Use label-selector for namespace discovery instead of iterating#6
Conversation
…all projects - Replace oc projects -q with label-selector query on app.kubernetes.io/component=workspaces-namespace to find only DevSpaces workspace namespaces in a single API call - Filter by che.eclipse.org/username annotation for current user - Add getProjectFromWorkspaceURL() to resolve namespace directly from workspace URL via field-selector on DevWorkspace CR - Check isLoggedIn() before getProjects() during activation - Quote IdentityFile path in SSH config to handle spaces in paths - Add skipLibCheck to tsconfig for compatibility with global @types
rgrunber
left a comment
rgrunber
left a comment
There was a problem hiding this comment.
Thanks for proposing something for this. The problem seems to be that by default, users may not have permissions to call these commands, which is probably why oc projects -q was used. I've included some feedback.
If not enough time to respond/update, I'm happy to take over.
…covery - Use 'oc get projects -l' (Project API) instead of 'oc get namespaces -l' to avoid cluster-scoped permission errors for regular users - Case-insensitive exact match on che.eclipse.org/username annotation to correctly resolve the user's namespace(s) - Return all matching namespaces (users may have more than one) - Simplify getOpenShiftApiURL() to discover the API URL via the unauthenticated /oauth/start redirect, replacing .apps. hostname parsing — works for both standard and custom DevSpaces domains - Use Node.js https module instead of curl for cross-platform compatibility - Quote IdentityFile path in SSH config to handle spaces (macOS) - Remove skipLibCheck from tsconfig.json
achdmbp
force-pushed
the
fix/namespace-discovery-performance
branch
from
89a07e9 to
11d7018
Compare
|
Thanks for the review @rgrunber. Addressed all feedback:
Tested end-to-end with both an admin user (2,300+ namespaces) and a regular user with no cluster-scoped permissions. Both work correctly, including with a custom DevSpaces domain. Happy to adjust further if needed |
- Satisfy linter by avoiding dynamic 'require' and just use 'import' - Avoid destructuring API sensitive types (statusCode can also be undefined) - Fall back to basic approach of extracting API URL if '/oath/start' redirect fails Signed-off-by: Roland Grunberg <rgrunber@redhat.com>
rgrunber
left a comment
rgrunber
left a comment
There was a problem hiding this comment.
Overall, this looks good to me. The changes in getOpenShiftApiURL seem to work well. I'm not competely sure that 302 will always be the case (maybe should check >= 300 && < 400 ) or whether oauth-openshift.apps will always be the name of the oauth service, but it's a better approach than what was there. I just kept the old approach in case this fails for any reason.
oc get project -l app.kubernetes.io/component=workspaces-namespace is definitely the better approach 👍 . Seems to be confirmed by https://docs.redhat.com/en/documentation/red_hat_openshift_dev_spaces/3.27/html/administration_guide/assembly_configuring-projects_administration_guide#proc_provisioning-projects-in-advance_administration_guide .
Only other things I changed were related to some linting/type compatibility issues. I plan to merge this soon, and kick off a pre-release build.
rgrunber
changed the title
|
|
2 participants
Problem
getProjects()callsoc projects -qwhich returns every namespace the user has access to. For users with broad RBAC (cluster admins, platform teams), this can be thousands of namespaces. The extension then iterates each one sequentially, making it unusable.Changes
src/utils/cluster.tsgetProjects()— replacedoc projects -qwith a label-selector query (app.kubernetes.io/component=workspaces-namespace) that returns only DevSpaces workspace namespaces. Filters byche.eclipse.org/usernameannotation to match the current user. Falls back gracefully if the query fails.getProjectFromWorkspaceURL()(new) — when connecting via workspace URL, extracts the workspace name from the URL path and resolves the namespace withoc get devworkspace --all-namespaces --field-selector=metadata.name=<name>. Single API call, no iteration.generateHostEntry()— quoted theIdentityFilepath to handle paths with spaces (e.g.,Application Supporton macOS).src/extension.tsisLoggedIn()before callinggetProjects()to prevent activation failures when not authenticated.getProjectFromWorkspaceURL()for direct namespace resolution from the provided URL.Testing
Tested on a ROSA cluster where the authenticated user has access to 2,302 namespaces. Before this change, the extension never finished loading. After, workspace discovery completes in under 2 seconds.
Both the Remote Explorer view and the "Connect to Dev Spaces" URL flow work correctly.
Thank you for considering this contribution — happy to adjust anything based on your feedback.