diff --git a/.gitignore b/.gitignore index 1f09eee91..75dbeb221 100644 --- a/.gitignore +++ b/.gitignore @@ -121,4 +121,4 @@ bundle/stable/eclipse-che-preview-openshift/generated testbin/setup-envtest.sh -.DS_Store \ No newline at end of file +.DS_Store diff --git a/Dockerfile b/Dockerfile index 8b6cca817..75993b6e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,7 @@ ENV GOPATH=/go/ ENV RESTIC_TAG=v0.12.0 ARG DEV_WORKSPACE_CONTROLLER_VERSION="main" ARG DEV_WORKSPACE_CHE_OPERATOR_VERSION="main" +ARG DEV_HEADER_REWRITE_TRAEFIK_PLUGIN="main" USER root # upstream, download zips for every build @@ -23,7 +24,8 @@ RUN mkdir -p $GOPATH/restic && \ curl -sSLo- https://api.github.com/repos/restic/restic/tarball/${RESTIC_TAG} | tar --strip-components=1 -xz -C $GOPATH/restic && \ cd $GOPATH/restic && go mod vendor && \ curl -sSLo /tmp/asset-devworkspace-operator.zip https://api.github.com/repos/devfile/devworkspace-operator/zipball/${DEV_WORKSPACE_CONTROLLER_VERSION} && \ - curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION} + curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION} && \ + curl -sSLo /tmp/asset-header-rewrite-traefik-plugin.zip https://api.github.com/repos/che-incubator/header-rewrite-traefik-plugin/zipball/${DEV_HEADER_REWRITE_TRAEFIK_PLUGIN} WORKDIR /che-operator # Copy the Go Modules manifests 
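Review bot: `DEV_HEADER_REWRITE_TRAEFIK_PLUGIN` defaults to the mutable ref `main`, and the zipball fetched with it in the next Dockerfile hunk is never checked against a known digest, so each image build can pick up different plugin source. Later hunks of this commit put that source into a ConfigMap and mount it into the Traefik gateway container, where it sets the `Authorization` header, so an unreviewed upstream change would ship without any change in this repository. Pinning the default to a commit, e.g. `ARG DEV_HEADER_REWRITE_TRAEFIK_PLUGIN="<pinned-commit-sha>"`, and verifying the archive with `sha256sum -c` before it is unpacked would make the build reproducible. Adding `-f` to the new `curl -sSLo` line would also fail the build on an HTTP error instead of saving the error body as the zip. The two existing ARGs follow the same `main` pattern.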
@@ -50,6 +52,10 @@ RUN unzip /tmp/asset-devworkspace-che-operator.zip */deploy/deployment/* -d /tmp mkdir -p /tmp/devworkspace-che-operator/templates/ && \ mv /tmp/che-incubator-devworkspace-che-operator-*/deploy /tmp/devworkspace-che-operator/templates/ +RUN unzip /tmp/asset-header-rewrite-traefik-plugin.zip -d /tmp && \ + mkdir -p /tmp/header-rewrite-traefik-plugin && \ + mv /tmp/*-header-rewrite-traefik-plugin-*/headerRewrite.go /tmp/*-header-rewrite-traefik-plugin-*/.traefik.yml /tmp/header-rewrite-traefik-plugin + # Build restic. Needed for backup / restore capabilities RUN cd $GOPATH/restic && \ export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH="amd64"; elif [[ ${ARCH} == "aarch64" ]]; then export ARCH="arm64"; fi && \ @@ -62,6 +68,7 @@ COPY --from=builder /che-operator/che-operator /manager COPY --from=builder /che-operator/templates/*.sh /tmp/ COPY --from=builder /tmp/devworkspace-operator/templates/deploy /tmp/devworkspace-operator/templates COPY --from=builder /tmp/devworkspace-che-operator/templates/deploy /tmp/devworkspace-che-operator/templates +COPY --from=builder /tmp/header-rewrite-traefik-plugin /tmp/header-rewrite-traefik-plugin COPY --from=builder /tmp/restic/restic /usr/local/bin/restic COPY --from=builder /go/restic/LICENSE /usr/local/bin/restic-LICENSE.txt diff --git a/api/v1/checluster_types.go b/api/v1/checluster_types.go index 827df802b..1a531239f 100644 --- a/api/v1/checluster_types.go +++ b/api/v1/checluster_types.go 
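Review bot: The new `unzip /tmp/asset-header-rewrite-traefik-plugin.zip -d /tmp` extracts the whole archive, while the `RUN unzip` shown just above it limits extraction to `*/deploy/deployment/*`, and only two files are used afterwards. Restricting it, e.g. `unzip /tmp/asset-header-rewrite-traefik-plugin.zip '*/headerRewrite.go' '*/.traefik.yml' -d /tmp`, keeps the rest of the downloaded archive out of the builder's `/tmp`, which the following `mv` addresses by glob.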
@@ -475,8 +475,7 @@ type CheClusterSpecAuth struct { // See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy] // +optional GatewayAuthorizationSidecarImage string `json:"gatewayAuthorizationSidecarImage,omitempty"` - // Header Rewrite Proxy sidecar image is used to properly set authorization header. - // See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy] + // Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin. GatewayHeaderRewriteSidecarImage string `json:"gatewayHeaderRewriteSidecarImage,omitempty"` } diff --git a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml index 81b4d124e..92fd81cc3 100644 --- a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml @@ -83,7 +83,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-kubernetes.v7.34.0-265.nightly + name: eclipse-che-preview-kubernetes.v7.34.0-266.nightly namespace: placeholder spec: apiservicedefinitions: {} 
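Review bot: The new comment on `GatewayHeaderRewriteSidecarImage` calls the field a "flag" and writes `Deprecated.` with a period, whereas Go tooling recognises only a paragraph that starts with `Deprecated:`. Suggested wording: `// Deprecated: the value of this field is ignored. The sidecar's functionality is now implemented in a Traefik plugin.` A CheCluster that still sets a custom sidecar image is now silently ignored, so an operator log line for a non-empty value (which would live outside this hunk) would help administrators who had pinned their own image. The same description is copied into the CRD YAML hunks of this commit.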
@@ -911,6 +911,8 @@ spec: value: quay.io/eclipse/che-jwtproxy:0.10.0 - name: RELATED_IMAGE_single_host_gateway value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23 + - name: RELATED_IMAGE_single_host_gateway_native_user_mode + value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e - name: RELATED_IMAGE_single_host_gateway_config_sidecar value: quay.io/che-incubator/configbump:0.1.4 - name: RELATED_IMAGE_devworkspace_che_operator @@ -1217,4 +1219,4 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.34.0-265.nightly + version: 7.34.0-266.nightly diff --git a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml index a39eab731..d19104c9e 100644 --- a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml +++ b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml @@ -52,7 +52,7 @@ spec: description: Gateway sidecar responsible for authorization when NativeUserMode is enabled. See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy] type: string gatewayHeaderRewriteSidecarImage: - description: Header Rewrite Proxy sidecar image is used to properly set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy] + description: Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin. type: string identityProviderAdminUserName: description: Overrides the name of the Identity Provider administrator user. Defaults to `admin`. 
diff --git a/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml index 3def23fda..81749e2e6 100644 --- a/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml @@ -74,7 +74,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-openshift.v7.34.0-265.nightly + name: eclipse-che-preview-openshift.v7.34.0-266.nightly namespace: placeholder spec: apiservicedefinitions: {} @@ -1043,6 +1043,8 @@ spec: value: quay.io/eclipse/che-jwtproxy:0.10.0 - name: RELATED_IMAGE_single_host_gateway value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23 + - name: RELATED_IMAGE_single_host_gateway_native_user_mode + value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e - name: RELATED_IMAGE_single_host_gateway_config_sidecar value: quay.io/che-incubator/configbump:0.1.4 - name: RELATED_IMAGE_devworkspace_che_operator @@ -1360,4 +1362,4 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.34.0-265.nightly + version: 7.34.0-266.nightly diff --git a/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml b/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml index 4664f5a37..f91f9ed4c 100644 --- a/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml +++ b/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml 
@@ -75,8 +75,8 @@ spec: or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy] type: string gatewayHeaderRewriteSidecarImage: - description: Header Rewrite Proxy sidecar image is used to properly - set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy] + description: Deprecated. The value of this flag is ignored. + Sidecar functionality is now implemented in Traefik plugin. type: string identityProviderAdminUserName: description: Overrides the name of the Identity Provider administrator diff --git a/config/crd/bases/org_v1_che_crd-v1beta1.yaml b/config/crd/bases/org_v1_che_crd-v1beta1.yaml index f1a944eaa..ff8cb8e32 100644 --- a/config/crd/bases/org_v1_che_crd-v1beta1.yaml +++ b/config/crd/bases/org_v1_che_crd-v1beta1.yaml @@ -71,8 +71,8 @@ spec: or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy] type: string gatewayHeaderRewriteSidecarImage: - description: Header Rewrite Proxy sidecar image is used to properly - set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy] + description: Deprecated. The value of this flag is ignored. Sidecar + functionality is now implemented in Traefik plugin. type: string identityProviderAdminUserName: description: Overrides the name of the Identity Provider administrator diff --git a/config/crd/bases/org_v1_che_crd.yaml b/config/crd/bases/org_v1_che_crd.yaml index bfa487aa4..e44213b24 100644 --- a/config/crd/bases/org_v1_che_crd.yaml +++ b/config/crd/bases/org_v1_che_crd.yaml 
@@ -75,8 +75,8 @@ spec: or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy] type: string gatewayHeaderRewriteSidecarImage: - description: Header Rewrite Proxy sidecar image is used to properly - set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy] + description: Deprecated. The value of this flag is ignored. + Sidecar functionality is now implemented in Traefik plugin. type: string identityProviderAdminUserName: description: Overrides the name of the Identity Provider administrator diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 68f3a0660..d280dbac1 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -71,6 +71,8 @@ spec: value: quay.io/eclipse/che-jwtproxy:0.10.0 - name: RELATED_IMAGE_single_host_gateway value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23 + - name: RELATED_IMAGE_single_host_gateway_native_user_mode + value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e - name: RELATED_IMAGE_single_host_gateway_config_sidecar value: quay.io/che-incubator/configbump:0.1.4 - name: RELATED_IMAGE_devworkspace_che_operator diff --git a/pkg/deploy/defaults.go b/pkg/deploy/defaults.go index fe4d18448..3b31be140 100644 --- a/pkg/deploy/defaults.go +++ b/pkg/deploy/defaults.go 
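Review bot: `RELATED_IMAGE_single_host_gateway_native_user_mode` in `config/manager/manager.yaml` references the Traefik image by tag (`v2.5.0-rc2-…`), and the hex suffix is part of the tag name rather than a digest the registry enforces, so the tag can be re-pushed. The gateway container in `gateway.go` is created with `ImagePullPolicy: corev1.PullAlways`, so a re-pushed tag would be picked up on the next pod start. A digest reference of the form `quay.io/eclipse/che--traefik@sha256:<digest>` would pin the release-candidate image used as the gateway in native user mode. The same value appears in the two bundle CSV hunks.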
@@ -27,23 +27,24 @@ import ( ) var ( - defaultCheServerImage string - defaultCheVersion string - defaultDashboardImage string - defaultDevworkspaceCheOperatorImage string - defaultDevworkspaceControllerImage string - defaultPluginRegistryImage string - defaultDevfileRegistryImage string - defaultCheTLSSecretsCreationJobImage string - defaultPvcJobsImage string - defaultPostgresImage string - defaultKeycloakImage string - defaultSingleHostGatewayImage string - defaultSingleHostGatewayConfigSidecarImage string - defaultInternalRestBackupServerImage string - defaultGatewayAuthenticationSidecarImage string - defaultGatewayAuthorizationSidecarImage string - defaultGatewayHeaderProxySidecarImage string + defaultCheServerImage string + defaultCheVersion string + defaultDashboardImage string + defaultDevworkspaceCheOperatorImage string + defaultDevworkspaceControllerImage string + defaultPluginRegistryImage string + defaultDevfileRegistryImage string + defaultCheTLSSecretsCreationJobImage string + defaultPvcJobsImage string + defaultPostgresImage string + defaultKeycloakImage string + defaultSingleHostGatewayImage string + defaultSingleHostGatewayImageNativeUserMode string + defaultSingleHostGatewayConfigSidecarImage string + defaultInternalRestBackupServerImage string + defaultGatewayAuthenticationSidecarImage string + defaultGatewayAuthorizationSidecarImage string + defaultGatewayHeaderProxySidecarImage string defaultCheWorkspacePluginBrokerMetadataImage string defaultCheWorkspacePluginBrokerArtifactsImage string 
@@ -183,6 +184,7 @@ func InitDefaultsFromFile(defaultsPath string) { defaultPostgresImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres")) defaultKeycloakImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak")) defaultSingleHostGatewayImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway")) + defaultSingleHostGatewayImageNativeUserMode = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode")) defaultSingleHostGatewayConfigSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar")) defaultGatewayAuthenticationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar")) defaultGatewayAuthorizationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authorization_sidecar")) 
@@ -329,7 +331,15 @@ func DefaultCheServerSecureExposerJwtProxyImage(cr *orgv1.CheCluster) string { } func DefaultSingleHostGatewayImage(cr *orgv1.CheCluster) string { - return patchDefaultImageName(cr, defaultSingleHostGatewayImage) + // `nativeUserMode` uses Traefik local plugins, which is supported from version 2.5 that is + // currently in Release Candidate. As we don't want to use RC version in our stable release, + // we're using 2 images now. As soon as Traefik 2.5 stable will be releases, we will remove + // `defaultSingleHostGatewayImageNativeUserMode` and use single image again. + if util.IsNativeUserModeEnabled(cr) { + return patchDefaultImageName(cr, defaultSingleHostGatewayImageNativeUserMode) + } else { + return patchDefaultImageName(cr, defaultSingleHostGatewayImage) + } } func DefaultSingleHostGatewayConfigSidecarImage(cr *orgv1.CheCluster) string { @@ -455,6 +465,7 @@ func InitDefaultsFromEnv() { defaultPostgresImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres")) defaultKeycloakImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak")) defaultSingleHostGatewayImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway")) + defaultSingleHostGatewayImageNativeUserMode = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode")) defaultSingleHostGatewayConfigSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar")) defaultInternalRestBackupServerImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_internal_rest_backup_server")) defaultGatewayAuthenticationSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar")) diff --git a/pkg/deploy/gateway/gateway.go b/pkg/deploy/gateway/gateway.go index 462309e38..85b4208d9 100644 --- a/pkg/deploy/gateway/gateway.go 
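Review bot: `DefaultSingleHostGatewayImage` returns `patchDefaultImageName(cr, defaultSingleHostGatewayImageNativeUserMode)` without checking that the new default is set, so if `RELATED_IMAGE_single_host_gateway_native_user_mode` is missing from the operator environment the native-user-mode gateway presumably gets an empty or invalid image (what `getDefaultFromEnv` does with an unset variable is not visible here). Failing at startup with a clear message when the variable is empty would make that case explicit. On style, the `else` after a returning `if` can be dropped, and "will be releases" in the comment should read "is released".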
+++ b/pkg/deploy/gateway/gateway.go @@ -15,6 +15,7 @@ import ( "context" "encoding/base64" "fmt" + "io/ioutil" "strconv" "github.com/sirupsen/logrus" @@ -93,8 +94,11 @@ func syncAll(deployContext *deploy.DeployContext) error { return err } - headerRewriteProxyConfig := getGatewayHeaderRewriteProxyConfigSpec(instance) - if _, err := deploy.Sync(deployContext, &headerRewriteProxyConfig, configMapDiffOpts); err != nil { + if headerRewritePluginConfig, err := getGatewayHeaderRewritePluginConfigSpec(instance); err == nil { + if _, err := deploy.Sync(deployContext, headerRewritePluginConfig, configMapDiffOpts); err != nil { + return err + } + } else { return err } } @@ -241,6 +245,7 @@ func delete(clusterAPI deploy.ClusterAPI, obj metav1.Object) error { // new configuration for workspaces, so the name should not resemble any of the names created by the Che server. func GetGatewayRouteConfig(deployContext *deploy.DeployContext, component string, serviceName string, pathPrefix string, priority int, internalUrl string, stripPrefix bool) corev1.ConfigMap { pathRewrite := pathPrefix != "/" && stripPrefix + nativeUser := util.IsNativeUserModeEnabled(deployContext.CheCluster) data := `--- http: @@ -248,11 +253,16 @@ http: ` + serviceName + `: rule: "PathPrefix(` + "`" + pathPrefix + "`" + `)" service: ` + serviceName + ` - priority: ` + strconv.Itoa(priority) + priority: ` + strconv.Itoa(priority) + ` + middlewares: ` + + if nativeUser { + data += ` + - "` + serviceName + `-header"` + } if pathRewrite { data += ` - middlewares: - "` + serviceName + `"` } @@ -261,11 +271,20 @@ http: ` + serviceName + `: loadBalancer: servers: - - url: '` + internalUrl + `'` + - url: '` + internalUrl + `' + middlewares:` + if nativeUser { + data += ` + ` + serviceName + `-header: + plugin: + header-rewrite: + from: X-Forwarded-Access-Token + to: Authorization + prefix: 'Bearer '` + } if pathRewrite { data += ` - middlewares: ` + serviceName + `: stripPrefix: prefixes: 
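Review bot: The new `if headerRewritePluginConfig, err := …; err == nil { … } else { return err }` in `syncAll` puts the success path inside the `if` and the error return in a trailing `else`. Writing `headerRewritePluginConfig, err := getGatewayHeaderRewritePluginConfigSpec(instance)` followed by `if err != nil { return err }` and then the `deploy.Sync` call keeps the happy path left-aligned and avoids shadowing `err` in the nested `if`. `syncAll` starts and ends outside this hunk.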
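Review bot: `GetGatewayRouteConfig` now writes `middlewares:` unconditionally, both under the router (after `priority:`) and at the `http` level (after the `servers` entry in the following hunk), so when neither `nativeUser` nor `pathRewrite` is set the generated YAML carries two keys with a null value where the old code omitted them. Whether Traefik's file provider accepts that is not shown here; emitting each `middlewares:` line only inside `if nativeUser || pathRewrite { … }` keeps the previous output for plain routes. The document is still assembled by concatenating `serviceName`, `pathPrefix` and `internalUrl` into YAML, so those values have to come from trusted callers, now that the result also decides which routes get the `Authorization` rewrite. The function body continues outside these hunks.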
@@ -408,45 +427,43 @@ func generateRandomCookieSecret() []byte { return []byte(base64.StdEncoding.EncodeToString([]byte(util.GeneratePasswd(16)))) } -func getGatewayHeaderRewriteProxyConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap { - return corev1.ConfigMap{ +func getGatewayHeaderRewritePluginConfigSpec(instance *orgv1.CheCluster) (*corev1.ConfigMap, error) { + headerRewrite, err := ioutil.ReadFile("/tmp/header-rewrite-traefik-plugin/headerRewrite.go") + if err != nil { + if !util.IsTestMode() { + return nil, err + } + } + pluginMeta, err := ioutil.ReadFile("/tmp/header-rewrite-traefik-plugin/.traefik.yml") + if err != nil { + if !util.IsTestMode() { + return nil, err + } + } + + return &corev1.ConfigMap{ TypeMeta: metav1.TypeMeta{ APIVersion: corev1.SchemeGroupVersion.String(), Kind: "ConfigMap", }, ObjectMeta: metav1.ObjectMeta{ - Name: "che-gateway-config-header-rewrite-proxy", + Name: "che-gateway-config-header-rewrite-traefik-plugin", Namespace: instance.Namespace, Labels: deploy.GetLabels(instance, GatewayServiceName), }, Data: map[string]string{ - "rules.yaml": ` -rules: -- from: X-Forwarded-Access-Token - to: Authorization - prefix: 'Bearer ' -`, + "headerRewrite.go": string(headerRewrite), + ".traefik.yml": string(pluginMeta), }, - } + }, nil } func getGatewayTraefikConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap { traefikPort := 8080 if util.IsNativeUserModeEnabled(instance) { - traefikPort = 8088 + traefikPort = 8081 } - return corev1.ConfigMap{ - TypeMeta: metav1.TypeMeta{ - APIVersion: corev1.SchemeGroupVersion.String(), - Kind: "ConfigMap", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "che-gateway-config", - Namespace: instance.Namespace, - Labels: deploy.GetLabels(instance, GatewayServiceName), - }, - Data: map[string]string{ - "traefik.yml": fmt.Sprintf(` + data := fmt.Sprintf(` entrypoints: http: address: ":%d" 
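Review bot: In native user mode Traefik now listens on 8081, and the `entrypoints` template in `getGatewayTraefikConfigSpec` renders that as `address: ":%d"`, i.e. on every interface of the pod, whereas the `header-rewrite-proxy` container removed later in this commit held that port with `--bind=127.0.0.1:8081`. The previous 8088 entrypoint was rendered the same way, so the exposure is not new, but a client that can reach the pod IP on that port would presumably skip the authentication sidecar and could supply `X-Forwarded-Access-Token` itself unless something outside this diff (Service ports, NetworkPolicy) prevents it. If only the sidecars in the pod are meant to reach Traefik in this mode, render `address: "127.0.0.1:%d"` when `util.IsNativeUserModeEnabled(instance)` is true. Separately, the nested checks in `getGatewayHeaderRewritePluginConfigSpec` can be collapsed to `if err != nil && !util.IsTestMode() { return nil, err }`.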
@@ -464,7 +481,28 @@ providers: directory: "/dynamic-config" watch: true log: - level: "INFO"`, traefikPort), + level: "INFO"`, traefikPort) + + if util.IsNativeUserModeEnabled(instance) { + data += ` +experimental: + localPlugins: + header-rewrite: + moduleName: github.com/che-incubator/header-rewrite-traefik-plugin` + } + + return corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: corev1.SchemeGroupVersion.String(), + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "che-gateway-config", + Namespace: instance.Namespace, + Labels: deploy.GetLabels(instance, GatewayServiceName), + }, + Data: map[string]string{ + "traefik.yml": data, }, } } @@ -513,7 +551,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { configSidecarImage := util.GetValue(instance.Spec.Server.SingleHostGatewayConfigSidecarImage, deploy.DefaultSingleHostGatewayConfigSidecarImage(instance)) authnImage := util.GetValue(instance.Spec.Auth.GatewayAuthenticationSidecarImage, deploy.DefaultGatewayAuthenticationSidecarImage(instance)) authzImage := util.GetValue(instance.Spec.Auth.GatewayAuthorizationSidecarImage, deploy.DefaultGatewayAuthorizationSidecarImage(instance)) - headerProxyImage := util.GetValue(instance.Spec.Auth.GatewayHeaderRewriteSidecarImage, deploy.DefaultGatewayHeaderProxySidecarImage(instance)) configLabels := labels.FormatLabels(configLabelsMap) containers := []corev1.Container{ @@ -521,16 +558,7 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { Name: "gateway", Image: gatewayImage, ImagePullPolicy: corev1.PullAlways, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "static-config", - MountPath: "/etc/traefik", - }, - { - Name: "dynamic-config", - MountPath: "/dynamic-config", - }, - }, + VolumeMounts: getTraefikContainerVolumeMounts(instance), }, { Name: "configbump", 
@@ -583,18 +611,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { {ContainerPort: 8080}, }, }, - corev1.Container{ - Name: "header-rewrite-proxy", - Image: headerProxyImage, - ImagePullPolicy: corev1.PullAlways, - Args: []string{"--upstream=http://127.0.0.1:8088", "--bind=127.0.0.1:8081", "--rules=/etc/rules/rules.yaml"}, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "header-rewrite-proxy-rules", - MountPath: "/etc/rules", - }, - }, - }, corev1.Container{ Name: "kube-rbac-proxy", Image: authzImage, @@ -603,7 +619,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { "--insecure-listen-address=127.0.0.1:8089", "--upstream=http://127.0.0.1:8090/ping", "--logtostderr=true", - "--v=10", }, }) } @@ -611,6 +626,27 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { return containers } +func getTraefikContainerVolumeMounts(instance *orgv1.CheCluster) []corev1.VolumeMount { + mounts := []corev1.VolumeMount{ + { + Name: "static-config", + MountPath: "/etc/traefik", + }, + { + Name: "dynamic-config", + MountPath: "/dynamic-config", + }, + } + if util.IsNativeUserModeEnabled(instance) { + mounts = append(mounts, corev1.VolumeMount{ + Name: "header-rewrite-traefik-plugin", + MountPath: "/plugins-local/src/github.com/che-incubator/header-rewrite-traefik-plugin", + }) + } + + return mounts +} + func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume { volumes := []corev1.Volume{ { @@ -644,11 +680,11 @@ func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume { }) volumes = append(volumes, corev1.Volume{ - Name: "header-rewrite-proxy-rules", + Name: "header-rewrite-traefik-plugin", VolumeSource: corev1.VolumeSource{ ConfigMap: &corev1.ConfigMapVolumeSource{ LocalObjectReference: corev1.LocalObjectReference{ - Name: "che-gateway-config-header-rewrite-proxy", + Name: "che-gateway-config-header-rewrite-traefik-plugin", }, }, }, 
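Review bot: `getTraefikContainerVolumeMounts` mounts the volume `header-rewrite-traefik-plugin` at `/plugins-local/src/github.com/che-incubator/header-rewrite-traefik-plugin`, and the following hunk backs that volume with the ConfigMap `che-gateway-config-header-rewrite-traefik-plugin`, so the ConfigMap now holds Go source that Traefik loads as a plugin rather than the header rules the old `rules.yaml` held. Write access to ConfigMaps in the Che namespace therefore becomes the ability to change code that handles users' access tokens. That deserves a comment on this function and a check that RBAC in the namespace does not grant ConfigMap edit more widely than intended. Whether the operator's reconcile reverts manual edits depends on `deploy.Sync`, which is not visible here.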
diff --git a/pkg/deploy/gateway/gateway_test.go b/pkg/deploy/gateway/gateway_test.go index 13283cbce..aa348513c 100644 --- a/pkg/deploy/gateway/gateway_test.go +++ b/pkg/deploy/gateway/gateway_test.go @@ -102,8 +102,16 @@ func TestNativeUserGateway(t *testing.T) { t.Fatalf("Failed to get deployment: %v", err) } - if len(deployment.Spec.Template.Spec.Containers) != 5 { - t.Fatalf("With native user mode, there should be 5 containers in the gateway.. But it has '%d' containers.", len(deployment.Spec.Template.Spec.Containers)) + if len(deployment.Spec.Template.Spec.Containers) != 4 { + t.Fatalf("With native user mode, there should be 4 containers in the gateway.. But it has '%d' containers.", len(deployment.Spec.Template.Spec.Containers)) + } + + for _, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "gateway" { + if len(c.VolumeMounts) != 3 { + t.Fatalf("gateway container should have 3 mounts, but it has '%d' ... \n%+v", len(c.VolumeMounts), c.VolumeMounts) + } + } } service := &corev1.Service{}
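Review bot: `TestNativeUserGateway` only counts containers and mounts, so it would still pass if the third mount were something other than the plugin source or if it pointed at the wrong path. Asserting the mount by name and path ties the test to what Traefik needs in order to load the plugin, and an early `continue` removes the nested `if` in the loop. The test function starts and ends outside this hunk.

```go
// … unchanged: deployment lookup and container count check …
foundPluginMount := false
for _, c := range deployment.Spec.Template.Spec.Containers {
	if c.Name != "gateway" {
		continue
	}
	for _, m := range c.VolumeMounts {
		if m.Name == "header-rewrite-traefik-plugin" &&
			m.MountPath == "/plugins-local/src/github.com/che-incubator/header-rewrite-traefik-plugin" {
			foundPluginMount = true
		}
	}
}
if !foundPluginMount {
	t.Fatal("gateway container should mount the header-rewrite-traefik-plugin volume at the plugins-local path")
}
```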