Chapter 6. Using credentials and configurations in workspaces
You can use your credentials and configurations in your workspaces.
			To do so, mount your credentials and configurations to the Dev Workspace containers in the OpenShift cluster of your organization’s OpenShift Dev Spaces instance:
		
- Mount your credentials and sensitive configurations as Kubernetes Secrets.
- Mount your non-sensitive configurations as Kubernetes ConfigMaps.
			If you need to allow the Dev Workspace Pods in the cluster to access container registries that require authentication, create an image pull Secret for the Dev Workspace Pods.
		
The mounting process uses the standard Kubernetes mounting mechanism and requires applying additional labels and annotations to your existing resources. Resources are mounted when starting a new workspace or restarting an existing one.
You can create permanent mount points for various components:
- 
					Maven configuration, such as the user-specific settings.xmlfile
- SSH key pairs
- Git-provider access tokens
- Git configuration
- AWS authorization tokens
- Configuration files
- Persistent storage
Additional resources
6.1. Mounting Secrets
To mount confidential data into your workspaces, use Kubernetes Secrets.
Using Kubernetes Secrets, you can mount usernames, passwords, SSH key pairs, authentication tokens (for example, for AWS), and sensitive configurations.
				Mount Kubernetes Secrets to the Dev Workspace containers in the OpenShift cluster of your organization’s OpenShift Dev Spaces instance.
			
Prerequisites
- 
						An active ocsession with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
- 
						In your user project, you created a new Secret or determined an existing Secret to mount to all Dev Workspacecontainers.
Procedure
- Add the labels, which are required for mounting the Secret, to the Secret. - oc label secret <Secret_name> \ controller.devfile.io/mount-to-devworkspace=true \ controller.devfile.io/watch-secret=true- $ oc label secret <Secret_name> \ controller.devfile.io/mount-to-devworkspace=true \ controller.devfile.io/watch-secret=true- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Use the annotations to configure how the Secret is mounted. - Expand - Table 6.1. Optional annotations - Annotation - Description - controller.devfile.io/mount-path:- Specifies the mount path. - Defaults to - /etc/secret/<Secret_name>.- controller.devfile.io/mount-as:- Specifies how the resource should be mounted: - file,- subpath, or- env.- Defaults to - file.- mount-as: filemounts the keys and values as files within the mount path.- mount-as: subpathmounts the keys and values within the mount path using subpath volume mounts.- mount-as: envmounts the keys and values as environment variables in all- Dev Workspacecontainers.
Example 6.1. Mounting a Secret as a file
					When you start a workspace, the /home/user/.m2/settings.xml file will be available in the Dev Workspace containers.
				
					With Maven, you can set a custom path for the settings.xml file. For example:
				
mvn --settings /home/user/.m2/settings.xml clean install
$ mvn --settings /home/user/.m2/settings.xml clean install6.1.1. Creating image pull Secrets
					To allow the Dev Workspace Pods in the OpenShift cluster of your organization’s OpenShift Dev Spaces instance to access container registries that require authentication, create an image pull Secret.
				
					You can create image pull Secrets by using oc or a .dockercfg file or a config.json file.
				
6.1.1.1. Creating an image pull Secret with oc
Prerequisites
- 
								An active ocsession with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
Procedure
- In your user project, create an image pull Secret with your private container registry details and credentials: - oc create secret docker-registry <Secret_name> \ --docker-server=<registry_server> \ --docker-username=<username> \ --docker-password=<password> \ --docker-email=<email_address>- $ oc create secret docker-registry <Secret_name> \ --docker-server=<registry_server> \ --docker-username=<username> \ --docker-password=<password> \ --docker-email=<email_address>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the following label to the image pull Secret: - oc label secret <Secret_name> controller.devfile.io/devworkspace_pullsecret=true controller.devfile.io/watch-secret=true - $ oc label secret <Secret_name> controller.devfile.io/devworkspace_pullsecret=true controller.devfile.io/watch-secret=true- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.1.1.2. Creating an image pull Secret from a .dockercfg file
						If you already store the credentials for the private container registry in a .dockercfg file, you can use that file to create an image pull Secret.
					
Prerequisites
- 
								An active ocsession with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
- 
								base64command line tools are installed in the operating system you are using.
Procedure
- Encode the - .dockercfgfile to Base64:- cat .dockercfg | base64 | tr -d '\n' - $ cat .dockercfg | base64 | tr -d '\n'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a new OpenShift Secret in your user project: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the Secret: - oc apply -f - <<EOF <Secret_prepared_in_the_previous_step> EOF - $ oc apply -f - <<EOF <Secret_prepared_in_the_previous_step> EOF- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.1.1.3. Creating an image pull Secret from a config.json file
						If you already store the credentials for the private container registry in a $HOME/.docker/config.json file, you can use that file to create an image pull Secret.
					
Prerequisites
- 
								An active ocsession with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
- 
								base64command line tools are installed in the operating system you are using.
Procedure
- Encode the - $HOME/.docker/config.jsonfile to Base64.- cat config.json | base64 | tr -d '\n' - $ cat config.json | base64 | tr -d '\n'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a new OpenShift Secret in your user project: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the Secret: - oc apply -f - <<EOF <Secret_prepared_in_the_previous_step> EOF - $ oc apply -f - <<EOF <Secret_prepared_in_the_previous_step> EOF- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.1.2. Using a Git-provider access token
					OAuth for GitHub, GitLab, Bitbucket, or Microsoft Azure Repos needs to be configured by the administrator of your organization’s OpenShift Dev Spaces instance. If your administrator could not configure it for OpenShift Dev Spaces users, the workaround is for you to use a personal access token. You can configure personal access tokens on the User Preferences page of your OpenShift Dev Spaces dashboard: https://<openshift_dev_spaces_fqdn>/dashboard/#/user-preferences?tab=personal-access-tokens, or apply it manually as a Kubernetes Secret in the namespace.
				
					Mounting your access token as a Secret enables the OpenShift Dev Spaces Server to access the remote repository that is cloned during workspace creation, including access to the repository’s /.che and /.vscode folders.
				
Apply the Secret in your user project of the OpenShift cluster of your organization’s OpenShift Dev Spaces instance.
After applying the Secret, you can create workspaces with clones of private Git repositories that are hosted on GitHub, GitLab, Bitbucket Server, or Microsoft Azure Repos.
You can create and apply multiple access-token Secrets per Git provider. You must apply each of those Secrets in your user project.
Prerequisites
- You have logged in to the cluster. Tip- On OpenShift, you can use the - occommand-line tool to log in to the cluster:- $ oc login https://<openshift_dev_spaces_fqdn> --username=<my_user>
Procedure
- Generate your access token on your Git provider’s website. Important- Personal access tokens are sensitive information and should be kept confidential. Treat them like passwords. If you are having trouble with authentication, ensure you are using the correct token and have the appropriate permissions for cloning repositories: - Open a terminal locally on your computer
- 
										Use the gitcommand to clone the repository using your personal access token. The format of thegitcommand vary based on the Git Provider. As an example, GitHub personal access token verification can be done using the following command:
 - git clone https://<PAT>@github.com/username/repo.git - git clone https://<PAT>@github.com/username/repo.git- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Replace - <PAT>with your personal access token, and- username/repowith the appropriate repository path. If the token is valid and has the necessary permissions, the cloning process should be successful. Otherwise, this is an indicator of incorrect personal access token, insufficient permissions, or other issues.Important- For GitHub Enterprise Cloud, verify that the token is authorized for use within the organization. 
- 
							Go to https://<openshift_dev_spaces_fqdn>/api/user/idin the web browser to get your OpenShift Dev Spaces user ID.
- Prepare a new OpenShift Secret. - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Visit https://<openshift_dev_spaces_fqdn>/api/kubernetes/namespaceto get your OpenShift Dev Spaces user namespace asname.
- Switch to your OpenShift Dev Spaces user namespace in the cluster. Tip- On OpenShift: - The - occommand-line tool can return the namespace you are currently on in the cluster, which you can use to check your current namespace:- $ oc project
- You can switch to your OpenShift Dev Spaces user namespace on a command line if needed: - $ oc project <your_user_namespace>
 
- Apply the Secret. Tip- On OpenShift, you can use the - occommand-line tool:- oc apply -f - <<EOF <Secret_prepared_in_step_5> EOF - $ oc apply -f - <<EOF <Secret_prepared_in_step_5> EOF- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
If you are using Azure DevOps Server, you must also modify the workspace’s gitconfig with the following section:
[http]
    extraheader = "Authorization: Basic <base64-encoded(:personal-access-token)>"
[http]
    extraheader = "Authorization: Basic <base64-encoded(:personal-access-token)>"To generate the key-value pair, use the following command:
echo -n "extraheader = \"Authorization: Basic "$(printf ":%s" <personal access token> | base64)\"
echo -n "extraheader = \"Authorization: Basic "$(printf ":%s" <personal access token> | base64)\"see the documentation page for more information.
						The extraheader configuration is needed for remote git operations to Azure Devops Server, e.g. git clone. This authorization method has a higher priority over the git credentials store, and as a result, the remote operations to other Git providers will fail.
					
Verification
- Start a new workspace by using the URL of a remote Git repository that the Git provider hosts.
- Make some changes and push to the remote Git repository from the workspace.
Additional resources
6.2. Mounting ConfigMaps
To mount non-confidential configuration data into your workspaces, use Kubernetes ConfigMaps.
Using Kubernetes ConfigMaps, you can mount non-sensitive data such as configuration values for an application.
				Mount Kubernetes ConfigMaps to the Dev Workspace containers in the OpenShift cluster of your organization’s OpenShift Dev Spaces instance.
			
Prerequisites
- 
						An active ocsession with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
- 
						In your user project, you created a new ConfigMap or determined an existing ConfigMap to mount to all Dev Workspacecontainers.
Procedure
- Add the labels, which are required for mounting the ConfigMap, to the ConfigMap. - oc label configmap <ConfigMap_name> \ controller.devfile.io/mount-to-devworkspace=true \ controller.devfile.io/watch-configmap=true- $ oc label configmap <ConfigMap_name> \ controller.devfile.io/mount-to-devworkspace=true \ controller.devfile.io/watch-configmap=true- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Use the annotations to configure how the ConfigMap is mounted. - Expand - Table 6.2. Optional annotations - Annotation - Description - controller.devfile.io/mount-path:- Specifies the mount path. - Defaults to - /etc/config/<ConfigMap_name>.- controller.devfile.io/mount-as:- Specifies how the resource should be mounted: - file,- subpath, or- env.- Defaults to - file.- mount-as:filemounts the keys and values as files within the mount path.- mount-as:subpathmounts the keys and values within the mount path using subpath volume mounts.- mount-as:envmounts the keys and values as environment variables in all- Dev Workspacecontainers.
Example 6.2. Mounting a ConfigMap as environment variables
					When you start a workspace, the <env_var_1> and <env_var_2> environment variables will be available in the Dev Workspace containers.
				
6.2.1. Mounting Git configuration
						The user.name and user.email fields will be set automatically to the gitconfig content from a git provider, connected to OpenShift Dev Spaces by a Git-provider access token or a token generated via OAuth, if username and email are set on the provider’s user profile page.
					
Follow the instructions below to mount a Git config file in a workspace.
Prerequisites
- You have logged in to the cluster.
Procedure
- Prepare a new OpenShift ConfigMap. - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the ConfigMap. - oc apply -f - <<EOF <ConfigMap_prepared_in_step_1> EOF - $ oc apply -f - <<EOF <ConfigMap_prepared_in_step_1> EOF- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Start a new workspace by using the URL of a remote Git repository that the Git provider hosts.
- 
							Once the workspace is started, open a new terminal in the toolscontainer and rungit config --get-regexp user.*. Your Git user name and email should appear in the output.
6.3. Enabling artifact repositories in a restricted environment
By configuring technology stacks, you can work with artifacts from in-house repositories using self-signed certificates:
6.3.1. Maven
You can enable a Maven artifact repository in Maven workspaces that run in a restricted environment.
Prerequisites
- You are not running any Maven workspace.
- 
							You know your user namespace, which is <username>-devspaceswhere<username>is your OpenShift Dev Spaces username.
Procedure
- In the - <username>-devspacesnamespace, apply the Secret for the TLS certificate:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- In the - <username>-devspacesnamespace, apply the ConfigMap to create the- settings.xmlfile:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Optional: When using JBoss EAP-based devfiles, apply a second settings-xmlConfigMap in the<username>-devspacesnamespace, and with the same content, a different name, and the/home/jboss/.m2mount path.
- In the - <username>-devspacesnamespace, apply the ConfigMap for the TrustStore initialization script:- Java 8 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Java 11 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Start a Maven workspace.
- 
							Open a new terminal in the toolscontainer.
- 
							Run ~/init-truststore.sh.
6.3.2. Gradle
You can enable a Gradle artifact repository in Gradle workspaces that run in a restricted environment.
Prerequisites
- You are not running any Gradle workspace.
Procedure
- Apply the Secret for the TLS certificate: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- Apply the ConfigMap for the TrustStore initialization script: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the ConfigMap for the Gradle init script: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Start a Gradle workspace.
- 
							Open a new terminal in the toolscontainer.
- 
							Run ~/init-truststore.sh.
6.3.3. npm
You can enable an npm artifact repository in npm workspaces that run in a restricted environment.
Prerequisites
- You are not running any npm workspace.
Applying a ConfigMap that sets environment variables might cause a workspace boot loop.
						If you encounter this behavior, remove the ConfigMap and edit the devfile directly.
					
Procedure
- Apply the Secret for the TLS certificate: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- Apply the ConfigMap to set the following environment variables in the - toolscontainer:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.3.3.1. Disabling self-signed certificate validation
						Run the command below to disable SSL/TLS, bypassing the validation of your self-signed certificates. Note that this is a potential security risk. For a better solution, configure a self-signed certificate you trust with NODE_EXTRA_CA_CERTS.
					
Procedure
- Run the following command in the terminal: - npm config set strict-ssl false - npm config set strict-ssl false- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.3.3.2. Configuring NODE_EXTRA_CA_CERTS to use a certificate
Use the command below to set NODE_EXTRA_CA_CERTS to point to where you have your SSL/TLS certificate.
Procedure
- Run the following command in the terminal: - `export NODE_EXTRA_CA_CERTS=/public-certs/nexus.cer` `npm install` - `export NODE_EXTRA_CA_CERTS=/public-certs/nexus.cer`- 1 - `npm install`- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- /public-certs/nexus.ceris the path to self-signed SSL/TLS certificate of Nexus artifactory.
 
6.3.4. Python
You can enable a Python artifact repository in Python workspaces that run in a restricted environment.
Prerequisites
- You are not running any Python workspace.
Applying a ConfigMap that sets environment variables might cause a workspace boot loop.
						If you encounter this behavior, remove the ConfigMap and edit the devfile directly.
					
Procedure
- Apply the Secret for the TLS certificate: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- Apply the ConfigMap to set the following environment variables in the - toolscontainer:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.3.5. Go
You can enable a Go artifact repository in Go workspaces that run in a restricted environment.
Prerequisites
- You are not running any Go workspace.
Applying a ConfigMap that sets environment variables might cause a workspace boot loop.
						If you encounter this behavior, remove the ConfigMap and edit the devfile directly.
					
Procedure
- Apply the Secret for the TLS certificate: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- Apply the ConfigMap to set the following environment variables in the - toolscontainer:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.3.6. NuGet
You can enable a NuGet artifact repository in NuGet workspaces that run in a restricted environment.
Prerequisites
- You are not running any NuGet workspace.
Applying a ConfigMap that sets environment variables might cause a workspace boot loop.
						If you encounter this behavior, remove the ConfigMap and edit the devfile directly.
					
Procedure
- Apply the Secret for the TLS certificate: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Base64 encoding with disabled line wrapping.
 
- Apply the ConfigMap to set the environment variable for the path of the TLS certificate file in the - toolscontainer:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the ConfigMap to create the - nuget.configfile:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow