Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[devworkspace-che-operator] Prototype and plan of controller that is reconciling resources in user's namespace #20219

Closed
Tracked by #20218 ...
skabashnyuk opened this issue Jul 28, 2021 · 7 comments
Assignees
Labels
kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Milestone

Comments

@skabashnyuk
Copy link
Contributor

skabashnyuk commented Jul 28, 2021

Is your task related to a problem? Please describe.

The goal of this task is to have Prototype and plan version of #20168

Describe the solution you'd like

We need to understand what will be a trigger to start. It could be

  1. New CR, for Example, CheUser
  2. Namespace create/update/delete with proper labels.

If we decide to go in the direction of 1. we need to define a model of this CustomeResource.
Here #20168 we want to reconcile certs and secretes, however
for the prototype I think we can choose one. What is easier.

apiVersion: org.eclipse.che/v1beta1
kind: CheUser
metadata:
 name: username
spec:
  id: 238409230-2349023049-24509i
  firstName: John
  lastName: Doe
  profile:
    attributes:
       a1:v1
  • Q1. What if the user changes the username/id?

Describe alternatives you've considered

Trigger on Namespace create/update/delete with proper labels.

Additional context

#20164

@skabashnyuk skabashnyuk added kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system. team/platform sprint/current labels Jul 28, 2021
@sparkoo
Copy link
Member

sparkoo commented Jul 28, 2021

we should explore what oidc guarantees us for user https://openid.net/specs/openid-connect-core-1_0.html#UserInfo and how it is implemented on OpenShift

@sparkoo
Copy link
Member

sparkoo commented Aug 3, 2021

This is what I've got from dex on /userinfo request as configured here https://github.com/che-incubator/che-auth-playground/tree/master/minikube_dex

[~/dev/che-auth-playground/minikube_dex] (master ✘)✹✭ λ curl -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjQwMDczNTI1NzBmYzFhNGZiMjM3MTcxYzE5YjZlN2RlYjA4NmQ5NzkifQ.eyJpc3MiOiJodHRwczovL2RleC4xOTIuMTY4LjM5LjE2NS5uaXAuaW86MzIwMDAiLCJzdWIiOiJDZ0V4RWdWc2IyTmhiQSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNjI4MDk1NjcwLCJpYXQiOjE2MjgwMDkyNzAsImF0X2hhc2giOiJHcDgzdXFVV0N6bVVlajkzRFVNYXNnIiwiZW1haWwiOiJ1c2VyMUBjaGUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InVzZXIxIn0.k2T1RQgOjCU8wli0p5RUEgAXftMjqFnR3pDxgERcHZvxk0uHMiytyjRf6HoKckAg0IcnGLOu63CfX1nsB1CIICtff6E3HwVxOLJupGiZ2g7i9PcxiNHEj-LnqC6mQ7Io13T_DW_dRc9y7mVBiu8G6DP91uETFVy23AVREsbDSKkeQcgJOFUFakWpcLoSUlY-vfORmdpubYqj4XVSEOOpzp4-tRzNr200vSDj4idMv2fyFpRouEdgzGbk3W6KLluY-2kTQFC0Qh72Wki2AYNVJGBTUqKQH4pPAY_SFFu2E71TxU2HjWkmyNLTrW2VmkuP2k3L8gmbvS_-6AsczYKeuA" https://dex.192.168.39.165.nip.io:32000/userinfo | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   218  100   218    0     0   6606      0 --:--:-- --:--:-- --:--:--  6812
{
  "iss": "https://dex.192.168.39.165.nip.io:32000",
  "sub": "CgExEgVsb2NhbA",
  "aud": "example-app",
  "exp": 1628095670,
  "iat": 1628009270,
  "at_hash": "Gp83uqUWCzmUej93DUMasg",
  "email": "user1@che",
  "email_verified": true,
  "name": "user1"
}

Openshift implementation does not have /userinfo endpoint at all, so we have to access it thgrough openshift client, as we're already doing here https://github.com/eclipse-che/che-server/blob/main/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java#L113

@metlos
Copy link
Contributor

metlos commented Aug 16, 2021

According to https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo the ID token should contain the same information as userinfo.. does openshift oauth give access to the id token?

@sparkoo
Copy link
Member

sparkoo commented Aug 17, 2021

does openshift oauth give access to the id token?

IMHO openshift uses only sha256 token so we can't get anything from the token itself. I've never seen anything else on openshift (You can get it in openshift console https://docs.openshift.com/online/pro/cli_reference/get_started_cli.html#installing-the-cli see the 1st paragraph)

@skabashnyuk skabashnyuk changed the title [devworkspace-che-operator] MVP of controller that is reconciling resources in user's namespace [devworkspace-che-operator] Prototype and plan of controller that is reconciling resources in user's namespace Aug 18, 2021
@skabashnyuk skabashnyuk added this to the 7.36 milestone Aug 18, 2021
@skabashnyuk
Copy link
Contributor Author

skabashnyuk commented Sep 6, 2021

@skabashnyuk skabashnyuk modified the milestones: 7.36, 7.37 Sep 8, 2021
@metlos
Copy link
Contributor

metlos commented Sep 22, 2021

I've compiled a list of "settings" that the che-server is currently provisioning into the workspace pod that are not yet explicitly done in DWO or che-operator. @sleshchenko , @skabashnyuk, could you please take a look if I missed or misinterpreted something there?

@metlos
Copy link
Contributor

metlos commented Sep 24, 2021

I've updated #20168 with the list of issues for the above findings and the MVP has been merged into the che-operator, so I'm closing this MVP and planning issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Development

No branches or pull requests

4 participants