* Allow workspace pods to list Kubernetes services by default
* Update workspace-view-role.yaml to allow listing of Kubernetes services
* Allow sidecar containers to list services on OpenShift
* Add services resource to workspace-view role for OpenShift
Signed-off-by: John Collier <John.J.Collier@ibm.com>
* Create view role rather than rely on view clusterRole
* Create view role for k8s. Fix typo
* Typo and Java doc sync
* Add namespaced role to k8s and openshift templates. Role instead ClusterRole for k8s
* Rename view role to workspace-view
* Fix formatting
* Fix javadoc. Revert erroneous changes to postgres template
* Remove hidden Dockerfile
* Revert pg changes
* Introduced two web-socket endpoints for workspace master to split JSON-RPC messages
Based on Dmytro's Kulieshov work https://github.com/eclipse/che/pull/12252
Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
When using an existing Keycloak instance, it may be necessary to specify a particular realm or client.
This allows them to be specified at install time via parameters.
Signed-off-by: David Martin <david.martin@redhat.com>
The property CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS is required
for PVC cleanup on current versions of Kubernetes/OpenShift.
Without the property enabled, subpaths are created in PVCs by Kubernetes
when they are needed for pods. However, only the leaf directory created
in this way has write permissions for nonroot users. As a result, the
cleanup pod cannot delete directories created in this way (e.g. the
workspaceX/projects directory).
For more details, see https://github.com/eclipse/che/issues/12445
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
* Adds prometheus and grafana to the deployment
moves che's custom charts into "custom-charts" directory so that they don't
interfere with helm which uses the "charts" directory to download and use
all the other remote dependencies.
Signed-off-by: Lukas Krejci <lkrejci@redhat.com>
* Deploy our own ingress for prometheus and grafana so that we can have
templatized names of the same format as the name of the deployment.
Also removed the hardcoded time interval in the sample dashboard so that
it uses the default of "last 6 hrs".
Signed-off-by: Lukas Krejci <lkrejci@redhat.com>
* New lines at the end of the files and whitespace removal.
Remove readiness/liveness probes from Che deployment when debug is
enabled.
This allows debugging Che master for a long period of time without the
Che container being killed because of unresponsive probes.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Latest versions of minishift ignore Che master docker image that
was built locally inside the VM.
Removing docker.io from the image name works around the issue.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
- Make Resource memory request configurable for k8s and OpenShift.
- Add alias for backwards compatibility to che.workspace.default_memory_limit_mb.
- set memory request to 512Mb.
- document CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB in che.env.
- Configure helm scripts to allow memory attributes on deployment.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
* Move wsnext flow in Kubernetes infra implementation
Now we need to start a broker and pass meta.yaml files to it.
Starting a broker is infra-specific stuff, so it has to be done
on the infra implementation side because we don't have a part
in the infra SPI that would allow us to start a broker.
Passing Meta files using InternalEnvironment object is more
invasive than passing only attributes. So, this commit applies a
less invasive scheme.
* CHE-10202,10561: Add fetching of Che editor, plugins meta from the registry
Add fetching of Che editor ID from workspace attributes.
Add fetching of Che plugins IDs from workspace attributes.
Use colon sign for separating editor/plugin ID and version
instead of the slash.
Remove old Workspace.Next model objects.
* CHE-10561: Share WS.NEXT between k8s and OS infras
Use WS.NEXT in both k8s and OS infrastructure implementations.
* CHE-10561: fix fetching meta.yaml files from che-plugin-registry
* CHE-10561: Fix sidecar model serialization
Fixes the fact that some fields in workspace sidecar tooling model
POJOs were incorrectly named or required custom serialization of
fields.
* CHE-10561: Add listening of che-plugin-broker
Add code that allows listening for events from Che plugin broker.
An event might contain workspace tooling config as a result if the broker
finished successfully or error otherwise.
* CHE-10561: Add PluginBrokerManager to control broker lifecycle
Adds PluginBrokerManager that configures/starts/waits for the Che plugin
broker.
Remove unused code.
Remove notion of Workspace next.
* Align plugin registry property between different components
* Fix extra path in che plugin registry URL
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Added ability to deploy che plugin registry with ocp.sh: ./ocp.sh --deploy-che --deploy-che-plugin-registry
Add environment variable CHE_PLUGIN_REGISTRY_URL for che-master with a link to che plugin registry
- Added option to set CHE_LOGGER_CONFIG through
global.log.loggerConfig in values.yaml.
- Added option to set name of custom log appender
implementation through global.log.customAppenderName
in values.yaml.
- Added default value for appender name in values.yaml
- Added CHE_LOGGER_CONFIG to deployment container env
Signed-off-by: Ido Itzkovich <ido.itzkovich@gmail.com>
Removes properties
- che.infra.kubernetes.username : can change, requiring reconfiguration
- che.infra.kubernetes.password : can change, requiring reconfiguration
- che.infra.kubernetes.oauth_token : expires
as they complicate setup and all represent suboptimal running scenarios.
Use che serviceaccount instead.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
* Fix evaluation of OC version in ocp.sh script
* Add an ability to specify custom ocp tools dir
The motivation to do that is not to download the oc and jq
binaries each time after reboot, since the default folder is located in the tmp
folder.
Rework model of CheService and rename it to ChePlugin.
Replace features hosting with an Apache server to be able to host plugin files and avoid having model files for Go lang.
Host YAMLs instead of JSONs. Download and parse ChePlugin YAMLs instead of JSONs from the marketplace.
Improve unit test coverage.
Add support for Che Server protocol and path, so it is possible to run Classic GWT IDE in Workspace Next now.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Improve wsmaster OpenIdConnect configurability, and helm deployment scripts
- Make username claim configurable in cases
Oidc provider does not support the default claim (default is "preferred_user")
- Introduce fallback for username (issuer+subject) if the username claim is not present
in the token
- Extend helm scripts to take customOidcProvider and customOidcUsernameClaim
parameters into account when deploying che master.
- Introduce cheDedicatedKeycloak global param, conditioning if dedicated che
keycloak server should be deployed, and waited on by the master.
- default value for cheDedicatedKeycloak (if not defined) is true
if the cheDedicatedKeycloak parameter is defined and is false,
customOidcProvider must be supplied, when using multiuser mode.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
* Code review fixes
Remove the extra if condition in configmap.yaml
Remove extra line in requirements.yaml
fix typo in deployment.yaml
* Add che.keycloak.username_claim property as NULL into multiuser.properties
* Simplify helm conditions, when deploying che master with or without keycloak
if multiuser = true, and .Values.customOidcProvider was supplied, assumption is that
we work with no keycloak (no waiting in deployment)
global.cheDedicatedKeycloak is still needed as separate variable for requirements.yaml to determine whether keycloak chart should be installed
so for keycloak deployment, no parameters need to be passed beside global.multiuser=true,
for custom OIDC :
.Values.customOidcProvider=http://url, and global.cheDedicatedKeycloak=false
both need to be set
* Support identity provider token retrieval in both JSON or URL formats.
That's required because some identity providers (such as `openshift-v3`)
correctly return the token information in JSON, as expected. So
switching to the url-based syntax should only be used when the returned
json is invalid.
Signed-off-by: David Festal <dfestal@redhat.com>
* Introduce an `OpenShiftClientConfigFactory` to allow customizing the OpenShift config returned according to the current context (workspace ID, current user)
Signed-off-by: David Festal <dfestal@redhat.com>
* Openshift Infra + Multi-user => allow using OpenShift identity provider to connect to openshift with the OS oauth token of the current Che user.
This introduces a new property:
`che.infra.openshift.oauth_identity_provider`
Signed-off-by: David Festal <dfestal@redhat.com>
* Notify the user when a workspace cannot be started from the nav bar.
Signed-off-by: David Festal <dfestal@redhat.com>
* Add the ability to install the Openshift certificate into Keycloak
Signed-off-by: David Festal <dfestal@redhat.com>
* Add a yaml file to provide the openshift certificate as a secret,
in case it has to be installed into the dedicated Keycloak server.
Then the commands to install Che multiuser on Minishift with this
certificate are:
```
oc new-project che
oc process -f multi/openshift-certificate-secret.yaml -p CERTIFICATE="$(minishift ssh docker exec origin /bin/cat ./openshift.local.config/master/ca.crt)" | oc apply -f -; \
oc new-app -f multi/postgres-template.yaml; \
oc new-app -f multi/keycloak-template.yaml -p ROUTING_SUFFIX=$(minishift ip).nip.io; \
oc apply -f pvc/che-server-pvc.yaml; \
oc new-app -f che-server-template.yaml -p ROUTING_SUFFIX=$(minishift ip).nip.io -p CHE_MULTIUSER=true -p CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER=openshift-v3; \
oc set volume dc/che --add -m /data --name=che-data-volume --claim-name=che-data-volume
```
Of course it's still needed to register the `openshift-v3` identity
provider in the Keycloak server, as well as add the corresponding
`OAuthClient` object in Minishift.
Signed-off-by: David Festal <dfestal@redhat.com>
* Update OpenShift Origin version to 3.9
* Deploy script uses templates
* Pass args to deploy script
* Remove old scripts and yamls
* Add missing args to ocp.sh help and add help to deploy_che.sh
* Small fixes
* Remove mistakenly added file
* Remove mistakenly added file
* Remove -a in docker ps to get registry container
* Do not pass args but export envs in ocp.sh
* Messed envs a bit
* Delete test service that is used to compute routing suffix
* Remove unnecessary port from Keycloak route
* Fixes
* Fixes
* Typo
* Minor fixes
* Update OpenShift Origin version to 3.9
* Update grep to verify docker registry container is in running state
* Do not list exited containers when looking for Registry container ID
Set correct bindings of generics, fix generics;
Add missing properties in che.properties and kubectl deployment.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Use templates only to deploy Che to OpenShift
* Avoid breaking existing scripts
* Avoid breaking existing scripts
* Fixes
* Cleanup
* Cleanup
* Fixup
* New line and typos
* New line and typos
* Update dc/che. Env variables
* Remove creationtimestamp
* Template cleanup. Update README
* Fix DB URL env
* Add missing keycloak param
* Changes to ocp.sh to use new templates. Fix Keycloak template
* Env support
* Update server yaml. Update ocp.sh
* Configure CHE_IMAGE and CHE_TAG
* Add recycler
* Revert recycler sa
* Using credentials and creating ws in separate namespaces
* Use custom Keycloak image
* Use custom Keycloak image
* Remove use of credentials
Introduce an External Server Exposer Strategy,
responsible for exposing service ports associated with external servers,
making them accessible from outside the cluster.
Move server exposure to shared k8s infra level:
- multi-host: unique hostname for each component, like Che Openshift infrastructure.
- single-host: single hostname for all components. Can be used in conjunction with TLS.
- default-host: default ingress hostname. Can be used for local development without dynamic DNS (based on ingress IP).
Add basic TLS support.
Signed-off-by: Guy Daich <guy.daich@sap.com>
Move openshift/k8s deployment files from dockerfiles/init folder
to deploy folder with a better structure because they are not
related to init dockerfile.
Add readme files in each deployment target folder with links to
Che docs where the process of deployment is described.
Remove delivery of deployment files by init image which is
useless.
Remove empty docs files from the repo and init image.
Fix some minor typos and trailing spaces.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>