Closed
Description
The DevWorkspace Operator allows mounting a Personal Access Token to workspaces, enabling access to private repos in cases where SSH keys aren't convenient. This is currently done by:
- Collecting all secrets labelled `controller.devfile.io/git-credential` in the current namespace
- Merging them into a secret called `devworkspace-merged-git-credentials` (in order to allow multiple credentials to be specified)
- Mounting this secret using a subpath volume mount to a mount path specified by the original secrets
The downside of this approach is that using a subpath volume mount prevents changes to the on-cluster secret from being propagated to the workspace, which can cause issues if PATs expire.
Instead, we should consider updating the DevWorkspace Operator to:
- Mount the merged git credentials secret as files (rather than subpaths) to allow changes to be propagated into the workspace.
- Ignore mount paths on git-credential secrets, and mount the credentials file to a fixed directory (this is required for the point above, as otherwise mounting to `/` will overwrite the entire filesystem).
Additional context
Originally brought up as an issue in eclipse-che/che#21291. Note the GitLab PATs expire after 2 hours, so even if they are refreshed as expected, the workspace would have to be restarted frequently.
Details on how `controller.devfile.io/mount-path` is currently used:
- If no secret specifies a mount path, the default `/` is used and the credentials file is mounted to `/credentials`
- If any secret specifies a mount path, that is used instead. Multiple secrets can specify the same mount path
- If two or more secrets specify conflicting mount paths, it is treated as an error
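The merge and mount-path resolution rules listed above, with the proposed directory mount beside today's subPath mount, as an added Go example. This is not the operator's code: the `Secret` and `Mount` types, the function names and the `/.git-credentials.d` directory are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Secret models what the issue's logic reads from a git-credential Secret; MountPath
// holds the controller.devfile.io/mount-path annotation ("" when unset).
type Secret struct{ Name, MountPath, Credentials string }
// Mount is a simplified volumeMount; a non-empty SubPath stops Secret updates propagating.
type Mount struct{ Volume, MountPath, SubPath string }

const (
	mergedSecretName = "devworkspace-merged-git-credentials"
	proposedDir      = "/.git-credentials.d" // assumed fixed directory; the issue names none
)

// MergeSecrets concatenates the credential files and resolves the mount path:
// default "/", any annotated path wins, two different annotated paths are an error.
func MergeSecrets(secrets []Secret) (merged, mountPath string, err error) {
	mountPath, annotated := "/", ""
	var lines []string
	for _, s := range secrets {
		if s.MountPath != "" {
			if annotated != "" && annotated != s.MountPath {
				return "", "", fmt.Errorf("%s: conflicting mount paths %q and %q", s.Name, annotated, s.MountPath)
			}
			annotated, mountPath = s.MountPath, s.MountPath
		}
		lines = append(lines, strings.TrimSpace(s.Credentials))
	}
	return strings.Join(lines, "\n") + "\n", mountPath, nil
}

// BuildMount returns today's subPath mount of the merged secret or, when propagate is set,
// the proposed directory mount that ignores the annotation (a volume at "/" would shadow the root fs).
func BuildMount(mountPath string, propagate bool) Mount {
	if propagate {
		return Mount{Volume: mergedSecretName, MountPath: proposedDir}
	}
	return Mount{Volume: mergedSecretName, MountPath: path.Join(mountPath, "credentials"), SubPath: "credentials"}
}

func main() { // constructed sample: one unannotated PAT, one with a mount path; tokens are placeholders
	merged, mp, err := MergeSecrets([]Secret{{Name: "github-pat", Credentials: "https://alice:TOKEN_PLACEHOLDER@github.com"},
		{Name: "gitlab-pat", MountPath: "/home/user", Credentials: "https://alice:TOKEN_PLACEHOLDER@gitlab.com"}})
	fmt.Println(merged, mp, err, BuildMount(mp, false), BuildMount(mp, true))
}
```

With `propagate` set the merged secret is mounted as a whole volume, so a rotated PAT reaches the running workspace without a restart; the subPath variant keeps the stale file until the pod is recreated.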