Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply OpenShift OAuth provider #15963

Merged
merged 17 commits into from
Mar 4, 2020
Merged

Apply OpenShift OAuth provider #15963

merged 17 commits into from
Mar 4, 2020

Conversation

vinokurig
Copy link
Contributor

What does this PR do?

Add OpenShift OAuth provider to be able to retrieve openshift token.

What issues does this PR fix or reference?

fixes #15670

Release Notes

Docs PR

@che-bot
Copy link
Contributor

che-bot commented Feb 7, 2020

Can one of the admins verify this patch?

@che-bot che-bot added kind/task Internal things, technical debt, and to-do tasks to be performed. status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. labels Feb 7, 2020
@che-bot
Copy link
Contributor

che-bot commented Feb 7, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@che-bot
Copy link
Contributor

che-bot commented Feb 7, 2020

E2E tests of Eclipse Che Multiuser on OCP has been successful:

@skabashnyuk
Copy link
Contributor

CC @tolusha
Do we need any changes in che-operator?

@che-bot
Copy link
Contributor

che-bot commented Feb 10, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@che-bot
Copy link
Contributor

che-bot commented Feb 10, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@tolusha
Copy link
Contributor

tolusha commented Feb 10, 2020

@skabashnyuk
I hope @vinokurig will test changes with operator to figure that out.

@che-bot
Copy link
Contributor

che-bot commented Feb 10, 2020

E2E tests of Eclipse Che Multiuser on OCP has failed:

@che-bot
Copy link
Contributor

che-bot commented Feb 10, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@che-bot
Copy link
Contributor

che-bot commented Feb 26, 2020

E2E tests of Eclipse Che Multiuser on OCP has failed:

Use command [ci-test] to rerun the test.

@che-bot
Copy link
Contributor

che-bot commented Feb 26, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@davidfestal
Copy link
Contributor

davidfestal commented Feb 26, 2020
edited
Loading

I don't see any problems with OpenShift OAuth mode. The che OpenShift OAuth provider requires creating an own OpenShift OAuth client https://docs.openshift.com/container-platform/4.3/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth

Not sure I followed the whole story about this issue, but does this mean that now, by default, in order to have Openshift integration, users will have to manually create an additional OAuth client in Openshift in addition to the one already automatically created by the Che operator when Openshift OAuth is enabled (to support Keycloak-Openshift identity provider) ?

If it's the case I'm a bit worried about the fact that it might be a problem in some situations, such as deployment on OSD for example, where it would expected that any required change is done by the operator itself afaik, and no manual step is expected, apart the creation of a CheCluster custom resource.

In such a case I would suggest that, on the operator side, when OpenShift OAuth is enabled, the same OpenShift OAuth Client would be used to configure the Che server (of this PR) as the one already used for the Keycloak OpenShift identity provider.
So maybe there is still some work on the operator here.

cc @tolusha @l0rd

davidfestal
davidfestal requested changes Feb 26, 2020
View reviewed changes
Copy link
Contributor

@davidfestal davidfestal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please could you answer the question I asked here: #15963 (comment) ?

Thanks !

@vinokurig
Copy link
Contributor Author

@davidfestal
We have similar situation with the GitHub oAuth provider, it requires creating the GitHub oAuth client on the GitHub side. We can automate creating the OpenShift oAuth client by the operator but it will mean that the OpenShift oAuth provider is supported only for operator installation.

@davidfestal
Copy link
Contributor

@vinokurig

We have similar situation with the GitHub oAuth provider, it requires creating the GitHub oAuth client on the GitHub side.

GitHub is a bit different since, afaik, you cannot automate the creation of the GitHub OAuth client easily, and the GitHub OAuth client is somehow something expected to be owned by the Che admin user in a self-service mode.

OTOH setting up an OpenShift OAuth client requires cluster admin rights into the cluster, and the installer user of Che/CRW on OpenShift doesn't necessarily own the cluster on which it installs Che (think of OSD addon for example). So this should be done by the Che operator, and is already done to support Keycloak Openshift identity provider setup.

We can automate creating the OpenShift oAuth client by the operator but it will mean that the OpenShift oAuth provider is supported only for operator installation.

Afaik the operator-based installation is the official installation mode for OpenShift, either through chectl for OpenShift 3.11, or though OLM + OperatorHub for OpenShift 4.x (+ OSD, indirectly via addon).
Of course, for anyone having cluster admin rights, and wanting to use raw yaml files to deploy Che on OpenShift, he could still create the OAuth Client by hand by following the doc.

But it seems that requiring a manual setup of an additional OAuth client inside the OpenShift cluster before being able to use the OpenShift integration tools (OpenShift plugin ?) will be a no-go in a number of contexts we aim to support.

@ericwill ericwill mentioned this pull request Feb 28, 2020
Closed
21 tasks
l0rd
l0rd approved these changes Mar 2, 2020
View reviewed changes
Copy link
Contributor

@l0rd l0rd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussing with @vinokurig I consider that the user experience doesn't get worse with this PR. If we merge this PR Che will still use OpenShift OAuth as identity provider even if the administrator doesn't create the extra OpenShift OAuth client. But the administrator would have a new (manual) option to enable the OpenShift OAuth provider for the workspaces.

For this reason I consider it as a good first step and the PR can be merged as it is (and even cherry picked to 7.9.x if we have time cc @nickboldt). But as mentioned by @davidfestal there are some important improvements that need to be introduced (update the operator to automatically create the client for instance). Such improvements can be done in a second PR.

@vinokurig vinokurig mentioned this pull request Mar 2, 2020
Closed
@vinokurig
Copy link
Contributor Author

@l0rd @davidfestal Created sub-issue: #16199

@nickboldt nickboldt mentioned this pull request Mar 2, 2020
Closed
24 tasks
@vinokurig
Copy link
Contributor Author

crw-ci-test

@vinokurig
Copy link
Contributor Author

[ci-test]

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

E2E tests of Eclipse Che Multiuser on OCP has been successful:

@vinokurig
Copy link
Contributor Author

crw-ci-test

@davidfestal
Copy link
Contributor

After discussing with @vinokurig I consider that the user experience doesn't get worse with this PR.

For this reason I consider it as a good first step and the PR can be merged as it is

Thanks @l0rd for providing more context.

Created sub-issue: #16199

Thanks @vinokurig

Let me approve this PR then.

@vinokurig
Copy link
Contributor Author

crw-ci-test

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@vinokurig
Copy link
Contributor Author

crw-ci-test

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@dmytro-ndp
Copy link
Contributor

crw-ci-test

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

❌ E2E Happy path tests failed ❗

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

@dmytro-ndp
Copy link
Contributor

crw-ci-test

@che-bot
Copy link
Contributor

che-bot commented Mar 3, 2020

✅ E2E Happy path tests succeed 🎉

See Details

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

@vinokurig vinokurig merged commit cbaf94e into master Mar 4, 2020
@vinokurig vinokurig deleted the che-15670 branch March 4, 2020 08:49
@che-bot che-bot added this to the 7.10.0 milestone Mar 4, 2020
@che-bot che-bot removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Mar 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@l0rd l0rd l0rd approved these changes

@davidfestal davidfestal davidfestal approved these changes

@skabashnyuk skabashnyuk skabashnyuk approved these changes

@tolusha tolusha tolusha approved these changes

@mshaposhnik mshaposhnik mshaposhnik approved these changes

@ibuziuk ibuziuk Awaiting requested review from ibuziuk

@nickboldt nickboldt Awaiting requested review from nickboldt

@rhopp rhopp Awaiting requested review from rhopp

@sleshchenko sleshchenko Awaiting requested review from sleshchenko

@vparfonov vparfonov Awaiting requested review from vparfonov

@ashumilova ashumilova Awaiting requested review from ashumilova

@benoitf benoitf Awaiting requested review from benoitf

Assignees
No one assigned
Labels
kind/task Internal things, technical debt, and to-do tasks to be performed.
Projects
None yet
Milestone
7.10
Development

Successfully merging this pull request may close these issues.

Make it possible to get OpenShift oauth token from theia IDE container
8 participants
@vinokurig @che-bot @skabashnyuk @tolusha @davidfestal @dmytro-ndp @l0rd @mshaposhnik