then, any /projects/* items will use that parent folder to store dependencies and avoid using the current folder
it will avoid any big I/O operations on the /projects folder
Change-Id: I9fee5963808607b93dcc592456845fb5a3d73e4a
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Currently in Che there are still a number of requirements in upstream that are not required by the OIDC specification, so that Che still cannot be used with a number of OIDC compliant providers.
For example, in order to have Che working with the [`node-oidc-provider`](https://github.com/panva/node-oidc-provider), the following changes were necessary:
- Remove the requirement to have the email as a claim in the JWT access token: this is not required by the specification and is not supported by a number of OIDC providers. Normally, the Id token contains such claims.
So now if the email is not in the JWT token the first time the user connects to Che, then the email is retrieved from the OIDC provider through its `user-profile` endpoint.
- Explicitly specify the `openid email profile` scope when requesting the access token, because OIDC providers, when answering to the `userInfo` endpoint, are expected to return claims that correspond to the scopes of the access token. So if an access token has the `openid` scope only, the `userinfo` might return no claim at all (according to the specification).
Until now it was working since Keycloak allows adding claims to the returned tokens anyway.
- Allow supporting fixed redirect URIs: most OIDC providers support having a list of redirect URIs to come back to after the authorization step. But these authorized URIs don't necessarily support wildcards or prefixes. Che doesn't support this currently, and these changes introduce 2 fixed callback HTML pages that redirect to the Dashboard / IDE URL of the final page we want to come back to after authentication. This makes Che compatible with more OIDC providers.
We introduced a new boolean property to enable / disable fixed redirect URLs:
`che.keycloak.use_fixed_redirect_urls`
whose default value is `false`
- The previous points required some light changes in the Keycloak JavaScript adapter file, that we will submit as a PR to the Keycloak project. In the meantime, the `OIDCKeycloak.js` file is still used, but has been updated to be now based on the `keycloak.js` file of the last `4.5.0-final` Keycloak release. This will make this Keycloak PR easier to get accepted.
Please keep in mind that this version upgrade only impacts the alternate OIDC provider case: when using a real Keycloak server, Che *always uses the `keycloak.js` file provided by the Keycloak server*.
Signed-off-by: David Festal <dfestal@redhat.com>
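The email fallback and scope requirement described in the commit message above, as an added example that is not code from Che or Keycloak. The names `resolveEmail`, `missingScopes`, `decodeClaims`, `makeToken` and the injected `fetchUserInfo` are hypothetical; it assumes the access token's signature, issuer and expiry were already verified and that the provider puts a space-separated `scope` claim in the token.

```javascript
// Added example; all helper names are hypothetical. Assumes the caller has
// already verified the token's signature, issuer and expiry.
const REQUIRED_SCOPES = ['openid', 'email', 'profile'];

// Decode the payload of an already-verified compact JWT (no verification here).
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Scopes missing from the token's space-separated `scope` claim (assumed present).
function missingScopes(claims) {
  const granted = new Set(String(claims.scope || '').split(/\s+/).filter(Boolean));
  return REQUIRED_SCOPES.filter((s) => !granted.has(s));
}

// Resolve the email: token claim first, then the provider's userinfo endpoint.
// `fetchUserInfo` is injected: (accessToken) => Promise<object of claims>.
async function resolveEmail(accessToken, fetchUserInfo) {
  const claims = decodeClaims(accessToken);
  if (typeof claims.email === 'string' && claims.email) {
    return { email: claims.email, source: 'token' };
  }
  // With only `openid` granted, userinfo may legitimately return no email.
  const missing = missingScopes(claims);
  if (missing.length) {
    throw new Error(`access token lacks scopes: ${missing.join(' ')}`);
  }
  const info = await fetchUserInfo(accessToken);
  // OIDC Core requires the userinfo `sub` to match the ID token's `sub`;
  // the same comparison is applied to the access token's `sub` here.
  if (!info || info.sub !== claims.sub) throw new Error('userinfo sub mismatch');
  if (typeof info.email !== 'string' || !info.email) {
    throw new Error('provider returned no email claim');
  }
  return { email: info.email, source: 'userinfo' };
}

// Constructed, unsigned sample token used only to exercise the code above.
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(payload)}.sig`;
}
```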
- allow to reuse caching of layers during the build phase (instead of having a big instruction)
- use copy from build image to the runtime image to have the smallest layers
Also drop supervisord
Change-Id: I70c81f1b48486751e507d0bf2171b6c33e541b06
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Use Verdaccio config to define max_body_size for request entity. It prevents the Theia image build from failing if an extension with a big size was applied.
Redirect Verdaccio logs to the file with the help of the config. We detach the Verdaccio process, so input from this application becomes mixed with the Theia image build output.
Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>
- Make Resource memory request configurable for k8s and OpenShift.
- Add alias for backwards compatibility to che.workspace.default_memory_limit_mb.
- Set memory request to 512Mb.
- document CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB in che.env.
- Configure helm scripts to allow memory attributes on deployment.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
- switch apk command to yum commands
Introduce usage of e and u flags in setup.sh (fail if there is one error in this script)
Change-Id: Iaf0b9b4d96209ccc60a62bacb9c36e0f618d6dc4
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Removes properties
- che.infra.kubernetes.username : can change, requiring reconfiguration
- che.infra.kubernetes.password : can change, requiring reconfiguration
- che.infra.kubernetes.oauth_token : expires
as they complicate setup and all represent suboptimal running scenarios.
Use che serviceaccount instead.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
- move all Dockerfile logic to separate setup file
- allow to apply patches on top of existing theia instance
- recompile all extensions to ensure they are compatible with current theia version
- Then we publish internally a new version on a local registry, and change dependency version on all extensions to make compliant with this version
- install globally typescript so typescript lsp is working
remaining 4 extensions not installed:
- https://github.com/eclipse/che-theia-github-plugin
- https://github.com/eclipse/che-theia-task-plugin
- https://github.com/eclipse/che-theia-java-plugin
- https://github.com/eclipse/che-theia-terminal-plugin (but terminal is not compliant for openshift)
Change-Id: Ic6ba219e35b0e83783dc37b28f05dd54f2864cf2
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Parse THEIA_PORT environment variable in Theia start.sh script
to prevent failure of Theia start on k8s when there is a k8s
service "theia" and k8s injects THEIA_PORT environment variable
with a value such as tcp://19.19.191.19:3000
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Generate cache with THEIA_VERSION, Generate resolutions to use Theia dependency with strict version.
* Optimize docker images size.
* Reuse Theia node_modules on default extensions build.
* Use extensions json to get list default extensions from github or file system.
Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>
also, if it is not provided but the rate limit is reached, it will exit asking user to provide GITHUB_TOKEN
Change-Id: I29c575124f73afce39fda5a3fe92e57de387223c
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>