Advanced configuration options for the Che server component
The following section describes advanced deployment and configuration methods for the Che server component.
Understanding Che server advanced configuration using the Operator
The following section describes the Che server component advanced configuration method for a deployment using the Operator.
Advanced configuration is necessary to:
- Add environment variables not automatically generated by the Operator from the standard `CheCluster` Custom Resource fields.
- Override the properties automatically generated by the Operator from the standard `CheCluster` Custom Resource fields.
The `customCheProperties` field, part of the `CheCluster` Custom Resource `server` settings, contains a map of additional environment variables to apply to the Che server component.
Add the `CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB` property to `customCheProperties`:
apiVersion: org.eclipse.che/v1
kind: CheCluster
# ...
spec:
  server:
    # ...
    customCheProperties:
      CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB: "2048"
  # ...
Previous versions of the Che Operator had a ConfigMap named |
- For the list of all parameters available in the `CheCluster` Custom Resource, see Configuring the Che installation.
- For the list of all parameters available to configure `customCheProperties`, see Che server component system properties reference.
Understanding Che server advanced configuration not using the Operator
The following section describes Che server component advanced configuration method when the installation method is not using the Operator.
The user configures Che manually by modifying the `configMap` object.
- Proceed to the installation to generate the `che` `configMap` object.
- Edit the `che` `configMap` template.
- Apply manual changes to the `custom` `configMap` without downtime using the following `kubectl` command:
  $ kubectl rollout restart deployment/che
Che server component system properties reference
The following document describes all possible configuration properties of the Che server component.
Che server
CHE_API
API service. Browsers initiate REST communications to Che server with this URL.
- Default
-
http://${CHE_HOST}:${CHE_PORT}/api
CHE_API_INTERNAL
API service internal network URL. Back-end services should initiate REST communications to Che server with this URL
- Default
-
NULL
CHE_WEBSOCKET_ENDPOINT
Che WebSocket major endpoint. Provides basic communication endpoint for major WebSocket interactions and messaging.
- Default
-
ws://${CHE_HOST}:${CHE_PORT}/api/websocket
CHE_WEBSOCKET_INTERNAL_ENDPOINT
Che WebSocket major internal endpoint. Provides basic communication endpoint for major WebSocket interactions and messaging.
- Default
-
NULL
CHE_WORKSPACE_PROJECTS_STORAGE
Your projects are synchronized from the Che server into the machine running each workspace. This is the directory in the machine where your projects are placed.
- Default
-
/projects
CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE
Used when Kubernetes-type components in a devfile request project PVC creation. (Applied in case of the `unique` and `per-workspace` PVC strategy. In case of the `common` PVC strategy, it is rewritten with the value of the `che.infra.kubernetes.pvc.quantity` property.)
- Default
-
1Gi
CHE_WORKSPACE_LOGS_ROOT__DIR
Defines the directory inside the machine where all the workspace logs are placed. Provide this value into the machine, for example, as an environment variable. This is to ensure that agent developers can use this directory to back up agent logs.
- Default
-
/workspace_logs
CHE_WORKSPACE_HTTP__PROXY
Configures environment variable HTTP_PROXY to a specified value in containers powering workspaces.
- Default
-
empty
CHE_WORKSPACE_HTTPS__PROXY
Configures environment variable HTTPS_PROXY to a specified value in containers powering workspaces.
- Default
-
empty
CHE_WORKSPACE_NO__PROXY
Configures environment variable NO_PROXY to a specified value in containers powering workspaces.
- Default
-
empty
CHE_WORKSPACE_AUTO__START
By default, when users access a workspace with its URL, the workspace automatically starts (if currently stopped). Set this to `false` to disable this behavior.
- Default
-
true
CHE_WORKSPACE_POOL_TYPE
Workspace threads pool configuration. This pool is used for workspace-related operations that require asynchronous execution, for example, starting and stopping. Possible values are `fixed` and `cached`.
- Default
-
fixed
CHE_WORKSPACE_POOL_EXACT__SIZE
This property is ignored when pool type is different from `fixed`. It configures the exact size of the pool. When set, the `multiplier` property is ignored. If this property is not set (`0`, `<0`, `NULL`), then the pool size equals the number of cores. See also `che.workspace.pool.cores_multiplier`.
- Default
-
30
CHE_WORKSPACE_POOL_CORES__MULTIPLIER
This property is ignored when pool type is not set to `fixed` or when `che.workspace.pool.exact_size` is set. When set, the pool size is `N_CORES * multiplier`.
- Default
-
2
CHE_WORKSPACE_PROBE__POOL__SIZE
This property specifies how many threads to use for workspace server liveness probes.
- Default
-
10
CHE_WORKSPACE_JAVA__OPTIONS
Java command-line options added to JVMs running in workspaces.
- Default
-
-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom
CHE_WORKSPACE_MAVEN__OPTIONS
Maven command-line options added to JVMs running agents in workspaces.
- Default
-
-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom
CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB
RAM limit default for each machine that has no RAM settings in its environment. Value less or equal to 0 is interpreted as disabling the limit.
- Default
-
1024
CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB
RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. This property may not be supported by all infrastructure implementations. Currently it is supported by Kubernetes. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit.
- Default
-
200
CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES
CPU limit for each container that has no CPU settings in its environment. Specify either as a floating-point number of cores, for example, `0.125`, or in the Kubernetes format of integer millicores, for example, `125m`. A value less than or equal to 0 is interpreted as disabling the limit.
- Default
-
-1
CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES
CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. Value less or equal to 0 is interpreted as disabling the limit.
- Default
-
-1
CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB
RAM limit for each sidecar that has no RAM settings in the Che plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit.
- Default
-
128
CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB
RAM request for each sidecar that has no RAM settings in the Che plug-in configuration.
- Default
-
64
CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES
CPU limit default for each sidecar that has no CPU settings in the Che plug-in configuration. Specify either as a floating-point number of cores, for example, `0.125`, or in the Kubernetes format of integer millicores, for example, `125m`. A value less than or equal to 0 is interpreted as disabling the limit.
- Default
-
-1
CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES
CPU request default for each sidecar that has no CPU settings in the Che plug-in configuration. Specify either as a floating-point number of cores, for example, `0.125`, or in the Kubernetes format of integer millicores, for example, `125m`.
- Default
-
-1
CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY
Defines image-pulling strategy for sidecars. Possible values are: `Always`, `Never`, `IfNotPresent`. For any other value, `Always` is assumed for images with the `:latest` tag, or `IfNotPresent` for all other cases.
- Default
-
Always
CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S
Period of inactive workspaces suspend job execution.
- Default
-
60
CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S
The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, as a server failure at a peculiar point in time. The default is to run the cleanup job every hour.
- Default
-
3600
CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__INITIAL__DELAY__S
The delay after server startup to start the first activity clean up job.
- Default
-
60
CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__DELAY__S
Delay before first workspace idleness check job started to avoid mass suspend if Che server was unavailable for period close to inactivity timeout.
- Default
-
180
CHE_WORKSPACE_CLEANUP__TEMPORARY__INITIAL__DELAY__MIN
Time to delay the first execution of temporary workspaces cleanup job.
- Default
-
5
CHE_WORKSPACE_CLEANUP__TEMPORARY__PERIOD__MIN
Time to delay between the termination of one execution and the commencement of the next execution of temporary workspaces cleanup job
- Default
-
180
CHE_WORKSPACE_SERVER_PING__SUCCESS__THRESHOLD
Number of sequential successful pings to server after which it is treated as available. Note: the property is common for all servers, for example, workspace agent, terminal, exec.
- Default
-
1
CHE_WORKSPACE_SERVER_PING__INTERVAL__MILLISECONDS
Interval, in milliseconds, between successive pings to workspace server.
- Default
-
3000
CHE_WORKSPACE_SERVER_LIVENESS__PROBES
List of servers names which require liveness probes
- Default
-
wsagent/http,exec-agent/http,terminal,theia,jupyter,dirigible,cloud-shell,intellij
CHE_WORKSPACE_STARTUP__DEBUG__LOG__LIMIT__BYTES
Limit size of the logs collected from single container that can be observed by che-server when debugging workspace startup. default 10MB=10485760
- Default
-
10485760
CHE_WORKSPACE_STOP_ROLE_ENABLED
If true, 'stop-workspace' role with the edit privileges will be granted to the 'che' ServiceAccount if OpenShift OAuth is enabled. This configuration is mainly required for workspace idling when the OpenShift OAuth is enabled.
- Default
-
true
CHE_DEVWORKSPACES_ENABLED
Specifies whether Che is deployed with DevWorkspaces enabled. This property is set by the Che Operator if it also installed the support for DevWorkspaces. This property is used to advertise this fact to the Che dashboard. It does not make sense to change the value of this property manually.
- Default
-
false
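The resource rules stated for the `CHE_WORKSPACE_DEFAULT__*` and `CHE_WORKSPACE_SIDECAR_DEFAULT__*` properties above can be checked before a `customCheProperties` change is rolled out. The following is an added example, not code from the Che project: it resolves the effective defaults and lists which resources end up with no limit. The function names and the sample overrides are constructed for illustration, and treating a value of 0 or less as "unset" for the sidecar request properties is an assumption, because the reference states that rule only for the other properties.

```python
"""Resolve effective workspace resource defaults from Che server properties."""
from typing import Optional

# Defaults copied from the property reference on this page.
DEFAULTS = {
    "CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB": "1024",
    "CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB": "200",
    "CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES": "-1",
    "CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES": "-1",
    "CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB": "128",
    "CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB": "64",
    "CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES": "-1",
    "CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES": "-1",
}


def parse_cores(value: str) -> Optional[float]:
    """Parse '0.125' (cores) or '125m' (integer millicores); <= 0 means disabled."""
    text = value.strip()
    cores = int(text[:-1]) / 1000.0 if text.endswith("m") else float(text)
    return cores if cores > 0 else None


def parse_mb(value: str) -> Optional[int]:
    """Parse a size in MB; <= 0 means disabled."""
    mb = int(value.strip())
    return mb if mb > 0 else None


def resolve(limit, request):
    """A request exceeding the limit is ignored, and only the limit is used."""
    if limit is not None and request is not None and request > limit:
        request = None
    return limit, request


def effective_defaults(custom: dict) -> dict:
    """Merge customCheProperties over the defaults and apply the rules."""
    props = {**DEFAULTS, **custom}
    result = {}
    for scope, prefix in (("container", "CHE_WORKSPACE_DEFAULT__"),
                          ("sidecar", "CHE_WORKSPACE_SIDECAR_DEFAULT__")):
        memory = resolve(parse_mb(props[prefix + "MEMORY__LIMIT__MB"]),
                         parse_mb(props[prefix + "MEMORY__REQUEST__MB"]))
        cpu = resolve(parse_cores(props[prefix + "CPU__LIMIT__CORES"]),
                      parse_cores(props[prefix + "CPU__REQUEST__CORES"]))
        result[scope] = {"memory_mb": memory, "cpu_cores": cpu}
    return result


def unbounded(effective: dict) -> list:
    """Return the 'scope/resource' entries that have no limit at all."""
    return sorted(f"{scope}/{resource}"
                  for scope, values in effective.items()
                  for resource, (limit, _request) in values.items()
                  if limit is None)


if __name__ == "__main__":
    # Constructed sample overrides, as they would appear in customCheProperties.
    sample = {
        "CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB": "2048",
        "CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES": "500m",
        "CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES": "0.75",
        "CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB": "0",
    }
    for label, custom in (("defaults", {}), ("sample", sample)):
        eff = effective_defaults(custom)
        print(label, eff, "unbounded:", unbounded(eff))
```

With the shipped defaults, both CPU limits resolve to "disabled", so containers and sidecars without their own CPU settings run without a CPU cap unless a limit is set here or enforced by the cluster.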
Authentication parameters
CHE_AUTH_USER__SELF__CREATION
Che has a single identity implementation, so this does not change the user experience. If true, enables user creation at API level
- Default
-
false
CHE_OAUTH2_GITHUB_CLIENTID__FILEPATH
Configuration of GitHub OAuth2 client. Used to obtain Personal access tokens. Location of the file with GitHub client id.
- Default
-
NULL
CHE_OAUTH2_GITHUB_CLIENTSECRET__FILEPATH
Location of the file with GitHub client secret.
- Default
-
NULL
CHE_OAUTH_GITHUB_AUTHURI
GitHub OAuth authorization URI.
- Default
-
https://github.com/login/oauth/authorize
CHE_OAUTH_GITHUB_TOKENURI
GitHub OAuth token URI.
- Default
-
https://github.com/login/oauth/access_token
CHE_OAUTH_GITHUB_REDIRECTURIS
GitHub OAuth redirect URIs. Separate multiple values with comma, for example: URI,URI,URI
- Default
-
http://localhost:${CHE_PORT}/api/oauth/callback
CHE_OAUTH_OPENSHIFT_CLIENTID
Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client ID.
- Default
-
NULL
CHE_OAUTH_OPENSHIFT_CLIENTSECRET
Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth client secret.
- Default
-
NULL
CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT
Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth endpoint.
- Default
-
NULL
CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL
Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. OpenShift OAuth verification token URL.
- Default
-
NULL
CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH
Configuration of Bitbucket Server OAuth1 client. Used to obtain Personal access tokens. Location of the file with Bitbucket Server application consumer key (equivalent to a username).
- Default
-
NULL
CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH
Configuration of Bitbucket Server OAuth1 client. Used to obtain Personal access tokens. Location of the file with Bitbucket Server application private key.
- Default
-
NULL
CHE_OAUTH1_BITBUCKET_ENDPOINT
Configuration of Bitbucket Server OAuth1 client. Used to obtain Personal access tokens. Bitbucket Server URL. To work correctly with factories, the same URL has to be part of `che.integration.bitbucket.server_endpoints` too.
- Default
-
NULL
Internal
SCHEDULE_CORE__POOL__SIZE
Che extensions can be scheduled executions on a time basis. This configures the size of the thread pool allocated to extensions that are launched on a recurring schedule.
- Default
-
10
DB_SCHEMA_FLYWAY_BASELINE_ENABLED
DB initialization and migration configuration. If true, ignore scripts up to the version configured by baseline.version.
- Default
-
true
DB_SCHEMA_FLYWAY_BASELINE_VERSION
Scripts with version up to this are ignored. Note that scripts with version equal to baseline version are also ignored.
- Default
-
5.0.0.8.1
Kubernetes Infra parameters
CHE_INFRA_KUBERNETES_MASTER__URL
Configuration of Kubernetes client master URL that Infra will use.
- Default
-
empty
CHE_INFRA_KUBERNETES_TRUST__CERTS
Boolean to configure Kubernetes client to use trusted certificates.
- Default
-
false
CHE_INFRA_KUBERNETES_CLUSTER__DOMAIN
Kubernetes cluster domain. If not set, svc names will not contain information about the cluster domain.
- Default
-
NULL
CHE_INFRA_KUBERNETES_SERVER__STRATEGY
Defines how servers are exposed to the world in Kubernetes infra. List of strategies implemented in Che: `default-host`, `multi-host`, `single-host`.
- Default
-
multi-host
CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE
Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: `native`: Exposes servers using Kubernetes Ingresses. Works only on Kubernetes. `gateway`: Exposes servers using reverse-proxy gateway.
- Default
-
native
CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE
Defines how to expose devfile endpoints, as end-user’s applications, in the single-host server strategy. They can either follow the single-host strategy and be exposed on subpaths, or they can be exposed on subdomains. `multi-host`: expose on subdomains. `single-host`: expose on subpaths.
- Default
-
multi-host
CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS
Defines labels which will be set to ConfigMaps configuring single-host gateway.
- Default
-
app=che,component=che-gateway-config
CHE_INFRA_KUBERNETES_INGRESS_DOMAIN
Used to generate domain for a server in a workspace in case property `che.infra.kubernetes.server_strategy` is set to `multi-host`.
- Default
-
empty
CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED
Indicates whether Che server is allowed to create namespace for user workspaces, or they’re intended to be created manually by cluster administrator. This property is also used by the OpenShift infra.
- Default
-
true
CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT
Defines Kubernetes default namespace in which user’s workspaces are created if user does not override it. It’s possible to use `<username>` and `<userid>` placeholders (for example: `che-workspace-<username>`). In that case, new namespace will be created for each user. Used by OpenShift infra as well to specify a Project. The `<username>` or `<userid>` placeholder is mandatory.
- Default
-
<username>-che
CHE_INFRA_KUBERNETES_NAMESPACE_LABEL
Defines whether che-server should try to label the workspace namespaces.
- Default
-
true
CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATE
Defines whether che-server should try to annotate the workspace namespaces.
- Default
-
true
CHE_INFRA_KUBERNETES_NAMESPACE_LABELS
List of labels to find namespaces that are used for Che Workspaces. They are used to find prepared namespaces for users in combination with `che.infra.kubernetes.namespace.annotations`, and to actively label namespaces with any workspace.
- Default
-
app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace
CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS
List of annotations to find namespaces prepared for Che users workspaces. Only namespaces matching the `che.infra.kubernetes.namespace.labels` will be matched against these annotations. A namespace that matches both `che.infra.kubernetes.namespace.labels` and `che.infra.kubernetes.namespace.annotations` will be preferentially used for user’s workspaces. It’s possible to use the `<username>` placeholder to assign the namespace to a concrete user. They are used to find prepared namespaces for users in combination with `che.infra.kubernetes.namespace.labels`, and to actively annotate namespaces with any workspace.
- Default
-
che.eclipse.org/username=<username>
CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
Defines Kubernetes Service Account name which should be specified to be bound to all workspaces Pods. Note that Kubernetes Infrastructure will not create the service account and it should exist. OpenShift infrastructure will check if project is predefined (if `che.infra.openshift.project` is not empty): if it is predefined, then the service account must exist there; if it is 'NULL' or empty string, then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there.
- Default
-
NULL
CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES
Specifies optional, additional cluster roles to use with the workspace service account. Note that the cluster role names must already exist, and the Che service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates `che.infra.kubernetes.cluster_role_name`.
- Default
-
NULL
CHE_INFRA_KUBERNETES_USER__CLUSTER__ROLES
Cluster roles to assign to user in his namespace
- Default
-
NULL
CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN
Defines wait time that limits the Kubernetes workspace start time.
- Default
-
8
CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN
Defines the timeout in minutes that limits the period for which Kubernetes Ingress become ready
- Default
-
5
CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS
If during workspace startup an unrecoverable event defined in the property occurs, stop the workspace immediately rather than waiting until timeout. Note that this SHOULD NOT include a mere "Failed" reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by Che server.
- Default
-
FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate,ReplicaSetCreateError
CHE_INFRA_KUBERNETES_PVC_ENABLED
Defines whether use the Persistent Volume Claim for Che workspace needs, for example: backup projects, logs, or disable it.
- Default
-
true
CHE_INFRA_KUBERNETES_PVC_STRATEGY
Defines which strategy will be used while choosing PVC for workspaces. Supported strategies: `common`: All workspaces in the same namespace will reuse the same PVC. Name of PVC may be configured with `che.infra.kubernetes.pvc.name`. Existing PVC will be used or a new one will be created if it does not exist. `unique`: Separate PVC for each workspace’s volume will be used. Name of PVC is evaluated as `'{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'`. Existing PVC will be used or a new one will be created if it does not exist. `per-workspace`: Separate PVC for each workspace will be used. Name of PVC is evaluated as `'{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'`. Existing PVC will be used or a new one will be created if it doesn’t exist.
- Default
-
common
CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS
Defines whether to run a job that creates workspace’s subpath directories in persistent volume for the `common` strategy before launching a workspace. Necessary in some versions of Kubernetes as workspace subpath volume mounts are created with root permissions, and therefore cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in Che). The default is `true`, but should be set to `false` if the version of Kubernetes creates subdirectories with user permissions. See: subPath in volumeMount is not writable for non-root users #41638. Note that this property has effect only if the `common` PVC strategy is used.
- Default
-
true
CHE_INFRA_KUBERNETES_PVC_NAME
Defines the settings of PVC name for Che workspaces. Each PVC strategy supplies this value differently. See documentation for the `che.infra.kubernetes.pvc.strategy` property.
- Default
-
claim-che-workspace
CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME
Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means "use default".
- Default
-
empty
CHE_INFRA_KUBERNETES_PVC_QUANTITY
Defines the size of Persistent Volume Claim of Che workspace. See: Understanding persistent storage
- Default
-
10Gi
CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE
Pod that is launched when performing persistent volume claim maintenance jobs on OpenShift
- Default
-
registry.access.redhat.com/ubi8-minimal:8.3-230
CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY
Image pull policy of container that used for the maintenance jobs on Kubernetes cluster
- Default
-
IfNotPresent
CHE_INFRA_KUBERNETES_PVC_JOBS_MEMORYLIMIT
Defines Pod memory limit for persistent volume claim maintenance jobs
- Default
-
250Mi
CHE_INFRA_KUBERNETES_PVC_ACCESS__MODE
Defines Persistent Volume Claim access mode. Note that for common PVC strategy changing of access mode affects the number of simultaneously running workspaces. If the OpenShift instance running Che is using Persistent Volumes with RWX access mode, then a limit of running workspaces at the same time is bounded only by Che limits configuration: RAM, CPU, and so on. See: Understanding persistent storage
- Default
-
ReadWriteOnce
CHE_INFRA_KUBERNETES_PVC_WAIT__BOUND
Defines if Che Server should wait for workspaces Persistent Volume Claims to become bound after creating. Default value is `true`. The parameter is used by all Persistent Volume Claim strategies. It should be set to `false` when `volumeBindingMode` is configured to `WaitForFirstConsumer`; otherwise workspace starts will hang in the phase of waiting for PVCs.
- Default
-
true
CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON
Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes rather than Ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers do not need to support changing the app root). The `che.infra.kubernetes.ingress.path.rewrite_transform` property defines how the path of the ingress should be transformed to support the URL rewriting, and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example, for Nginx ingress controller 0.22.0 and later the following value is recommended: {"ingress.kubernetes.io/rewrite-target": "/$1","ingress.kubernetes.io/ssl-redirect": "false",\ "ingress.kubernetes.io/proxy-connect-timeout": "3600","ingress.kubernetes.io/proxy-read-timeout": "3600", "nginx.org/websocket-services": "<service-name>"} and the `che.infra.kubernetes.ingress.path.rewrite_transform` should be set to `"%s(.*)"`. For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely `/` and the path transform to `%s` (see the `che.infra.kubernetes.ingress.path.rewrite_transform` property). See the Nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression available in the ingress path and how it achieves the URL rewriting.
- Default
-
NULL
CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM
Defines a recipe on how to declare the path of the ingress that should expose a server. The `%s` represents the base public URL of the server and is guaranteed to end with a forward slash. This property must be a valid input to the `String.format()` method and contain exactly one reference to `%s`. See the description of the `che.infra.kubernetes.ingress.annotations_json` property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to `%s` (without the quotes), which means that the path is not transformed in any way for use with the ingress controller.
- Default
-
NULL
CHE_INFRA_KUBERNETES_INGRESS_LABELS
Additional labels to add into every Ingress created by Che server to allow clear identification.
- Default
-
NULL
CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER
Defines security context for Pods that will be created by Kubernetes Infra. This is ignored by OpenShift infra.
- Default
-
NULL
CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP
Defines security context for Pods that will be created by Kubernetes Infra. A special supplemental group that applies to all containers in a Pod. This is ignored by OpenShift infra.
- Default
-
NULL
CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC
Defines grace termination period for Pods that will be created by Kubernetes infrastructures. Default value: `0`. It allows Pods to be stopped quickly and significantly decreases the time required for stopping a workspace. Note: if `terminationGracePeriodSeconds` has been explicitly set in Kubernetes recipe, it will not be overridden.
- Default
-
0
CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX
Number of maximum concurrent asynchronous web requests (HTTP requests or ongoing WebSocket calls) supported in the underlying shared HTTP client of the `KubernetesClient` instances. Default values: `max=64`, and `max_per_host:5`. Default values are not suitable for multi-user scenarios, as Che keeps open connections, for example for command or ws-agent logs.
- Default
-
1000
CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST
Number of maximum concurrent asynchronous web requests per host.
- Default
-
1000
CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE
Max number of idle connections in the connection pool of the Kubernetes-client shared HTTP client.
- Default
-
5
CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN
Keep-alive timeout of the connection pool of the Kubernetes-client shared HTTP client in minutes.
- Default
-
5
CHE_INFRA_KUBERNETES_TLS__ENABLED
Creates Ingresses with Transport Layer Security (TLS) enabled. In OpenShift infrastructure, Routes will be TLS-enabled.
- Default
-
false
CHE_INFRA_KUBERNETES_TLS__SECRET
Name of a secret that should be used when creating workspace ingresses with TLS. This property is ignored by OpenShift infrastructure.
- Default
-
empty
CHE_INFRA_KUBERNETES_TLS__KEY
Data for TLS Secret that should be used for workspaces Ingresses. `cert` and `key` should be encoded with Base64 algorithm. These properties are ignored by OpenShift infrastructure.
- Default
-
NULL
CHE_INFRA_KUBERNETES_TLS__CERT
Certificate data for TLS Secret that should be used for workspaces Ingresses. Certificate should be encoded with Base64 algorithm. This property is ignored by OpenShift infrastructure.
- Default
-
NULL
CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN
Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or `-1`, where `-1` means that checks won’t be performed at all. It is disabled by default because there is possible Che Server configuration when Che Server doesn’t have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where Che Server is located; - `cluster-admin` service account token is mounted to Che Server Pod. It DOES NOT work on the following configurations: - Che Server communicates with Kubernetes API using token from OAuth provider.
- Default
-
-1
CHE_INFRA_KUBERNETES_TRUSTED__CA_SRC__CONFIGMAP
Name of the ConfigMap in Che server namespace with additional CA TLS certificates to be propagated into all user’s workspaces. If the property is set on OpenShift 4 infrastructure, and `che.infra.openshift.trusted_ca.dest_configmap_labels` includes the `config.openshift.io/inject-trusted-cabundle=true` label, then cluster CA bundle will be propagated too.
- Default
-
NULL
CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP
Name of the ConfigMap in a workspace namespace with additional CA TLS certificates. Holds the copy of `che.infra.kubernetes.trusted_ca.src_configmap` but in a workspace namespace. Content of this ConfigMap is mounted into all workspace containers including plugin brokers. Do not change the ConfigMap name unless it conflicts with the already existing ConfigMap. Note that the resulting ConfigMap name can be adjusted eventually to make it unique in namespace. The original name would be stored in `che.original_name` label.
- Default
-
ca-certs
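How the path transform recipe and the `rewrite-target` annotation described above must be paired is easiest to see on a concrete request path. The following is an added example, not code from Che or from the ingress controller: a simplified model of the path match and rewrite, useful for checking a pair of values before applying them in single-host mode. The function names, the `legacy` flag (controller older than 0.22.0) and the base path `/workspace1/server-8080/` are constructed for illustration.

```python
"""Simplified model of the ingress path transform and rewrite-target pairing."""
import re
from typing import Optional


def ingress_path(transform: str, base_path: str) -> str:
    """Build the ingress path; the recipe must contain exactly one %s."""
    leftover = transform.replace("%s", "")
    if transform.count("%s") != 1 or "%" in leftover:
        raise ValueError("transform must contain exactly one %s reference")
    if not base_path.endswith("/"):
        raise ValueError("base path is expected to end with a forward slash")
    return transform.replace("%s", base_path)


def rewrite(path: str, rewrite_target: str, request_path: str,
            legacy: bool = False) -> Optional[str]:
    """Return the path the backend server sees, or None if the rule does not match."""
    if legacy:
        # Older controllers: the matched prefix is replaced by the target.
        if not request_path.startswith(path):
            return None
        rest = request_path[len(path):]
        return rewrite_target.rstrip("/") + "/" + rest.lstrip("/")
    # 0.22.0 and later: the path is a regular expression, and $N in the
    # target refers to its capture groups (a missing group expands to "").
    match = re.match(path, request_path)
    if match is None:
        return None

    def expand(ref):
        index = int(ref.group(1))
        return (match.group(index) or "") if index <= match.re.groups else ""

    return re.sub(r"\$(\d+)", expand, rewrite_target)


def preserves_subpath(transform: str, rewrite_target: str,
                      legacy: bool = False) -> bool:
    """Check that a request below the server base reaches the same subpath."""
    base = "/workspace1/server-8080/"          # constructed sample base path
    path = ingress_path(transform, base)
    return rewrite(path, rewrite_target, base + "api/status", legacy) == "/api/status"


if __name__ == "__main__":
    for transform, target, legacy in (
        ("%s(.*)", "/$1", False),   # pairing recommended for 0.22.0 and later
        ("%s", "/", True),          # pairing for older controllers
        ("%s", "/$1", False),       # mismatch: no capture group for $1
        ("%s(.*)", "/", False),     # mismatch: capture group never used
    ):
        print(transform, target, "legacy" if legacy else "regex",
              "ok" if preserves_subpath(transform, target, legacy) else "BROKEN")
```

In this model both mismatched pairs rewrite every request under the server base to `/`, so requests for any subpath all reach the server root.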
OpenShift Infra parameters
CHE_INFRA_OPENSHIFT_TRUSTED__CA_DEST__CONFIGMAP__LABELS
Comma separated list of labels to add to the CA certificates ConfigMap in user workspace. See the `che.infra.kubernetes.trusted_ca.dest_configmap` property. This default value is used for automatic cluster CA bundle injection in OpenShift 4.
- Default
-
config.openshift.io/inject-trusted-cabundle=true
CHE_INFRA_OPENSHIFT_ROUTE_LABELS
Additional labels to add into every Route created by Che server to allow clear identification.
- Default
-
NULL
Experimental properties
CHE_WORKSPACE_PLUGIN__BROKER_METADATA_IMAGE
Docker image of Che plugin broker app that resolves workspace tools configuration and copies plugins dependencies to a workspace. The Che Operator overrides these images by default. Changing the images here will not have an effect if Che is installed using the Operator.
- Default
-
quay.io/eclipse/che-plugin-metadata-broker:v3.4.0
CHE_WORKSPACE_PLUGIN__BROKER_ARTIFACTS_IMAGE
Docker image of Che plugin artifacts broker. This broker runs as an init container on the workspace Pod. Its job is to take in a list of plugin identifiers (either references to a plugin in the registry or a link to a plugin meta.yaml) and ensure that the correct .vsix and .theia extensions are downloaded into the /plugins directory, for each plugin requested for the workspace.
- Default
-
quay.io/eclipse/che-plugin-artifacts-broker:v3.4.0
CHE_WORKSPACE_PLUGIN__BROKER_DEFAULT__MERGE__PLUGINS
Configures the default behavior of the plugin brokers when provisioning plugins into a workspace. If set to true, the plugin brokers will attempt to merge plugins when possible: they run in the same sidecar image and do not have conflicting settings. This value is the default setting used when the devfile does not specify the `mergePlugins` attribute.
- Default
-
false
CHE_WORKSPACE_PLUGIN__BROKER_PULL__POLICY
Docker image of Che plugin broker app that resolves workspace tools configuration and copies plugins dependencies to a workspace
- Default
-
Always
CHE_WORKSPACE_PLUGIN__BROKER_WAIT__TIMEOUT__MIN
Defines the timeout, in minutes, that limits how long to wait for the plugin broker result.
- Default
-
3
CHE_WORKSPACE_PLUGIN__REGISTRY__URL
Workspace plug-ins registry endpoint. Should be a valid HTTP URL. Example: http://che-plugin-registry-eclipse-che.192.168.65.2.nip.io If the Che plug-ins registry is not needed, the value 'NULL' should be used.
- Default
-
https://che-plugin-registry.prod-preview.openshift.io/v3
CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL
Workspace plugins registry internal endpoint. Should be a valid HTTP URL. Example: http://devfile-registry.che.svc.cluster.local:8080 If the Che plug-ins registry is not needed, the value 'NULL' should be used.
- Default
-
NULL
CHE_WORKSPACE_DEVFILE__REGISTRY__URL
Devfile Registry endpoint. Should be a valid HTTP URL. Example: http://che-devfile-registry-eclipse-che.192.168.65.2.nip.io If the Che plug-ins registry is not needed, the value 'NULL' should be used.
- Default
-
https://che-devfile-registry.prod-preview.openshift.io/
CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL
Devfile Registry "internal" endpoint. Should be a valid HTTP URL. Example: http://plugin-registry.che.svc.cluster.local:8080 If the Che plug-ins registry is not needed, the value 'NULL' should be used.
- Default
-
NULL
CHE_WORKSPACE_STORAGE_AVAILABLE__TYPES
The configuration property that defines available values for storage types that clients such as the Dashboard should propose to users during workspace creation and update. Available values:
- persistent: Persistent Storage, slow I/O but persistent.
- ephemeral: Ephemeral Storage allows for faster I/O but may have limited storage and is not persistent.
- async: Experimental feature: Asynchronous storage is a combination of Ephemeral and Persistent storage. Allows for faster I/O and keeps your changes; it backs up on workspace stop and restores on workspace start. Works only if:
  - che.infra.kubernetes.pvc.strategy='common'
  - che.limits.user.workspaces.run.count=1
  - che.infra.kubernetes.namespace.default contains <username>
  In other cases, remove async from the list.
- Default
-
persistent,ephemeral,async
CHE_WORKSPACE_STORAGE_PREFERRED__TYPE
The configuration property that defines a default value for storage type that clients such as the Dashboard should propose to users during workspace creation and update. The async value is an experimental feature, not recommended as default type.
- Default
-
persistent
CHE_SERVER_SECURE__EXPOSER
Configures in which way secure servers will be protected with authentication. Suitable values:
- default: jwtproxy is configured in a pass-through mode. Servers should authenticate requests themselves.
- jwtproxy: jwtproxy will authenticate requests. Servers will receive only authenticated requests.
- Default
-
jwtproxy
CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_ISSUER
Jwtproxy issuer string, token lifetime, and optional auth page path to route unsigned requests to.
- Default
-
wsmaster
CHE_SERVER_SECURE__EXPOSER_JWTPROXY_AUTH_LOADER_PATH
Optional authentication page path to route unsigned requests to.
- Default
-
/_app/loader.html
Configuration of the major WebSocket endpoint
CHE_CORE_JSONRPC_PROCESSOR__MAX__POOL__SIZE
Maximum size of the JSON RPC processing pool. If the pool size is exceeded, message execution is rejected.
- Default
-
50
CHE_CORE_JSONRPC_PROCESSOR__CORE__POOL__SIZE
Initial JSON processing pool. Minimum number of threads used to process major JSON RPC messages.
- Default
-
5
CORS settings
Factory defaults
CHE_FACTORY_DEFAULT__PLUGINS
Editor and plugin which will be used for factories that are created from a remote Git repository which does not contain any Che-specific workspace descriptor. Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion
- Default
-
redhat/vscode-commons/latest
Devfile defaults
CHE_FACTORY_DEFAULT__EDITOR
Editor that will be used for factories that are created from a remote Git repository which does not contain any Che-specific workspace descriptor.
- Default
-
eclipse/che-theia/latest
CHE_FACTORY_SCM__FILE__FETCHER__LIMIT__BYTES
File size limit for the URL fetcher which fetches files from the SCM repository.
- Default
-
102400
CHE_FACTORY_DEVFILE2__FILES__RESOLUTION__LIST
Additional files which may be present in repository to complement devfile v2, and should be referenced as links to SCM resolver service in factory to retrieve them.
- Default
-
.che/che-editor.yaml,.che/che-theia-plugins.yaml,.vscode/extensions.json
CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR
Default Editor that should be provisioned into the Devfile if no Editor is specified. Format is an editorPublisher/editorName/editorVersion value. NULL or absence of a value means that the default editor should not be provisioned.
- Default
-
eclipse/che-theia/latest
CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR_PLUGINS
Default Plug-ins which should be provisioned for Default Editor. All the plugins from this list that are not explicitly mentioned in the user-defined devfile will be provisioned but only when the default editor is used or if the user-defined editor is the same as the default one (even if in different version). Format is comma-separated pluginPublisher/pluginName/pluginVersion values, and URLs. For example: eclipse/che-theia-exec-plugin/0.0.1,eclipse/che-theia-terminal-plugin/0.0.1,https://cdn.pluginregistry.com/vi-mode/meta.yaml If the plugin is a URL, the plugin’s meta.yaml is retrieved from that URL.
- Default
-
NULL
CHE_WORKSPACE_PROVISION_SECRET_LABELS
Defines a comma-separated list of labels for selecting secrets from a user namespace, which will be mounted into workspace containers as files or environment variables. Only secrets that match ALL given labels will be selected.
- Default
-
app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspace-secret
CHE_WORKSPACE_DEVFILE_ASYNC_STORAGE_PLUGIN
Plugin that is added when the asynchronous storage feature is enabled in the workspace configuration and supported by the environment.
- Default
-
eclipse/che-async-pv-plugin/latest
CHE_INFRA_KUBERNETES_ASYNC_STORAGE_IMAGE
Docker image for the Che asynchronous storage
- Default
-
quay.io/eclipse/che-workspace-data-sync-storage:0.0.1
CHE_WORKSPACE_POD_NODE__SELECTOR
Optionally configures node selector for workspace Pod. Format is comma-separated key=value pairs, for example: disktype=ssd,cpu=xlarge,foo=bar
- Default
-
NULL
CHE_WORKSPACE_POD_TOLERATIONS__JSON
Optionally configures tolerations for workspace Pod. Format is a string representing a JSON Array of taint tolerations, or NULL to disable it. The objects contained in the array have to follow the toleration v1 core specifications. Example: [{"effect":"NoExecute","key":"aNodeTaint","operator":"Equal","value":"aValue"}]
- Default
-
NULL
CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__TIMEOUT__MIN
The timeout for the Asynchronous Storage Pod shutdown after stopping the last used workspace. A value less than or equal to 0 disables the shutdown ability.
- Default
-
120
CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__CHECK__PERIOD__MIN
Defines the period at which the check for stopping the Asynchronous Storage Pod is performed (once every 30 minutes by default).
- Default
-
30
CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS
Bitbucket endpoints used for factory integrations. Comma-separated list of Bitbucket server URLs, or NULL if no integration is expected.
- Default
-
NULL
CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS
GitLab endpoints used for factory integrations. Comma-separated list of GitLab server URLs, or NULL if no integration is expected.
- Default
-
NULL
CHE_INTEGRATION_GITLAB_OAUTH__ENDPOINT
Address of the GitLab server with configured OAuth 2 integration
- Default
-
NULL
Che system
CHE_SYSTEM_SUPER__PRIVILEGED__MODE
System Super Privileged Mode. Grants users with the manageSystem permission additional permissions for getByKey, getByNameSpace, stopWorkspaces, and getResourcesInformation. These are not given to admins by default. These permissions allow admins to gain visibility into any workspace and to assign themselves administrator privileges on those workspaces.
- Default
-
false
Workspace limits
CHE_LIMITS_WORKSPACE_ENV_RAM
Workspaces are the fundamental runtime for users when doing development. You can set parameters that limit how workspaces are created and the resources that are consumed. The maximum amount of RAM that a user can allocate to a workspace when they create a new workspace. The RAM slider is adjusted to this maximum value.
- Default
-
16gb
CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT
The length of time, in milliseconds, that a user can be idle with their workspace before the system suspends the workspace and then stops it. Idleness is the length of time that the user has not interacted with the workspace, meaning that one of the agents has not received interaction. Leaving a browser window open counts toward idleness.
- Default
-
1800000
CHE_LIMITS_WORKSPACE_RUN_TIMEOUT
The length of time in milliseconds that a workspace will run, regardless of activity, before the system will suspend it. Set this property if you want to automatically stop workspaces after a period of time. The default is zero, meaning that there is no run timeout.
- Default
-
0
Users workspace limits
CHE_LIMITS_USER_WORKSPACES_RAM
The total amount of RAM that a single user is allowed to allocate to running workspaces. A user can allocate this RAM to a single workspace or spread it across multiple workspaces.
- Default
-
-1
CHE_LIMITS_USER_WORKSPACES_COUNT
The maximum number of workspaces that a user is allowed to create. The user will be presented with an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.
- Default
-
-1
CHE_LIMITS_USER_WORKSPACES_RUN_COUNT
The maximum number of running workspaces that a single user is allowed to have. If the user has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The user will need to stop a running workspace to activate another.
- Default
-
1
Organizations workspace limits
CHE_LIMITS_ORGANIZATION_WORKSPACES_RAM
The total amount of RAM that a single organization (team) is allowed to allocate to running workspaces. An organization owner can allocate this RAM however they see fit across the team’s workspaces.
- Default
-
-1
CHE_LIMITS_ORGANIZATION_WORKSPACES_COUNT
The maximum number of workspaces that an organization is allowed to own. The organization will be presented with an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.
- Default
-
-1
CHE_LIMITS_ORGANIZATION_WORKSPACES_RUN_COUNT
The maximum number of running workspaces that a single organization is allowed. If the organization has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The organization will need to stop a running workspace to activate another.
- Default
-
-1
Multi-user-specific OpenShift infrastructure configuration
CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER
Alias of the OpenShift identity provider registered in Keycloak, that should be used to create workspace OpenShift resources in OpenShift namespaces owned by the current Che user. Should be set to NULL if che.infra.openshift.project is set to a non-empty value. See: OpenShift identity provider
- Default
-
NULL
OIDC configuration
CHE_OIDC_AUTH__SERVER__URL
URL of the OIDC identity provider server. Can be set to NULL only if che.oidc.oidcProvider is used.
- Default
-
http://${CHE_HOST}:5050/auth
CHE_OIDC_AUTH__INTERNAL__SERVER__URL
Internal network service URL of the OIDC identity provider server.
- Default
-
NULL
CHE_OIDC_ALLOWED__CLOCK__SKEW__SEC
The number of seconds to tolerate for clock skew when verifying exp or nbf claims.
- Default
-
3
CHE_OIDC_USERNAME__CLAIM
Username claim to be used as the user display name when parsing the JWT token. If not defined, the fallback value is 'preferred_username' in Keycloak installations and name in Dex installations.
- Default
-
NULL
CHE_OIDC_OIDC__PROVIDER
Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification: Obtaining OpenID Provider Configuration Information. Deprecated, use che.oidc.auth_server_url and che.oidc.auth_internal_server_url instead.
- Default
-
NULL
Keycloak configuration
CHE_KEYCLOAK_REALM
Keycloak realm used to authenticate users. Can be set to NULL only if che.keycloak.oidcProvider is used.
- Default
-
che
CHE_KEYCLOAK_CLIENT__ID
Keycloak client identifier in che.keycloak.realm to authenticate users in the dashboard, the IDE, and the CLI.
- Default
-
che-public
CHE_KEYCLOAK_JS__ADAPTER__URL
URL to the Keycloak Javascript adapter to use. If set to NULL, then the default value used is ${che.keycloak.auth_server_url}/js/keycloak.js, or <che-server>/api/keycloak/OIDCKeycloak.js if an alternate oidc_provider is used.
- Default
-
NULL
CHE_KEYCLOAK_USE__FIXED__REDIRECT__URLS
Set to true when using an alternate OIDC provider that only supports fixed redirect URLs. This property is ignored when che.keycloak.oidc_provider is NULL.
- Default
-
false
CHE_OAUTH_SERVICE__MODE
Configuration of the OAuth Authentication Service, which can be used in "embedded" or "delegated" mode. If set to "embedded", then the service works as a wrapper to Che’s OAuthAuthenticator (as in Single User mode). If set to "delegated", then the service will use the Keycloak IdentityProvider mechanism. A Runtime Exception will be thrown if this property is not set properly.
- Default
-
delegated
CHE_KEYCLOAK_CASCADE__USER__REMOVAL__ENABLED
Enables removing a user from the Keycloak server when the user is removed from the Che database. Disabled by default. Can be enabled in some special cases when deleting a user in the Che database should also remove the related user from Keycloak. For this to work correctly, the administrator username ${che.keycloak.admin_username} and password ${che.keycloak.admin_password} must be set.
- Default
-
false
CHE_KEYCLOAK_ADMIN__USERNAME
Keycloak administrator username. Will be used for deleting a user from Keycloak when the user is removed from the Che database. Makes sense only when ${che.keycloak.cascade_user_removal_enabled} is set to 'true'.
- Default
-
NULL
CHE_KEYCLOAK_ADMIN__PASSWORD
Keycloak administrator password. Will be used for deleting a user from Keycloak when the user is removed from the Che database. Makes sense only when ${che.keycloak.cascade_user_removal_enabled} is set to 'true'.
- Default
-
NULL
CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS
User name adjustment configuration. Che needs to use the usernames as part of Kubernetes object names and labels and therefore has stricter requirements on their format than the identity providers usually allow (it needs them to be DNS-compliant). The adjustment is represented by comma-separated key-value pairs. These are sequentially used as arguments to the String.replaceAll function on the original username. The keys are regular expressions, values are replacement strings that replace the characters in the username that match the regular expression. The modified username will only be stored in the Che database and will not be advertised back to the identity provider. It is recommended to use DNS-compliant characters as replacement strings (values in the key-value pairs). Example: \\=-,@=-at- changes \ to - and @ to -at- so the username org\user@com becomes org-user-at-com.
- Default
-
NULL
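A value for CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS can be checked against sample usernames before it is deployed. The following is an added example, not code from Che: it approximates the sequential String.replaceAll calls in Python and reports adjusted names that are not DNS labels, as well as distinct usernames that end up with the same adjusted name. The pair-splitting rule, the RFC 1123 label check, and every username other than org\user@com are assumptions made for illustration.

```python
import re

# RFC 1123 DNS label (assumed here to be the meaning of "DNS-compliant").
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")

def parse_patterns(spec):
    """Split 'regex=replacement,regex=replacement' into ordered pairs.

    Assumption: pairs are split on ',' and each pair on its first '='.
    """
    pairs = []
    for item in spec.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed pair: {item!r}")
        re.compile(key)  # fail early on an invalid regular expression
        pairs.append((key, value))
    return pairs

def adjust(username, pairs):
    """Apply each pair in order, as sequential replaceAll calls would."""
    for pattern, replacement in pairs:
        # The replacement is treated literally; Java group references
        # such as $1 are not modelled in this approximation.
        username = re.sub(pattern, lambda _m, r=replacement: r, username)
    return username

def audit(spec, usernames):
    """Return (adjusted names, usernames whose result is invalid, collisions)."""
    pairs = parse_patterns(spec)
    adjusted = {u: adjust(u, pairs) for u in usernames}
    invalid = sorted(u for u, a in adjusted.items() if not DNS_LABEL.fullmatch(a))
    seen = {}
    for user, name in adjusted.items():
        seen.setdefault(name, []).append(user)
    collisions = {n: sorted(us) for n, us in seen.items() if len(us) > 1}
    return adjusted, invalid, collisions

# The page's example value and username, plus constructed sample usernames.
PAGE_SPEC = r"\\=-,@=-at-"
SAMPLE_USERS = [r"org\user@com", "org-user@com", "Alice@corp", "bob"]

if __name__ == "__main__":
    adjusted, invalid, collisions = audit(PAGE_SPEC, SAMPLE_USERS)
    for user, name in adjusted.items():
        print(f"{user!r:18} -> {name}")
    print("not DNS-compliant:", invalid)
    print("collisions:", collisions)
```

With the page's example value, the constructed username Alice@corp still fails the label check because of its uppercase letter, and org-user@com maps to the same adjusted name as org\user@com.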