Re: [che-dev] Devworkspaces and authentication & authorization

Hello,

I would like to provide an update on where we are with new authentication
& authorization for devworkspaces a.k.a. `nativeUserMode`. All this
applies to DevWorkspace engine only. There are no changes with the
Che-Server workspace engine.

TLDR:
Done on OpenShift. Barely started on Kubernetes.

On OpenShift:
 - all major tasks are done and merged in the main branch, especially
workspace protection [1] [2]
 - nativeUserMode is now enabled by default
 - there is no Keycloak in nativeUserMode
 - It's important to say here that we haven't focused on the update
scenario, so deployments that were first deployed with the che-server
engine and are later reconfigured into DevWorkspace engine, might not
work as expected. If you want a smooth experience with DevWorkspaces,
we recommend a fresh deployment with DevWorkspace engine from the
beginning.
 - there are still minor tweaks and issues here and there [3][4][7],
but we're handling those outside of the main epic

On Kubernetes:
 - I believe the Deploy team has started working on the first task -
deploying Dex as OIDC provider on minikube[5]
 - There is no more `native` single-host with DevWorkspaces. It was
possible before to expose subpath endpoints with Ingresses, but that
does not go well together with nativeUserMode. All subpath endpoints
are now routed with che-gateway
 - Other than that, we haven't really started working on Kubernetes.
There will be a chunk of work needed on the Che-Server part as well as
in Che-Operator. Currently it's tracked under [6], but I think we will
need to split it.


[1] -  [che-auth] - secure workspace subpath endpoints in new auth
gateway #19707  https://github.com/eclipse/che/issues/19707
[2] -  [che-auth] secure workspace services #20190
https://github.com/eclipse/che/issues/20190
[3] -  Unable to request plugins/devfiles without authentication
#20449 https://github.com/eclipse/che/issues/20449
[4] -  [single-host] none existing URLs to workspace should respond
with 404 #20148 https://github.com/eclipse/che/issues/20148
[5] -  [che-auth] Chectl Setup Che7 with Dex instead of Keycloak as
OIDC provider for minikube #19366
https://github.com/eclipse/che/issues/19366
[6] -  [che-auth] Che with Devworkspaces should be able to use Dex as
identity provider on OIDC enabled k8s #20362
https://github.com/eclipse/che/issues/20362
[7] -  main DevWorkspace Endpoint is considered as ready/available
while it's not #20481 https://github.com/eclipse/che/issues/20481

On Wed, Aug 4, 2021 at 2:11 PM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:
>
> Hello
> I would like to uncover some details [1] about the current state of the work
> and share some insights about our plans
>
>
> First of all why we are doing that. There are multiple reasons. Most noticeable is:
> - Use standard protocols and techniques as much as possible.
> - Get rid of Keycloak as a mandatory dependency
> - Have the same identity in all tools. In kubectl, oc, browser.
>
> Where we are?
>   We are at the stage when we are ready [2] to enable it for OpenShift with devworkspaces by default.
>   OpenShift was our first choice because it has OAuth and identities out of the box.
>   I have to admit that workspaces endpoints are not protected yet from outside [3] and inside [4].
>
> What about Kubernetes?
>   There would be some prerequisites for k8s. OIDC has to be enabled [5].
>   That might bring additional complexity on chectl side.
>
> What we are doing now?
>  - Protection from outside [3] is our first priority.
>    It has some dependencies [6] [7] which we hope would be resolved soon.
>
> What is the plan with Che Workspace and Devworkspaces on the same instance?
>
>   At this point, we don't expect them to work together at the same time.
>   Our plan is to provide guidance on how to migrate the configuration from the stopped Che workspace to Devworkspaces. Additionally, we are going to forcibly stop all
>   Che workspaces in case the Devworkspaces engine is turned on.
>
>
>
> [1] Epic Simplify authentication and authorization with a more flexible and lightweight approach https://github.com/eclipse/che/issues/19182
> [2] [che-auth] - enable nativeUserMode by default on openshift with devworkspaces https://github.com/eclipse/che/issues/20203
> [3] [che-auth] - secure workspace subpath endpoints in new auth gateway https://github.com/eclipse/che/issues/19707
> [4] [che-auth] secure workspace services https://github.com/eclipse/che/issues/20190
> [5] https://kubernetes.io/docs/reference/access-authn-authz/authentication
> [6] Enable subpath mode for Che Theia editor in devworkspaces https://github.com/eclipse/che/issues/20180
> [7] Merge DWCO and CO in a single codebase https://github.com/eclipse/che/issues/19408
>
> --
>
> Sergii Kabashniuk
>
> Principal Software Engineer, DevTools
>
> Red Hat
>
> skabashniuk@xxxxxxxxxx
>



-- 
Michal Vala
Senior Software Engineer, Eclipse Che
Red Hat Czech


