Fix issue where /exec/init calls put kubeconfig in first container #129
Conversation
amisevsk
requested review from
AndrienkoAleksandr,
evidolob and
l0rd
as code owners
api/rest/execInit.go
Outdated
| @@ -52,7 +52,7 @@ func HandleInit(c *gin.Context) { | |||
| return | |||
| } | |||
|
|
|||
| err := HandleKubeConfigCreation(c, &initConfigParams, token) | |||
| err := HandleKubeConfigCreation(&initConfigParams.KubeConfigParams, token, execRequest.ContainerName) | |||
There was a problem hiding this comment.
I believe it could work in more optimal way.
execRequest already has pod name, while HandleKubeConfigCreation resolves it again in https://github.com/eclipse/che-machine-exec/blob/35dff49aa0ac5db3d847569a24e9f97ff7b7bf66/filter/kubernetes_filter.go#L104
So, the whole ContainerInfo could be propagated instead of just container name.
There was a problem hiding this comment.
The issue is that the other flow (execKubeConfig) currently doesn't do the resolve step and uses containerName from initConfigParams, so we would have to change that process as well.
There was a problem hiding this comment.
Consider updating https://github.com/eclipse/che-machine-exec/blob/cd2b12bb456cb720fbe32b5486e50ae458496a0c/api/model/model_types.go#L102
to say something like // first suitable (with shell available)
|
On more thing that we would need to do for WebTerminal and DevWorkspace on Che - make che-machine-exec independent from CHE_MACHINE_NAME env var. But it's for sure deserves a dedicated issue |
Technically neither doc is accurate -- |
|
@sleshchenko I tried to rework the flow slightly to avoid having to filter twice, but I'm not sure it's clearer. I think long-term a large refactor pass is necessary as there's some confusing constructs. Please re-review |
api/rest/execInit.go
Outdated
| execRequest := handleContainerResolve(c, token, initConfigParams.ContainerName) | ||
| if execRequest == nil { | ||
| rest.WriteResponse(c, http.StatusInternalServerError, "Could not retrieve exec request") | ||
| return | ||
| } | ||
|
|
||
| err := HandleKubeConfigCreation(&initConfigParams.KubeConfigParams, token, execRequest.ContainerName) | ||
| err := HandleKubeConfigCreation(&kubeConfigParams, execRequest) |
There was a problem hiding this comment.
Does that func really needs execRequest? I think it's better to convert it to containerInfo as soon as possible. Or even avoid converting like in the following sleshchenko@5de74ca
There was a problem hiding this comment.
^ that's not tested, maybe I missed some point and it's better to avoid extending. If you have any concern about it, feel free to just ignore the proposal
There was a problem hiding this comment.
Mostly just me avoiding making too many changes for a simple fix :)
I did find it strange we had two almost identical structs.
api/rest/execKubeConfig.go
Outdated
| return | ||
| } | ||
|
|
||
| err := HandleKubeConfigCreation(&kubeConfigParams, execRequest) |
There was a problem hiding this comment.
As far as I understand you dropped token argument to make args list shorter, but now you kind of re-purposing kubeConfigParams.BearerToken, because in addition to propagate into kubeconfig, you also use it to create K8s API and make API call.
Ideally, I think K8sAPI should be created per request(on demand since there is requests in exec manager which does not need it) and reused in places where it's needed, without need to propagate the token.
If I made this PR I would introduce one more argument without dropping token, but I'm not against the made change here as well.
There was a problem hiding this comment.
Perhaps I misunderstood the existing code -- my understanding is that token is derived from the same value, i.e.
- if
initConfigParams.KubeConfigParams.BearerTokenis set, it is used - if it's unset, we log in via username/password and get the token
Both current flows explictly set initConfigParams.BearerToken = token in HandleKubeConfigCreation, so I thought I woudl move this step earlier in the call stack and avoid having to pass initConfigParams and the token only to apply the token to initConfigParams.
|
I can't tell if this s390x issue is my fault or not. |
I can tell for sure, it's not your fault. It's the same instability as Dashboard used to have |
When /exec/init is called (e.g. in the web terminal operator), it resolves the first container that supports a shell, but does not use this container for injecting kubeconfig. When no container name is provided, the kubeconfig is injected into the first container, which causes kubeconfig injection to fail when the first container in the pod does not support a shell. Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
amisevsk
force-pushed
the
fix-exec-init
branch
from
a07de39 to
22b830a
Compare
Description
When /exec/init is called (e.g. in the web terminal operator), it resolves the first container that supports a shell, but does not use this container for injecting kubeconfig. When no container name is provided, the kubeconfig is injected into the first container, which causes kubeconfig injection to fail when the first container in the pod does not support a shell.
Issue
Fixes devfile/devworkspace-operator#258