# # Copyright (c) 2012-2019 Red Hat, Inc. # This program and the accompanying materials are made # available under the terms of the Eclipse Public License 2.0 # which is available at https://www.eclipse.org/legal/epl-2.0/ # # SPDX-License-Identifier: EPL-2.0 # # Contributors: # Red Hat, Inc. - initial API and implementation apiVersion: org.eclipse.che/v1 kind: CheCluster metadata: name: eclipse-che spec: server: # Use internal cluster SVC names to communicate between components to speed up the traffic and avoid proxy issues. useInternalClusterSVCNames: true # Specifies a variation of the installation. The options are `che` for upstream Che installations, or `codeready` for link:https://developers.redhat.com/products/codeready-workspaces/overview[CodeReady Workspaces] installation. # Override the default value only on necessary occasions. cheFlavor: '' # A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. # Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. cheClusterRoles: '' # Custom cluster role bound to the user for the Che workspaces. # The default roles are used when omitted or left blank. cheWorkspaceClusterRole: '' # Name of the ConfigMap with public certificates to add to Java trust store of the Che server. # This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. # The Che server must be aware of its CA cert to be able to request it. serverTrustStoreConfigMapName: '' # When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git. gitSelfSignedCert: false # Deprecated. Instructs the Operator to deploy Che in TLS mode. Disabling TLS sometimes cause malfunction of some Che components. tlsSupport: true # URL (protocol+host name) of the proxy server. This drives the appropriate changes in the `JAVA_OPTS` and `https(s)_proxy` variables # in the Che server and workspaces containers. # Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration # and no additional configuration is required, but defining `proxyUrl` in a custom resource leads to overrides the cluster proxy configuration # with fields `proxyUrl`, `proxyPort`, `proxyUser` and `proxyPassword` from the custom resource. # See the doc https://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyPort` and `nonProxyHosts` fields. proxyURL: '' # Port of the proxy server. Only use when configuring a proxy is required. See also the `proxyURL` and `nonProxyHosts` fields. proxyPort: '' # User name of the proxy server. Only use when configuring a proxy is required. See also the `proxyURL`, `proxyPassword` and `proxySecret` fields. proxyUser: '' # Password of the proxy server. # Only use when proxy configuration is required. See the `proxyURL`, `proxyUser` and `proxySecret` fields. proxyPassword: '' # List of hosts that will be reached directly, bypassing the proxy. # Specify wild card domain use the following form `.` and `|` as delimiter, for example: `localhost|.my.host.com|123.42.12.32` # Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration and no additional configuration is required, # but defining `nonProxyHosts` in a custom resource leads to merging non proxy hosts lists from the cluster proxy configuration and ones defined in the custom resources. # See the doc https://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyURL` fields. nonProxyHosts: '' # Defines Kubernetes default namespace in which user's workspaces are created for a case when a user does not override it. # It's possible to use ``, `` and `` placeholders, such as che-workspace-. # In that case, a new namespace will be created for each user or workspace. workspaceNamespaceDefault: "-che" # Defines that a user is allowed to specify a Kubernetes namespace, or an OpenShift project, which differs from the default. # It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. allowUserDefinedWorkspaceNamespaces: false # Sets the server and workspaces exposure type. # Possible values are `multi-host`, `single-host`, `default-host`. Defaults to `multi-host`, which creates a separate ingress, or OpenShift routes, for every required endpoint. # `single-host` makes Che exposed on a single host name with workspaces exposed on subpaths. # Read the docs to learn about the limitations of this approach. # Also consult the `singleHostExposureType` property to further configure how the Operator and the Che server make that happen on Kubernetes. # `default-host` exposes the Che server on the host of the cluster. Read the docs to learn about the limitations of this approach. serverExposureStrategy: '' database: # Instructs the Operator on whether to deploy a dedicated database. # By default, a dedicated PostgreSQL database is deployed as part of the Che installation. When `externalDb` is `true`, no dedicated database will be deployed by the # Operator and you will need to provide connection details to the external DB you are about to use. See also all the fields starting with: `chePostgres`. externalDb: false # PostgreSQL Database host name that the Che server uses to connect to. # Defaults is `postgres`. Override this value ONLY when using an external database. See field `externalDb`. # In the default case it will be automatically set by the Operator. chePostgresHostName: '' # PostgreSQL Database port that the Che server uses to connect to. Defaults to 5432. # Override this value ONLY when using an external database. See field `externalDb`. In the default case it will be automatically set by the Operator. chePostgresPort: '' # PostgreSQL user that the Che server uses to connect to the DB. Defaults to `pgche`. chePostgresUser: '' # PostgreSQL password that the Che server uses to connect to the DB. When omitted or left blank, it will be set to an automatically generated value. chePostgresPassword: '' # PostgreSQL database name that the Che server uses to connect to the DB. Defaults to `dbche`. chePostgresDb: '' storage: # Persistent volume claim strategy for the Che server. This Can be:`common` (all workspaces PVCs in one volume), # `per-workspace` (one PVC per workspace for all declared volumes) and `unique` (one PVC per declared volume). pvcStrategy: 'common' # Size of the persistent volume claim for workspaces. pvcClaimSize: '10Gi' # Instructs the Che server to start a special Pod to pre-create a sub-path in the Persistent Volumes. preCreateSubPaths: true # Storage class for the Persistent Volume Claim dedicated to the PostgreSQL database. When omitted or left blank, a default storage class is used. postgresPVCStorageClassName: '' # Storage class for the Persistent Volume Claims dedicated to the Che workspaces. When omitted or left blank, a default storage class is used. workspacePVCStorageClassName: '' auth: # For operating with the OpenShift OAuth authentication, create a new user account since the kubeadmin can not be used. # If the value is true, then a new OpenShift OAuth user will be created for the HTPasswd identity provider. # If the value is false and the user has already been created, then it will be removed. # If value is an empty, then do nothing. # The user's credentials are stored in the `openshift-oauth-user-credentials` secret by Operator. # Note that this solution is Openshift 4 platform-specific. initialOpenShiftOAuthUser: true # Instructs the Operator on whether or not to deploy a dedicated Identity Provider (Keycloak or RH SSO instance). # Instructs the Operator on whether to deploy a dedicated Identity Provider (Keycloak or RH-SSO instance). # By default, a dedicated Identity Provider server is deployed as part of the Che installation. When `externalIdentityProvider` is `true`, # no dedicated identity provider will be deployed by the Operator and you will need to provide details about the external identity provider you are about to use. # See also all the other fields starting with: `identityProvider`. externalIdentityProvider: false # Public URL of the Identity Provider server (Keycloak / RH-SSO server). # Set this ONLY when a use of an external Identity Provider is needed. # See the `externalIdentityProvider` field. By default, this will be automatically calculated and set by the Operator. identityProviderURL: '' # Overrides the name of the Identity Provider administrator user. Defaults to `admin`. identityProviderAdminUserName: '' # Overrides the password of Keycloak administrator user. # Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. # When omitted or left blank, it is set to an auto-generated password. identityProviderPassword: '' # Name of a Identity provider, Keycloak or RH-SSO, realm that is used for Che. # Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. # When omitted or left blank, it is set to the value of the `flavour` field. identityProviderRealm: '' # Name of a Identity provider, Keycloak or RH-SSO, `client-id` that is used for Che. # Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. # When omitted or left blank, it is set to the value of the `flavour` field suffixed with `-public`. identityProviderClientId: '' # Name of the OpenShift `OAuthClient` resource used to setup identity federation on the OpenShift side. Auto-generated when left blank. See also the `OpenShiftoAuth` field. oAuthClientName: '' # Name of the secret set in the OpenShift `OAuthClient` resource used to setup identity federation on the OpenShift side. Auto-generated when left blank. See also the `OAuthClientName` field. oAuthSecret: '' k8s: # Global ingress domain for a Kubernetes cluster. ingressDomain: '192.168.99.101.nip.io' # Ingress class that will define the which controller will manage ingresses. Defaults to `nginx`. # NB: This drives the `kubernetes.io/ingress.class` annotation on Che-related ingresses. ingressClass: '' # Strategy for ingress creation. Options are: `multi-host` (host is explicitly provided in ingress), # `single-host` (host is provided, path-based rules) and `default-host` (no host is provided, path-based rules). # Defaults to `multi-host` Deprecated in favor of `serverExposureStrategy` in the `server` section, # which defines this regardless of the cluster type. When both are defined, the `serverExposureStrategy` option takes precedence. ingressStrategy: '' # Name of a secret that will be used to setup ingress TLS termination when TLS is enabled. # When the field is empty string, the default cluster certificate will be used. See also the `tlsSupport` field. tlsSecretName: 'che-tls' # The FSGroup in which the Che Pod and workspace Pods containers runs in. Default value is `1724`. securityContextFsGroup: '' # ID of the user the Che Pod and workspace Pods containers run as. Default value is `1724`. securityContextRunAsUser: '' # When the serverExposureStrategy is set to `single-host`, the way the server, registries and workspaces are exposed is further configured by this property. # The possible values are `native`, which means that the server and workspaces are exposed using ingresses on K8s # or `gateway` where the server and workspaces are exposed using a custom gateway based on link:https://doc.traefik.io/traefik/[Traefik]. # All the endpoints whether backed by the ingress or gateway `route` always point to the subpaths on the same domain. Defaults to `native`. singleHostExposureType: '' metrics: # Enables `metrics` the Che server endpoint. enable: true devWorkspace: # Deploys the DevWorkspace Operator in the cluster. # Does nothing when a matching version of the Operator is already installed. # Fails when a non-matching version of the Operator is already installed. enable: false