[devWorkspace] Adapt ssh-plugin to avoid requesting che-server API #20859

Closed
Tracked by #20830
svor opened this issue Dec 1, 2021 · 8 comments · Fixed by eclipse-che/che-theia#1277

svor commented Dec 1, 2021

Is your task related to a problem? Please describe

For now, the ssh-plugin uses the che-server API to work with SSH keys (generate, store, read, ...). When the DevWorkspace engine is enabled, it shouldn't request the che-server API.

Describe the solution you'd like

Ssh plug-in should create/use secrets as reported there: devfile/devworkspace-operator#613 (comment)

@svor svor added kind/task Internal things, technical debt, and to-do tasks to be performed. sprint/current team/plugins severity/P1 Has a major impact to usage or development of the system. area/plugins labels Dec 1, 2021
@vinokurig

The approach I am going to follow is:

  • For now, the SSH mechanism is located on the che-server side and is retrieved by API calls. We need to implement the SSH logic to be executed directly in the che-theia container to avoid API calls.
  • To store SSH keys we need to have another predefined secret like the workspace-credentials-secret with a corresponding access role.

@l0rd @benoitf Is it OK for you?


l0rd commented Dec 8, 2021

@vinokurig that's ok for me. @JPinkney @amisevsk is that consistent with secrets injection in DevWorkspaces?


amisevsk commented Dec 8, 2021

How does this interact with this PR eclipse-che/che-server#192? With the changes from that PR, Che-side SSH keys will be mounted to /.ssh/.

Is there a reason the existing workspace-credentials-secret cannot be used? My understanding is that this was the original purpose of adding this secret.

@vinokurig

@amisevsk

> How does this interact with this PR eclipse-che/che-server#192? With the changes from that PR, Che-side SSH keys will be mounted to /.ssh/.

This PR retrieves SSH keys from the che-server database: https://github.com/eclipse-che/che-server/pull/192/files#diff-e507f35404ee3af31b7d37cea6a97dbe19ff8d3d8cad0f65de3dbc8b25058541R114. In DevWorkspace Che, che-server will not contain any user SSH keys as we can't make requests to the SSH API service. The idea of this issue is to avoid API requests; for that we need the SSH key to be generated by the editor container.

> Is there a reason the existing workspace-credentials-secret cannot be used? My understanding is that this was the original purpose of adding this secret.

workspace-credentials-secret initially was added to handle theia's credentials plugin API. I am not sure that SSH key = credentials.


amisevsk commented Dec 9, 2021

> In DevWorkspace Che, che-server will not contain any user SSH keys as we can't make requests to the SSH API service.

So then is eclipse-che/che-server#192 unnecessary?

> workspace-credentials-secret initially was added to handle theia's credentials plugin API. I am not sure that SSH key = credentials.

We can certainly add more secrets to the workspace RBAC set, but I'm not sure we should be catering to what Theia needs at the moment. Why can't Theia use a secret like

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: workspace-credentials-secret
type: Opaque
data:
  theia-credentials: "<blob>"
  ssh-keys: "<blob>"
```


benoitf commented Dec 9, 2021

Main advantage with Angel's proposal is that SSH keys are more user-specific rather than IDE-specific, so using IntelliJ or VSCode might reuse those keys more easily.


l0rd commented Dec 10, 2021

@vinokurig does that work for you?

@vinokurig

Yes, I agree to use the workspace-credentials-secret for SSH keys
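
The outcome agreed in this thread, sketched as an added example that is not part of the issue or of che-theia's code: an editor-side helper that updates only the `ssh-keys` entry of `workspace-credentials-secret` through a JSON merge patch, so `theia-credentials` written by another consumer is left untouched. The JSON layout inside the `ssh-keys` blob, the function names and the sample values are assumptions.

```javascript
// Added example. The secret and field names come from the thread; the JSON
// layout inside the ssh-keys blob is an assumption made for this sketch.
const SECRET_NAME = 'workspace-credentials-secret';
const SSH_KEYS_FIELD = 'ssh-keys';

const b64encode = (text) => Buffer.from(text, 'utf8').toString('base64');
const b64decode = (blob) => Buffer.from(blob, 'base64').toString('utf8');

// Decode the ssh-keys entry of a Secret into a list of key-pair records.
function readSshKeys(secret) {
  const blob = (secret.data || {})[SSH_KEYS_FIELD];
  if (!blob) return [];
  const parsed = JSON.parse(b64decode(blob));
  if (!Array.isArray(parsed)) throw new Error('ssh-keys blob is not a list');
  return parsed;
}

// Build a JSON merge patch that adds or replaces one key pair by name.
// Only the ssh-keys field appears in the patch, so other consumers' entries
// (theia-credentials) are never rewritten by the SSH plug-in.
function buildSshKeyPatch(secret, keyPair) {
  if (secret.metadata?.name !== SECRET_NAME) throw new Error('unexpected secret');
  if (!/^[A-Za-z0-9._-]+$/.test(keyPair.name || '')) throw new Error('invalid key name');
  if (!keyPair.privateKey || !keyPair.publicKey) throw new Error('incomplete key pair');
  const others = readSshKeys(secret).filter((k) => k.name !== keyPair.name);
  const merged = [...others, keyPair];
  return { data: { [SSH_KEYS_FIELD]: b64encode(JSON.stringify(merged)) } };
}

// Local stand-in for what the API server does with a merge patch on `data`.
function applyPatch(secret, patch) {
  return { ...secret, data: { ...secret.data, ...patch.data } };
}

// Constructed sample input: placeholder values, not real key material.
const sampleSecret = {
  apiVersion: 'v1',
  kind: 'Secret',
  metadata: { name: SECRET_NAME },
  type: 'Opaque',
  data: { 'theia-credentials': b64encode('{"constructed":"sample"}') },
};
const sampleKey = {
  name: 'github.com',
  privateKey: '<constructed private key placeholder>',
  publicKey: 'ssh-ed25519 <constructed public key placeholder>',
};
```

Against a real cluster the returned object would be sent as the body of a PATCH on the Secret with content type `application/merge-patch+json`, using a role limited to that one secret.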
