From ad498890bbb7436e1524aa631d05f8940d671c9d Mon Sep 17 00:00:00 2001
From: Mykola Morhun
Date: Mon, 22 Nov 2021 17:34:37 +0200
Subject: [PATCH] chore: Remove Che opertor memory limit workaround (#1190)
Remove Che opertor memory limit workaround
Signed-off-by: Mykola Morhun
---
api/v1/checluster_types.go | 9 +++++
.../che-operator.clusterserviceversion.yaml | 6 ++--
.../manifests/org_v1_che_crd.yaml | 33 ++++++++++++-------
.../che-operator.clusterserviceversion.yaml | 6 ++--
.../manifests/org_v1_che_crd.yaml | 18 +++++-----
.../che-operator.clusterserviceversion.yaml | 6 ++--
.../manifests/org_v1_che_crd.yaml | 33 ++++++++++++-------
config/crd/bases/org_v1_che_crd-v1beta1.yaml | 31 +++++++++++------
config/crd/bases/org_v1_che_crd.yaml | 33 ++++++++++++-------
config/manager/manager.yaml | 2 +-
.../on-reconcile-one-time-migration.go | 1 -
11 files changed, 112 insertions(+), 66 deletions(-)
diff --git a/api/v1/checluster_types.go b/api/v1/checluster_types.go
index 4b7f83c20..84a03c1f4 100644
--- a/api/v1/checluster_types.go
+++ b/api/v1/checluster_types.go
@@ -104,6 +104,7 @@ type CheClusterSpecServer struct { // +optional CheHost string `json:"cheHost,omitempty"` // Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. + // The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. // See the `cheHost` field. // +optional CheHostTLSSecret string `json:"cheHostTLSSecret,omitempty"`
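Review bot: The comment added on `CheHostTLSSecret` says the secret must carry the `app.kubernetes.io/part-of=che.eclipse.org` label but not what the Operator does when the label is absent, which matters most for a TLS secret. The same sentence is added, again without a stated consequence, on `ProxySecret`, `ChePostgresSecret`, `IdentityProviderSecret` and `IdentityProviderPostgresSecret` in the later hunks of this file. Presumably the Operator only reads labelled objects, so an unlabelled secret would look missing to it; if that is right, a follow-up line such as `// Without this label the Operator does not find the secret.` would tell an admin why a correctly named secret is ignored, with the wording to be confirmed against the reconcile code, which is not shown here. The struct body continues outside the hunk.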
@@ -114,10 +115,12 @@ type CheClusterSpecServer struct { // +optional CheDebug string `json:"cheDebug,omitempty"` // A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. + // Each role must have `app.kubernetes.io/part-of=che.eclipse.org` label. // Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. // +optional CheClusterRoles string `json:"cheClusterRoles,omitempty"` // Custom cluster role bound to the user for the Che workspaces. + // The role must have `app.kubernetes.io/part-of=che.eclipse.org` label. // The default roles are used when omitted or left blank. // +optional CheWorkspaceClusterRole string `json:"cheWorkspaceClusterRole,omitempty"` @@ -140,9 +143,11 @@ type CheClusterSpecServer struct { // Name of the ConfigMap with public certificates to add to Java trust store of the Che server. // This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. // The Che server must be aware of its CA cert to be able to request it. This is disabled by default. + // The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional ServerTrustStoreConfigMapName string `json:"serverTrustStoreConfigMapName,omitempty"` // When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git. + // Note, the `che-git-self-signed-cert` ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional GitSelfSignedCert bool `json:"gitSelfSignedCert"` // Deprecated. Instructs the Operator to deploy Che in TLS mode. This is enabled by default. Disabling TLS sometimes cause malfunction of some Che components. 
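Review bot: On `CheClusterRoles` and `CheWorkspaceClusterRole` the new sentence can be read as if the label approved a role for binding, whereas a label is plain metadata that anyone allowed to edit ClusterRoles can set. These two fields decide which cluster-wide permissions the Che ServiceAccount and the workspace users receive, so the comment should make clear that the label is only a lookup requirement and that choosing the roles stays with the cluster admin; this reading is inferred from the wording, since the lookup code is not in the hunk. A line such as `// The label only lets the Operator find the role; it does not limit the permissions the role contains.` after each added sentence would cover it.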
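Review bot: The line added on `ServerTrustStoreConfigMapName` writes `Config Map`, while the first line of that comment and the `GitSelfSignedCert` comment right below use `ConfigMap`, and the two added sentences differ in form (`The Config Map must have …` against `Note, the … ConfigMap must have …`). This text is copied into the CRD descriptions in the YAML files of this patch, so correcting it here corrects every manifest on the next regeneration. Suggested wording for the first: `// The ConfigMap must have the app.kubernetes.io/part-of=che.eclipse.org label.`, and the same sentence without the leading `Note,` for `GitSelfSignedCert`.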
@@ -296,6 +301,7 @@ type CheClusterSpecServer struct { // +optional ProxyPassword string `json:"proxyPassword,omitempty"` // The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and `proxyPassword` are ignored. + // The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional ProxySecret string `json:"proxySecret,omitempty"` // Overrides the memory request used in the Che server deployment. Defaults to 512Mi. @@ -369,6 +375,7 @@ type CheClusterSpecDB struct { // 1. `chePostgresUser` and `chePostgresPassword` are defined, then they will be used to connect to the DB. // 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` // will be created with default value of `pgche` for `user` and with an auto-generated value for `password`. + // The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional ChePostgresSecret string `json:"chePostgresSecret,omitempty"` // Overrides the container image used in the PostgreSQL database deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator. @@ -422,6 +429,7 @@ type CheClusterSpecAuth struct { // 1. `identityProviderAdminUserName` and `identityProviderPassword` are defined, then they will be used. // 2. `identityProviderAdminUserName` or `identityProviderPassword` are not defined, then a new secret with the name // `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for `password`. + // The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional IdentityProviderSecret string `json:"identityProviderSecret,omitempty"` // Name of a Identity provider, Keycloak or RH-SSO, realm that is used for Che. 
@@ -443,6 +451,7 @@ type CheClusterSpecAuth struct { // When the secret is defined, the `identityProviderPostgresPassword` is ignored. When the value is omitted or left blank, the one of following scenarios applies: // 1. `identityProviderPostgresPassword` is defined, then it will be used to connect to the database. // 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created with an auto-generated value for `password`. + // The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. // +optional IdentityProviderPostgresSecret string `json:"identityProviderPostgresSecret,omitempty"` // Forces the default `admin` Che user to update password on first login. Defaults to `false`. diff --git a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml index 1e8b80f89..7181396e8 100644 --- a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml @@ -126,7 +126,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-openshift.v7.40.0-373.next + name: eclipse-che-preview-openshift.v7.40.0-374.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1175,7 +1175,7 @@ spec: resources: limits: cpu: 500m - memory: 5Gi + memory: 256Mi requests: cpu: 100m memory: 64Mi @@ -1427,4 +1427,4 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.40.0-373.next + version: 7.40.0-374.next 
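Review bot: The operator container's memory limit drops from `5Gi` to `256Mi` in the `resources.limits` hunk of this ClusterServiceVersion, and nothing visible in the patch records what the new ceiling was measured against. This is the all-namespaces bundle, and a container that exceeds its limit is OOM-killed, so reconciliation stops until it restarts. The label requirement added in `api/v1/checluster_types.go` suggests the operator now keeps only labelled objects in memory, but that code is not shown here. A comment next to the value in `config/manager/manager.yaml` (listed in the diffstat and presumably the source of this generated manifest), for example `# 256Mi assumes the operator only caches objects labelled app.kubernetes.io/part-of=che.eclipse.org`, would keep the assumption visible. The same limit change appears in the two `bundle/next/` ClusterServiceVersion files.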
diff --git a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml index 36eef0be8..48f9f8485 100644 --- a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml +++ b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml @@ -174,7 +174,9 @@ spec: is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` - will be created with an auto-generated value for `password`.' + will be created with an auto-generated value for `password`. + The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderRealm: description: Name of a Identity provider, Keycloak or RH-SSO, @@ -215,7 +217,8 @@ spec: or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated - value for `password`.' + value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderURL: description: Public URL of the Identity Provider server (Keycloak @@ -328,7 +331,8 @@ spec: to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and - with an auto-generated value for `password`.' + with an auto-generated value for `password`. The secret must + have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string chePostgresUser: description: PostgreSQL user that the Che server uses to connect 
@@ -513,9 +517,9 @@ spec: type: boolean cheClusterRoles: description: A comma-separated list of ClusterRoles that will - be assigned to Che ServiceAccount. Be aware that the Che Operator - has to already have all permissions in these ClusterRoles - to grant them. + be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. Be aware that the Che Operator has to already have + all permissions in these ClusterRoles to grant them. type: string cheDebug: description: Enables the debug mode for Che server. Defaults @@ -536,7 +540,8 @@ spec: cheHostTLSSecret: description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed - Che server. See the `cheHost` field. + Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. See the `cheHost` field. type: string cheImage: description: Overrides the container image used in Che deployment. @@ -598,8 +603,8 @@ spec: type: object cheWorkspaceClusterRole: description: Custom cluster role bound to the user for the Che - workspaces. The default roles are used when omitted or left - blank. + workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. The default roles are used when omitted or left blank. type: string customCheProperties: additionalProperties: @@ -783,7 +788,9 @@ spec: gitSelfSignedCert: description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide - particular configuration for Git. + particular configuration for Git. Note, the `che-git-self-signed-cert` + ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: boolean nonProxyHosts: description: 'List of hosts that will be reached directly, bypassing 
@@ -882,7 +889,8 @@ spec: proxySecret: description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` - and `proxyPassword` are ignored. + and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string proxyURL: description: URL (protocol+host name) of the proxy server. This @@ -942,7 +950,8 @@ spec: required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This - is disabled by default. + is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string singleHostGatewayConfigMapLabels: additionalProperties: diff --git a/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml index 334f1391d..9a1a2db74 100644 --- a/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml @@ -133,7 +133,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-kubernetes.v7.40.0-334.next + name: eclipse-che-preview-kubernetes.v7.40.0-335.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1164,7 +1164,7 @@ spec: resources: limits: cpu: 500m - memory: 5Gi + memory: 256Mi requests: cpu: 100m memory: 64Mi @@ -1394,4 +1394,4 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.40.0-334.next + version: 7.40.0-335.next 
diff --git a/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml b/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
index 6a488ebaa..8bedb5c44 100644
--- a/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
+++ b/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
@@ -115,7 +115,7 @@ spec: description: Password for a Identity Provider, Keycloak or RH-SSO, to connect to the database. Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. When omitted or left blank, it is set to an auto-generated password. type: string identityProviderPostgresSecret: - description: 'The secret that contains `password` for the Identity Provider, Keycloak or RH-SSO, to connect to the database. When the secret is defined, the `identityProviderPostgresPassword` is ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `identityProviderPostgresPassword` is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created with an auto-generated value for `password`.' + description: 'The secret that contains `password` for the Identity Provider, Keycloak or RH-SSO, to connect to the database. When the secret is defined, the `identityProviderPostgresPassword` is ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `identityProviderPostgresPassword` is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string identityProviderRealm: description: Name of a Identity provider, Keycloak or RH-SSO, realm that is used for Che. Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. When omitted or left blank, it is set to the value of the `flavour` field. 
@@ -136,7 +136,7 @@ spec: type: string type: object identityProviderSecret: - description: 'The secret that contains `user` and `password` for Identity Provider. When the secret is defined, the `identityProviderAdminUserName` and `identityProviderPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `identityProviderAdminUserName` and `identityProviderPassword` are defined, then they will be used. 2. `identityProviderAdminUserName` or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for `password`.' + description: 'The secret that contains `user` and `password` for Identity Provider. When the secret is defined, the `identityProviderAdminUserName` and `identityProviderPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `identityProviderAdminUserName` and `identityProviderPassword` are defined, then they will be used. 2. `identityProviderAdminUserName` or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string identityProviderURL: description: Public URL of the Identity Provider server (Keycloak / RH-SSO server). Set this ONLY when a use of an external Identity Provider is needed. See the `externalIdentityProvider` field. By default, this will be automatically calculated and set by the Operator. 
@@ -200,7 +200,7 @@ spec: description: PostgreSQL Database port that the Che server uses to connect to. Defaults to 5432. Override this value ONLY when using an external database. See field `externalDb`. In the default case it will be automatically set by the Operator. type: string chePostgresSecret: - description: 'The secret that contains PostgreSQL`user` and `password` that the Che server uses to connect to the DB. When the secret is defined, the `chePostgresUser` and `chePostgresPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `chePostgresUser` and `chePostgresPassword` are defined, then they will be used to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and with an auto-generated value for `password`.' + description: 'The secret that contains PostgreSQL`user` and `password` that the Che server uses to connect to the DB. When the secret is defined, the `chePostgresUser` and `chePostgresPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies: 1. `chePostgresUser` and `chePostgresPassword` are defined, then they will be used to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string chePostgresUser: description: PostgreSQL user that the Che server uses to connect to the DB. Defaults to `pgche`. 
@@ -314,7 +314,7 @@ spec: description: Deprecated. The value of this flag is ignored. Defines that a user is allowed to specify a Kubernetes namespace, or an OpenShift project, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property. type: boolean cheClusterRoles: - description: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. + description: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` label. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them. type: string cheDebug: description: Enables the debug mode for Che server. Defaults to `false`. @@ -326,7 +326,7 @@ spec: description: Public host name of the installed Che server. When value is omitted, the value it will be automatically set by the Operator. See the `cheHostTLSSecret` field. type: string cheHostTLSSecret: - description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. See the `cheHost` field. + description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. See the `cheHost` field. type: string cheImage: description: Overrides the container image used in Che deployment. This does NOT include the container image tag. Omit it or leave it empty to use the default container image provided by the Operator. 
@@ -368,7 +368,7 @@ spec: type: string type: object cheWorkspaceClusterRole: - description: Custom cluster role bound to the user for the Che workspaces. The default roles are used when omitted or left blank. + description: Custom cluster role bound to the user for the Che workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org` label. The default roles are used when omitted or left blank. type: string customCheProperties: additionalProperties: @@ -488,7 +488,7 @@ spec: description: Instructs the Operator on whether to deploy a dedicated plugin registry server. By default, a dedicated plugin registry server is started. When `externalPluginRegistry` is `true`, no such dedicated server will be started by the Operator and you will have to manually set the `pluginRegistryUrl` field. type: boolean gitSelfSignedCert: - description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git. + description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git. Note, the `che-git-self-signed-cert` ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` label. type: boolean nonProxyHosts: description: 'List of hosts that will be reached directly, bypassing the proxy. Specify wild card domain use the following form `.` and `|` as delimiter, for example: `localhost|.my.host.com|123.42.12.32` Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration and no additional configuration is required, but defining `nonProxyHosts` in a custom resource leads to merging non proxy hosts lists from the cluster proxy configuration and ones defined in the custom resources. See the doc https://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyURL` fields.' 
@@ -548,7 +548,7 @@ spec: description: Port of the proxy server. Only use when configuring a proxy is required. See also the `proxyURL` and `nonProxyHosts` fields. type: string proxySecret: - description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and `proxyPassword` are ignored. + description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. type: string proxyURL: description: URL (protocol+host name) of the proxy server. This drives the appropriate changes in the `JAVA_OPTS` and `https(s)_proxy` variables in the Che server and workspaces containers. Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration and no additional configuration is required, but defining `proxyUrl` in a custom resource leads to overrides the cluster proxy configuration with fields `proxyUrl`, `proxyPort`, `proxyUser` and `proxyPassword` from the custom resource. See the doc https://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyPort` and `nonProxyHosts` fields. 
@@ -575,7 +575,7 @@ spec: description: Overrides the memory request used in the Che server deployment. Defaults to 512Mi. type: string serverTrustStoreConfigMapName: - description: Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. + description: Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` label. type: string singleHostGatewayConfigMapLabels: additionalProperties: diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml index 342f730ef..d0afb7ec1 100644 --- a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml @@ -126,7 +126,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che-preview-openshift.v7.40.0-341.next + name: eclipse-che-preview-openshift.v7.40.0-342.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1175,7 +1175,7 @@ spec: resources: limits: cpu: 500m - memory: 5Gi + memory: 256Mi requests: cpu: 100m memory: 64Mi @@ -1427,4 +1427,4 @@ spec: maturity: stable provider: name: Eclipse Foundation - version: 7.40.0-341.next + version: 7.40.0-342.next 
diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml index 36eef0be8..48f9f8485 100644 --- a/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml +++ b/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml @@ -174,7 +174,9 @@ spec: is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` - will be created with an auto-generated value for `password`.' + will be created with an auto-generated value for `password`. + The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderRealm: description: Name of a Identity provider, Keycloak or RH-SSO, @@ -215,7 +217,8 @@ spec: or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated - value for `password`.' + value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderURL: description: Public URL of the Identity Provider server (Keycloak @@ -328,7 +331,8 @@ spec: to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and - with an auto-generated value for `password`.' + with an auto-generated value for `password`. The secret must + have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string chePostgresUser: description: PostgreSQL user that the Che server uses to connect 
@@ -513,9 +517,9 @@ spec: type: boolean cheClusterRoles: description: A comma-separated list of ClusterRoles that will - be assigned to Che ServiceAccount. Be aware that the Che Operator - has to already have all permissions in these ClusterRoles - to grant them. + be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. Be aware that the Che Operator has to already have + all permissions in these ClusterRoles to grant them. type: string cheDebug: description: Enables the debug mode for Che server. Defaults @@ -536,7 +540,8 @@ spec: cheHostTLSSecret: description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed - Che server. See the `cheHost` field. + Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. See the `cheHost` field. type: string cheImage: description: Overrides the container image used in Che deployment. @@ -598,8 +603,8 @@ spec: type: object cheWorkspaceClusterRole: description: Custom cluster role bound to the user for the Che - workspaces. The default roles are used when omitted or left - blank. + workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. The default roles are used when omitted or left blank. type: string customCheProperties: additionalProperties: @@ -783,7 +788,9 @@ spec: gitSelfSignedCert: description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide - particular configuration for Git. + particular configuration for Git. Note, the `che-git-self-signed-cert` + ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: boolean nonProxyHosts: description: 'List of hosts that will be reached directly, bypassing 
@@ -882,7 +889,8 @@ spec: proxySecret: description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` - and `proxyPassword` are ignored. + and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string proxyURL: description: URL (protocol+host name) of the proxy server. This @@ -942,7 +950,8 @@ spec: required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This - is disabled by default. + is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string singleHostGatewayConfigMapLabels: additionalProperties: diff --git a/config/crd/bases/org_v1_che_crd-v1beta1.yaml b/config/crd/bases/org_v1_che_crd-v1beta1.yaml index 4b830a174..cf9cac94d 100644 --- a/config/crd/bases/org_v1_che_crd-v1beta1.yaml +++ b/config/crd/bases/org_v1_che_crd-v1beta1.yaml @@ -168,7 +168,8 @@ spec: is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created - with an auto-generated value for `password`.' + with an auto-generated value for `password`. The secret must have + `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string identityProviderRealm: description: Name of a Identity provider, Keycloak or RH-SSO, realm @@ -208,7 +209,8 @@ spec: or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for - `password`.' + `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderURL: description: Public URL of the Identity Provider server (Keycloak 
@@ -320,7 +322,9 @@ spec: are defined, then they will be used to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value - of `pgche` for `user` and with an auto-generated value for `password`.' + of `pgche` for `user` and with an auto-generated value for `password`. + The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string chePostgresUser: description: PostgreSQL user that the Che server uses to connect @@ -496,9 +500,9 @@ spec: type: boolean cheClusterRoles: description: A comma-separated list of ClusterRoles that will be - assigned to Che ServiceAccount. Be aware that the Che Operator - has to already have all permissions in these ClusterRoles to grant - them. + assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. Be aware that the Che Operator has to already have all + permissions in these ClusterRoles to grant them. type: string cheDebug: description: Enables the debug mode for Che server. Defaults to @@ -518,7 +522,8 @@ spec: cheHostTLSSecret: description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che - server. See the `cheHost` field. + server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. See the `cheHost` field. type: string cheImage: description: Overrides the container image used in Che deployment. @@ -577,7 +582,8 @@ spec: type: object cheWorkspaceClusterRole: description: Custom cluster role bound to the user for the Che workspaces. - The default roles are used when omitted or left blank. + The role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. The default roles are used when omitted or left blank. type: string customCheProperties: additionalProperties: 
@@ -754,7 +760,9 @@ spec: gitSelfSignedCert: description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide - particular configuration for Git. + particular configuration for Git. Note, the `che-git-self-signed-cert` + ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: boolean nonProxyHosts: description: 'List of hosts that will be reached directly, bypassing @@ -849,7 +857,8 @@ spec: proxySecret: description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and - `proxyPassword` are ignored. + `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string proxyURL: description: URL (protocol+host name) of the proxy server. This @@ -908,6 +917,8 @@ spec: when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. + The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string singleHostGatewayConfigMapLabels: additionalProperties: diff --git a/config/crd/bases/org_v1_che_crd.yaml b/config/crd/bases/org_v1_che_crd.yaml index 10fbd2de9..4342ce58e 100644 --- a/config/crd/bases/org_v1_che_crd.yaml +++ b/config/crd/bases/org_v1_che_crd.yaml @@ -174,7 +174,9 @@ spec: is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` - will be created with an auto-generated value for `password`.' + will be created with an auto-generated value for `password`. + The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderRealm: description: Name of a Identity provider, Keycloak or RH-SSO, 
@@ -215,7 +217,8 @@ spec: or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated - value for `password`.' + value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label.' type: string identityProviderURL: description: Public URL of the Identity Provider server (Keycloak @@ -328,7 +331,8 @@ spec: to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and - with an auto-generated value for `password`.' + with an auto-generated value for `password`. The secret must + have `app.kubernetes.io/part-of=che.eclipse.org` label.' type: string chePostgresUser: description: PostgreSQL user that the Che server uses to connect @@ -513,9 +517,9 @@ spec: type: boolean cheClusterRoles: description: A comma-separated list of ClusterRoles that will - be assigned to Che ServiceAccount. Be aware that the Che Operator - has to already have all permissions in these ClusterRoles - to grant them. + be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. Be aware that the Che Operator has to already have + all permissions in these ClusterRoles to grant them. type: string cheDebug: description: Enables the debug mode for Che server. Defaults @@ -536,7 +540,8 @@ spec: cheHostTLSSecret: description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed - Che server. See the `cheHost` field. + Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. See the `cheHost` field. type: string cheImage: description: Overrides the container image used in Che deployment. 
@@ -598,8 +603,8 @@ spec: type: object cheWorkspaceClusterRole: description: Custom cluster role bound to the user for the Che - workspaces. The default roles are used when omitted or left - blank. + workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org` + label. The default roles are used when omitted or left blank. type: string customCheProperties: additionalProperties: @@ -783,7 +788,9 @@ spec: gitSelfSignedCert: description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide - particular configuration for Git. + particular configuration for Git. Note, the `che-git-self-signed-cert` + ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: boolean nonProxyHosts: description: 'List of hosts that will be reached directly, bypassing @@ -882,7 +889,8 @@ spec: proxySecret: description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` - and `proxyPassword` are ignored. + and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string proxyURL: description: URL (protocol+host name) of the proxy server. This @@ -942,7 +950,8 @@ spec: required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This - is disabled by default. + is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` + label. type: string singleHostGatewayConfigMapLabels: additionalProperties: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 92f880cbe..f3c2ff7e6 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -150,7 +150,7 @@ spec: resources: limits: cpu: 500m - memory: 5Gi + memory: 256Mi requests: cpu: 100m memory: 64Mi 
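Review bot: The new `memory: 256Mi` limit under `resources.limits` in config/manager/manager.yaml is roughly a twentieth of the 5Gi it replaces, and nothing in the manifest records what keeps the operator below it. The CRD descriptions changed in this same commit now require the `app.kubernetes.io/part-of=che.eclipse.org` label on referenced Secrets, ConfigMaps and roles, which suggests the operator only caches labelled objects, but that is inferred and not visible in this hunk. If that is the reason, a comment above the limit would preserve it, e.g. `# 256Mi assumes the operator cache only holds objects labelled app.kubernetes.io/part-of=che.eclipse.org`. An OOM-killed operator stops reconciling, so the figure is worth confirming on a cluster with many Secrets and ConfigMaps, and the assumption should be revisited whenever a new watched kind is added without a label selector.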
diff --git a/pkg/deploy/migration/on-reconcile-one-time-migration.go b/pkg/deploy/migration/on-reconcile-one-time-migration.go index e20547a72..8176a276c 100644 --- a/pkg/deploy/migration/on-reconcile-one-time-migration.go +++ b/pkg/deploy/migration/on-reconcile-one-time-migration.go @@ -87,7 +87,6 @@ func (m *Migrator) migrate(ctx *deploy.DeployContext) (bool, error) { // - spec.database.chePostgresSecret // - spec.auth.identityProviderSecret // - spec.auth.identityProviderPostgresSecret -// - spec.auth.oAuthSecret // - spec.k8s.tlsSecretName // Note, most of the objects above are autogenerated and do not require any migration, // but to handle the case when some were created manually or operator updated, the check is done here.