feat: inject SCC attribute when creating DevWorkspaceTemplate

Add SCC attribute to DevWorkspaceTemplate during workspace creation
when container run or build capabilities are enabled. This ensures
new workspaces get the correct SCC configuration.

Signed-off-by: Oleksii Orel <oorel@redhat.com>

Author: olexii4

packages/dashboard-frontend/src/services/workspace-client/devworkspace/__tests__/devWorkspaceClient.create.spec.ts

@@ -103,13 +103,20 @@ describe('DevWorkspace client, create', () => {
       const internalPluginRegistryUrl = 'http://internal.plugin.registry.url';
       const openVSXUrl = 'http://openvsx.url';
 
+      const config = {
+        pluginRegistryURL: pluginRegistryUrl,
+        pluginRegistryInternalURL: internalPluginRegistryUrl,
+        pluginRegistry: {
+          disableInternalRegistry: false,
+          openVSXURL: openVSXUrl,
+        },
+      } as any;
+
       await client.createDevWorkspaceTemplate(
         namespace,
         testDevWorkspace,
         testDevWorkspaceTemplate,
-        pluginRegistryUrl,
-        internalPluginRegistryUrl,
-        openVSXUrl,
+        config,
       );
 
       expect(spyCreateWorkspaceTemplate).toHaveBeenCalledWith(
@@ -148,13 +155,17 @@ describe('DevWorkspace client, create', () => {
         title: clusterConsoleTitle,
       };
 
+      const config = {
+        pluginRegistry: {
+          disableInternalRegistry: true,
+        },
+      } as any;
+
       await client.createDevWorkspaceTemplate(
         namespace,
         testDevWorkspace,
         testDevWorkspaceTemplate,
-        undefined,
-        undefined,
-        undefined,
+        config,
         clusterConsole,
       );
 
@@ -183,17 +194,20 @@ describe('DevWorkspace client, create', () => {
     });
 
     it('should add owner reference to devWorkspace template to allow automatic cleanup', async () => {
-      const pluginRegistryUrl = 'http://plugin.registry.url';
-      const internalPluginRegistryUrl = 'http://internal.plugin.registry.url';
-      const openVSXUrl = 'http://openvsx.url';
+      const config = {
+        pluginRegistryURL: 'http://plugin.registry.url',
+        pluginRegistryInternalURL: 'http://internal.plugin.registry.url',
+        pluginRegistry: {
+          disableInternalRegistry: false,
+          openVSXURL: 'http://openvsx.url',
+        },
+      } as any;
 
       await client.createDevWorkspaceTemplate(
         namespace,
         testDevWorkspace,
         testDevWorkspaceTemplate,
-        pluginRegistryUrl,
-        internalPluginRegistryUrl,
-        openVSXUrl,
+        config,
       );
 
       expect(spyCreateWorkspaceTemplate).toHaveBeenCalledWith(
@@ -210,6 +224,102 @@ describe('DevWorkspace client, create', () => {
       );
     });
 
+    it('should add SCC attribute when containerRun capabilities are enabled', async () => {
+      const config = {
+        pluginRegistry: {
+          disableInternalRegistry: true,
+        },
+        containerRun: {
+          disableContainerRunCapabilities: false,
+          containerRunConfiguration: {
+            openShiftSecurityContextConstraint: 'container-run',
+          },
+        },
+      } as any;
+
+      await client.createDevWorkspaceTemplate(
+        namespace,
+        testDevWorkspace,
+        testDevWorkspaceTemplate,
+        config,
+      );
+
+      expect(spyCreateWorkspaceTemplate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          spec: expect.objectContaining({
+            attributes: expect.objectContaining({
+              'controller.devfile.io/scc': 'container-run',
+            }),
+          }),
+        }),
+      );
+    });
+
+    it('should add SCC attribute from containerBuild when containerRun is disabled', async () => {
+      const config = {
+        pluginRegistry: {
+          disableInternalRegistry: true,
+        },
+        containerRun: {
+          disableContainerRunCapabilities: true,
+        },
+        containerBuild: {
+          disableContainerBuildCapabilities: false,
+          containerBuildConfiguration: {
+            openShiftSecurityContextConstraint: 'container-build',
+          },
+        },
+      } as any;
+
+      await client.createDevWorkspaceTemplate(
+        namespace,
+        testDevWorkspace,
+        testDevWorkspaceTemplate,
+        config,
+      );
+
+      expect(spyCreateWorkspaceTemplate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          spec: expect.objectContaining({
+            attributes: expect.objectContaining({
+              'controller.devfile.io/scc': 'container-build',
+            }),
+          }),
+        }),
+      );
+    });
+
+    it('should not add SCC attribute when both container capabilities are disabled', async () => {
+      const config = {
+        pluginRegistry: {
+          disableInternalRegistry: true,
+        },
+        containerRun: {
+          disableContainerRunCapabilities: true,
+        },
+        containerBuild: {
+          disableContainerBuildCapabilities: true,
+        },
+      } as any;
+
+      await client.createDevWorkspaceTemplate(
+        namespace,
+        testDevWorkspace,
+        testDevWorkspaceTemplate,
+        config,
+      );
+
+      expect(spyCreateWorkspaceTemplate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          spec: expect.not.objectContaining({
+            attributes: expect.objectContaining({
+              'controller.devfile.io/scc': expect.anything(),
+            }),
+          }),
+        }),
+      );
+    });
+
     it('should add routingClass if it does not exist', async () => {
       const routingClass = 'che';
       const response = {

packages/dashboard-frontend/src/services/workspace-client/devworkspace/devWorkspaceClient.ts

@@ -188,9 +188,7 @@ export class DevWorkspaceClient {
     defaultNamespace: string,
     devWorkspace: devfileApi.DevWorkspace,
     devWorkspaceTemplateResource: devfileApi.DevWorkspaceTemplate,
-    pluginRegistryUrl: string | undefined,
-    pluginRegistryInternalUrl: string | undefined,
-    openVSXUrl: string | undefined,
+    config: api.IServerConfig,
     clusterConsole?: {
       url: string;
       title: string;
@@ -208,6 +206,13 @@ export class DevWorkspaceClient {
       },
     ];
 
+    // Extract URLs from config
+    const pluginRegistryUrl = !config.pluginRegistry?.disableInternalRegistry
+      ? config.pluginRegistryURL
+      : config.pluginRegistry?.externalPluginRegistries?.[0]?.url;
+    const pluginRegistryInternalUrl = config.pluginRegistryInternalURL;
+    const openVSXUrl = config.pluginRegistry?.openVSXURL;
+
     this.addEnvVarsToContainers(
       devWorkspaceTemplateResource.spec?.components,
       pluginRegistryUrl,
@@ -216,9 +221,89 @@ export class DevWorkspaceClient {
       clusterConsole,
     );
 
+    // Add SCC attribute if container capabilities are enabled
+    this.addSccAttributeToTemplate(devWorkspaceTemplateResource, config);
+
     return DwtApi.createTemplate(devWorkspaceTemplateResource);
   }
 
+  /**
+   * Injects the container scc attribute into the DevWorkspaceTemplateResource
+   * and adds HOST_USERS environment variable to all containers
+   * based on the CR `disableContainerBuildCapabilities` or `disableContainerRunCapabilities` fields value.
+   */
+  private addSccAttributeToTemplate(
+    devWorkspaceTemplateResource: devfileApi.DevWorkspaceTemplate,
+    config: api.IServerConfig,
+  ): void {
+    let sccName: string | undefined;
+    let hostUsers = true;
+
+    if (!config.containerRun?.disableContainerRunCapabilities) {
+      // container run capabilities is enabled.
+      sccName = config.containerRun?.containerRunConfiguration?.openShiftSecurityContextConstraint;
+      hostUsers = false;
+    } else if (!config.containerBuild?.disableContainerBuildCapabilities) {
+      // container build capabilities is enabled.
+      sccName =
+        config.containerBuild?.containerBuildConfiguration?.openShiftSecurityContextConstraint;
+      hostUsers = false;
+    }
+
+    if (!sccName) {
+      return;
+    }
+
+    if (!devWorkspaceTemplateResource.spec) {
+      devWorkspaceTemplateResource.spec = {};
+    }
+    if (!devWorkspaceTemplateResource.spec.attributes) {
+      devWorkspaceTemplateResource.spec.attributes = {};
+    }
+    devWorkspaceTemplateResource.spec.attributes[DEVWORKSPACE_CONTAINER_SCC_ATTR] = sccName;
+
+    // Add HOST_USERS environment variable to all containers
+    this.addHostUsersEnvVarToTemplate(devWorkspaceTemplateResource, hostUsers);
+  }
+
+  /**
+   * Adds HOST_USERS environment variable to all containers in the DevWorkspaceTemplate.
+   */
+  private addHostUsersEnvVarToTemplate(
+    devWorkspaceTemplateResource: devfileApi.DevWorkspaceTemplate,
+    hostUsers: boolean,
+  ): void {
+    const components = devWorkspaceTemplateResource.spec?.components;
+    if (!components) {
+      return;
+    }
+
+    const envVar = { name: this.hostUsersEnvName, value: hostUsers.toString() };
+
+    for (const component of components) {
+      const container = component.container;
+      if (container === undefined) {
+        continue;
+      }
+
+      if (!container.env) {
+        container.env = [envVar];
+        continue;
+      }
+
+      const existingEnvIndex = container.env.findIndex(env => env.name === this.hostUsersEnvName);
+      if (existingEnvIndex >= 0) {
+        // If value is different, replace it
+        if (container.env[existingEnvIndex].value !== hostUsers.toString()) {
+          container.env[existingEnvIndex] = envVar;
+        }
+      } else {
+        // If environment variable is absent, add it
+        container.env.push(envVar);
+      }
+    }
+  }
+
   /**
    * propagate the plugin registry, plugin internal registry,
    * and dashboard URLs into the components containers

packages/dashboard-frontend/src/store/Workspaces/devWorkspaces/actions/actionCreators/createWorkspaceFromResources.ts

@@ -18,12 +18,8 @@ import { AppThunk } from '@/store';
 import { selectApplications } from '@/store/ClusterInfo';
 import { selectDefaultNamespace } from '@/store/InfrastructureNamespaces';
 import { verifyAuthorized } from '@/store/SanityCheck';
-import {
-  selectDefaultEditor,
-  selectOpenVSXUrl,
-  selectPluginRegistryInternalUrl,
-  selectPluginRegistryUrl,
-} from '@/store/ServerConfig';
+import { getDefaultEditor } from '@/store/ServerConfig/helpers';
+import { selectServerConfigState } from '@/store/ServerConfig/selectors';
 import { getDevWorkspaceClient } from '@/store/Workspaces/devWorkspaces/actions/actionCreators/helpers';
 import { updateDevWorkspaceTemplate } from '@/store/Workspaces/devWorkspaces/actions/actionCreators/helpers/editorImage';
 import {
@@ -43,10 +39,8 @@ export const createWorkspaceFromResources =
   async (dispatch, getState) => {
     const state = getState();
     const defaultKubernetesNamespace = selectDefaultNamespace(state);
-    const openVSXUrl = selectOpenVSXUrl(state);
-    const pluginRegistryUrl = selectPluginRegistryUrl(state);
-    const pluginRegistryInternalUrl = selectPluginRegistryInternalUrl(state);
-    const cheEditor = editor ? editor : selectDefaultEditor(state);
+    const serverConfig = selectServerConfigState(state).config;
+    const cheEditor = editor || getDefaultEditor(serverConfig);
     const defaultNamespace = defaultKubernetesNamespace.name;
     const customName = params.name;
 
@@ -84,9 +78,7 @@ export const createWorkspaceFromResources =
         defaultNamespace,
         createResp.devWorkspace,
         devWorkspaceTemplate,
-        pluginRegistryUrl,
-        pluginRegistryInternalUrl,
-        openVSXUrl,
+        serverConfig,
         clusterConsole,
       );