Add recipe support for Kubernetes secrets / OpenShift routes

[amisevsk]

What does this PR do?

Add support for Secrets and Routes in OpenShift/Kubernetes recipes.

• Routes will only work in OpenShift recipes, as they are not a Kubernetes object.
• There is some minimal user dashboard validation (metadata + fields on secrets only) since all validation is done through the Kubernetes side (and so it doesn't make sense to mention routes there). Since this is more involved and will likely be harder to read, it should be done in a separate PR / issue.
  • Additionally, more validation for secrets could be beneficial, as e.g. data values must be base64 encoded.
• Routes are renamed by the existing mechanism in Che. This should not affect behavior.
• Secrets are left unmodified. Renaming can be added later if we find it is necessary (I don't really see a use case, personally).

This PR is broken up into 3 commits:

• The first commit adds support for routes on the infra side
• The second commit adds support for secrets on the infra side.
• The third commit adds the necessary framework for UD validation.

A sample recipe for testing:

kind: List
apiVersion: v1
items:
  - 
    apiVersion: v1
    kind: Pod
    metadata:
      name: ws
    spec:
      containers:
        - 
          image: 'eclipse/che-dev:nightly'
          name: dev
          resources:
            limits:
              memory: 512Mi
          volumeMounts:
          - name: test
            mountPath: "/test"
            readOnly: true
      volumes:
      - name: test
        secret:
          secretName: test-secret
  -
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret
    data:
      test1: dGVzdDE=
    stringData:
      test2: test2
  -
    apiVersion: v1
    kind: Route
    metadata:
      name: test-route
    spec:
      host: test.192.168.42.162.nip.io
      port:
        targetPort: http
      to:
        kind: Service
        name: che-host

What issues does this PR fix or reference?

#11508, #11530, #12522

Release Notes

Add support for secrets and routes in Kubernetes/OpenShift recipes

Docs PR

TODO

[garagatyi]

Looks good! Your commits have leftovers of conflict resolution error. Please, use squash when you merge.

[garagatyi]

ci-test

[garagatyi]

@ashumilova There is the 3rd commit in this PR that contains changes in UD. Please, review that part.

[ibuziuk]

@amisevsk could you please provide a recipe for testing?

[amisevsk]

@ibuziuk It's hidden in the original PR message :)

kind: List
apiVersion: v1
items:
  - 
    apiVersion: v1
    kind: Pod
    metadata:
      name: ws
    spec:
      containers:
        - 
          image: 'eclipse/che-dev:nightly'
          name: dev
          resources:
            limits:
              memory: 512Mi
          volumeMounts:
          - name: test
            mountPath: "/test"
            readOnly: true
      volumes:
      - name: test
        secret:
          secretName: test-secret
  -
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret
    data:
      test1: dGVzdDE=
    stringData:
      test2: test2
  -
    apiVersion: v1
    kind: Route
    metadata:
      name: test-route
    spec:
      host: test.192.168.42.162.nip.io
      port:
        targetPort: http
      to:
        kind: Service
        name: che-host

[amisevsk]

@garagatyi I thought I had caught all the merge conflicts, don't know where that one came from. I'll remove it in rebase before merging.

[garagatyi]

@amisevsk there are no leftovers in the final diff. But since you prepared PR with the commit-by-commit approach (thanks for that) I found it in one of the commits and found that it was fixed in the following one

[ibuziuk]

ci-test

[ibuziuk]

@amisevsk great job! tested on minishift and routes / secrets are created / deleted with workspace just fine

[ibuziuk]

@ashumilova could you please take a look at UD part of the PR, before we proceed with merging ?

[che-bot]

Results of automated E2E tests of Eclipse Che Multiuser on OCP:
Build details
Test report
docker image: eclipseche/che-server:12486
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

[ibuziuk]

@vkuznyetsov @rhopp could QA provide their approval based on the test report. There are 6 test failures, but I do not think those are related to the PR

[amisevsk]

Rebased onto current master and removed artifacts from a merge conflict in first commit.

[sleshchenko]

1
During manual testing, I successfully created a stack from Kubernetes recipe with content you provide. But then I failed to create a workspace from such stack with the following error

1. Can we improve validation on Dashboard in this PR or in another issue?
2. Please improve the validation message in EnvFactories to contain object kind and name instead of ObjectMeta json.

2 Then I created a stack using OpenShift recipe you provided. I edited config of created workspace and changed Route kind to Route1, as result I get 500 exception from workspace API


The same question about improving UX. It would be nice to improve dashboard, API to handle such cases

3
A workspace created from your provided recipe is started successfully. But what I see here there is no any integrity validation, recipe contains Route that references service that is not present in recipe. Do you think is there use case for such workspace? Or maybe we should add integrity validation for Routes, like we have for PVC (Pods can not reference PVCs which are not present in the recipe). See https://github.com/eclipse/che/blob/master/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/environment/KubernetesEnvironmentPodsValidator.java#L59

4
The same question about recipe integrity validation but about secrets. Should we allow using Secret sources volumes that are not defined in the recipe?
It's just a question since I don't know what the right approach and just wanted to raise discussion.

[amisevsk]

@sleshchenko Regarding the big issues in your review: the short of it is that Route validation is a bigger task than this PR (in my opinion). All validation goes through kubernetes-machine-recipe-parser.ts, and Routes are not Kubernetes objects. As a result:

1. While we should block creation of Kube stacks with Routes, enabling the check (which is implemented here) would block creation of OpenShift stacks as well
2. I agree that this should be improved -- I'll work on it. Should be relatively easy to implement on the infra side. Note that this will happen for any errors of this sort, not Routes specifically (thrown here-- WDYT about moving it to a new issue?
3. Will look into this before Monday.
4. I think there's a use case for secrets outside the recipe, because otherwise we require secrets used in workspace to be stored in a trivially decodable format in recipes. There's definitely a case in my mind where a user would want to create a secret more securely and still use it in a workspace.

[amisevsk]

Created an issue for point 2. above: #12522

To add: validation on the dashboard side is currently not possible, and requires the more significant refactor to allow different validation paths for OpenShift vs. Kubernetes.

[sleshchenko]

4. I think there's a use case for secrets outside the recipe, because otherwise we require secrets used in workspace to be stored in a trivially decodable format in recipes. There's definitely a case in my mind where a user would want to create a secret more securely and still use it in a workspace.

Makes sense for me, thanks for the explanation.

[amisevsk]

@sleshchenko I've added a commit to fix some of the validation issues:

1. Avoid the internal server error when a recipe cannot be loaded (e.g. with kind: Route1) (Point 2 above)
2. Show message like Found unknown object type in recipe -- name: 'test-route', kind: 'Route' when unsupported object is in recipe (Point 1 above)
3. Throw validation exception if route refers to service that is not in recipe.

Anything I missed?

[sleshchenko]

Great job 👍

Please take a look my minor inline comments

[sleshchenko]

e.getMessage() but e.getCause().getLocalizedMessage() <- Did you make it on the purpose?

[amisevsk]

No, was an accident trying to find a decent way to avoid the newlines and messy cause. Fixed.

[sleshchenko]

you use the only first element, so you can limit elements

[amisevsk]

Done.

[sleshchenko]

The same as in KubernetesEnvironmentFactory

[amisevsk]

Done.

[sleshchenko]

please execute mvn license:format to add missing license

[amisevsk]

Thanks, missed that.

[sleshchenko]

A check may be a bit improved by checking Route target port.

[sleshchenko]

Please consider adding unit tests for added test case

[amisevsk]

Added tests for this validation step.

I agree that the check could be improved by the docs on routes are not very good, and it seems that port options can get complicated. At a certain point it's going to be caveat emptor on validation.

[amisevsk]

@ashumilova If you have a moment, could you take a look at commit 81ea06f ? I'd like to merge this some time this week.

[ibuziuk]

ci-test

[che-bot]

Results of automated E2E tests of Eclipse Che Multiuser on OCP:
Build details
Test report
docker image: eclipseche/che-server:12486
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

[amisevsk]

PR Quality Review is a false positive, the unused field is necessary for injection.

[ibuziuk]

@vkuznyetsov could you please clarify, who from QA side should provide approval for this PR ?

[amisevsk]

Rebased and squashed fixup commits.

[artaleks9]

Selenium tests execution on Eclipse Che Multiuser on OCP (https://ci.codenvycorp.com/job/che-pullrequests-test-ocp/1496/) doesn't show any regression against this Pull Request.