Enable single-level DNS domains (*.domain.tld) in SINGLE_PORT mode to simplify HTTPS setup

[hkolvenbach]

What does this PR do?

This PR changes the behavior how DNS names for SINGLE_PORT mode are generated, if the new ENV variable CHE_SINGLEPORT_CUSTOM_DNS is set to true. It will then generate DNS names with underscores instead of dots, such that all subdomains are conforming to *.domain.tld, which is important for a HTTPS setup using a wildcard certificate (usually only *.domain.tld is supported by wildcard certificates, not *.*.domain.tld and so on). This requires a wildcard DNS entry for your domain in the form of *.domain.tld and won't use any service like nip.io.

CHE_SINGLEPORT_WILDCARD__DOMAIN_HOST needs to be set to domain.tld in that case.

Work to do:

• change the Java part to enable this only if the CHE_SINGLEPORT_CUSTOM_DNS flag is set (currently hardcoded)

I would like to get feedback if this is something upstream che would want. If yes, I will solve the outstanding issues and write documentation for it. It would certainly make HTTPS setup easier for everyone and I would not need to maintain a patched fork of che.

What issues does this PR fix or reference?

Release Notes

SINGLE_PORT mode now supports custom single level DNS domains *.domain.tld

Docs PR

eclipse-che/che-docs#371

[hkolvenbach]

@JamesDrummond this might be interesting for you. Did you solve the HTTPS setup already?

[benoitf]

in che 5.x we had a template so users could specify through a property the behavior on how subdomains were concatenated (like if some ppl wanted -or _)
Adding a property is fine for me but I would give a greater choice of possibility to che6 as for che5
@mshaposhnik

[hkolvenbach]

@benoitf like the idea, this would be even easier to implement. by the way: is there a good reason to use dots as default or should we just switch to _ or -?

[benoitf]

@hkolvenbach I would say that default could be -or _ it was just easy to use .as separators

[mshaposhnik]

We don't want hostnames\IP's in the labels. So need to cut URL either until any IP or first dot in case of custom DNS.

[hkolvenbach]

fixed

[mshaposhnik]

Property name doesnt looks very self-explained to me.. They're all is a DNS. The only difference is it requires explicit IP or not. So i propose something like CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS

[hkolvenbach]

good suggestion!

[benoitf]

maybe we could have done

CHE_SINGLEPORT_DOMAIN_WILDCARD "true/false"
CHE_SINGLEPORT_DOMAIN "foo.com" (or xip.io/nip.io, etc)

[hkolvenbach]

@benoitf i tried to do it like you described, but i am not sure how to elegantly get the configuration into the SinglePortHostnameBuilder (without passing it as an argument to the SinglePortHostnameBuilder each time), so I opted for the easier method.

[mshaposhnik]

Now it will be exec-agent-http_dev-machine_workspaceao6k83hkdav975g5

[hkolvenbach]

fixed

[JamesDrummond]

@hkolvenbach I have not :( . #8945 . Would be nice if there is a problem with java not trusting the cert to actually output useful information. Right now I just get broken pipe with no other information to solve the problem. Created custom image to include certs into trust store but has not fixed the problem. Would be great to get step-by-step of getting ocp to work. Would do it myself but need to get it working first ;)

[garagatyi]

Changing wildcard approach to something more widespread than multi-level wildcard certificates seems a good idea to me. Including default behavior.

On the other hand, adding more properties and options to it will lead, eventually, to a rule-based approach that we had in Che5. So I would opt for implementing something similar to it in Che 6. Since our code has significantly changed in Che 6 it is not easy to move that code from Che 5 and I even think it is better to reimplement it from scratch to avoid legacy baggage from the previous architecture.

[hkolvenbach]

@garagatyi I was thinking about porting https://github.com/codenvy/codenvy/blob/61c0113b00eaea22cd20381be6ecbe9dd0da56e0/dockerfiles/init/modules/codenvy/templates/machine.properties.erb#L67 and https://github.com/codenvy/codenvy/blob/fa4422ec95acc09f9daad591fd2f6edc08614028/plugins/plugin-hosted/codenvy-machine-hosted/src/main/java/com/codenvy/machine/UriTemplateServerProxyTransformer.java to Che 6, to be able to rewrite URLs to something like workspace_wsagent_xyz.domain.tld/node_port. Do you think this is a good idea?

Regarding the docker infrastructure, it would probably be better to do this through labeling the exposed ports for traefik, but I couldn't find a starting point in the source code for that. Do you know how exposed ports for wsagent etc are configured? Through labeling we could also treat SSH and HTTP/HTTPS differently.

[garagatyi]

@benoitf You have previously created another approach of URLs rewriting. WDYT about the suggested idea?

@mshaposhnik could you help with labeling ports in traefik here?

[benoitf]

@garagatyi yes I think than //%5$s/%3$s_%2$s/%4$s is hard to make it evolve like introducing new arguments while with ${server-reference} etc, it's easier to understand what are the new variables without breaking any existing users settings.
So I would prefer using specific variable pattern instead of 1, 2, 3

[garagatyi]

@hkolvenbach here are docs about previous (Che 5 specific) configuration of URLs templates https://www.eclipse.org/che/docs/setup/configuration/index.html#workspace-address-resolution-strategy.
An example of configuration is: che.docker.server_evaluation_strategy.custom.template=<serverName>.<machineName>.<workspaceId>.<wildcardNipDomain>:<chePort>
The code that implemented it is outdated since we reworked that area completely. But you can implement something like it.
You could ping us if you have any questions about it. BTW @benoitf was the author of that code

[hkolvenbach]

this is needed to place https certifactes in the config/traefik folder. not strictly necessary for single-level-subdomains

[hkolvenbach]

@benoitf @garagatyi @mshaposhnik I updated the pull request. I didn't implement a full URL rewriter, but I think the single-level-subdomain approach will solve the needs at least for HTTPS.

I changed the new ENV variable CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS and fixed the code to continue to support nip.io and xip.io. If someone could give me some hints how to best implement @benoitf comment #8983 (comment), i could give it a try, but my feeling is that it would require quite some rewriting effort.

[mshaposhnik]

Please, review logic here again. We dont need to replace dots anymore. Only cut until first dot and throw out any optional IP and wildcard domain.

[hkolvenbach]

good point!

[mshaposhnik]

Other is ok for me.

[skabashnyuk]

pr for docs?

[hkolvenbach]

created the docs pr here: eclipse-che/che-docs#371

[riuvshin]

I do not see where $che_keycloak_auth__server__url is used, do we need that?

[hkolvenbach]

yes, i think this is a leftover

[hkolvenbach]

i needed to change the joiner from _ to - because it would generate invalid hostnames otherwise (this becomes a problem if you try to generate a certificate from letsencrypt for it, browsers seem to not care about _ in hostnames

[hkolvenbach]

new docs pr: https://github.com/eclipse/che-docs/pull/373/files

[garagatyi]

@hkolvenbach is there something that needs to be added to this PR?
@benoitf Are you OK with the PR?

I would want to proceed with the PR to avoid possible issues because of changes from other PRs.
@hkolvenbach can you it one more time?

[hkolvenbach]

@garagatyi from my perspective, the PR is ready to be merged. or is there anything else i should do?

[garagatyi]

@hkolvenbach I've merged PR. Thank you for contributing this functionality!