
feat: Allow configuring user namespaces with OpenShift template #1925

Merged
merged 10 commits into from
Nov 5, 2024
Merged

Conversation

tolusha
Contributor

@tolusha tolusha commented Oct 24, 2024

What does this PR do?

feat: Allow configuring user namespaces with OpenShift template

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#23176

How to test this PR?

  1. Deploy the operator:
./build/scripts/olm/test-catalog-from-sources.sh
  2. Create the template:
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: che-user-namespace-configurator
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
objects:
- kind: ConfigMap
  apiVersion: v1
  metadata:
    name: user-cm
    labels:
      app.kubernetes.io/part-of: che.eclipse.org
      app.kubernetes.io/component: workspaces-config
    annotations:
      controller.devfile.io/mount-as: subpath
      controller.devfile.io/mount-path: /home/user/
  data:
    test-config-map-file: "configmap"
- kind: Secret
  apiVersion: v1
  metadata:
    name: user-secret
    labels:
      app.kubernetes.io/part-of: che.eclipse.org
      app.kubernetes.io/component: workspaces-config
    annotations:
      controller.devfile.io/mount-as: subpath
      controller.devfile.io/mount-path: /home/user/
  stringData:
    test-secret-file: "secret"
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: user-pvc
    labels:
      app.kubernetes.io/part-of: che.eclipse.org
      app.kubernetes.io/component: workspaces-config
      controller.devfile.io/mount-to-devworkspace: 'true'
    annotations:
      controller.devfile.io/mount-path: /home/user/user-pvc
      controller.devfile.io/read-only: 'false'
  spec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 5Gi
    volumeMode: Filesystem
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: che-roles
  rules:
    - apiGroups:
        - template.openshift.io
      resources:
        - templates
      verbs:
        - get
        - list
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: che-rolebinding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: che-roles
  subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: ${PROJECT_ADMIN_USER}
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER
  3. Log in as a non-admin user and start a workspace
  4. Check in a terminal:
$ cat /home/user/test-config-map-file
configmap
$ cat /home/user/test-secret-file 
secret
$ oc get template
No resources found in user2-che namespace
$ ls /home/user/user-pvc -l
total 20
drwxrws---. 2 root user 16384 Oct 28 11:29 lost+found

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.
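Because the operator stamps every object of this template, RBAC included, into each user namespace, a parameter mismatch like the one raised in review (PROJECT_NAME declared but never used, PROJECT_USER referenced but never declared) silently produces a RoleBinding for a user that does not exist. The following is an added example, not code from this PR or from che-operator: an offline lint of ${NAME}/${{NAME}} references against the top-level parameters: list, run on a constructed template that reproduces the mismatch. It assumes the text layout of the template in the description (one top-level parameters: key, one "- name:" entry per parameter) and needs neither a cluster nor PyYAML.

```python
import re

# Constructed sample modelled on the template in the PR description, carrying
# the two defects raised in review: PROJECT_NAME is declared but never used,
# and the RoleBinding subject references PROJECT_USER, which is not declared.
TEMPLATE = """\
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: che-user-namespace-configurator
objects:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: che-rolebinding
  roleRef:
    kind: Role
    name: che-roles
  subjects:
  - kind: User
    name: ${PROJECT_USER}
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER
"""

# ${NAME} / ${{NAME}} references in objects; "- name:" entries under parameters:.
REF_RE = re.compile(r"\$\{\{?([A-Za-z_][A-Za-z0-9_]*)\}\}?")
DECL_RE = re.compile(r"^- name: ([A-Za-z_][A-Za-z0-9_]*)\s*$", re.M)

def lint_parameters(template):
    """Return declared-but-unused and referenced-but-undeclared parameter names."""
    objects, _, params = template.partition("\nparameters:\n")
    declared = set(DECL_RE.findall(params))
    referenced = set(REF_RE.findall(objects))
    return {"unused": sorted(declared - referenced),
            "undeclared": sorted(referenced - declared)}

def process(template, **values):
    """Return the objects section with declared parameters substituted.
    Undeclared references stay literal, so with the sample above the RoleBinding
    subject would be a user named '${PROJECT_USER}' rather than a real account."""
    objects, _, params = template.partition("\nparameters:\n")
    declared = set(DECL_RE.findall(params))
    return REF_RE.sub(
        lambda m: values.get(m.group(1), m.group(0))
        if m.group(1) in declared else m.group(0),
        objects)
```

Renaming the subject to ${PROJECT_ADMIN_USER} makes the lint report only the unused PROJECT_NAME, which is the state of the template after the fix discussed in this thread.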

@dmytro-ndp
Contributor

@tolusha: do you think it’s possible to verify this PR on an existing OCP cluster by deploying Eclipse Che Next with an operator image built using the codebase of this PR?

Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
@tolusha tolusha requested a review from mkuznyetsov October 29, 2024 16:17
@ibuziuk
Member

ibuziuk commented Oct 29, 2024

@tolusha I have a question about the PROJECT_NAME parameter from the sample in the description. It looks like it is currently not used at all. Also, in the docs there is a reference to PROJECT_ADMIN_USER, and in the template for testing it is PROJECT_USER.

@tolusha
Contributor Author

tolusha commented Oct 30, 2024

PROJECT_NAME is not used right now.
The template is updated to use the PROJECT_ADMIN_USER parameter.

Member

@ibuziuk ibuziuk left a comment

tested on workspaces.openshift.com against rosa 4.17.2 with the following template:

kind: Template
apiVersion: template.openshift.io/v1
metadata:
  name: che-user-namespace-configurator
  namespace: eclipse-che
  uid: 68fa1f1a-9d15-41cd-8cbf-ba491221b915
  resourceVersion: '50502'
  creationTimestamp: '2024-10-30T10:46:36Z'
  labels:
    app.kubernetes.io/component: workspaces-config
    app.kubernetes.io/part-of: che.eclipse.org
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: template.openshift.io/v1
      time: '2024-10-30T11:27:14Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:labels':
            .: {}
            'f:app.kubernetes.io/component': {}
            'f:app.kubernetes.io/part-of': {}
        'f:objects': {}
objects:
  - kind: ConfigMap
    apiVersion: v1
    metadata:
      name: user-cm
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
      annotations:
        controller.devfile.io/mount-as: subpath
        controller.devfile.io/mount-path: /home/user/
    data:
      test-config-map-file: configmap
  - kind: Secret
    apiVersion: v1
    metadata:
      name: user-secret
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
      annotations:
        controller.devfile.io/mount-as: subpath
        controller.devfile.io/mount-path: /home/user/
    stringData:
      test-secret-file: secret
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: user-pvc
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
        controller.devfile.io/mount-to-devworkspace: 'true'
      annotations:
        controller.devfile.io/mount-path: /home/user/user-pvc
        controller.devfile.io/read-only: 'false'
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 5Gi
      volumeMode: Filesystem
  - apiVersion: v1
    kind: LimitRange
    metadata:
      name: cpu-resource-constraint
    spec:
      limits:
        - default:
            cpu: 500m
          defaultRequest:
            cpu: 500m
          max:
            cpu: '1'
          min:
            cpu: 100m
          type: Container
  - apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: my-resource-quota
    spec:
      hard:
        cpu: '10'
        memory: 10Gi
        pods: '10'

The only thing that is important is properly documenting the optional parameters and cross-linking them with the OpenShift docs.

Signed-off-by: Anatolii Bazko <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm label Oct 30, 2024
Signed-off-by: Anatolii Bazko <[email protected]>
@dmytro-ndp
Contributor

dmytro-ndp commented Oct 31, 2024

@tolusha : hello,

Thank you for the test scenario in PR description.

I faced the error message Error: unknown shorthand flag: 'r' in -rYi when executing the first step, Deploy the operator, on Fedora with yq (https://github.com/mikefarah/yq/) version 4.21.1 installed, while logged into the ROSA cluster
(full script output: https://gist.github.com/dmytro-ndp/269e13e18f4d5e0057254c989cfad58a ).

Also, it's not completely clear whether it was necessary to log into Eclipse Che at the step Login as non admin user and start a workspace.
In my case Eclipse Che hadn't been installed into the eclipse-che namespace.
There was also a "deployment-validation-operator" subscription error shown in the openshift-deployment-validation-operator namespace:

error using catalogsource openshift-deployment-validation-operator/deployment-validation-operator-catalog: no registry client established for catalogsource openshift-deployment-validation-operator/deployment-validation-operator-catalog

And I am not sure whether ${PROJECT_ADMIN_USER}, PROJECT_NAME and PROJECT_ADMIN_USER should be replaced with real values in the template when creating it in OpenShift at step 2.

Could you, please, help to sort the errors above out?

@tolusha
Contributor Author

tolusha commented Nov 4, 2024

Hello.

Install yq with the following command:
pip install yq

> Login as non admin user and start a workspace.

Add a new user to OpenShift and log in.

> In my case Eclipse Che hasn't been installed into eclipse-che namespace.

Use the script /build/scripts/olm/test-catalog-from-sources.sh for proper testing.

> PROJECT_NAME, PROJECT_ADMIN_USER should be replaced with real values

No, they shouldn't.

@dmytro-ndp
Contributor

dmytro-ndp commented Nov 4, 2024

@tolusha: thank you for the help.
I have managed to install Eclipse Che on a test OCP 4.17 instance following your answers.
Could you please make sure the test results below don't introduce any regressions?

Test results as non admin user

Test with factory URL https://github.com/che-incubator/quarkus-api-example

After logging into Eclipse Che as a non-admin user, the workspace was created from the factory URL https://github.com/che-incubator/quarkus-api-example successfully, but the oc get template command failed to execute:

$ cat /home/user/test-config-map-file
configmapquarkus-api-example (main) $ cat /home/user/test-secret-file 
secretquarkus-api-example (main) $ oc get template
Error from server (Forbidden): templates.template.openshift.io is forbidden: User "user" cannot list resource "templates" in API group "template.openshift.io" in the namespace "user-devspaces": RBAC: [clusterrole.rbac.authorization.k8s.io "devspaces-user-container-build" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-clusterrole" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-devworkspace-clusterrole" not found]
quarkus-api-example (main) $ ls /home/user/user-pvc -l
total 16
drwxrws---. 2 root user 16384 Nov  4 10:27 lost+found

Screenshot from 2024-11-04 12-43-45

Test Empty Workspace sample

The Empty Workspace started successfully when logged in as a non-admin user, but the oc get template command failed in the workspace terminal:

$ oc get template
Error from server (Forbidden): templates.template.openshift.io is forbidden: User "user" cannot list resource "templates" in API group "template.openshift.io" in the namespace "user-devspaces": RBAC: [clusterrole.rbac.authorization.k8s.io "devspaces-user-container-build" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-clusterrole" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-devworkspace-clusterrole" not found]

Test .NET 5.0 sample

The non-empty .NET 5.0 sample started successfully as a non-admin user, but there was no oc command available in the terminal to run oc get template:

bash-4.4$ cat /home/user/test-config-map-file
configmapbash-4.4$ cat /home/user/test-secret-file 
secretbash-4.4$ oc get template
bash: oc: command not found
bash-4.4$ ls /home/user/user-pvc -l
total 16
drwxrws---. 2 root 1000740000 16384 Nov  4 10:27 lost+found

Test results as admin user

Test with factory URL https://github.com/che-incubator/quarkus-api-example

Workspace started successfully, and there was expected output in the terminal:
Screenshot from 2024-11-04 12-15-35

Test Empty Workspace sample

Starting the Empty Workspace as cluster admin user failed because of: error creating DevWorkspace deployment: Container universal-developer-image has state ImagePullBackOff
Screenshot from 2024-11-04 12-07-07

12:04:10
Failed to pull image "quay.io/devfile/universal-developer-image:ubi8-latest": rpc error: code = Canceled desc = copying layer: context canceled

DevWorkspace.yaml: https://gist.github.com/dmytro-ndp/b9aecb75d1a25d85c7e2424c418cdc90

Second start of Empty Workspace as cluster admin user was successful with expected output in the workspace terminal:

projects $ cat /home/user/test-config-map-file
configmapprojects $ cat /home/user/test-secret-file 
secretprojects $ oc get template
No resources found in admin-devspaces namespace.
projects $ ls /home/user/user-pvc -l
total 16
drwxrws---. 2 root user 16384 Nov  4 10:02 lost+found

Test .NET 5.0 sample

The non-empty .NET 5.0 sample started successfully as cluster admin user, but there was no oc command available in the terminal to run oc get template.

Signed-off-by: Anatolii Bazko <[email protected]>
@dmytro-ndp
Contributor

@tolusha: it's also interesting to know whether it's expected to see workspace route config maps in the eclipse-che namespace.
Screenshot from 2024-11-04 16-01-37

Shouldn't they be created in the user namespaces?

@tolusha
Contributor Author

tolusha commented Nov 4, 2024

> Shouldn't they be created in the user namespaces?

No, they are fine.

@dmytro-ndp
Contributor

dmytro-ndp commented Nov 4, 2024

@tolusha: I have faced the same error message when checking commands in the workspace terminal as a non-admin user in the Eclipse Che redeployed from this PR:

$ cat /home/user/test-config-map-file
configmapprojects $ cat /home/user/test-secret-file 
secretprojects $ oc get template
Error from server (Forbidden): templates.template.openshift.io is forbidden: User "user" cannot list resource "templates" in API group "template.openshift.io" in the namespace "user-devspaces": RBAC: [clusterrole.rbac.authorization.k8s.io "devspaces-user-container-build" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-devworkspace-clusterrole" not found, clusterrole.rbac.authorization.k8s.io "openshift-devspaces-cheworkspaces-clusterrole" not found]
projects $ ls /home/user/user-pvc -l
total 16
drwxrws---. 2 root user 16384 Nov  4 16:55 lost+found

@tolusha tolusha merged commit f71d2e8 into main Nov 5, 2024
20 checks passed
@tolusha tolusha deleted the 23176 branch November 5, 2024 13:38
@devstudio-release

Build 3.18 :: operator_3.x/427: Console, Changes, Git Data

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8084: FAILURE

devspaces-operator : 3.x :: Failed in 65725932 : operator-3.18-17
FAILURE: atomic_reactor.tasks.binary_container_build.BuildProcessError: Build failed (rc=125): Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: Signature for identity registry.access.redhat.com/rhel9-2-els/rhel:9.2 is not accepted; Signature for identity registry.access.redhat.com/rhel9-2-els/rhel:9.2-1362 is not accepted; Signature for identity registry.access.redhat.com/rhel9-2-els/rhel:latest is not accepted; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8085: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65728338 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8089: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65733171 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8090: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65740261 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8091: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65746878 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8092: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65757204 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

@devstudio-release

Build 3.18 :: get-sources-rhpkg-container-build_3.x/8093: FAILURE

devspaces-operator-bundle : 3.x :: Failed in 65761388 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay
