is updated

[vinokurig]

@azatsarynnyy Nice!, Thank you