Advanced configuration options for the Che server component

The following section describes advanced deployment and configuration methods for the Che server component.

Understanding Che server advanced configuration using the Operator

The following section describes the Che server component advanced configuration method for a deployment using the Operator.

Advanced configuration is necessary to:

Add environment variables not automatically generated by the Operator from the standard CheCluster Custom Resource fields.
Override the properties automatically generated by the Operator from the standard CheCluster Custom Resource fields.

The customCheProperties field, part of the CheCluster Custom Resource server settings, contains a map of additional environment variables to apply to the Che server component.

Example 1. Override the default memory limit for workspaces

Add the CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB property to customCheProperties:

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: <che>
spec:
  server:
    cheImageTag: ''
    devfileRegistryImage: ''
    pluginRegistryImage: ''
    tlsSupport: true
    selfSignedCert: false
    customCheProperties:
      CHE_WORKSPACE_DEFAULTMEMORYLIMIT__MB: "2048"
  auth:
# [...]

Previous versions of the Che Operator had a configMap named custom to fulfill this role. If the Che Operator finds a configMap with the name custom, it adds the data it contains into the customCheProperties field, redeploys Che, and deletes the custom configMap.

Additional resources

For the list of all parameters available in the CheCluster Custom Resource, see Configuring the Che installation.
For the list of all parameters available to configure customCheProperties, see Che server component system properties reference.

Understanding Che server advanced configuration not using the Operator

The following section describes Che server component advanced configuration method when the installation method is not using the Operator.

The user configures Che manually by modifying the configMap object.

Procedure

Proceed to the installation to generate the che configMap object.
Edit the che configMap template.
Apply manual changes to the custom configMap without downtime using the following kubectl command:
```
$ kubectl rollout restart deployment/che
```

Additional resources

Understanding configMaps

Che server component system properties reference

The following document describes all possible configuration properties of the Che server component.

Table 1. Che server
Environment Variable Name	Default value	Description
`CHE_DATABASE`	`${che.home}/storage`	Folder where Che will store internal data objects
`CHE_API`	`http://${CHE_HOST}:${CHE_PORT}/api`	API service. Browsers initiate REST communications to Che server with this URL
`CHE_WEBSOCKET_ENDPOINT`	`ws://${CHE_HOST}:${CHE_PORT}/api/websocket`	Che websocket major endpoint. Provides basic communication endpoint for major websocket interaction/messaging.
`CHE_WEBSOCKET_ENDPOINT__MINOR`	`ws://${CHE_HOST}:${CHE_PORT}/api/websocket-minor`	Che websocket minor endpoint. Provides basic communication endpoint for minor websocket interaction/messaging.
`CHE_WORKSPACE_STORAGE`	`${che.home}/workspaces`	Your projects are synchronized from the Che server into the machine running each workspace. This is the directory in the ws runtime where your projects are mounted.
`CHE_WORKSPACE_PROJECTS_STORAGE`	`/projects`	Your projects are synchronized from the Che server into the machine running each workspace. This is the directory in the machine where your projects are placed.
`CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE`	`1Gi`	Used when devfile Kubernetes/os type components requests project PVC creation (applied in case of unique and perWorkspace PVC strategy. In case of common PVC strategy, it will be rewritten with value of che.infra.kubernetes.pvc.quantity property)
`CHE_WORKSPACE_LOGS_ROOT__DIR`	`/workspace_logs`	Defines the directory inside the machine where all the workspace logs are placed. The value of this folder should be provided into machine e.g. like environment variable so agents developers can use this directory for backup agents logs.
`CHE_WORKSPACE_HTTP__PROXY`		Configures proxies used by runtimes powering workspaces
`CHE_WORKSPACE_HTTPS__PROXY`		Configuresproxies used by runtimes powering workspaces
`CHE_WORKSPACE_NO__PROXY`		Configuresproxiesused by runtimes powering workspaces
`CHE_TRUSTED__CA__BUNDLES__CONFIGMAP`	`NULL`	When cluster wide proxy is configured, che-operator creates special configmap and allows OpenShift Network operator to inject ca-bundle into it. In addition, it adds the key CHE_TRUSTEDCABUNDLES__CONFIGMAP with name of this configmap into Che server configmap (and corresponding ENV variable). So by its presence we can detect if proxy mode is enabled or not. This property is not supposed to be set manually unless that specifically required.
`CHE_WORKSPACE_AUTO__START`	`true`	By default, when users access to a workspace with its URL the workspace automatically starts if it is stopped. You can set this to false to disable this.
`CHE_WORKSPACE_POOL_TYPE`	`fixed`	Workspace threads pool configuration, this pool is used for workspace related operations that require asynchronous execution e.g. starting/stopping. Possible values are 'fixed', 'cached'
`CHE_WORKSPACE_POOL_EXACT__SIZE`	`30`	This property is ignored when pool type is different from 'fixed'. Configures the exact size of the pool, if it’s set multiplier property is ignored. If this property is not set(0, < 0, NULL) then pool sized to number of cores, it can be modified within multiplier
`CHE_WORKSPACE_POOL_CORES__MULTIPLIER`	`2`	This property is ignored when pool type is different from 'fixed' or exact pool size is set. If it’s set the pool size will be N_CORES * multiplier
`CHE_WORKSPACE_PROBE__POOL__SIZE`	`10`	This property specifies how much threads to use for workspaces servers liveness probes
`CHE_WORKSPACE_HTTP__PROXY__JAVA__OPTIONS`	`NULL`	Http proxy setting for workspace JVM
`CHE_WORKSPACE_JAVA__OPTIONS`	`-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom`	Java command line options to be added to JVM’s that running within workspaces.
`CHE_WORKSPACE_MAVEN__OPTIONS`	`-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom`	Maven command line options added to JVM’s that run agents within workspaces.
`CHE_WORKSPACE_MAVEN__SERVER__JAVA__OPTIONS`	`-XX:MaxRAM=128m-XX:MaxRAMFraction=1 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom`	Default java command line options to be added to JVM that run maven server.
`CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB`	`1024`	RAM limit default for each machine that has no RAM settings in environment. Value less or equal to 0 interpreted as limit disabling.
`CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB`	`200`	RAM request default for each container that has no explicit RAM settings in environment. this amount will be allocated on workspace container creation this property might not be supported by all infrastructure implementations: currently it is supported by Kubernetes and OpenShift Container Platform if default memory request is more than the memory limit, request will be ignored, and only limit will be used. Value less or equal to 0 interpreted as disabling request.
`CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES`	`-1`	CPU limit default for each container that has no CPU settings in environment. Can be specified either in floating point cores number, e.g. 0.125 or in K8S format integer millicores e.g. 125m Value less or equal to 0 interpreted as limit disabling.
`CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES`	`-1`	CPU request default for each container that has no CPU settings in environment. if default CPU request is more than the CPU limit, request will be ignored, and only limit will be used. Value less or equal to 0 interpreted as disabling this request.
`CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB`	`128`	RAM limit and request default for each sidecar that has no RAM settings in Che plugin configuration. Value less or equal to 0 interpreted as limit disabling.
`CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB`	`64`	RAMlimit and request default for each sidecar that has no RAM settings in `{prod-short}` plugin configuration. Value less or equal to 0 interpreted as limit disabling.
`CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES`	`-1`	CPU limit and request default for each sidecar that has no CPU settings in Che plugin configuration. Can be specified either in floating point cores number, e.g. 0.125 or in K8S format integer millicores e.g. 125m Value less or equal to 0 interpreted as disabling limit.
`CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES`	`-1`	CPUlimit and request default for each sidecar that has no CPU settings in `{prod-short}` plugin configuration. Can be specified either in floating point cores number, e.g. 0.125 or in K8S format integer millicores e.g. 125m Value less or equal to 0 interpreted as disabling limit.
`CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY`	`Always`	Define image pulling strategy for sidecars. Possible values are: Always, Never, IfNotPresent. Any other value will be interpreted as unspecified policy (Always if :latest tag is specified, or IfNotPresent otherwise.)
`CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S`	`60`	Period of inactive workspaces suspend job execution.
`CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S`	`3600`	The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, like a server crash at a peculiar point in time. The default is to run the cleanup job every hour.
`CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__INITIAL__DELAY__S`	`60`	The delay after server startup to start the first activity clean up job.
`CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__DELAY__S`	`180`	Delay before first workspace idleness check job started to avoid mass suspend if ws master was unavailable for period close to inactivity timeout.
`CHE_WORKSPACE_CLEANUP__TEMPORARY__INITIAL__DELAY__MIN`	`5`	Period of stopped temporary workspaces cleanup job execution.
`CHE_WORKSPACE_CLEANUP__TEMPORARY__PERIOD__MIN`	`180`	Periodof stopped temporary workspaces cleanup job execution.
`CHE_WORKSPACE_SERVER_PING__SUCCESS__THRESHOLD`	`1`	Number of sequential successful pings to server after which it is treated as available. Note: the property is common for all servers e.g. workspace agent, terminal, exec etc.
`CHE_WORKSPACE_SERVER_PING__INTERVAL__MILLISECONDS`	`3000`	Interval, in milliseconds, between successive pings to workspace server.
`CHE_WORKSPACE_SERVER_LIVENESS__PROBES`	`wsagent/http,exec-agent/http,terminal,theia,jupyter,dirigible,cloud-shell`	List of servers names which require liveness probes
`CHE_WORKSPACE_STARTUP__DEBUG__LOG__LIMIT__BYTES`	`10485760`	Limit size of the logs collected from single container that can be observed by che-server when debugging workspace startup. default 10MB=10485760
`CHE_WORKSPACE_STOP_ROLE_ENABLED`	`true`	If true, 'stop-workspace' role with the edit privileges will be granted to the 'che' ServiceAccount if OpenShift OAuth is enabled. This configuration is mainly required for workspace idling when the OpenShift OAuth is enabled.

Table 2. Templates
Environment Variable Name	Default value	Description
`CHE_TEMPLATE_STORAGE`	`${che.home}/templates`	Folder that contains JSON files with code templates and samples

Table 3. Authentication parameters
Environment Variable Name	Default value	Description
`CHE_AUTH_USER__SELF__CREATION`	`false`	Che has a single identity implementation, so this does not change the user experience. If true, enables user creation at API level
`CHE_AUTH_ACCESS__DENIED__ERROR__PAGE`	`/error-oauth`	Authentication error page address
`CHE_AUTH_RESERVED__USER__NAMES`		Reserved user names
`CHE_OAUTH_GITHUB_CLIENTID`	`NULL`	You can setup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.
`CHE_OAUTH_GITHUB_CLIENTSECRET`	`NULL`	Youcan setup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.
`CHE_OAUTH_GITHUB_AUTHURI`	`https://github.com/login/oauth/authorize`	Youcansetup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.
`CHE_OAUTH_GITHUB_TOKENURI`	`https://github.com/login/oauth/access_token`	YoucansetupGitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.
`CHE_OAUTH_GITHUB_REDIRECTURIS`	`http://localhost:${CHE_PORT}/api/oauth/callback`	YoucansetupGitHubOAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.
`CHE_OAUTH_OPENSHIFT_CLIENTID`	`NULL`	Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token.
`CHE_OAUTH_OPENSHIFT_CLIENTSECRET`	`NULL`	Configurationof OpenShift OAuth client. Used to obtain OpenShift OAuth token.
`CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT`	`NULL`	ConfigurationofOpenShift OAuth client. Used to obtain OpenShift OAuth token.
`CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL`	`NULL`	ConfigurationofOpenShiftOAuth client. Used to obtain OpenShift OAuth token.

Table 4. Internal
Environment Variable Name	Default value	Description
`SCHEDULE_CORE__POOL__SIZE`	`10`	Che extensions can be scheduled executions on a time basis. This configures the size of the thread pool allocated to extensions that are launched on a recurring schedule.
`ORG_EVERREST_ASYNCHRONOUS`	`false`	Everrest is a Java Web Services toolkit that manages JAX-RS & web socket communications Users should rarely need to configure this. Disable asynchronous mechanism that is embedded in everrest.
`ORG_EVERREST_ASYNCHRONOUS_POOL_SIZE`	`20`	Quantity of asynchronous requests which may be processed at the same time
`ORG_EVERREST_ASYNCHRONOUS_QUEUE_SIZE`	`500`	Size of queue. If asynchronous request can’t be processed after consuming it will be added in queue.
`ORG_EVERREST_ASYNCHRONOUS_JOB_TIMEOUT`	`10`	Timeout in minutes for request. If after timeout request is not done or client did not come yet to get result of request it may be discarded.
`ORG_EVERREST_ASYNCHRONOUS_CACHE_SIZE`	`1024`	Size of cache for waiting, running and ended request.
`ORG_EVERREST_ASYNCHRONOUS_SERVICE_PATH`	`/async/`	Path to asynchronous service
`DB_SCHEMA_FLYWAY_BASELINE_ENABLED`	`true`	DB initialization and migration configuration
`DB_SCHEMA_FLYWAY_BASELINE_VERSION`	`5.0.0.8.1`	DBinitialization and migration configuration
`DB_SCHEMA_FLYWAY_SCRIPTS_PREFIX`		DBinitializationand migration configuration
`DB_SCHEMA_FLYWAY_SCRIPTS_SUFFIX`	`.sql`	DBinitializationandmigration configuration
`DB_SCHEMA_FLYWAY_SCRIPTS_VERSION__SEPARATOR`	`__`	DBinitializationandmigrationconfiguration
`DB_SCHEMA_FLYWAY_SCRIPTS_LOCATIONS`	`classpath:che-schema`	DBinitializationandmigrationconfiguration

Table 5. Kubernetes Infra parameters
Environment Variable Name	Default value	Description
`CHE_INFRA_KUBERNETES_MASTER__URL`		Configuration of Kubernetes client that Infra will use
`CHE_INFRA_KUBERNETES_TRUST__CERTS`		Configurationof Kubernetes client that Infra will use
`CHE_INFRA_KUBERNETES_SERVER__STRATEGY`	`multi-host`	Defines the way how servers are exposed to the world in Kubernetes infra. List of strategies implemented in Che: default-host, multi-host, single-host
`CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE`	`native`	Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using Kubernetes Ingresses. Works only on Kubernetes. - 'gateway': Exposes servers using reverse-proxy gateway.
`CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS`	`app=che,component=che-gateway-config`	Defines labels which will be set to ConfigMaps configuring single-host gateway.
`CHE_INFRA_KUBERNETES_INGRESS_DOMAIN`		Used to generate domain for a server in a workspace in case property `che.infra.kubernetes.server_strategy` is set to `multi-host`
`CHE_INFRA_KUBERNETES_NAMESPACE`		DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines Kubernetes namespace in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It’s possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use `che.infra.openshift.project` instead If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
`CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT`	`<username>-che`	Defines Kubernetes default namespace in which user’s workspaces are created if user does not override it. It’s possible to use <username>, <userid> and <workspaceid> placeholders (e.g.: che-workspace-<username>). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project
`CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED`	`false`	Defines if a user is able to specify Kubernetes namespace (or OpenShift project) different from the default. It’s NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra.
`CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME`	`NULL`	Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. Note that Kubernetes Infrastructure won’t create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there
`CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES`	`NULL`	Specifies optional, additional cluster roles to use with the workspace service account. Note that the cluster role names must already exist, and the Che service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates 'che.infra.kubernetes.cluster_role_name'.
`CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN`	`8`	Defines time frame that limits the Kubernetes workspace start time
`CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN`	`5`	Defines the timeout in minutes that limits the period for which Kubernetes Ingress become ready
`CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS`	`FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate`	If during workspace startup an unrecoverable event defined in the property occurs, terminate workspace immediately instead of waiting until timeout Note that this SHOULD NOT include a mere 'Failed' reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by Che server.
`CHE_INFRA_KUBERNETES_PVC_ENABLED`	`true`	Defines whether use the Persistent Volume Claim for che workspace needs e.g backup projects, logs etc or disable it.
`CHE_INFRA_KUBERNETES_PVC_STRATEGY`	`common`	Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same Kubernetes Namespace will reuse the same PVC. Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn’t exist. - 'unique' Separate PVC for each workspace’s volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + `{generated_8_chars}’. Existing PVC will be used or a new one will be created if it doesn’t exist. - 'per-workspace' Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + `{WORKSPACE_ID}’. Existing PVC will be used or a new one will be created if it doesn’t exist.
`CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS`	`true`	Defines whether to run a job that creates workspace’s subpath directories in persistent volume for the 'common' strategy before launching a workspace. Necessary in some versions of OpenShift/Kubernetes as workspace subpath volume mounts are created with root permissions, and thus cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in Che). The default is 'true', but should be set to false if the version of Openshift/Kubernetes creates subdirectories with user permissions. Relevant issue: https://github.com/kubernetes/kubernetes/issues/41638 Note that this property has effect only if the 'common' PVC strategy used.
`CHE_INFRA_KUBERNETES_PVC_NAME`	`claim-che-workspace`	Defines the settings of PVC name for che workspaces. Each PVC strategy supplies this value differently. See doc for che.infra.kubernetes.pvc.strategy property
`CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME`		Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means 'use default'.
`CHE_INFRA_KUBERNETES_PVC_QUANTITY`	`10Gi`	Defines the size of Persistent Volume Claim of che workspace. Format described here: https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html
`CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE`	`centos:centos7`	Pod that is launched when performing persistent volume claim maintenance jobs on OpenShift
`CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY`	`IfNotPresent`	Image pull policy of container that used for the maintenance jobs on Kubernetes/OpenShift cluster
`CHE_INFRA_KUBERNETES_PVC_JOBS_MEMORYLIMIT`	`250Mi`	Defines pod memory limit for persistent volume claim maintenance jobs
`CHE_INFRA_KUBERNETES_PVC_ACCESS__MODE`	`ReadWriteOnce`	Defines Persistent Volume Claim access mode. Note that for common PVC strategy changing of access mode affects the number of simultaneously running workspaces. If OpenShift flavor where che running is using PVs with RWX access mode then a limit of running workspaces at the same time bounded only by che limits configuration like(RAM, CPU etc). Detailed information about access mode is described here: https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html
`CHE_INFRA_KUBERNETES_PVC_WAIT__BOUND`	`true`	Defines whether Che Server should wait workspaces PVCs to become bound after creating. It’s used by all PVC strategies. It should be set to `false` in case if `volumeBindingMode` is configured to `WaitForFirstConsumer` otherwise workspace starts will hangs up on phase of waiting PVCs. Default value is true (means that PVCs should be waited to be bound)
`CHE_INFRA_KUBERNETES_INSTALLER__SERVER__MIN__PORT`	`10000`	Defined range of ports for installers servers By default, installer will use own port, but if it conflicts with another installer servers then OpenShift infrastructure will reconfigure installer to use first available from this range
`CHE_INFRA_KUBERNETES_INSTALLER__SERVER__MAX__PORT`	`20000`	Definedrange of ports for installers servers By default, installer will use own port, but if it conflicts with another installer servers then OpenShift infrastructure will reconfigure installer to use first available from this range
`CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON`	`NULL`	Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers don’t need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for nginx ingress controller 0.22.0 and later the following value is recommended: `{'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600'}` and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)' For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely '/' and the path transform to '%s' (see the the che.infra.kubernetes.ingress.path.rewrite_transform property). Please consult the nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression present in the ingress path and how it achieves the URL rewriting.
`CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM`	`NULL`	Defines a 'recipe' on how to declare the path of the ingress that should expose a server. The '%s' represents the base public URL of the server and is guaranteed to end with a forward slash. This property must be a valid input to the String.format() method and contain exactly one reference to '%s'. Please see the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to '%s' (without the quotes) which means that the path is not transformed in any way for use with the ingress controller.
`CHE_INFRA_KUBERNETES_INGRESS_LABELS`	`NULL`	Additional labels to add into every Ingress created by Che server to allow clear identification.
`CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER`	`NULL`	Defines security context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra
`CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP`	`NULL`	Definessecurity context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra
`CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC`	`0`	Defines grace termination period for pods that will be created by Kubernetes / OpenShift infrastructures Grace termination period of Kubernetes / OpenShift workspace’s pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` have been explicitly set in Kubernetes / OpenShift recipe it will not be overridden.
`CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX`	`1000`	Number of maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn’t seem correct for multi-user scenarios knowing that Che keeps a number of connections opened (e.g. for command or ws-agent logs)
`CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST`	`1000`	Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the `KubernetesClient` instances. Default values are 64, and 5 per-host, which doesn’t seem correct for multi-user scenarios knowing that `{prod-short}` keeps a number of connections opened (e.g. for command or ws-agent logs)
`CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE`	`5`	Max number of idle connections in the connection pool of the Kubernetes-client shared http client
`CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN`	`5`	Keep-alive timeout of the connection pool of the Kubernetes-client shared http client in minutes
`CHE_INFRA_KUBERNETES_TLS__ENABLED`	`false`	Creates Ingresses with Transport Layer Security (TLS) enabled In OpenShift infrastructure, Routes will be TLS-enabled
`CHE_INFRA_KUBERNETES_TLS__SECRET`		Name of a secret that should be used when creating workspace ingresses with TLS Ignored by OpenShift infrastructure
`CHE_INFRA_KUBERNETES_TLS__KEY`	`NULL`	Data for TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure
`CHE_INFRA_KUBERNETES_TLS__CERT`	`NULL`	Datafor TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure
`CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN`	`-1`	Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won’t be performed at all. It is disabled by default because there is possible Che Server configuration when Che Server doesn’t have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where Che Server is located; - cluster-admin service account token is mount to Che Server pod; It DOES NOT work on the following configurations: - Che Server communicates with Kubernetes API using token from OAuth provider;

Table 6. OpenShift Infra parameters
Environment Variable Name	Default value	Description
`CHE_INFRA_OPENSHIFT_PROJECT`		DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines OpenShift namespace in which all workspaces will be created. If not set, every workspace will be created in a new project, where project name = workspace id It’s possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>). In that case, new project will be created for each user. OpenShift oauth or service account with permission to create new projects must be used. If the project pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
`CHE_INFRA_OPENSHIFT_TRUSTED__CA__BUNDLES__CONFIG__MAP`	`ca-certs`	Configures name of the trust-store config map where the CA bundles are stored in Openshift 4. This map is supposed to be initially created by Che installer (operator or etc) with basically any name, and Che server finds it by specific label (see below) during workspace startup and then creates and mounts same map in the namespace of the workspace. The property defines name of the map in workspace namespace.
`CHE_INFRA_OPENSHIFT_TRUSTED__CA__BUNDLES__CONFIG__MAP__LABELS`	`config.openshift.io/inject-trusted-cabundle=true`	Label name for config maps which are used for automatic certificate injection in Openshift 4.
`CHE_INFRA_OPENSHIFT_TRUSTED__CA__BUNDLES__MOUNT__PATH`	`/public-certs`	Configures path on workspace containers where the CA bundles are mount.
`CHE_INFRA_OPENSHIFT_ROUTE_LABELS`	`NULL`	Additional labels to add into every Route created by Che server to allow clear identification.
`CHE_SINGLEPORT_WILDCARD__DOMAIN_HOST`	`NULL`	Single port mode wildcard domain host & port. nip.io is used by default
`CHE_SINGLEPORT_WILDCARD__DOMAIN_PORT`	`NULL`	Singleport mode wildcard domain host & port. nip.io is used by default
`CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS`	`false`	Enable single port custom DNS without inserting the IP

Table 7. Experimental properties
Environment Variable Name	Default value	Description
`CHE_WORKSPACE_PLUGIN__BROKER_METADATA_IMAGE`	`quay.io/eclipse/che-plugin-metadata-broker:v3.4.0`	Docker image of Che plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace Note these images are overridden by the Che Operator by default; changing the images here will not have an effect if Che is installed via Operator.
`CHE_WORKSPACE_PLUGIN__BROKER_ARTIFACTS_IMAGE`	`quay.io/eclipse/che-plugin-artifacts-broker:v3.4.0`	Dockerimage of `{prod-short}` plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace Note these images are overridden by the `{prod-short}` Operator by default; changing the images here will not have an effect if `{prod-short}` is installed via Operator.
`CHE_WORKSPACE_PLUGIN__BROKER_DEFAULT__MERGE__PLUGINS`	`false`	Configures the default behavior of the plugin brokers when provisioning plugins into a workspace. If set to true, the plugin brokers will attempt to merge plugins when possible (i.e. they run in the same sidecar image and do not have conflicting settings). This value is the default setting used when the devfile does not specify otherwise, via the 'mergePlugins' attribute.
`CHE_WORKSPACE_PLUGIN__BROKER_PULL__POLICY`	`Always`	Docker image of Che plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace
`CHE_WORKSPACE_PLUGIN__BROKER_WAIT__TIMEOUT__MIN`	`3`	Defines the timeout in minutes that limits the max period of result waiting for plugin broker.
`CHE_WORKSPACE_PLUGIN__REGISTRY__URL`	`https://che-plugin-registry.prod-preview.openshift.io/v3`	Workspace tooling plugins registry endpoint. Should be a valid HTTP URL. `Example: http://che-plugin-registry-eclipse-che.192.168.65.2.nip.io` In case Che plugins tooling is not needed value 'NULL' should be used
`CHE_WORKSPACE_DEVFILE__REGISTRY__URL`	`https://che-devfile-registry.prod-preview.openshift.io/`	Devfile Registry endpoint. Should be a valid HTTP URL. `Example: http://che-devfile-registry-eclipse-che.192.168.65.2.nip.io` In case Che plugins tooling is not needed value 'NULL' should be used
`CHE_WORKSPACE_STORAGE_AVAILABLE__TYPES`	`persistent,ephemeral,async`	The configuration property that defines available values for storage types that clients like Dashboard should propose for users during workspace creation/update. Available values: - 'persistent': Persistent Storage slow I/O but persistent. - 'ephemeral': Ephemeral Storage allows for faster I/O but may have limited storage and is not persistent. - 'async': Experimental feature: Asynchronous storage is combination of Ephemeral and Persistent storage. Allows for faster I/O and keep your changes, will backup on stop and restore on start workspace. Will work only if: - che.infra.kubernetes.pvc.strategy='common' - che.limits.user.workspaces.run.count=1 - che.infra.kubernetes.namespace.allow_user_defined=false - che.infra.kubernetes.namespace.default contains <username> in other cases remove 'async' from the list.
`CHE_WORKSPACE_STORAGE_PREFERRED__TYPE`	`persistent`	The configuration property that defines a default value for storage type that clients like Dashboard should propose for users during workspace creation/update. The 'async' value not recommended as default type since it’s experimental
`CHE_SERVER_SECURE__EXPOSER`	`default`	Configures in which way secure servers will be protected with authentication. Suitable values: - 'default': jwtproxy is configured in a pass-through mode. So, servers should authenticate requests themselves. - 'jwtproxy': jwtproxy will authenticate requests. So, servers will receive only authenticated ones.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_ISSUER`	`wsmaster`	Jwtproxy issuer string, token lifetime and optional auth page path to route unsigned requests to.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_TTL`	`8800h`	Jwtproxyissuer string, token lifetime and optional auth page path to route unsigned requests to.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_AUTH_LOADER_PATH`	`/_app/loader.html`	Jwtproxyissuerstring, token lifetime and optional auth page path to route unsigned requests to.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_IMAGE`	`quay.io/eclipse/che-jwtproxy:0.10.0`	Jwtproxyissuerstring,token lifetime and optional auth page path to route unsigned requests to.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_MEMORY__LIMIT`	`128mb`	Jwtproxyissuerstring,tokenlifetime and optional auth page path to route unsigned requests to.
`CHE_SERVER_SECURE__EXPOSER_JWTPROXY_CPU__LIMIT`	`0.5`	Jwtproxyissuerstring,tokenlifetimeand optional auth page path to route unsigned requests to.

Table 8. Configuration of major "/websocket" endpoint
Environment Variable Name	Default value	Description
`CHE_CORE_JSONRPC_PROCESSOR__MAX__POOL__SIZE`	`50`	Maximum size of the JSON RPC processing pool in case if pool size would be exceeded message execution will be rejected
`CHE_CORE_JSONRPC_PROCESSOR__CORE__POOL__SIZE`	`5`	Initial json processing pool. Minimum number of threads that used to process major JSON RPC messages.
`CHE_CORE_JSONRPC_PROCESSOR__QUEUE__CAPACITY`	`100000`	Configuration of queue used to process Json RPC messages.

Table 9. Configuration of major "/websocket-minor" endpoint
Environment Variable Name	Default value	Description
`CHE_CORE_JSONRPC_MINOR__PROCESSOR__MAX__POOL__SIZE`	`100`	Maximum size of the JSON RPC processing pool in case if pool size would be exceeded message execution will be rejected
`CHE_CORE_JSONRPC_MINOR__PROCESSOR__CORE__POOL__SIZE`	`15`	Initial json processing pool. Minimum number of threads that used to process minor JSON RPC messages.
`CHE_CORE_JSONRPC_MINOR__PROCESSOR__QUEUE__CAPACITY`	`10000`	Configuration of queue used to process Json RPC messages.
`CHE_METRICS_PORT`	`8087`	Port the the http server endpoint that would be exposed with Prometheus metrics

Table 10. CORS settings
Environment Variable Name	Default value	Description
`CHE_CORS_ALLOWED__ORIGINS`	`*`	CORS filter on WS Master is turned off by default. Use environment variable 'CHE_CORS_ENABLED=true' to turn it on 'cors.allowed.origins' indicates which request origins are allowed
`CHE_CORS_ALLOW__CREDENTIALS`	`false`	'cors.support.credentials' indicates if it allows processing of requests with credentials (in cookies, headers, TLS client certificates)

Table 11. Factory defaults
Environment Variable Name	Default value	Description
`CHE_FACTORY_DEFAULT__EDITOR`	`eclipse/che-theia/next`	Editor and plugin which will be used for factories which are created from remote git repository which doesn’t contain any Che-specific workspace descriptors (like .devfile of .factory.json) Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion
`CHE_FACTORY_DEFAULT__PLUGINS`	`eclipse/che-machine-exec-plugin/nightly`	Editorand plugin which will be used for factories which are created from remote git repository which doesn’t contain any `{prod-short}`-specific workspace descriptors (like .devfile of .factory.json) Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion
`CHE_FACTORY_DEFAULT__DEVFILE__FILENAMES`	`devfile.yaml,.devfile.yaml`	Devfile filenames to look on repository-based factories (like GitHub etc). Factory will try to locate those files in the order they enumerated in the property.

Table 12. Devfile defaults
Environment Variable Name	Default value	Description
`CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR`	`eclipse/che-theia/next`	Default Editor that should be provisioned into Devfile if there is no specified Editor Format is `editorPublisher/editorName/editorVersion` value. `NULL` or absence of value means that default editor should not be provisioned.
`CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR_PLUGINS`	`eclipse/che-machine-exec-plugin/nightly`	Default Plugins which should be provisioned for Default Editor. All the plugins from this list that are not explicitly mentioned in the user-defined devfile will be provisioned but only when the default editor is used or if the user-defined editor is the same as the default one (even if in different version). Format is comma-separated `pluginPublisher/pluginName/pluginVersion` values, and URLs. For example: eclipse/che-theia-exec-plugin/0.0.1,eclipse/che-theia-terminal-plugin/0.0.1,https://cdn.pluginregistry.com/vi-mode/meta.yaml If the plugin is a URL, the plugin’s meta.yaml is retrieved from that URL.
`CHE_WORKSPACE_PROVISION_SECRET_LABELS`	`app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspace-secret`	Defines comma-separated list of labels for selecting secrets from a user namespace, which will be mount into workspace containers as a files or env variables. Only secrets that match ALL given labels will be selected.
`CHE_WORKSPACE_DEVFILE_ASYNC_STORAGE_PLUGIN`	`eclipse/che-async-pv-plugin/nightly`	Plugin is added in case async storage feature will be enabled in workspace config and supported by environment
`CHE_INFRA_KUBERNETES_ASYNC_STORAGE_IMAGE`	`quay.io/eclipse/che-workspace-data-sync-storage:latest`	Docker image for the Che async storage
`CHE_WORKSPACE_POD_NODE__SELECTOR`	`NULL`	Optionally configures node selector for workspace pod. Format is comma-separated key=value pairs, e.g: disktype=ssd,cpu=xlarge,foo=bar
`CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__TIMEOUT__MIN`	`120`	The timeout for the Asynchronous Storage Pod shutdown after stopping the last used workspace. Value less or equal to 0 interpreted as disabling shutdown ability.
`CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__CHECK__PERIOD__MIN`	`30#`	Defines the period with which the Asynchronous Storage Pod stopping ability will be performed (once in 30 minutes by default)

Table 13. Che system
Environment Variable Name	Default value	Description
`CHE_SYSTEM_SUPER__PRIVILEGED__MODE`	`false`	System Super Privileged Mode. Grants users with the manageSystem permission additional permissions for getByKey, getByNameSpace, stopWorkspaces, and getResourcesInformation. These are not given to admins by default and these permissions allow admins gain visibility to any workspace along with naming themselves with admin privileges to those workspaces.
`CHE_SYSTEM_ADMIN__NAME`	`admin`	Grant system permission for 'che.admin.name' user. If the user already exists it’ll happen on component startup, if not - during the first login when user is persisted in the database.

Table 14. Workspace limits
Environment Variable Name	Default value	Description
`CHE_LIMITS_WORKSPACE_ENV_RAM`	`16gb`	Workspaces are the fundamental runtime for users when doing development. You can set parameters that limit how workspaces are created and the resources that are consumed. The maximum amount of RAM that a user can allocate to a workspace when they create a new workspace. The RAM slider is adjusted to this maximum value.
`CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT`	`1800000`	The length of time that a user is idle with their workspace when the system will suspend the workspace and then stopping it. Idleness is the length of time that the user has not interacted with the workspace, meaning that one of our agents has not received interaction. Leaving a browser window open counts toward idleness.
`CHE_LIMITS_WORKSPACE_RUN_TIMEOUT`	`0`	The length of time in milliseconds that a workspace will run, regardless of activity, before the system will suspend it. Set this property if you want to automatically stop workspaces after a period of time. The default is zero, meaning that there is no run timeout.

Table 15. Users workspace limits
Environment Variable Name	Default value	Description
`CHE_LIMITS_USER_WORKSPACES_RAM`	`-1`	The total amount of RAM that a single user is allowed to allocate to running workspaces. A user can allocate this RAM to a single workspace or spread it across multiple workspaces.
`CHE_LIMITS_USER_WORKSPACES_COUNT`	`-1`	The maximum number of workspaces that a user is allowed to create. The user will be presented with an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.
`CHE_LIMITS_USER_WORKSPACES_RUN_COUNT`	`1`	The maximum number of running workspaces that a single user is allowed to have. If the user has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The user will need to stop a running workspace to activate another.

Table 16. Organizations workspace limits
Environment Variable Name	Default value	Description
`CHE_LIMITS_ORGANIZATION_WORKSPACES_RAM`	`-1`	The total amount of RAM that a single organization (team) is allowed to allocate to running workspaces. An organization owner can allocate this RAM however they see fit across the team’s workspaces.
`CHE_LIMITS_ORGANIZATION_WORKSPACES_COUNT`	`-1`	The maximum number of workspaces that a organization is allowed to own. The organization will be presented an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.
`CHE_LIMITS_ORGANIZATION_WORKSPACES_RUN_COUNT`	`-1`	The maximum number of running workspaces that a single organization is allowed. If the organization has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The organization will need to stop a running workspace to activate another.
`CHE_MAIL_FROM__EMAIL__ADDRESS`	`che@noreply.com`	Address that will be used as from email for email notifications

Table 17. Organizations notifications settings
Environment Variable Name	Default value	Description
`CHE_ORGANIZATION_EMAIL_MEMBER__ADDED__SUBJECT`	`You'vebeen added to a Che Organization`	Organization notifications sunjects and templates
`CHE_ORGANIZATION_EMAIL_MEMBER__ADDED__TEMPLATE`	`st-html-templates/user_added_to_organization`	Organizationnotifications sunjects and templates
`CHE_ORGANIZATION_EMAIL_MEMBER__REMOVED__SUBJECT`	`You'vebeen removed from a Che Organization`
`CHE_ORGANIZATION_EMAIL_MEMBER__REMOVED__TEMPLATE`	`st-html-templates/user_removed_from_organization`
`CHE_ORGANIZATION_EMAIL_ORG__REMOVED__SUBJECT`	`CheOrganization deleted`
`CHE_ORGANIZATION_EMAIL_ORG__REMOVED__TEMPLATE`	`st-html-templates/organization_deleted`
`CHE_ORGANIZATION_EMAIL_ORG__RENAMED__SUBJECT`	`CheOrganization renamed`
`CHE_ORGANIZATION_EMAIL_ORG__RENAMED__TEMPLATE`	`st-html-templates/organization_renamed`

Table 18. Multi-user-specific OpenShift infrastructure configuration
Environment Variable Name	Default value	Description
`CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER`	`NULL`	Alias of the Openshift identity provider registered in Keycloak, that should be used to create workspace OpenShift resources in Openshift namespaces owned by the current Che user. Should be set to NULL if `che.infra.openshift.project` is set to a non-empty value. For more information see the following documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#openshift-4

Table 19. Keycloak configuration
Environment Variable Name	Default value	Description
`CHE_KEYCLOAK_AUTH__SERVER__URL`	`http://${CHE_HOST}:5050/auth`	Url to keycloak identity provider server Can be set to NULL only if `che.keycloak.oidcProvider` is used
`CHE_KEYCLOAK_REALM`	`che`	Keycloak realm is used to authenticate users Can be set to NULL only if `che.keycloak.oidcProvider` is used
`CHE_KEYCLOAK_CLIENT__ID`	`che-public`	Keycloak client id in che.keycloak.realm that is used by dashboard, ide and cli to authenticate users

Table 20. RedHat Che specific configuration
Environment Variable Name	Default value	Description
`CHE_KEYCLOAK_OSO_ENDPOINT`	`NULL`	URL to access OSO oauth tokens
`CHE_KEYCLOAK_GITHUB_ENDPOINT`	`NULL`	URL to access Github oauth tokens
`CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC`	`3`	The number of seconds to tolerate for clock skew when verifying exp or nbf claims.
`CHE_KEYCLOAK_USE__NONCE`	`true`	Use the OIDC optional `nonce` feature to increase security.
`CHE_KEYCLOAK_JS__ADAPTER__URL`	`NULL`	URL to the Keycloak Javascript adapter we want to use. if set to NULL, then the default used value is `${che.keycloak.auth_server_url}/js/keycloak.js`, or `<che-server>/api/keycloak/OIDCKeycloak.js` if an alternate `oidc_provider` is used
`CHE_KEYCLOAK_OIDC__PROVIDER`	`NULL`	Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
`CHE_KEYCLOAK_USE__FIXED__REDIRECT__URLS`	`false`	Set to true when using an alternate OIDC provider that only supports fixed redirect Urls This property is ignored when `che.keycloak.oidc_provider` is NULL
`CHE_KEYCLOAK_USERNAME__CLAIM`	`NULL`	Username claim to be used as user display name when parsing JWT token if not defined the fallback value is 'preferred_username'
`CHE_OAUTH_SERVICE__MODE`	`delegated`	Configuration of OAuth Authentication Service that can be used in 'embedded' or 'delegated' mode. If set to 'embedded', then the service work as a wrapper to Che’s OAuthAuthenticator ( as in Single User mode). If set to 'delegated', then the service will use Keycloak IdentityProvider mechanism. Runtime Exception wii be thrown, in case if this property is not set properly.