[che-dev] Mounting credentials and configuration in workspace containers

For a few releases now, we have been suggesting the use of Kubernetes secrets to mount config files and credentials in users' workspaces [1].

For example, if I create a Kubernetes secret in my "mario-che" namespace with the following labels:

    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspace-secret

and annotations:

    che.eclipse.org/mount-path: /etc/a_tool/
    che.eclipse.org/mount-as: file

The secret data will be mounted as a file in all my workspace containers in the folder /etc/a_tool/.

This mechanism works with tools configurable via a file or env variable (any tool I guess?).
And the responsibility to persist the sensitive data is delegated to the platform (Kubernetes).
These are two important points that make this mechanism powerful.

The problem is that we are asking Che users to create Kubernetes secrets. That's not ideal.
We want to hide Kubernetes complexity from developers. That's why we have an issue to manage secrets from the UD [2].
But for the time being users will have to manually use kubectl.  

I am sending this out to clarify that the creation of those secrets is a Che user task.
That's not an admin task: users are not supposed to share their credentials with Che administrators, hence we cannot expect administrators to create those secrets.

[1] https://www.eclipse.org/che/docs/che-7/end-user-guide/mounting-a-secret-as-a-file-or-an-environment-variable-into-a-workspace-container/
[2] https://github.com/eclipse/che/issues/17954
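
The secret described in the message above, as an added example that is not part of the original post or of Che's own documentation: a shell function that renders the manifest with the labels and annotations quoted there, reading the credential from a file so it never appears on a command line. The secret name `a-tool-config`, the key `settings.conf` and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example. render_workspace_secret is a hypothetical helper, not a Che tool.
# usage: render_workspace_secret NAMESPACE NAME MOUNT_PATH KEY FILE
render_workspace_secret() {
    ns=$1 name=$2 mount_path=$3 key=$4 file=$5
    # Reject values that could break out of the YAML fields they are placed in.
    for v in "$ns" "$name"; do
        case $v in
            ''|*[!a-z0-9.-]*) echo "invalid namespace or name: $v" >&2; return 1 ;;
        esac
    done
    case $key in
        ''|*[!A-Za-z0-9._-]*) echo "invalid data key: $key" >&2; return 1 ;;
    esac
    case $mount_path in
        /*) ;;
        *) echo "mount path must be absolute" >&2; return 1 ;;
    esac
    case $mount_path in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in mount path" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Encode straight from the file: the credential is never a process argument.
    payload=$(base64 < "$file" | tr -d '\n') || return 1
    # In a secret volume each data key becomes a file name under the mount path.
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspace-secret
  annotations:
    che.eclipse.org/mount-path: $mount_path
    che.eclipse.org/mount-as: file
type: Opaque
data:
  $key: $payload
EOF
}

# Apply it as the workspace owner, in your own namespace (needs kubectl access):
#   render_workspace_secret mario-che a-tool-config /etc/a_tool/ settings.conf \
#       ./settings.conf | kubectl apply -f -
```

Piping the rendered manifest to `kubectl apply -f -` avoids leaving a copy of the encoded credential on disk.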


