Mount each private key into single kubernetes secret #14950

Merged
merged 1 commit into from
Oct 30, 2019


vzhukovs
Contributor

What does this PR do?

This change proposal changes the default behavior of storing SSH private keys in Kubernetes secrets. There was a mechanism that stored each private key in a dedicated secret, which might have faced an exception related to the secret count limit in internal infrastructure. The new behavior puts all SSH private keys in one Kubernetes secret in the following structure: host_name:private_key. The location of private SSH keys on the file system was changed and became: /etc/ssh/private/{private_key_with_host_name}. The Kubernetes secret type was changed from kubernetes.io/ssh-auth to opaque to allow a multi-value secret.

Here is an example of the secret stored in Kubernetes 1 and the file system structure 2.

Signed-off-by: Vlad Zhukovskyi vzhukovs@redhat.com

What issues does this PR fix or reference?

#14438

Mount each private key into single kubernetes secret

Release Notes

Mount each private key into single kubernetes secret

Docs PR

N/A
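
The consolidation this PR describes, as an added Python example (not Eclipse Che's own code): it folds name/key pairs into one Opaque secret, applies the same empty-value filter, and checks the two limits that matter once every key shares a secret, the data-key character set and the 1 MiB cap. The secret name, the function name and the sample pairs are assumptions, as is the mapping of each data key to one file under /etc/ssh/private.

```python
import base64
import re

# Characters Kubernetes accepts in Secret data keys (at most 253 of them).
DATA_KEY_RE = re.compile(r"[-._a-zA-Z0-9]{1,253}")
MAX_SECRET_BYTES = 1024 * 1024  # Kubernetes caps the data of one Secret at 1 MiB
MOUNT_DIR = "/etc/ssh/private"  # directory named in the PR description


def build_ssh_secret(pairs, secret_name="workspace-ssh-keys"):
    """Fold (host_name, private_key) pairs into one Opaque Secret manifest.

    Returns (manifest, mounted_paths, skipped); secret_name is hypothetical.
    """
    data, skipped, size = {}, [], 0
    for name, key in pairs:
        if not name or not key:
            skipped.append((name, "empty name or key"))  # the PR's filter rule
        elif name == "." or name.startswith("..") or not DATA_KEY_RE.fullmatch(name):
            skipped.append((name, "not a valid Secret data key"))
        elif name in data:
            skipped.append((name, "duplicate host name"))
        else:
            raw = key.encode()
            size += len(raw)
            data[name] = base64.b64encode(raw).decode()
    if size > MAX_SECRET_BYTES:
        raise ValueError(f"{size} bytes of keys exceed the 1 MiB Secret limit")
    manifest = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": secret_name}, "data": data,
    }
    # Assumption: each data key becomes one file name under MOUNT_DIR.
    paths = [f"{MOUNT_DIR}/{name}" for name in data]
    return manifest, paths, skipped


# Constructed sample input; the key bodies are placeholders, not real keys.
SAMPLE_PAIRS = [
    ("github.com", "placeholder-key-material-1\n"),
    ("gitlab.example.com", "placeholder-key-material-2\n"),
    ("bad/host name", "placeholder-key-material-3\n"),
    ("no-key.example.com", ""),
]

if __name__ == "__main__":
    manifest, paths, skipped = build_ssh_secret(SAMPLE_PAIRS)
    print(manifest["type"], sorted(manifest["data"]), paths, skipped)
```

Moving from one secret per key to one secret for all keys trades the secret-count limit for the per-secret size limit, which is why the size check is part of the example.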

@vzhukovs vzhukovs added kind/task Internal things, technical debt, and to-do tasks to be performed. team/ide severity/P2 Has a minor but important impact to the usage or development of the system. labels Oct 22, 2019
@vzhukovs vzhukovs added this to the 7.4.0 milestone Oct 22, 2019
@vzhukovs vzhukovs self-assigned this Oct 22, 2019
@che-bot che-bot added the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Oct 22, 2019
@vzhukovs
Contributor Author

Set status to draft. Needs to be checked on an OpenShift environment. Checked only on Kubernetes so far.

@che-bot
Contributor

che-bot commented Oct 22, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:

@che-bot
Contributor

che-bot commented Oct 22, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

@che-bot
Contributor

che-bot commented Oct 22, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

@che-bot
Contributor

che-bot commented Oct 22, 2019

E2E tests of Eclipse Che Multiuser on OCP has been successful:

@vzhukovs vzhukovs requested review from ibuziuk and l0rd October 23, 2019 13:27
@vzhukovs vzhukovs marked this pull request as ready for review October 23, 2019 13:27
@vzhukovs
Contributor Author

Checked on Minishift. All private keys are stored in a single secret.

@vzhukovs
Contributor Author

ci-build

Contributor

@amisevsk amisevsk left a comment


Generally LGTM, a few comments inline.

@che-bot
Contributor

che-bot commented Oct 28, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has failed:

@vzhukovs
Contributor Author

crw-ci-test

@che-bot
Contributor

che-bot commented Oct 28, 2019

E2E tests of Eclipse Che Multiuser on OCP has been successful:

@che-bot
Contributor

che-bot commented Oct 28, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

.stream()
.filter(
sshPair ->
!isNullOrEmpty(sshPair.getName()) && !isNullOrEmpty(sshPair.getPrivateKey()))
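
Review bot: the predicate in `.filter(...)` only rejects a null or empty `getName()` or `getPrivateKey()`, so a rejected pair disappears silently and a non-empty name is never checked for suitability as an entry key in the shared secret. Since the description says entries are stored as host_name:private_key, consider validating the name against the characters Kubernetes allows in secret data keys (alphanumerics, `-`, `_`, `.`) and logging each skipped pair, so a user can tell why a key was not mounted.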
Member

Contributor Author


There is a filter that checks only non-nullable SSH keys, isn't there?

Member

@sleshchenko sleshchenko left a comment


LGTM

Please take a look at my minor inline comments

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

@skabashnyuk
Contributor

Do we need any changes in docs?

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

@vzhukovs
Contributor Author

@skabashnyuk no, this is an internal modification that is not reflected in any docs.

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:

@vzhukovs
Contributor Author

ci-test

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:

@vzhukovs
Contributor Author

ci-test

@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:

@dmytro-ndp
Contributor

ci-test

@eclipse-che eclipse-che deleted a comment from che-bot Oct 29, 2019
@che-bot
Contributor

che-bot commented Oct 29, 2019

E2E tests of Eclipse Che Multiuser on OCP has been successful:

Signed-off-by: Vlad Zhukovskyi <vzhukovs@redhat.com>
@che-bot
Contributor

che-bot commented Oct 30, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has been successful:

@che-bot
Contributor

che-bot commented Oct 30, 2019

E2E Happy path tests of Eclipse Che Single User on K8S (minikube v1.1.1) has failed:

@che-bot che-bot removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Oct 30, 2019
@che-bot
Contributor

che-bot commented Oct 30, 2019

E2E tests of Eclipse Che Multiuser on OCP has failed:
