Load the workspace during the namespace resolution so that we can check
for the attribute stored in the workspace attributes.
Switch the default namespace to `<username>-che`.
Update the property descriptions in che.properties and use the new
CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT in the helm chart.
Move the delete to the KubernetesNamespace/OpenShiftProject to
concentrate the handling in one place.
Split the isNamespaceStatic() (previously called isPredefined()) into
isCreatingNamespaces() and isManagingNamespaces() to separately capture
the two use cases in which that single method was previously incorrectly
called. Also make these methods workspace-specific to be able to
consistently work with the legacy logic across all methods.
Signed-off-by: Lukas Krejci <lkrejci@redhat.com>
* namespace for workspace with username and userid placeholders
* write meaningful error message when failed to create namespace/project due to lack of permissions
* describe placeholders in kubernetes.namespace/openshift.project properties
* refactor detect placeholders in namespace to stream
* check if namespace name is predefined when evaluating
Support single-host mode on the multi-user server. Note that this depends
on changes in the che-jwtproxy component.
* Add a distinction between service name and path base in the external
server exposer to be able to correctly expose a service through a proxy
* the async authentication in loader.js doesn't truncate the path
anymore so that it can correctly locate /jwt/auth even in single-host mode
* enhance the jwt proxy configuration with the ability to use custom uri
prefixes for the redirects on auth failure - this can be used to pass in
the information about the external path the proxy is available on even if
hidden behind a path rewriting ingress
* Make sure pathname doesn't contain duplicated slashes when constructing
the auth request.
* Made the cookie path server-strategy sensitive
Store the container-machine mapping using a pair of annotations with a
predictable name length to prevent breaking the 63 character limit on the
k8s annotation names.
Signed-off-by: Lukas Krejci <lkrejci@redhat.com>
Merge api-devfile and api-workspace together and put the infrastructure-dependent code behind injectable interfaces.
Signed-off-by: Lukas Krejci <lkrejci@redhat.com>
Instead of downloading metas from plugin registry and passing them to
plugin broker, provide plugin broker with serialized plugin fully
qualified names and allow broker to download necessary metas.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
* Allow workspace pods to list Kubernetes services by default
* Update workspace-view-role.yaml to allow listing
of Kubernetes services
* Allow sidecar containers to list services on OpenShift
* Add services resource to workspace-view role for OpenShift
Signed-off-by: John Collier <John.J.Collier@ibm.com>
* Create view role rather than rely on view clusterRole
* Create view role for k8s. Fix typo
* Typo and Java doc sync
* Add namespaced role to k8s and openshift templates. Role instead of ClusterRole for k8s
* Rename view role to workspace-view
* Fix formatting
* Fix javadoc. Revert erroneous changes to postgres template
* Remove hidden Dockerfile
* Revert pg changes
- Allow KubernetesDeployments#watchEvents to handle events from
Deployments and ReplicaSets as well as Pods.
- Necessary to handle quota events (e.g. exceeding quota)
- Fix regression where sometimes unrecoverable events weren't handled
at all due to pod naming issues
- Add 'FailedCreate' to unrecoverable events list (this event occurs
when quota is exceeded).
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
This is needed to help clients in figuring out which port led
to creating a server in a workspace.
Also, refactor some code.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>