Advanced configuration options for the Che server component

The following section describes advanced deployment and configuration methods for the Che server component.

Understanding Che server advanced configuration using the Operator

The following section describes the Che server component advanced configuration method for a deployment using the Operator.

Advanced configuration is necessary to:

  • Add environment variables not automatically generated by the Operator from the standard CheCluster Custom Resource fields.

  • Override the properties automatically generated by the Operator from the standard CheCluster Custom Resource fields.

The customCheProperties field, part of the CheCluster Custom Resource server settings, contains a map of additional environment variables to apply to the Che server component.

Example 1. Override the default memory limit for workspaces
  • Add the CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB property to customCheProperties:

apiVersion: org.eclipse.che/v1
kind: CheCluster
# [...]
spec:
  server:
    # [...]
    customCheProperties:
      CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB: "2048"
# [...]

Previous versions of the Che Operator had a configMap named custom to fulfill this role. If the Che Operator finds a configMap with the name custom, it adds the data it contains into the customCheProperties field, redeploys Che, and deletes the custom configMap.

Additional resources

Understanding Che server advanced configuration not using the Operator

The following section describes Che server component advanced configuration method when the installation method is not using the Operator.

The user configures Che manually by modifying the configMap object.

Procedure
  1. Proceed to the installation to generate the che configMap object.

  2. Edit the che configMap template.

  3. Apply manual changes to the custom configMap without downtime using the following `kubectl ` command:

    $ kubectl rollout restart deployment/che
Additional resources

Che server component system properties reference

The following document describes all possible configuration properties of the Che server component.

Che server

Table 1. Che server
Environment Variable Name Default value Description

CHE_DATABASE

${che.home}/storage

Folder where Che stores internal data objects.

CHE_API

http://${CHE_HOST}:${CHE_PORT}/api

API service. Browsers initiate REST communications to Che server with this URL.

CHE_API_INTERNAL

http://${CHE_HOST}:${CHE_PORT}/api

API service internal network url. Back-end services should initiate REST communications to Che server with this URL

CHE_WEBSOCKET_ENDPOINT

ws://${CHE_HOST}:${CHE_PORT}/api/websocket

Che websocket major endpoint. Provides basic communication endpoint for major websocket interactions and messaging.

CHE_WORKSPACE_PROJECTS_STORAGE

/projects

Your projects are synchronized from the Che server into the machine running each workspace. This is the directory in the machine where your projects are placed.

CHE_WORKSPACE_PROJECTS_STORAGE_DEFAULT_SIZE

1Gi

Used when Kubernetes or OpenShift-type components in a devfile request project PVC creation (Applied in case of 'unique' and 'per workspace' PVC strategy. In case of the 'common' PVC strategy, it is rewritten with the value of the che.infra.kubernetes.pvc.quantity property.)

CHE_WORKSPACE_LOGS_ROOT__DIR

/workspace_logs

Defines the directory inside the machine where all the workspace logs are placed. Provide this value into the machine, for example, as an environment variable. This is to ensure that agent developers can use this directory to back up agent logs.

CHE_WORKSPACE_HTTP__PROXY

Configures proxies used by runtimes powering workspaces.

CHE_WORKSPACE_HTTPS__PROXY

Configuresproxies used by runtimes powering workspaces.

CHE_WORKSPACE_NO__PROXY

Configuresproxiesused by runtimes powering workspaces.

CHE_WORKSPACE_AUTO__START

true

By default, when users access a workspace with its URL, the workspace automatically starts (if currently stopped). Set this to false to disable this behavior.

CHE_WORKSPACE_POOL_TYPE

fixed

Workspace threads pool configuration. This pool is used for workspace-related operations that require asynchronous execution, for example, starting and stopping. Possible values are fixed and cached.

CHE_WORKSPACE_POOL_EXACT__SIZE

30

This property is ignored when pool type is different from fixed. It configures the exact size of the pool. When set, the multiplier property is ignored. If this property is not set (0, <0, NULL), then the pool size equals the number of cores. See also che.workspace.pool.cores_multiplier.

CHE_WORKSPACE_POOL_CORES__MULTIPLIER

2

This property is ignored when pool type is not set to fixed, che.workspace.pool.exact_size is set. When set, the pool size is N_CORES * multiplier.

CHE_WORKSPACE_PROBE__POOL__SIZE

10

This property specifies how many threads to use for workspace server liveness probes.

CHE_WORKSPACE_HTTP__PROXY__JAVA__OPTIONS

NULL

HTTP proxy setting for workspace JVM.

CHE_WORKSPACE_JAVA__OPTIONS

-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom

Java command-line options added to JVMs running in workspaces.

CHE_WORKSPACE_MAVEN__OPTIONS

-XX:MaxRAM=150m-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom

Maven command-line options added to JVMs running agents in workspaces.

CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB

1024

RAM limit default for each machine that has no RAM settings in its environment. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB

200

RAM request for each container that has no explicit RAM settings in its environment. This amount is allocated when the workspace container is created. This property may not be supported by all infrastructure implementations. Currently it is supported by Kubernetes and OpenShift. A memory request exceeding the memory limit is ignored, and only the limit size is used. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__CPU__LIMIT__CORES

-1

CPU limit for each container that has no CPU settings in its environment. Specify either in floating point cores number, for example, 0.125, or using the Kubernetes format, integer millicores, for example, 125m. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_DEFAULT__CPU__REQUEST__CORES

-1

CPU request for each container that has no CPU settings in environment. A CPU request exceeding the CPU limit is ignored, and only limit number is used. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__LIMIT__MB

128

RAM limit and request for each sidecar that has no RAM settings in the Che plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__MEMORY__REQUEST__MB

64

RAMlimit and request for each sidecar that has no RAM settings in the Che plug-in configuration. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__LIMIT__CORES

-1

CPU limit and request default for each sidecar that has no CPU settings in the Che plug-in configuration. Specify either in floating point cores number, for example, 0.125, or using the Kubernetes format, integer millicores, for example, 125m. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_DEFAULT__CPU__REQUEST__CORES

-1

CPUlimit and request default for each sidecar that has no CPU settings in the Che plug-in configuration. Specify either in floating point cores number, for example, 0.125, or using the Kubernetes format, integer millicores, for example, 125m. Value less or equal to 0 is interpreted as disabling the limit.

CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY

Always

Defines image-pulling strategy for sidecars. Possible values are: Always, Never, IfNotPresent. For any other value, Always is assumed for images with the :latest tag, or IfNotPresent for all other cases.

CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__PERIOD__S

60

Period of inactive workspaces suspend job execution.

CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__PERIOD__S

3600

The period of the cleanup of the activity table. The activity table can contain invalid or stale data if some unforeseen errors happen, like a server crash at a peculiar point in time. The default is to run the cleanup job every hour.

CHE_WORKSPACE_ACTIVITY__CLEANUP__SCHEDULER__INITIAL__DELAY__S

60

The delay after server startup to start the first activity clean up job.

CHE_WORKSPACE_ACTIVITY__CHECK__SCHEDULER__DELAY__S

180

Delay before first workspace idleness check job started to avoid mass suspend if ws master was unavailable for period close to inactivity timeout.

CHE_WORKSPACE_CLEANUP__TEMPORARY__INITIAL__DELAY__MIN

5

Period of stopped temporary workspaces cleanup job execution.

CHE_WORKSPACE_CLEANUP__TEMPORARY__PERIOD__MIN

180

Periodof stopped temporary workspaces cleanup job execution.

CHE_WORKSPACE_SERVER_PING__SUCCESS__THRESHOLD

1

Number of sequential successful pings to server after which it is treated as available. Note: the property is common for all servers e.g. workspace agent, terminal, exec etc.

CHE_WORKSPACE_SERVER_PING__INTERVAL__MILLISECONDS

3000

Interval, in milliseconds, between successive pings to workspace server.

CHE_WORKSPACE_SERVER_LIVENESS__PROBES

wsagent/http,exec-agent/http,terminal,theia,jupyter,dirigible,cloud-shell,intellij

List of servers names which require liveness probes

CHE_WORKSPACE_STARTUP__DEBUG__LOG__LIMIT__BYTES

10485760

Limit size of the logs collected from single container that can be observed by che-server when debugging workspace startup. default 10MB=10485760

CHE_WORKSPACE_STOP_ROLE_ENABLED

true

If true, 'stop-workspace' role with the edit privileges will be granted to the 'che' ServiceAccount if OpenShift OAuth is enabled. This configuration is mainly required for workspace idling when the OpenShift OAuth is enabled.

Authentication parameters

Table 2. Authentication parameters
Environment Variable Name Default value Description

CHE_AUTH_USER__SELF__CREATION

false

Che has a single identity implementation, so this does not change the user experience. If true, enables user creation at API level

CHE_AUTH_ACCESS__DENIED__ERROR__PAGE

/error-oauth

Authentication error page address

CHE_AUTH_RESERVED__USER__NAMES

Reserved user names

CHE_OAUTH_GITHUB_CLIENTID

NULL

You can setup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.

CHE_OAUTH_GITHUB_CLIENTSECRET

NULL

Youcan setup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.

CHE_OAUTH_GITHUB_AUTHURI

https://github.com/login/oauth/authorize

Youcansetup GitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.

CHE_OAUTH_GITHUB_TOKENURI

https://github.com/login/oauth/access_token

YoucansetupGitHub OAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.

CHE_OAUTH_GITHUB_REDIRECTURIS

http://localhost:${CHE_PORT}/api/oauth/callback

YoucansetupGitHubOAuth to automate authentication to remote repositories. You need to first register this application with GitHub OAuth.

CHE_OAUTH_OPENSHIFT_CLIENTID

NULL

Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token.

CHE_OAUTH_OPENSHIFT_CLIENTSECRET

NULL

Configurationof OpenShift OAuth client. Used to obtain OpenShift OAuth token.

CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT

NULL

ConfigurationofOpenShift OAuth client. Used to obtain OpenShift OAuth token.

CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL

NULL

ConfigurationofOpenShiftOAuth client. Used to obtain OpenShift OAuth token.

Internal

Table 3. Internal
Environment Variable Name Default value Description

SCHEDULE_CORE__POOL__SIZE

10

Che extensions can be scheduled executions on a time basis. This configures the size of the thread pool allocated to extensions that are launched on a recurring schedule.

DB_SCHEMA_FLYWAY_BASELINE_ENABLED

true

DB initialization and migration configuration

DB_SCHEMA_FLYWAY_BASELINE_VERSION

5.0.0.8.1

DBinitialization and migration configuration

DB_SCHEMA_FLYWAY_SCRIPTS_PREFIX

DBinitializationand migration configuration

DB_SCHEMA_FLYWAY_SCRIPTS_SUFFIX

.sql

DBinitializationandmigration configuration

DB_SCHEMA_FLYWAY_SCRIPTS_VERSION__SEPARATOR

__

DBinitializationandmigrationconfiguration

DB_SCHEMA_FLYWAY_SCRIPTS_LOCATIONS

classpath:che-schema

DBinitializationandmigrationconfiguration

Kubernetes Infra parameters

Table 4. Kubernetes Infra parameters
Environment Variable Name Default value Description

CHE_INFRA_KUBERNETES_MASTER__URL

Configuration of Kubernetes client that Infra will use

CHE_INFRA_KUBERNETES_TRUST__CERTS

Configurationof Kubernetes client that Infra will use

CHE_INFRA_KUBERNETES_SERVER__STRATEGY

multi-host

Defines the way how servers are exposed to the world in Kubernetes infra. List of strategies implemented in Che: default-host, multi-host, single-host

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_EXPOSURE

native

Defines the way in which the workspace plugins and editors are exposed in the single-host mode. Supported exposures: - 'native': Exposes servers using Kubernetes Ingresses. Works only on Kubernetes. - 'gateway': Exposes servers using reverse-proxy gateway.

CHE_INFRA_KUBERNETES_SINGLEHOST_WORKSPACE_DEVFILE__ENDPOINT__EXPOSURE

multi-host

Defines the way how to expose devfile endpoints, thus end-user’s applications, in single-host server strategy. They can either follow the single-host strategy and be exposed on subpaths, or they can be exposed on subdomains. - 'multi-host': expose on subdomains - 'single-host': expose on subpaths

CHE_INFRA_KUBERNETES_SINGLEHOST_GATEWAY_CONFIGMAP__LABELS

app=che,component=che-gateway-config

Defines labels which will be set to ConfigMaps configuring single-host gateway.

CHE_INFRA_KUBERNETES_INGRESS_DOMAIN

Used to generate domain for a server in a workspace in case property che.infra.kubernetes.server_strategy is set to multi-host

CHE_INFRA_KUBERNETES_NAMESPACE

DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines Kubernetes namespace in which all workspaces will be created. If not set, every workspace will be created in a new namespace, where namespace = workspace id It’s possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>). In that case, new namespace will be created for each user. Service account with permission to create new namespace must be used. Ignored for OpenShift infra. Use che.infra.openshift.project instead If the namespace pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.

CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED

true

Indicates whether Che server is allowed to create namespaces/projects for user workspaces, or they’re intended to be created manually by cluster administrator. This property is also used by the OpenShift infra.

CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT

<username>-che

Defines Kubernetes default namespace in which user’s workspaces are created if user does not override it. It’s possible to use <username>, <userid> and <workspaceid> placeholders (e.g.: che-workspace-<username>). In that case, new namespace will be created for each user (or workspace). Is used by OpenShift infra as well to specify Project

CHE_INFRA_KUBERNETES_NAMESPACE_LABEL

true

Defines whether che-server should try to label the workspace namespaces.

CHE_INFRA_KUBERNETES_NAMESPACE_LABELS

app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspaces-namespace

List of labels to find Namespaces/Projects that are used for Che Workspaces. They are used to: - find prepared Namespaces/Projects for users in combination with che.infra.kubernetes.namespace.annotations. - actively label namespaces with any workspace.

CHE_INFRA_KUBERNETES_NAMESPACE_ANNOTATIONS

che.eclipse.org/username=<username>

List of annotations to find Namespaces/Projects prepared for Che users workspaces. Only Namespaces/Projects matching the che.infra.kubernetes.namespace.labels will be matched against these annotations. Namespaces/Projects that matches both che.infra.kubernetes.namespace.labels and che.infra.kubernetes.namespace.annotations will be preferentially used for User’s workspaces. It’s possible to use <username> placeholder to specify the Namespace/Project to concrete user.

CHE_INFRA_KUBERNETES_NAMESPACE_ALLOW__USER__DEFINED

false

Defines if a user is able to specify Kubernetes namespace (or OpenShift project) different from the default. It’s NOT RECOMMENDED to configured true without OAuth configured. This property is also used by the OpenShift infra.

CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME

NULL

Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. Note that Kubernetes Infrastructure won’t create the service account and it should exist. OpenShift infrastructure will check if project is predefined(if che.infra.openshift.project is not empty): - if it is predefined then service account must exist there - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace and prepare workspace service account with needed roles there

CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES

NULL

Specifies optional, additional cluster roles to use with the workspace service account. Note that the cluster role names must already exist, and the Che service account needs to be able to create a Role Binding to associate these cluster roles with the workspace service account. The names are comma separated. This property deprecates 'che.infra.kubernetes.cluster_role_name'.

CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN

8

Defines time frame that limits the Kubernetes workspace start time

CHE_INFRA_KUBERNETES_INGRESS__START__TIMEOUT__MIN

5

Defines the timeout in minutes that limits the period for which Kubernetes Ingress become ready

CHE_INFRA_KUBERNETES_WORKSPACE__UNRECOVERABLE__EVENTS

FailedMount,FailedScheduling,MountVolume.SetUpfailed,Failed to pull image,FailedCreate

If during workspace startup an unrecoverable event defined in the property occurs, terminate workspace immediately instead of waiting until timeout Note that this SHOULD NOT include a mere 'Failed' reason, because that might catch events that are not unrecoverable. A failed container startup is handled explicitly by Che server.

CHE_INFRA_KUBERNETES_PVC_ENABLED

true

Defines whether use the Persistent Volume Claim for che workspace needs e.g backup projects, logs etc or disable it.

CHE_INFRA_KUBERNETES_PVC_STRATEGY

common

Defined which strategy will be used while choosing PVC for workspaces. Supported strategies: - 'common' All workspaces in the same Kubernetes Namespace will reuse the same PVC. Name of PVC may be configured with 'che.infra.kubernetes.pvc.name'. Existing PVC will be used or new one will be created if it doesn’t exist. - 'unique' Separate PVC for each workspace’s volume will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {generated_8_chars}'. Existing PVC will be used or a new one will be created if it doesn’t exist. - 'per-workspace' Separate PVC for each workspace will be used. Name of PVC is evaluated as '{che.infra.kubernetes.pvc.name} + '-' + {WORKSPACE_ID}'. Existing PVC will be used or a new one will be created if it doesn’t exist.

CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS

true

Defines whether to run a job that creates workspace’s subpath directories in persistent volume for the 'common' strategy before launching a workspace. Necessary in some versions of OpenShift/Kubernetes as workspace subpath volume mounts are created with root permissions, and thus cannot be modified by workspaces running as a user (presents an error importing projects into a workspace in Che). The default is 'true', but should be set to false if the version of Openshift/Kubernetes creates subdirectories with user permissions. Relevant issue: https://github.com/kubernetes/kubernetes/issues/41638 Note that this property has effect only if the 'common' PVC strategy used.

CHE_INFRA_KUBERNETES_PVC_NAME

claim-che-workspace

Defines the settings of PVC name for che workspaces. Each PVC strategy supplies this value differently. See doc for che.infra.kubernetes.pvc.strategy property

CHE_INFRA_KUBERNETES_PVC_STORAGE__CLASS__NAME

Defines the storage class of Persistent Volume Claim for the workspaces. Empty strings means 'use default'.

CHE_INFRA_KUBERNETES_PVC_QUANTITY

10Gi

Defines the size of Persistent Volume Claim of che workspace. Format described here: https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html

CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE

centos:centos7

Pod that is launched when performing persistent volume claim maintenance jobs on OpenShift

CHE_INFRA_KUBERNETES_PVC_JOBS_IMAGE_PULL__POLICY

IfNotPresent

Image pull policy of container that used for the maintenance jobs on Kubernetes/OpenShift cluster

CHE_INFRA_KUBERNETES_PVC_JOBS_MEMORYLIMIT

250Mi

Defines pod memory limit for persistent volume claim maintenance jobs

CHE_INFRA_KUBERNETES_PVC_ACCESS__MODE

ReadWriteOnce

Defines Persistent Volume Claim access mode. Note that for common PVC strategy changing of access mode affects the number of simultaneously running workspaces. If OpenShift flavor where che running is using PVs with RWX access mode then a limit of running workspaces at the same time bounded only by che limits configuration like(RAM, CPU etc). Detailed information about access mode is described here: https://docs.openshift.com/container-platform/4.4/storage/understanding-persistent-storage.html

CHE_INFRA_KUBERNETES_PVC_WAIT__BOUND

true

Defines whether Che Server should wait workspaces PVCs to become bound after creating. It’s used by all PVC strategies. It should be set to false in case if volumeBindingMode is configured to WaitForFirstConsumer otherwise workspace starts will hangs up on phase of waiting PVCs. Default value is true (means that PVCs should be waited to be bound)

CHE_INFRA_KUBERNETES_INSTALLER__SERVER__MIN__PORT

10000

Defined range of ports for installers servers By default, installer will use own port, but if it conflicts with another installer servers then OpenShift infrastructure will reconfigure installer to use first available from this range

CHE_INFRA_KUBERNETES_INSTALLER__SERVER__MAX__PORT

20000

Definedrange of ports for installers servers By default, installer will use own port, but if it conflicts with another installer servers then OpenShift infrastructure will reconfigure installer to use first available from this range

CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON

NULL

Defines annotations for ingresses which are used for servers exposing. Value depends on the kind of ingress controller. OpenShift infrastructure ignores this property because it uses Routes instead of ingresses. Note that for a single-host deployment strategy to work, a controller supporting URL rewriting has to be used (so that URLs can point to different servers while the servers don’t need to support changing the app root). The che.infra.kubernetes.ingress.path.rewrite_transform property defines how the path of the ingress should be transformed to support the URL rewriting and this property defines the set of annotations on the ingress itself that instruct the chosen ingress controller to actually do the URL rewriting, potentially building on the path transformation (if required by the chosen ingress controller). For example for nginx ingress controller 0.22.0 and later the following value is recommended: {'ingress.kubernetes.io/rewrite-target': '/$1','ingress.kubernetes.io/ssl-redirect': 'false',\ 'ingress.kubernetes.io/proxy-connect-timeout': '3600','ingress.kubernetes.io/proxy-read-timeout': '3600'} and the che.infra.kubernetes.ingress.path.rewrite_transform should be set to '%s(.*)' For nginx ingress controller older than 0.22.0, the rewrite-target should be set to merely '/' and the path transform to '%s' (see the the che.infra.kubernetes.ingress.path.rewrite_transform property). Please consult the nginx ingress controller documentation for the explanation of how the ingress controller uses the regular expression present in the ingress path and how it achieves the URL rewriting.

CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM

NULL

Defines a 'recipe' on how to declare the path of the ingress that should expose a server. The '%s' represents the base public URL of the server and is guaranteed to end with a forward slash. This property must be a valid input to the String.format() method and contain exactly one reference to '%s'. Please see the description of the che.infra.kubernetes.ingress.annotations_json property to see how these two properties interplay when specifying the ingress annotations and path. If not defined, this property defaults to '%s' (without the quotes) which means that the path is not transformed in any way for use with the ingress controller.

CHE_INFRA_KUBERNETES_INGRESS_LABELS

NULL

Additional labels to add into every Ingress created by Che server to allow clear identification.

CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER

NULL

Defines security context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra

CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP

NULL

Definessecurity context for pods that will be created by Kubernetes Infra This is ignored by OpenShift infra

CHE_INFRA_KUBERNETES_POD_TERMINATION__GRACE__PERIOD__SEC

0

Defines grace termination period for pods that will be created by Kubernetes / OpenShift infrastructures Grace termination period of Kubernetes / OpenShift workspace’s pods defaults '0', which allows to terminate pods almost instantly and significantly decrease the time required for stopping a workspace. Note: if terminationGracePeriodSeconds have been explicitly set in Kubernetes / OpenShift recipe it will not be overridden.

CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX

1000

Number of maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the KubernetesClient instances. Default values are 64, and 5 per-host, which doesn’t seem correct for multi-user scenarios knowing that Che keeps a number of connections opened (e.g. for command or ws-agent logs)

CHE_INFRA_KUBERNETES_CLIENT_HTTP_ASYNC__REQUESTS_MAX__PER__HOST

1000

Numberof maximum concurrent async web requests (http requests or ongoing web socket calls) supported in the underlying shared http client of the KubernetesClient instances. Default values are 64, and 5 per-host, which doesn’t seem correct for multi-user scenarios knowing that Che keeps a number of connections opened (e.g. for command or ws-agent logs)

CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_MAX__IDLE

5

Max number of idle connections in the connection pool of the Kubernetes-client shared http client

CHE_INFRA_KUBERNETES_CLIENT_HTTP_CONNECTION__POOL_KEEP__ALIVE__MIN

5

Keep-alive timeout of the connection pool of the Kubernetes-client shared http client in minutes

CHE_INFRA_KUBERNETES_TLS__ENABLED

false

Creates Ingresses with Transport Layer Security (TLS) enabled In OpenShift infrastructure, Routes will be TLS-enabled

CHE_INFRA_KUBERNETES_TLS__SECRET

Name of a secret that should be used when creating workspace ingresses with TLS Ignored by OpenShift infrastructure

CHE_INFRA_KUBERNETES_TLS__KEY

NULL

Data for TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure

CHE_INFRA_KUBERNETES_TLS__CERT

NULL

Datafor TLS Secret that should be used for workspaces Ingresses cert and key should be encoded with Base64 algorithm These properties are ignored by OpenShift infrastructure

CHE_INFRA_KUBERNETES_RUNTIMES__CONSISTENCY__CHECK__PERIOD__MIN

-1

Defines the period with which runtimes consistency checks will be performed. If runtime has inconsistent state then runtime will be stopped automatically. Value must be more than 0 or -1, where -1 means that checks won’t be performed at all. It is disabled by default because there is possible Che Server configuration when Che Server doesn’t have an ability to interact with Kubernetes API when operation is not invoked by user. It DOES work on the following configurations: - workspaces objects are created in the same namespace where Che Server is located; - cluster-admin service account token is mount to Che Server pod; It DOES NOT work on the following configurations: - Che Server communicates with Kubernetes API using token from OAuth provider;

CHE_INFRA_KUBERNETES_TRUSTED__CA_SRC__CONFIGMAP

NULL

Name of cofig map in Che server namespace with additional CA TLS certificates to be propagated into all user’s workspaces. If the property is set on OpenShift 4 infrastructure, and che.infra.openshift.trusted_ca.dest_configmap_labels includes config.openshift.io/inject-trusted-cabundle=true label, then cluster CA bundle will be propagated too.

CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP

ca-certs

Name of configmap in a workspace namespace with additional CA TLS certificates. Holds the copy of che.infra.kubernetes.trusted_ca.src_configmap but in a workspace namespace. Content of this config map is mounted into all workspace containers including plugin brokers. Do not change the config map name unless it conflicts with the already existing config map.

CHE_INFRA_KUBERNETES_TRUSTED__CA_MOUNT__PATH

/public-certs

Configures path on workspace containers where the CA bundle should be mount. Content of config map specified by che.infra.kubernetes.trusted_ca.dest_configmap is mounted.

CHE_INFRA_KUBERNETES_TRUSTED__CA_DEST__CONFIGMAP__LABELS

Comma separated list of labels to add to the CA certificates config map in user workspace. See che.infra.kubernetes.trusted_ca.dest_configmap property.

OpenShift Infra parameters

Table 5. OpenShift Infra parameters
Environment Variable Name Default value Description

CHE_INFRA_OPENSHIFT_PROJECT

DEPRECATED - please do not change the value of this property otherwise the existing workspaces will loose data. Do not set it on new installations. Defines OpenShift namespace in which all workspaces will be created. If not set, every workspace will be created in a new project, where project name = workspace id It’s possible to use <username> and <userid> placeholders (e.g.: che-workspace-<username>). In that case, new project will be created for each user. OpenShift oauth or service account with permission to create new projects must be used. If the project pointed to by this property exists, it will be used for all workspaces. If it does not exist, the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.

CHE_INFRA_OPENSHIFT_TRUSTED__CA_DEST__CONFIGMAP__LABELS

config.openshift.io/inject-trusted-cabundle=true

Comma separated list of labels to add to the CA certificates config map in user workspace. See che.infra.kubernetes.trusted_ca.dest_configmap property. This default value is used for automatic cluster CA bundle injection in Openshift 4.

CHE_INFRA_OPENSHIFT_ROUTE_LABELS

NULL

Additional labels to add into every Route created by Che server to allow clear identification.

Experimental properties

Table 6. Experimental properties
Environment Variable Name Default value Description

CHE_WORKSPACE_PLUGIN__BROKER_METADATA_IMAGE

quay.io/eclipse/che-plugin-metadata-broker:v3.4.0

Docker image of Che plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace Note these images are overridden by the Che Operator by default; changing the images here will not have an effect if Che is installed via Operator.

CHE_WORKSPACE_PLUGIN__BROKER_ARTIFACTS_IMAGE

quay.io/eclipse/che-plugin-artifacts-broker:v3.4.0

Dockerimage of Che plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace Note these images are overridden by the Che Operator by default; changing the images here will not have an effect if Che is installed via Operator.

CHE_WORKSPACE_PLUGIN__BROKER_DEFAULT__MERGE__PLUGINS

false

Configures the default behavior of the plugin brokers when provisioning plugins into a workspace. If set to true, the plugin brokers will attempt to merge plugins when possible (i.e. they run in the same sidecar image and do not have conflicting settings). This value is the default setting used when the devfile does not specify otherwise, via the 'mergePlugins' attribute.

CHE_WORKSPACE_PLUGIN__BROKER_PULL__POLICY

Always

Docker image of Che plugin broker app that resolves workspace tooling configuration and copies plugins dependencies to a workspace

CHE_WORKSPACE_PLUGIN__BROKER_WAIT__TIMEOUT__MIN

3

Defines the timeout in minutes that limits the max period of result waiting for plugin broker.

CHE_WORKSPACE_PLUGIN__REGISTRY__URL

https://che-plugin-registry.prod-preview.openshift.io/v3

Workspace tooling plugins registry endpoint. Should be a valid HTTP URL. Example: http://che-plugin-registry-eclipse-che.192.168.65.2.nip.io In case Che plugins tooling is not needed value 'NULL' should be used

CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL

NULL

Workspace tooling plugins registry 'internal' endpoint. Should be a valid HTTP URL. Example: http://devfile-registry.che.svc.cluster.local:8080 In case Che plugins tooling is not needed value 'NULL' should be used

CHE_WORKSPACE_DEVFILE__REGISTRY__URL

https://che-devfile-registry.prod-preview.openshift.io/

Devfile Registry endpoint. Should be a valid HTTP URL. Example: http://che-devfile-registry-eclipse-che.192.168.65.2.nip.io In case Che plugins tooling is not needed value 'NULL' should be used

CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL

NULL

Devfile Registry 'internal' endpoint. Should be a valid HTTP URL. Example: http://plugin-registry.che.svc.cluster.local:8080 In case Che plugins tooling is not needed value 'NULL' should be used

CHE_WORKSPACE_STORAGE_AVAILABLE__TYPES

persistent,ephemeral,async

The configuration property that defines available values for storage types that clients like Dashboard should propose for users during workspace creation/update. Available values: - 'persistent': Persistent Storage slow I/O but persistent. - 'ephemeral': Ephemeral Storage allows for faster I/O but may have limited storage and is not persistent. - 'async': Experimental feature: Asynchronous storage is combination of Ephemeral and Persistent storage. Allows for faster I/O and keep your changes, will backup on stop and restore on start workspace. Will work only if: - che.infra.kubernetes.pvc.strategy='common' - che.limits.user.workspaces.run.count=1 - che.infra.kubernetes.namespace.allow_user_defined=false - che.infra.kubernetes.namespace.default contains <username> in other cases remove 'async' from the list.

CHE_WORKSPACE_STORAGE_PREFERRED__TYPE

persistent

The configuration property that defines a default value for storage type that clients like Dashboard should propose for users during workspace creation/update. The 'async' value not recommended as default type since it’s experimental

CHE_SERVER_SECURE__EXPOSER

jwtproxy

Configures in which way secure servers will be protected with authentication. Suitable values: - 'default': jwtproxy is configured in a pass-through mode. So, servers should authenticate requests themselves. - 'jwtproxy': jwtproxy will authenticate requests. So, servers will receive only authenticated ones.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_ISSUER

wsmaster

Jwtproxy issuer string, token lifetime and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_TOKEN_TTL

8800h

Jwtproxyissuer string, token lifetime and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_AUTH_LOADER_PATH

/_app/loader.html

Jwtproxyissuerstring, token lifetime and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_IMAGE

quay.io/eclipse/che-jwtproxy:0.10.0

Jwtproxyissuerstring,token lifetime and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_MEMORY__REQUEST

15mb

Jwtproxyissuerstring,tokenlifetime and optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_MEMORY__LIMIT

128mb

Jwtproxyissuerstring,tokenlifetimeand optional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_CPU__REQUEST

0.03

Jwtproxyissuerstring,tokenlifetimeandoptional auth page path to route unsigned requests to.

CHE_SERVER_SECURE__EXPOSER_JWTPROXY_CPU__LIMIT

0.5

Jwtproxyissuerstring,tokenlifetimeandoptionalauth page path to route unsigned requests to.

Configuration of major "/websocket" endpoint

Table 7. Configuration of major "/websocket" endpoint
Environment Variable Name Default value Description

CHE_CORE_JSONRPC_PROCESSOR__MAX__POOL__SIZE

50

Maximum size of the JSON RPC processing pool in case if pool size would be exceeded message execution will be rejected

CHE_CORE_JSONRPC_PROCESSOR__CORE__POOL__SIZE

5

Initial json processing pool. Minimum number of threads that used to process major JSON RPC messages.

CHE_CORE_JSONRPC_PROCESSOR__QUEUE__CAPACITY

100000

Configuration of queue used to process Json RPC messages.

CHE_METRICS_PORT

8087

Port the the http server endpoint that would be exposed with Prometheus metrics

CORS settings

Table 8. CORS settings
Environment Variable Name Default value Description

CHE_CORS_ALLOWED__ORIGINS

*

CORS filter on WS Master is turned off by default. Use environment variable 'CHE_CORS_ENABLED=true' to turn it on 'cors.allowed.origins' indicates which request origins are allowed

CHE_CORS_ALLOW__CREDENTIALS

false

'cors.support.credentials' indicates if it allows processing of requests with credentials (in cookies, headers, TLS client certificates)

Factory defaults

Table 9. Factory defaults
Environment Variable Name Default value Description

CHE_FACTORY_DEFAULT__EDITOR

eclipse/che-theia/7.23.2

Editor and plugin which will be used for factories which are created from remote git repository which doesn’t contain any Che-specific workspace descriptor Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion

CHE_FACTORY_DEFAULT__PLUGINS

eclipse/che-machine-exec-plugin/7.23.2

Editorand plugin which will be used for factories which are created from remote git repository which doesn’t contain any Che-specific workspace descriptor Multiple plugins must be comma-separated, for example: pluginFooPublisher/pluginFooName/pluginFooVersion,pluginBarPublisher/pluginBarName/pluginBarVersion

CHE_FACTORY_DEFAULT__DEVFILE__FILENAMES

devfile.yaml,.devfile.yaml

Devfile filenames to look on repository-based factories (like GitHub etc). Factory will try to locate those files in the order they enumerated in the property.

Devfile defaults

Table 10. Devfile defaults
Environment Variable Name Default value Description

CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR

eclipse/che-theia/7.23.2

Default Editor that should be provisioned into Devfile if there is no specified Editor Format is editorPublisher/editorName/editorVersion value. NULL or absence of value means that default editor should not be provisioned.

CHE_WORKSPACE_DEVFILE_DEFAULT__EDITOR_PLUGINS

eclipse/che-machine-exec-plugin/7.23.2

Default Plugins which should be provisioned for Default Editor. All the plugins from this list that are not explicitly mentioned in the user-defined devfile will be provisioned but only when the default editor is used or if the user-defined editor is the same as the default one (even if in different version). Format is comma-separated pluginPublisher/pluginName/pluginVersion values, and URLs. For example: eclipse/che-theia-exec-plugin/0.0.1,eclipse/che-theia-terminal-plugin/0.0.1,https://cdn.pluginregistry.com/vi-mode/meta.yaml If the plugin is a URL, the plugin’s meta.yaml is retrieved from that URL.

CHE_WORKSPACE_PROVISION_SECRET_LABELS

app.kubernetes.io/part-of=che.eclipse.org,app.kubernetes.io/component=workspace-secret

Defines comma-separated list of labels for selecting secrets from a user namespace, which will be mount into workspace containers as a files or env variables. Only secrets that match ALL given labels will be selected.

CHE_WORKSPACE_DEVFILE_ASYNC_STORAGE_PLUGIN

eclipse/che-async-pv-plugin/nightly

Plugin is added in case async storage feature will be enabled in workspace config and supported by environment

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_IMAGE

quay.io/eclipse/che-workspace-data-sync-storage:latest

Docker image for the Che async storage

CHE_WORKSPACE_POD_NODE__SELECTOR

NULL

Optionally configures node selector for workspace pod. Format is comma-separated key=value pairs, e.g: disktype=ssd,cpu=xlarge,foo=bar

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__TIMEOUT__MIN

120

The timeout for the Asynchronous Storage Pod shutdown after stopping the last used workspace. Value less or equal to 0 interpreted as disabling shutdown ability.

CHE_INFRA_KUBERNETES_ASYNC_STORAGE_SHUTDOWN__CHECK__PERIOD__MIN

30

Defines the period with which the Asynchronous Storage Pod stopping ability will be performed (once in 30 minutes by default)

BITBUCKET_SERVER_ENDPOINTS

NULL#

Bitbucket endpoints used for factory integrations. Comma separated list of bitbucket server URLs or NULL if no integration expected.

Che system

Table 11. Che system
Environment Variable Name Default value Description

CHE_SYSTEM_SUPER__PRIVILEGED__MODE

false

System Super Privileged Mode. Grants users with the manageSystem permission additional permissions for getByKey, getByNameSpace, stopWorkspaces, and getResourcesInformation. These are not given to admins by default and these permissions allow admins gain visibility to any workspace along with naming themselves with admin privileges to those workspaces.

CHE_SYSTEM_ADMIN__NAME

admin

Grant system permission for 'che.admin.name' user. If the user already exists it’ll happen on component startup, if not - during the first login when user is persisted in the database.

Workspace limits

Table 12. Workspace limits
Environment Variable Name Default value Description

CHE_LIMITS_WORKSPACE_ENV_RAM

16gb

Workspaces are the fundamental runtime for users when doing development. You can set parameters that limit how workspaces are created and the resources that are consumed. The maximum amount of RAM that a user can allocate to a workspace when they create a new workspace. The RAM slider is adjusted to this maximum value.

CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT

1800000

The length of time that a user is idle with their workspace when the system will suspend the workspace and then stopping it. Idleness is the length of time that the user has not interacted with the workspace, meaning that one of our agents has not received interaction. Leaving a browser window open counts toward idleness.

CHE_LIMITS_WORKSPACE_RUN_TIMEOUT

0

The length of time in milliseconds that a workspace will run, regardless of activity, before the system will suspend it. Set this property if you want to automatically stop workspaces after a period of time. The default is zero, meaning that there is no run timeout.

Users workspace limits

Table 13. Users workspace limits
Environment Variable Name Default value Description

CHE_LIMITS_USER_WORKSPACES_RAM

-1

The total amount of RAM that a single user is allowed to allocate to running workspaces. A user can allocate this RAM to a single workspace or spread it across multiple workspaces.

CHE_LIMITS_USER_WORKSPACES_COUNT

-1

The maximum number of workspaces that a user is allowed to create. The user will be presented with an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.

CHE_LIMITS_USER_WORKSPACES_RUN_COUNT

1

The maximum number of running workspaces that a single user is allowed to have. If the user has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The user will need to stop a running workspace to activate another.

Organizations workspace limits

Table 14. Organizations workspace limits
Environment Variable Name Default value Description

CHE_LIMITS_ORGANIZATION_WORKSPACES_RAM

-1

The total amount of RAM that a single organization (team) is allowed to allocate to running workspaces. An organization owner can allocate this RAM however they see fit across the team’s workspaces.

CHE_LIMITS_ORGANIZATION_WORKSPACES_COUNT

-1

The maximum number of workspaces that a organization is allowed to own. The organization will be presented an error message if they try to create additional workspaces. This applies to the total number of both running and stopped workspaces.

CHE_LIMITS_ORGANIZATION_WORKSPACES_RUN_COUNT

-1

The maximum number of running workspaces that a single organization is allowed. If the organization has reached this threshold and they try to start an additional workspace, they will be prompted with an error message. The organization will need to stop a running workspace to activate another.

CHE_MAIL_FROM__EMAIL__ADDRESS

che@noreply.com

Address that will be used as from email for email notifications

Organizations notifications settings

Table 15. Organizations notifications settings
Environment Variable Name Default value Description

CHE_ORGANIZATION_EMAIL_MEMBER__ADDED__SUBJECT

You'vebeen added to a Che Organization

Organization notifications sunjects and templates

CHE_ORGANIZATION_EMAIL_MEMBER__ADDED__TEMPLATE

st-html-templates/user_added_to_organization

Organizationnotifications sunjects and templates

CHE_ORGANIZATION_EMAIL_MEMBER__REMOVED__SUBJECT

You'vebeen removed from a Che Organization

CHE_ORGANIZATION_EMAIL_MEMBER__REMOVED__TEMPLATE

st-html-templates/user_removed_from_organization

CHE_ORGANIZATION_EMAIL_ORG__REMOVED__SUBJECT

CheOrganization deleted

CHE_ORGANIZATION_EMAIL_ORG__REMOVED__TEMPLATE

st-html-templates/organization_deleted

CHE_ORGANIZATION_EMAIL_ORG__RENAMED__SUBJECT

CheOrganization renamed

CHE_ORGANIZATION_EMAIL_ORG__RENAMED__TEMPLATE

st-html-templates/organization_renamed

Multi-user-specific OpenShift infrastructure configuration

Table 16. Multi-user-specific OpenShift infrastructure configuration
Environment Variable Name Default value Description

CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER

NULL

Alias of the Openshift identity provider registered in Keycloak, that should be used to create workspace OpenShift resources in Openshift namespaces owned by the current Che user. Should be set to NULL if che.infra.openshift.project is set to a non-empty value. For more information see the following documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#openshift-4

Keycloak configuration

Table 17. Keycloak configuration
Environment Variable Name Default value Description

CHE_KEYCLOAK_AUTH__SERVER__URL

http://${CHE_HOST}:5050/auth

Url to keycloak identity provider server Can be set to NULL only if che.keycloak.oidcProvider is used

CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL

NULL

Internal network service Url to keycloak identity provider server

CHE_KEYCLOAK_REALM

che

Keycloak realm is used to authenticate users Can be set to NULL only if che.keycloak.oidcProvider is used

CHE_KEYCLOAK_CLIENT__ID

che-public

Keycloak client id in che.keycloak.realm that is used by dashboard, ide and cli to authenticate users

RedHat Che specific configuration

Table 18. RedHat Che specific configuration
Environment Variable Name Default value Description

CHE_KEYCLOAK_OSO_ENDPOINT

NULL

URL to access OSO oauth tokens

CHE_KEYCLOAK_GITHUB_ENDPOINT

NULL

URL to access Github oauth tokens

CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC

3

The number of seconds to tolerate for clock skew when verifying exp or nbf claims.

CHE_KEYCLOAK_USE__NONCE

true

Use the OIDC optional nonce feature to increase security.

CHE_KEYCLOAK_JS__ADAPTER__URL

NULL

URL to the Keycloak Javascript adapter we want to use. if set to NULL, then the default used value is ${che.keycloak.auth_server_url}/js/keycloak.js, or <che-server>/api/keycloak/OIDCKeycloak.js if an alternate oidc_provider is used

CHE_KEYCLOAK_OIDC__PROVIDER

NULL

Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

CHE_KEYCLOAK_USE__FIXED__REDIRECT__URLS

false

Set to true when using an alternate OIDC provider that only supports fixed redirect Urls This property is ignored when che.keycloak.oidc_provider is NULL

CHE_KEYCLOAK_USERNAME__CLAIM

NULL

Username claim to be used as user display name when parsing JWT token if not defined the fallback value is 'preferred_username'

CHE_OAUTH_SERVICE__MODE

delegated

Configuration of OAuth Authentication Service that can be used in 'embedded' or 'delegated' mode. If set to 'embedded', then the service work as a wrapper to Che’s OAuthAuthenticator ( as in Single User mode). If set to 'delegated', then the service will use Keycloak IdentityProvider mechanism. Runtime Exception wii be thrown, in case if this property is not set properly.

CHE_KEYCLOAK_CASCADE__USER__REMOVAL__ENABLED

false

Configuration for enabling removing user from Keycloak server on removing user from Che database. By default it’s disabled. Can be enabled in some special cases when deleting a user in Che database should execute removing related-user from Keycloak. For correct work need to set admin username ${che.keycloak.admin_username} and password ${che.keycloak.admin_password}.

CHE_KEYCLOAK_ADMIN__USERNAME

NULL

Keycloak admin username. Will be used for deleting user from Keycloak on removing user from Che database. Make sense only in case ${che.keycloak.cascade_user_removal_enabled} set to 'true'

CHE_KEYCLOAK_ADMIN__PASSWORD

NULL

Keycloak admin password. Will be used for deleting user from Keycloak on removing user from Che database. Make sense only in case ${che.keycloak.cascade_user_removal_enabled} set to 'true'

CHE_KEYCLOAK_USERNAME_REPLACEMENT__PATTERNS

NULL

User name adjustment configuration. Che needs to use the usernames as part of K8s object names and labels and therefore has stricter requirements on their format than the identity providers usually allow (it needs them to be DNS-compliant). The adjustment is represented by comma-separated key-value pairs. These are sequentially used as arguments to the String.replaceAll function on the original username. The keys are regular expressions, values are replacement strings that replace the characters in the username that match the regular expression. The modified username will only be stored in the Che database and will not be advertised back to the identity provider. It is recommended to use DNS-compliant characters as replacement strings (values in the key-value pairs). Example: \\=-,@=-at- changes \ to - and @ to -at- so the username org\user@com becomes org-user-at-com.