The DevWorkspace Operator allows mounting a Personal Access Token to workspaces, enabling access to private repos in cases where SSH keys aren't convenient. This is currently done by:
- Collecting all secrets labelled controller.devfile.io/git-credential in the current namespace
- Merging them into a secret called devworkspace-merged-git-credentials (in order to allow multiple credentials to be specified)
- Mounting this secret using a subpath volume mount to a mount path specified by the original secrets
The downside of this approach is that using a subpath volume mount prevents changes to the on-cluster secret from being propagated to the workspace, which can cause issues if PATs expire.
Instead, we should consider updating the DevWorkspace Operator to:
- Mount the merged git credentials secret as files (rather than subpaths) to allow changes to be propagated into the workspace.
- Ignore mount paths on git-credential secrets, and mount the credentials file to a fixed directory (this is required for the point above, as otherwise mounting to / will overwrite the entire filesystem).
Additional context
Originally brought up as an issue in eclipse-che/che#21291. Note the GitLab PATs expire after 2 hours, so even if they are refreshed as expected, the workspace would have to be restarted frequently.
Details on how controller.devfile.io/mount-path is currently used:
- If no secret specifies a mount path, the default / is used and the credentials file is mounted to /credentials
- If any secret specifies a mount path, that is used instead. Multiple secrets can specify the same mount path
- If two or more secrets specify conflicting mount paths, it is treated as an error
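The difference between the two mount styles discussed in this issue, as an added example that is not part of the original issue or the operator's generated pod spec. The secret name comes from the issue; the `credentials` key name, the token value, the pod and container names, and the `/var/run/git-credentials` directory are assumptions made for illustration.

```yaml
# Constructed manifest: one Secret mounted two ways in the same pod.
apiVersion: v1
kind: Secret
metadata:
  name: devworkspace-merged-git-credentials   # name taken from the issue
type: Opaque
stringData:
  # Key name and value are constructed sample data, not a real token.
  credentials: "https://user:constructed-token@git.example.com\n"
---
apiVersion: v1
kind: Pod
metadata:
  name: git-credential-mount-demo   # hypothetical name
spec:
  volumes:
    - name: git-credentials
      secret:
        secretName: devworkspace-merged-git-credentials
  containers:
    # Current behaviour: a single file mounted via subPath.
    # The kubelet does not refresh subPath mounts when the Secret changes,
    # so a rotated or expired PAT stays stale until the pod restarts.
    - name: subpath-mount
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: git-credentials
          mountPath: /credentials
          subPath: credentials
          readOnly: true
    # Proposed behaviour: the whole Secret volume mounted on a fixed,
    # dedicated directory (hypothetical path). The kubelet updates the
    # projected files after the Secret changes, without a restart.
    # Mounting this way on / would shadow the container filesystem,
    # which is why a fixed directory is needed.
    - name: directory-mount
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: git-credentials
          mountPath: /var/run/git-credentials
          readOnly: true
```

After the Secret is updated, reading `/credentials` in the first container still returns the old token, while `/var/run/git-credentials/credentials` in the second reflects the new one once the kubelet has synced the volume.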