-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SingleHost + TLS on OpenShift #201
Conversation
Skipping CI for Draft Pull Request. |
7302dc0
to
66d885d
Compare
/test v5-devworkspaces-operator-e2e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few minor comments below, but LGTM at its core. I'll test it later today, once I get crc
up and running
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Outdated
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/openshift_oauth_solver.go
Outdated
Show resolved
Hide resolved
controllers/controller/workspacerouting/solvers/resolve_endpoints.go
Outdated
Show resolved
Hide resolved
samples/cloud-shell.yaml
Outdated
@@ -2,8 +2,13 @@ kind: DevWorkspace | |||
apiVersion: workspace.devfile.io/v1alpha1 | |||
metadata: | |||
name: cloud-shell | |||
annotations: | |||
# it's important to make workspace immutable to make sure nobody with right access |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# it's important to make workspace immutable to make sure nobody with right access | |
# it's important to restrict access to the workspace to make sure other users with sufficient privileges |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we add this annotation in four places, I think it makes sense to remove these comments from our samples. Instead, it's better to start describing annotation which is supposed to be used by users somewhere, we can start with README.md. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I like the idea of putting these annotations in the README
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added the corresponding section into README.md. I've used the format as https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ has. Feedback or remarks are welcome.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amisevsk, sleshchenko The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
New changes are detected. LGTM label has been removed. |
samples/cloud-shell.yaml
Outdated
@@ -2,8 +2,13 @@ kind: DevWorkspace | |||
apiVersion: workspace.devfile.io/v1alpha1 | |||
metadata: | |||
name: cloud-shell | |||
annotations: | |||
# it's important to make workspace immutable to make sure nobody with right access |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I like the idea of putting these annotations in the README
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran into a few issues on crc
. I'm not sure if this is expected at this point, but during theia startup I see the error message
2020-11-30 22:03:44.880 root ERROR Security problem: Unable to configure separate webviews domain: Params: Error: Unable to get workspace containers. Cause: [object Object]
logged. This may also be related to the issue below.
} | ||
|
||
func EndpointPath(endpointName string) string { | ||
return "/" + endpointName + "/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In testing on crc
I found a few issues with our approach to paths:
- When we suffix the path with
/
, that exact string must be used to access the endpoint. This is an issue because the ideURL ends up without the trailing/
so clicking the ideURL takes you to the OpenShift "application not available" page. - The workspace never enters a
Running
state -- it's stuck inStarting
. I believe (but haven't verified) that this is because we useideURL
incheckServerStatus()
:since I'm seeingideUrl := workspace.Status.IdeUrl healthz, err := url.Parse(ideUrl) healthz.Path = healthz.Path + "healthz"
IdeURL
as e.g. https://workspace99cfef48974c4fef.apps-crc.testing/theia it would appear that we're trying to pinghttps://workspace99cfef48974c4fef.apps-crc.testing/theiahealthz
, which returns 503 instead of a 4xx that we're expecting. This causes the readiness check to fail at the end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ideUrl was with trailing /
... probably it went after Path.join stuff
Interesting that theia is not loaded when you access it without a trailing slash, seems Theia needs the right redirect:
without trailing slash
with trailing slash
So, I'll make sure that endpoints have trailing slash if it's path rule, and it should be possible to specify endpoint path without a slash.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be fixed with db048ad
/test v5-devworkspaces-operator-e2e |
Unreal, even e2e tests passed :-D |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Testing on crc
+ firefox and chrome, I can start up theia-next
and see the webview (no images are loaded). However, once Theia is loaded, I see a tight loop on requests to https://workspace918799a646044762.apps-crc.testing/che/client-ip
which all return 503 -- this route does not exist on the cluster (there's probably >50 req/sec here)
I don't know enough about theia internals to debug further, and the theia logs become enormous pretty quickly with an (probably related) error
Promise rejection not handled in one second: Error: Request failed with status code 503 , reason: Error: Request failed with status code 503
With stack trace: UJUX/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:212:2276
MkyZ/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:116:5450
hR+n/e.exports/</p.onreadystatechange@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:293:2425
2020-12-01 18:56:12.186 root ERROR [hosted-plugin: 47] Promise rejection not handled in one second: Error: Request failed with status code 503 , reason: Error: Request failed with status code 503
With stack trace: UJUX/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:212:2276
MkyZ/e.exports@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:116:5450
hR+n/e.exports/</p.onreadystatechange@https://workspace918799a646044762.apps-crc.testing/theia/vendors.c8bdf28598a14f9b5776.js:293:2425
For
it may just be a bit of weird trivia, but I think we can get around this by making sure che-rest-apis is the first container in the pod spec. Kube starts containers in the order they're listed, iirc. If che-rest-apis is temporary this may be a worthwhile workaround. |
Known bug, Artem will take a look at that. See PR description ) |
Ah missed that line, apologies. |
New happy path check helps me to figure out that creator-access only is broken. I'll take a look tomorrow on that |
Creator access only is recovered in bd01489 Also, I think it may be redundant to deny workspace update for workspace with not-restricted-access, so it's done in 1250c5c Note that all workspace-related objects, route, service, deployment are still immutable for both workspace types (with and without restricted access). We may keep it only for restricted access related workspace if we decide, but it may be done in a separate PR as well. |
/test v5-devworkspaces-operator-e2e |
/test v5-devworkspaces-operator-e2e |
Just tested on cluster bot cluster and ran into a few things: For samples/theia-next.yamlCloning when using For samples/all-in-one-theia-nodejs.devworkspace.yamlSeems like i'm getting errors when its trying to find other containers so the workspace view isn't working :
The workspace view isn't populated, project didn't clone etc. Not exactly sure why though |
I assume permissions issues could be related to mkdir which currently implemented in a wrong way, and it's actual for master branch as well. |
There are no critical objections against this PR, so, I'm merging it not to inflate this PR even more. I will be happy to address any feedback with separate PRs if any. |
🤦♂️ I forgot to push made fixes, so they are merged in #213 |
|
I was quick in my conclusion. The error above is caused by Theia 7.20 which has issues with single host. Seems it helps to workaround an issue and I'll create PR |
What does this PR do?
This PR enables Single host + TLS on OpenShift for basic routing.
It has self-describing commits.
Now creator access only access is provided only for workspaces annotated with
controller.devfile.io/restricted-access: true
Now CloudShell workspace (not web-terminal) can be opened only with OpenShift OAuth routing.
CloudShell workspace also does not support single-host feature because it uses absolute references at this point.
TODOs:
Theia Webview
It works depending on the container startup sequence.
Theia needs to try again when Che is not available for such fundamental stuff like Webview or che-api-sidecar may be moved to a dedicated pod which we start first, but no one of them worths attention because Che API Sidecar is just a temporary solution and it should be reworked in a proper way where Theia access like K8s cluster to get needed info;
OpenShift OAuth expects to be the only application on the host and sends an absolute redirect
Endpoint name is not unique. Should we include the component name to path rule as well?
What issues does this PR fix or reference?
#200
Is it tested? How?
Minikube
Verified that on minikube everything works as previously + now terminal works fine for:
CRC
Verified that on crc now:
for:
CloudShell works as it used to work with host per endpoint approach.