Chapter 2. Configuring the CodeReady Workspaces installation
The following section describes configuration options to install Red Hat CodeReady Workspaces using the Operator.
2.1. Understanding the `CheCluster` Custom Resource
A default deployment of CodeReady Workspaces consists of the Red Hat CodeReady Workspaces Operator applying a parametrized `CheCluster` Custom Resource.
`CheCluster` Custom Resource
- A YAML document describing the configuration of the overall CodeReady Workspaces installation.
- Contains sections to configure each component: `auth`, `database`, `server`, `storage`.
Role of the Red Hat CodeReady Workspaces Operator
- To translate the `CheCluster` Custom Resource into configuration (ConfigMap) usable by each component of the CodeReady Workspaces installation.
Role of the OpenShift platform
- To apply the configuration (ConfigMap) for each component.
- To create the necessary Pods.
- When OpenShift detects a change in the configuration of a component, it restarts the Pods accordingly.
Example 2.1. Configuring the main properties of the CodeReady Workspaces server component
- The user applies a `CheCluster` Custom Resource containing some configuration related to the `server`.
- The Operator generates a necessary ConfigMap, called `che`.
- OpenShift detects change in the ConfigMap and triggers a restart of the CodeReady Workspaces Pod.
Additional resources
- Understanding Operators.
- Understanding Custom Resources.
- To learn how to modify the `CheCluster` Custom Resource, see the chosen installation procedure.
2.2. `CheCluster` Custom Resource fields reference
This section describes all fields available to customize the `CheCluster` Custom Resource.
- Example 2.2, “A minimal `CheCluster` Custom Resource example.”
- Table 2.1, “`CheCluster` Custom Resource `server` settings, related to the CodeReady Workspaces server component.”
- Table 2.2, “`CheCluster` Custom Resource `database` configuration settings related to the database used by CodeReady Workspaces.”
- Table 2.3, “Custom Resource `auth` configuration settings related to authentication used by CodeReady Workspaces.”
- Table 2.4, “`CheCluster` Custom Resource `storage` configuration settings related to persistent storage used by CodeReady Workspaces.”
- Table 2.5, “`CheCluster` Custom Resource `k8s` configuration settings specific to CodeReady Workspaces installations on OpenShift.”
- Table 2.6, “`CheCluster` Custom Resource `metrics` settings, related to the CodeReady Workspaces metrics collection used by CodeReady Workspaces.”
- Table 2.7, “`CheCluster` Custom Resource `status` defines the observed state of CodeReady Workspaces installation”
Example 2.2. A minimal `CheCluster` Custom Resource example.
```yaml
apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  name: codeready-workspaces
spec:
  auth:
    externalIdentityProvider: false
  database:
    externalDb: false
  server:
    selfSignedCert: false
    gitSelfSignedCert: false
    tlsSupport: true
  storage:
    pvcStrategy: 'common'
    pvcClaimSize: '1Gi'
```
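
Table 2.1. `CheCluster` Custom Resource `server` settings, related to the CodeReady Workspaces server component.

Property | Description |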
---|---|
airGapContainerRegistryHostname | Optional host name, or URL, to an alternate container registry to pull images from. This value overrides the container registry host name defined in all the default container images involved in a Che deployment. This is particularly useful to install Che in a restricted environment. |
airGapContainerRegistryOrganization | Optional repository name of an alternate container registry to pull images from. This value overrides the container registry organization defined in all the default container images involved in a Che deployment. This is particularly useful to install CodeReady Workspaces in a restricted environment. |
allowUserDefinedWorkspaceNamespaces | Deprecated. The value of this flag is ignored. Defines that a user is allowed to specify an OpenShift project which differs from the default. It’s NOT RECOMMENDED to set to |
cheClusterRoles | A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. |
cheDebug | Enables the debug mode for Che server. Defaults to |
cheFlavor | Specifies a variation of the installation. The options are |
cheHost | Public host name of the installed Che server. When the value is omitted, it is automatically set by the Operator. See the |
cheHostTLSSecret | Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. See the |
cheImage | Overrides the container image used in Che deployment. This does NOT include the container image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
cheImagePullPolicy | Overrides the image pull policy used in Che deployment. Default value is |
cheImageTag | Overrides the tag of the container image used in Che deployment. Omit it or leave it empty to use the default image tag provided by the Operator. |
cheLogLevel | Log level for the Che server: |
cheServerIngress | The Che server ingress custom settings. |
cheServerRoute | The Che server route custom settings. |
cheWorkspaceClusterRole | Custom cluster role bound to the user for the Che workspaces. The default roles are used when omitted or left blank. |
customCheProperties | Map of additional environment variables that will be applied in the generated |
dashboardCpuLimit | Overrides the CPU limit used in the dashboard deployment. In cores. (500m = .5 cores). Default to 500m. |
dashboardCpuRequest | Overrides the CPU request used in the dashboard deployment. In cores. (500m = .5 cores). Default to 100m. |
dashboardImage | Overrides the container image used in the dashboard deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
dashboardImagePullPolicy | Overrides the image pull policy used in the dashboard deployment. Default value is |
dashboardIngress | Dashboard ingress custom settings. |
dashboardMemoryLimit | Overrides the memory limit used in the dashboard deployment. Defaults to 256Mi. |
dashboardMemoryRequest | Overrides the memory request used in the dashboard deployment. Defaults to 16Mi. |
dashboardRoute | Dashboard route custom settings. |
devfileRegistryCpuLimit | Overrides the CPU limit used in the devfile registry deployment. In cores. (500m = .5 cores). Default to 500m. |
devfileRegistryCpuRequest | Overrides the CPU request used in the devfile registry deployment. In cores. (500m = .5 cores). Default to 100m. |
devfileRegistryImage | Overrides the container image used in the devfile registry deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
devfileRegistryIngress | The devfile registry ingress custom settings. |
devfileRegistryMemoryLimit | Overrides the memory limit used in the devfile registry deployment. Defaults to 256Mi. |
devfileRegistryMemoryRequest | Overrides the memory request used in the devfile registry deployment. Defaults to 16Mi. |
devfileRegistryPullPolicy | Overrides the image pull policy used in the devfile registry deployment. Default value is |
devfileRegistryRoute | The devfile registry route custom settings. |
devfileRegistryUrl | Deprecated in favor of |
disableInternalClusterSVCNames | Disable internal cluster SVC names usage to communicate between components to speed up the traffic and avoid proxy issues. |
externalDevfileRegistries | External devfile registries that serve sample, ready-to-use devfiles. Configure this in addition to a dedicated devfile registry (when |
externalDevfileRegistry | Instructs the Operator on whether to deploy a dedicated devfile registry server. By default, a dedicated devfile registry server is started. When |
externalPluginRegistry | Instructs the Operator on whether to deploy a dedicated plugin registry server. By default, a dedicated plugin registry server is started. When |
gitSelfSignedCert | When enabled, the certificate from |
nonProxyHosts | List of hosts that will be reached directly, bypassing the proxy. To specify a wildcard domain, use the following form |
pluginRegistryCpuLimit | Overrides the CPU limit used in the plugin registry deployment. In cores. (500m = .5 cores). Default to 500m. |
pluginRegistryCpuRequest | Overrides the CPU request used in the plugin registry deployment. In cores. (500m = .5 cores). Default to 100m. |
pluginRegistryImage | Overrides the container image used in the plugin registry deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
pluginRegistryIngress | Plugin registry ingress custom settings. |
pluginRegistryMemoryLimit | Overrides the memory limit used in the plugin registry deployment. Defaults to 256Mi. |
pluginRegistryMemoryRequest | Overrides the memory request used in the plugin registry deployment. Defaults to 16Mi. |
pluginRegistryPullPolicy | Overrides the image pull policy used in the plugin registry deployment. Default value is |
pluginRegistryRoute | Plugin registry route custom settings. |
pluginRegistryUrl | Public URL of the plugin registry that serves sample ready-to-use devfiles. Set this ONLY when use of an external devfile registry is needed. See the |
proxyPassword | Password of the proxy server. Only use when proxy configuration is required. See the |
proxyPort | Port of the proxy server. Only use when configuring a proxy is required. See also the |
proxySecret | The secret that contains |
proxyURL | URL (protocol+host name) of the proxy server. This drives the appropriate changes in the |
proxyUser | User name of the proxy server. Only use when configuring a proxy is required. See also the |
selfSignedCert | Deprecated. The value of this flag is ignored. The Che Operator will automatically detect whether the router certificate is self-signed and propagate it to other components, such as the Che server. |
serverCpuLimit | Overrides the CPU limit used in the Che server deployment. In cores. (500m = .5 cores). Default to 1. |
serverCpuRequest | Overrides the CPU request used in the Che server deployment. In cores. (500m = .5 cores). Default to 100m. |
serverExposureStrategy | Sets the server and workspaces exposure type. Possible values are |
serverMemoryLimit | Overrides the memory limit used in the Che server deployment. Defaults to 1Gi. |
serverMemoryRequest | Overrides the memory request used in the Che server deployment. Defaults to 512Mi. |
serverTrustStoreConfigMapName | Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. |
singleHostGatewayConfigMapLabels | The labels that need to be present in the ConfigMaps representing the gateway configuration. |
singleHostGatewayConfigSidecarImage | The image used for the gateway sidecar that provides configuration to the gateway. Omit it or leave it empty to use the default container image provided by the Operator. |
singleHostGatewayImage | The image used for the gateway in the single host mode. Omit it or leave it empty to use the default container image provided by the Operator. |
tlsSupport | Deprecated. Instructs the Operator to deploy Che in TLS mode. This is enabled by default. Disabling TLS sometimes causes malfunction of some Che components. |
useInternalClusterSVCNames | Deprecated in favor of |
workspaceNamespaceDefault | Defines default OpenShift project in which user’s workspaces are created for a case when a user does not override it. It’s possible to use |
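
Table 2.2. `CheCluster` Custom Resource `database` configuration settings related to the database used by CodeReady Workspaces.

Property | Description |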
---|---|
chePostgresContainerResources | PostgreSQL container custom settings |
chePostgresDb | PostgreSQL database name that the Che server uses to connect to the DB. Defaults to |
chePostgresHostName | PostgreSQL Database host name that the Che server uses to connect to. Defaults to |
chePostgresPassword | PostgreSQL password that the Che server uses to connect to the DB. When omitted or left blank, it will be set to an automatically generated value. |
chePostgresPort | PostgreSQL Database port that the Che server uses to connect to. Defaults to 5432. Override this value ONLY when using an external database. See field |
chePostgresSecret | The secret that contains PostgreSQL `user` and |
chePostgresUser | PostgreSQL user that the Che server uses to connect to the DB. Defaults to |
externalDb | Instructs the Operator on whether to deploy a dedicated database. By default, a dedicated PostgreSQL database is deployed as part of the Che installation. When |
postgresImage | Overrides the container image used in the PostgreSQL database deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
postgresImagePullPolicy | Overrides the image pull policy used in the PostgreSQL database deployment. Default value is |
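
Table 2.3. Custom Resource `auth` configuration settings related to authentication used by CodeReady Workspaces.

Property | Description |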
---|---|
externalIdentityProvider | Instructs the Operator on whether to deploy a dedicated Identity Provider (Keycloak or RH-SSO instance). By default, a dedicated Identity Provider server is deployed as part of the Che installation. When |
gatewayAuthenticationSidecarImage | Gateway sidecar responsible for authentication when NativeUserMode is enabled. See oauth2-proxy or openshift/oauth-proxy. |
gatewayAuthorizationSidecarImage | Gateway sidecar responsible for authorization when NativeUserMode is enabled. See kube-rbac-proxy or openshift/kube-rbac-proxy |
gatewayHeaderRewriteSidecarImage | Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin. |
identityProviderAdminUserName | Overrides the name of the Identity Provider administrator user. Defaults to |
identityProviderClientId | Name of an Identity provider, Keycloak or RH-SSO, |
identityProviderContainerResources | Identity provider container custom settings. |
identityProviderImage | Overrides the container image used in the Identity Provider, Keycloak or RH-SSO, deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. |
identityProviderImagePullPolicy | Overrides the image pull policy used in the Identity Provider, Keycloak or RH-SSO, deployment. Default value is |
identityProviderIngress | Ingress custom settings. |
identityProviderPassword | Overrides the password of Keycloak administrator user. Override this when an external Identity Provider is in use. See the |
identityProviderPostgresPassword | Password for an Identity Provider, Keycloak or RH-SSO, to connect to the database. Override this when an external Identity Provider is in use. See the |
identityProviderPostgresSecret | The secret that contains |
identityProviderRealm | Name of an Identity provider, Keycloak or RH-SSO, realm that is used for Che. Override this when an external Identity Provider is in use. See the |
identityProviderRoute | Route custom settings. |
identityProviderSecret | The secret that contains |
identityProviderURL | Public URL of the Identity Provider server (Keycloak / RH-SSO server). Set this ONLY when use of an external Identity Provider is needed. See the |
initialOpenShiftOAuthUser | For operating with the OpenShift OAuth authentication, create a new user account since the kubeadmin can not be used. If the value is true, then a new OpenShift OAuth user will be created for the HTPasswd identity provider. If the value is false and the user has already been created, then it will be removed. If the value is empty, then nothing is done. The user’s credentials are stored in the |
nativeUserMode | Enables native user mode. Currently works only on OpenShift and DevWorkspace engine. Native User mode uses OpenShift OAuth directly as identity provider, without Keycloak. |
oAuthClientName | Name of the OpenShift |
oAuthSecret | Name of the secret set in the OpenShift |
openShiftoAuth | Enables the integration of the identity provider (Keycloak / RHSSO) with OpenShift OAuth. Empty value on OpenShift by default. This will allow users to directly login with their OpenShift user through the OpenShift login, and have their workspaces created under personal OpenShift namespaces. WARNING: the |
updateAdminPassword | Forces the default |
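
Table 2.4. `CheCluster` Custom Resource `storage` configuration settings related to persistent storage used by CodeReady Workspaces.

Property | Description |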
---|---|
postgresPVCStorageClassName | Storage class for the Persistent Volume Claim dedicated to the PostgreSQL database. When omitted or left blank, a default storage class is used. |
preCreateSubPaths | Instructs the Che server to start a special Pod to pre-create a sub-path in the Persistent Volumes. Defaults to |
pvcClaimSize | Size of the persistent volume claim for workspaces. Defaults to |
pvcJobsImage | Overrides the container image used to create sub-paths in the Persistent Volumes. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. See also the |
pvcStrategy | Persistent volume claim strategy for the Che server. This can be: `common` (all workspaces PVCs in one volume), |
workspacePVCStorageClassName | Storage class for the Persistent Volume Claims dedicated to the Che workspaces. When omitted or left blank, a default storage class is used. |
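
Table 2.5. `CheCluster` Custom Resource `k8s` configuration settings specific to CodeReady Workspaces installations on OpenShift.

Property | Description |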
---|---|
ingressClass | Ingress class that defines which controller will manage ingresses. Defaults to |
ingressDomain | Global ingress domain for an OpenShift cluster. This MUST be explicitly specified: there are no defaults. |
ingressStrategy | Strategy for ingress creation. Options are: |
securityContextFsGroup | The FSGroup in which the Che Pod and workspace Pods containers run. Default value is |
securityContextRunAsUser | ID of the user the Che Pod and workspace Pods containers run as. Default value is |
singleHostExposureType | When the serverExposureStrategy is set to |
tlsSecretName | Name of a secret that will be used to set up ingress TLS termination when TLS is enabled. When the field is an empty string, the default cluster certificate will be used. See also the |
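
Table 2.6. `CheCluster` Custom Resource `metrics` settings, related to the CodeReady Workspaces metrics collection used by CodeReady Workspaces.

Property | Description |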
---|---|
enable | Enables |
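
Table 2.7. `CheCluster` Custom Resource `status` defines the observed state of CodeReady Workspaces installation

Property | Description |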
---|---|
cheClusterRunning | Status of a Che installation. Can be |
cheURL | Public URL to the Che server. |
cheVersion | Current installed Che version. |
dbProvisioned | Indicates whether a PostgreSQL instance has been correctly provisioned. |
devfileRegistryURL | Public URL to the devfile registry. |
devworkspaceStatus | The status of the Devworkspace subsystem |
gitHubOAuthProvisioned | Indicates whether an Identity Provider instance, Keycloak or RH-SSO, has been configured to integrate with the GitHub OAuth. |
helpLink | A URL pointing to help related to the current Operator status. |
keycloakProvisioned | Indicates whether an Identity Provider instance, Keycloak or RH-SSO, has been provisioned with realm, client and user. |
keycloakURL | Public URL to the Identity Provider server, Keycloak or RH-SSO. |
message | A human readable message indicating details about why the Pod is in this condition. |
openShiftOAuthUserCredentialsSecret | OpenShift OAuth secret in |
openShiftoAuthProvisioned | Indicates whether an Identity Provider instance, Keycloak or RH-SSO, has been configured to integrate with the OpenShift OAuth. |
pluginRegistryURL | Public URL to the plugin registry. |
reason | A brief CamelCase message indicating details about why the Pod is in this state. |
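
As an added example (not part of the Red Hat documentation or the Operator's code), the following Python lint reviews a `CheCluster` Custom Resource exported as JSON for the security-relevant fields in the tables above: passwords set inline instead of through the Secret field listed beside them, `tlsSupport` disabled, `cheDebug` enabled, and extra `cheClusterRoles`. The severity labels, the password-to-Secret pairing and the sample resource are assumptions of this example.

```python
import json

# Inline credential fields and the Secret-reference fields the tables list
# beside them. The pairing is inferred from the field names (assumption).
INLINE_CREDENTIALS = {
    ("server", "proxyPassword"): "proxySecret",
    ("database", "chePostgresPassword"): "chePostgresSecret",
    ("auth", "identityProviderPassword"): "identityProviderSecret",
    ("auth", "identityProviderPostgresPassword"): "identityProviderPostgresSecret",
}

# Constructed sample CR (not from a real cluster), in JSON form.
SAMPLE_CR = json.loads("""
{"apiVersion": "org.eclipse.che/v1", "kind": "CheCluster",
 "metadata": {"name": "codeready-workspaces"},
 "spec": {
   "server": {"tlsSupport": false, "cheDebug": "true",
              "proxyPassword": "constructed-not-real",
              "cheClusterRoles": "view, example-role"},
   "database": {"externalDb": true, "chePostgresSecret": "postgres-credentials"},
   "auth": {"identityProviderPassword": "constructed-not-real"}}}
""")


def flag(value):
    """Normalize a flag that may be a boolean or the string 'true'/'false'."""
    return str(value).strip().lower()


def lint_checluster(cr):
    """Return sorted (severity, 'section.field', message) findings."""
    spec = cr.get("spec") or {}
    findings = []
    for (section, field), secret_field in INLINE_CREDENTIALS.items():
        if (spec.get(section) or {}).get(field):
            findings.append(("high", f"{section}.{field}",
                             f"credential inline in the CR; use {section}.{secret_field}"))
    server = spec.get("server") or {}
    if flag(server.get("tlsSupport", True)) == "false":
        findings.append(("high", "server.tlsSupport", "TLS mode is disabled"))
    if flag(server.get("cheDebug", False)) == "true":
        findings.append(("medium", "server.cheDebug", "debug mode is enabled"))
    roles = [r.strip() for r in str(server.get("cheClusterRoles") or "").split(",")]
    roles = [r for r in roles if r]
    if roles:
        findings.append(("review", "server.cheClusterRoles",
                         "ClusterRoles granted to the Che ServiceAccount: "
                         + ", ".join(roles)))
    return sorted(findings)


if __name__ == "__main__":
    for severity, field, message in lint_checluster(SAMPLE_CR):
        print(f"{severity:7} {field:35} {message}")
```

The minimal resource from Example 2.2 produces no findings, because it sets no inline passwords and keeps `tlsSupport` enabled.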