Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: native user authentication #861

Merged
merged 27 commits into from
Jul 2, 2021
Merged

feat: native user authentication #861

merged 27 commits into from
Jul 2, 2021

Conversation

sparkoo
Copy link
Member

@sparkoo sparkoo commented Jun 8, 2021
edited
Loading

Signed-off-by: Michal Vala [email protected]

What does this PR do?

This is adding support for new authentication without Keycloak. Currently it's only for OpenShift using OpenShift OAuth. It's using oauth-proxy (https://github.com/openshift/oauth-proxy) in the gateway.

Technically, it's adding auth.nativeUserMode field in the CR. When enabled, che-operator does not deploy keycloak AND deploys the gateway with authentication and authorization capabilities.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#19705

How to test this PR?

I keep latest image of this PR here quay.io/mvala/che-operator:gh19705-newAuth

Deploy with this patch:

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  name: eclipse-che
spec:
  auth:
    nativeUserMode: true

and deploy templates from https://github.com/sparkoo/che-operator/tree/gh19705-newAuth/deploy

with chectl server:deploy --platform=openshift --installer=operator --workspace-engine=dev-workspace --che-operator-image=quay.io/mvala/che-operator:gh19705-newAuth --che-operator-cr-patch-yaml=/tmp/che_cr.yaml --templates=/tmp/cheop-templates

Chectl will fail waiting for a keycloak, which is not deployed in nativeUserMode. However, che-operator will deploy che successfully underneath. Get the route oc get route -n eclipse-che and open it in browser as usual. You should be redirected to OpenShift login page, so login as any OpenShift user. After login, you should get immediately to the dashboard and you can start any devworkspace.

To logout, you need to delete site cookies, this is not done yet.

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

@sparkoo
native user authentication
71a0399 
Signed-off-by: Michal Vala <[email protected]>
@openshift-ci
Copy link

openshift-ci bot commented Jun 8, 2021

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@sparkoo
configurable images
be3798e 
Signed-off-by: Michal Vala <[email protected]>
@sparkoo sparkoo changed the title native user authentication WIP - native user authentication Jun 10, 2021
@sparkoo
Merge branch 'main' into gh19705-newAuth
4ecbcb0 
# Conflicts:
#	deploy/olm-catalog/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
#	deploy/olm-catalog/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@sparkoo sparkoo marked this pull request as ready for review June 10, 2021 05:31
@sparkoo
re-enable tests
8bfc6f8 
Signed-off-by: Michal Vala <[email protected]>
@tolusha
Copy link
Contributor

tolusha commented Jun 10, 2021

Files under generated folder as well as olm/bundle_tmp.... must not be committed.

tolusha
tolusha reviewed Jun 10, 2021
View reviewed changes
Copy link
Contributor

@tolusha tolusha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general sounds good

pkg/deploy/oauthclient.go Outdated Show resolved Hide resolved
pkg/deploy/gateway/gateway.go Outdated Show resolved Hide resolved
@sparkoo sparkoo changed the title WIP - native user authentication native user authentication Jun 21, 2021
sparkoo added 2 commits June 22, 2021 07:13
@sparkoo
format
5fd76f9 
Signed-off-by: Michal Vala <[email protected]>
@sparkoo
cleanup component configs
9ef6b2b 
Signed-off-by: Michal Vala <[email protected]>
@sparkoo
Copy link
Member Author

sparkoo commented Jun 30, 2021

/retest

sparkoo added 2 commits June 30, 2021 14:44
@sparkoo
Merge branch 'main' into gh19705-newAuth
a4231cc 
# Conflicts:
#	deploy/olm-catalog/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
#	deploy/olm-catalog/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@sparkoo
update resources
d3755f6 
Signed-off-by: Michal Vala <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm label Jun 30, 2021
@sparkoo
Copy link
Member Author

sparkoo commented Jun 30, 2021

/retest

1 similar comment
@sparkoo
Copy link
Member Author

sparkoo commented Jul 1, 2021

/retest

@flacatus flacatus mentioned this pull request Jul 1, 2021
Merged
11 tasks
@flacatus
Copy link
Contributor

flacatus commented Jul 1, 2021

/retest

@sparkoo
Copy link
Member Author

sparkoo commented Jul 1, 2021

@tolusha any other comments? I'd like to merge it on Friday.

metlos
metlos reviewed Jul 1, 2021
View reviewed changes
pkg/apis/org/v1/che_types.go
// Gateway sidecar responsible for authentication when NativeUserMode is enabled.
// See link:https://github.com/oauth2-proxy/oauth2-proxy[oauth2-proxy] or link:https://github.com/openshift/oauth-proxy[openshift/oauth-proxy].
// +optional
GatewayAuthenticationSidecarImage string `json:"gatewayAuthenticationSidecarImage,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to add the *Image config options to checluster v2 and modify the v1<->v2 conversion, too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know how to do that. Is v2 in che-operator already?

sparkoo added 2 commits July 2, 2021 10:09
@sparkoo
Merge branch 'main' into gh19705-newAuth
85708ce 
# Conflicts:
#	deploy/olm-catalog/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
#	deploy/olm-catalog/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@sparkoo
update resources
71d7c08 
Signed-off-by: Michal Vala <[email protected]>
@openshift-ci openshift-ci bot added the lgtm label Jul 2, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jul 2, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: flacatus, mmorhun, sparkoo, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sparkoo
Copy link
Member Author

sparkoo commented Jul 2, 2021

/retest

3 similar comments
@sparkoo
Copy link
Member Author

sparkoo commented Jul 2, 2021

/retest

@sparkoo
Copy link
Member Author

sparkoo commented Jul 2, 2021

/retest

@flacatus
Copy link
Contributor

flacatus commented Jul 2, 2021

/retest

@openshift-ci
Copy link

openshift-ci bot commented Jul 2, 2021

@sparkoo: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/v8-single-host-nightly-deployment 71d7c08 link /test v8-single-host-nightly-deployment
ci/prow/v8-multi-host-nightly-deployment 71d7c08 link /test v8-multi-host-nightly-deployment
ci/prow/v7-multi-host-nightly-deployment 71d7c08 link /test v7-multi-host-nightly-deployment
ci/prow/v7-single-host-nightly-deployment 71d7c08 link /test v7-single-host-nightly-deployment

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@sparkoo
Copy link
Member Author

sparkoo commented Jul 2, 2021

/retest

@sparkoo sparkoo merged commit b9ccdb7 into eclipse-che:main Jul 2, 2021
@sparkoo sparkoo deleted the gh19705-newAuth branch July 2, 2021 14:12
@sparkoo sparkoo mentioned this pull request Jul 2, 2021
Closed
@che-bot che-bot added this to the 7.33 milestone Jul 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@metlos metlos metlos left review comments

@flacatus flacatus flacatus approved these changes

@mmorhun mmorhun mmorhun approved these changes

@tolusha tolusha tolusha approved these changes

@AndrienkoAleksandr AndrienkoAleksandr Awaiting requested review from AndrienkoAleksandr

@nickboldt nickboldt Awaiting requested review from nickboldt

@mshaposhnik mshaposhnik Awaiting requested review from mshaposhnik

@skabashnyuk skabashnyuk Awaiting requested review from skabashnyuk

@xbaran4 xbaran4 Awaiting requested review from xbaran4

Assignees

@tolusha tolusha

Labels
lgtm
Projects
None yet
Milestone
7.33
Development

Successfully merging this pull request may close these issues.
6 participants
@sparkoo @tolusha @flacatus @metlos @mmorhun @che-bot