Don't allow installing Che with Openshift Oauth when no OAuth user exist #14013

Closed
3 of 23 tasks
davidfestal opened this issue Jul 24, 2019 · 5 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator

Comments

@davidfestal
Contributor

Describe the bug

On a brand new Openshift 4 cluster, you have only the kubeadmin user (which is not part of the OS 4 OAuth system). If you try to connect to Che Dashboard through the Openshift login as kubeadmin, you will get a bad Keycloak error message with no error at all, and nothing in Che logs.

So we have to find a way to prevent the Che operator from starting a Che workspace if the operator detects that there is no OAuth login method / users available (if there is only kubeadmin).
We have to be sure that we tackle the use-case when a tester would try to start a Che server on a brand new cluster (without having set up real users first).

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

On a new Openshift 4 cluster:

  1. Install a Che server through the Che operator
  2. Try to access the Che Dashboard
  3. On the login page, click the openshift-v4 link
  4. Log in to Openshift with the kube:admin method under the kubeadmin user
  5. You will get a Keycloak authentication failure error

Expected behavior

The installation of the Che server should fail with a decent error message (in the CheCluster resource status) if the Openshift cluster OAuth hasn't been set up and no Openshift user is available apart from the temporary / special kubeadmin user.

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift 4
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Screenshots

Installation method

  • chectl
  • che-operator
  • minishift-addon
  • I don't know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • other: please specify
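
The pre-flight check requested under "Expected behavior", as an added example that is not part of the original issue and is not che-operator code. It assumes the operator has already fetched the cluster OAuth config and the user list as JSON; `oauthPreflight`, the sample documents and the message strings are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples shaped like `oc get oauth cluster -o json` and
// `oc get users -o json` on a brand new cluster, trimmed to the fields read below.
const (
	freshOAuth = `{"kind":"OAuth","metadata":{"name":"cluster"},"spec":{}}`
	freshUsers = `{"kind":"UserList","items":[]}`
)

type oauthConfig struct {
	Spec struct {
		IdentityProviders []json.RawMessage `json:"identityProviders"`
	} `json:"spec"`
}
type userList struct {
	Items []struct {
		Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	} `json:"items"`
}

// oauthPreflight (hypothetical name) reports whether OpenShift OAuth login can work
// for Che; when it cannot, reason is a message meant for the CheCluster status.
func oauthPreflight(oauthJSON, usersJSON string) (ok bool, reason string, err error) {
	var cfg oauthConfig
	var users userList
	if err = json.Unmarshal([]byte(oauthJSON), &cfg); err != nil {
		return false, "", fmt.Errorf("parse OAuth config: %w", err)
	}
	if err = json.Unmarshal([]byte(usersJSON), &users); err != nil {
		return false, "", fmt.Errorf("parse user list: %w", err)
	}
	if len(cfg.Spec.IdentityProviders) == 0 {
		return false, "OpenShift OAuth has no identity provider configured", nil
	}
	for _, u := range users.Items {
		// Assumption: the temporary admin never counts as a usable login, even if listed.
		if n := u.Metadata.Name; n != "kubeadmin" && n != "kube:admin" {
			return true, "", nil
		}
	}
	return false, "no OpenShift user exists apart from kubeadmin", nil
}

func main() { fmt.Println(oauthPreflight(freshOAuth, freshUsers)) }
```

A non-empty reason is what the installation would surface instead of letting the user reach the Keycloak failure at login time.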
@davidfestal davidfestal added area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 24, 2019
@slemeur slemeur added this to the 7.1.0 milestone Jul 24, 2019
@slemeur
Contributor

slemeur commented Jul 24, 2019

linking to: #13975

@tolusha
Contributor

tolusha commented Feb 17, 2020

@davidfestal Can we close the issue since eclipse-che/che-operator#74 is merged?

@tolusha tolusha added team/deploy status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. labels Feb 17, 2020
@tolusha tolusha removed this from the 7.1.0 milestone Mar 20, 2020
@tolusha tolusha closed this as completed Apr 10, 2020
@tolusha tolusha removed the status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. label Apr 10, 2020
@smarterclayton

I don’t understand what “On a brand new Openshift 4 cluster, you have only the kubeadmin user (which is not part of the OS 4 OAuth system)” means. The kubeadmin user is certainly supported for oauth flows as part of its design (console and prometheus both can do oauth).

Can you describe exactly what is broken with kubeadmin so we can fix it and CRW can work ootb on an openshift cluster?

@dmytro-ndp
Contributor

The issue must have been fixed in keycloak 8.0.0, but CRW depends on RH SSO.
Anyway, we can probably switch che-keycloak to 8.0.0 and check fixup in Eclipse Che.
@tolusha, @skabashnyuk, @l0rd, @davidfestal: WDYT?

@l0rd
Contributor

l0rd commented May 4, 2020

Discussed with @davidfestal and @tolusha this morning. I have described our plan to overcome this limitation here.
