Configuring a user namespace

This procedure walks you through the process of using Che to replicate ConfigMaps, Secrets and PersistentVolumeClaim from eclipse-che namespace to numerous user-specific namespaces. The Che automates the synchronization of important configuration data such as shared credentials, configuration files, and certificates to user namespaces.

If you make changes to a Kubernetes resource in an eclipse-che namespace, Che will immediately replicate the changes across all users namespaces. In reverse, if a Kubernetes resource is modified in a user namespace, Che will immediately revert the changes.

Procedure

  1. Create the ConfigMap below to replicate it to every user namespace. To enhance the configurability, you can customize the ConfigMap by adding additional labels and annotations. See the Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    kind: ConfigMap
apiVersion: v1
metadata:
  name: user-configmap
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
data:
  ...
    Example 1. Mounting a settings.xml file to a user workspace:
    kind: ConfigMap
apiVersion: v1
metadata:
  name: user-settings-xml
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /home/user/.m2
data:
  settings.xml: |
    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
      <localRepository>/home/user/.m2/repository</localRepository>
      <interactiveMode>true</interactiveMode>
      <offline>false</offline>
    </settings>

  2. Create the Secret below to replicate it to every user namespace. To enhance the configurability, you can customize the Secret by adding additional labels and annotations. See the Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    kind: Secret
apiVersion: v1
metadata:
  name: user-secret
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
data:
  ...
    Example 2. Mounting certificates to a user workspace:
    kind: Secret
apiVersion: v1
metadata:
  name: user-certificates
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /etc/pki/ca-trust/source/anchors
stringData:
  trusted-certificates.crt: |
    ...
    Run update-ca-trust command on workspace startup to import certificates. It can be achieved manually or by adding this command to a postStart event in a devfile. See the Adding event bindings in a devfile.
    Example 3. Mounting environment variables to a user workspace:
    kind: Secret
apiVersion: v1
metadata:
  name: user-env
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: env
stringData:
  ENV_VAR_1: value_1
  ENV_VAR_2: value_2

  3. Create the PersistentVolumeClaim below to replicate it to every user namespace.

    To enhance the configurability, you can customize the PersistentVolumeClaim by adding additional labels and annotations. See the Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    To modify the 'PersistentVolumeClaim', delete it and create a new one in eclipse-che namespace.

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: user-pvc
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
spec:
  ...
    Example 4. Mounting a PersistentVolumeClaim to a user workspace:
    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: user-pvc
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
    controller.devfile.io/mount-to-devworkspace: 'true'
  annotations:
    controller.devfile.io/mount-path: /home/user/data
    controller.devfile.io/read-only: 'true'
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  volumeMode: Filesystem
Additional resources