Chapter 4. Configuring CodeReady Workspaces

The following chapter describes configuration methods and options for Red Hat CodeReady Workspaces, with some user stories as example.

The next sections describe some specific user stories.

4.1. Advanced configuration options for the CodeReady Workspaces server component

The following section describes advanced deployment and configuration methods for the CodeReady Workspaces server component.

4.1.1. Understanding CodeReady Workspaces server advanced configuration using the Operator

The following section describes the CodeReady Workspaces server component advanced configuration method for a deployment using the Operator.

Advanced configuration is necessary to:

  • Add environment variables not automatically generated by the Operator from the standard CheCluster Custom Resource fields.
  • Override the properties automatically generated by the Operator from the standard CheCluster Custom Resource fields.

The customCheProperties field, part of the CheCluster Custom Resource server settings, contains a map of additional environment variables to apply to the CodeReady Workspaces server component.

Example 4.1. Override the default memory limit for workspaces

Add the CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB property to customCheProperties:

apiVersion: org.eclipse.che/v1
kind: CheCluster
# [...]
spec:
  server:
    # [...]
    customCheProperties:
      CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB: "2048"
# [...]
Note

Previous versions of the CodeReady Workspaces Operator had a ConfigMap named custom to fulfill this role. If the CodeReady Workspaces Operator finds a configMap with the name custom, it adds the data it contains into the customCheProperties field, redeploys CodeReady Workspaces, and deletes the custom configMap.

Additional resources

4.1.2. CodeReady Workspaces server component system properties reference

The following document describes all possible configuration properties of the CodeReady Workspaces server component.

4.1.2.1. CodeReady Workspaces server

Table 4.1. CodeReady Workspaces server

Environment Variable NameDefault valueDescription

CHE_DATABASE

${che.home}/storage

Folder where CodeReady Workspaces stores internal data objects.

CHE_API

http://${CHE_HOST}:${CHE_PORT}/api

API service. Browsers initiate REST communications to CodeReady Workspaces server with this URL.

CHE_API_INTERNAL

http://${CHE_HOST}:${CHE_PORT}/api

API service internal network URL. Back-end services should initiate REST communications to CodeReady Workspaces server with this URL

CHE_WEBSOCKET_ENDPOINT

ws://${CHE_HOST}:${CHE_PORT}/api/websocket

CodeReady Workspaces WebSocket major endpoint. Provides basic communication endpoint for major WebSocket interactions and messaging.

CHE_WORKSPACE_PROJECTS_STORAGE

/projects

Your projects are synchronized from the CodeReady Workspaces server into the machine running each workspace. This is the directory in the machine where your projects are placed.

CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE

1Gi

Used when OpenShift-type components in a devfile request project PVC creation (Applied in case of unique and per workspace PVC strategy. In case of the common PVC strategy, it is rewritten with the value of the che.infra.kubernetes.pvc.quantity property.)

CHE_WORKSPACE_LOGS_ROOT__DIR

/workspace_logs

Defines the directory inside the machine where all the workspace logs are placed. Provide this value into the machine, for example, as an environment variable. This is to ensure that agent developers can use this directory to back up agent logs.

CHE_WORKSPACE_HTTP__PROXY

 

Configures environment variable HTTP_PROXY to a specified value in containers powering workspaces.

CHE_WORKSPACE_HTTPS__PROXY

 

Configures environment variable HTTPS_PROXY to a specified value in containers powering workspaces.

CHE_WORKSPACE_NO__PROXY

 

Configures environment variable NO_PROXY to a specified value in containers powering workspaces.

CHE_WORKSPACE_AUTO__START

true

By default, when users access a workspace with its URL, the workspace automatically starts (if currently stopped). Set this to false to disable this behavior.

CHE_WORKSPACE_POOL_TYPE

fixed

Workspace threads pool configuration. This pool is used for workspace-related operations that require asynchronous execution, for example, starting and stopping. Possible values are fixed and cached.

CHE_WORKSPACE_POOL_EXACT__SIZE

30

This property is ignored when pool type is different from fixed. It configures the exact size of the pool. When set, the multiplier property is ignored. If this property is not set (0, <0, NULL), then the pool size equals the number of cores. See also che.workspace.pool.cores_multiplier.

CHE_WORKSPACE_POOL_CORES__MULTIPLIER

2

This property is ignored when pool type is not set to fixed, che.workspace.pool.exact_size is set. When set, the pool size is N_CORES * multiplier.

CHE_WORKSPACE_PROBE__POOL__SIZE

10

This property specifies how many threads to use for workspace server liveness probes.

CHE_WORKSPACE_HTTP__PROXY__JAVA__OPTIONS

NULL

HTTP proxy setting for workspace JVM.

CHE_WORKSPACE_JAVA__OPTIONS

-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom

Java command-line options added to JVMs running in workspaces.

CHE_WORKSPACE_MAVEN__OPTIONS

-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom

Maven command-line options added to JVMs running agents in workspaces.

CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB

1024

RAM limit default for each machine that has no RAM settings in its environment. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB

200

RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. This property may not be supported by all infrastructure implementations. Currently it is supported by OpenShift. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES

-1

CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, 0.125, or using the OpenShift format, integer millicores, for example, 125m. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES

-1

CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB

128

RAM limit for each sidecar that has no RAM settings in the CodeReady Workspaces plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB

64

RAM request for each sidecar that has no RAM settings in the CodeReady Workspaces plug-in configuration.

CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES

-1

CPU limit default for each sidecar that has no CPU settings in the CodeReady Workspaces plug-in configuration. Specify either in floating point cores number, for example, 0.125, or using the OpenShift format, integer millicores, for example, 125m. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES

-1

CPU request default for each sidecar that has no CPU settings in the CodeReady Workspaces plug-in configuration. Specify either in floating point cores number, for example, 0.125, or using the OpenShift format, integer millicores, for example, 125m.

CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY

Always

Defines image-pulling strategy for sidecars. Possible values are: Always, Never, IfNotPresent. For any other value, Always is assumed for images with the :latest tag, or IfNotPresent for all other cases.

CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S

60

Period of inactive workspaces suspend job execution.

CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S

3600

The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, as a server failure at a peculiar point in time. The default is to run the cleanup job every hour.

CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__INITIAL__DELAY__S

60

The delay after server startup to start the first activity clean up job.

CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__DELAY__S

180

Delay before first workspace idleness check job started to avoid mass suspend if CodeReady Workspaces server was unavailable for period close to inactivity timeout.

CHE_WORKSPACE_CLEANUP__TEMPORARY__INITIAL__DELAY__MIN

5

Time to delay the first execution of temporary workspaces cleanup job.

CHE_WORKSPACE_CLEANUP__TEMPORARY__PERIOD__MIN

180

Time to delay between the termination of one execution and the commencement of the next execution of temporary workspaces cleanup job

CHE_WORKSPACE_SERVER_PING__SUCCESS__THRESHOLD

1

Number of sequential successful pings to server after which it is treated as available. the CodeReady Workspaces Operator: the property is common for all servers, for example, workspace agent, terminal, exec.

CHE_WORKSPACE_SERVER_PING__INTERVAL__MILLISECONDS

3000

Interval, in milliseconds, between successive pings to workspace server.

CHE_WORKSPACE_SERVER_LIVENESS__PROBES

wsagent/http,exec-agent/http,terminal,theia,jupyter,dirigible,cloud-shell,intellij

List of servers names which require liveness probes

CHE_WORKSPACE_STARTUP__DEBUG__LOG__LIMIT__BYTES

10485760

Limit size of the logs collected from single container that can be observed by che-server when debugging workspace startup. default 10MB=10485760

CHE_WORKSPACE_STOP_ROLE_ENABLED

true

If true, 'stop-workspace' role with the edit privileges will be granted to the 'che' ServiceAccount if OpenShift OAuth is enabled. This configuration is mainly required for workspace idling when the OpenShift OAuth is enabled.

CHE_DEVWORKSPACES_ENABLED

false

Specifies whether CodeReady Workspaces is deployed with DevWorkspaces enabled. This property is set by the CodeReady Workspaces Operator if it also installed the support for DevWorkspaces. This property is used to advertise this fact to the CodeReady Workspaces dashboard. It does not make sense to change the value of this property manually.

4.1.2.2. Authentication parameters

Table 4.2. Authentication parameters

Environment Variable NameDefault valueDescription

CHE_AUTH_USER__SELF__CREATION

false

CodeReady Workspaces has a single identity implementation, so this does not change the user experience. If true, enables user creation at API level

CHE_AUTH_ACCESS__DENIED__ERROR__PAGE

/error-oauth

Authentication error page address

CHE_AUTH_RESERVED__USER__NAMES

 

Reserved user names

CHE_OAUTH_GITHUB_CLIENTID

NULL

Configuration of GitHub OAuth client. You can setup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth. GitHub OAuth client ID.

CHE_OAUTH_GITHUB_CLIENTSECRET

NULL

GitHub OAuth client secret.

CHE_OAUTH_GITHUB_AUTHURI

https://github.com/login/oauth/authorize

GitHub OAuth authorization URI.

CHE_OAUTH_GITHUB_TOKENURI

https://github.com/login/oauth/access_token

GitHub OAuth token URI.

CHE_OAUTH_GITHUB_REDIRECTURIS

http://localhost:${CHE_PORT}/api/oauth/callback

GitHub OAuth redirect URIs. Separate multiple values with comma, for example: URI,URI,URI

CHE_OAUTH_OPENSHIFT_CLIENTID

NULL

Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client ID.

CHE_OAUTH_OPENSHIFT_CLIENTSECRET

NULL

Configurationof OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client ID. OpenShift OAuth client secret.

CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT

NULL

ConfigurationofOpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client ID. OpenShift OAuth client secret. OpenShift OAuth endpoint.

CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL

NULL

ConfigurationofOpenShiftOAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client ID. OpenShift OAuth client secret. OpenShift OAuth endpoint. OpenShift OAuth verification token URL.

CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH

NULL

Configuration of Bitbucket Server OAuth1 client. Used to obtain Personal access tokens. Location of the file with Bitbucket Server application consumer key (equivalent to a username).

CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH

NULL

Configurationof Bitbucket Server OAuth1 client. Used to obtain Personal access tokens. Location of the file with Bitbucket Server application consumer key (equivalent to a username). Location of the file with Bitbucket Server application private key

CHE_OAUTH1_BITBUCKET_ENDPOINT

NULL

ConfigurationofBitbucket Server OAuth1 client. Used to obtain Personal access tokens. Location of the file with Bitbucket Server application consumer key (equivalent to a username). Location of the file with Bitbucket Server application private key Bitbucket Server URL. To work correctly with factories the same URL has to be part of che.integration.bitbucket.server_endpoints too.

4.1.2.3. Internal

Table 4.3. Internal

Environment Variable NameDefault valueDescription

SCHEDULE_CORE__POOL__SIZE

10

CodeReady Workspaces extensions can be scheduled executions on a time basis. This configures the size of the thread pool allocated to extensions that are launched on a recurring schedule.

DB_SCHEMA_FLYWAY_BASELINE_ENABLED

true

DB initialization and migration configuration If true, ignore scripts up to the version configured by baseline.version.

DB_SCHEMA_FLYWAY_BASELINE_VERSION

5.0.0.8.1

Scripts with version up to this are ignored. Note that scripts with version equal to baseline version are also ignored.

DB_SCHEMA_FLYWAY_SCRIPTS_PREFIX

 

Prefix of migration scripts.

DB_SCHEMA_FLYWAY_SCRIPTS_SUFFIX

.sql

Suffix of migration scripts.

DB_SCHEMA_FLYWAY_SCRIPTS_VERSION__SEPARATOR

__

Separator of version from the other part of script name.

DB_SCHEMA_FLYWAY_SCRIPTS_LOCATIONS

classpath:che-schema

Locations where to search migration scripts.

4.1.2.4. OpenShift Infra parameters

Table 4.4. OpenShift Infra parameters

Environment Variable NameDefault valueDescription

CHE_INFRA_KUBERNETES_MASTER__URL

 

Configuration of OpenShift client master URL that Infra will use.

CHE_INFRA_KUBERNETES_TRUST__CERTS

false

Boolean to configure OpenShift client to use trusted certificates.

CHE_INFRA_KUBERNETES_CLUSTER__DOMAIN

NULL

OpenShift cluster domain. If not set, svc names will not contain information about the cluster domain.

CHE_INFRA_KUBERNETES_SERVER__STRATEGY

multi-host

Defines the way how servers are exposed to the world in Kubernetes infra. List of strategies implemented in CodeReady Workspaces: default-host, multi-host, single-host.

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE

native

Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: native:: Exposes servers using OpenShift Routees. Works only on Kubernetes. gateway:: Exposes servers using reverse-proxy gateway.

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE

multi-host

Defines the way how to expose devfile endpoints, as end-user’s applications, in single-host server strategy. They can either follow the single-host strategy and be exposed on subpaths, or they can be exposed on subdomains. multi-host:: expose on subdomains single-host:: expose on subpaths

CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS

app=che,component=che-gateway-config

Defines labels which will be set to ConfigMaps configuring single-host gateway.

CHE_INFRA_KUBERNETES_INGRESS_DOMAIN

 

Used to generate domain for a server in a workspace in case property che.infra.kubernetes.server_strategy is set to multi-host

CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED

true

Indicates whether CodeReady Workspaces server is allowed to create project for user workspaces, or they’re intended to be created manually by cluster administrator. This property is also used by the OpenShift infra.

CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT

<username>-che

Defines default OpenShift project in which user’s workspaces are created if user does not override it. It’s possible to use <username> and <userid> placeholders (for example: che-workspace-<username>). In that case, new namespace will be created for each user. Used by OpenShift infra as well to specify a Project. The <username> or <userid> placeholder is mandatory.

CHE_INFRA_KUBERNETES_NAMESPACE_LABEL

true

Defines whether che-server should try to label the workspace namespaces.

CHE_INFRA_KUBERNETES_NAMESPACE_LABELS

app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace

List of labels to find project that are used for CodeReady Workspaces Workspaces. They are used to: - find prepared project for users in combination with che.infra.kubernetes.namespace.annotations. - actively label project with any workspace.

CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS

che.eclipse.org/username=<username>

List of annotations to find project prepared for CodeReady Workspaces users workspaces. Only project matching the che.infra.kubernetes.namespace.labels will be matched against these annotations. project that matches both che.infra.kubernetes.namespace.labels and che.infra.kubernetes.namespace.annotations will be preferentially used for User’s workspaces. It’s possible to use <username> placeholder to specify the project to concrete user.

CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME

NULL

Defines Kubernetes Service Account name which should be specified to be bound to all workspaces Pods. the CodeReady Workspaces Operator that OpenShift Infrastructure will not create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if che.infra.openshift.project is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there

CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES

NULL

Specifies optional, additional cluster roles to use with the workspace service account. the CodeReady Workspaces Operator that the cluster role names must already exist, and the CodeReady Workspaces service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates che.infra.kubernetes.cluster_role_name.

CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN

8

Defines wait time that limits the Kubernetes workspace start time.

CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN

5

Defines the timeout in minutes that limits the period for which OpenShift Route become ready

CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS

FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate,ReplicaSetCreateError

If during workspace startup an unrecoverable event defined in the property occurs, stop the workspace immediately rather than waiting until timeout. the CodeReady Workspaces Operator that this SHOULD NOT include a mere 'Failed' reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by CodeReady Workspaces server.

CHE_INFRA_KUBERNETES_PVC_ENABLED

true

Defines whether use the Persistent Volume Claim for CodeReady Workspaces workspace needs, for example: backup projects, logs, or disable it.

CHE_INFRA_KUBERNETES_PVC_STRATEGY

common

Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: common:: All workspaces in the same project will reuse the same PVC. Name of PVC may be configured with che.infra.kubernetes.pvc.name. Existing PVC will be used or a new one will be created if it does not exist. unique:: Separate PVC for each workspace’s volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it does not exist. per-workspace:: Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn’t exist.

CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS

true

Defines whether to run a job that creates workspace’s subpath directories in persistent volume for the common strategy before launching a workspace. Necessary in some versions of OpenShift as workspace subpath volume mounts are created with root permissions, and therefore cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in CodeReady Workspaces). The default is true, but should be set to false if the version of OpenShift creates subdirectories with user permissions. See: subPath in volumeMount is not writable for non-root users #41638 the CodeReady Workspaces Operator that this property has effect only if the common PVC strategy used.

CHE_INFRA_KUBERNETES_PVC_NAME

claim-che-workspace

Defines the settings of PVC name for CodeReady Workspaces workspaces. Each PVC strategy supplies this value differently. See documentation for che.infra.kubernetes.pvc.strategy property

CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME

 

Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means 'use default'.

CHE_INFRA_KUBERNETES_PVC_QUANTITY

10Gi

Defines the size of Persistent Volume Claim of CodeReady Workspaces workspace. See: Understanding persistent storage

CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE

registry.access.redhat.com/ubi8-minimal:8.3-230

Pod that is launched when performing persistent volume claim maintenance jobs on OpenShift

CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY

IfNotPresent

Image pull policy of container that used for the maintenance jobs on OpenShift cluster

CHE_INFRA_KUBERNETES_PVC_JOBS_MEMORYLIMIT

250Mi

Defines Pod memory limit for persistent volume claim maintenance jobs

CHE_INFRA_KUBERNETES_PVC_ACCESS__MODE

ReadWriteOnce

Defines Persistent Volume Claim access mode. the CodeReady Workspaces Operator that for common PVC strategy changing of access mode affects the number of simultaneously running workspaces. If the OpenShift instance running CodeReady Workspaces is using Persistent Volumes with RWX access mode, then a limit of running workspaces at the same time is bounded only by CodeReady Workspaces limits configuration: RAM, CPU, and so on. See: Understanding persistent storage

CHE_INFRA_KUBERNETES_PVC_WAIT__BOUND

true

Defines if CodeReady Workspaces Server should wait workspaces Persistent Volume Claims to become bound after creating. Default value is true. The parameter is used by all Persistent Volume Claim strategies. It should be set to false when volumeBindingMode is configured to WaitForFirstConsumer otherwise workspace starts will hangs up on phase of waiting PVCs.

CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON

NULL

Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes rather than Ingresses. the CodeReady Workspaces Operator that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers do not need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for Nginx ingress controller 0.22.0 and later the following value is recommended: {'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600', 'nginx.org/websocket-services': '<service-name>'} and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)'. For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely / and the path transform to %s (see the che.infra.kubernetes.ingress.path.rewrite_transform property). See the Nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression available in the ingress path and how it achieves the URL rewriting.

CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM

NULL

Defines a recipe on how to declare the path of the ingress that should expose a server. The %s represents the base public URL of the server and is guaranteed to end with a forward slash. This property must be a valid input to the String.format() method and contain exactly one reference to %s. See the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to %s (without the quotes) which means that the path is not transformed in any way for use with the ingress controller.

CHE_INFRA_KUBERNETES_INGRESS_LABELS

NULL

Additional labels to add into every Ingress created by CodeReady Workspaces server to allow clear identification.

CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER

NULL

Defines security context for Pods that will be created by OpenShift Infra This is ignored by OpenShift infra

CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP

NULL

Defines security context for Pods that will be created by OpenShift Infra. A special supplemental group that applies to all containers in a Pod. This is ignored by OpenShift infra.

CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC

0

Defines grace termination period for Pods that will be created by OpenShift infrastructures. Default value: 0. It allows to stop Pods quickly and significantly decrease the time required for stopping a workspace. the CodeReady Workspaces Operator: if terminationGracePeriodSeconds have been explicitly set in OpenShift recipe it will not be overridden.

CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX

1000

Number of maximum concurrent asynchronous web requests (HTTP requests or ongoing WebSocket calls) supported in the underlying shared HTTP client of the KubernetesClient instances. Default values: max=64, and max_per_host:5. Default values are not suitable for multi-user scenarios, as CodeReady Workspaces keeps open connections, for example for command or ws-agent logs.

CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST

1000

Number of maximum concurrent asynchronous web requests per host.

CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE

5

Max number of idle connections in the connection pool of the Kubernetes-client shared HTTP client.

CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN

5

Keep-alive timeout of the connection pool of the Kubernetes-client shared HTTP client in minutes.

CHE_INFRA_KUBERNETES_TLS__ENABLED

false

Creates Ingresses with Transport Layer Security (TLS) enabled. In OpenShift infrastructure, Routes will be TLS-enabled.

CHE_INFRA_KUBERNETES_TLS__SECRET

 

Name of a secret that should be used when creating workspace ingresses with TLS. This property is ignored by OpenShift infrastructure.

CHE_INFRA_KUBERNETES_TLS__KEY

NULL

Data for TLS Secret that should be used for workspaces Ingresses. cert and key should be encoded with Base64 algorithm. These properties are ignored by OpenShift infrastructure.

CHE_INFRA_KUBERNETES_TLS__CERT

NULL

Certificate data for TLS Secret that should be used for workspaces Ingresses. Certificate should be encoded with Base64 algorithm. This property is ignored by OpenShift infrastructure.

CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN

-1

Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or -1, where -1 means that checks won’t be performed at all. It is disabled by default because there is possible CodeReady Workspaces Server configuration when CodeReady Workspaces Server doesn’t have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where CodeReady Workspaces Server is located; - cluster-admin service account token is mounted to CodeReady Workspaces Server Pod. It DOES NOT work on the following configurations: - CodeReady Workspaces Server communicates with Kubernetes API using token from OAuth provider.

CHE_INFRA_KUBERNETES_TRUSTED__CA_SRC__CONFIGMAP

NULL

Name of the ConfigMap in CodeReady Workspaces server namespace with additional CA TLS certificates to be propagated into all user’s workspaces. If the property is set on OpenShift 4 infrastructure, and che.infra.openshift.trusted_ca.dest_configmap_labels includes the config.openshift.io/inject-trusted-cabundle=true label, then cluster CA bundle will be propagated too.

CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP

ca-certs

Name of the ConfigMap in a workspace namespace with additional CA TLS certificates. Holds the copy of che.infra.kubernetes.trusted_ca.src_configmap but in a workspace namespace. Content of this ConfigMap is mounted into all workspace containers including plugin brokers. Do not change the ConfigMap name unless it conflicts with the already existing ConfigMap. the CodeReady Workspaces Operator that the resulting ConfigMap name can be adjusted eventually to make it unique in project. The original name would be stored in che.original_name label.

CHE_INFRA_KUBERNETES_TRUSTED__CA_MOUNT__PATH

/public-certs

Configures path on workspace containers where the CA bundle should be mounted. Content of ConfigMap specified by che.infra.kubernetes.trusted_ca.dest_configmap is mounted.

CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP__LABELS

 

Comma separated list of labels to add to the CA certificates ConfigMap in user workspace. See the che.infra.kubernetes.trusted_ca.dest_configmap property.

CHE_INFRA_KUBERNETES_ENABLE__UNSUPPORTED__K8S

false

Enables the /unsupported/OpenShift endpoint to resolve calls on Kubernetes infrastructure. Provides direct access to the underlying infrastructure REST API. This results in huge privilege escalation. It impacts only Kubernetes infrastructure. Therefore it implies no security risk on OpenShift with OAuth. Do not enable this, unless you understand the risks.

4.1.2.5. OpenShift Infra parameters

Table 4.5. OpenShift Infra parameters

Environment Variable NameDefault valueDescription

CHE_INFRA_OPENSHIFT_TRUSTED__CA_DEST__CONFIGMAP__LABELS

config.openshift.io/inject-trusted-cabundle=true

Comma separated list of labels to add to the CA certificates ConfigMap in user workspace. See che.infra.kubernetes.trusted_ca.dest_configmap property. This default value is used for automatic cluster CA bundle injection in OpenShift 4.

CHE_INFRA_OPENSHIFT_ROUTE_LABELS

NULL

Additional labels to add into every Route created by CodeReady Workspaces server to allow clear identification.

CHE_INFRA_OPENSHIFT_ROUTE_HOST_DOMAIN__SUFFIX

NULL

The hostname that should be used as a suffix for the workspace routes. For example: Using domain_suffix=<codeready-<openshift_deployment_name>.<domain_name>>, the route resembles: routed3qrtk.<codeready-<openshift_deployment_name>.<domain_name>>. It has to be a valid DNS name.

CHE_INFRA_OPENSHIFT_PROJECT_INIT__WITH__SERVER__SA

true

Initialize OpenShift project with CodeReady Workspaces server’s service account if OpenShift OAuth is enabled.

4.1.2.6. Experimental properties

Table 4.6. Experimental properties

Environment Variable NameDefault valueDescription

CHE_WORKSPACE_PLUGIN__BROKER_METADATA_IMAGE

quay.io/eclipse/che-plugin-metadata-broker:v3.4.0

Docker image of CodeReady Workspaces plugin broker app that resolves workspace tools configuration and copies plugins dependencies to a workspace. The CodeReady Workspaces Operator overrides these images by default. Changing the images here will not have an effect if CodeReady Workspaces is installed using the Operator.

CHE_WORKSPACE_PLUGIN__BROKER_ARTIFACTS_IMAGE

quay.io/eclipse/che-plugin-artifacts-broker:v3.4.0

Docker image of CodeReady Workspaces plugin artifacts broker. This broker runs as an init container on the workspace Pod. Its job is to take in a list of plugin identifiers (either references to a plugin in the registry or a link to a plugin meta.yaml) and ensure that the correct .vsix and .theia extensions are downloaded into the /plugins directory, for each plugin requested for the workspace.

CHE_WORKSPACE_PLUGIN__BROKER_DEFAULT__MERGE__PLUGINS

false

Configures the default behavior of the plugin brokers when provisioning plugins into a workspace. If set to true, the plugin brokers will attempt to merge plugins when possible: they run in the same sidecar image and do not have conflicting settings. This value is the default setting used when the devfile does not specify the mergePlugins attribute.

CHE_WORKSPACE_PLUGIN__BROKER_PULL__POLICY

Always

Docker image of CodeReady Workspaces plugin broker app that resolves workspace tools configuration and copies plugins dependencies to a workspace

CHE_WORKSPACE_PLUGIN__BROKER_WAIT__TIMEOUT__MIN

3

Defines the timeout in minutes that limits the max period of result waiting for plugin broker.

CHE_WORKSPACE_PLUGIN__REGISTRY__URL

https://che-plugin-registry.prod-preview.openshift.io/v3

Workspace plug-ins registry endpoint. Should be a valid HTTP URL. Example: http://che-plugin-registry-eclipse-che.192.168.65.2.nip.io In case CodeReady Workspaces plug-ins registry is not needed value 'NULL' should be used

CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL

NULL

Workspace plugins registry internal endpoint. Should be a valid HTTP URL. Example: http://devfile-registry.che.svc.cluster.local:8080 In case CodeReady Workspaces plug-ins registry is not needed value 'NULL' should be used

CHE_WORKSPACE_DEVFILE__REGISTRY__URL

https://che-devfile-registry.prod-preview.openshift.io/

Devfile Registry endpoint. Should be a valid HTTP URL. Example: http://che-devfile-registry-eclipse-che.192.168.65.2.nip.io In case CodeReady Workspaces plug-ins registry is not needed value 'NULL' should be used

CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL

NULL

Devfile Registry 'internal' endpoint. Should be a valid HTTP URL. Example: http://plugin-registry.che.svc.cluster.local:8080 In case CodeReady Workspaces plug-ins registry is not needed value 'NULL' should be used

CHE_WORKSPACE_STORAGE_AVAILABLE__TYPES

persistent,ephemeral,async

The configuration property that defines available values for storage types that clients such as the Dashboard should propose to users during workspace creation and update. Available values: - persistent: Persistent Storage slow I/O but persistent. - ephemeral: Ephemeral Storage allows for faster I/O but may have limited storage and is not persistent. - async: Experimental feature: Asynchronous storage is combination of Ephemeral and Persistent storage. Allows for faster I/O and keep your changes, will backup on stop and restore on start workspace. Will work only if: - che.infra.kubernetes.pvc.strategy='common' - che.limits.user.workspaces.run.count=1 - che.infra.kubernetes.namespace.default contains <username> in other cases remove async from the list.

CHE_WORKSPACE_STORAGE_PREFERRED__TYPE

persistent

The configuration property that defines a default value for storage type that clients such as the Dashboard should propose to users during workspace creation and update. The async value is an experimental feature, not recommended as default type.

CHE_SERVER_SECURE__EXPOSER

jwtproxy

Configures in which way secure servers will be protected with authentication. Suitable values: - default: jwtproxy is configured in a pass-through mode. Servers should authenticate requests themselves. - jwtproxy: jwtproxy will authenticate requests. Servers will receive only authenticated requests.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_ISSUER

wsmaster

Jwtproxy issuer string, token lifetime, and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_TTL

8800h

JWTProxy issuer token lifetime.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_AUTH_LOADER_PATH

/_app/loader.html

Optional authentication page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_IMAGE

quay.io/eclipse/che-jwtproxy:0.10.0

JWTProxy image.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_MEMORY__REQUEST

15mb

JWTProxy memory request.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_MEMORY__LIMIT

128mb

JWTProxy memory limit.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_CPU__REQUEST

0.03

JWTProxy CPU request.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_CPU__LIMIT

0.5

JWTProxy CPU limit.

4.1.2.7. Configuration of the major WebSocket endpoint

Table 4.7. Configuration of the major WebSocket endpoint

Environment Variable NameDefault valueDescription

CHE_CORE_JSONRPC_PROCESSOR__MAX__POOL__SIZE

50

Maximum size of the JSON RPC processing pool in case if pool size would be exceeded message execution will be rejected

CHE_CORE_JSONRPC_PROCESSOR__CORE__POOL__SIZE

5

Initial JSON processing pool. Minimum number of threads that used to process major JSON RPC messages.

CHE_CORE_JSONRPC_PROCESSOR__QUEUE__CAPACITY

100000

Configuration of queue used to process JSON RPC messages.

CHE_METRICS_PORT

8087

Port the HTTP server endpoint that would be exposed with Prometheus metrics.

4.1.2.8. CORS settings

Table 4.8. CORS settings

Environment Variable NameDefault valueDescription

CHE_CORS_ALLOWED__ORIGINS

*

Indicates which request origins are allowed. CORS filter on WS Master is turned off by default. Use environment variable 'CHE_CORS_ENABLED=true' to turn it on.

CHE_CORS_ALLOW__CREDENTIALS

false

Indicates if it allows processing of requests with credentials (in cookies, headers, TLS client certificates).

4.1.2.9. Factory defaults

Table 4.9. Factory defaults

Environment Variable NameDefault valueDescription

CHE_FACTORY_DEFAULT__PLUGINS

redhat/vscode-commons/latest

Editor and plugin which will be used for factories that are created from a remote Git repository which does not contain any CodeReady Workspaces-specific workspace descriptor Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion

CHE_FACTORY_DEFAULT__DEVFILE__FILENAMES

devfile.yaml,.devfile.yaml

Devfile filenames to look on repository-based factories (for example GitHub). Factory will try to locate those files in the order they enumerated in the property.

4.1.2.10. Devfile defaults

Table 4.10. Devfile defaults

Environment Variable NameDefault valueDescription

CHE_FACTORY_DEFAULT__EDITOR

eclipse/che-theia/latest

Editor that will be used for factories that are created from a remote Git repository which does not contain any CodeReady Workspaces-specific workspace descriptor.

CHE_FACTORY_SCM__FILE__FETCHER__LIMIT__BYTES

102400

File size limit for the URL fetcher which fetch files from the SCM repository.

CHE_FACTORY_DEVFILE2__FILES__RESOLUTION__LIST

.che/che-editor.yaml,.che/che-theia-plugins.yaml,.vscode/extensions.json

Additional files which may be present in repository to complement devfile v2, and should be referenced as links to SCM resolver service in factory to retrieve them.

CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR

eclipse/che-theia/latest

Default Editor that should be provisioned into Devfile if there is no specified Editor Format is editorPublisher/editorName/editorVersion value. NULL or absence of value means that default editor should not be provisioned.

CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR_PLUGINS

NULL

Default Plug-ins which should be provisioned for Default Editor. All the plugins from this list that are not explicitly mentioned in the user-defined devfile will be provisioned but only when the default editor is used or if the user-defined editor is the same as the default one (even if in different version). Format is comma-separated pluginPublisher/pluginName/pluginVersion values, and URLs. For example: eclipse/che-theia-exec-plugin/0.0.1,eclipse/che-theia-terminal-plugin/0.0.1,https://cdn.pluginregistry.com/vi-mode/meta.yaml If the plugin is a URL, the plugin’s meta.yaml is retrieved from that URL.

CHE_WORKSPACE_PROVISION_SECRET_LABELS

app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspace-secret

Defines comma-separated list of labels for selecting secrets from a user namespace, which will be mount into workspace containers as a files or environment variables. Only secrets that match ALL given labels will be selected.

CHE_WORKSPACE_DEVFILE_ASYNC_STORAGE_PLUGIN

eclipse/che-async-pv-plugin/latest

Plugin is added in case asynchronous storage feature will be enabled in workspace configuration and supported by environment

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_IMAGE

quay.io/eclipse/che-workspace-data-sync-storage:0.0.1

Docker image for the CodeReady Workspaces asynchronous storage

CHE_WORKSPACE_POD_NODE__SELECTOR

NULL

Optionally configures node selector for workspace Pod. Format is comma-separated key=value pairs, for example: disktype=ssd,cpu=xlarge,foo=bar

CHE_WORKSPACE_POD_TOLERATIONS__JSON

NULL

Optionally configures tolerations for workspace Pod. Format is a string representing a JSON Array of taint tolerations, or NULL to disable it. The objects contained in the array have to follow the toleration v1 core specifications. Example: [{'effect':'NoExecute','key':'aNodeTaint','operator':'Equal','value':'aValue'}]

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__TIMEOUT__MIN

120

The timeout for the Asynchronous Storage Pod shutdown after stopping the last used workspace. Value less or equal to 0 interpreted as disabling shutdown ability.

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__CHECK__PERIOD__MIN

30

Defines the period with which the Asynchronous Storage Pod stopping ability will be performed (once in 30 minutes by default)

CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS

NULL

Bitbucket endpoints used for factory integrations. Comma separated list of Bitbucket server URLs or NULL if no integration expected.

CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS

NULL

GitLab endpoints used for factory integrations. Comma separated list of GitLab server URLs or NULL if no integration expected.

CHE_INTEGRATION_GITLAB_OAUTH__ENDPOINT

NULL#

Address of the GitLab server with configured OAuth 2 integration

4.1.2.11. Che system

Table 4.11. Che system

Environment Variable NameDefault valueDescription

CHE_SYSTEM_SUPER__PRIVILEGED__MODE

false

System Super Privileged Mode. Grants users with the manageSystem permission additional permissions for getByKey, getByNameSpace, stopWorkspaces, and getResourcesInformation. These are not given to admins by default and these permissions allow admins gain visibility to any workspace along with naming themselves with administrator privileges to those workspaces.

CHE_SYSTEM_ADMIN__NAME

admin

Grant system permission for che.admin.name user. If the user already exists it’ll happen on component startup, if not - during the first login when user is persisted in the database.

4.1.2.12. Workspace limits

Table 4.12. Workspace limits

Environment Variable NameDefault valueDescription

CHE_LIMITS_WORKSPACE_ENV_RAM

16gb

Workspaces are the fundamental runtime for users when doing development. You can set parameters that limit how workspaces are created and the resources that are consumed. The maximum amount of RAM that a user can allocate to a workspace when they create a new workspace. The RAM slider is adjusted to this maximum value.

CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT

1800000

The length of time in milliseconds that a user is idle with their workspace when the system will suspend the workspace and then stopping it. Idleness is the length of time that the user has not interacted with the workspace, meaning that one of the agents has not received interaction. Leaving a browser window open counts toward idleness.

CHE_LIMITS_WORKSPACE_RUN_TIMEOUT

0

The length of time in milliseconds that a workspace will run, regardless of activity, before the system will suspend it. Set this property if you want to automatically stop workspaces after a period of time. The default is zero, meaning that there is no run timeout.

4.1.2.13. Users workspace limits

Table 4.13. Users workspace limits

Environment Variable NameDefault valueDescription

CHE_LIMITS_USER_WORKSPACES_RAM

-1

The total amount of RAM that a single user is allowed to allocate to running workspaces. A user can allocate this RAM to a single workspace or spread it across multiple workspaces.

CHE_LIMITS_USER_WORKSPACES_COUNT

-1

The maximum number of workspaces that a user is allowed to create. The user will be presented with an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.

CHE_LIMITS_USER_WORKSPACES_RUN_COUNT

1

The maximum number of running workspaces that a single user is allowed to have. If the user has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The user will need to stop a running workspace to activate another.

4.1.2.14. Organizations workspace limits

Table 4.14. Organizations workspace limits

Environment Variable NameDefault valueDescription

CHE_LIMITS_ORGANIZATION_WORKSPACES_RAM

-1

The total amount of RAM that a single organization (team) is allowed to allocate to running workspaces. An organization owner can allocate this RAM however they see fit across the team’s workspaces.

CHE_LIMITS_ORGANIZATION_WORKSPACES_COUNT

-1

The maximum number of workspaces that a organization is allowed to own. The organization will be presented an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.

CHE_LIMITS_ORGANIZATION_WORKSPACES_RUN_COUNT

-1

The maximum number of running workspaces that a single organization is allowed. If the organization has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The organization will need to stop a running workspace to activate another.

4.1.2.15. Multi-user-specific OpenShift infrastructure configuration

Table 4.15. Multi-user-specific OpenShift infrastructure configuration

Environment Variable NameDefault valueDescription

CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER

NULL

Alias of the OpenShift identity provider registered in Keycloak, that should be used to create workspace OpenShift resources in OpenShift namespaces owned by the current CodeReady Workspaces user. Should be set to NULL if che.infra.openshift.project is set to a non-empty value. See: OpenShift identity provider

4.1.2.16. Keycloak configuration

Table 4.16. Keycloak configuration

Environment Variable NameDefault valueDescription

CHE_KEYCLOAK_AUTH__SERVER__URL

http://${CHE_HOST}:5050/auth

Url to keycloak identity provider server Can be set to NULL only if che.keycloak.oidcProvider is used

CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL

NULL

Internal network service Url to keycloak identity provider server

CHE_KEYCLOAK_REALM

che

Keycloak realm is used to authenticate users Can be set to NULL only if che.keycloak.oidcProvider is used

CHE_KEYCLOAK_CLIENT__ID

che-public

Keycloak client identifier in che.keycloak.realm to authenticate users in the dashboard, the IDE, and the CLI.

CHE_KEYCLOAK_OSO_ENDPOINT

NULL

URL to access OSO OAuth tokens

CHE_KEYCLOAK_GITHUB_ENDPOINT

NULL

URL to access Github OAuth tokens

CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC

3

The number of seconds to tolerate for clock skew when verifying exp or nbf claims.

CHE_KEYCLOAK_USE__NONCE

true

Use the OIDC optional nonce feature to increase security.

CHE_KEYCLOAK_JS__ADAPTER__URL

NULL

URL to the Keycloak Javascript adapter to use. if set to NULL, then the default used value is ${che.keycloak.auth_server_url}/js/keycloak.js, or <che-server>/api/keycloak/OIDCKeycloak.js if an alternate oidc_provider is used

CHE_KEYCLOAK_OIDC__PROVIDER

NULL

Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification Obtaining OpenID Provider Configuration Information

CHE_KEYCLOAK_USE__FIXED__REDIRECT__URLS

false

Set to true when using an alternate OIDC provider that only supports fixed redirect Urls This property is ignored when che.keycloak.oidc_provider is NULL

CHE_KEYCLOAK_USERNAME__CLAIM

NULL

Username claim to be used as user display name when parsing JWT token if not defined the fallback value is 'preferred_username'

CHE_OAUTH_SERVICE__MODE

delegated

Configuration of OAuth Authentication Service that can be used in 'embedded' or 'delegated' mode. If set to 'embedded', then the service work as a wrapper to CodeReady Workspaces’s OAuthAuthenticator ( as in Single User mode). If set to 'delegated', then the service will use Keycloak IdentityProvider mechanism. Runtime Exception wii be thrown, in case if this property is not set properly.

CHE_KEYCLOAK_CASCADE__USER__REMOVAL__ENABLED

false

Configuration for enabling removing user from Keycloak server on removing user from CodeReady Workspaces database. By default it’s disabled. Can be enabled in some special cases when deleting a user in CodeReady Workspaces database should execute removing related-user from Keycloak. For correct work need to set administrator username ${che.keycloak.admin_username} and password ${che.keycloak.admin_password}.

CHE_KEYCLOAK_ADMIN__USERNAME

NULL

Keycloak administrator username. Will be used for deleting user from Keycloak on removing user from CodeReady Workspaces database. Make sense only in case ${che.keycloak.cascade_user_removal_enabled} set to 'true'

CHE_KEYCLOAK_ADMIN__PASSWORD

NULL

Keycloak administrator password. Will be used for deleting user from Keycloak on removing user from CodeReady Workspaces database. Make sense only in case ${che.keycloak.cascade_user_removal_enabled} set to 'true'

CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS

NULL

User name adjustment configuration. CodeReady Workspaces needs to use the usernames as part of Kubernetes object names and labels and therefore has stricter requirements on their format than the identity providers usually allow (it needs them to be DNS-compliant). The adjustment is represented by comma-separated key-value pairs. These are sequentially used as arguments to the String.replaceAll function on the original username. The keys are regular expressions, values are replacement strings that replace the characters in the username that match the regular expression. The modified username will only be stored in the CodeReady Workspaces database and will not be advertised back to the identity provider. It is recommended to use DNS-compliant characters as replacement strings (values in the key-value pairs). Example: \\=-,@=-at- changes \ to - and @ to -at- so the username org\user@com becomes org-user-at-com.

4.2. Configuring workspace target project

The OpenShift project where a new workspace is deployed depends on the CodeReady Workspaces server configuration. CodeReady Workspaces deploys each workspace into a user’s dedicated project, which hosts all CodeReady Workspaces workspaces created by the user. The name of a OpenShift project must be provided as a CodeReady Workspaces server configuration property or pre-created by CodeReady Workspaces administrator.

With Operator installer, OpenShift project strategies are configured using server.workspaceNamespaceDefault property.

Operator CheCluster CR patch

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  name: <che-cluster-name>
spec:
  server:
    workspaceNamespaceDefault: <workspace-namespace> 1
1
- CodeReady Workspaces workspace project configuration
Note

The underlying environment variable that CodeReady Workspaces server uses is CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT.

Warning

By default, only one workspace in the same project can be running at one time. See Section 4.5, “Configuring the number of workspaces that a user can run”.

Warning

Kubernetes limits the length of a project name to 63 characters (this includes the evaluated placeholders). Additionally, the names (after placeholder evaluation) must be valid DNS names.

On OpenShift with multihost server exposure strategy, the length is further limited to 49 characters.

Be aware that the <userid> placeholder is evaluated into a 36 character long UUID string.

Warning

Use Section 4.2.3, “Pre-creating a project for each user” when:

  • che ServiceAccount does not have enough permissions when creating new project

  • OpenShift OAuth with a self-provisioner cluster role is not linked to the system:authenticated:oauth group

  • CodeReady Workspaces cannot create namespaces

4.2.1. One project per user strategy

The strategy isolates each user in their own project.

To use the strategy, set the CodeReady Workspaces workspace project configuration value to contain one or more user identifiers. Currently supported identifiers are <username> and <userid>.

Example 4.2. One project per user

To assign project names composed of a `codeready-ws` prefix and individual usernames (codeready-ws-user1, codeready-ws-user2), set:

Operator installer (CheCluster CustomResource)

...
spec:
  server:
    workspaceNamespaceDefault: codeready-ws-<username>
...

4.2.2. Handling incompatible usernames or user IDs

CodeReady Workspaces server automatically checks usernames and IDs for compatibility with OpenShift objects naming convention before creating a project from a template. Incompatible usernames or IDs are reduced to the nearest valid name by replacing groups of unsuitable symbols with the - symbol. The addition of a random 6-symbol suffix prevents IDs from collisions. The result is stored in preferences for reuse.

4.2.3. Pre-creating a project for each user

To pre-create a project for each user, use OpenShift labels and annotations. Such project is used in preference to CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT variable.

metadata:
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-namespace
  annotations:
    che.eclipse.org/username: <username>  1
1
target user’s username

To configure the labels, set the CHE_INFRA_KUBERNETES_NAMESPACE_LABELS to desired labels. To configure the annotations, set the CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS to desired annotations. See the CodeReady Workspaces server component system properties reference for more details.

Warning

Do not create multiple namespaces for a single user. It may lead to undefined behavior.

Important

On OpenShift with OAuth, the target user must have admin role privileges in the target namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: <namespace> 1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <username> 2
1
pre-created namespace
2
target user

On Kubernetes, che ServiceAccount must have a cluster-wide list and get namespaces permissions as well as an admin role in target namespace.

4.2.4. Labeling the namespaces

CodeReady Workspaces updates the workspace’s project on workspace startup by adding the labels defined in CHE_INFRA_KUBERNETES_NAMESPACE_LABELS. To do so, che ServiceAccount has to have the following cluster-wide permissions to update and get namespaces:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <cluster-role-name> 1
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - update
      - get
1
name of the cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <cluster-role-binding-name> 1
subjects:
  - kind: ServiceAccount
    name: <service-account-name> 2
    namespace: <service-accout-namespace> 3
roleRef:
  kind: ClusterRole
  name: <cluster-role-name> 4
  apiGroup: rbac.authorization.k8s.io
1
name of the cluster role binding
2
name of the che ServiceAccount
3
CodeReady Workspaces installation namespace
4
name of the cluster role created in previous step
Note

A lack of permissions does not prevent a CodeReady Workspaces workspace from starting, it only logs the warning. If you see the warnings in CodeReady Workspaces logs, consider disabling the feature by defining CHE_INFRA_KUBERNETES_NAMESPACE_LABEL=false.

4.3. Configuring storage strategies

This section describes how to configure storage strategies for CodeReady Workspaces workspaces.

4.3.1. Storage strategies for codeready-workspaces workspaces

Workspace Pods use Persistent Volume Claims (PVCs), which are bound to the physical Persistent Volumes (PVs) with ReadWriteOnce access mode. It is possible to configure how the CodeReady Workspaces server uses PVCs for workspaces. The individual methods for this configuration are called PVC strategies:

strategydetailsproscons

unique

One PVC per workspace volume or user-defined PVC

Storage isolation

An undefined number of PVs is required

per-workspace (default)

One PVC for one workspace

Easier to manage and control storage compared to unique strategy

PV count still is not known and depends on workspaces number

common

One PVC for all workspaces in one OpenShift namespace

Easy to manage and control storage

If PV does not support ReadWriteMany (RWX) access mode then workspaces must be in a separate OpenShift namespaces

Or there must not be more than 1 running workspace per namespace at the same time

CodeReady Workspaces uses the common PVC strategy in combination with the "one project per user" project strategy when all CodeReady Workspaces workspaces operate in the user’s project, sharing one PVC.

4.3.1.1. The common PVC strategy

All workspaces inside a OpenShift project use the same Persistent Volume Claim (PVC) as the default data storage when storing data such as the following in their declared volumes:

  • projects
  • workspace logs
  • additional Volumes defined by a use

When the common PVC strategy is in use, user-defined PVCs are ignored, and volumes related to these user-defined PVCs are replaced with a volume that refers to the common PVC. In this strategy, all CodeReady Workspaces workspaces use the same PVC. When the user runs one workspace, it only binds to one node in the cluster at a time.

The corresponding containers volume mounts link to a common volume, and sub-paths are prefixed with <workspace-ID> or <original-PVC-name>. For more details, see Section 4.3.1.4, “How subpaths are used in PVCs”.

The CodeReady Workspaces Volume name is identical to the name of the user-defined PVC. It means that if a machine is configured to use a CodeReady Workspaces volume with the same name as the user-defined PVC has, they will use the same shared folder in the common PVC.

When a workspace is deleted, a corresponding subdirectory (${ws-id}) is deleted in the PV directory.

Note

The common PVC will be removed when a user’s workspaces are all deleted. The PVC will be re-created when a non-ephemeral workspace is started.

Restrictions on using the common PVC strategy

When the common strategy is used, and a workspace PVC access mode is ReadWriteOnce (RWO), only one node can simultaneously use the PVC.

If there are several nodes, you can use the common strategy, but:

The common PVC strategy is not suitable for large multi-node clusters. Therefore, it is best to use it in single-node clusters. However, in combination with the per-workspace project strategy, the common PVC strategy is usable for clusters with not more than 75 nodes. The PVC used with this strategy must be large enough to accommodate all projects to prevent a situation in which one project depletes the resources of others.

4.3.1.2. The per-workspace PVC strategy

The per-workspace strategy is similar to the common PVC strategy. The only difference is that all workspace Volumes, but not all the workspaces, use the same PVC as the default data storage for:

  • projects
  • workspace logs
  • additional Volumes defined by a user

With this strategy, CodeReady Workspaces keeps its workspace data in assigned PVs that are allocated by a single PVC.

The per-workspace PVC strategy is the universal strategy out of the PVC strategies available and acts as a proper option for large multi-node clusters with a higher amount of users. Using the per-workspace PVC strategy, users can run multiple workspaces simultaneously, which results in more PVCs being created.

4.3.1.3. The unique PVC strategy

Using the `unique `PVC strategy, every CodeReady Workspaces Volume of a workspace has its own PVC. The workspace PVCs are then:

  • Created when a workspace starts for the first time.
  • Deleted when a corresponding workspace is deleted.

User-defined PVCs are created with the following specifics:

  • They are provisioned with generated names to prevent naming conflicts with other PVCs in a project.
  • Subpaths of the mounted Physical persistent volumes that reference user-defined PVCs are prefixed with <workspace-ID> or <PVC-name>. This ensures that the same PV data structure is configured with different PVC strategies. For details, see Section 4.3.1.4, “How subpaths are used in PVCs”.

The unique PVC strategy is suitable for larger multi-node clusters with a lesser amount of users. Since this strategy operates with separate PVCs for each volume in a workspace, vastly more PVCs are created.

4.3.1.4. How subpaths are used in PVCs

Subpaths illustrate the folder hierarchy in the Persistent Volumes (PV).

/pv0001
  /workspaceID1
  /workspaceID2
  /workspaceIDn
    /che-logs
    /projects
    /<volume1>
    /<volume2>
    /<User-defined PVC name 1 | volume 3>
    ...

When a user defines volumes for components in the devfile, all components that define the volume of the same name will be backed by the same directory in the PV as <PV-name>, <workspace-ID>, or `<original-PVC-name>. Each component can have this location mounted on a different path in its containers.

Example

Using the common PVC strategy, user-defined PVCs are replaced with subpaths on the common PVC. When the user references a volume as my-volume, it is mounted in the common-pvc with the /workspace-id/my-volume subpath.

4.3.2. Configuring a CodeReady Workspaces workspace with a persistent volume strategy

A persistent volume (PV) acts as a virtual storage instance that adds a volume to a cluster.

A persistent volume claim (PVC) is a request to provision persistent storage of a specific type and configuration, available in the following CodeReady Workspaces storage configuration strategies:

  • Common
  • Per-workspace
  • Unique

The mounted PVC is displayed as a folder in a container file system.

4.3.2.1. Configuring a PVC strategy using the Operator

The following section describes how to configure workspace persistent volume claim (PVC) strategies of a CodeReady Workspaces server using the Operator.

Warning

It is not recommended to reconfigure PVC strategies on an existing CodeReady Workspaces cluster with existing workspaces. Doing so causes data loss.

Operators are software extensions to OpenShift that use Custom Resources to manage applications and their components.

When deploying CodeReady Workspaces using the Operator, configure the intended strategy by modifying the spec.storage.pvcStrategy property of the CheCluster Custom Resource object YAML file.

Prerequisites

  • The oc tool is available.

Procedure

The following procedure steps are available for OpenShift command-line tool, '`oc’.

To do changes to the CheCluster YAML file, choose one of the following:

  • Create a new cluster by executing the oc apply command. For example:

    $ oc apply -f <my-cluster.yaml>
  • Update the YAML file properties of an already running cluster by executing the oc patch command. For example:

    $ oc patch checluster/codeready-workspaces --type=json \
      -p '[{"op": "replace", "path": "/spec/storage/pvcStrategy", "value": "per-workspace"}]'

Depending on the strategy used, replace the per-workspace option in the above example with unique or common.

4.4. Configuring storage types

Red Hat CodeReady Workspaces supports three types of storage with different capabilities:

  • Persistent
  • Ephemeral
  • Asynchronous

4.4.1. Persistent storage

Persistent storage allows storing user changes directly in the mounted Persistent Volume. User changes are kept safe by the OpenShift infrastructure (storage backend) at the cost of slow I/O, especially with many small files. For example, Node.js projects tend to have many dependencies and the node_modules/ directory is filled with thousands of small files.

Note

I/O speeds vary depending on the Storage Classes configured in the environment.

Persistent storage is the default mode for new workspaces. To make this setting visible in workspace configuration, add the following to the devfile:

attributes:
 persistVolumes: 'true'

4.4.2. Ephemeral storage

Ephemeral storage saves files to the emptyDir volume. This volume is initially empty. When a Pod is removed from a node, the data in the emptyDir volume is deleted forever. This means that all changes are lost on workspace stop or restart.

Important

To save the changes, commit and push to the remote before stopping an ephemeral workspace.

Ephemeral mode provides faster I/O than persistent storage. To enable this storage type, add the following to workspace configuration:

attributes:
 persistVolumes: 'false'

Table 4.17. Comparison between I/O of ephemeral (emptyDir) and persistent modes on AWS EBS

CommandEphemeralPersistent

Clone Red Hat CodeReady Workspaces

0 m 19 s

1 m 26 s

Generate 1000 random files

1 m 12 s

44 m 53 s

4.4.3. Asynchronous storage

Note

Asynchronous storage is an experimental feature.

Asynchronous storage is a combination of persistent and ephemeral modes. The initial workspace container mounts the emptyDir volume. Then a backup is performed on workspace stop, and changes are restored on workspace start. Asynchronous storage provides fast I/O (similar to ephemeral mode), and workspace project changes are persisted.

Synchronization is performed by the rsync tool using the SSH protocol. When a workspace is configured with asynchronous storage, the workspace-data-sync plug-in is automatically added to the workspace configuration. The plug-in runs the rsync command on workspace start to restore changes. When a workspace is stopped, it sends changes to the permanent storage.

For relatively small projects, the restore procedure is fast, and project source files are immediately available after Che-Theia is initialized. In case rsync takes longer, the synchronization process is shown in the Che-Theia status-bar area. (Extension in Che-Theia repository).

status bar file sync
Note

Asynchronous mode has the following limitations:

  • Supports only the common PVC strategy
  • Supports only the per-user project strategy
  • Only one workspace can be running at a time

To configure asynchronous storage for a workspace, add the following to workspace configuration:

attributes:
 asyncPersist: 'true'
 persistVolumes: 'false'

4.4.4. Configuring storage type defaults for CodeReady Workspaces dashboard

Use the following two che.properties to configure the default client values in CodeReady Workspaces dashboard:

che.workspace.storage.available_types

Defines available values for storage types that clients like the dashboard propose for users during workspace creation or update. Available values: persistent, ephemeral, and async. Separate multiple values by commas. For example:

che.workspace.storage.available_types=persistent,ephemeral,async
che.workspace.storage.preferred_type

Defines the default value for storage type that clients like the dashboard propose for users during workspace creation. The async value is not recommended as the default type because it is experimental. For example:

che.workspace.storage.preferred_type=persistent

Then users are able to configure Storage Type on the Create Custom Workspace tab on CodeReady Workspaces dashboard during workspace creation. Storage type for existing workspace can be configured in on Overview tab of the workspace details.

4.4.5. Idling asynchronous storage Pods

CodeReady Workspaces can shut down the Asynchronous Storage Pod when not used for a configured period of time.

Use these configuration properties to adjust the behavior:

che.infra.kubernetes.async.storage.shutdown_timeout_min
Defines the idle time after which the asynchronous storage Pod is stopped following the stopping of the last active workspace. The default value is 120 minutes.
che.infra.kubernetes.async.storage.shutdown_check_period_min
Defines the frequency with which the asynchronous storage Pod is checked for idleness. The default value is 30 minutes.

To increase the timeout of a CodeReady Workspaces workspace, use the following example, which sets the workspace timeout for 1800000 milliseconds that correspond to the interval of 30 minutes.

+

 $ oc patch checluster/codeready-workspaces --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT\": \"1800000\"}}}}" --type=merge -n openshift-workspaces

4.5. Configuring the number of workspaces that a user can run

This article describes how to configure the number of workspaces that a user can run simultaneously.

4.5.1. Using the Operator to configure the number of workspaces that a user can run

This procedure describes how to configure CodeReady Workspaces to run more than one workspace simultaneously. By running multiple workspaces, users can use different work environments simultaneously.

Prerequisites

  • You have installed an instance of CodeReady Workspaces by using the Operator.
  • The combination of PVC strategy and access mode meets the following criteria:

    • ReadWriteMany access mode and an arbitrary PVC strategy
    • ReadWriteOnce access mode and per-workspace or unique PVC strategy

    See Section 4.3, “Configuring storage strategies”.

  • You have determined the value of the <number-of-workspaces> placeholder.

    Note

    If the value is -1, an unlimited number of workspaces can run per user. If the value is a positive integer, users can run as many workspaces as the value of the integer. The default value is 1.

Procedure

  1. In the CheCluster Custom Resource server settings, configure the number of workspaces that a user can run by adding the CHE_LIMITS_USER_WORKSPACES_RUN_COUNT property to customCheProperties:

    apiVersion: org.eclipse.che/v1
    kind: CheCluster
    # [...]
    spec:
      server:
        # [...]
        customCheProperties:
          CHE_LIMITS_USER_WORKSPACES_RUN_COUNT: "<number-of-workspaces>"

4.6. Configuring the number of workspaces that a user can create

This article describes how to configure the number of workspaces that a user can create.

4.6.1. Using the Operator to configure the number of workspaces that a user can create

This procedure describes how to configure the number of workspaces that a user can create. By creating multiple workspaces, users can have access to workspaces with different configurations simultaneously.

Prerequisites

  • You have installed an instance of CodeReady Workspaces by using the Operator.
  • You have determined the value of the <number-of-workspaces> placeholder.

    Note

    If the value is -1, users can create an unlimited number of workspaces. If the value is a positive integer, users can create as many workspaces as the value of the integer. The default value is -1.

Procedure

  • In the CheCluster Custom Resource server settings, configure the number of workspaces that a user can create by adding the CHE_LIMITS_USER_WORKSPACES_COUNT property to customCheProperties:

    apiVersion: org.eclipse.che/v1
    kind: CheCluster
    # [...]
    spec:
      server:
        # [...]
        customCheProperties:
          CHE_LIMITS_USER_WORKSPACES_COUNT: "<number-of-workspaces>"

4.7. Configuring workspace exposure strategies

The following section describes how to configure workspace exposure strategies of a CodeReady Workspaces server and ensure that applications running inside are not vulnerable to outside attacks.

4.7.1. Configuring workspace exposure strategies using an Operator

Operators are software extensions to OpenShift that use Custom Resources to manage applications and their components.

Prerequisites

  • The oc tool is available.

Procedure

When deploying CodeReady Workspaces using the Operator, configure the intended strategy by modifying the spec.server.serverExposureStrategy property of the CheCluster Custom Resource object YAML file.

The supported values for spec.server.serverExposureStrategy are:

See Section 4.7.2, “Workspace exposure strategies” for more detail about individual strategies.

To activate changes done to CheCluster YAML file, do one of the following:

  • Create a new cluster by executing the crwctl command with applying a patch. For example:

    $ crwctl server:deploy  --installer=operator --platform=<platform> \
      --che-operator-cr-patch-yaml=patch.yaml
    Note

    For a list of available OpenShift deployment platforms, use crwctl server:deploy --platform --help.

    • Use the following patch.yaml file:

      apiVersion: org.eclipse.che/v1
      kind: CheCluster
      metadata:
        name: eclipse-che
      spec:
        server:
          serverExposureStrategy: '<exposure-strategy>' 1
      1
      - used workspace exposure strategy
  • Update the YAML file properties of an already running cluster by executing the oc patch command. For example:

    $ oc patch checluster/codeready-workspaces --type=json \
      -p '[{"op": "replace",
      "path": "/spec/server/serverExposureStrategy",
      "value": "<exposure-strategy>"}]' \ 1
      -n openshift-workspaces
    1
    - used workspace exposure strategy

4.7.2. Workspace exposure strategies

Specific components of workspaces need to be made accessible outside of the OpenShift cluster. This is typically the user interface of the workspace’s IDE, but it can also be the web UI of the application being developed. This enables developers to interact with the application during the development process.

The supported way of making workspace components available to the users is referred to as a strategy. This strategy defines whether new subdomains are created for the workspace components and what hosts these components are available on.

CodeReady Workspaces supports:

  • multi-host strategy
  • single-host strategy

    • with the gateway subtype

4.7.2.1. Multihost strategy

With multihost strategy, each workspace component is assigned a new subdomain of the main domain configured for the CodeReady Workspaces server. This is the default strategy.

This strategy is the easiest to understand from the perspective of component deployment because any paths present in the URL to the component are received as they are by the component.

On a CodeReady Workspaces server secured using the Transport Layer Security (TLS) protocol, creating new subdomains for each component of each workspace requires a wildcard certificate to be available for all such subdomains for the CodeReady Workspaces deployment to be practical.

4.7.2.2. Single-host strategy

With single-host strategy, all workspaces are deployed to sub-paths of the main CodeReady Workspaces server domain.

This is convenient for TLS-secured CodeReady Workspaces servers because it is sufficient to have a single certificate for the CodeReady Workspaces server, which will cover all the workspace component deployments as well.

Single-host strategy have two subtypes with different implementation methods. First subtype is named native. This strategy is available and default on Kubernetes, but not on OpenShift, since it uses Ingresses for servers exposing. The second subtype named gateway, works both on OpenShift, and uses a special Pod with reverse-proxy running inside to route requests.

Warning

With gateway single-host strategy, cluster network policies has to be configured so that workspace’s services are reachable from reverse-proxy Pod (typically in CodeReady Workspaces project). These typically lives in different project.

To define how to expose the endpoints specified in the devfile, define the CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE environment variable in the CodeReady Workspaces instance. This environment variable is only effective with the single-host server strategy and is applicable to all workspaces of all users.

4.7.2.2.1. devfile endpoints: single-host

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE: 'single-host'

This single-host configuration exposes the endpoints on subpaths, for example: https://<che-host>/serverihzmuqqc/go-cli-server-8080. This limits the exposed components and user applications. Any absolute URL generated on the server side that points back to the server does not work. This is because the server is hidden behind a path-rewriting reverse proxy that hides the unique URL path prefix from the component or user application.

For example, when the user accesses the hypothetical \https://codeready-<openshift_deployment_name>.<domain_name>/component-prefix-djh3d/app/index.php URL, the application sees the request coming to https://internal-host/app/index.php. If the application used the host in the URL that it generates in its UI, it would not work because the internal host is different from the externally visible host. However, if the application used an absolute path as the URL (for the example above, this would be /app/index.php), such URL would still not work. This is because on the outside, such URL does not point to the application, because it is missing the component-specific prefix.

Therefore, only applications that use relative URLs in their UI work with the single-host workspace exposure strategy.

4.7.2.2.2. devfile endpoints: multi-host

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE: 'multi-host'

This single-host configuration exposes the endpoints on subdomains, for example: http://serverihzmuqqc-go-cli-server-8080.<che-host>. These endpoints are exposed on an unsecured HTTP port. A dedicated Ingress or Route is used for such endpoints, even with gateway single-host setup.

This configuration limits the usability of previews shown directly in the editor page when CodeReady Workspaces is configured with TLS. Since https pages allow communication only with secured endpoints, users must open their application previews in another browser tab.

4.7.3. Security considerations

This section explains the security impact of using different CodeReady Workspaces workspace exposure strategies.

All the security-related considerations in this section are only applicable to CodeReady Workspaces in multiuser mode. The single user mode does not impose any security restrictions.

4.7.3.1. JSON web token (JWT) proxy

All CodeReady Workspaces plug-ins, editors, and components can require authentication of the user accessing them. This authentication is performed using a JSON web token (JWT) proxy that functions as a reverse proxy of the corresponding component, based on its configuration, and performs the authentication on behalf of the component.

The authentication uses a redirect to a special page on the CodeReady Workspaces server that propagates the workspace and user-specific authentication token (workspace access token) back to the originally requested page.

The JWT proxy accepts the workspace access token from the following places in the incoming requests, in the following order:

  1. The token query parameter
  2. The Authorization header in the bearer-token format
  3. The access_token cookie

4.7.3.2. Secured plug-ins and editors

CodeReady Workspaces users do not need to secure workspace plug-ins and workspace editors (such as Che-Theia). This is because the JWT proxy authentication is indiscernible to the user and is governed by the plug-in or editor definition in their meta.yaml descriptors.

4.7.3.3. Secured container-image components

Container-image components can define custom endpoints for which the devfile author can require CodeReady Workspaces-provided authentication, if needed. This authentication is configured using two optional attributes of the endpoint:

  • secure - A boolean attribute that instructs the CodeReady Workspaces server to put the JWT proxy in front of the endpoint. Such endpoints have to be provided with the workspace access token in one of the several ways explained in Section 4.7.3.1, “JSON web token (JWT) proxy”. The default value of the attribute is false.
  • cookiesAuthEnabled - A boolean attribute that instructs the CodeReady Workspaces server to automatically redirect the unauthenticated requests for current user authentication as described in Section 4.7.3.1, “JSON web token (JWT) proxy”. Setting this attribute to true has security consequences because it makes Cross-site request forgery (CSRF) attacks possible. The default value of the attribute is false.

4.7.3.4. Cross-site request forgery attacks

Cookie-based authentication can make an application secured by a JWT proxy prone to Cross-site request forgery (CSRF) attacks. See the Cross-site request forgery Wikipedia page and other resources to ensure your application is not vulnerable.

4.7.3.5. Phishing attacks

An attacker who is able to create an Ingress or route inside the cluster with the workspace that shares the host with some services behind a JWT proxy, the attacker may be able to create a service and a specially forged Ingress object. When such a service or Ingress is accessed by a legitimate user that was previously authenticated with a workspace, it can lead to the attacker stealing the workspace access token from the cookies sent by the legitimate user’s browser to the forged URL. To eliminate this attack vector, configure OpenShift to disallow setting the host of an Ingress.

4.8. Configuring workspaces nodeSelector

This section describes how to configure nodeSelector for Pods of CodeReady Workspaces workspaces.

Procedure

CodeReady Workspaces uses the CHE_WORKSPACE_POD_NODE__SELECTOR environment variable to configure nodeSelector. This variable may contain a set of comma-separated key=value pairs to form the nodeSelector rule, or NULL to disable it.

CHE_WORKSPACE_POD_NODE__SELECTOR=disktype=ssd,cpu=xlarge,[key=value]
Important

nodeSelector must be configured during CodeReady Workspaces installation. This prevents existing workspaces from failing to run due to volumes affinity conflict caused by existing workspace PVC and Pod being scheduled in different zones.

To avoid Pods and PVCs to be scheduled in different zones on large, multizone clusters, create an additional StorageClass object (pay attention to the allowedTopologies field), which will coordinate the PVC creation process.

Pass the name of this newly created StorageClass to CodeReady Workspaces through the CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME environment variable. A default empty value of this variable instructs CodeReady Workspaces to use the cluster’s default StorageClass.

4.9. Configuring Red Hat CodeReady Workspaces server hostname

This procedure describes how to configure CodeReady Workspaces to use custom hostname.

Prerequisites

  • The oc tool is available.
  • The certificate and the private key files are generated.
Important

To generate the pair of a private key and certificate, the same certification authority (CA) must be used as for other CodeReady Workspaces hosts.

Important

Ask a DNS provider to point the custom hostname to the cluster ingress.

Procedure

  1. Pre-create a project for CodeReady Workspaces:

    $ oc create project openshift-workspaces
  2. Create a TLS secret:

    $ oc create secret TLS ${secret} \  1
    --key ${key_file} \                       2
    --cert ${cert_file} \                     3
    -n openshift-workspaces
    1
    The TLS secret name
    2
    A file with the private key
    3
    A file with the certificate
  3. Set the following values in the Custom Resource:

    spec:
      server:
        cheHost: <hostname>         1
        cheHostTLSSecret: <secret>  2
    1
    Custom Red Hat CodeReady Workspaces server hostname
    2
    The TLS secret name
  4. If CodeReady Workspaces has been already deployed, wait until the rollout of all CodeReady Workspaces components finishes.

4.10. Configuring OpenShift Route

  • This procedure describes how to configure labels and annotations for OpenShift Route to organize and categorize objects by scoping and selecting.

Prerequisites

  • The oc tool is available.
  • An instance of CodeReady Workspaces running in OpenShift.

Procedure

  1. To configure labels for OpenShift Route, update the Custom Resource:

    Important

    Use comma to separate labels: key1=value1,key2=value2

    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/cheServerIngress/labels", '\
    '"value": "<labels for a codeready-workspaces server ingress>"}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/auth/identityProviderIngress/labels", '\
    '"value": "<labels for a RH-SSO ingress>"}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/pluginRegistryIngress/labels", '\
    '"value": "<labels for a plug-ins registry ingress>"}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/devfileRegistryIngress/labels",'\
    '"value": "<labels for a devfile registry ingress>"}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/dashboardIngress/labels",'\
    '"value": "<labels for a dashboard ingress>"}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/customCheProperties/CHE_INFRA_KUBERNETES_INGRESS_LABELS", '\
    '"value": "<labels for a workspace ingress>"}]'
  2. To configure annotations for OpenShift Route, update the Custom Resource with the following commands:

    Important

    Use object to specify annotations: {"key1": "value1", "key2" : "value2"}

    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/cheServerIngress/annotations", '\
    '"value": <annotations for a codeready-workspaces server ingress>}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/auth/identityProviderIngress/annotations", '\
    '"value": <annotations for a RH-SSO ingress>}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/pluginRegistryIngress/annotations", '\
    '"value": <annotations for a plug-ins registry ingress>}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/devfileRegistryIngress/annotations",'\
    '"value": <annotations for a devfile registry ingress>}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/dashboardIngress/annotations",'\
    '"value": <annotations for a dashboard ingress>}]'
    
    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/customCheProperties/CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON", '\
    '"value": "<annotations for a workspace ingress in json format>"}]'

4.11. Configuring OpenShift Route to work with Router Sharding

This procedure describes how to configure labels, annotations, and domains for OpenShift Route to work with Router Sharding. The chapter then mentions the configuration process for existing instances or those about to be installed.

Prerequisites

  • The oc and crwctl tool is available.

Procedure

  • For a new OperatorHub installation:

    1. Enter the CodeReady Workspaces Cluster using OpenShift Container Platform and create CheCluster Custom Resource (CR). See, Creating an instance of the Red Hat CodeReady Workspaces Operator
    2. Set the following values in codeready-workspaces Custom Resource (CR):

      spec:
        server:
          devfileRegistryRoute:
            labels: <labels> 1
            domain: <domain> 2
            annotations:     3
              key1: value1
              key2: value2
          pluginRegistryRoute:
            labels: <labels> 4
            domain: <domain> 5
            annotations:     6
              key1: value1
              key2: value2
          dashboardRoute:
            labels: <labels> 7
            domain: <domain> 8
            annotations:     9
              key1: value1
              key2: value2
          cheServerRoute:
            labels: <labels> 10
            domain: <domain> 11
            annotations:     12
              key1: value1
              key2: value2
          customCheProperties:
            CHE_INFRA_OPENSHIFT_ROUTE_LABELS: <labels> 13
            CHE_INFRA_OPENSHIFT_ROUTE_HOST_DOMAIN__SUFFIX: <domain> 14
        auth:
          identityProviderRoute:
            labels: <labels> 15
            domain: <domain> 16
            annotations:     17
              key1: value1
              key2: value2
      1 4 7 10 13 15
      comma separated list of labels that are used by the target ingress controller to filter the set of Routes to service
      2 5 8 11 14 16
      DNS name serviced by the target ingress controller
      3 6 9 12 17
      unstructured key value map stored with a resource
  • For a new crwctl installation:

    1. Configure the installation using:

      $ crwctl server:deploy --che-operator-cr-patch-yaml=patch.yaml ...

      The patch.yaml file must contain the following:

      spec:
        server:
          devfileRegistryRoute:
            labels: <labels> 1
            domain: <domain> 2
            annotations:     3
              key1: value1
              key2: value2
          pluginRegistryRoute:
            labels: <labels> 4
            domain: <domain> 5
            annotations:     6
              key1: value1
              key2: value2
          dashboardRoute:
            labels: <labels> 7
            domain: <domain> 8
            annotations:     9
              key1: value1
              key2: value2
          cheServerRoute:
            labels: <labels> 10
            domain: <domain> 11
            annotations:     12
              key1: value1
              key2: value2
          customCheProperties:
            CHE_INFRA_OPENSHIFT_ROUTE_LABELS: <labels> 13
            CHE_INFRA_OPENSHIFT_ROUTE_HOST_DOMAIN__SUFFIX: <domain> 14
        auth:
          identityProviderRoute:
            labels: <labels> 15
            domain: <domain> 16
            annotations:     17
              key1: value1
              key2: value2
      1 4 7 10 13 15
      comma separated list of labels that are used by the target ingress controller to filter the set of Routes to service
      2 5 8 11 14 16
      DNS name serviced by the target ingress controller
      3 6 9 12 17
      unstructured key value map stored with a resource
  • For already existing CodeReady Workspaces installation:

    1. Update codeready-workspaces CR using the oc tool:

      1. To configure labels:

        Important

        Use comma to separate labels: key1=value1,key2=value2

        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/cheServerRoute/labels",'\
        '"value": "<labels for a codeready-workspaces server route>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/pluginRegistryRoute/labels", '\
        '"value": "<labels for a plug-ins registry route>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/devfileRegistryRoute/labels", '\
        '"value": "<labels for a devfile registry route>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/dashboardRoute/labels", '\
        '"value": "<labels for a dashboard route>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/auth/identityProviderRoute/labels", '\
        '"value": "<labels for a RH-SSO route>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/customCheProperties/CHE_INFRA_OPENSHIFT_ROUTE_LABELS", '\
        '"value": "<labels for a workspace routes>"}]'
      2. To configure domains:

        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/cheServerRoute/domain",'\
        '"value": "<ingress domain>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/pluginRegistryRoute/domain", '\
        '"value": "<ingress domain>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/devfileRegistryRoute/domain", '\
        '"value": "<ingress domain>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/dashboardRoute/domain", '\
        '"value": "<ingress domain>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/auth/identityProviderRoute/domain", '\
        '"value": "<ingress domain>"}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/customCheProperties/CHE_INFRA_OPENSHIFT_ROUTE_HOST_DOMAIN__SUFFIX", '\
        '"value": "<ingress domain>"}]'
      3. To configure annotations:

        Important

        Use object to specify annotations: {"key1": "value1", "key2" : "value2"}

        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/cheServerRoute/annotations",'\
        '"value": <annotations for a codeready-workspaces ingress>}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/pluginRegistryRoute/annotations", '\
        '"value": <annotations for a plug-ins registry ingress>}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/devfileRegistryRoute/annotations", '\
        '"value": <annotations for a devfile registry ingress>}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/server/dashboardRoute/annotations", '\
        '"value": <annotations for a dashboard ingress>}]'
        $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
        '[{"op": "replace", "path": "/spec/auth/identityProviderRoute/annotations", '\
        '"value": <annotations for a RH-SSO ingress>}]'

4.12. Deploying CodeReady Workspaces with support for Git repositories with self-signed certificates

This procedure describes how to configure CodeReady Workspaces for deployment with support for Git operations on repositories that use self-signed certificates.

Prerequisites

  • Git version 2 or later

Procedure

Configuring support for self-signed Git repositories.

  1. Create a new ConfigMap with details about the Git server:

    $ oc create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \  1
      --from-literal=githost=<host:port> -n openshift-workspaces  2
    1
    Path to self-signed certificate
    2
    The host and port of the HTTPS connection on the Git server (optional).
    Note
    • When githost is not specified, the given certificate is used for all HTTPS repositories.
    • Certificate files are typically stored as Base64 ASCII files, such as. .pem, .crt, .ca-bundle. Also, they can be encoded as binary data, for example, .cer. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.
  2. Configure CodeReady Workspaces to use self-signed certificates for git repositories:

    Update the gitSelfSignedCert property. To do that, execute:

    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json \
      -p '[{"op": "replace", "path": "/spec/server/gitSelfSignedCert", "value": true}]'
  3. Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The repository’s .git/config file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config). For example:

    [http "https://10.33.177.118:3000"]
    sslCAInfo = /etc/che/git/cert/ca.crt

4.13. Installing CodeReady Workspaces using storage classes

To configure CodeReady Workspaces to use a configured infrastructure storage, install CodeReady Workspaces using storage classes. This is especially useful when a user wants to bind a persistent volume provided by a non-default provisioner. To do so, a user binds this storage for the CodeReady Workspaces data saving and sets the parameters for that storage. These parameters can determine the following:

  • A special host path
  • A storage capacity
  • A volume mod
  • Mount options
  • A file system
  • An access mode
  • A storage type
  • And many others

CodeReady Workspaces has two components that require persistent volumes to store data:

  • A PostgreSQL database.
  • A CodeReady Workspaces workspaces. CodeReady Workspaces workspaces store source code using volumes, for example /projects volume.
Note

CodeReady Workspaces workspaces source code is stored in the persistent volume only if a workspace is not ephemeral.

Persistent volume claims facts:

  • CodeReady Workspaces does not create persistent volumes in the infrastructure.
  • CodeReady Workspaces uses persistent volume claims (PVC) to mount persistent volumes.
  • The CodeReady Workspaces server creates persistent volume claims.

    A user defines a storage class name in the CodeReady Workspaces configuration to use the storage classes feature in the CodeReady Workspaces PVC. With storage classes, a user configures infrastructure storage in a flexible way with additional storage parameters. It is also possible to bind a static provisioned persistent volumes to the CodeReady Workspaces PVC using the class name.

Procedure

Use CheCluster Custom Resource definition to define storage classes:

  1. Define storage class names

    To do so, use one of the following methods:

    • Use arguments for the server:deploy command

      1. Provide the storage class name for the PostgreSQL PVC

        Use the crwctl server:deploy command with the --postgres-pvc-storage-class-name flag:

        $ crwctl server:deploy -m -p minikube -a operator --postgres-pvc-storage-class-name=postgress-storage
      2. Provide the storage class name for the CodeReady Workspaces workspaces

        Use the server:deploy command with the --workspace-pvc-storage-class-name flag:

        $ crwctl server:deploy -m -p minikube -a operator --workspace-pvc-storage-class-name=workspace-storage

        For CodeReady Workspaces workspaces, the storage class name has different behavior depending on the workspace PVC strategy.

        Note

        postgres-pvc-storage-class-name=postgress-storage and workspace-pvc-storage-class-name work for the Operator installer and the Helm installer.

    • Define storage class names using a Custom Resources YAML file:

      1. Create a YAML file with Custom Resources defined for the CodeReady Workspaces installation.
      2. Define fields: spec#storage#postgresPVCStorageClassName and spec#storage#workspacePVCStorageClassName.

        apiVersion: org.eclipse.che/v1
        kind: CheCluster
        metadata:
          name: codeready-workspaces
        spec:
          # ...
          storage:
            # ...
            # keep blank unless you need to use a non default storage class for PostgreSQL PVC
            postgresPVCStorageClassName: 'postgres-storage'
            # ...
            # keep blank unless you need to use a non default storage class for workspace PVC(s)
            workspacePVCStorageClassName: 'workspace-storage'
            # ...
      3. Start the codeready-workspaces server with your Custom Resources:

        $ crwctl server:deploy -m -p minikube -a operator --che-operator-cr-yaml=/path/to/custom/che/resource/org_v1_che_cr.yaml
  2. Configure CodeReady Workspaces to store workspaces in one persistent volume and a PostreSQL database in the second one:

    1. Modify your Custom Resources YAML file:

      • Set pvcStrategy as common.
      • Configure CodeReady Workspaces to start workspaces in a single project.
      • Define storage class names for postgresPVCStorageClassName and workspacePVCStorageClassName.
      • Example of the YAML file:

        apiVersion: org.eclipse.che/v1
        kind: CheCluster
        metadata:
          name: codeready-workspaces
        spec:
          server:
            # ...
            workspaceNamespaceDefault: codeready-ws-<username>
            # ...
          storage:
            # ...
            # Defaults to common
            pvcStrategy: 'common'
            # ...
            # keep blank unless you need to use a non default storage class for PostgreSQL PVC
            postgresPVCStorageClassName: 'postgres-storage'
            # ...
            # keep blank unless you need to use a non default storage class for workspace PVC(s)
            workspacePVCStorageClassName: 'workspace-storage'
            # ...
    2. Start the codeready-workspaces server with your Custom Resources:

      $ crwctl server:deploy -m -p minikube -a operator --che-operator-cr-yaml=/path/to/custom/che/resource/org_v1_che_cr.yaml
  3. Bind static provisioned volumes using class names:

    1. Define the persistent volume for a PostgreSQL database:

      # che-postgres-pv.yaml
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: postgres-pv-volume
        labels:
          type: local
      spec:
        storageClassName: postgres-storage
        capacity:
          storage: 1Gi
        accessModes:
          - ReadWriteOnce
        hostPath:
          path: "/data/che/postgres"
    2. Define the persistent volume for a CodeReady Workspaces workspace:

      # che-workspace-pv.yaml
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: workspace-pv-volume
        labels:
          type: local
      spec:
        storageClassName: workspace-storage
        capacity:
          storage: 10Gi
        accessModes:
          - ReadWriteOnce
        hostPath:
          path: "/data/che/workspace"
    3. Bind the two persistent volumes:
$ oc apply -f che-workspace-pv.yaml -f che-postgres-pv.yaml
Note

You must provide valid file permissions for volumes. You can do it using storage class configuration or manually. To manually define permissions, define storageClass#mountOptions uid and gid. PostgreSQL volume requires uid=26 and gid=26.

4.14. Importing untrusted TLS certificates to CodeReady Workspaces

External communications between CodeReady Workspaces components are, by default, encrypted with TLS. Communications of CodeReady Workspaces components with external services such as proxies, source code repositories, and "RH-SSO Identity Provider" may require using TLS. Those communications require the use of TLS certificates signed by trusted Certificate Authorities.

Note

When the certificates used by CodeReady Workspaces components or by an external service are signed by an untrusted CA, it can be necessary to import the CA certificate in the CodeReady Workspaces installation so that every CodeReady Workspaces component will consider them as signed by a trusted CA.

Typical cases that may require this addition are:

  • When the underlying OpenShift cluster that uses TLS certificates signed by a CA that is not trusted.
  • When CodeReady Workspaces server or workspace components connect to external services such as RH-SSO or a Git server that use TLS certificates signed by an untrusted CA.

CodeReady Workspaces uses labeled ConfigMaps in project as sources for TLS certificates. The ConfigMaps can have an arbitrary number of keys with a random number of certificates each.

Note

When the cluster contains cluster-wide trusted CA certificates added through the cluster-wide-proxy configuration, CodeReady Workspaces Operator detects them and automatically injects them into this ConfigMap:

  • CodeReady Workspaces automatically labels the ConfigMap with the config.openshift.io/inject-trusted-cabundle="true" label.
  • Based on this annotation, OpenShift automatically injects the cluster-wide trusted CA certificates inside the ca-bundle.crt key of ConfigMap
Important

Some CodeReady Workspaces components require to have a full certificate chain to trust the endpoint. If the cluster is configured with an intermediate certificate, then the whole chain (including self-signed root) should be added to CodeReady Workspaces.

4.14.1. Adding new CA certificates into CodeReady Workspaces

The following procedure is applicable for already installed and running instances and for instances that are to be installed.

Note

If you are using CodeReady Workspaces version lower than 2.5.1 see this guide on how to apply additional TLS certificates.

Prerequisites

  • The oc tool is available.
  • Namespace for CodeReady Workspaces exists.

Procedure

  1. Save the certificates you need to import, to a local file system.

    Caution
    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, .ca-bundle. But, they can also be binary-encoded, for example, as .cer files. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary-encoded certificate.
    • CodeReady Workspaces already uses some reserved file names to automatically inject certificates into the ConfigMap, so you should avoid using the following reserved file names to save your certificates:

      • ca-bundle.crt
      • ca.crt
  2. Create a new ConfigMap with the required TLS certificates:

    $ oc create configmap custom-certs --from-file=<bundle-file-path> -n=openshift-workspaces

    Add another -from-file=<bundle-file-path> flag to apply more than one bundle. Otherwise, create another ConfigMap.

  3. Label created ConfigMaps with both app.kubernetes.io/part-of=che.eclipse.org and app.kubernetes.io/component=ca-bundle labels:

    $ oc label configmap custom-certs app.kubernetes.io/part-of=che.eclipse.org app.kubernetes.io/component=ca-bundle -n <crw-namespace-name>
  4. Deploy CodeReady Workspaces if it has not been deployed before. Otherwise wait until the rollout of CodeReady Workspaces components finishes. If there are running workspaces, they should be restarted for the changes to take effect.

4.14.2. Verification at the CodeReady Workspaces installation level

When something does not work as expected after adding the certificates, here is a list of things to verify:

  • In case of a CodeReady Workspaces Operator deployment, the namespace where the CheCluster is located contains labeled ConfigMaps with the right content:

    $ oc get cm --selector=app.kubernetes.io/component=ca-bundle,app.kubernetes.io/part-of=che.eclipse.org -n openshift-workspaces

    Check the content of ConfigMap by running:

$ {orch-cli} get cm __<name>__ -n {prod-namespace} -o yaml
  • CodeReady Workspaces Pod Volumes list contains a volume that uses ca-certs-merged ConfigMap as data-source. To get the list of Volumes of the CodeReady Workspaces Pod:

    $ oc get pod -o json <codeready-workspaces-pod-name> -n openshift-workspaces | jq .spec.volumes
  • CodeReady Workspaces mounts certificates in folder /public-certs/ of the CodeReady Workspaces server container. This command returns the list of files in that folder:

    $ oc exec -t <codeready-workspaces-pod-name> -n openshift-workspaces -- ls /public-certs/
  • In the CodeReady Workspaces server logs, there is a line for every certificate added to the Java truststore, including configured CodeReady Workspaces certificates.

    $ oc logs <codeready-workspaces-pod-name> -n openshift-workspaces
  • CodeReady Workspaces server Java truststore contains the certificates. The certificates SHA1 fingerprints are among the list of the SHA1 of the certificates included in the truststore returned by the following command:

    $ oc exec -t <codeready-workspaces-pod-name> -n openshift-workspaces -- keytool -list -keystore /home/jboss/cacerts
    Your keystore contains 141 entries:
    +
    (...)

    To get the SHA1 hash of a certificate on the local filesystem:

    $ openssl x509 -in <certificate-file-path> -fingerprint -noout
    SHA1 Fingerprint=3F:DA:BF:E7:A7:A7:90:62:CA:CF:C7:55:0E:1D:7D:05:16:7D:45:60

4.14.3. Verification at the workspace level

  • Start a workspace, obtain the project name in which it has been created, and wait for the workspace to be started.
  • Get the name of the workspace Pod with the following command:

    $ oc get pods -o=jsonpath='{.items[0].metadata.name}' -n <workspace namespace> | grep '^workspace.*'
  • Get the name of the Che-Theia IDE container in the workspace Pod with the following command:

    $ oc get -o json pod <workspace pod name>  -n <workspace namespace> | \
        jq -r '.spec.containers[] | select(.name | startswith("theia-ide")).name'
  • Look for a ca-certs ConfigMap that should have been created inside the workspace namespace:

    $ oc get cm ca-certs <workspace namespace>
  • Check that the entries in the ca-certs ConfigMap contain all the additional entries you added before. In addition, it can contain ca-bundle.crt entry which is a reserved one:

    $ oc get cm ca-certs -n <workspace namespace> -o json | jq -r '.data | keys[]'
    ca-bundle.crt
    source-config-map-name.data-key.crt
  • Confirm that the ca-certs ConfigMap has been added as a volume in the workspace Pod:

    $ oc get -o json pod <workspace pod name> -n <workspace namespace> | \
        jq '.spec.volumes[] | select(.configMap.name == "ca-certs")'
    {
      "configMap": {
        "defaultMode": 420,
        "name": "ca-certs"
      },
      "name": "che-self-signed-certs"
    }
  • Confirm that the volume is mounted into containers, especially in the Che-Theia IDE container:

    $ oc get -o json pod <workspace pod name> -n <workspace namespace> | \
       jq '.spec.containers[] | select(.name == "<theia ide container name>").volumeMounts[] | select(.name == "che-self-signed-certs")'
    {
      "mountPath": "/public-certs",
      "name": "che-self-signed-certs",
      "readOnly": true
    }
  • Inspect the /public-certs folder in the Che-Theia IDE container and check that its contents match the list of entries in the ca-certs ConfigMap:

    $ oc exec <workspace pod name> -c <theia ide container name> -n <workspace namespace> -- ls /public-certs
    ca-bundle.crt
    source-config-map-name.data-key.crt

4.15. Switching between external and internal DNS names in inter-component communication

By default, new CodeReady Workspaces deployments use OpenShift services DNS names for communications between CodeReady Workspaces server, RH-SSO, registries, and helps with:

  • Bypassing proxy, certificates, and firewalls issues
  • Speeding up the traffic

This type of communication is an alternative to the external method of inter-component communication, which uses OpenShift Route cluster host names. In the situations described below, using OpenShift internal DNS names is not supported. By disabling the use of the internal cluster host name in inter-component communication, the communication using external OpenShift Route will come into effect.

Internal inter-component communication restrictions in OpenShift

  • The CodeReady Workspaces components are deployed across multicluster OpenShift environments.
  • The OpenShift NetworkPolicies restricts communication between namespaces.

The following section describes how to enable and disable the external inter-component communication for OpenShift Route.

Prerequisites

  • The oc tool is available.
  • An instance of CodeReady Workspaces running in OpenShift.

Procedure

Switching between external and internal inter-component communication method is reached through the update against Custom Resource (CR).

  1. To use external OpenShift Route in inter-component communication:

    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/disableInternalClusterSVCNames", "value": true}]'
  2. To use internal OpenShift DNS names in the inter-component communication:

    $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
    '[{"op": "replace", "path": "/spec/server/disableInternalClusterSVCNames", "value": false}]'

4.16. Setting up the RH-SSO codeready-workspaces-username-readonly theme for the Red Hat CodeReady Workspaces login page

The following procedure is relevant for all CodeReady Workspaces instances with the OpenShift OAuth service enabled.

When a user with pre-created namespaces logs in to Red Hat CodeReady Workspaces Dashboard for the first time, a page allowing the user to update account information is displayed. It is possible to change the username, but choosing a username that doesn’t match the OpenShift username, prevents the user’s workspaces from running. This is caused by CodeReady Workspaces attempts to use a non-existing namespace, the name of which is derived from a user OpenShift username, to create a workspace. To prevent this, log in to RH-SSO and modify the theme settings.

4.16.1. Logging in to RH-SSO

The following procedure describes how to log in to RH-SSO, which acts as a route for OpenShift platforms. To log in to RH-SSO, a user has to obtain the RH-SSO URL and a user’s credentials first.

Prerequisites

  • The oc tool installed.
  • Logged in to OpenShift cluster using the oc tool.

Procedure

  1. Obtain a user RH-SSO login:

    oc get secret che-identity-secret  -n openshift-workspaces -o json | jq -r '.data.user' | base64 -d
  2. Obtain a user RH-SSO password:

    oc get secret che-identity-secret  -n openshift-workspaces -o json | jq -r '.data.password' | base64 -d
  3. Obtain the RH-SSO URL:

    oc  get ingress -n openshift-workspaces -l app=che,component=keycloak   -o 'custom-columns=URL:.spec.rules[0].host' --no-headers
  4. Open the URL in a browser and log in to RH-SSO using the obtained login and password.

4.16.2. Setting up the RH-SSO codeready-workspaces-username-readonly theme

Prerequisites

  • An instance of CodeReady Workspaces running in OpenShift.
  • A user is logged in to the RH-SSO service.

Procedure

After changing a username, set the Login Theme option to readonly.

  1. In the main Configure menu on the left, select Realm Settings:

    crw keycloak username readonly theme
  2. Navigate to the Themes tab.
  3. In the Login Theme field, select the codeready-workspaces-username-readonly option and click the Save button to apply the changes.

4.17. Mounting a Secret or a ConfigMap as a file or an environment variable into a CodeReady Workspaces container

Secrets are OpenShift objects that store sensitive data such as:

  • usernames
  • passwords
  • authentication tokens

in an encrypted form.

Users can mount a OpenShift Secret that contains sensitive data or a ConfigMap that contains configuration in a CodeReady Workspaces managed containers as:

  • a file
  • an environment variable

The mounting process uses the standard OpenShift mounting mechanism, but it requires additional annotations and labeling.

4.17.1. Mounting a Secret or a ConfigMap as a file into a CodeReady Workspaces container

Prerequisites

Procedure

  1. Create a new OpenShift Secret or a ConfigMap in the OpenShift project where a CodeReady Workspaces is deployed. The labels of the object that is about to be created must match the set of labels:

    • app.kubernetes.io/part-of: che.eclipse.org
    • app.kubernetes.io/component: <DEPLOYMENT_NAME>-<OBJECT_KIND>
    • The <DEPLOYMENT_NAME> corresponds to the one following deployments:

      • postgres
      • keycloak
      • devfile-registry
      • plugin-registry
      • codeready

        and

    • <OBJECT_KIND> is either:

      • secret

        or

      • configmap

Example 4.3. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-settings
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-secret
...

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-settings
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-configmap
...

Annotations must indicate that the given object is mounted as a file.

  1. Configure the annotation values:

    • che.eclipse.org/mount-as: file - To indicate that a object is mounted as a file.
    • che.eclipse.org/mount-path: <TARGET_PATH> - To provide a required mount path.

Example 4.4. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-data
  annotations:
    che.eclipse.org/mount-as: file
    che.eclipse.org/mount-path: /data
  labels:
...

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-data
  annotations:
    che.eclipse.org/mount-as: file
    che.eclipse.org/mount-path: /data
  labels:
...

The OpenShift object may contain several items whose names must match the desired file name mounted into the container.

Example 4.5. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-data
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-secret
  annotations:
    che.eclipse.org/mount-as: file
    che.eclipse.org/mount-path: /data
data:
  ca.crt: <base64 encoded data content here>

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-data
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-configmap
  annotations:
    che.eclipse.org/mount-as: file
    che.eclipse.org/mount-path: /data
data:
  ca.crt: <data content here>

This results in a file named ca.crt being mounted at the /data path of CodeReady Workspaces container.

Important

To make the changes in a CodeReady Workspaces container visible, recreate the object entirely.

4.17.2. Mounting a Secret or a ConfigMap as an environment variable into a CodeReady Workspaces container

Prerequisites

Procedure

  1. Create a new OpenShift Secret or a ConfigMap in the OpenShift project where a CodeReady Workspaces is deployed. The labels of the object that is about to be created must match the set of labels:

    • app.kubernetes.io/part-of: che.eclipse.org
    • app.kubernetes.io/component: <DEPLOYMENT_NAME>-<OBJECT_KIND>
    • The <DEPLOYMENT_NAME> corresponds to the one following deployments:

      • postgres
      • keycloak
      • devfile-registry
      • plugin-registry
      • codeready

        and

    • <OBJECT_KIND> is either:

      • secret

        or

      • configmap

Example 4.6. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-settings
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-secret
...

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-settings
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: codeready-configmap
...

Annotations must indicate that the given object is mounted as a environment variable.

  1. Configure the annotation values:

    • che.eclipse.org/mount-as: env - to indicate that a object is mounted as an environment variable
    • che.eclipse.org/env-name: <FOO_ENV> - to provide an environment variable name, which is required to mount a object key value

Example 4.7. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-settings
  annotations:
    che.eclipse.org/env-name: FOO_ENV
    che.eclipse.org/mount-as: env
  labels:
   ...
data:
  mykey: myvalue

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-settings
  annotations:
    che.eclipse.org/env-name: FOO_ENV
    che.eclipse.org/mount-as: env
  labels:
   ...
data:
  mykey: myvalue

This results in two environment variables:

  • FOO_ENV
  • myvalue

being provisioned into a CodeReady Workspaces container.

If the object provides more than one data item, the environment variable name must be provided for each of the data keys as follows:

Example 4.8. Example:

apiVersion: v1
kind: Secret
metadata:
  name: custom-settings
  annotations:
    che.eclipse.org/mount-as: env
    che.eclipse.org/mykey_env-name: FOO_ENV
    che.eclipse.org/otherkey_env-name: OTHER_ENV
  labels:
   ...
data:
  mykey: __<base64 encoded data content here>__
  otherkey: __<base64 encoded data content here>__

or

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-settings
  annotations:
    che.eclipse.org/mount-as: env
    che.eclipse.org/mykey_env-name: FOO_ENV
    che.eclipse.org/otherkey_env-name: OTHER_ENV
  labels:
   ...
data:
  mykey: __<data content here>__
  otherkey: __<data content here>__

This results in two environment variables:

  • FOO_ENV
  • OTHER_ENV

being provisioned into a CodeReady Workspaces container.

Note

The maximum length of annotation names in a OpenShift object is 63 characters, where 9 characters are reserved for a prefix that ends with /. This acts as a restriction for the maximum length of the key that can be used for the object.

Important

To make the changes in a CodeReady Workspaces container visible, recreate the object entirely.

4.18. Enabling Dev Workspace engine

This procedure describes how to enable the Dev Workspace engine to support the Devfile 2.0.0 file format and mentions how to do so on existing instances or those about to be installed.

Prerequisites

  • The oc and crwctl tools are available.

Procedure

  • For a new OperatorHub installation:

    1. Enter the Red Hat CodeReady Workspaces Cluster using OpenShift Container Platform and create CheCluster Custom Resource (CR). See, Creating an instance of the Red Hat CodeReady Workspaces Operator
    2. Set the following values in codeready-workspaces Custom Resource (CR):

      spec:
        devWorkspace:
          enable: true
  • For a new crwctl installation:

    1. Configure the the crwctl installation using:

      $ crwctl server:deploy --che-operator-cr-patch-yaml=patch.yaml ...

      patch.yaml must contain the following:

      spec:
        devWorkspace:
          enable: true
  • For already existing CodeReady Workspaces installation:

    1. Update codeready-workspaces CR using the oc tool:

      $ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=json -p \
      '[{"op": "replace", "path": "/spec/devWorkspace/enable", "value": true}]'

Additional resources

For information about installation methods mentioned in this chapter, see Chapter 3, Installing CodeReady Workspaces.