Online terminal
Description
Having terminal access to running containers is essential for debugging, and eventually for active development. Openshift has an online terminal capability, but Kubernetes doesn't (yet), so for GCE/CoreOS/etc., we need to build something ourselves. Let's offer online terminal access for environments, and especially review apps.
Proposal
Like https://github.com/openshift/origin-web-console we use the API call GET /api/v1/namespaces/{namespace}/pods/{name}/exec which is listed under 'connect GET requests to exec of Pod' on http://kubernetes.io/docs/api-reference/v1/operations/.
Not sure if we should use https://github.com/openshift/origin-web-console, xterm.js, or make our own thing in vue. Keybindings might be hard to get right. @jschatz1 will inspect the Angular app from openshift.
Because of cross-site scripting protections the terminal will have to talk to the container via GitLab. We'll use Workhorse to forward those requests.
This is for accessing (review) apps only, CI/Runner access should be discussed in a new issue. The editor is in https://gitlab.com/gitlab-org/gitlab-ce/issues/22863.
- Support OpenShift and Kubernetes.
- Connect to Kubernetes using direct API
- Create project-level Service for Kubernetes to store the credentials to Kubernetes (and OpenShift).
- Only support Bearer authentication. User/Password and Mutual authentication are left for later.
- Use the same credentials for deployment and for terminal access.
- [Stretch] Prefill the project service if you run GitLab on Kubernetes.
-
Enabling the Kubernetes Service for a project will turn all deployments (jobs with an
environmentspecified) into Kubernetes deployments. -
No changes are needed to
.gitlab-ci.ymlto support this. -
Getting terminal access will require developers to adhere to specific labels. This will be documented as well as updated in the Openshift
.gitlab-ci.ymltemplate. Overriding the label will be left until later. -
Use intelligent defaults for namespace and labels based on the project name. i.e.
namespace=$CI_PROJECT_NAME,app=environment.name. - Extend builds with deployment information (namespace and labels).
- Add a column to deployment and attach deployment information when creating deployment on GitLab.
- Show Terminal button only if we have deployment properties and we have kubernetes credentials in Kubernetes Service.
- Use https://github.com/abonas/kubeclient to find Pods filtered by namespace and app label.
- Connect to the first pod in the list.
- Connect to first container in Pod.
- [Stretch] Extend the terminal view with ability to choose the Pod and service to connect to, to support cases with multiple pods and services.
- Terminal library will open Websocket connection to GitLab.
- Authorize the connection GitLab and return to workhorse the credentials stored in Service and a URL to connect to.
- Terminal will be only accessible for master users of the project. (Debatable?)
Service Credentials
We would require user to add these values to the Kubernetes Service:
-
api_url(KUBE_URL) -
or
token(KUBE_TOKEN) -
ca_pem- if HTTPS is using self-signed certificates (KUBE_CA_PEM)
Additionally:
- These variables may be passed to the GitLab runner as environment variables.
Note: It was deemed easier to create a new Service rather than special case Secret Variables. It's also a better experience, so win-win!
Mockups
Terminal icon can be found: https://gitlab.com/gitlab-org/gitlab-design/blob/master/production/_assets/svg/icon-terminal.svg
Links
- Early MVP, only works in openshift: #22843 (closed)
- Smart Kubernetes Deployments which would automatically create a deployment with all informations: #24197 (moved)
- Easy to use credentials interface: #22958 (moved)