Create a valid user if no one exist when deploying on OpenShift #18152

Closed
l0rd opened this issue Oct 21, 2020 · 7 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.

Comments

@l0rd
Contributor

l0rd commented Oct 21, 2020

Is your enhancement related to a problem? Please describe.

If, at the moment of installation on OpenShift, kubeadmin is the only user, the operator doesn't enable OpenShift OAuth.

Describe the solution you'd like

Create a new OpenShift user through htpasswd (automatically generate password) and enable OpenShift OAuth.

@l0rd l0rd added kind/enhancement A feature request - must adhere to the feature request template. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator severity/P2 Has a minor but important impact to the usage or development of the system. labels Oct 21, 2020
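
The flow proposed in the issue description (an htpasswd user with a generated password, then OpenShift OAuth), written out as an added example; it is not code from che-operator or chectl. The user and secret names are hypothetical, and reading "kubeadmin is the only user" as "no identity providers are configured on the cluster" is an assumption.

```shell
#!/bin/sh
# Added example, not che-operator code. Names below are hypothetical.

# 24 alphanumeric characters taken from the kernel CSPRNG.
gen_password() {
  head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-24
}

# JSON merge patch that sets an HTPasswd identity provider on OAuth/cluster.
# A merge patch replaces the whole identityProviders list, so it is only
# safe to apply when that list is empty (checked in create_initial_user).
oauth_patch_json() {  # $1 = provider name, $2 = secret name
  printf '{"spec":{"identityProviders":[{"name":"%s","mappingMethod":"claim","type":"HTPasswd","htpasswd":{"fileData":{"name":"%s"}}}]}}' "$1" "$2"
}

# Usage: create_initial_user che-user   (needs oc, htpasswd, cluster-admin)
create_initial_user() {  # $1 = user name
  user=$1
  secret=htpasswd-initial-user   # hypothetical secret name
  existing=$(oc get oauth cluster -o jsonpath='{.spec.identityProviders}') || return 1
  if [ -n "$existing" ] && [ "$existing" != "[]" ]; then
    echo "identity providers already configured; nothing to do" >&2
    return 0
  fi
  pass=$(gen_password)
  # -i reads the password from stdin, keeping it out of the process list;
  # -B selects bcrypt; -n prints the entry instead of writing a file.
  entry=$(printf '%s\n' "$pass" | htpasswd -niB "$user") || return 1
  # The htpasswd identity provider reads the "htpasswd" key of a secret
  # in the openshift-config namespace.
  oc create secret generic "$secret" -n openshift-config \
    --from-literal=htpasswd="$entry" || return 1
  oc patch oauth cluster --type=merge \
    -p "$(oauth_patch_json htpasswd "$secret")" || return 1
  # Only the bcrypt hash is stored on the cluster; the clear-text password
  # is shown once here and has to reach the user by some other channel.
  printf 'user: %s\npassword: %s\n' "$user" "$pass"
}
```

How the generated password reaches the person who installed Che is the open question raised in the comments that follow; this example only prints it once to the terminal.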
@tolusha
Contributor

tolusha commented Oct 21, 2020

I assume we should do it while using chectl.
If installation is done via OperatorHub, there is no way to deliver this information to the end user.

@sleshchenko
Member

For me, it's not clear why we should configure authentication/create users on the OpenShift cluster.
AFAIU it should not prevent che or crw from being installed on the cluster.
I believe that setting up an identity provider on the cluster should be admin duties, and we can help them with a separate documentation article on how to enable OpenShift OAuth, where we just refer to the OpenShift documentation https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html
I think just documentation is better because:

  • I believe in most production cases, the admin should eventually remove the generated identity provider and configure their own;
  • not every installation mode supports exposing generated credentials to the user. As Anatoliy already mentioned, if we install with OperatorHub, it's tricky to provide that info to a user. It might be a created secret which the user (if they know about it) should decode from base64... But setting up an identity provider from scratch can be even easier.

@l0rd
Contributor Author

l0rd commented Oct 21, 2020

@tolusha ideally that should be done by the operator, not chectl.

@sleshchenko this is one of the 2 main problems that users report when deploying Che for the first time (the other one being TLS) and that's the reason I have opened this issue. You are right about the fact that a prod installation of Che would assume a proper configuration of the users/cluster. But we need to provide a good first impression to a developer/admin/architect/pm that knows nothing about Che and just wants to try it out.

@l0rd
Contributor Author

l0rd commented Oct 21, 2020

The flow I see again and again is: the user sets up an OpenShift cluster (with default values) and deploys Che on it through OLM. Installation works pretty well now, but as soon as they start a workspace they get the untrusted TLS error and they figure out that the Che user is not an OpenShift user.

As for letting the user know the password: how does it work today? I mean, when OpenShift OAuth is disabled, how do we inform the user about the Che username/password?

@sleshchenko
Member

> As for letting the user know the password: how does it work today? I mean, when OpenShift OAuth is disabled, how do we inform the user about the Che username/password?

I think self-registration is allowed by default and users just register a new user with Keycloak. @tolusha Could you confirm or provide the right flow here?

@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. and removed severity/P2 Has a minor but important impact to the usage or development of the system. labels Dec 2, 2020
@l0rd
Contributor Author

l0rd commented Dec 2, 2020

Raising this issue's priority as I keep hearing about users confused by this.

@tolusha tolusha added this to the 7.24 milestone Dec 3, 2020
@tolusha
Contributor

tolusha commented Dec 14, 2020

depends on eclipse-che/che-operator#551
