Cloud Shell Che Workspace

[l0rd]

This epic is about the technical work needed to implement a cloud shell component that would be used on OpenShift Console:

Using the DevWorkspace CRD

The cloud shell should use the DevWorkspace CRD that is described in #15425

Using a new CheEditor

A Theia based Che workspace is a waste of compute resources if used only to get a terminal. And it takes way too long to bootstrap. So the idea is to implement an alternative cheEditor and a cloud shell workspace could be defined using the following devfile:

 ---
apiVersion: 1.0.0
components:
- type: cheEditor
  id: redhat/cloud-shell/latest
- type: dockerimage
 image: quay.io/eclipse/openshift-tooling:latest

Other considerations

• Exec denial: exec into the pod should be denied for any user other than the owner
• Auth: The terminal service should be secured using OpenShift OAuth and RBAC
• Autoscale to zero: After a few minute of inactivity cloud shell pods should be deleted

Subtasks

• Implementation of the cloud shell editor (deploy team)
  • Find out how we can avoid to have machine-exec automatically added to a workspace
  • Build a new image based on the current machine-exec image that serves the static content needed for the terminal widget (HTML + JS scripts)
  • Implement a mechanism that, if there is just one container in the workspace, automatically select it as the machine exec target (no need to communicate with wsmaster)
• Submit an OpenShift enhancement PR:
  • Implement an exec denial mechanism PoC and document it
  • Review the auth mechanism: investigate kube-rbac-proxy and oauth-proxy, compare it to jwt proxy and document it
  • Describe the CloudShell Lifecycle including the autoscale to zero mechanism
• Plan the DevWorkspace work to start with the features needed for the CloudShell implementation
• Adapt DevWorkspace Controller POC to satisfy Cloud Shell needs:
  • Introduce Admission Webhook that would allow forbidding using CloudShell by no-creator [devworkspace] Introduce Admission Webhook that would allow forbidding using CloudShell by no-creator #16056
  • Revise DevWorkspace CR structure [devworkspace] Revise DevWorkspace CR structure #15783
  • Rework WorkspaceRouting to run container inside workspace pod [devworkspace] Rework WorkspaceRouting to run container inside workspace pod #15786
  • Make DevWorkspace CR prerequisites(PVC, CheRestAPI) optional [devworkspace] Make CheRestAPI optional and depending on che-theia editor #15790
  • CloudShell should provide an option to use users token instead of SA's one CloudShell should provide an option to use users token instead of SA's one #16250
  • Cloud shell must propagate error when it failed to initialize terminal Cloud shell must propagate error when it failed to initialize terminal #16249
  • Make workspace controller generating TLS certs for its webhook server Make workspace controller generating TLS certs for its webhook server #16251
  • Deny to access CloudShell to everybody except creator Deny to access CloudShell to everybody except creator #16252
  • Investigate the alternative for plugin-registry for CloudShell run with controller [devworkspace] Investigate the alternative for plugin-registry for CloudShell run with controller #16313
  • Finalize Workspace Reconcile loop rework [devworkspace] Finalize Workspace Reconcile loop rework #16494
  • Investigate authentication/authorization for CloudShell [devworkspace] Investigate authentication/authorization for CloudShell #15782
  • Make workspace operator reuse devworkspace-api [devworkspace] Make workspace operator reuse devworkspace-api #16626
  • Configure OpenShift OAuth to get for cloud-shell user:full rights [devworkspace] Configure OpenShift OAuth to get for cloud-shell user:full rights #16515
  • Initialize kubeconfig with user's token if useBearerToken is configured [devworkspace] Initialize kubeconfig with user's token if useBearerToken is configured #16576
  • Set up OLM installation for WorkspaceOperator [dev-workspace] Set up OLM installation for OpenShift Terminal Operator #16311
  • MutatingWebhooks are not compatible with 4.5.0-0.ci-x [devworkspace] MutatingWebhooks are not compatible with 4.5.0-0.ci-x #16587
  • OpenShift OAuth proxy seems to break OpenShift OAuth on the cluster [devworkspace] OpenShift OAuth proxy seems to break OpenShift OAuth on the cluster #16553
  • Investigate if OpenShift Console Proxy could be used to avoid user's reauthentication Investigate if OpenShift Console Proxy could be used to avoid user's reauthentication #16633

Timeline

2020-03-31 (Che v7.11.0)

• Test the proposals for the open questions in the Cloud Shell OpenShift Enhancement PR and prove that they work as expected.

2020-04-20 (Che v7.12.0)

• Solve the problem with the OpenShift OAuth Proxy: how can we avoid to re-authenticate users? Is it possible to use the existing Console Proxy? And avoid the creation of a route per cloud shell?
• Release the first version of the che-workspace-operator based on the devworkspace-api (there is no need to publish to the Operator Hub yet) and that includes the solution proved to work in the previous iteration.

2020-05-12 (Che v7.13.0)

• Implement the scale-to-zero after a period of inactivity [devworkspace] Investigate the scale-to-zero after a period of inactivity #16683
• Implement a CloudShell "happy path" e2e test that deploys the operator, creates a cloud-shell devworkspace, inject the user token, use kubectl (or oc) and is scaled to zero after a period of inactivity CloudShell Happy Path Test #16667
• [OPTIONAL] Implement a PoC to include a cloudShell in the dashboard

2020-06-02 (Che v7.13.0)

• Include the build of the che-workspace-operator and devworkspace-api in the CRW build
• Publish the cloud shell operator on the Operator Hub
• Include the CloudShell e2e happy path test in the QE team CRW release validation check CloudShell Happy Path Test #16667
• [OPTIONAL] Add a che property to switch using the DevWorkspace API instead of the Kubernetes infrastructure to create Devfile based Che workspaces. That will allow to start testing the creation of DevWorkspaces using the Che dashboard and other wsmaster clients.

2020-06-18

• OpenShift 4.5 is release with CloudShell support based on DevWorkspace operator.

[ibuziuk]

@l0rd according to the description this is an epic, but I'm not sure which team label should be applied

[davidwindell]

It would be awesome to be able to do this from the Che dashboard too - so one could quickly make a change to a project without booting the whole IDE up.