Fallback to native Keycloak users if using OpenShift OAuth is not possible #16836

Closed
l0rd opened this issue May 4, 2020 · 6 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.

l0rd commented May 4, 2020

Is your enhancement related to a problem? Please describe.

When a user deploys Che on OpenShift using the operator and specifying to use OpenShift OAuth:

spec:
  auth:
    openShiftoAuth: true

the deployment fails if it's not possible to use OpenShift OAuth (e.g. kubeadmin is the only user).

Describe the solution you'd like

If using OpenShift OAuth is not possible we should NOT fail and instead:

  • issue a warning
  • fall back to openShiftoAuth: false
@l0rd l0rd added kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system. team/deploy labels May 4, 2020
@tolusha tolusha added this to the Backlog - Deploy milestone May 4, 2020

tolusha commented May 4, 2020

@davidfestal
Are you aware of another way to check if it is not possible to use OpenShift OAuth?

@l0rd l0rd added the area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator label May 5, 2020
@davidfestal

@davidfestal
Are you aware of another way to check if it is not possible to use OpenShift OAuth?

@tolusha I assume it's related to the sub-issue: #16837

Mainly OpenShift OAuth should be disabled if the list of identity providers returned by the following oc command is empty:

oc get oauth/cluster -o jsonpath="{.spec.identityProviders}"

Of course in the controller logic you would probably get this using the API and the non-cached client.


AndrienkoAleksandr commented May 12, 2020

Hello @l0rd @tolusha. We implemented a check of identity providers using oAuth, but it works only for OpenShift 4. For OpenShift 3, the 'oauth' object was encapsulated in the configuration file https://docs.openshift.com/container-platform/3.11/install_config/master_node_configuration.html#master-node-config-manual and we don't have access to this object.
@davidfestal proposed:

Couldn't we manage both cases separately:

  • check OAuth for OpenShift 4 and
  • keep checking Users on OpenShift 3.11?

@l0rd @tolusha Is this proposal OK to move forward?


l0rd commented May 12, 2020

@AndrienkoAleksandr ok from my side, but I guess that this is a question related to #16837 rather than this issue, right? In both cases, OCP 4 and OCP 3.11, you will fall back to native Keycloak users if you are not able to find a valid OAuth identity provider or user (this issue).


tolusha commented May 13, 2020

@l0rd
We've decided to handle both issues in the same PR since they are very related.

@AndrienkoAleksandr
ok for me too

@AndrienkoAleksandr

PR's merged, so closing this issue.
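
The decision this thread converges on (identity providers on OpenShift 4, users on OpenShift 3.11, fall back to native Keycloak users with a warning in both cases), as an added example that is not the che-operator's own code. `resolveOpenShiftOAuth`, its parameters and the sample JSON are hypothetical and constructed; treating an unreadable object or zero users as "not possible" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples of `oc get oauth/cluster -o json` output (OpenShift 4).
const sampleNoIDP = `{"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"name":"cluster"},"spec":{}}`
const sampleHTPasswd = `{"kind":"OAuth","spec":{"identityProviders":[{"name":"local","type":"HTPasswd","mappingMethod":"claim"}]}}`

// oauthCluster keeps only the field the check reads: .spec.identityProviders.
type oauthCluster struct {
	Spec struct {
		IdentityProviders []json.RawMessage `json:"identityProviders"`
	} `json:"spec"`
}

const fallback = "; falling back to openShiftoAuth: false (native Keycloak users)"

// resolveOpenShiftOAuth (hypothetical helper) returns the effective openShiftoAuth
// value and a warning that is non-empty only when a fallback happened.
func resolveOpenShiftOAuth(requested, isOpenShift4 bool, oauthJSON []byte, userCount int) (bool, string) {
	if !requested {
		return false, "" // OpenShift OAuth was not requested, nothing to warn about
	}
	if isOpenShift4 {
		var o oauthCluster
		if err := json.Unmarshal(oauthJSON, &o); err != nil {
			// Assumption: an unreadable object is treated like "not possible".
			return false, "cannot read oauth/cluster: " + err.Error() + fallback
		}
		if len(o.Spec.IdentityProviders) == 0 {
			return false, "oauth/cluster has no identity providers" + fallback
		}
		return true, ""
	}
	// OpenShift 3.11 exposes no oauth object; assumption: zero User objects means unusable.
	if userCount == 0 {
		return false, "no OpenShift users found" + fallback
	}
	return true, ""
}

func main() {
	for _, s := range []string{sampleNoIDP, sampleHTPasswd} {
		fmt.Println(resolveOpenShiftOAuth(true, true, []byte(s), 0))
	}
}
```

Surfacing the warning matters because the fallback silently changes which identity store authenticates users.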
