* Don't bind 'user' role to test user
Signed-off-by: Dmytro Nochevnov <dnochevn@redhat.com>
* Remove role 'user' from keycloak
Signed-off-by: Dmytro Nochevnov <dnochevn@redhat.com>
Currently in Che there are still a number of requirements in upstream that are not required by the OIDC specification, so that Che still cannot be used with a number of OIDC compliant providers.
For example, in order to have Che working with the [`node-oidc-provider`](https://github.com/panva/node-oidc-provider), the following changes were necessary:
- Remove the requirement to have the email as a claim in the JWT access token: this is not required by the specification and is not supported by a number of OIDC providers. Normally, the ID token contains such claims. So now, if the email is not in the JWT token the first time the user connects to Che, then the email is retrieved from the OIDC provider through its `user-profile` endpoint.
- Explicitly specify the `openid email profile` scope when requesting the access token. Because OIDC providers, when answering to the `userInfo` endpoint, are expected to return claims that correspond to the scopes of the access token. So if an access token has the `openid` scope only, the `userinfo` might return no claim at all (according to the specification). Until now it was working since Keycloak allows adding claims to the returned tokens anyway.
- Allow supporting fixed redirect URIs: most OIDC providers support having a list of redirect URIs to come back to after the authorization step. But these authorized URIs don't necessarily support wildcards or prefixes. Che doesn't support this currently, and these changes introduce 2 fixed callback HTML pages that redirect to the Dashboard / IDE URL of the final page we want to come back to after authentication. This makes Che compatible with more OIDC providers. We introduced a new boolean property to enable / disable fixed redirect URLs: `che.keycloak.use_fixed_redirect_urls`, whose default value is `false`.
- The previous points required some light changes in the Keycloak JavaScript adapter file, that we will submit as a PR to the Keycloak project. In the meantime the `OIDCKeycloak.js` file is still used, but has been updated to be now based on the `keycloak.js` file of the last `4.5.0-final` Keycloak release. This will make this Keycloak PR easier to get accepted. Please keep in mind that this version upgrade only impacts the alternate OIDC provider case: when using a real Keycloak server, Che *always uses the `keycloak.js` file provided by the Keycloak server*.
Signed-off-by: David Festal <dfestal@redhat.com>
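The three OIDC changes described in the commit above (explicit `openid email profile` scope, userinfo fallback when the access token carries no email claim, and exact-match fixed redirect URIs), as an added Python illustration that is not Che's own code; the issuer, Che origin, callback page names and the use of an RFC 9068 `scope` claim are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values for a hypothetical Che-like client; not Che's own code.
ISSUER = "https://oidc.example.test"
CHE_ORIGIN = "https://che.example.test"
# Fixed, pre-registered callback pages (exact-match entries at the provider).
FIXED_REDIRECT_URIS = {
    CHE_ORIGIN + "/dashboard-callback.html",
    CHE_ORIGIN + "/ide-callback.html",
}

def is_registered_redirect(redirect_uri):
    """Exact-match check: no prefix or wildcard matching, which is what
    strict OIDC providers enforce on their redirect URI lists."""
    return redirect_uri in FIXED_REDIRECT_URIS

def build_auth_url(redirect_uri, state):
    """Authorization request with an explicit `openid email profile` scope,
    so that userinfo is allowed to return the email and profile claims."""
    if not is_registered_redirect(redirect_uri):
        raise ValueError("unregistered redirect_uri: %s" % redirect_uri)
    params = {
        "response_type": "code", "client_id": "che",
        "scope": "openid email profile",
        "redirect_uri": redirect_uri, "state": state,
    }
    return ISSUER + "/auth?" + urlencode(params)

def resolve_email(access_claims, fetch_userinfo):
    """Take the email from the access-token claims when present; otherwise
    fall back to the provider's userinfo endpoint (fetch_userinfo is a
    caller-supplied function returning the decoded JSON). userinfo only
    yields claims covered by the token's scopes, so if a `scope` claim
    (assumed RFC 9068 style) is present and lacks `email`, skip the call."""
    if access_claims.get("email"):
        return access_claims["email"]
    scope = access_claims.get("scope")
    if scope is not None and "email" not in scope.split():
        return None
    return fetch_userinfo().get("email")

def safe_final_destination(url):
    """The fixed callback page forwards to the Dashboard/IDE URL the user
    originally asked for. Accept only same-origin https targets so the
    callback page cannot be turned into an open redirect."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == urlsplit(CHE_ORIGIN).netloc
```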
- Make Resource memory request configurable for k8s and OpenShift.
- Add alias for backwards compatibility to che.workspace.default_memory_limit_mb.
- set memory request to 512Mb.
- document CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB in che.env.
- Configure helm scripts to allow memory attributes on deployment.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
Removes properties
- che.infra.kubernetes.username : can change, requiring reconfiguration
- che.infra.kubernetes.password : can change, requiring reconfiguration
- che.infra.kubernetes.oauth_token : expires
as they complicate setup and all represent suboptimal running scenarios.
Use che serviceaccount instead.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Introduce an External Server Exposer Strategy, responsible for exposing service ports associated with external servers, making them accessible from outside the cluster.
Move server exposure to shared k8s infra level:
- multi-host: unique hostname for each component, like Che OpenShift infrastructure.
- single-host: single hostname for all components. Can be used in conjunction with TLS.
- default-host: default ingress hostname. Can be used for local development without dynamic DNS (based on ingress IP).
Add basic TLS support.
Signed-off-by: Guy Daich <guy.daich@sap.com>
Enable single-level DNS domains (*.domain.tld) in SINGLE_PORT mode to simplify HTTPS setup.
Use whole folder for traefik conf to inject SSL certificates and custom configuration.
CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS to che.env.
Signed-off-by: Hanno Kolvenbach <kolvenbach@silexica.com>
Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens).
This is the implementation required in upstream Che, for issues redhat-developer/rh-che#502 and redhat-developer/rh-che#525
Signed-off-by: David Festal <dfestal@redhat.com>
Move openshift/k8s deployment files from dockerfiles/init folder to deploy folder with a better structure because they are not related to init dockerfile.
Add readme files in each deployment target folder with links to Che docs where the process of deployment is described.
Remove delivery of deployment files by init image which is useless.
Remove empty docs files from the repo and init image.
Fix some minor typos and trailing spaces.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Allows to use NULL as a value of JDBC config to simplify usage of environment variables for JDBC settings in k8s/Openshift deployment files. NULL is treated as unset variable.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Experimenting with deployment config based approach to Che multi user on OCP
* Service pod
* Remove s2i
* Remove s2i
* EOF
* Cleanup
* Cleanup
* Cleanup
* Cleanup
* Make Keycloak util image configurable
* Update webdriver.sh
* Increase postgres and keycloak PVC for OpenShift to be 1gb
For compatibility and portability between OSO, OSD, and OCP this needs to be 1Gi as anything under that is not allowed in Online environments. Having it set to 100Mi results in errors and the deployment fails.