SingleHost + TLS on OpenShift #201
Conversation
|
Skipping CI for Draft Pull Request. |
sleshchenko
force-pushed
the
tls
branch
2 times, most recently
from
7302dc0
to
66d885d
Compare
|
/test v5-devworkspaces-operator-e2e |
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Outdated
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Outdated
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/resolve_endpoints.go
Outdated
Show resolved
Hide resolved
samples/cloud-shell.yaml
Outdated
| @@ -2,8 +2,13 @@ kind: DevWorkspace | |||
| apiVersion: workspace.devfile.io/v1alpha1 | |||
| metadata: | |||
| name: cloud-shell | |||
| annotations: | |||
| # it's important to make workspace immutable to make sure nobody with right access | |||
There was a problem hiding this comment.
| # it's important to make workspace immutable to make sure nobody with right access | |
| # it's important to restrict access to the workspace to make sure other users with sufficient privileges |
There was a problem hiding this comment.
Since we add this annotation in four places, I think it makes sense to remove these comments from our samples. Instead, it's better to start describing annotation which is supposed to be used by users somewhere, we can start with README.md. WDYT?
There was a problem hiding this comment.
Yeah, I like the idea of putting these annotations in the README
There was a problem hiding this comment.
I've added the corresponding section into README.md. I've used the format as https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ has. Feedback or remarks are welcome.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amisevsk, sleshchenko The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
New changes are detected. LGTM label has been removed. |
samples/cloud-shell.yaml
Outdated
| @@ -2,8 +2,13 @@ kind: DevWorkspace | |||
| apiVersion: workspace.devfile.io/v1alpha1 | |||
| metadata: | |||
| name: cloud-shell | |||
| annotations: | |||
| # it's important to make workspace immutable to make sure nobody with right access | |||
There was a problem hiding this comment.
Yeah, I like the idea of putting these annotations in the README
There was a problem hiding this comment.
I ran into a few issues on crc. I'm not sure if this is expected at this point, but during theia startup I see the error message
2020-11-30 22:03:44.880 root ERROR Security problem: Unable to configure separate webviews domain: Params: Error: Unable to get workspace containers. Cause: [object Object]
logged. This may also be related to the issue below.
| } | ||
|
|
||
| func EndpointPath(endpointName string) string { | ||
| return "/" + endpointName + "/" |
There was a problem hiding this comment.
In testing on crc I found a few issues with our approach to paths:
- When we suffix the path with
/, that exact string must be used to access the endpoint. This is an issue because the ideURL ends up without the trailing/so clicking the ideURL takes you to the OpenShift "application not available" page. - The workspace never enters a
Runningstate -- it's stuck inStarting. I believe (but haven't verified) that this is because we useideURLincheckServerStatus():since I'm seeingideUrl := workspace.Status.IdeUrl healthz, err := url.Parse(ideUrl) healthz.Path = healthz.Path + "healthz"
IdeURLas e.g. https://workspace99cfef48974c4fef.apps-crc.testing/theia it would appear that we're trying to pinghttps://workspace99cfef48974c4fef.apps-crc.testing/theiahealthz, which returns 503 instead of a 4xx that we're expecting. This causes the readiness check to fail at the end.
There was a problem hiding this comment.
ideUrl was with trailing /... probably it went after Path.join stuff
Interesting that theia is not loaded when you access it without a trailing slash, seems Theia needs the right redirect:
without trailing slash
with trailing slash
So, I'll make sure that endpoints have trailing slash if it's path rule, and it should be possible to specify endpoint path without a slash.
There was a problem hiding this comment.
Should be fixed with db048ad
|
/test v5-devworkspaces-operator-e2e |
|
Unreal, even e2e tests passed :-D |
There was a problem hiding this comment.
Testing on crc + firefox and chrome, I can start up theia-next and see the webview (no images are loaded). However, once Theia is loaded, I see a tight loop on requests to https://workspace918799a646044762.apps-crc.testing/che/client-ip which all return 503 -- this route does not exist on the cluster (there's probably >50 req/sec here)
I don't know enough about theia internals to debug further, and the theia logs become enormous pretty quickly with an (probably related) error
Promise rejection not handled in one second: Error: Request failed with status code 503 , reason: Error: Request failed with status code 503
With stack trace: UJUX/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:212:2276
MkyZ/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:116:5450
hR+n/e.exports/</p.onreadystatechange@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:293:2425
2020-12-01 18:56:12.186 root ERROR [hosted-plugin: 47] Promise rejection not handled in one second: Error: Request failed with status code 503 , reason: Error: Request failed with status code 503
With stack trace: UJUX/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:212:2276
MkyZ/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:116:5450
hR+n/e.exports/</p.onreadystatechange@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:293:2425
|
For
it may just be a bit of weird trivia, but I think we can get around this by making sure che-rest-apis is the first container in the pod spec. Kube starts containers in the order they're listed, iirc. If che-rest-apis is temporary this may be a worthwhile workaround. |
Known bug, Artem will take a look at that. See PR description ) |
Ah missed that line, apologies. |
|
New happy path check helps me to figure out that creator-access only is broken. I'll take a look tomorrow on that |
sleshchenko
changed the title
sleshchenko
changed the title
|
Creator access only is recovered in bd01489 Also, I think it may be redundant to deny workspace update for workspace with not-restricted-access, so it's done in 1250c5c Note that all workspace-related objects, route, service, deployment are still immutable for both workspace types (with and without restricted access). We may keep it only for restricted access related workspace if we decide, but it may be done in a separate PR as well. |
|
/test v5-devworkspaces-operator-e2e |
|
|
|
/test v5-devworkspaces-operator-e2e |
|
Just tested on cluster bot cluster and ran into a few things: For samples/theia-next.yamlCloning when using For samples/all-in-one-theia-nodejs.devworkspace.yamlSeems like i'm getting errors when its trying to find other containers so the workspace view isn't working :
The workspace view isn't populated, project didn't clone etc. Not exactly sure why though |
|
After I found and fixed bug with empty annotations (I had introduced before), AllInOne Theia and Theia Next work just fine on OpenShift 4.7 powered by cluster bot. |
|
I assume permissions issues could be related to mkdir which currently implemented in a wrong way, and it's actual for master branch as well. |
|
There are no critical objections against this PR, so, I'm merging it not to inflate this PR even more. I will be happy to address any feedback with separate PRs if any. |
|
🤦♂️ I forgot to push made fixes, so they are merged in #213 |
Quickly tried and it does not help |
|
I was quick in my conclusion. The error above is caused by Theia 7.20 which has issues with single host. Seems it helps to workaround an issue and I'll create PR |
What does this PR do?
This PR enables Single host + TLS on OpenShift for basic routing.
It has self-describing commits.
Now creator access only access is provided only for workspaces annotated with
controller.devfile.io/restricted-access: trueNow CloudShell workspace (not web-terminal) can be opened only with OpenShift OAuth routing.
CloudShell workspace also does not support single-host feature because it uses absolute references at this point.
TODOs:
Theia Webview
It works depending on the container startup sequence.
Theia needs to try again when Che is not available for such fundamental stuff like Webview or che-api-sidecar may be moved to a dedicated pod which we start first, but no one of them worths attention because Che API Sidecar is just a temporary solution and it should be reworked in a proper way where Theia access like K8s cluster to get needed info;
OpenShift OAuth expects to be the only application on the host and sends an absolute redirect
Endpoint name is not unique. Should we include the component name to path rule as well?
What issues does this PR fix or reference?
#200
Is it tested? How?
Minikube
Verified that on minikube everything works as previously + now terminal works fine for:
CRC
Verified that on crc now:
for:
CloudShell works as it used to work with host per endpoint approach.