diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go
index 61ace034b..400f5deb1 100644
--- a/api/v2/checluster_types.go
+++ b/api/v2/checluster_types.go
@@ -387,6 +387,14 @@ type Auth struct {
 // This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
 // +optional
 OAuthScope string `json:"oAuthScope,omitempty"`
+ // Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+ // 0 means tokens for this client never time out.
+ // +optional
+ OAuthAccessTokenInactivityTimeoutSeconds *int32 `json:"oAuthAccessTokenInactivityTimeoutSeconds,omitempty"`
+ // Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+ // 0 means no expiration.
+ // +optional
+ OAuthAccessTokenMaxAgeSeconds *int32 `json:"oAuthAccessTokenMaxAgeSeconds,omitempty"`
 // Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
 // Default value is `id_token`.
 // This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go
index 5c005f82f..b4bb521d2 100644
--- a/api/v2/zz_generated.deepcopy.go
+++ b/api/v2/zz_generated.deepcopy.go
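Review bot: The doc comments on the two new `Auth` fields never say what an omitted value does, and for a token-lifetime knob the unset-vs-zero distinction is the security-relevant part: with `*int32` and `omitempty`, leaving the field out leaves the `OAuthClient` field unset so the OAuth server's configured default presumably applies, whereas an explicit `0` disables the timeout (or expiry) for this client. I would add `// Unset: the cluster-wide default from the OAuth server configuration applies.` under each field, and, mirroring the neighbouring `OAuthScope` comment, state that both fields are OpenShift-only and ignored on Kubernetes. As far as I recall, OpenShift's `OAuthClient` validation also rejects an inactivity timeout between 1 and 299 seconds (the minimum is 300), so a `// +kubebuilder:validation:Minimum=0` marker plus a sentence about the minimum in the comment would catch bad values at `kubectl apply` time instead of as a reconcile error from the API server. The `Auth` struct starts and ends outside the hunk.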
@@ -25,6 +25,16 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Auth) DeepCopyInto(out *Auth) { *out = *in + if in.OAuthAccessTokenInactivityTimeoutSeconds != nil { + in, out := &in.OAuthAccessTokenInactivityTimeoutSeconds, &out.OAuthAccessTokenInactivityTimeoutSeconds + *out = new(int32) + **out = **in + } + if in.OAuthAccessTokenMaxAgeSeconds != nil { + in, out := &in.OAuthAccessTokenMaxAgeSeconds, &out.OAuthAccessTokenMaxAgeSeconds + *out = new(int32) + **out = **in + } in.Gateway.DeepCopyInto(&out.Gateway) } diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml index dd5b3e12d..0892b296b 100644 --- a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml @@ -76,7 +76,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-openshift.v7.50.0-618.next + name: eclipse-che-preview-openshift.v7.50.0-620.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1387,7 +1387,7 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.50.0-618.next + version: 7.50.0-620.next webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml index 594ceeba0..1148e4dbd 100644 --- a/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml +++ b/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml 
@@ -5408,6 +5408,19 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the + OpenShift `OAuthClient` resource used to set up identity + federation on the OpenShift side. 0 means tokens for this + client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the + OpenShift `OAuthClient` resource used to set up identity + federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml index 6fafcf5e9..73a23d391 100644 --- a/config/crd/bases/org.eclipse.che_checlusters.yaml +++ b/config/crd/bases/org.eclipse.che_checlusters.yaml @@ -5252,6 +5252,19 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift + `OAuthClient` resource used to set up identity federation + on the OpenShift side. 0 means tokens for this client never + time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the + OpenShift `OAuthClient` resource used to set up identity + federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index 06fa29905..58d6b7d0c 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml 
@@ -3526,6 +3526,14 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. type: string diff --git a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 71364eeb7..8f9fdec6f 100644 --- a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -3521,6 +3521,14 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. type: string 
diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index 04466dacb..2523026bd 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml @@ -3526,6 +3526,14 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. type: string diff --git a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index d6244e2e3..9557d3430 100644 --- a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml 
@@ -3521,6 +3521,14 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. type: string diff --git a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 71364eeb7..8f9fdec6f 100644 --- a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -3521,6 +3521,14 @@ spec: - id_token - access_token type: string + oAuthAccessTokenInactivityTimeoutSeconds: + description: Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out. + format: int32 + type: integer + oAuthAccessTokenMaxAgeSeconds: + description: Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. 0 means no expiration. + format: int32 + type: integer oAuthClientName: description: Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side. type: string 
diff --git a/pkg/deploy/identity-provider/identity_provider_reconciler.go b/pkg/deploy/identity-provider/identity_provider_reconciler.go
index ac14d289a..f49ec5802 100644
--- a/pkg/deploy/identity-provider/identity_provider_reconciler.go
+++ b/pkg/deploy/identity-provider/identity_provider_reconciler.go
@@ -99,7 +99,12 @@ func syncOAuthClient(ctx *chetypes.DeployContext) (bool, error) {
 oauthClientName = utils.GetValue(oauthClientName, ctx.CheCluster.Name+"-openshift-identity-provider-"+strings.ToLower(utils.GeneratePassword(6)))
 redirectURIs := []string{"https://" + ctx.CheHost + "/oauth/callback"}
- oauthClientSpec := GetOAuthClientSpec(oauthClientName, oauthSecret, redirectURIs)
+ oauthClientSpec := GetOAuthClientSpec(
+ oauthClientName,
+ oauthSecret,
+ redirectURIs,
+ ctx.CheCluster.Spec.Networking.Auth.OAuthAccessTokenInactivityTimeoutSeconds,
+ ctx.CheCluster.Spec.Networking.Auth.OAuthAccessTokenMaxAgeSeconds)
 done, err := deploy.Sync(ctx, oauthClientSpec, oAuthClientDiffOpts)
 if !done {
 return false, err
diff --git a/pkg/deploy/identity-provider/identity_provider_reconciler_test.go b/pkg/deploy/identity-provider/identity_provider_reconciler_test.go
index 1f4bb3779..524e0ec2f 100644
--- a/pkg/deploy/identity-provider/identity_provider_reconciler_test.go
+++ b/pkg/deploy/identity-provider/identity_provider_reconciler_test.go
@@ -15,6 +15,8 @@ import (
 "os"
 "testing"
+ "k8s.io/utils/pointer"
+
 chev2 "github.com/eclipse-che/che-operator/api/v2"
 "github.com/eclipse-che/che-operator/pkg/common/test"
 oauthv1 "github.com/openshift/api/oauth/v1"
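Review bot: Whether the two new fields actually reach an already-existing `OAuthClient` depends on `oAuthClientDiffOpts`, which is handed to `deploy.Sync` on the line after the new call but is not in the hunk; if those options limit the comparison to the fields that existed before (secret, redirect URIs, grant method), editing `oAuthAccessTokenInactivityTimeoutSeconds` on a running CheCluster would never update the client, and the new test, which starts from an empty fake cluster, would not notice. Worth confirming that `AccessTokenInactivityTimeoutSeconds` and `AccessTokenMaxAgeSeconds` are part of the diff, and adding a case to `TestSyncExistedOAuthClient` that pre-creates a client without them and asserts they are set after `syncOAuthClient`. The same check should cover the reverse direction: dropping the field from the spec passes nil here and should clear the stale timeout on the cluster object so the server default applies again. `syncOAuthClient` starts and ends outside the hunk.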
@@ -27,9 +29,9 @@ import (
 )
 func TestFinalize(t *testing.T) {
- oauthClient1 := GetOAuthClientSpec("test1", "secret", []string{"https://che-host/oauth/callback"})
- oauthClient2 := GetOAuthClientSpec("test2", "secret", []string{"https://che-host/oauth/callback"})
- oauthClient3 := GetOAuthClientSpec("test3", "secret", []string{"https://che-host/oauth/callback"})
+ oauthClient1 := GetOAuthClientSpec("test1", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
+ oauthClient2 := GetOAuthClientSpec("test2", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
+ oauthClient3 := GetOAuthClientSpec("test3", "secret", []string{"https://che-host/oauth/callback"}, nil, nil)
 oauthClient3.ObjectMeta.Labels = map[string]string{}
 checluster := &chev2.CheCluster{
@@ -55,7 +57,7 @@ func TestFinalize(t *testing.T) {
 assert.Equal(t, 0, len(checluster.Finalizers))
 }
-func TestSyncOAuthClientGenerateSecret(t *testing.T) {
+func TestSyncOAuthClientShouldSyncTokenTimeout(t *testing.T) {
 checluster := &chev2.CheCluster{
 ObjectMeta: metav1.ObjectMeta{
 Name: "eclipse-che",
@@ -64,7 +66,8 @@ func TestSyncOAuthClientGenerateSecret(t *testing.T) {
 Spec: chev2.CheClusterSpec{
 Networking: chev2.CheClusterSpecNetworking{
 Auth: chev2.Auth{
- OAuthClientName: "name",
+ OAuthAccessTokenInactivityTimeoutSeconds: pointer.Int32Ptr(10),
+ OAuthAccessTokenMaxAgeSeconds: pointer.Int32Ptr(20),
 },
 },
 },
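Review bot: The fixture in the `Spec` hunk sets `pointer.Int32Ptr(10)` as the inactivity timeout, and to my recollection a real OpenShift API server rejects any `accessTokenInactivityTimeoutSeconds` other than 0 that is below 300, so this value only passes because the fake client performs no validation, and the test then documents a configuration that would fail in a cluster. I would use values that are valid on OpenShift so the test doubles as an example: `OAuthAccessTokenInactivityTimeoutSeconds: pointer.Int32Ptr(300),` and `OAuthAccessTokenMaxAgeSeconds: pointer.Int32Ptr(3600),`, with the two `assert.Equal` expectations updated to match. The enclosing test function continues past the hunk.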
@@ -74,13 +77,11 @@ func TestSyncOAuthClientGenerateSecret(t *testing.T) {
 done, err := syncOAuthClient(ctx)
 assert.True(t, done)
 assert.Nil(t, err)
- assert.Empty(t, checluster.Spec.Networking.Auth.OAuthSecret)
 oauthClients, err := FindAllEclipseCheOAuthClients(ctx)
 assert.Nil(t, err)
- assert.Equal(t, 1, len(oauthClients))
- assert.Equal(t, "name", oauthClients[0].Name)
- assert.NotEmpty(t, oauthClients[0].Secret)
+ assert.Equal(t, int32(10), *oauthClients[0].AccessTokenInactivityTimeoutSeconds)
+ assert.Equal(t, int32(20), *oauthClients[0].AccessTokenMaxAgeSeconds)
 }
 func TestSyncOAuthClient(t *testing.T) {
@@ -178,7 +179,7 @@ func TestSyncOAuthClient(t *testing.T) {
 }
 func TestSyncExistedOAuthClient(t *testing.T) {
- oauthClient := GetOAuthClientSpec("test", "secret", []string{})
+ oauthClient := GetOAuthClientSpec("test", "secret", []string{}, nil, nil)
 type testCase struct {
 name string
diff --git a/pkg/deploy/identity-provider/identity_provider_util.go b/pkg/deploy/identity-provider/identity_provider_util.go
index b03704efa..cc1b0d5c0 100644
--- a/pkg/deploy/identity-provider/identity_provider_util.go
+++ b/pkg/deploy/identity-provider/identity_provider_util.go
@@ -23,7 +23,12 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
-func GetOAuthClientSpec(name string, oauthSecret string, redirectURIs []string) *oauth.OAuthClient {
+func GetOAuthClientSpec(
+ name string,
+ secret string,
+ redirectURIs []string,
+ accessTokenInactivityTimeoutSeconds *int32,
+ accessTokenMaxAgeSeconds *int32) *oauth.OAuthClient {
 return &oauth.OAuthClient{
 TypeMeta: metav1.TypeMeta{
 Kind: "OAuthClient",
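Review bot: Repurposing `TestSyncOAuthClientGenerateSecret` deletes the only assertions covering the security-relevant behaviour of `syncOAuthClient`: that a client secret is generated (`assert.NotEmpty(t, oauthClients[0].Secret)`) and that it is not written back into the CR (`assert.Empty(t, checluster.Spec.Networking.Auth.OAuthSecret)`), so a regression that leaks the generated secret into `spec` or leaves it empty would now go unnoticed. I would restore the original test next to the new one rather than replace it. In the new test, the removed `assert.Equal(t, 1, len(oauthClients))` should also come back before `oauthClients[0]` is dereferenced, since an empty result would otherwise panic instead of failing with a message, and the two `*oauthClients[0].AccessToken...` dereferences should be preceded by `assert.NotNil` for the same reason.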
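Review bot: `GetOAuthClientSpec` is exported and now takes five positional parameters, two of them nullable pointers, yet the `identity_provider_util.go` hunk adds no doc comment. I would add one starting with the function name that states the contract a caller has to know: the two `*int32` arguments are placed verbatim into `AccessTokenInactivityTimeoutSeconds` and `AccessTokenMaxAgeSeconds`, nil leaves the corresponding `OAuthClient` field unset (OAuth server default, presumably), `0` disables the timeout or expiry, and the client is created with `GrantMethod: oauth.GrantHandlerPrompt`; it should also say that `redirectURIs` is stored by reference, not copied. Renaming the parameter from `oauthSecret` to `secret` is fine but the doc comment should make clear that it is the OAuth client secret itself, not a Secret resource name. The function body continues past the hunk.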
@@ -34,9 +39,11 @@ func GetOAuthClientSpec(name string, oauthSecret string, redirectURIs []string)
 Labels: map[string]string{constants.KubernetesPartOfLabelKey: constants.CheEclipseOrg},
 },
- Secret: oauthSecret,
- RedirectURIs: redirectURIs,
- GrantMethod: oauth.GrantHandlerPrompt,
+ Secret: secret,
+ RedirectURIs: redirectURIs,
+ GrantMethod: oauth.GrantHandlerPrompt,
+ AccessTokenInactivityTimeoutSeconds: accessTokenInactivityTimeoutSeconds,
+ AccessTokenMaxAgeSeconds: accessTokenMaxAgeSeconds,
 }
 }