Improve set active or create new project/namespace workflow

[vrubezhny]

• Now, when switching projects/namespaces, one can manually type in a project name to be set as an active one
• No more 'Missing project/namespace' item for a project/namespace that doesn't exist on a cluster. This allows
  working normally on clusters with restrictions on list for projects.

Fixes: #3999

• The project listing is fixed, so annotated projects are shown now

Fixes: #4101

• For a Sandbox cluster a project which name contains current user name is used as a default one when logging in (A follow up to Fix login to sandbox workflow #4109)

Issue: #4080 (?)

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 42.16867% with 48 lines in your changes are missing coverage. Please review.

Project coverage is 44.60%. Comparing base (da60441) to head (beaaeec).
Report is 235 commits behind head on main.

❗ Current head beaaeec differs from pull request most recent head 0c81c4e

Please upload reports for the commit 0c81c4e to get more accurate results.

Files	Patch %	Lines
src/oc/ocWrapper.ts	53.48%	20 Missing ⚠️
src/explorer.ts	34.78%	15 Missing ⚠️
src/openshift/project.ts	20.00%	12 Missing ⚠️
src/util/loginUtil.ts	50.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #4122       +/-   ##
===========================================
+ Coverage   32.37%   44.60%   +12.23%     
===========================================
  Files          85       88        +3     
  Lines        6505     7113      +608     
  Branches     1349     1502      +153     
===========================================
+ Hits         2106     3173     +1067     
+ Misses       4399     3940      -459     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[datho7561]

getActiveProject() fails with a null dereference if you can't list projects, since the return value of fixActiveProject is null. One consequence of this failure is that the Application Explorer says you are logged out, even if you are allowed to perform some actions on the cluster (such as listing pods on all namespaces).

oc projects fails if the user cannot list namespaces, so you might need to use another method to detect the current project. Probably the best (and maybe only) approach is to read the kubeconfig.

I haven't tried this on an OpenShift instance, I've been using kind. I can do a short write up on creating a service account that can't list projects on a kind cluster if you are interested.

[vrubezhny]

I haven't tried this on an OpenShift instance, I've been using kind. I can do a short write up on creating a service account that can't list projects on a kind cluster if you are interested.

@datho7561 This would be really helpful.

[vrubezhny]

oc projects fails if the user cannot list namespaces, so you might need to use another method to detect the current project. Probably the best (and maybe only) approach is to read the kubeconfig.

I use Kube config to detect an active project, because the way I run oc projects, even if it succeeds, doesn't allow to get the active project info from its output (I execute it with -q argument, which makes its output more short and not requiring any special parsing, but also make it to lack an info on which project is currently set as active. (However I expect oc also to use Kube config in order to get the active project)

The problem may happen when Kube config has active project set, but that project doesn't really exist on the cluster.
Previously a Missing project was shown on the tree with the selected name, while with this fix (if there are any projects exist on the cluster) the first available project will be actually selected, but not the chosen one (either thru Kube config or by entering its name manually). This probably is worth to be restored.

[vrubezhny]

Changed fixActiveProject so:

• it never returns null.
• If Kube Config has a namespace set that doesn't exists in the cluster projects, it doesn't change the active property of any cluster project , but still sets such "manually" set project as a active in Kube config (So it won't be changed neither to default nor to the first listed project, thus making it possible to correctly select active project when a cluster doesn't allow to get the list of projects)

[adietish]

Things dont work for me properly when only listing pods is allowed (as instructed in #3999):
The current namespace ("default") is displayed but reported as missing.

This is erroneous since I can list pods that exist in this namespace:

$ kubectl get pod -n default
NAME                           READY   STATUS             RESTARTS           AGE
apple-app                      1/1     Running            0                  67m
banana-app                     1/1     Running            0                  67m
frontend-9cr6z                 0/1     ImagePullBackOff   0                  67m
frontend-kjrpx                 0/1     ErrImagePull       0                  67m
frontend-vbhb7                 0/1     ErrImagePull       0                  67m
mehdb-0                        0/1     CrashLoopBackOff   18 (15s ago)       68m
sise-deploy-69d88467b4-vhfsd   0/1     CrashLoopBackOff   3415 (2m10s ago)   58d

I think that you cannot know if a namespace exists or not if you're not allowed to get the namespace resource or all the namespaces.
If you're not allowed to list all the namespaces or a specific namespace, you always get 401 Forbidden, whether it exists or not.

1. When trying to get a namespace that exists:

$ kubectl get ns default
Error from server (Forbidden): namespaces "default2" is forbidden: User "user1" cannot get resource "namespaces" in API group "" in the namespace "default"

2. When trying to get a namespace that DOESNT exist:

$ kubectl get ns default2
Error from server (Forbidden): namespaces "default2" is forbidden: User "user1" cannot get resource "namespaces" in API group "" in the namespace "default2"

401 Forbidden in both cases.

[adietish]

Furthermore I cannot select my current namespace. I cannot confirm the upcoming prompt by hitting the return key, it stays open (namespace "default" exists, I simply cannot retrieve it. I can only retrieve pods within it):

Screen.Recording.2024-05-15.at.17.04.57.mov

[vrubezhny]

Furthermore I cannot select my current namespace. I cannot confirm the upcoming prompt by hitting the return key, it stays open (namespace "default" exists, I simply cannot retrieve it. I can only retrieve pods within it):

It's a filter, not an input field for a project/namespace name, you should click Create new... or Manually set... item first, then type in a project name:

Screencast.from.2024-05-15.18-17-48.webm

[vrubezhny]

I've made no item like xxx - Missing project/namespace to appear anymore. For a project/namespace that doesn't exist on a cluster or exist but cannot be listed due to restrictions in cluster configuration a normal project/namespace item will appear with all its children. The content of the children items Deployments/Workloads/etc is to be defined depending on the existence or applied restrictions.

[adietish]

@vrubezhny Things work fine now 😄

I can use the namespace "default", there's no warning "Missing Namespace" any more and I can list the pods that are running and that I am allowed to list (according to my custom, restrictive RBAC).

The only thing that I am wondering about is that listing forbidden resources cause error notifications to appear while the cathegory stays empty.

I am wondering if a child node with the error would be preferrable (screenshot of intellij-kubernetes)?

[vrubezhny]

I am wondering if a child node with the error would be preferrable (screenshot of intellij-kubernetes)?

@datho7561 What do you think about this proposal?
If we can detect (by oc auth can-i get ... or somehow else) that listing a node objects is restricted, we can create some meaningful labels like Deployments cannot be shown due to the cluster configuration restrictions or similar and not to try to get, f.i., Deployments children which definitely leads into the mentioned error message appearance.

[datho7561]

@datho7561 What do you think about this proposal? If we can detect (by oc auth can-i get ... or somehow else) that listing a node objects is restricted, we can create some meaningful labels like Deployments cannot be shown due to the cluster configuration restrictions or similar and not to try to get, f.i., Deployments children which definitely leads into the mentioned error message appearance.

I like this idea.

[datho7561]

I think we can use kubectl api-versions to detect if a user is authenticated with the server when they are using a non-OpenShift cluster. I'll double check, but I think this API is available when a user is authenticated with a server, regardless of the roles they have been assigned.

[vrubezhny]

I think we can use kubectl api-versions to detect if a user is authenticated with the server when they are using a non-OpenShift cluster. I'll double check, but I think this API is available when a user is authenticated with a server, regardless of the roles they have been assigned.

The current PR version is updated to use oc whoami --show-server followed by (if successful) oc api-versions (if not empty response) to detect whether we're really logged in to a cluster or not.

Also, Delete project/namespace context menu action isn't shown when the project/namespace doesn't exist on the cluster or it's not allowed to list projects/namespaces on the cluster due to restricted configuration

[vrubezhny]

The Change Active Project/Namespace inline and context menu actions are now enabled without any restrictions on OpenShift and Kubernates cluster projects. The contents of quick pick is limited according to the restrictions applied to the cluster: in the most restricted case (when it's not allowed to create or list projects/namespaces) it will contain the only one item Manually set active Namespace/Project:

Screencast.from.2024-05-16.22-39-15.webm

Tested using the "restricted" Kind cluster service account created according the redhat-developer/idetools.dev#49

[vrubezhny]

Now the App. Explorer Tree on a "restricted" cluster looks like the following:

cc @adietish

[datho7561]

Seems good to me!

[datho7561]

@vrubezhny feel free to merge, unless you want to wait on feedback from Andre on the appearance of the error tree nodes.