I would like to uncover some details [1] about the current state of the work
and share some insights about our plans
First of all why we are doing that. There are multiple reasons. Most noticeable is:
- Use standard protocols and techniques as much as possible.
- Get rid of Keycloak as a mandatory dependency
- Have the same identity in all tools. In kubectl, oc , browser.
Where we are?
We are at the stage when we are ready [2] to enable it for OpenShift with devworkspaces by default.
OpenShift was our first choice because it has OAuth and identities out of the box.
I have to admit that workspaces endpoints are not protected yet from outside [3] and inside [4].
What about Kubernetes?
There would be some prerequisites for k8s. OIDC has to be enabled [5].
That might bring additional complexity on chectl side.
What we are doing now?
- Protection from outside [3] is our first priority.
It has some dependencies [6] [7] which we hope would be resolved soon.
What is the plan with Che Workspace and Devworkspaces on the same instance?
At this point, we don't expect them to work together at the same time.
Our plan is to provide guidance on how to migrate the configuration from the stopped Che workspace to Devworkspaces. Additionally, we are going to forcable stop all
Che workspace in case if Devworkspaces engine would be turned on.
[1] Epic Simplify authentication and authorization with a more flexible and lightweight approach
https://github.com/eclipse/che/issues/19182[2] [che-auth] - enable nativeUserMode by default on openshift with devworkspaces
https://github.com/eclipse/che/issues/20203[3] [che-auth] - secure workspace subpath endpoints in new auth gateway
https://github.com/eclipse/che/issues/19707[4] [che-auth] secure workspace services
https://github.com/eclipse/che/issues/20190[5]
https://kubernetes.io/docs/reference/access-authn-authz/authentication[6] Enable subpath mode for Che Theia editor in devworkspaces
https://github.com/eclipse/che/issues/20180[7] Merge DWCO and CO in a single codebase
https://github.com/eclipse/che/issues/19408