Make workspace routes more user-friendly

[dkwon17]

Fixes eclipse-che/che#20598

Depends on eclipse-che/che-server#508

What does this PR do?

Workspace URL

Before this PR, the workspace url would be something like:

https://che-dogfooding.apps.che-dev.x6e0.p1.openshiftapps.com/workspace13c0f27b694b4943/universal-developer-image/3100/

After this PR, the workspace URL becomes:

https://che-dogfooding.apps.che-dev.x6e0.p1.openshiftapps.com/<username>/<workspace name>/3100/

Public endpoints defined in devfile

For public endpoints defined in the devfile (example)

Before this PR:

http://workspace294df8373ccb4bda-4.apps.che-dev.x6e0.p1.openshiftapps.com/food

After this PR:

http://<username>.<workspace name>.<endpoint name>.apps.che-dev.x6e0.p1.openshiftapps.com/food

Screenshot/screencast of this PR

Workspace URL:

Route spec.host:

What issues does this PR fix or reference?

eclipse-che/che#20598

How to test this PR?

chectl server:deploy \
     --installer operator \
     --platform openshift \
     --che-operator-image quay.io/dkwon17/che-operator:friendlypath 

1. After deploying Che, update the che-server image: (CheCluster patch not needed anymore)

spec:
  components:
    cheServer:
      deployment:
        containers:
          - image: 'quay.io/dkwon17/che-server:user-profile-che-operator'
            name: che

2. Create and start a workspace with this project: https://github.com/che-incubator/quarkus-api-example
3. After workspace start, verify that the workspace IDE url is: {CHE-HOST}/{USERNAME}/{DW-NAME}/3100/
4. Confirm that there is an OpenShift route named {DW-ID}-tools-8080-list-all-food, where the spec.host is {USERNAME}.{DW-NAME}.list-all-food.{INGRESS-DOMAIN}

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Development resource are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

Merging #1672 (2d0d278) into main (a716caf) will increase coverage by 0.25%.
The diff coverage is 85.00%.

@@            Coverage Diff             @@
##             main    #1672      +/-   ##
==========================================
+ Coverage   59.93%   60.18%   +0.25%     
==========================================
  Files          70       71       +1     
  Lines        8332     8430      +98     
==========================================
+ Hits         4994     5074      +80     
- Misses       2992     3008      +16     
- Partials      346      348       +2     

Impacted Files	Coverage Δ
controllers/devworkspace/solver/che_routing.go	78.40% <79.78%> (-0.64%)	⬇️
...ntrollers/devworkspace/solver/endpoint_strategy.go	95.23% <95.23%> (ø)
...ontrollers/devworkspace/solver/endpoint_exposer.go	93.06% <100.00%> (-0.08%)	⬇️

[dkwon17]

This function is based off of https://github.com/eclipse-che/che-server/blob/75979a6d6a914e80c873d91778e20a93f920e8a4/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java#L636

[dkwon17]

The username is being read from the user-profile secret created by che-server, which is why this PR depends on eclipse-che/che-server#508

Another way to read the username could be to read the che.eclipse.org/username annotation from the user namespace

[tolusha]

BTW, che.eclipse.org/username annotation might not exist

[tolusha]

Do we have a backup plan instead of throwing an error if Secret doesn't exist ?

[dkwon17]

I'm afraid there is no backup plan right now if that secret does not exist, are there other ways to detect the username?

[tolusha]

What about using the legacy route name if username is unknown?

[ibuziuk]

whereas a backup plan could be nice to have, using user-profile section should be robust in general e.g. if it is deleted from the namespace it would be re-created next time user access the dashboard

[dkwon17]

After more investigation, I think the minikube tests are failing because the user-profile secret is not created when the user namespace and workspace is created by applying templates (ie, without using the dashboard)

As a result, workspaces cannot start

[ibuziuk]

@dkwon17 thanks for the investigation, so in this case the flow when devworkspace is created using oc apply command is going to also fail if there is no user-profile secret in the namespace, right?

[dkwon17]

@ibuziuk yes, that's right

[dkwon17]

I am currently working on the legacy routes in this case, as suggested by @tolusha

[tolusha]

/retest

[ibuziuk]

/retest

[dkwon17]

I'm quite confident the test failure is because this PR depends on eclipse-che/che-server#508 See #1672 (comment)

Without the che-server side PR, the user's username would not be found and workspaces would not start.

I've also added a new commit to deal with providing the Che-operator ClusterRole permissions to update ingresses, which is needed for this PR for allowing starting older workspaces to start minikube. This is needed because, this PR will update older workspaces' ingresses to have an updated spec.host.

The ClusterRole update likely fixes eclipse-che/che#22166, although I haven't confirmed that

[ibuziuk]

/retest

[ibuziuk]

@dkwon17 important note, that we should cherry-pick the PR to 7.67.x for 3.7 once merged

[dkwon17]

I've updated the PR to use legacy routing if the username and devworkspace name cannot be detected

To test the legacy routing:

1. Create a namespace where the username is not specified as an annotation:

kind: Namespace
apiVersion: v1
metadata:
  name: my-namespace
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-namespace

2. Create a devworkspace within the new namespace

kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
  name: my-devworkspace
  namespace: my-namespace
spec:
  routingClass: che
  started: false
  contributions:
    - name: ide
      uri: http://plugin-registry.eclipse-che.svc:8080/v3/plugins/che-incubator/che-code/insiders/devfile.yaml
  template:
    components:
      - name: tooling-container
        container:
          image: quay.io/devfile/universal-developer-image:ubi8-latest
          cpuLimit: 100m

3. When the workspace starts, verify that the status.mainUrl of the devworkspace follows this format (the old format):

<CHE-HOST>/workspace13c0f27b694b4943/tooling-container/3100/

[dkwon17]

The username is also being read from the namespace as well, in the case that the admin has pre-provisioned the namespaces following the doc, since in this case, the user-profile secret would not be created

[dkwon17]

Hi @dmytro-ndp for your comment #1672 (comment), I noticed that the devfile registry pod scheduling happens when the quay.io/eclipse/che-operator:next che-operator pod terminates and is replaced by the che-operator pod with quay.io/dkwon17/che-operator:friendlypath image.

I wonder if replacing the che-operator pod with the custom container image affects the scheduling for the devfile registry pod, potentially causing the devfile registry pod scheduling to take longer

Hi @tolusha , could this be the reason for the chectl failure occuring in [1]?

[1] https://main-jenkins-csb-crwqe.apps.ocp-c1.prod.psi.redhat.com/job/Che/job/ocp/job/basic/job/install-che-to-ocp/15/consoleFull

[dkwon17]

IMHO, it's somehow related to quay.io/dkwon17/che-operator:friendlypath, because Eclipse Che Next has installed successfully using chectl with quay.io/eclipse/che-operator:next operator on the same cluster [3].

@dmytro-ndp I cannot reproduce the issue with clusterbot, but by any chance, do you know if the same error will happen if you use a different che-operator image, like quay.io/eclipse/che-operator:7.67.0?

[tolusha]

Hi @tolusha , could this be the reason for the chectl failure occuring in [1]?

No, that can't be a reason.

I can't reproduce the issue either.
https://main-jenkins-csb-crwqe.apps.ocp-c1.prod.psi.redhat.com/job/Che/job/ocp/job/basic/job/install-che-to-ocp/23/console

[tolusha]

We are ok to merge as long as all checks passed.

[tolusha]

Conflicts resolved.

[dmytro-ndp]

@tolusha , @dkwon17 : is there fresh che-operator image with recent changes available for testing?

[tolusha]

Please use this one quay.io/abazko/operator:friendlyroute

[devstudio-release]

Build 3.8 :: operator-bundle_3.x/1437: Console, Changes, Git Data

[dmytro-ndp]

"chectl server:deploy" command had failed when deploy to test OCP cluster with even though there was --k8spoderrorrechecktimeout=600000 parameter added https://main-jenkins-csb-crwqe.apps.ocp-c1.prod.psi.redhat.com/job/Che/job/ocp/job/basic/job/install-che-to-ocp/25/console :

chectl server:deploy --platform=openshift --che-operator-cr-patch-yaml=custom-resource-patch.yaml --che-operator-image=quay.io/abazko/operator:friendlyroute --k8spoderrorrechecktimeout=600000

...

 [07:31:00] Scheduling [started]
 [07:32:03] Scheduling [failed]
 [07:32:03] → Timeout: there are no pods in the namespace: eclipse-che, selector: app.kubernetes.io/name=che,app.kubernetes.io/component=devfile-registry. Check Eclipse Che logs for details. Consider increasing error recheck timeout with --k8spoderrorrechecktimeout flag.
 [07:32:03] Devfile Registry pod bootstrap [failed]
 [07:32:03] → Timeout: there are no pods in the namespace: eclipse-che, selector: app.kubernetes.io/name=che,app.kubernetes.io/component=devfile-registry. Check Eclipse Che logs for details. Consider increasing error recheck timeout with --k8spoderrorrechecktimeout flag.
 [07:32:03] Wait for Eclipse Che ready [failed]
 [07:32:03] → Timeout: there are no pods in the namespace: eclipse-che, selector: app.kubernetes.io/name=che,app.kubernetes.io/component=devfile-registry. Check Eclipse Che logs for details. Consider increasing error recheck timeout with --k8spoderrorrechecktimeout flag.
     Error: Command server:deploy failed with the error: Timeout: there are no 
     pods in the namespace: eclipse-che, selector: 
     app.kubernetes.io/name=che,app.kubernetes.io/component=devfile-registry. 
     Check Eclipse Che logs for details. Consider increasing error recheck 
     timeout with --k8spoderrorrechecktimeout flag. See details: 
     /home/hudson/.cache/chectl/error.log. Eclipse Che logs: 
     /tmp/chectl-logs/1685532564341.

At the same time Eclipse Che has deployed successful after doesn't matter chectl command had failed.
"Apache Camel K" workspace has started successfully as well, with correct workspace URL: https://eclipse-che.apps.ocp410-dnochev.crw-qe.com/**admin**/**apache-camel-k**/3100/
and "EmptyWorkspace": https://eclipse-che.apps.ocp410-dnochev.crw-qe.com/admin/empty-8gqu/3100/
and "Java Spring Boot": https://eclipse-che.apps.ocp410-dnochev.crw-qe.com/admin/spring-petclinic/3100/

I have also checked new endpoint URL additionally, using "spring-petclinic" sample > "devfile: run-with-mysql" task - it worked as expected:

• endpoint "http://admin.spring-petclinic.8080-tcp.apps.ocp410-dnochev.crw-qe.com/"
  
  
  
  screencast-eclipse-che.apps.ocp410-dnochev.crw-qe.com-2023.05.31-20_09_26.webm

I have also checked the case when there are several workspaces using the same endpoint.
URLs http://<username>.<workspace name>.<endpoint name>.<ocp host> looked unique to particular workspace:

• http://admin.spring-petclinic.8080-tcp.apps.ocp410-dnochev.crw-qe.com/
• http://admin.spring-petclinic.code-redirect-3.apps.ocp410-dnochev.crw-qe.com/
  vs
• http://admin.spring-petclinic-dd6t.8080-tcp.apps.ocp410-dnochev.crw-qe.com
• http://admin.spring-petclinic-dd6t.8080-tcp.apps.ocp410-dnochev.crw-qe.com
  

Conclusion: PR looked good to merge.

[devstudio-release]

Build 3.8 :: operator-bundle_3.x/1438: Console, Changes, Git Data

[devstudio-release]

Build 3.8 :: operator-bundle_3.x/1439: Console, Changes, Git Data

[devstudio-release]

Build 3.8 :: operator-bundle_3.x/1440: Console, Changes, Git Data

[devstudio-release]

Build 3.8 :: operator-bundle_3.x/1441: Console, Changes, Git Data

[l0rd]

@dkwon17 my understanding is that for the editor endpoint we use <endpoint port> rather than <endpoint name> and this is not consistent with other workspaces endpoints for which we use the <endpoint name>. Is it for a technical reason?

[dkwon17]

@l0rd I didn't have a technical reason, I used <endpoint port> to follow the suggested url in the original issue: eclipse-che/che#20598

[brandonp42]

@dkwon17 is there a strong reason you decided that external ingress host names should have a period in them causing them to be treated as subdomains? I'm struggling with this choice to make it work properly with real SSL certificates. Please see the eclipse/che issue I tagged this on above and if you have any thoughts on workarounds I'd appreciate it.