
Attach dockercfg secrets as pull image secret #284

Merged
merged 5 commits into from
Mar 9, 2021

Conversation

@sleshchenko (Member) commented Feb 25, 2021

What does this PR do?

This PR adds the ability to label secrets of type kubernetes.io/dockercfg and kubernetes.io/dockerconfigjson with controller.devfile.io/devworkspace_pullsecret: true; such secrets will be used as pull secrets for the DevWorkspace-related deployment.

What issues does this PR fix or reference?

fixes #264

Is it tested? How?

I created two robots and mirrored che-theia in my private repo, so they can be used for testing:

# 1. Created patched sample with private image
sed -e 's|image: "quay.io/eclipse/che-theia:next"|image: "quay.io/sleshche/che-theia:latest"|g' ./samples/flattened_theia-next.yaml \
  | kubectl apply -f -

# 2. It won't start, due to:
#         message: 'rpc error: code = Unknown desc = Error response from daemon: unauthorized:
#         access to the requested resource is not authorized'


# 3. Create tests robots
# Robot without any permissions, just to check that it's ignored since there is no needed label
cat <<EOF | kubectl apply -f -
apiVersion: v1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJxdWF5LmlvIjogewoJCQkiYXV0aCI6ICJjMnhsYzJoamFHVXJhVjlqWVc1ZmJtOTBhR2x1WnpwUE4xcFVSRVExVUZvMFFWVlNWRGxEVlU5VVNEUlZSVXBhUWxBMVRVUXdOVGd5UVRGR1RFWk5NbGxKVkZGQ1R6QTNSMXBEUmtrelZUYzBVRmxTTWpNMCIKCQl9Cgl9Cn0=
kind: Secret
metadata:
  name: blank-robot
  labels: {}
type: kubernetes.io/dockerconfigjson
EOF

# Robot with read access to private quay.io/sleshche/che-theia
cat <<EOF | kubectl apply -f -
apiVersion: v1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJxdWF5LmlvIjogewoJCQkiYXV0aCI6ICJjMnhsYzJoamFHVXJZMmhsWDNSb1pXbGhYM0psWVdSdmJteDVPa1ZOV1ZJeE5sRlRORXBVVVUweFdUZFROVkZHUVZaWlJFazNOME5KVWtaSFVsaGFRMFJVVms0MlUwVXpXRWRSVTFZNVZqTktTVEJXUVZoT09GTTBTVkk9IgoJCX0KCX0KfQ==
kind: Secret
metadata:
  name: che-theia-readonly
  labels:
    controller.devfile.io/devworkspace_pullsecret: "true"
type: kubernetes.io/dockerconfigjson
EOF

# 4. Restart the workspace

kubectl patch dw theia --type merge --patch '
spec:
  started: false
'
kubectl patch dw theia --type merge --patch '
spec:
  started: true
'

# 5. Workspace now is started.
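The selection rule the description states (secret type must be kubernetes.io/dockercfg or kubernetes.io/dockerconfigjson, and the secret must carry controller.devfile.io/devworkspace_pullsecret: "true") as an added, self-contained Go example; this is not the PR's pull_secret.go. The Secret struct is a stand-in for the corev1.Secret fields involved, the sample secrets are constructed (they mirror the blank-robot and che-theia-readonly secrets of the test above and add an Opaque secret and an opted-out secret that the test did not cover), and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Secret is a stand-in for the corev1.Secret fields this selection needs
// (name, type, labels); it is an assumption of this example, not k8s.io/api.
type Secret struct {
	Name   string
	Type   string
	Labels map[string]string
}

const (
	// Kubernetes secret types that hold registry credentials.
	SecretTypeDockercfg        = "kubernetes.io/dockercfg"
	SecretTypeDockerConfigJSON = "kubernetes.io/dockerconfigjson"
	// Opt-in label from the PR; only secrets carrying it with value "true"
	// are attached to the workspace deployment.
	PullSecretLabel = "controller.devfile.io/devworkspace_pullsecret"
)

// SelectPullSecrets returns, sorted by name, the secrets to reference as
// imagePullSecrets. Both the type and the label must match: a labelled
// secret of another type (e.g. Opaque) is skipped, and so is a registry
// secret without the label, like the blank-robot secret in the PR's test.
func SelectPullSecrets(secrets []Secret) []string {
	var names []string
	for _, s := range secrets {
		if s.Type != SecretTypeDockercfg && s.Type != SecretTypeDockerConfigJSON {
			continue
		}
		// Indexing a nil Labels map yields "", so unlabelled secrets are skipped.
		if s.Labels[PullSecretLabel] != "true" {
			continue
		}
		names = append(names, s.Name)
	}
	// A stable order keeps the generated pod spec identical across reconciles.
	sort.Strings(names)
	return names
}

// SampleSecrets is constructed input mirroring the PR's test: one unlabelled
// robot, one labelled read-only robot, plus cases the test did not cover.
func SampleSecrets() []Secret {
	return []Secret{
		{Name: "blank-robot", Type: SecretTypeDockerConfigJSON, Labels: map[string]string{}},
		{Name: "che-theia-readonly", Type: SecretTypeDockerConfigJSON,
			Labels: map[string]string{PullSecretLabel: "true"}},
		{Name: "legacy-robot", Type: SecretTypeDockercfg,
			Labels: map[string]string{PullSecretLabel: "true"}},
		{Name: "api-token", Type: "Opaque",
			Labels: map[string]string{PullSecretLabel: "true"}}, // wrong type: ignored
		{Name: "disabled-robot", Type: SecretTypeDockerConfigJSON,
			Labels: map[string]string{PullSecretLabel: "false"}}, // opted out: ignored
	}
}

func main() {
	// Emits the imagePullSecrets entries for the sample: che-theia-readonly, legacy-robot.
	for _, name := range SelectPullSecrets(SampleSecrets()) {
		fmt.Printf("imagePullSecrets:\n  - name: %s\n", name)
	}
}
```

Requiring both the type and the label means a user who labels an unrelated secret cannot get it mounted as a registry credential, and an existing registry secret is never picked up until someone explicitly opts it in.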

@openshift-ci-robot (Collaborator)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@@ -307,6 +307,12 @@ func (r *DevWorkspaceReconciler) Reconcile(req ctrl.Request) (reconcileResult ct
serviceAcctName := serviceAcctStatus.ServiceAccountName
reconcileStatus.Conditions[devworkspace.WorkspaceServiceAccountReady] = ""

pullSecretStatus := provision.PullSecrets(clusterAPI)
if !pullSecretStatus.Continue{
return reconcile.Result{Requeue: pullSecretStatus.Requeue}, pullSecretStatus.Err
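Review bot: the early return when pullSecretStatus.Continue is false records nothing in reconcileStatus.Conditions, so a workspace blocked on pull secrets keeps reporting the previous step's message (the author's comment below confirms it shows as waiting for deployment); set a pull-secrets condition on reconcileStatus before `return reconcile.Result{Requeue: pullSecretStatus.Requeue}, pullSecretStatus.Err`, as the hunk does for WorkspaceServiceAccountReady two lines above, so the status names the step actually being waited on. Minor: `if !pullSecretStatus.Continue{` needs a space before the brace (gofmt).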
Member Author

Note that it will be exposed in Workspace status as WAITING FOR DEPLOYMENT, not sure if we should update devfile/api or introduce our own conditions instead

Member Author

I've added a8cfd71, but note that it will be exposed in the workspace status only in case the pull secrets fail on the first try.

@amisevsk (Collaborator) left a comment

LGTM with a few comments

controllers/workspace/provision/pull_secret.go (outdated, resolved)
Comment on lines 167 to 175
if _, ok := conditions[devworkspace.WorkspaceServiceAccountReady]; ok {
return "Waiting for deployment to be ready"
}
if _, ok := conditions[PullSecretsReadyCondition]; ok {
return "Waiting for workspace pull secrets"
}
if _, ok := conditions[devworkspace.WorkspaceRoutingReady]; ok {
return "Waiting for workspace serviceaccount"
}
Collaborator

Are we sure this is the right logic? I would assume that if the PullSecretsReady condition is true, then the pull secrets have been prepared and we're not actually waiting on them.

The general approach to this progress message I've taken is once a condition is set, we're waiting on the next condition, i.e.

Suggested change

(original)
if _, ok := conditions[devworkspace.WorkspaceServiceAccountReady]; ok {
return "Waiting for deployment to be ready"
}
if _, ok := conditions[PullSecretsReadyCondition]; ok {
return "Waiting for workspace pull secrets"
}
if _, ok := conditions[devworkspace.WorkspaceRoutingReady]; ok {
return "Waiting for workspace serviceaccount"
}

(suggested)
if _, ok := conditions[devworkspace.WorkspaceServiceAccountReady]; ok {
return "Waiting for deployment to be ready"
}
if _, ok := conditions[PullSecretsReadyCondition]; ok {
return "Waiting for workspace service account"
}
if _, ok := conditions[devworkspace.WorkspaceRoutingReady]; ok {
return "Waiting for workspace pull secrets"
}

Each condition gets set in sequence, so the idea is once a condition is set, the workspace is waiting on the next condition in the list -- If conditions[devworkspace.WorkspaceServiceAccountReady] is set, then we know conditions[PullSecretsReadyCondition] is set, etc.

Member Author

Good catch, it's the downside of multitasking :-D

I'll fix it.

@sleshchenko (Member Author) commented Mar 5, 2021

I refactored the way we expose the info message in d208482.

It seems to work fine, but I will need to take a look at why "waiting for editor" did not appear; maybe it just passed too fast.

> kc get dw theia -w
NAME    WORKSPACE ID                PHASE   INFO
theia   workspace60395b9042b94129           
theia   workspace60395b9042b94129           
theia   workspace60395b9042b94129           
theia   workspace60395b9042b94129   Starting   Processing DevWorkspace components
theia   workspace60395b9042b94129   Starting   Processing DevWorkspace components
theia   workspace60395b9042b94129   Starting   Waiting for workspace routing objects
theia   workspace60395b9042b94129   Starting   Waiting for workspace routing objects
theia   workspace60395b9042b94129   Starting   Waiting for workspace routing objects
theia   workspace60395b9042b94129   Starting   Waiting for workspace serviceaccount
theia   workspace60395b9042b94129   Starting   Waiting for workspace serviceaccount
theia   workspace60395b9042b94129   Starting   Waiting for workspace serviceaccount
theia   workspace60395b9042b94129   Starting   Waiting for deployment to be ready
theia   workspace60395b9042b94129   Starting   Waiting for deployment to be ready
theia   workspace60395b9042b94129   Starting   Waiting for deployment to be ready
theia   workspace60395b9042b94129   Running    https://workspace60395b9042b94129.apps.cluster-4237.4237.sandbox422.opentlc.com/theia/
theia   workspace60395b9042b94129   Running    https://workspace60395b9042b94129.apps.cluster-4237.4237.sandbox422.opentlc.com/theia/
theia   workspace60395b9042b94129   Running    https://workspace60395b9042b94129.apps.cluster-4237.4237.sandbox422.opentlc.com/theia/
theia   workspace60395b9042b94129   Running    https://workspace60395b9042b94129.apps.cluster-4237.4237.sandbox422.opentlc.com/theia/

Collaborator

Sometimes it starts quickly :)

pkg/config/constants.go (outdated, resolved)
@JPinkney (Contributor) left a comment

Other than Angel's comments it looks good to me

Comment on lines +155 to +176
var PhaseStatusesOrder = []PhaseStatus{
{
devworkspace.WorkspaceComponentsReady,
"Processing DevWorkspace components",
},
{
devworkspace.WorkspaceRoutingReady,
"Waiting for workspace routing objects",
},
{
devworkspace.WorkspaceServiceAccountReady,
"Waiting for workspace serviceaccount",
},
{
PullSecretsReadyCondition,
"Waiting for workspace pull secrets",
},
{
devworkspace.WorkspaceReady,
"Waiting for deployment to be ready",
},
}
Collaborator

👍 good idea!

We should consider (in a separate PR) using WorkspaceReady to be the final condition (i.e. after health checks) and add our own DeploymentReady condition to use in its place.
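The progress-message rule agreed in the thread (conditions are set in sequence, so once one is set the workspace is waiting on the next in PhaseStatusesOrder) as an added, runnable Go example; this is not the PR's code. The condition names are plain-string stand-ins for the devworkspace.* constants (an assumption of this example), the order and messages follow the PhaseStatusesOrder table above, and main() replays the transitions seen in the `kc get dw theia -w` output, including the pull-secrets step that passed too fast to be observed there.

```go
package main

import "fmt"

// PhaseStatus pairs a condition with the message shown while the workspace
// is still waiting for it. Condition names are string stand-ins for the
// devworkspace.* constants used in the thread (an assumption of this example).
type PhaseStatus struct {
	Condition string
	Message   string
}

// Same order and messages as the PR's PhaseStatusesOrder table.
var PhaseStatusesOrder = []PhaseStatus{
	{"WorkspaceComponentsReady", "Processing DevWorkspace components"},
	{"WorkspaceRoutingReady", "Waiting for workspace routing objects"},
	{"WorkspaceServiceAccountReady", "Waiting for workspace serviceaccount"},
	{"PullSecretsReady", "Waiting for workspace pull secrets"},
	{"WorkspaceReady", "Waiting for deployment to be ready"},
}

// InfoMessage returns the message of the first condition in order that is
// not set: once a condition is set, the workspace is waiting on the next one.
// Reporting the earliest unmet step also means an out-of-order condition
// cannot hide an earlier step that is still pending. With nothing set it
// reports the first step; with every condition set it returns "" so the
// caller can show the workspace URL instead.
func InfoMessage(conditions map[string]string) string {
	for _, ps := range PhaseStatusesOrder {
		if _, ok := conditions[ps.Condition]; !ok {
			return ps.Message
		}
	}
	return ""
}

func main() {
	// Replay the start sequence: each step sets its condition, the message moves on.
	conditions := map[string]string{}
	fmt.Printf("%-34s -> %q\n", "(no conditions)", InfoMessage(conditions))
	for _, ps := range PhaseStatusesOrder {
		conditions[ps.Condition] = ""
		fmt.Printf("%-34s -> %q\n", ps.Condition+" set", InfoMessage(conditions))
	}
}
```

The earlier if-chain keyed the message on which condition was already set, which is why a set PullSecretsReady produced "Waiting for workspace pull secrets"; iterating the ordered table and stopping at the first unset condition makes that class of off-by-one impossible to reintroduce when a new step is added.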

@JPinkney (Contributor) left a comment

New changes LGTM

@openshift-ci-robot (Collaborator)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, JPinkney, sleshchenko

Needs approval from an approver in each of these files:
  • OWNERS [JPinkney,amisevsk,sleshchenko]

@amisevsk (Collaborator) commented Mar 6, 2021

I also checked that workspaces enter the terminating phase correctly -- we don't have a phase for terminating/deleting, so that is unchanged, but the devworkspace shows "Cleaning up resources for deletion" in the message.

@sleshchenko (Member Author)

/test v5-devworkspaces-operator-e2e

Successfully merging this pull request may close these issues.

Implement the mechanism to configure dockercfg secret as imagePullSecrets for devworkspace
4 participants