K8s multiuser helm (#8973)

Signed-off-by: Guy Daich <guy.daich@sap.com>
2018-03-08 11:36:32 +02:00 · 2018-03-08 11:36:32 +02:00 · 8c7ebc6751
parent 8e8cdc5265
commit 8c7ebc6751
34 changed files with 701 additions and 33 deletions
--- a/dockerfiles/init/modules/che-kubernetes-helm/Chart.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/Chart.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 description: A Helm chart for deploying Che to Kubernetes
 name: che-kubernetes-helm
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/.helmignore
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/.helmignore
@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/Chart.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/Chart.yaml
@ -0,0 +1,11 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+description: A Helm chart for Keycloak, used by Che
+name: che-keycloak
+version: 1.0.0
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/deployment.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/deployment.yaml
@ -0,0 +1,90 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: keycloak
+  name: keycloak
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        io.kompose.service: keycloak
+    spec:
+      initContainers:
+      - name: wait-for-postgres
+        image: alpine:3.5
+        command: ["sh", "-c", "apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      containers:
+      - env:
+        - name: POSTGRES_PORT_5432_TCP_ADDR
+          value: postgres
+        - name: POSTGRES_PORT_5432_TCP_PORT
+          value: "5432"
+        - name: POSTGRES_DATABASE
+          value: keycloak
+        - name: POSTGRES_USER
+          value: keycloak
+        - name: POSTGRES_PASSWORD
+          value: keycloak
+        - name: KEYCLOAK_USER
+          value: admin
+        - name: KEYCLOAK_PASSWORD
+          value: admin
+        - name: CHE_HOST
+          value: {{ template "cheHost" . }}
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        name: keycloak
+        livenessProbe:
+          failureThreshold: 11
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          tcpSocket:
+            port: 8080
+          timeoutSeconds: 30
+        readinessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: auth/js/keycloak.js
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 3
+          successThreshold: 1
+          timeoutSeconds: 1
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            memory: 1536Mi
+          requests:
+            memory: 1024Mi
+        volumeMounts:
+        - mountPath: /opt/jboss/keycloak/standalone/data
+          name: keycloak-data
+        - mountPath: /opt/jboss/keycloak/standalone/log
+          name: keycloak-log
+      restartPolicy: Always
+      volumes:
+      - name: keycloak-data
+        persistentVolumeClaim:
+          claimName: keycloak-data
+      - name: keycloak-log
+        persistentVolumeClaim:
+          claimName: keycloak-log
+  test: false
+status: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/ingress.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/ingress.yaml
@ -0,0 +1,42 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: keycloak-ingress
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
+{{- if .Values.global.tlsEnabled }}
+    kubernetes.io/tls-acme: "true"
+{{- else }}
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+spec:
+{{- if .Values.global.tlsEnabled }}
+  tls:
+  - hosts:
+    - {{ template "keycloakHost" . }}
+    secretName: keycloak-tls
+{{- end }}
+  rules:
+{{- if .Values.global.isHostBased }}
+  - host: {{ template "keycloakHost" . }}
+    http:
+      paths:
+      - path: /
+{{- else }}
+  - http:
+      paths:
+      - path: /auth/
+{{- end }}
+        backend:
+          serviceName: keycloak
+          servicePort: 5050
+
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-configure-job.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-configure-job.yaml
@ -0,0 +1,42 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keycloak-configure-job
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: wait-for-keycloak
+        image: alpine:3.5
+        command: ["sh", "-c", "apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for keycloak to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/keycloak`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      containers:
+      - name: keycloak-configure-job
+        image: {{ .Values.image }}
+        command: ["/scripts/keycloak_config.sh"]
+        env:
+          - name: HTTP_PROTOCOL
+{{- if .Values.global.tlsEnabled }}
+            value: "https"
+{{- else }}
+            value: "http"
+{{- end }}
+          - name: KC_HOST
+            value:  {{ template "keycloakHost" . }}
+          - name: CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD
+            value: {{ .Values.requireAdminPasswordChange | quote }}
+          - name: CHE_HOST
+            value: {{ template "cheHost" . }}
+      restartPolicy: Never
+  backoffLimit: 4
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-data-claim.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-data-claim.yaml
@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: keycloak-data
+  name: keycloak-data
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+status: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-log-claim.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-log-claim.yaml
@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: keycloak-log
+  name: keycloak-log
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+status: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/service.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/service.yaml
@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: "keycloak"
+spec:
+  ports:
+  - name: "5050"
+    port: 5050
+    targetPort: 8080
+  selector:
+    io.kompose.service: keycloak
+status:
+  loadBalancer: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/values.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/values.yaml
@ -0,0 +1,13 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+# Default values for postgres.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image: eclipse/che-keycloak:nightly
+requireAdminPasswordChange: true
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/.helmignore
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/.helmignore
@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/Chart.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/Chart.yaml
@ -0,0 +1,11 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+description: A Helm chart for postgresql, used by Che and Keycloak
+name: che-postgres
+version: 1.0.0
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/deployment.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/deployment.yaml
@ -0,0 +1,72 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  creationTimestamp: null
+  labels:
+    io.kompose.service: postgres
+  name: postgres
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        io.kompose.service: postgres
+    spec:
+      containers:
+      - env:
+        - name: POSTGRESQL_USER
+          value: keycloak
+        - name: POSTGRESQL_PASSWORD
+          value: keycloak
+        - name: POSTGRESQL_DATABASE
+          value: keycloak
+        - name: "CHE_POSTGRES_USERNAME"
+          value: "pgche"
+        - name: "CHE_POSTGRES_PASSWORD"
+          value: "pgchepassword"
+        - name: "CHE_POSTGRES_DATABASE"
+          value: "dbche"
+        image: {{ .Values.image }}
+        securityContext:
+          runAsUser: 26
+        imagePullPolicy: Always
+        name: postgres
+        livenessProbe:
+          failureThreshold: 3
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: 5432
+          timeoutSeconds: 1
+        readinessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d $POSTGRESQL_DATABASE -c "SELECT 1"
+          failureThreshold: 10
+          initialDelaySeconds: 5
+          periodSeconds: 3
+          successThreshold: 1
+          timeoutSeconds: 1
+        ports:
+        - containerPort: 5432
+        resources: {}
+        volumeMounts:
+        - mountPath: /var/lib/pgsql/data
+          name: postgres-data
+      restartPolicy: Always
+      volumes:
+      - name: postgres-data
+        persistentVolumeClaim:
+          claimName: postgres-data
+  test: false
+status: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/postgres-data-claim.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/postgres-data-claim.yaml
@ -0,0 +1,21 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  creationTimestamp: null
+  labels:
+    io.kompose.service: postgres-data
+  name: postgres-data
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+status: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/service.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/service.yaml
@ -0,0 +1,23 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    io.kompose.service: postgres
+  name: postgres
+spec:
+  ports:
+  - name: "5432"
+    port: 5432
+    targetPort: 5432
+  selector:
+    io.kompose.service: postgres
+status:
+  loadBalancer: {}
--- a/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/values.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/values.yaml
@ -0,0 +1,11 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+# Default values for postgres.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image: eclipse/che-postgres:nightly
--- a/dockerfiles/init/modules/che-kubernetes-helm/readme.md
+++ b/dockerfiles/init/modules/che-kubernetes-helm/readme.md
@ -21,7 +21,7 @@ In case you're specifying a hostname, simply pass it as the value of the `cheDom

 If you must use an ip address (e.g. your corporate policy prevents you from using nip.io), you would also have to set `isHostBased` to `false`.

-### Perform the Actual Deployment
+### Deploying with Helm
 The context of the commands below is the directory in which this readme file resides

 - Override default values by changing the values.yaml file and then typing:
@ -32,8 +32,55 @@ The context of the commands below is the directory in which this readme file res
 - Or, you can override default values during installation, using the `--set` flag:

  ```bash
-  helm upgrade --install <my-che-installation> --namespace <my-che-namespace> --set cheDomain=<my-hostname> --set cheImage=<my-image> ./
+  helm upgrade --install <my-che-installation> --namespace <my-che-namespace> --set global.cheDomain=<my-hostname> --set cheImage=<my-image> ./
  ```
+
+#### Deployment types
+Currenty, only minikube deployment is supported.
+
+##### Single User 
+Only Che will be deployed.
+
+  ```bash
+  helm upgrade --install <che-release> --namespace <che-namespace> --set global.cheDomain=<domain> ./
+  ```
+  
+##### Multi User 
+Che, KeyCloak and Postgres will be deployed.
+
+  ```bash
+  helm upgrade --install <che-release> --namespace <che-namespace> --set global.multiuser=true --set global.cheDomain=<domain> ./
+  ```
+  
+##### No Host:
+ Ingress will serve requests on minikube-ip. 
+ Path based routing to Che, Secondary servers (KeyCloak) and Workspace servers.
+
+  ```bash
+  helm upgrade --install <che-release> --namespace <che-namespace> --set global.isHostbased=false --set global.cheDomain=<minikube-ip> ./
+   Master: http://<minikube-ip>/
+   Workspaces: http://<minikube-ip>/<path-to-server>
+   Keycloak (if multiuser) : http://<minikube-ip>/auth/
+  ```
+  
+##### Host (partial): 
+ WS Master Ingress will serve requests on provided domain
+ Workspaces: Ingress will serve requests on minikube-ip, Path Based routing to workspaces. 
+ KeyCloak : dedicated hostname 
+   
+   ```bash
+   helm upgrade --install <che-release> --namespace <che-namespace> --set global.cheDomain=<minikube-ip>.xip.io ./
+   Master: http://master.<minikube-ip>.xip.io
+   Workspaces: http://<minikube-ip>/<path-to-server>
+   Keycloak (if multiuser): http://keycloak.<minikube-ip>.xip.io/
+   ```
+ 
+
+##### Future options:
+- Path Based: single hostname for all components (che, keycloak, WS servers) 
+- Host Based: unique host for each component
+- TLS
+  
 ## Deleting a Deployment
 You can delete a deployment using the following command:
 ``` bash
--- a/dockerfiles/init/modules/che-kubernetes-helm/requirements.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/requirements.yaml
@ -0,0 +1,16 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+dependencies:
+  - name: che-postgres
+    repository: file://./charts/che-postgres/
+    version: 1.0.0
+    condition: global.multiuser
+  - name: che-keycloak
+    repository: file://./charts/che-keycloak/
+    version: 1.0.0
+    condition: global.multiuser
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/_hostHelper.tpl
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/_hostHelper.tpl
@ -1,7 +1,7 @@
 {{- define "cheHost" }}
-{{- if .Values.isHostBased }}
-{{- printf "master.%s" .Values.cheDomain }}
+{{- if .Values.global.isHostBased }}
+{{- printf "master.%s" .Values.global.cheDomain }}
 {{- else }}
-{{- printf "%s" .Values.cheDomain }}
+{{- printf "%s" .Values.global.cheDomain }}
 {{- end }}
 {{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakAuthUrlHelper.tpl
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakAuthUrlHelper.tpl
@ -0,0 +1,15 @@
+{{- define "keycloakAuthUrl" }}
+{{- if .Values.global.isHostBased }}
+{{- if .Values.global.tlsEnabled }}
+{{- printf "https://keycloak.%s/auth" .Values.global.cheDomain }}
+{{- else }}
+{{- printf "http://keycloak.%s/auth" .Values.global.cheDomain }}
+{{- end }}
+{{- else }}
+{{- if .Values.global.tlsEnabled }}
+{{- printf "https://%s/auth" .Values.global.cheDomain }}
+{{- else }}
+{{- printf "http://%s/auth" .Values.global.cheDomain }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakHostHelper.tpl
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakHostHelper.tpl
@ -0,0 +1,7 @@
+{{- define "keycloakHost" }}
+{{- if .Values.global.isHostBased }}
+{{- printf "keycloak.%s" .Values.global.cheDomain }}
+{{- else }}
+{{- printf "%s" .Values.global.cheDomain }}
+{{- end }}
+{{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/cert-issuer.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/cert-issuer.yaml
@ -1,4 +1,11 @@
-{{- if .Values.tlsEnabled }}
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+{{- if .Values.global.tlsEnabled }}
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Issuer
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/certificate.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/certificate.yaml
@ -1,4 +1,11 @@
-{{- if .Values.tlsEnabled }}
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+{{- if .Values.global.tlsEnabled }}
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
@ -7,13 +14,13 @@ spec:
  secretName: che-tls
  issuerRef:
    name: letsencrypt
-  commonName: {{ .Values.cheDomain }}
+  commonName: {{ .Values.global.cheDomain }}
  dnsNames:
-      - {{ .Values.cheDomain }}
+      - {{ .Values.global.cheDomain }}
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
-      - {{ .Values.cheDomain }}
+      - {{ .Values.global.cheDomain }}
 {{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/cluster-role-binding.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/cluster-role-binding.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/configmap.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/configmap.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -5,10 +12,10 @@ metadata:
    app: che
  name: che
 data:
-  CHE_DOMAIN: {{ .Values.cheDomain }}
+  CHE_DOMAIN: {{ .Values.global.cheDomain }}
  CHE_HOST: {{ template "cheHost" . }}
  CHE_PORT: "8080"
-{{- if .Values.tlsEnabled }}
+{{- if .Values.global.tlsEnabled }}
  CHE_API: https://{{ template "cheHost" . }}/api
  CHE_WEBSOCKET_ENDPOINT:  wss://{{ template "cheHost" . }}/api/websocket
  CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: https://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
@ -24,6 +31,11 @@ data:
  CHE_INFRA_KUBERNETES_OAUTH__TOKEN: ""
  CHE_INFRA_KUBERNETES_PASSWORD: ""
  CHE_INFRA_KUBERNETES_USERNAME: ""
+{{- if .Values.global.multiuser }}
+  CHE_KEYCLOAK_AUTH__SERVER__URL: {{ template "keycloakAuthUrl" . }}
+  CHE_KEYCLOAK_CLIENT__ID: {{ .Values.cheKeycloakClientId }}
+  CHE_KEYCLOAK_REALM: {{ .Values.cheKeycloakRealm }}
+{{- end }}
  CHE_INFRA_KUBERNETES_NAMESPACE: ""
  CHE_INFRA_KUBERNETES_TRUST__CERTS: "false"
  CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
@ -33,14 +45,14 @@ data:
  CHE_LOCAL_CONF_DIR: /etc/conf
  CHE_LOGS_DIR: /data/logs
  CHE_LOG_LEVEL: "INFO"
-  CHE_MULTIUSER: "false"
+  CHE_MULTIUSER: {{ .Values.global.multiuser | quote }}
  CHE_OAUTH_GITHUB_CLIENTID: ""
  CHE_OAUTH_GITHUB_CLIENTSECRET: ""
  CHE_PREDEFINED_STACKS_RELOAD__ON__START: "false"
  JAVA_OPTS: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms20m "
  CHE_WORKSPACE_AUTO_START: "false"
-{{- if .Values.tlsEnabled }}
-  CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"nginx.ingress.kubernetes.io/rewrite-target": "/","nginx.ingress.kubernetes.io/ssl-redirect": "true","kubernetes.io/tls-acme": "true","nginx.ingress.kubernetes.io/proxy-connect-timeout": "3600","nginx.ingress.kubernetes.io/proxy-read-timeout": "3600"}'
+{{- if .Values.global.tlsEnabled }}
+  CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"kubernetes.io/ingress.class": "nginx", "kubernetes.io/tls-acme": "true", "{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/rewrite-target": "/","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect": "true","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout": "3600","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout": "3600"}'
 {{- else }}
-  CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"nginx.ingress.kubernetes.io/rewrite-target": "/","nginx.ingress.kubernetes.io/ssl-redirect": "false","nginx.ingress.kubernetes.io/proxy-connect-timeout": "3600","nginx.ingress.kubernetes.io/proxy-read-timeout": "3600"}'
+  CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"kubernetes.io/ingress.class": "nginx", "{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/rewrite-target": "/","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect": "false","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout": "3600","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout": "3600"}'
 {{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/deployment.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/deployment.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -14,11 +21,27 @@ spec:
    type: Recreate
  template:
    metadata:
-      annotations:
-        pod.alpha.kubernetes.io/init-containers: '[{"image":"busybox","imagePullPolicy":"IfNotPresent","name":"fmp-volume-permission","command":["chmod","777","/data"],"volumeMounts":[{"mountPath":"/data","name":"che-data-volume"}]}]'
      labels:
        app: che
    spec:
+      initContainers:
+{{- if .Values.global.multiuser }}
+      - name: wait-for-postgres
+        image: alpine:3.5
+        command: ["sh", "-c", "apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+{{- end }}
+      - name: fmp-volume-permission
+        image: busybox
+        command: ["chmod", "777", "/data"]
+        volumeMounts: [{
+              "mountPath": "/data",
+              "name": "che-data-volume"
+        }]
      containers:
      - env:
        - name: CHE_DOMAIN
@ -116,6 +139,23 @@ spec:
            configMapKeyRef:
              key: CHE_INFRA_KUBERNETES_USERNAME
              name: che
+{{- if .Values.global.multiuser }}
+        - name: CHE_KEYCLOAK_AUTH__SERVER__URL
+          valueFrom:
+            configMapKeyRef:
+              key: CHE_KEYCLOAK_AUTH__SERVER__URL
+              name: che
+        - name: CHE_KEYCLOAK_CLIENT__ID
+          valueFrom:
+            configMapKeyRef:
+              key: CHE_KEYCLOAK_CLIENT__ID
+              name: che
+        - name: CHE_KEYCLOAK_REALM
+          valueFrom:
+            configMapKeyRef:
+              key: CHE_KEYCLOAK_REALM
+              name: che
+{{- end }}
        - name: CHE_INFRA_KUBERNETES_NAMESPACE
          valueFrom:
            configMapKeyRef:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/ingress.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/ingress.yaml
@ -1,31 +1,39 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: che-ingress
  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "nginx"
-{{- if .Values.tlsEnabled }}
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
+{{- if .Values.global.tlsEnabled }}
    kubernetes.io/tls-acme: "true"
 {{- else }}
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect: "false"
 {{- end }}
-    ingress.kubernetes.io/proxy-read-timeout: "3600"
-    ingress.kubernetes.io/proxy-connect-timeout: "3600"
 spec:
-{{- if .Values.tlsEnabled }}
+{{- if .Values.global.tlsEnabled }}
  tls:
  - hosts:
    - {{ template "cheHost" . }}
    secretName: che-tls
 {{- end }}
  rules:
+{{- if .Values.global.isHostBased }}
+  - host: {{ template "cheHost" . }}
+    http:
+{{- else }}
  - http:
+{{- end }}
      paths:
-      - backend:
+      - path: /
+        backend:
          serviceName: che-host
          servicePort: 8080
-        path: /
-{{- if .Values.isHostBased }}
-    host: {{ template "cheHost" . }}
-{{- end }}
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/pvc.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/pvc.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/registry-pull-secret.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/registry-pull-secret.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 {{- if .Values.registry }}
 {{- if and .Values.registry.password .Values.registry.username }}
 # When creating a pod based on an image that resides in a private Docker registry (a secure registry protected by basic authentication),
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/service.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/service.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 kind: Service
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/serviceaccount.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/serviceaccount.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/templates/staging-cert-issuer.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/templates/staging-cert-issuer.yaml
@ -1,4 +1,11 @@
-# {{- if .Values.tlsEnabled }}
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+# {{- if .Values.global.tlsEnabled }}
 # apiVersion: certmanager.k8s.io/v1alpha1
 # kind: Issuer
 # metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/tiller-rbac.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/tiller-rbac.yaml
@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
--- a/dockerfiles/init/modules/che-kubernetes-helm/values.yaml
+++ b/dockerfiles/init/modules/che-kubernetes-helm/values.yaml
@ -1,12 +1,27 @@
-cheDomain: 192.168.99.100.nip.io
-isHostBased: true
-tlsEnabled: false
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#

 # the following section is for secure registries. when uncommented, a pull secret will be created
 #registry:
 #  host: my-secure-private-registry.com
+#  host: my-secure-private-registry.com
 #  username: myUser
 #  password: myPass

 cheImage: eclipse/che-server:nightly
 cheImagePullPolicy: Always
+
+cheKeycloakClientId: "che-public"
+cheKeycloakRealm: "che"
+
+global:
+  tlsEnabled: false
+  multiuser: false
+  isHostBased: true
+  cheDomain: 192.168.99.100.nip.io
+  # See --annotations-prefix flag (https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md)
+  ingressAnnotationsPrefix: "nginx."