Secret and deployment name normalization required when using SCM username in PersonalAccessToken management #19700

Closed
cccs-eric opened this issue Apr 28, 2021 · 1 comment
Labels: area/che-server, kind/bug, severity/P1, sprint/current, sprint/next

@cccs-eric
Describe the bug

I have seen the following problems when dealing with GitLab PersonalAccessTokens (PATs), but I can't see why it would not apply to other SCMs.

My corporate GitLab username is <firstname>.<lastname>. This username is causing the following two errors in che-server:

1- Uppercase letters in the username are not valid
My goal was to register a k8s secret as described in the documentation. So here is the YAML for the secret:

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-myuser-access-token-secret
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: scm-personal-access-token
  annotations:
    che.eclipse.org/expired-after: '-1'
    che.eclipse.org/che-userid: '1e09e618-a40c-4fdd-915f-46d818223fd5'
    che.eclipse.org/scm-userid: '19'
    che.eclipse.org/scm-username: 'First.Last'
    che.eclipse.org/scm-url: 'https://my.gitlab..net'
data:
  token: <redacted>

Notice the uppercase letters in the scm-username annotation. When KubernetesGitCredentialManager tries to create a secret using this username, I get the following error:

Secret "First.Last-git-credentials-secret-2l5wo" is invalid: metadata.name: Invalid value: "First.Last-git-credentials-secret-2l5wo": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:507)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:251)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:815)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:333)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:394)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:391)
        at org.eclipse.che.api.factory.server.scm.kubernetes.KubernetesGitCredentialManager.createOrReplace(KubernetesGitCredentialManager.java:150)
        at org.eclipse.che.api.factory.server.scm.AuthorizingFileContentProvider.fetchContent(AuthorizingFileContentProvider.java:72)
        at org.eclipse.che.api.factory.server.urlfactory.URLFactoryBuilder.createFactoryFromDevfile(URLFactoryBuilder.java:107)
        at org.eclipse.che.api.factory.server.gitlab.GitlabFactoryParametersResolver.createFactory(GitlabFactoryParametersResolver.java:88)
        at org.eclipse.che.api.factory.server.FactoryService.resolveFactory(FactoryService.java:98)

I easily fixed that one by updating the secret to che.eclipse.org/scm-username: 'first.last'. I think it would be nice at this stage to call a lowercase() function on the provided username to normalize it.

2- '.' character is not allowed
A little bit further down when it's time to create the deployment, the '.' character in the username creates a problem:

Message: Deployment.apps "workspaceoc8dj2lck468sfs7.pyspark" is invalid: [spec.template.spec.volumes[7].name: Invalid value: "first.last-git-credentials-secret-facn6": a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
        at org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesDeployments.createDeployment(KubernetesDeployments.java:213)
        at org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesDeployments.deploy(KubernetesDeployments.java:188)
        at org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInternalRuntime.doStartMachine(KubernetesInternalRuntime.java:789)
        at org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInternalRuntime.startMachines(KubernetesInternalRuntime.java:632)
        at org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInternalRuntime.internalStart(KubernetesInternalRuntime.java:214)
        at org.eclipse.che.api.workspace.server.spi.InternalRuntime.start(InternalRuntime.java:141)
        at org.eclipse.che.api.workspace.server.WorkspaceRuntimes$StartRuntimeTask.run(WorkspaceRuntimes.java:969)
        at org.eclipse.che.commons.lang.concurrent.CopyThreadLocalRunnable.run(CopyThreadLocalRunnable.java:38)

This second problem might have greater ramifications in the system, so might be tougher to fix.

Che version

7.29.1
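
One way to do the normalization requested above, as an added example that is not part of the issue or of che-server (the class name, method names and the suffix parameter are hypothetical). It lowercases the SCM username, maps every character outside the DNS-1123 label set to '-', and appends a short hash of the original username so that distinct usernames such as First.Last and first-last do not collapse to the same resource name. Targeting the stricter label rule from the second error also satisfies the subdomain rule from the first.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example; class and method names are hypothetical, not che-server code.
public class ScmNameNormalizer {
  // DNS-1123 label regex as quoted in the Deployment error message.
  private static final Pattern DNS_LABEL = Pattern.compile("[a-z0-9]([-a-z0-9]*[a-z0-9])?");
  private static final int MAX_LABEL = 63; // Kubernetes length limit for a DNS-1123 label

  /** Builds "<normalized-username>-<hash>-<suffix>" and verifies it is a valid label. */
  static String toLabel(String scmUsername, String suffix) {
    String base = scmUsername.toLowerCase(Locale.ROOT)
        .replaceAll("[^a-z0-9]+", "-")  // '.', '_', '@', whitespace, non-ASCII -> '-'
        .replaceAll("^-+|-+$", "");     // must start and end with an alphanumeric
    if (base.isEmpty()) base = "user";  // nothing usable was left
    // Normalization is lossy, so a short hash of the original keeps names distinct.
    String tail = "-" + shortHash(scmUsername) + "-" + suffix;
    int room = MAX_LABEL - tail.length();
    if (room < 1) throw new IllegalArgumentException("suffix too long: " + suffix);
    if (base.length() > room) base = base.substring(0, room).replaceAll("-+$", "");
    String name = base + tail;
    if (!DNS_LABEL.matcher(name).matches()) throw new IllegalStateException(name);
    return name;
  }

  private static String shortHash(String s) {
    try {
      byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
      StringBuilder sb = new StringBuilder();
      for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i] & 0xff));
      return sb.toString();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e); // SHA-256 is required on every Java platform
    }
  }

  public static void main(String[] args) {
    // Constructed sample usernames; the first is the one from the report.
    for (String u : new String[] {"First.Last", "first-last", "Émile_O'Neil@corp", "..."}) {
      System.out.println(u + " -> " + toLabel(u, "git-credentials-secret"));
    }
  }
}
```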

@cccs-eric cccs-eric added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 28, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 28, 2021
@tolusha tolusha added team/platform area/che-server severity/P1 Has a major impact to usage or development of the system. and removed team/platform labels Apr 28, 2021
@skabashnyuk skabashnyuk added sprint/next and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Apr 29, 2021
@skabashnyuk skabashnyuk self-assigned this Apr 29, 2021
@skabashnyuk skabashnyuk added this to the 7.30 milestone Apr 29, 2021
@skabashnyuk
Fixed in #19715
