Improve oauth handling.

.vscode/tasks.json

@@ -87,8 +87,8 @@
             "group": "build"
         },
         {
-            "label": "Update csv bundle files",
-            "command": "./olm/update-nightly-bundle.sh",
+            "label": "Update OLM bundle files",
+            "command": "./olm/update-crd-files.sh && ./olm/update-nightly-bundle.sh",
             "type": "shell",
             "args": [],
             "problemMatcher": [

Dockerfile

@@ -26,7 +26,7 @@ RUN export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH=
     GOOS=linux GOARCH=${ARCH} CGO_ENABLED=0 go build -mod=vendor -o /tmp/che-operator/che-operator cmd/manager/main.go
 
 # https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8-minimal
-FROM registry.access.redhat.com/ubi8-minimal:8.3-201
+FROM registry.access.redhat.com/ubi8-minimal:8.3-230
 
 COPY --from=builder /tmp/che-operator/che-operator /usr/local/bin/che-operator
 COPY --from=builder /che-operator/templates/keycloak_provision /tmp/keycloak_provision

README.md

@@ -326,7 +326,7 @@ Sometimes, during development, you need to modify some YAML definitions in the `
   - Che cluster custom resource definition `pkg/apis/org/v1/che_types.go`. For example you want to fix some properties description or apply new Che type properties with default values. These changes affect CRD `deploy/crds/org_v1_che_crd.yaml`.
   - add Openshift ui annotations for Che types properties (`pkg/apis/org/v1/che_types.go`) to display information or interactive elements on the Openshift user interface.
 
-For all these cases it's a necessary to generate a new OLM bundle to make these changes working with OLM. Run the VSCode tasks `Update csv bundle files` or use the terminal:
+For all these cases it's a necessary to generate a new OLM bundle to make these changes working with OLM. Run the VSCode tasks `Update OLM bundle files` or use the terminal:
 
 ```bash
 $ olm/update-nightly-bundle.sh

deploy/crds/org_v1_che_cr.yaml

@@ -124,9 +124,6 @@ spec:
     identityProviderRealm: ''
     # id of a keycloak client. This client will be created, when externalIdentityProvider is false, otherwise passed to Che server
     identityProviderClientId: ''
-    # instructs an Operator to enable OpenShift v3 identity provider in Keycloak,
-    # as well as create respective oAuthClient and configure Che configMap accordingly
-    openShiftoAuth: true
     # name of oAuthClient used in OpenShift v3 identity provider in Keycloak realm. Auto generated if left blank
     oAuthClientName: ''
     # secret used in oAuthClient. Auto generated if left blank

deploy/crds/org_v1_che_crd.yaml

@@ -159,12 +159,15 @@ spec:
                   type: string
                 openShiftoAuth:
                   description: 'Enables the integration of the identity provider (Keycloak
-                    / RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
-                    This will allow users to directly login with their Openshift user
-                    through the Openshift login, and have their workspaces created
-                    under personal OpenShift namespaces. WARNING: the `kubeadmin`
-                    user is NOT supported, and logging through it will NOT allow accessing
-                    the Che Dashboard.'
+                    / RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
+                    by default. If user changes this empty value to true/false, then
+                    che-operator respect this value. Otherwise che-operator tries
+                    to auto detect if Openshift oAuth can be enabled and change empty
+                    value, correspondly to auto-detection result. This property allows
+                    users to directly login with their Openshift user through the
+                    Openshift login, and have their workspaces created under personal
+                    OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
+                    and logging through it will NOT allow accessing the Che Dashboard.'
                   type: boolean
                 updateAdminPassword:
                   description: Forces the default `admin` Che user to update password

deploy/olm-catalog/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml

@@ -84,13 +84,13 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:nightly
-    createdAt: "2020-12-14T15:43:45Z"
+    createdAt: "2020-12-17T10:09:13Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     operatorframework.io/suggested-namespace: eclipse-che
     repository: https://github.com/eclipse/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-kubernetes.v7.23.0-48.nightly
+  name: eclipse-che-preview-kubernetes.v7.24.0-52.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -322,7 +322,7 @@ spec:
                       - name: RELATED_IMAGE_che_tls_secrets_creation_job
                         value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
                       - name: RELATED_IMAGE_pvc_jobs
-                        value: registry.access.redhat.com/ubi8-minimal:8.3-201
+                        value: registry.access.redhat.com/ubi8-minimal:8.3-230
                       - name: RELATED_IMAGE_postgres
                         value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
                       - name: RELATED_IMAGE_keycloak
@@ -494,4 +494,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.23.0-48.nightly
+  version: 7.24.0-52.nightly

deploy/olm-catalog/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml

@@ -159,12 +159,15 @@ spec:
                   type: string
                 openShiftoAuth:
                   description: 'Enables the integration of the identity provider (Keycloak
-                    / RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
-                    This will allow users to directly login with their Openshift user
-                    through the Openshift login, and have their workspaces created
-                    under personal OpenShift namespaces. WARNING: the `kubeadmin`
-                    user is NOT supported, and logging through it will NOT allow accessing
-                    the Che Dashboard.'
+                    / RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
+                    by default. If user changes this empty value to true/false, then
+                    che-operator respect this value. Otherwise che-operator tries
+                    to auto detect if Openshift oAuth can be enabled and change empty
+                    value, correspondly to auto-detection result. This property allows
+                    users to directly login with their Openshift user through the
+                    Openshift login, and have their workspaces created under personal
+                    OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
+                    and logging through it will NOT allow accessing the Che Dashboard.'
                   type: boolean
                 updateAdminPassword:
                   description: Forces the default `admin` Che user to update password

deploy/olm-catalog/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml

@@ -20,8 +20,7 @@ metadata:
               "identityProviderRealm": "",
               "identityProviderURL": "",
               "oAuthClientName": "",
-              "oAuthSecret": "",
-              "openShiftoAuth": true
+              "oAuthSecret": ""
             },
             "database": {
               "chePostgresDb": "",
@@ -76,13 +75,13 @@ metadata:
     categories: Developer Tools, OpenShift Optional
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:nightly
-    createdAt: "2020-12-14T15:43:55Z"
+    createdAt: "2020-12-17T10:09:20Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces in OpenShift.
     operatorframework.io/suggested-namespace: eclipse-che
     repository: https://github.com/eclipse/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.23.0-48.nightly
+  name: eclipse-che-preview-openshift.v7.24.0-52.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -336,7 +335,7 @@ spec:
                       - name: RELATED_IMAGE_devfile_registry
                         value: quay.io/eclipse/che-devfile-registry:nightly
                       - name: RELATED_IMAGE_pvc_jobs
-                        value: registry.access.redhat.com/ubi8-minimal:8.3-201
+                        value: registry.access.redhat.com/ubi8-minimal:8.3-230
                       - name: RELATED_IMAGE_postgres
                         value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
                       - name: RELATED_IMAGE_keycloak
@@ -514,4 +513,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.23.0-48.nightly
+  version: 7.24.0-52.nightly

deploy/olm-catalog/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml

@@ -160,12 +160,15 @@ spec:
                   type: string
                 openShiftoAuth:
                   description: 'Enables the integration of the identity provider (Keycloak
-                    / RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
-                    This will allow users to directly login with their Openshift user
-                    through the Openshift login, and have their workspaces created
-                    under personal OpenShift namespaces. WARNING: the `kubeadmin`
-                    user is NOT supported, and logging through it will NOT allow accessing
-                    the Che Dashboard.'
+                    / RHSSO) with OpenShift OAuth. Empty value on the OpenShift platform
+                    by default. If user changes this empty value to true/false, then
+                    che-operator respect this value. Otherwise che-operator tries
+                    to auto detect if Openshift oAuth can be enabled and change empty
+                    value, correspondly to auto-detection result. This property allows
+                    users to directly login with their Openshift user through the
+                    Openshift login, and have their workspaces created under personal
+                    OpenShift namespaces. WARNING: the `kubeadmin` user is NOT supported,
+                    and logging through it will NOT allow accessing the Che Dashboard.'
                   type: boolean
                 updateAdminPassword:
                   description: Forces the default `admin` Che user to update password

deploy/operator-local.yaml

@@ -54,7 +54,7 @@ spec:
             - name: RELATED_IMAGE_che_tls_secrets_creation_job
               value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
             - name: RELATED_IMAGE_pvc_jobs
-              value: registry.access.redhat.com/ubi8-minimal:8.3-201
+              value: registry.access.redhat.com/ubi8-minimal:8.3-230
             - name: RELATED_IMAGE_postgres
               value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
             - name: RELATED_IMAGE_keycloak

deploy/operator.yaml

@@ -53,7 +53,7 @@ spec:
             - name: RELATED_IMAGE_che_tls_secrets_creation_job
               value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
             - name: RELATED_IMAGE_pvc_jobs
-              value: registry.access.redhat.com/ubi8-minimal:8.3-201
+              value: registry.access.redhat.com/ubi8-minimal:8.3-230
             - name: RELATED_IMAGE_postgres
               value: quay.io/eclipse/che--centos--postgresql-96-centos7:9.6-b681d78125361519180a6ac05242c296f8906c11eab7e207b5ca9a89b6344392
             - name: RELATED_IMAGE_keycloak

e2e/create.go

@@ -13,6 +13,7 @@ package main
 
 import (
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
+	"github.com/eclipse/che-operator/pkg/util"
 	"github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -122,6 +123,9 @@ func newCheCluster() (cr *orgv1.CheCluster) {
 			Server: orgv1.CheClusterSpecServer{
 				UseInternalClusterSVCNames: true,
 			},
+			Auth: orgv1.CheClusterSpecAuth{
+				OpenShiftoAuth: util.NewBoolPointer(true),
+			},
 		},
 	}
 	return cr

pkg/apis/org/v1/che_types.go

@@ -405,12 +405,16 @@ type CheClusterSpecAuth struct {
 	// Forces the default `admin` Che user to update password on first login. Defaults to `false`.
 	// +optional
 	UpdateAdminPassword bool `json:"updateAdminPassword"`
-	// Enables the integration of the identity provider (Keycloak / RHSSO) with OpenShift OAuth. Enabled by default on OpenShift.
-	// This will allow users to directly login with their Openshift user through the Openshift login,
+	// Enables the integration of the identity provider (Keycloak / RHSSO) with OpenShift OAuth.
+	// Empty value on the OpenShift platform by default.
+	// If user changes this empty value to true/false, then che-operator respect this value. 
+	// Otherwise che-operator tries to auto detect if Openshift oAuth can be enabled and change empty value,
+	// correspondly to auto-detection result.
+	// This property allows users to directly login with their Openshift user through the Openshift login,
 	// and have their workspaces created under personal OpenShift namespaces.
 	// WARNING: the `kubeadmin` user is NOT supported, and logging through it will NOT allow accessing the Che Dashboard.
 	// +optional
-	OpenShiftoAuth bool `json:"openShiftoAuth"`
+	OpenShiftoAuth *bool `json:"openShiftoAuth"`
 	// Name of the OpenShift `OAuthClient` resource used to setup identity federation on the OpenShift side. Auto-generated if left blank.
 	// See also the `OpenShiftoAuth` field.
 	// +optional

pkg/controller/che/che_controller.go

@@ -340,55 +340,21 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			host, err := getDefaultCheHost(deployContext)
 			if host == "" {
 				return reconcile.Result{RequeueAfter: 1 * time.Second}, err
-			} else {
-				deployContext.DefaultCheHost = host
 			}
+			deployContext.DefaultCheHost = host
 		}
 	}
 
-	if isOpenShift && instance.Spec.Auth.OpenShiftoAuth {
-		if isOpenShift4 {
-			oauthv1 := &oauthv1.OAuth{}
-			if err := r.nonCachedClient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, oauthv1); err != nil {
-				getOAuthV1ErrMsg := failedUnableToGetOAuth + " Cause: " + err.Error()
-				logrus.Errorf(getOAuthV1ErrMsg)
-				if err := r.SetStatusDetails(instance, request, failedNoOpenshiftUserReason, getOAuthV1ErrMsg, ""); err != nil {
-					return reconcile.Result{}, err
-				}
-				return reconcile.Result{}, err
-			}
-			if len(oauthv1.Spec.IdentityProviders) < 1 {
-				logrus.Warn(warningNoIdentityProvidersMessage, " ", howToAddIdentityProviderLinkOS4)
-				instance.Spec.Auth.OpenShiftoAuth = false
-				if err := r.UpdateCheCRSpec(instance, "OpenShiftoAuth", strconv.FormatBool(false)); err != nil {
-					return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
-				}
-			}
-		} else {
-			users := &userv1.UserList{}
-			listOptions := &client.ListOptions{}
-			if err := r.nonCachedClient.List(context.TODO(), users, listOptions); err != nil {
-				getUsersErrMsg := failedUnableToGetOpenshiftUsers + " Cause: " + err.Error()
-				logrus.Errorf(getUsersErrMsg)
-				if err := r.SetStatusDetails(instance, request, failedNoOpenshiftUserReason, getUsersErrMsg, ""); err != nil {
-					return reconcile.Result{}, err
-				}
-				return reconcile.Result{}, err
-			}
-			if len(users.Items) < 1 {
-				logrus.Warn(warningNoRealUsersMessage, " ", howToConfigureOAuthLinkOS3)
-				instance.Spec.Auth.OpenShiftoAuth = false
-				if err := r.UpdateCheCRSpec(instance, "OpenShiftoAuth", strconv.FormatBool(false)); err != nil {
-					return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
-				}
-			}
+	if isOpenShift && instance.Spec.Auth.OpenShiftoAuth == nil {
+		if reconcileResult, err := r.autoEnableOAuth(instance, request, isOpenShift4); err != nil {
+			return reconcileResult, err
 		}
+	}
 
-		// delete oAuthClient before CR is deleted
-		if instance.Spec.Auth.OpenShiftoAuth {
-			if err := r.ReconcileFinalizer(instance); err != nil {
-				return reconcile.Result{}, err
-			}
+	// delete oAuthClient before CR is deleted
+	if util.IsOAuthEnabled(instance) {
+		if err := r.ReconcileFinalizer(instance); err != nil {
+			return reconcile.Result{}, err
 		}
 
 	}
@@ -431,7 +397,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			// To use Openshift v4 OAuth, the OAuth endpoints are served from a namespace
 			// and NOT from the Openshift API Master URL (as in v3)
 			// So we also need the self-signed certificate to access them (same as the Che server)
-			(isOpenShift4 && instance.Spec.Auth.OpenShiftoAuth && !instance.Spec.Server.TlsSupport) {
+			(isOpenShift4 && util.IsOAuthEnabled(instance) && !instance.Spec.Server.TlsSupport) {
 			if err := deploy.CreateTLSSecretFromEndpoint(deployContext, "", deploy.CheTLSSelfSignedCertificateSecretName); err != nil {
 				return reconcile.Result{}, err
 			}
@@ -447,7 +413,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			}
 		}
 
-		if instance.Spec.Auth.OpenShiftoAuth {
+		if util.IsOAuthEnabled(instance) {
 			// create a secret with OpenShift API crt to be added to keystore that RH SSO will consume
 			baseURL, err := util.GetClusterPublicHostname(isOpenShift4)
 			if err != nil {
@@ -1123,3 +1089,51 @@ func isTrustedBundleConfigMap(mgr manager.Manager, obj handler.MapObject) (bool,
 		},
 	}
 }
+
+func (r *ReconcileChe) autoEnableOAuth(cr *orgv1.CheCluster, request reconcile.Request, isOpenShift4 bool) (reconcile.Result, error) {
+	var message, reason string; var oauth bool
+	if isOpenShift4 {
+		oauthv1 := &oauthv1.OAuth{}
+		if err := r.nonCachedClient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, oauthv1); err != nil {
+			getOAuthV1ErrMsg := failedUnableToGetOAuth + " Cause: " + err.Error()
+			logrus.Errorf(getOAuthV1ErrMsg)
+			message = getOAuthV1ErrMsg
+			reason = failedNoOpenshiftUserReason
+			oauth = false
+		} else {
+			oauth =len(oauthv1.Spec.IdentityProviders) >= 1
+			if !oauth {
+				logrus.Warn(warningNoIdentityProvidersMessage, " ", howToAddIdentityProviderLinkOS4)
+			}
+		}
+		// openshift 3
+	} else {
+		users := &userv1.UserList{}
+		listOptions := &client.ListOptions{}
+		if err := r.nonCachedClient.List(context.TODO(), users, listOptions); err != nil {
+			getUsersErrMsg := failedUnableToGetOpenshiftUsers + " Cause: " + err.Error()
+			logrus.Errorf(getUsersErrMsg)
+			message = getUsersErrMsg
+			reason = failedNoOpenshiftUserReason
+			oauth = false
+		}
+
+		oauth = len(users.Items) >= 1
+		if !oauth {
+			logrus.Warn(warningNoRealUsersMessage, " ", howToConfigureOAuthLinkOS3)
+		}
+	}
+
+	cr.Spec.Auth.OpenShiftoAuth = util.NewBoolPointer(oauth)
+	if err := r.UpdateCheCRSpec(cr, "OpenShiftoAuth", strconv.FormatBool(oauth)); err != nil {
+		return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, err
+	}
+
+	if message != "" && reason != "" {
+		if err := r.SetStatusDetails(cr, request, message, reason, ""); err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+
+	return reconcile.Result{}, nil
+}