From 792b8b1440257895dbfc5dbd1b2bce10b9ebdf63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 5 Mar 2021 15:53:37 +0100 Subject: [PATCH 01/15] Use attributes for Kubernetes occurences --- .../pages/viewing-kubernetes-events.adoc | 4 +- ...con_authorization-and-user-management.adoc | 2 +- .../con_che-workspaces-architecture.adoc | 2 +- ...c_configuring-bitbucket-server-oauth1.adoc | 2 +- ...ernetes-applications-into-a-workspace.adoc | 4 +- ...onfiguration-of-an-existing-workspace.adoc | 2 +- ...ons-in-a-workspace-devfile-definition.adoc | 2 +- ...t-variable-into-a-workspace-container.adoc | 2 +- .../proc_using-npm-artifact-repositories.adoc | 2 +- ...lf-signed-certificates-in-go-projects.adoc | 2 +- ...igned-certificates-in-gradle-projects.adoc | 2 +- ...signed-certificates-in-maven-projects.adoc | 2 +- ...signed-certificates-in-nuget-projects.adoc | 2 +- ...igned-certificates-in-python-projects.adoc | 2 +- .../examples/checluster-properties.adoc | 10 ++-- .../examples/system-variables.adoc | 52 +++++++++---------- .../configuring-labels-for-ingresses.adoc | 2 +- ...proc_configuring-labels-for-ingresses.adoc | 6 +-- ...proc_configuring-namespace-strategies.adoc | 4 +- ...xposure-strategies-using-a-helm-chart.adoc | 4 +- ...exposure-strategies-using-an-operator.adoc | 4 +- ...orting-untrusted-tls-certificates-old.adoc | 4 +- ..._importing-untrusted-tls-certificates.adoc | 4 +- ...e-on-kubernetes_using_chectl_and_helm.adoc | 4 +- ...pools-for-your-eclipse-che-workspaces.adoc | 2 +- 25 files changed, 64 insertions(+), 64 deletions(-) diff --git a/modules/administration-guide/pages/viewing-kubernetes-events.adoc b/modules/administration-guide/pages/viewing-kubernetes-events.adoc index 499a5f9d26..1230afd7e9 100644 --- a/modules/administration-guide/pages/viewing-kubernetes-events.adoc +++ b/modules/administration-guide/pages/viewing-kubernetes-events.adoc 
@@ -1,6 +1,6 @@ [id="viewing-kubernetes-events"] -// = Accessing Kubernetes events on OpenShift -:navtitle: Accessing Kubernetes events on OpenShift +// = Accessing {kubernetes} events on OpenShift +:navtitle: Accessing {kubernetes} events on OpenShift :keywords: administration-guide, viewing-kubernetes-events :page-aliases: .:viewing-kubernetes-events diff --git a/modules/administration-guide/partials/con_authorization-and-user-management.adoc b/modules/administration-guide/partials/con_authorization-and-user-management.adoc index 65a61d8b53..bc171d962c 100644 --- a/modules/administration-guide/partials/con_authorization-and-user-management.adoc +++ b/modules/administration-guide/partials/con_authorization-and-user-management.adoc @@ -12,7 +12,7 @@ The default {identity-provider} credentials are `admin:admin`. You can use the ` .Identifying the {identity-provider} URL ifeval::["{project-context}" == "che"] -{prod-short} running on Kubernetes:: +{prod-short} running on {kubernetes}:: Go to `+$CHE_HOST:5050/auth+`. {prod-short} is running on OpenShift:: diff --git a/modules/administration-guide/partials/con_che-workspaces-architecture.adoc b/modules/administration-guide/partials/con_che-workspaces-architecture.adoc index a4de92d092..52d1270ac4 100644 --- a/modules/administration-guide/partials/con_che-workspaces-architecture.adoc +++ b/modules/administration-guide/partials/con_che-workspaces-architecture.adoc 
@@ -10,7 +10,7 @@ A {prod-short} deployment on the cluster consists of the {prod-short} server com * secrets * PVs -The {prod-short} workspace is a web application. It is composed of microservices running in containers that provide all the services of a modern IDE such as an editor, language auto-completion, and debugging tools. The IDE services are deployed with the development tools, packaged in containers and user runtime applications, which are defined as Kubernetes resources. +The {prod-short} workspace is a web application. It is composed of microservices running in containers that provide all the services of a modern IDE such as an editor, language auto-completion, and debugging tools. The IDE services are deployed with the development tools, packaged in containers and user runtime applications, which are defined as {orch-name} resources. The source code of the projects of a {prod-short} workspace is persisted in a {platforms-name} `PersistentVolume`. Microservices run in containers that have read-write access to the source code (IDE services, development tools), and runtime applications have read-write access to this shared directory. diff --git a/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc b/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc index 63f0c2dcc9..14574a9b00 100644 --- a/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc +++ b/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc @@ -41,7 +41,7 @@ openssl rand -base64 24 > ____ openssl rand -base64 24 > ____ ---- -. Create a Kubernetes Secret in {prod-short} namespace containing the consumer and private keys. +. Create a {orch-name} Secret in {prod-short} namespace containing the consumer and private keys. + [subs="+quotes,+attributes"] ---- 
diff --git a/modules/end-user-guide/pages/importing-kubernetes-applications-into-a-workspace.adoc b/modules/end-user-guide/pages/importing-kubernetes-applications-into-a-workspace.adoc index 77f9b81535..e493b570b0 100644 --- a/modules/end-user-guide/pages/importing-kubernetes-applications-into-a-workspace.adoc +++ b/modules/end-user-guide/pages/importing-kubernetes-applications-into-a-workspace.adoc @@ -1,6 +1,6 @@ [id="importing-kubernetes-applications-into-a-workspace"] -// = Importing a Kubernetes application into a workspace -:navtitle: Importing Kubernetes applications into a workspace +// = Importing a {orch-name} application into a workspace +:navtitle: Importing {orch-name} applications into a workspace :keywords: end-user-guide, importing-kubernetes-applications-into-a-workspace :page-aliases: .:importing-kubernetes-applications-into-a-workspace diff --git a/modules/end-user-guide/partials/proc_changing-the-configuration-of-an-existing-workspace.adoc b/modules/end-user-guide/partials/proc_changing-the-configuration-of-an-existing-workspace.adoc index 4686fc99fa..4993ec56aa 100644 --- a/modules/end-user-guide/partials/proc_changing-the-configuration-of-an-existing-workspace.adoc +++ b/modules/end-user-guide/partials/proc_changing-the-configuration-of-an-existing-workspace.adoc @@ -27,6 +27,6 @@ This section describes how to change the configuration of an existing workspace ** Select *Storage Type*. -** Review *Kubernetes namespace*. +** Review *{platforms-namespace}*. . From the *Devfile* tab, edit YAML configuration of the workspace. See xref:configuring-a-workspace-using-a-devfile.adoc[]. diff --git a/modules/end-user-guide/partials/proc_che-including-kubernetes-applications-in-a-workspace-devfile-definition.adoc b/modules/end-user-guide/partials/proc_che-including-kubernetes-applications-in-a-workspace-devfile-definition.adoc index 5bcb6bf9d9..109715dd1c 100644 
--- a/modules/end-user-guide/partials/proc_che-including-kubernetes-applications-in-a-workspace-devfile-definition.adoc +++ b/modules/end-user-guide/partials/proc_che-including-kubernetes-applications-in-a-workspace-devfile-definition.adoc @@ -30,7 +30,7 @@ metadata: + <1> Only the name `minimal-workspace` is specified. After the {prod-short} server processes this devfile, the devfile is converted to a minimal {prod-short} workspace that only has the default editor (Che-Theia) and the default editor plug-ins, including, for example, the terminal. -. To add {orch-name} applications to a workspace, modify the devfile and add the `Kubernetes` component type. +. To add {orch-name} applications to a workspace, modify the devfile and add the `{kubernetes}` component type. + For example, to embed the NodeJS-Mongo application in the `minimal-workspace`: + diff --git a/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc b/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc index f699280fa7..03fc9e6dc8 100644 --- a/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc +++ b/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc @@ -13,7 +13,7 @@ The following section describes how to mount a {platforms-name} secret from the .Procedure -. In the Kubernetes {orch-namespace} where a {prod-short} workspace will be created, generate a new {platforms-name} secret . +. In the {platforms-namespace} where a {prod-short} workspace will be created, generate a new {platforms-name} secret . * The labels of the secret that is about to be generated must match the set of labels configured in `che.workspace.provision.secret.labels` property of {prod-short}. By default, it is a set of two labels: + 
diff --git a/modules/end-user-guide/partials/proc_using-npm-artifact-repositories.adoc b/modules/end-user-guide/partials/proc_using-npm-artifact-repositories.adoc index 725df96b6f..086f7b8cf2 100644 --- a/modules/end-user-guide/partials/proc_using-npm-artifact-repositories.adoc +++ b/modules/end-user-guide/partials/proc_using-npm-artifact-repositories.adoc @@ -16,7 +16,7 @@ Use the following environment variables for configuration: * The URL for the artifact repository: `NPM_CONFIG_REGISTRY` * For using a certificate from a file: `NODE_EXTRA_CA_CERTS` -Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. . An example configuration for the use of an internal repository with a self-signed certificate: + diff --git a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-go-projects.adoc b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-go-projects.adoc index 9bd1f06706..c3cd2fad51 100644 --- a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-go-projects.adoc +++ b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-go-projects.adoc 
@@ -11,7 +11,7 @@ Go uses certificates from a file defined in the `SSL_CERT_FILE` environment vari .Procedure -. Obtain the certificate used by the Athens server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +. Obtain the certificate used by the Athens server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. . Add the appropriate environment variables to your devfile: + diff --git a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-gradle-projects.adoc b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-gradle-projects.adoc index fb776b3645..e465be502f 100644 --- a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-gradle-projects.adoc +++ b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-gradle-projects.adoc 
@@ -9,7 +9,7 @@ Internal artifact repositories often do not have a certificate signed by an auth .Procedure -. Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +. Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. .. Copy the original Java truststore file: + diff --git a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-maven-projects.adoc b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-maven-projects.adoc index bbd0834eeb..9cb8af5ae3 100644 --- a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-maven-projects.adoc +++ b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-maven-projects.adoc 
@@ -9,7 +9,7 @@ Internal artifact repositories often do not have a certificate signed by an auth .Procedure -. Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +. Obtain a server certificate file from the repository server. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. .. Copy the original Java truststore file: + diff --git a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-nuget-projects.adoc b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-nuget-projects.adoc index 15a9f8f08b..7205dc88d0 100644 --- a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-nuget-projects.adoc +++ b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-nuget-projects.adoc 
@@ -9,7 +9,7 @@ Internal artifact repositories often do not have a self-signed TLS certificate s .Procedure -. Obtain the certificate used by the .NET server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +. Obtain the certificate used by the .NET server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. . Specify the location of the certificate file in the `SSL_CERT_FILE` environment variable in your devfile for the OmniSharp plug-in and for the .NET container. + diff --git a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-python-projects.adoc b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-python-projects.adoc index 8dd598b455..c5fbb1fe3c 100644 --- a/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-python-projects.adoc +++ b/modules/end-user-guide/partials/proc_using-self-signed-certificates-in-python-projects.adoc 
@@ -11,7 +11,7 @@ Python uses certificates from a file defined in the `PIP_CERT` environment varia .Procedure -. Obtain the certificate used by the pip server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as Kubernetes secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. +. Obtain the certificate used by the pip server in the Privacy-Enhanced Mail (PEM) format. It is customary for administrators to provide certificates of internal artifact servers as {orch-name} secrets (see xref:installation-guide:importing-untrusted-tls-certificates.adoc[]). The relevant server certificates will be mounted in `/public-certs` in every container in the workspace. + [NOTE] ==== diff --git a/modules/installation-guide/examples/checluster-properties.adoc b/modules/installation-guide/examples/checluster-properties.adoc index a3c1a32944..cc37225aef 100644 --- a/modules/installation-guide/examples/checluster-properties.adoc +++ b/modules/installation-guide/examples/checluster-properties.adoc 
@@ -6,7 +6,7 @@ Property: Description airGapContainerRegistryHostname: Optional host name, or URL, to an alternate container registry to pull images from. This value overrides the container registry host name defined in all the default container images involved in a Che deployment. This is particularly useful to install Che in a restricted environment. airGapContainerRegistryOrganization: Optional repository name of an alternate container registry to pull images from. This value overrides the container registry organization defined in all the default container images involved in a Che deployment. This is particularly useful to install {prod-short} in a restricted environment. -allowUserDefinedWorkspaceNamespaces: Defines that a user is allowed to specify a Kubernetes namespace, or an OpenShift project, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. +allowUserDefinedWorkspaceNamespaces: Defines that a user is allowed to specify a {platforms-namespace}, or an OpenShift project, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. cheClusterRoles: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. cheDebug: Enables the debug mode for Che server. Defaults to `false`. cheFlavor: Specifies a variation of the installation. The options are `che` for upstream Che installations, or `codeready` for link\:https\://developers.redhat.com/products/codeready-workspaces/overview[CodeReady Workspaces] installation. Override the default value only on necessary occasions. 
@@ -50,7 +50,7 @@ proxyUser: User name of the proxy server. Only use when configuring a proxy is r selfSignedCert: Deprecated. The value of this flag is ignored. The Che Operator will automatically detect whether the router certificate is self-signed and propagate it to other components, such as the Che server. serverCpuLimit: Overrides the CPU limit used in the Che server deployment In cores. (500m = .5 cores). Default to 1. serverCpuRequest: Overrides the CPU request used in the Che server deployment In cores. (500m = .5 cores). Default to 100m. -serverExposureStrategy: Sets the server and workspaces exposure type. Possible values are `multi-host`, `single-host`, `default-host`. Defaults to `multi-host`, which creates a separate ingress, or OpenShift routes, for every required endpoint. `single-host` makes Che exposed on a single host name with workspaces exposed on subpaths. Read the docs to learn about the limitations of this approach. Also consult the `singleHostExposureType` property to further configure how the Operator and the Che server make that happen on Kubernetes. `default-host` exposes the Che server on the host of the cluster. Read the docs to learn about the limitations of this approach. +serverExposureStrategy: Sets the server and workspaces exposure type. Possible values are `multi-host`, `single-host`, `default-host`. Defaults to `multi-host`, which creates a separate ingress, or OpenShift routes, for every required endpoint. `single-host` makes Che exposed on a single host name with workspaces exposed on subpaths. Read the docs to learn about the limitations of this approach. Also consult the `singleHostExposureType` property to further configure how the Operator and the Che server make that happen on {orch-name}. `default-host` exposes the Che server on the host of the cluster. Read the docs to learn about the limitations of this approach. serverMemoryLimit: Overrides the memory limit used in the Che server deployment. Defaults to 1Gi. 
serverMemoryRequest: Overrides the memory request used in the Che server deployment. Defaults to 512Mi. serverTrustStoreConfigMapName: Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. @@ -59,7 +59,7 @@ singleHostGatewayConfigSidecarImage: The image used for the gateway sidecar that singleHostGatewayImage: The image used for the gateway in the single host mode. Omit it or leave it empty to use the default container image provided by the Operator. tlsSupport: Deprecated. Instructs the Operator to deploy Che in TLS mode. This is enabled by default. Disabling TLS sometimes cause malfunction of some Che components. useInternalClusterSVCNames: Use internal cluster SVC names to communicate between components to speed up the traffic and avoid proxy issues. The default value is `false`. -workspaceNamespaceDefault: Defines Kubernetes default namespace in which user's workspaces are created for a case when a user does not override it. It's possible to use ``, `` and `` placeholders, such as che-workspace-. In that case, a new namespace will be created for each user or workspace. +workspaceNamespaceDefault: Defines {orch-name} default namespace in which user's workspaces are created for a case when a user does not override it. It's possible to use ``, `` and `` placeholders, such as che-workspace-. In that case, a new namespace will be created for each user or workspace. :=== [id="checluster-custom-resource-database-settings_{context}"] 
@@ -113,7 +113,7 @@ updateAdminPassword: Forces the default `admin` Che user to update password on f :=== Property: Description postgresPVCStorageClassName: Storage class for the Persistent Volume Claim dedicated to the PosgreSQL database. When omitted or left blank, a default storage class is used. -preCreateSubPaths: Instructs the Che server to start a special Pod to pre-create a sub-path in the Persistent Volumes. Defaults to `false`, however it will need to enable it according to the configuration of your Kubernetes cluster. +preCreateSubPaths: Instructs the Che server to start a special Pod to pre-create a sub-path in the Persistent Volumes. Defaults to `false`, however it will need to enable it according to the configuration of your {orch-name} cluster. pvcClaimSize: Size of the persistent volume claim for workspaces. Defaults to `1Gi`. pvcJobsImage: Overrides the container image used to create sub-paths in the Persistent Volumes. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. See also the `preCreateSubPaths` field. pvcStrategy: Persistent volume claim strategy for the Che server. This Can be\:`common` (all workspaces PVCs in one volume), `per-workspace` (one PVC per workspace for all declared volumes) and `unique` (one PVC per declared volume). Defaults to `common`. 
@@ -127,7 +127,7 @@ workspacePVCStorageClassName: Storage class for the Persistent Volume Claims ded :=== Property: Description ingressClass: Ingress class that will define the which controller will manage ingresses. Defaults to `nginx`. NB\: This drives the `kubernetes.io/ingress.class` annotation on Che-related ingresses. -ingressDomain: Global ingress domain for a Kubernetes cluster. This MUST be explicitly specified\: there are no defaults. +ingressDomain: Global ingress domain for a {orch-name} cluster. This MUST be explicitly specified\: there are no defaults. ingressStrategy: Strategy for ingress creation. Options are\: `multi-host` (host is explicitly provided in ingress), `single-host` (host is provided, path-based rules) and `default-host` (no host is provided, path-based rules). Defaults to `multi-host` Deprecated in favor of `serverExposureStrategy` in the `server` section, which defines this regardless of the cluster type. When both are defined, the `serverExposureStrategy` option takes precedence. securityContextFsGroup: The FSGroup in which the Che Pod and workspace Pods containers runs in. Default value is `1724`. securityContextRunAsUser: ID of the user the Che Pod and workspace Pods containers run as. Default value is `1724`. diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index 567c99c54a..b8bd06e94f 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -10,7 +10,7 @@ `+CHE_API_INTERNAL+`,"`+http://${CHE_HOST}:${CHE_PORT}/api+`","API service internal network url. Back-end services should initiate REST communications to {prod-short} server with this URL" `+CHE_WEBSOCKET_ENDPOINT+`,"`+ws://${CHE_HOST}:${CHE_PORT}/api/websocket+`","{prod-short} websocket major endpoint. Provides basic communication endpoint for major websocket interactions and messaging." `+CHE_WORKSPACE_PROJECTS_STORAGE+`,"`+/projects+`","Your projects are synchronized from the {prod-short} server into the machine running each workspace. This is the directory in the machine where your projects are placed." - `+CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE+`,"`+1Gi+`","Used when Kubernetes or OpenShift-type components in a devfile request project PVC creation (Applied in case of 'unique' and 'per workspace' PVC strategy. In case of the 'common' PVC strategy, it is rewritten with the value of the `che.infra.kubernetes.pvc.quantity` property.)" + `+CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE+`,"`+1Gi+`","Used when {orch-name} or OpenShift-type components in a devfile request project PVC creation (Applied in case of 'unique' and 'per workspace' PVC strategy. In case of the 'common' PVC strategy, it is rewritten with the value of the `che.infra.kubernetes.pvc.quantity` property.)" `+CHE_WORKSPACE_LOGS_ROOT__DIR+`,"`+/workspace_logs+`","Defines the directory inside the machine where all the workspace logs are placed. Provide this value into the machine, for example, as an environment variable. This is to ensure that agent developers can use this directory to back up agent logs." `+CHE_WORKSPACE_HTTP__PROXY+`,"","Configures proxies used by runtimes powering workspaces." `+CHE_WORKSPACE_HTTPS__PROXY+`,"","Configuresproxies used by runtimes powering workspaces." 
@@ -24,13 +24,13 @@ `+CHE_WORKSPACE_JAVA__OPTIONS+`,"`+-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom+`","Java command-line options added to JVMs running in workspaces." `+CHE_WORKSPACE_MAVEN__OPTIONS+`,"`+-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom+`","Maven command-line options added to JVMs running agents in workspaces." `+CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB+`,"`+1024+`","RAM limit default for each machine that has no RAM settings in its environment. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB+`,"`+200+`","RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. This property may not be supported by all infrastructure implementations. Currently it is supported by Kubernetes and OpenShift. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB+`,"`+200+`","RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. 
This property may not be supported by all infrastructure implementations. Currently it is supported by {orch-name}. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB+`,"`+128+`","RAM limit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB+`,"`+64+`","RAMlimit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPUlimit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. 
Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPUlimit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY+`,"`+Always+`","Defines image-pulling strategy for sidecars. Possible values are: `Always`, `Never`, `IfNotPresent`. For any other value, `Always` is assumed for images with the `:latest` tag, or `IfNotPresent` for all other cases." `+CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S+`,"`+60+`","Period of inactive workspaces suspend job execution." `+CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S+`,"`+3600+`","The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, like a server crash at a peculiar point in time. The default is to run the cleanup job every hour." 
@@ -83,39 +83,39 @@ ,=== [id="kubernetes-infra-parameters"] -= Kubernetes Infra parameters += {orch-name} Infra parameters -.Kubernetes Infra parameters +.{orch-name} Infra parameters ,=== Environment Variable Name,Default value, Description - `+CHE_INFRA_KUBERNETES_MASTER__URL+`,"","Configuration of Kubernetes client that Infra will use" - `+CHE_INFRA_KUBERNETES_TRUST__CERTS+`,"","Configurationof Kubernetes client that Infra will use" + `+CHE_INFRA_KUBERNETES_MASTER__URL+`,"","Configuration of {orch-name} client that Infra will use" + `+CHE_INFRA_KUBERNETES_TRUST__CERTS+`,"","Configurationof {orch-name} client that Infra will use" `+CHE_INFRA_KUBERNETES_SERVER__STRATEGY+`,"`+multi-host+`","Defines the way how servers are exposed to the world in {orch-name} infra. List of strategies implemented in {prod-short}: default-host, multi-host, single-host" - `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE+`,"`+native+`","Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using {orch-name} Ingresses. Works only on Kubernetes. - 'gateway': Exposes servers using reverse-proxy gateway." + `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE+`,"`+native+`","Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using {orch-name} Ingresses. Works only on {kubernetes}. - 'gateway': Exposes servers using reverse-proxy gateway." `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE+`,"`+multi-host+`","Defines the way how to expose devfile endpoints, thus end-user's applications, in single-host server strategy. They can either follow the single-host strategy and be exposed on subpaths, or they can be exposed on subdomains. 
- 'multi-host': expose on subdomains - 'single-host': expose on subpaths" `+CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS+`,"`+app=che,component=che-gateway-config+`","Defines labels which will be set to ConfigMaps configuring single-host gateway." `+CHE_INFRA_KUBERNETES_INGRESS_DOMAIN+`,"","Used to generate domain for a server in a workspace in case property `che.infra.kubernetes.server_strategy` is set to `multi-host`" - `+CHE_INFRA_KUBERNETES_NAMESPACE+`,"","DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines Kubernetes namespace in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It's possible to use and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use `che.infra.openshift.project` instead If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used." + `+CHE_INFRA_KUBERNETES_NAMESPACE+`,"","DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines {platforms-namespace} in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It's possible to use and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use `che.infra.openshift.project` instead If the namespace pointed to by this property exists, it will be used for all workspaces. 
If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used." `+CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED+`,"`+true+`","Indicates whether {prod-short} server is allowed to create namespaces/projects for user workspaces, or they're intended to be created manually by cluster administrator. This property is also used by the OpenShift infra." - `+CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT+`,"`+-che+`","Defines Kubernetes default namespace in which user's workspaces are created if user does not override it. It's possible to use , and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project" + `+CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT+`,"`+-che+`","Defines {orch-name} default namespace in which user's workspaces are created if user does not override it. It's possible to use , and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project" `+CHE_INFRA_KUBERNETES_NAMESPACE_LABEL+`,"`+true+`","Defines whether che-server should try to label the workspace namespaces." `+CHE_INFRA_KUBERNETES_NAMESPACE_LABELS+`,"`+app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace+`","List of labels to find Namespaces/Projects that are used for {prod-short} Workspaces. They are used to: - find prepared Namespaces/Projects for users in combination with `che.infra.kubernetes.namespace.annotations`. - actively label namespaces with any workspace." `+CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS+`,"`+che.eclipse.org/username=+`","List of annotations to find Namespaces/Projects prepared for {prod-short} users workspaces. Only Namespaces/Projects matching the `che.infra.kubernetes.namespace.labels` will be matched against these annotations. 
Namespaces/Projects that matches both `che.infra.kubernetes.namespace.labels` and `che.infra.kubernetes.namespace.annotations` will be preferentially used for User's workspaces. It's possible to use `` placeholder to specify the Namespace/Project to concrete user." - `+CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED+`,"`+false+`","Defines if a user is able to specify Kubernetes namespace (or OpenShift project) different from the default. It's NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra." - `+CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME+`,"`+NULL+`","Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. Note that Kubernetes Infrastructure won't create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there" + `+CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED+`,"`+false+`","Defines if a user is able to specify {platforms-namespace} (or OpenShift project) different from the default. It's NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra." + `+CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME+`,"`+NULL+`","Defines {orch-name} Service Account name which should be specified to be bound to all workspaces pods. Note that {orch-name} Infrastructure won't create the service account and it should exist. 
OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there" `+CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES+`,"`+NULL+`","Specifies optional, additional cluster roles to use with the workspace service account. Note that the cluster role names must already exist, and the {prod-short} service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates 'che.infra.kubernetes.cluster_role_name'." - `+CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN+`,"`+8+`","Defines time frame that limits the Kubernetes workspace start time" - `+CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN+`,"`+5+`","Defines the timeout in minutes that limits the period for which Kubernetes Ingress become ready" + `+CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN+`,"`+8+`","Defines time frame that limits the {orch-name} workspace start time" + `+CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN+`,"`+5+`","Defines the timeout in minutes that limits the period for which {platforms-ingress} become ready" `+CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS+`,"`+FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate+`","If during workspace startup an unrecoverable event defined in the property occurs, terminate workspace immediately instead of waiting until timeout Note that this SHOULD NOT include a mere 'Failed' reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by {prod-short} server." 
`+CHE_INFRA_KUBERNETES_PVC_ENABLED+`,"`+true+`","Defines whether use the Persistent Volume Claim for che workspace needs e.g backup projects, logs etc or disable it." - `+CHE_INFRA_KUBERNETES_PVC_STRATEGY+`,"`+common+`","Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same Kubernetes Namespace will reuse the same PVC. Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn't exist. - 'unique' Separate PVC for each workspace's volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it doesn't exist. - 'per-workspace' Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn't exist." - `+CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS+`,"`+true+`","Defines whether to run a job that creates workspace's subpath directories in persistent volume for the 'common' strategy before launching a workspace. Necessary in some versions of OpenShift/Kubernetes as workspace subpath volume mounts are created with root permissions, and thus cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in {prod-short}). The default is 'true', but should be set to false if the version of Openshift/Kubernetes creates subdirectories with user permissions. Relevant issue: \https://github.com/kubernetes/kubernetes/issues/41638 Note that this property has effect only if the 'common' PVC strategy used." + `+CHE_INFRA_KUBERNETES_PVC_STRATEGY+`,"`+common+`","Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same {platforms-namespace} will reuse the same PVC. 
Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn't exist. - 'unique' Separate PVC for each workspace's volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it doesn't exist. - 'per-workspace' Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn't exist." + `+CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS+`,"`+true+`","Defines whether to run a job that creates workspace's subpath directories in persistent volume for the 'common' strategy before launching a workspace. Necessary in some versions of {orch-name} as workspace subpath volume mounts are created with root permissions, and thus cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in {prod-short}). The default is 'true', but should be set to false if the version of {orch-name} creates subdirectories with user permissions. Relevant issue: \https://github.com/kubernetes/kubernetes/issues/41638 Note that this property has effect only if the 'common' PVC strategy used." `+CHE_INFRA_KUBERNETES_PVC_NAME+`,"`+claim-che-workspace+`","Defines the settings of PVC name for che workspaces. Each PVC strategy supplies this value differently. See doc for che.infra.kubernetes.pvc.strategy property" `+CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME+`,"","Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means 'use default'." `+CHE_INFRA_KUBERNETES_PVC_QUANTITY+`,"`+10Gi+`","Defines the size of Persistent Volume Claim of che workspace. 
Format described here: \https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html" `+CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE+`,"`+centos:centos7+`","Pod that is launched when performing persistent volume claim maintenance jobs on OpenShift" - `+CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY+`,"`+IfNotPresent+`","Image pull policy of container that used for the maintenance jobs on Kubernetes/OpenShift cluster" + `+CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY+`,"`+IfNotPresent+`","Image pull policy of container that used for the maintenance jobs on {orch-name} cluster" `+CHE_INFRA_KUBERNETES_PVC_JOBS_MEMORYLIMIT+`,"`+250Mi+`","Defines pod memory limit for persistent volume claim maintenance jobs" `+CHE_INFRA_KUBERNETES_PVC_ACCESS__MODE+`,"`+ReadWriteOnce+`","Defines Persistent Volume Claim access mode. Note that for common PVC strategy changing of access mode affects the number of simultaneously running workspaces. If OpenShift flavor where che running is using PVs with RWX access mode then a limit of running workspaces at the same time bounded only by che limits configuration like(RAM, CPU etc). Detailed information about access mode is described here: \https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html" `+CHE_INFRA_KUBERNETES_PVC_WAIT__BOUND+`,"`+true+`","Defines whether {prod-short} Server should wait workspaces PVCs to become bound after creating. It's used by all PVC strategies. It should be set to `false` in case if `volumeBindingMode` is configured to `WaitForFirstConsumer` otherwise workspace starts will hangs up on phase of waiting PVCs. Default value is true (means that PVCs should be waited to be bound)" 
@@ -124,18 +124,18 @@ `+CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON+`,"`+NULL+`","Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers don't need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for nginx ingress controller 0.22.0 and later the following value is recommended: {'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600'} and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)' For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely '/' and the path transform to '%s' (see the the che.infra.kubernetes.ingress.path.rewrite_transform property). Please consult the nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression present in the ingress path and how it achieves the URL rewriting." `+CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM+`,"`+NULL+`","Defines a 'recipe' on how to declare the path of the ingress that should expose a server. The '%s' represents the base public URL of the server and is guaranteed to end with a forward slash. 
This property must be a valid input to the String.format() method and contain exactly one reference to '%s'. Please see the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to '%s' (without the quotes) which means that the path is not transformed in any way for use with the ingress controller." `+CHE_INFRA_KUBERNETES_INGRESS_LABELS+`,"`+NULL+`","Additional labels to add into every Ingress created by {prod-short} server to allow clear identification." - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra" - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra" - `+CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC+`,"`+0+`","Defines grace termination period for pods that will be created by Kubernetes / OpenShift infrastructures Grace termination period of Kubernetes / OpenShift workspace's pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` have been explicitly set in Kubernetes / OpenShift recipe it will not be overridden." 
+ `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by {orch-name} Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by {orch-name} Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC+`,"`+0+`","Defines grace termination period for pods that will be created by {orch-name} infrastructures Grace termination period of {orch-name} workspace's pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` have been explicitly set in {orch-name} recipe it will not be overridden." `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX+`,"`+1000+`","Number of maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST+`,"`+1000+`","Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. 
for command or ws-agent logs)" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE+`,"`+5+`","Max number of idle connections in the connection pool of the Kubernetes-client shared http client" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN+`,"`+5+`","Keep-alive timeout of the connection pool of the Kubernetes-client shared http client in minutes" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST+`,"`+1000+`","Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `{orch-name}Client` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE+`,"`+5+`","Max number of idle connections in the connection pool of the {orch-name}-client shared http client" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN+`,"`+5+`","Keep-alive timeout of the connection pool of the {orch-name}-client shared http client in minutes" `+CHE_INFRA_KUBERNETES_TLS__ENABLED+`,"`+false+`","Creates Ingresses with Transport Layer Security (TLS) enabled In OpenShift infrastructure, Routes will be TLS-enabled" `+CHE_INFRA_KUBERNETES_TLS__SECRET+`,"","Name of a secret that should be used when creating workspace ingresses with TLS Ignored by OpenShift infrastructure" `+CHE_INFRA_KUBERNETES_TLS__KEY+`,"`+NULL+`","Data for TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure" `+CHE_INFRA_KUBERNETES_TLS__CERT+`,"`+NULL+`","Datafor TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure" - 
`+CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN+`,"`+-1+`","Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won't be performed at all. It is disabled by default because there is possible {prod-short} Server configuration when {prod-short} Server doesn't have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where {prod-short} Server is located; - cluster-admin service account token is mount to {prod-short} Server pod; It DOES NOT work on the following configurations: - {prod-short} Server communicates with Kubernetes API using token from OAuth provider;" + `+CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN+`,"`+-1+`","Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won't be performed at all. It is disabled by default because there is possible {prod-short} Server configuration when {prod-short} Server doesn't have an ability to interact with {orch-name} API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where {prod-short} Server is located; - cluster-admin service account token is mount to {prod-short} Server pod; It DOES NOT work on the following configurations: - {prod-short} Server communicates with {orch-name} API using token from OAuth provider;" `+CHE_INFRA_KUBERNETES_TRUSTED__CA_SRC__CONFIGMAP+`,"`+NULL+`","Name of cofig map in {prod-short} server namespace with additional CA TLS certificates to be propagated into all user's workspaces. 
If the property is set on OpenShift 4 infrastructure, and che.infra.openshift.trusted_ca.dest_configmap_labels includes config.openshift.io/inject-trusted-cabundle=true label, then cluster CA bundle will be propagated too." `+CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP+`,"`+ca-certs+`","" `+CHE_INFRA_KUBERNETES_TRUSTED__CA_MOUNT__PATH+`,"`+/public-certs+`","Configures path on workspace containers where the CA bundle should be mount. Content of config map specified by che.infra.kubernetes.trusted_ca.dest_configmap is mounted." diff --git a/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc b/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc index 26339045cf..7a0c39d67d 100644 --- a/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc +++ b/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc @@ -1,6 +1,6 @@ [id="configuring-labels-for-ingresses"] // = Configuring Labels -:navtitle: Configuring labels for Kubernetes Ingress +:navtitle: Configuring labels for {orch-name} Ingress :keywords: installation-guide, configuring-labels :page-aliases: .:configuring-labels-for-ingresses diff --git a/modules/installation-guide/partials/proc_configuring-labels-for-ingresses.adoc b/modules/installation-guide/partials/proc_configuring-labels-for-ingresses.adoc index 1a06da8df5..7b027df4e6 100644 --- a/modules/installation-guide/partials/proc_configuring-labels-for-ingresses.adoc +++ b/modules/installation-guide/partials/proc_configuring-labels-for-ingresses.adoc @@ -1,8 +1,8 @@ [id="configuring-labels-for-ingresses_{context}"] -= Configuring labels for Kubernetes Ingress += Configuring labels for {platforms-ingress} -This procedure describes how to configure labels for Kubernetes Ingress to organize and categorize (scope and select) objects. +This procedure describes how to configure labels for {platforms-ingress} to organize and categorize (scope and select) objects. .Prerequisites 
@@ -13,7 +13,7 @@ IMPORTANT: Use comma to separate labels: `key1=value1,key2=value2` .Procedure -. To configure labels for Kubernetes Ingress update the Custom Resource with the following commands: +. To configure labels for {platforms-ingress} update the Custom Resource with the following commands: + [subs="+quotes,+attributes"] ---- diff --git a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc index f3dc4dda4e..8af95cf64c 100644 --- a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc +++ b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc @@ -25,7 +25,7 @@ spec: ifeval::["{project-context}" == "che"] -With **Helm** installer, Kubernetes namespaces strategies are configured using `global.cheWorkspacesNamespace` property. +With **Helm** installer, {platforms-namespace}s strategies are configured using `global.cheWorkspacesNamespace` property. *Helm* [subs="+quotes,+attributes"] @@ -170,7 +170,7 @@ server: == Handling incompatible usernames or user IDs -{prod-short} server automatically checks usernames and IDs for compatibility with Kubernetes objects naming convention before creating a {orch-namespace} from a template. +{prod-short} server automatically checks usernames and IDs for compatibility with {orch-name} objects naming convention before creating a {orch-namespace} from a template. Incompatible username or IDs are reduced to the nearest valid name by replacing groups of unsuitable symbols with the `-` symbol. To avoid collisions, a random 6-symbol suffix is added and the result is stored in preferences for reuse. diff --git a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc index 0f58cfdc4d..f1bc774f90 100644 
--- a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc +++ b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc @@ -34,9 +34,9 @@ The supported values for `global.serverStrategy` are: * xref:default-host-workspace-exposure-strategy_{context}[`default-host`] -.Gateway single-host on Kubernetes +.Gateway single-host on {orch-name} -Single-host on Kubernetes has 2 implementations, `native`(default) and `gateway`. To deploy with `gateway` use: +Single-host on {orch-name} has 2 implementations, `native`(default) and `gateway`. To deploy with `gateway` use: [subs="+quotes,+attributes"] ---- diff --git a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-an-operator.adoc b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-an-operator.adoc index d2d51b0934..88c66f4f23 100644 --- a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-an-operator.adoc +++ b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-an-operator.adoc @@ -70,8 +70,8 @@ $ {orch-cli} patch checluster {prod-checluster} --type=json \ ifeval::["{project-context}" == "che"] -.Gateway single-host on Kubernetes -Single-host on Kubernetes has two implementations, `native`(default) and `gateway`. To deploy with `gateway` set the `k8s.singleHostExposureType` of CheCluster Custom Resource to `gateway`, or use this patch: +.Gateway single-host on {orch-name} +Single-host on {orch-name} has two implementations, `native`(default) and `gateway`. To deploy with `gateway` set the `k8s.singleHostExposureType` of CheCluster Custom Resource to `gateway`, or use this patch: [source,yaml,subs="+quotes"] ---- 
diff --git a/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates-old.adoc b/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates-old.adoc index 5491367413..37fbcaa913 100644 --- a/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates-old.adoc +++ b/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates-old.adoc @@ -20,7 +20,7 @@ When the certificates used by {prod-short} components or by an external service Typical cases that may require this addition are: -* when the underlying Kubernetes cluster uses TLS certificates signed by a CA that is not trusted, +* when the underlying {orch-name} cluster uses TLS certificates signed by a CA that is not trusted, * when {prod-short} server or workspace components connect to external services such as {identity-provider} or a Git server that use TLS certificates signed by an untrusted CA. To store those certificates, {prod-short} uses a dedicated ConfigMap. Its default name is `ca-certs` but {prod-short} allows configuring its name. @@ -239,7 +239,7 @@ SHA1 Fingerprint=3F:DA:BF:E7:A7:A7:90:62:CA:CF:C7:55:0E:1D:7D:05:16:7D:45:60 == Verification at the workspace level -. Start a workspace, get the Kubernetes namespace in which it has been created, and wait for it to be started +. Start a workspace, get the {platforms-namespace} in which it has been created, and wait for it to be started . Get the name of the workspace Pod with the following command: + diff --git a/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates.adoc b/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates.adoc index 7c371ddcbc..db41b4fc19 100644 --- a/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates.adoc +++ b/modules/installation-guide/partials/proc_importing-untrusted-tls-certificates.adoc 
@@ -10,7 +10,7 @@ When the certificates used by {prod-short} components or by an external service Typical cases that may require this addition are: -* when the underlying Kubernetes cluster uses TLS certificates signed by a CA that is not trusted, +* when the underlying {orch-name} cluster uses TLS certificates signed by a CA that is not trusted, * when {prod-short} server or workspace components connect to external services such as {identity-provider} or a Git server that use TLS certificates signed by an untrusted CA. {prod-short} uses labeled ConfigMaps in {prod-short} namespace as sources for TLS certificates. @@ -175,7 +175,7 @@ SHA1 Fingerprint=3F:DA:BF:E7:A7:A7:90:62:CA:CF:C7:55:0E:1D:7D:05:16:7D:45:60 == Verification at the workspace level -- Start a workspace, get the Kubernetes namespace in which it has been created, and wait for it to be started +- Start a workspace, get the {platforms-namespace} in which it has been created, and wait for it to be started - Get the name of the workspace Pod with the following command: + diff --git a/modules/installation-guide/partials/proc_installing-che-on-kubernetes_using_chectl_and_helm.adoc b/modules/installation-guide/partials/proc_installing-che-on-kubernetes_using_chectl_and_helm.adoc index ac8aadd645..c687e75d2f 100644 --- a/modules/installation-guide/partials/proc_installing-che-on-kubernetes_using_chectl_and_helm.adoc +++ b/modules/installation-guide/partials/proc_installing-che-on-kubernetes_using_chectl_and_helm.adoc @@ -20,8 +20,8 @@ [subs="+attributes"] ---- $ {prod-cli} server:deploy --installer=helm --platform=k8s --domain={domain} --multiuser -› Current Kubernetes context: 'minikube' - ✔ Verify Kubernetes API...OK +› Current {kubernetes} context: 'minikube' + ✔ Verify {kubernetes} API...OK ✔ 👀 Looking for an already existing {prod} instance ✔ Verify if {prod} is deployed into namespace "{prod-namespace}"...it is not ✔ ✈️ {kubernetes} preflight checklist 
diff --git a/modules/installation-guide/partials/proc_sizing-google-cloud-node-pools-for-your-eclipse-che-workspaces.adoc b/modules/installation-guide/partials/proc_sizing-google-cloud-node-pools-for-your-eclipse-che-workspaces.adoc index 9567cc15a6..b5d089eb33 100644 --- a/modules/installation-guide/partials/proc_sizing-google-cloud-node-pools-for-your-eclipse-che-workspaces.adoc +++ b/modules/installation-guide/partials/proc_sizing-google-cloud-node-pools-for-your-eclipse-che-workspaces.adoc @@ -7,7 +7,7 @@ The default node pool is using machine types `n1-standard-1`. You may need to us Changing the machine type configuration of an existing node pool is not possible with Google Cloud Platform. -One solution is to create a new node pool and delete the existing one afterwards. Google Kubernetes Engine would then transfer the workloads to the new node pool automatically. +One solution is to create a new node pool and delete the existing one afterwards. Google {kubernetes} Engine would then transfer the workloads to the new node pool automatically. Another solution is to have two node pools with one dedicated to the workspaces by configuring {prod} with a NodeSelector. See xref:configuring-workspaces-nodeselector.adoc[]. From 874dba5c16be11b86cc65a6c6b04732c4d287c4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 5 Mar 2021 16:00:15 +0100 Subject: [PATCH 02/15] Update modules/installation-guide/examples/checluster-properties.adoc --- modules/installation-guide/examples/checluster-properties.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/installation-guide/examples/checluster-properties.adoc b/modules/installation-guide/examples/checluster-properties.adoc index cc37225aef..c5e365c34c 100644 --- a/modules/installation-guide/examples/checluster-properties.adoc +++ b/modules/installation-guide/examples/checluster-properties.adoc 
@@ -6,7 +6,7 @@ Property: Description airGapContainerRegistryHostname: Optional host name, or URL, to an alternate container registry to pull images from. This value overrides the container registry host name defined in all the default container images involved in a Che deployment. This is particularly useful to install Che in a restricted environment. airGapContainerRegistryOrganization: Optional repository name of an alternate container registry to pull images from. This value overrides the container registry organization defined in all the default container images involved in a Che deployment. This is particularly useful to install {prod-short} in a restricted environment. -allowUserDefinedWorkspaceNamespaces: Defines that a user is allowed to specify a {platforms-namespace}, or an OpenShift project, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. +allowUserDefinedWorkspaceNamespaces: Defines that a user is allowed to specify a {platforms-namespace}, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. cheClusterRoles: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. cheDebug: Enables the debug mode for Che server. Defaults to `false`. cheFlavor: Specifies a variation of the installation. The options are `che` for upstream Che installations, or `codeready` for link\:https\://developers.redhat.com/products/codeready-workspaces/overview[CodeReady Workspaces] installation. Override the default value only on necessary occasions. @@ -165,4 +165,3 @@ pluginRegistryURL: Public URL to the plugin registry. reason: A brief CamelCase message indicating details about why the Pod is in this state. :=== - 
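Review bot: in the `allowUserDefinedWorkspaceNamespaces` row, dropping ", or an OpenShift project," leaves "a {platforms-namespace}, which differs from the default", where the remaining comma turns the restriction into an aside. Suggest "a {platforms-namespace} that differs from the default". Since this row is a security recommendation ("NOT RECOMMENDED to set to `true` without OpenShift OAuth configured"), it would also help to state the reason in the description while the sentence is being touched, so an administrator can judge the risk rather than only see the warning.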
From 572b7469a62414775a16bc92a520407c22d4398b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 5 Mar 2021 16:01:26 +0100 Subject: [PATCH 03/15] Update modules/installation-guide/pages/configuring-labels-for-ingresses.adoc --- .../pages/configuring-labels-for-ingresses.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc b/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc index 7a0c39d67d..ce7a5e0bbf 100644 --- a/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc +++ b/modules/installation-guide/pages/configuring-labels-for-ingresses.adoc @@ -1,6 +1,6 @@ [id="configuring-labels-for-ingresses"] // = Configuring Labels -:navtitle: Configuring labels for {orch-name} Ingress +:navtitle: Configuring labels for {platforms-ingress} :keywords: installation-guide, configuring-labels :page-aliases: .:configuring-labels-for-ingresses From 035ddf1ed47916b096cb9f18167224624e682469 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 5 Mar 2021 16:02:33 +0100 Subject: [PATCH 04/15] Update modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc --- .../partials/proc_configuring-namespace-strategies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc index 8af95cf64c..71262813c2 100644 --- a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc +++ b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc 
@@ -25,7 +25,7 @@ spec: ifeval::["{project-context}" == "che"] -With **Helm** installer, {platforms-namespace}s strategies are configured using `global.cheWorkspacesNamespace` property. +With **Helm** installer, {platforms-namespace} strategies are configured using `global.cheWorkspacesNamespace` property. *Helm* [subs="+quotes,+attributes"] From decc0271b40a5ffed26944e1a66960bd3648499d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 12 Mar 2021 08:30:09 +0100 Subject: [PATCH 05/15] Update modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc Co-authored-by: Yana Hontyk --- ...t-as-an-environment-variable-into-a-workspace-container.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc b/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc index 03fc9e6dc8..da00e8b385 100644 --- a/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc +++ b/modules/end-user-guide/partials/proc_mounting-a-secret-as-an-environment-variable-into-a-workspace-container.adoc @@ -13,7 +13,7 @@ The following section describes how to mount a {platforms-name} secret from the .Procedure -. In the {platforms-namespace} where a {prod-short} workspace will be created, generate a new {platforms-name} secret . +. In the {platforms-namespace} where a {prod-short} workspace will be created, generate a new {platforms-name} secret. * The labels of the secret that is about to be generated must match the set of labels configured in `che.workspace.provision.secret.labels` property of {prod-short}. By default, it is a set of two labels: + From 18efb48714850b2c7eacac06fb328d471d754406 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 12 Mar 2021 08:40:26 +0100 Subject: [PATCH 06/15] Update modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc --- .../partials/proc_configuring-bitbucket-server-oauth1.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc b/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc index 14574a9b00..42e63bceb9 100644 --- a/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc +++ b/modules/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc @@ -41,7 +41,7 @@ openssl rand -base64 24 > ____ openssl rand -base64 24 > ____ ---- -. Create a {orch-name} Secret in {prod-short} namespace containing the consumer and private keys. +. Create one {orch-name} Secret in {prod-short} namespace containing the consumer and private keys. + [subs="+quotes,+attributes"] ---- From e93a85686615c786e6f358cd10ff5b60138f598b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 22 Mar 2021 13:54:48 +0100 Subject: [PATCH 07/15] Update modules/installation-guide/examples/checluster-properties.adoc --- modules/installation-guide/examples/checluster-properties.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/installation-guide/examples/checluster-properties.adoc b/modules/installation-guide/examples/checluster-properties.adoc index c5e365c34c..a0fe12b4fa 100644 --- a/modules/installation-guide/examples/checluster-properties.adoc +++ b/modules/installation-guide/examples/checluster-properties.adoc 
@@ -127,7 +127,7 @@ workspacePVCStorageClassName: Storage class for the Persistent Volume Claims ded :=== Property: Description ingressClass: Ingress class that will define the which controller will manage ingresses. Defaults to `nginx`. NB\: This drives the `kubernetes.io/ingress.class` annotation on Che-related ingresses. -ingressDomain: Global ingress domain for a {orch-name} cluster. This MUST be explicitly specified\: there are no defaults. +ingressDomain: Global ingress domain for a {kubernetes} cluster. This MUST be explicitly specified\: there are no defaults. ingressStrategy: Strategy for ingress creation. Options are\: `multi-host` (host is explicitly provided in ingress), `single-host` (host is provided, path-based rules) and `default-host` (no host is provided, path-based rules). Defaults to `multi-host` Deprecated in favor of `serverExposureStrategy` in the `server` section, which defines this regardless of the cluster type. When both are defined, the `serverExposureStrategy` option takes precedence. securityContextFsGroup: The FSGroup in which the Che Pod and workspace Pods containers runs in. Default value is `1724`. securityContextRunAsUser: ID of the user the Che Pod and workspace Pods containers run as. Default value is `1724`. @@ -164,4 +164,3 @@ openShiftoAuthProvisioned: Indicates whether an Identity Provider instance, Keyc pluginRegistryURL: Public URL to the plugin registry. reason: A brief CamelCase message indicating details about why the Pod is in this state. :=== - From 6fee403208cbf79dcb323b6bd3b46fad91b53171 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 22 Mar 2021 13:55:20 +0100 Subject: [PATCH 08/15] Update modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc --- ...guring-workspace-exposure-strategies-using-a-helm-chart.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc index 0973bc1c98..e560913e78 100644 --- a/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc +++ b/modules/installation-guide/partials/proc_configuring-workspace-exposure-strategies-using-a-helm-chart.adoc @@ -34,7 +34,7 @@ The supported values for `global.serverStrategy` are: * xref:default-host-workspace-exposure-strategy_{context}[`default-host`] -.Gateway single-host on {orch-name} +.Gateway single-host on {kubernetes} Single-host on {orch-name} has 2 implementations, `native`(default) and `gateway`. To deploy with `gateway` use: From 1d5607379cc32c8f130d7ef042ea5c575a3b6c1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 22 Mar 2021 14:00:07 +0100 Subject: [PATCH 09/15] Update modules/installation-guide/examples/system-variables.adoc --- modules/installation-guide/examples/system-variables.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index ae23c6de5e..ef48040384 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -10,7 +10,7 @@ `+CHE_API_INTERNAL+`,"`+http://${CHE_HOST}:${CHE_PORT}/api+`","API service internal network url. Back-end services should initiate REST communications to {prod-short} server with this URL" `+CHE_WEBSOCKET_ENDPOINT+`,"`+ws://${CHE_HOST}:${CHE_PORT}/api/websocket+`","{prod-short} websocket major endpoint. Provides basic communication endpoint for major websocket interactions and messaging." `+CHE_WORKSPACE_PROJECTS_STORAGE+`,"`+/projects+`","Your projects are synchronized from the {prod-short} server into the machine running each workspace. This is the directory in the machine where your projects are placed." - `+CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE+`,"`+1Gi+`","Used when {orch-name} or OpenShift-type components in a devfile request project PVC creation (Applied in case of 'unique' and 'per workspace' PVC strategy. In case of the 'common' PVC strategy, it is rewritten with the value of the `che.infra.kubernetes.pvc.quantity` property.)" + `+CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE+`,"`+1Gi+`","Used when {orch-name}-type components in a devfile request project PVC creation (Applied in case of 'unique' and 'per workspace' PVC strategy. In case of the 'common' PVC strategy, it is rewritten with the value of the `che.infra.kubernetes.pvc.quantity` property.)" `+CHE_WORKSPACE_LOGS_ROOT__DIR+`,"`+/workspace_logs+`","Defines the directory inside the machine where all the workspace logs are placed. Provide this value into the machine, for example, as an environment variable. This is to ensure that agent developers can use this directory to back up agent logs." `+CHE_WORKSPACE_HTTP__PROXY+`,"","Configures proxies used by runtimes powering workspaces." `+CHE_WORKSPACE_HTTPS__PROXY+`,"","Configuresproxies used by runtimes powering workspaces." From 3851206f38aebea1cd243878f581a0ae07bb39cb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 22 Mar 2021 14:03:59 +0100 Subject: [PATCH 10/15] Apply suggestions from code review --- modules/installation-guide/examples/system-variables.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index ef48040384..9bf5161365 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -102,7 +102,7 @@ `+CHE_INFRA_KUBERNETES_NAMESPACE_LABEL+`,"`+true+`","Defines whether che-server should try to label the workspace namespaces." `+CHE_INFRA_KUBERNETES_NAMESPACE_LABELS+`,"`+app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace+`","List of labels to find Namespaces/Projects that are used for {prod-short} Workspaces. They are used to: - find prepared Namespaces/Projects for users in combination with `che.infra.kubernetes.namespace.annotations`. - actively label namespaces with any workspace." `+CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS+`,"`+che.eclipse.org/username=+`","List of annotations to find Namespaces/Projects prepared for {prod-short} users workspaces. Only Namespaces/Projects matching the `che.infra.kubernetes.namespace.labels` will be matched against these annotations. Namespaces/Projects that matches both `che.infra.kubernetes.namespace.labels` and `che.infra.kubernetes.namespace.annotations` will be preferentially used for User's workspaces. It's possible to use `` placeholder to specify the Namespace/Project to concrete user." - `+CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED+`,"`+false+`","Defines if a user is able to specify {platforms-namespace} (or OpenShift project) different from the default. It's NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra." + `+CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED+`,"`+false+`","Defines if a user is able to specify {platforms-namespace} different from the default. It's NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra." `+CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME+`,"`+NULL+`","Defines {orch-name} Service Account name which should be specified to be bound to all workspaces pods. Note that {orch-name} Infrastructure won't create the service account and it should exist. 
OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there" `+CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES+`,"`+NULL+`","Specifies optional, additional cluster roles to use with the workspace service account. Note that the cluster role names must already exist, and the {prod-short} service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates 'che.infra.kubernetes.cluster_role_name'." `+CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN+`,"`+8+`","Defines time frame that limits the {orch-name} workspace start time" 
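Review bot: the new `CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED` line keeps "It's NOT RECOMMENDED to configured true without OAuth configured", which is ungrammatical and says only "OAuth", while the matching `allowUserDefinedWorkspaceNamespaces` row in checluster-properties.adoc says "without OpenShift OAuth configured". If both describe the same precondition, suggest "It's NOT RECOMMENDED to set this to `true` without OpenShift OAuth configured" so the two tables give identical guidance. The sentence also now reads "specify {platforms-namespace} different from the default" with no article; "a {platforms-namespace} that differs from the default" would match the other file.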
@@ -124,8 +124,8 @@ `+CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON+`,"`+NULL+`","Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers don't need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for nginx ingress controller 0.22.0 and later the following value is recommended: {'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600'} and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)' For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely '/' and the path transform to '%s' (see the the che.infra.kubernetes.ingress.path.rewrite_transform property). Please consult the nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression present in the ingress path and how it achieves the URL rewriting." `+CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM+`,"`+NULL+`","Defines a 'recipe' on how to declare the path of the ingress that should expose a server. The '%s' represents the base public URL of the server and is guaranteed to end with a forward slash. 
This property must be a valid input to the String.format() method and contain exactly one reference to '%s'. Please see the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to '%s' (without the quotes) which means that the path is not transformed in any way for use with the ingress controller." `+CHE_INFRA_KUBERNETES_INGRESS_LABELS+`,"`+NULL+`","Additional labels to add into every Ingress created by {prod-short} server to allow clear identification." - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by {orch-name} Infra This is ignored by OpenShift infra" - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by {orch-name} Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by {kubernetes} Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by {kubernetes} Infra This is ignored by OpenShift infra" `+CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC+`,"`+0+`","Defines grace termination period for pods that will be created by {orch-name} infrastructures Grace termination period of {orch-name} workspace's pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` have been explicitly set in {orch-name} recipe it will not be overridden." 
`+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX+`,"`+1000+`","Number of maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST+`,"`+1000+`","Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `{orch-name}Client` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" From 5e3d60d78abc0eced4e28e24ae100f0e3fac504b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 19 Apr 2021 10:34:01 +0200 Subject: [PATCH 11/15] Update modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc --- .../partials/proc_configuring-namespace-strategies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc index 1b4f895dfc..6700fc96ad 100644 --- a/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc +++ b/modules/installation-guide/partials/proc_configuring-namespace-strategies.adoc @@ -25,7 +25,7 @@ spec: ifeval::["{project-context}" == "che"] -With **Helm** installer, {platforms-namespace} strategies are configured using `global.cheWorkspacesNamespace` property. +With **Helm** installer, {orch-namespace} strategies are configured using `global.cheWorkspacesNamespace` property. *Helm* [subs="+quotes,+attributes"] 
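Review bot: `{orch-namespace}` in the Helm sentence is an attribute name that appears nowhere else in the visible hunks, which use `{platforms-namespace}` for namespaces, and patch 04 had just settled this same sentence on `{platforms-namespace}`. Please confirm `{orch-namespace}` is defined for the `che` project context guarded by the `ifeval` above it, because an undefined attribute reference is left unexpanded in the rendered page. While here, "using `global.cheWorkspacesNamespace` property" is missing "the".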
From 32df7ec888254002036c9e112be444f453404b3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 6 May 2021 09:17:52 +0200 Subject: [PATCH 12/15] Update modules/installation-guide/examples/system-variables.adoc --- modules/installation-guide/examples/system-variables.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index 1489888e58..89b75e6ec7 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc @@ -89,7 +89,7 @@ pass:[] ,=== [id="kubernetes-infra-parameters"] -= {orch-name} Infra parameters += Kubernetes Infra parameters .{orch-name} Infra parameters ,=== @@ -346,4 +346,3 @@ pass:[] `+CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS+`,"`+NULL+`","User name adjustment configuration. {prod-short} needs to use the usernames as part of K8s object names and labels and therefore has stricter requirements on their format than the identity providers usually allow (it needs them to be DNS-compliant). The adjustment is represented by comma-separated key-value pairs. These are sequentially used as arguments to the String.replaceAll function on the original username. The keys are regular expressions, values are replacement strings that replace the characters in the username that match the regular expression. The modified username will only be stored in the {prod-short} database and will not be advertised back to the identity provider. It is recommended to use DNS-compliant characters as replacement strings (values in the key-value pairs). Example: `\\=-,@=-at-` changes `\` to `-` and `@` to `-at-` so the username `org\user@com` becomes `org-user-at-com.`" ,=== - From 546d2d03f124f5f6a207ade2450fe4e4b83b213c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 6 May 2021 09:27:28 +0200 Subject: [PATCH 13/15] Apply suggestions from code review Revert Kubernetes edits. --- .../examples/system-variables.adoc | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index 89b75e6ec7..f170e6d6c5 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -91,31 +91,31 @@ pass:[] [id="kubernetes-infra-parameters"] = Kubernetes Infra parameters -.{orch-name} Infra parameters +.Kubernetes Infra parameters ,=== Environment Variable Name,Default value, Description `+CHE_INFRA_KUBERNETES_MASTER__URL+`,"","Configuration of {orch-name} client that Infra will use" `+CHE_INFRA_KUBERNETES_TRUST__CERTS+`,"","Configurationof {orch-name} client that Infra will use" `+CHE_INFRA_KUBERNETES_SERVER__STRATEGY+`,"`+multi-host+`","Defines the way how servers are exposed to the world in {orch-name} infra. List of strategies implemented in {prod-short}: default-host, multi-host, single-host" - `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE+`,"`+native+`","Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using {orch-name} Ingresses. Works only on {kubernetes}. - 'gateway': Exposes servers using reverse-proxy gateway." + `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE+`,"`+native+`","Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using Kubernetes Ingresses. Works only on {kubernetes}. - 'gateway': Exposes servers using reverse-proxy gateway." `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE+`,"`+multi-host+`","Defines the way how to expose devfile endpoints, thus end-user's applications, in single-host server strategy. They can either follow the single-host strategy and be exposed on subpaths, or they can be exposed on subdomains. - 'multi-host': expose on subdomains - 'single-host': expose on subpaths" `+CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS+`,"`+app=che,component=che-gateway-config+`","Defines labels which will be set to ConfigMaps configuring single-host gateway." 
`+CHE_INFRA_KUBERNETES_INGRESS_DOMAIN+`,"","Used to generate domain for a server in a workspace in case property `che.infra.kubernetes.server_strategy` is set to `multi-host`" - `+CHE_INFRA_KUBERNETES_NAMESPACE+`,"","DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines {platforms-namespace} in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It's possible to use and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use `che.infra.openshift.project` instead If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used." + `+CHE_INFRA_KUBERNETES_NAMESPACE+`,"","DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines Kubernetes namespace in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It's possible to use and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use `che.infra.openshift.project` instead If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used." 
`+CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED+`,"`+true+`","Indicates whether {prod-short} server is allowed to create namespaces/projects for user workspaces, or they're intended to be created manually by cluster administrator. This property is also used by the OpenShift infra." - `+CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT+`,"`+-che+`","Defines {orch-name} default namespace in which user's workspaces are created if user does not override it. It's possible to use , and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project" + `+CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT+`,"`+-che+`","Defines Kubernetes default namespace in which user's workspaces are created if user does not override it. It's possible to use , and placeholders (e.g.: che-workspace-). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project" `+CHE_INFRA_KUBERNETES_NAMESPACE_LABEL+`,"`+true+`","Defines whether che-server should try to label the workspace namespaces." `+CHE_INFRA_KUBERNETES_NAMESPACE_LABELS+`,"`+app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace+`","List of labels to find Namespaces/Projects that are used for {prod-short} Workspaces. They are used to: - find prepared Namespaces/Projects for users in combination with `che.infra.kubernetes.namespace.annotations`. - actively label namespaces with any workspace." `+CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS+`,"`+che.eclipse.org/username=+`","List of annotations to find Namespaces/Projects prepared for {prod-short} users workspaces. Only Namespaces/Projects matching the `che.infra.kubernetes.namespace.labels` will be matched against these annotations. 
Namespaces/Projects that matches both `che.infra.kubernetes.namespace.labels` and `che.infra.kubernetes.namespace.annotations` will be preferentially used for User's workspaces. It's possible to use `` placeholder to specify the Namespace/Project to concrete user." `+CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED+`,"`+false+`","Defines if a user is able to specify {platforms-namespace} different from the default. It's NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra." - `+CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME+`,"`+NULL+`","Defines {orch-name} Service Account name which should be specified to be bound to all workspaces pods. Note that {orch-name} Infrastructure won't create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there" + `+CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME+`,"`+NULL+`","Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. Note that {orch-name} Infrastructure won't create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there" `+CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES+`,"`+NULL+`","Specifies optional, additional cluster roles to use with the workspace service account. 
Note that the cluster role names must already exist, and the {prod-short} service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates 'che.infra.kubernetes.cluster_role_name'." `+CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN+`,"`+8+`","Defines time frame that limits the Kubernetes workspace start time" `+CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN+`,"`+5+`","Defines the timeout in minutes that limits the period for which Kubernetes Ingress become ready" `+CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS+`,"`+FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate,ReplicaSetCreateError+`","If during workspace startup an unrecoverable event defined in the property occurs, terminate workspace immediately instead of waiting until timeout Note that this SHOULD NOT include a mere 'Failed' reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by {prod-short} server." `+CHE_INFRA_KUBERNETES_PVC_ENABLED+`,"`+true+`","Defines whether use the Persistent Volume Claim for che workspace needs e.g backup projects, logs etc or disable it." - `+CHE_INFRA_KUBERNETES_PVC_STRATEGY+`,"`+common+`","Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same {platforms-namespace} will reuse the same PVC. Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn't exist. - 'unique' Separate PVC for each workspace's volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it doesn't exist. - 'per-workspace' Separate PVC for each workspace will be used. 
Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn't exist." + `+CHE_INFRA_KUBERNETES_PVC_STRATEGY+`,"`+common+`","Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same Kubernetes namespace will reuse the same PVC. Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn't exist. - 'unique' Separate PVC for each workspace's volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it doesn't exist. - 'per-workspace' Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn't exist." `+CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS+`,"`+true+`","Defines whether to run a job that creates workspace's subpath directories in persistent volume for the 'common' strategy before launching a workspace. Necessary in some versions of {orch-name} as workspace subpath volume mounts are created with root permissions, and thus cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in {prod-short}). The default is 'true', but should be set to false if the version of {orch-name} creates subdirectories with user permissions. Relevant issue: \https://github.com/kubernetes/kubernetes/issues/41638 Note that this property has effect only if the 'common' PVC strategy used." `+CHE_INFRA_KUBERNETES_PVC_NAME+`,"`+claim-che-workspace+`","Defines the settings of PVC name for che workspaces. Each PVC strategy supplies this value differently. 
See doc for che.infra.kubernetes.pvc.strategy property" `+CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME+`,"","Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means 'use default'." 
@@ -130,18 +130,18 @@ pass:[] `+CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON+`,"`+NULL+`","Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers don't need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for nginx ingress controller 0.22.0 and later the following value is recommended: {'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600'} and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)' For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely '/' and the path transform to '%s' (see the the che.infra.kubernetes.ingress.path.rewrite_transform property). Please consult the nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression present in the ingress path and how it achieves the URL rewriting." `+CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM+`,"`+NULL+`","Defines a 'recipe' on how to declare the path of the ingress that should expose a server. The '%s' represents the base public URL of the server and is guaranteed to end with a forward slash. 
This property must be a valid input to the String.format() method and contain exactly one reference to '%s'. Please see the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to '%s' (without the quotes) which means that the path is not transformed in any way for use with the ingress controller." `+CHE_INFRA_KUBERNETES_INGRESS_LABELS+`,"`+NULL+`","Additional labels to add into every Ingress created by {prod-short} server to allow clear identification." - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by {kubernetes} Infra This is ignored by OpenShift infra" - `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by {kubernetes} Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER+`,"`+NULL+`","Defines security context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra" + `+CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP+`,"`+NULL+`","Definessecurity context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra" `+CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC+`,"`+0+`","Defines grace termination period for pods that will be created by {orch-name} infrastructures Grace termination period of {orch-name} workspace's pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` have been explicitly set in {orch-name} recipe it will not be overridden." 
`+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX+`,"`+1000+`","Number of maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST+`,"`+1000+`","Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `{orch-name}Client` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. for command or ws-agent logs)" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE+`,"`+5+`","Max number of idle connections in the connection pool of the {orch-name}-client shared http client" - `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN+`,"`+5+`","Keep-alive timeout of the connection pool of the {orch-name}-client shared http client in minutes" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST+`,"`+1000+`","Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn't seem correct for multi-user scenarios knowing that {prod-short} keeps a number of connections opened (e.g. 
for command or ws-agent logs)" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE+`,"`+5+`","Max number of idle connections in the connection pool of the Kubernetes-client shared http client" + `+CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN+`,"`+5+`","Keep-alive timeout of the connection pool of the Kubernetes-client shared http client in minutes" `+CHE_INFRA_KUBERNETES_TLS__ENABLED+`,"`+false+`","Creates Ingresses with Transport Layer Security (TLS) enabled In OpenShift infrastructure, Routes will be TLS-enabled" `+CHE_INFRA_KUBERNETES_TLS__SECRET+`,"","Name of a secret that should be used when creating workspace ingresses with TLS Ignored by OpenShift infrastructure" `+CHE_INFRA_KUBERNETES_TLS__KEY+`,"`+NULL+`","Data for TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure" `+CHE_INFRA_KUBERNETES_TLS__CERT+`,"`+NULL+`","Datafor TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure" - `+CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN+`,"`+-1+`","Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won't be performed at all. It is disabled by default because there is possible {prod-short} Server configuration when {prod-short} Server doesn't have an ability to interact with {orch-name} API when operation is not invoked by user. 
It DOES work on the following configurations: - workspaces objects are created in the same namespace where {prod-short} Server is located; - cluster-admin service account token is mount to {prod-short} Server pod; It DOES NOT work on the following configurations: - {prod-short} Server communicates with {orch-name} API using token from OAuth provider;" + `+CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN+`,"`+-1+`","Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won't be performed at all. It is disabled by default because there is possible {prod-short} Server configuration when {prod-short} Server doesn't have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where {prod-short} Server is located; - cluster-admin service account token is mount to {prod-short} Server pod; It DOES NOT work on the following configurations: - {prod-short} Server communicates with Kubernetes API using token from OAuth provider;" `+CHE_INFRA_KUBERNETES_TRUSTED__CA_SRC__CONFIGMAP+`,"`+NULL+`","Name of cofig map in {prod-short} server namespace with additional CA TLS certificates to be propagated into all user's workspaces. If the property is set on OpenShift 4 infrastructure, and che.infra.openshift.trusted_ca.dest_configmap_labels includes config.openshift.io/inject-trusted-cabundle=true label, then cluster CA bundle will be propagated too." `+CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP+`,"`+ca-certs+`","" `+CHE_INFRA_KUBERNETES_TRUSTED__CA_MOUNT__PATH+`,"`+/public-certs+`","Configures path on workspace containers where the CA bundle should be mount. Content of config map specified by che.infra.kubernetes.trusted_ca.dest_configmap is mounted." 
@@ -345,4 +345,3 @@ pass:[] `+CHE_KEYCLOAK_ADMIN__PASSWORD+`,"`+NULL+`","Keycloak admin password. Will be used for deleting user from Keycloak on removing user from {prod-short} database. Make sense only in case $++{che.keycloak.cascade_user_removal_enabled}++ set to 'true'" `+CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS+`,"`+NULL+`","User name adjustment configuration. {prod-short} needs to use the usernames as part of K8s object names and labels and therefore has stricter requirements on their format than the identity providers usually allow (it needs them to be DNS-compliant). The adjustment is represented by comma-separated key-value pairs. These are sequentially used as arguments to the String.replaceAll function on the original username. The keys are regular expressions, values are replacement strings that replace the characters in the username that match the regular expression. The modified username will only be stored in the {prod-short} database and will not be advertised back to the identity provider. It is recommended to use DNS-compliant characters as replacement strings (values in the key-value pairs). Example: `\\=-,@=-at-` changes `\` to `-` and `@` to `-at-` so the username `org\user@com` becomes `org-user-at-com.`" ,=== - From 261797d693f7a19882dae316bcfb2e321699de0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 10 May 2021 15:34:02 +0200 Subject: [PATCH 14/15] Update modules/installation-guide/examples/system-variables.adoc --- modules/installation-guide/examples/system-variables.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index 2f4115da66..6f72e7731d 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -27,7 +27,7 @@ pass:[] `+CHE_WORKSPACE_MAVEN__OPTIONS+`,"`+-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom+`","Maven command-line options added to JVMs running agents in workspaces." `+CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB+`,"`+1024+`","RAM limit default for each machine that has no RAM settings in its environment. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB+`,"`+200+`","RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. This property may not be supported by all infrastructure implementations. Currently it is supported by {orch-name}. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. 
Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB+`,"`+128+`","RAM limit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB+`,"`+64+`","RAMlimit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." From 40418c89ca48ff8f488ba1a9161c9fbd0c129ef9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 10 May 2021 15:42:54 +0200 Subject: [PATCH 15/15] Apply suggestions from code review --- modules/installation-guide/examples/system-variables.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc index 6f72e7731d..958137464f 100644 --- a/modules/installation-guide/examples/system-variables.adoc +++ b/modules/installation-guide/examples/system-variables.adoc 
@@ -31,8 +31,8 @@ pass:[] `+CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB+`,"`+128+`","RAM limit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB+`,"`+64+`","RAMlimit and request for each sidecar that has no RAM settings in the {prod-short} plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." - `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPUlimit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the {orch-name} format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." + `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES+`,"`+-1+`","CPU limit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." 
+ `+CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES+`,"`+-1+`","CPUlimit and request default for each sidecar that has no CPU settings in the {prod-short} plug-in configuration. Specify either in floating point cores number, for example, `0.125`, or using the Kubernetes format, integer millicores, for example, `125m`. Value less or equal to 0 is interpreted as disabling the limit." `+CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY+`,"`+Always+`","Defines image-pulling strategy for sidecars. Possible values are: `Always`, `Never`, `IfNotPresent`. For any other value, `Always` is assumed for images with the `:latest` tag, or `IfNotPresent` for all other cases." `+CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S+`,"`+60+`","Period of inactive workspaces suspend job execution." `+CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S+`,"`+3600+`","The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, like a server crash at a peculiar point in time. The default is to run the cleanup job every hour." 
@@ -95,7 +95,7 @@ pass:[] ,=== Environment Variable Name,Default value, Description - `+CHE_INFRA_KUBERNETES_MASTER__URL+`,"","Configuration of {orch-name} client that Infra will use" + `+CHE_INFRA_KUBERNETES_MASTER__URL+`,"","Configuration of Kubernetes client that Infra will use" `+CHE_INFRA_KUBERNETES_TRUST__CERTS+`,"","Configurationof {orch-name} client that Infra will use" `+CHE_INFRA_KUBERNETES_SERVER__STRATEGY+`,"`+multi-host+`","Defines the way how servers are exposed to the world in {orch-name} infra. List of strategies implemented in {prod-short}: default-host, multi-host, single-host" `+CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE+`,"`+native+`","Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using Kubernetes Ingresses. Works only on {kubernetes}. - 'gateway': Exposes servers using reverse-proxy gateway."
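Review bot: In the hunk that ends just before `@@ -130,18 +130,18 @@`, the `+` line for `CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME` mixes a literal and an attribute in the same cell: it now opens with "Defines Kubernetes Service Account name" but still says "Note that {orch-name} Infrastructure won't create the service account". The unchanged `CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS` row in the same hunk also keeps `{orch-name}`. Use one form per description. The same hunk hard-codes "Kubernetes default namespace" in `CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT`, whose text goes on to say it "Is used by OpenShift infra as well to specify Project", and replaces `{platforms-namespace}` with "Kubernetes namespace" in `CHE_INFRA_KUBERNETES_PVC_STRATEGY`. If the literal is intended for these rows, the commit message should say why, since the subject line announces the opposite direction.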
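Review bot: In the `@@ -130,18 +130,18 @@` hunk, the two rewritten pod security context rows still carry the same description, and the `+` line for `CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP` keeps the "Definessecurity" typo. Since both lines are being rewritten anyway, fix the missing space and say which security context field each variable sets, so that an administrator reading the rendered table can tell `RUN__AS__USER` from `FS__GROUP`. The same applies to "Numberof" in the `+` line for `CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST`. Changing `{orch-name}Client` to `KubernetesClient` on that line looks right, because it is a class name and matches the `MAX` row above it.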
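Review bot: In the `@@ -31,8 +31,8 @@` hunk, the `+` line for `CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES` keeps the "CPUlimit" typo and repeats the `CPU__LIMIT__CORES` description word for word ("limit and request default for each sidecar"). The two rows are distinct settings, so the request row should describe the request, and the closing sentence "Value less or equal to 0 is interpreted as disabling the limit" should say what the default `-1` means for a request. As written, the table does not tell the reader that sidecars run without a CPU cap by default.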
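Review bot: In the `@@ -95,7 +95,7 @@` hunk, only `CHE_INFRA_KUBERNETES_MASTER__URL` is updated, while the next row, `CHE_INFRA_KUBERNETES_TRUST__CERTS`, is left as "Configurationof {orch-name} client that Infra will use". The two adjacent rows now name the client differently, and the typo stays. `TRUST__CERTS` also shares the generic description of `MASTER__URL`; for a setting that governs certificate trust of the client, the description should state what enabling it does and what the empty default means. Please change both rows in this hunk. Note also that the `CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE` context line writes "Works only on {kubernetes}" while the changed line uses the literal word, so the hunk ends up with three spellings of the same name.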