Re: [che-dev] Mounting credentials and configuration in workspace containers

Hi Mario,
that sounds logical. Does that also imply that the user should be able to create his own namespace as well,
I mean, if he wants to configure something _before_ creating the first WS?
Because in this case he must know the naming rules of the namespaces (I mean the template), or at least have the available
options listed somewhere.


On Fri, Jan 22, 2021 at 3:40 PM Mario Loriedo <mario.loriedo@xxxxxxxxx> wrote:
For a few releases now, we have been suggesting the use of Kubernetes secrets to mount config files and credentials in users' workspaces [1].

For example, if I create a Kubernetes secret in my "mario-che" namespace with the following labels:

    app.kubernetes.io/component: workspace-secret

and annotations:


The secret data will be mounted as a file in all my workspace containers in folder /etc/a_tool/.

This mechanism works with tools configurable via a file or env variable (any tool I guess?).
And the responsibility to persist the sensitive data is delegated to the platform (Kubernetes).
These are two important points that make this mechanism powerful.

The problem is that we are asking Che users to create Kubernetes secrets. That's not ideal.
We want to hide Kubernetes complexity from developers. That's why we have an issue to manage secrets from the UD [2].
But for the time being users will have to manually use kubectl.  

I am sending this out to clarify that the creation of those secrets is a Che user task.
That's not an admin task: users are not supposed to share their credentials with Che administrators, hence we cannot expect administrators to create those secrets.



_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/che-dev


--
Max Shaposhnyk,

senior software engineer

Red Hat
