CheCluster Custom Resource fields reference

This section describes all fields available to customize the CheCluster Custom Resource.

Example 1. A minimal CheCluster Custom Resource example.
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: eclipse-che
spec:
  components: {}
  devEnvironments: {}
  networking: {}

Table 1. Development environment configuration options.
Property Description Default

allowedSources

AllowedSources defines the allowed sources on which workspaces can be started.

containerBuildConfiguration

Container build configuration.

defaultComponents

Default components applied to DevWorkspaces. These default components are used when a Devfile does not contain any components.

defaultEditor

The default editor to create workspaces with. It can be a plugin ID or a URI. The plugin ID must have the publisher/name/version format. The URI must start with http:// or https://.

defaultNamespace

User’s default namespace.

Default: { "autoProvision": true, "template": "<username>-che" }

defaultPlugins

Default plug-ins applied to DevWorkspaces.

deploymentStrategy

DeploymentStrategy defines the deployment strategy used to replace existing workspace pods with new ones. The available deployment strategies are Recreate and RollingUpdate. With the Recreate deployment strategy, the existing workspace pod is killed before the new one is created. With the RollingUpdate deployment strategy, a new workspace pod is created and the existing workspace pod is deleted only when the new workspace pod is in a ready state. If not specified, the default Recreate deployment strategy is used.

disableContainerBuildCapabilities

Disables the container build capabilities. When set to false (the default value), the devEnvironments.security.containerSecurityContext field is ignored, and the following container SecurityContext is applied:

containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities:
    add:
      - SETGID
      - SETUID

gatewayContainer

GatewayContainer configuration.

ignoredUnrecoverableEvents

IgnoredUnrecoverableEvents defines a list of Kubernetes event names that should be ignored when deciding to fail a workspace that is starting. This option should be used if a transient cluster issue is triggering false-positives (for example, if the cluster occasionally encounters FailedScheduling events). Events listed here will not trigger workspace failures.

Default: [ "FailedScheduling" ]

imagePullPolicy

ImagePullPolicy defines the imagePullPolicy used for containers in a DevWorkspace.

maxNumberOfRunningWorkspacesPerCluster

The maximum number of concurrently running workspaces across the entire Kubernetes cluster. This applies to all users in the system. If the value is set to -1, it means there is no limit on the number of running workspaces.

maxNumberOfRunningWorkspacesPerUser

The maximum number of running workspaces per user. The value -1 allows users to run an unlimited number of workspaces.

maxNumberOfWorkspacesPerUser

Total number of workspaces, both stopped and running, that a user can keep. The value -1 allows users to keep an unlimited number of workspaces.

Default: -1

nodeSelector

The node selector limits the nodes that can run the workspace pods.

persistUserHome

PersistUserHome defines configuration options for persisting the user home directory in workspaces.

podSchedulerName

Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.

projectCloneContainer

Project clone container configuration.

runtimeClassName

RuntimeClassName specifies the spec.runtimeClassName for workspace pods.

secondsOfInactivityBeforeIdling

Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

Default: 1800

secondsOfRunBeforeIdling

Run timeout for workspaces in seconds. This timeout is the maximum duration a workspace runs. To disable workspace run timeout, set this value to -1.

Default: -1

security

Workspace security configuration.

serviceAccount

ServiceAccount used by the DevWorkspace operator when starting the workspaces.

serviceAccountTokens

List of ServiceAccount tokens that will be mounted into workspace pods as projected volumes.

startTimeoutSeconds

StartTimeoutSeconds determines the maximum duration (in seconds) that a workspace can take to start before it is automatically failed. If not specified, the default value of 300 seconds (5 minutes) is used.

Default: 300

storage

Workspaces persistent storage.

Default: { "pvcStrategy": "per-user" }

tolerations

The pod tolerations of the workspace pods limit where the workspace pods can run.

trustedCerts

Trusted certificate settings.

user

User configuration.

workspacesPodAnnotations

WorkspacesPodAnnotations defines additional annotations for workspace pods.
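
An added example (written for this page, not a manifest from the Che project) of a devEnvironments section that moves the fields above toward least privilege and bounded resource use; the numeric limits, the claim size and the annotation key are constructed values.

```yaml
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: eclipse-che
spec:
  devEnvironments:
    # With the default (false) the Operator ignores security.containerSecurityContext
    # and applies allowPrivilegeEscalation: true plus the SETGID/SETUID capabilities.
    # Setting true gives up in-workspace container builds but lets the context below apply.
    disableContainerBuildCapabilities: true
    security:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
    # User namespaces are pre-created by an administrator instead of on first start.
    defaultNamespace:
      autoProvision: false
      template: "<username>-che"
    # Ceilings on workspace count; -1 would mean unlimited (constructed values).
    maxNumberOfRunningWorkspacesPerUser: 2
    maxNumberOfWorkspacesPerUser: 5
    maxNumberOfRunningWorkspacesPerCluster: 100
    # Idle after 30 minutes of inactivity; hard stop after 8 hours of running.
    secondsOfInactivityBeforeIdling: 1800
    secondsOfRunBeforeIdling: 28800
    startTimeoutSeconds: 300
    # Recreate (the default) never runs the old and the new workspace pod side by side.
    deploymentStrategy: Recreate
    # One PVC per workspace instead of one shared volume per user.
    storage:
      pvcStrategy: per-workspace
      perWorkspaceStrategyPvcConfig:
        claimSize: 5Gi
    # Do not fail a starting workspace on transient scheduling events.
    ignoredUnrecoverableEvents:
      - FailedScheduling
    # Constructed annotation key used for ownership tracking of workspace pods.
    workspacesPodAnnotations:
      example.com/owner-team: platform
  components: {}
  networking: {}
```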

Table 2. defaultNamespace options.
Property Description Default

autoProvision

Indicates whether a user namespace may be created automatically. If set to false, the user namespace must be pre-created by a cluster administrator.

Default: true

template

If you don’t create the user namespaces in advance, this field defines the Kubernetes namespace created when you start your first workspace. You can use <username> and <userid> placeholders, such as che-workspace-<username>.

Default: "<username>-che"

Table 3. defaultPlugins options.
Property Description Default

editor

The editor ID to specify default plug-ins for. The plugin ID must have publisher/name/version format.

plugins

Default plug-in URIs for the specified editor.

Table 4. gatewayContainer options.
Property Description Default

env

List of environment variables to set in the container.

image

Container image. Omit it or leave it empty to use the default container image provided by the Operator.

imagePullPolicy

Image pull policy. Default value is Always for nightly, next or latest images, and IfNotPresent in other cases.

name

Container name.

resources

Compute resources required by this container.

Table 5. storage options.
Property Description Default

perUserStrategyPvcConfig

PVC settings when using the per-user PVC strategy.

perWorkspaceStrategyPvcConfig

PVC settings when using the per-workspace PVC strategy.

pvcStrategy

Persistent volume claim strategy for the Che server. The supported strategies are: per-user (all workspace PVCs in one volume), per-workspace (each workspace is given its own individual PVC) and ephemeral (non-persistent storage where local changes are lost when the workspace is stopped).

Default: "per-user"

Table 6. per-user PVC strategy options.
Property Description Default

claimSize

Persistent Volume Claim size. To update the claim size, the storage class that provisions it must support resizing.

storageClass

Storage class for the Persistent Volume Claim. When omitted or left blank, a default storage class is used.

Table 7. per-workspace PVC strategy options.
Property Description Default

claimSize

Persistent Volume Claim size. To update the claim size, the storage class that provisions it must support resizing.

storageClass

Storage class for the Persistent Volume Claim. When omitted or left blank, a default storage class is used.

Table 8. trustedCerts options.
Property Description Default

disableWorkspaceCaBundleMount

By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap containing the CA certificate bundle in users' workspaces at two locations: '/public-certs' and '/etc/pki/ca-trust/extracted/pem'. The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates for trusted certificate authorities on Red Hat-based systems (for example, CentOS and Fedora). This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory while still mounting it to '/public-certs'.

gitTrustedCertsConfigMapName

The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/. The ConfigMap must have an app.kubernetes.io/part-of=che.eclipse.org label.
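
An added example (not from the Che project) of the trustedCerts fields above: a labelled ConfigMap carrying the CA of a self-signed Git server, referenced from the CheCluster. The Git host and the PEM body are placeholders, and the ca.crt and githost key names are an assumption taken from the linked Git-certificate page rather than something this reference states.

```yaml
# Constructed ConfigMap; the label is required by this reference, the key
# names ca.crt and githost are assumed from the linked Che documentation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: che-git-self-signed-cert
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
data:
  githost: https://git.internal.example.com
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER_PEM_REPLACE_WITH_THE_GIT_SERVER_CA
    -----END CERTIFICATE-----
---
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: eclipse-che
spec:
  devEnvironments:
    trustedCerts:
      gitTrustedCertsConfigMapName: che-git-self-signed-cert
      # true keeps the merged bundle at /public-certs only, so workspace images
      # keep their own /etc/pki/ca-trust/extracted/pem trust store untouched.
      disableWorkspaceCaBundleMount: true
  components: {}
  networking: {}
```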

Table 9. containerBuildConfiguration options.
Property Description Default

openShiftSecurityContextConstraint

OpenShift security context constraint to build containers.

Default: "container-build"

Table 10. Che components configuration.
Property Description Default

cheServer

General configuration settings related to the Che server.

Default: { "debug": false, "logLevel": "INFO" }

dashboard

Configuration settings related to the dashboard used by the Che installation.

devWorkspace

DevWorkspace Operator configuration.

devfileRegistry

Configuration settings related to the devfile registry used by the Che installation.

imagePuller

Kubernetes Image Puller configuration.

metrics

Che server metrics configuration.

Default: { "enable": true }

pluginRegistry

Configuration settings related to the plug-in registry used by the Che installation.

Table 11. General configuration settings related to the Che server component.
Property Description Default

clusterRoles

Additional ClusterRoles assigned to the Che ServiceAccount. Each role must have an app.kubernetes.io/part-of=che.eclipse.org label. The default roles are:

- <che-namespace>-cheworkspaces-clusterrole
- <che-namespace>-cheworkspaces-namespaces-clusterrole
- <che-namespace>-cheworkspaces-devworkspace-clusterrole

where <che-namespace> is the namespace where the CheCluster CR is created. The Che Operator must already have all permissions in these ClusterRoles to grant them.

debug

Enables the debug mode for Che server.

Default: false

deployment

Deployment override options.

extraProperties

A map of additional environment variables applied in the generated che ConfigMap to be used by the Che server in addition to the values already generated from other fields of the CheCluster custom resource (CR). If the extraProperties field contains a property normally generated in che ConfigMap from other CR fields, the value defined in the extraProperties is used instead.

logLevel

The log level for the Che server: INFO or DEBUG.

Default: "INFO"

proxy

Proxy server settings for a Kubernetes cluster. No additional configuration is required for an OpenShift cluster. By specifying these settings for an OpenShift cluster, you override the OpenShift proxy configuration.

Table 12. proxy options.
Property Description Default

credentialsSecretName

The name of the secret that contains the user and password for a proxy server. The secret must have an app.kubernetes.io/part-of=che.eclipse.org label.

nonProxyHosts

A list of hosts that can be reached directly, bypassing the proxy. To specify a wildcard domain, use the form .<DOMAIN>. For example:

- localhost
- 127.0.0.1
- my.host.com
- 123.42.12.32

Use only when a proxy configuration is required. The Operator respects the OpenShift cluster-wide proxy configuration; defining nonProxyHosts in a custom resource merges the non-proxy hosts list from the cluster proxy configuration with the ones defined in the custom resource. See the following page: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html. In some proxy configurations, localhost may not translate to 127.0.0.1. Specify both localhost and 127.0.0.1 in this situation.

port

Proxy server port.

url

URL (protocol+hostname) of the proxy server. Use only when a proxy configuration is required. The Operator respects the OpenShift cluster-wide proxy configuration; defining url in a custom resource overrides the cluster proxy configuration. See the following page: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html.
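
An added example (not from the Che project) of the proxy options above on a Kubernetes cluster, with the credentials kept in a labelled Secret rather than in the CR; the proxy hostname, port, user and internal domains are constructed, and the user and password key names in the Secret are an assumption, not something this reference states.

```yaml
# Constructed Secret with the proxy credentials. The label is required by this
# reference; the user and password key names are assumed, not documented here.
apiVersion: v1
kind: Secret
metadata:
  name: proxy-credentials
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
type: Opaque
stringData:
  user: proxy-user
  password: PLACEHOLDER_PROXY_PASSWORD
---
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: eclipse-che
spec:
  components:
    cheServer:
      proxy:
        url: http://proxy.example.com     # protocol + hostname only, port goes below
        port: "3128"
        credentialsSecretName: proxy-credentials
        # Both localhost spellings, in-cluster DNS suffixes as .<DOMAIN> wildcards,
        # and an internal registry that must never be reached through the proxy.
        nonProxyHosts:
          - localhost
          - 127.0.0.1
          - .svc
          - .cluster.local
          - registry.internal.example.com
  devEnvironments: {}
  networking: {}
```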

Table 13. Configuration settings related to the Plug-in registry component used by the Che installation.
Property Description Default

deployment

Deployment override options.

disableInternalRegistry

Disables internal plug-in registry.

externalPluginRegistries

External plugin registries.

openVSXURL

Open VSX registry URL. If omitted, an embedded instance is used.

Table 14. externalPluginRegistries options.
Property Description Default

url

Public URL of the plug-in registry.

Table 15. Configuration settings related to the Devfile registry component used by the Che installation.
Property Description Default

deployment

Deprecated. Deployment override options.

disableInternalRegistry

Disables internal devfile registry.

externalDevfileRegistries

External devfile registries serving sample ready-to-use devfiles.

Table 16. externalDevfileRegistries options.
Property Description Default

url

The public URL of the devfile registry that serves sample ready-to-use devfiles.

Table 17. Configuration settings related to the Dashboard component used by the Che installation.
Property Description Default

branding

Dashboard branding resources.

deployment

Deployment override options.

headerMessage

Dashboard header message.

logLevel

The log level for the Dashboard.

Default: "ERROR"

Table 18. headerMessage options.
Property Description Default

show

Instructs dashboard to show the message.

text

Warning message displayed on the user dashboard.

Table 19. Kubernetes Image Puller component configuration.
Property Description Default

enable

Install and configure the community supported Kubernetes Image Puller Operator. When you set the value to true without providing any specs, it creates a default Kubernetes Image Puller object managed by the Operator. When you set the value to false, the Kubernetes Image Puller object is deleted, and the Operator uninstalled, regardless of whether a spec is provided. If you leave the spec.images field empty, a set of recommended workspace-related images is automatically detected and pre-pulled after installation. Note that while this Operator and its behavior is community-supported, its payload may be commercially-supported for pulling commercially-supported images.

spec

A Kubernetes Image Puller spec to configure the image puller in the CheCluster.

Table 20. Che server metrics component configuration.
Property Description Default

enable

Enables metrics for the Che server endpoint.

Default: true

Table 21. Configuration settings that allow users to work with remote Git repositories.
Property Description Default

azure

Enables users to work with repositories hosted on Azure DevOps Service (dev.azure.com).

bitbucket

Enables users to work with repositories hosted on Bitbucket (bitbucket.org or self-hosted).

github

Enables users to work with repositories hosted on GitHub (github.com or GitHub Enterprise).

gitlab

Enables users to work with repositories hosted on GitLab (gitlab.com or self-hosted).

Table 22. github options.
Property Description Default

disableSubdomainIsolation

Disables subdomain isolation. Deprecated in favor of che.eclipse.org/scm-github-disable-subdomain-isolation annotation. See the following page for details: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-github/.

endpoint

GitHub server endpoint URL. Deprecated in favor of che.eclipse.org/scm-server-endpoint annotation. See the following page for details: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-github/.

secretName

Kubernetes secret that contains the Base64-encoded GitHub OAuth Client ID and GitHub OAuth Client secret. See the following page for details: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-github/.

Table 23. gitlab options.
Property Description Default

endpoint

GitLab server endpoint URL. Deprecated in favor of che.eclipse.org/scm-server-endpoint annotation. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-gitlab/.

secretName

Kubernetes secret that contains the Base64-encoded GitLab Application ID and GitLab Application Client secret. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-gitlab/.

Table 24. bitbucket options.
Property Description Default

endpoint

Bitbucket server endpoint URL. Deprecated in favor of che.eclipse.org/scm-server-endpoint annotation. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-1-for-a-bitbucket-server/.

secretName

Kubernetes secret that contains the Base64-encoded Bitbucket OAuth 1.0 or OAuth 2.0 data. See the following pages for details: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-1-for-a-bitbucket-server/ and https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-the-bitbucket-cloud/.

Table 25. azure options.
Property Description Default

secretName

Kubernetes secret that contains the Base64-encoded Azure DevOps Service Application ID and Client Secret. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services

Table 26. Networking, Che authentication and TLS configuration.
Property Description Default

annotations

Defines annotations which will be set for an Ingress (a route for the OpenShift platform). The defaults for Kubernetes platforms are:

kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

auth

Authentication settings.

Default: { "gateway": { "configLabels": { "app": "che", "component": "che-gateway-config" } } }

domain

For an OpenShift cluster, the Operator uses the domain to generate a hostname for the route. The generated hostname follows this pattern: che-<che-namespace>.<domain>. The <che-namespace> is the namespace where the CheCluster CR is created. In conjunction with labels, it creates a route served by a non-default Ingress controller. For a Kubernetes cluster, it contains the global ingress domain. There are no default values: you must specify them.

hostname

The public hostname of the installed Che server.

ingressClassName

IngressClassName is the name of an IngressClass cluster resource. If a class name is defined in both the IngressClassName field and the kubernetes.io/ingress.class annotation, the IngressClassName field takes precedence.

labels

Defines labels which will be set for an Ingress (a route for OpenShift platform).

tlsSecretName

The name of the secret used to set up Ingress TLS termination. If the field is an empty string, the default cluster certificate is used. The secret must have an app.kubernetes.io/part-of=che.eclipse.org label.

Table 27. auth options.
Property Description Default

advancedAuthorization

Advanced authorization settings. Determines which users and groups are allowed to access Che. A user is allowed to access Che if they are either in the allowUsers list or a member of a group in the allowGroups list, and are neither in the denyUsers list nor a member of a group in the denyGroups list. If allowUsers and allowGroups are empty, then all users are allowed to access Che. If denyUsers and denyGroups are empty, then no users are denied access to Che.

gateway

Gateway settings.

Default: { "configLabels": { "app": "che", "component": "che-gateway-config" } }

identityProviderURL

Public URL of the Identity Provider server.

identityToken

Identity token to be passed to upstream. There are two types of tokens supported: id_token and access_token. Default value is id_token. This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.

oAuthAccessTokenInactivityTimeoutSeconds

Inactivity timeout for tokens to set in the OpenShift OAuthClient resource used to set up identity federation on the OpenShift side. 0 means tokens for this client never time out.

oAuthAccessTokenMaxAgeSeconds

Access token max age for tokens to set in the OpenShift OAuthClient resource used to set up identity federation on the OpenShift side. 0 means no expiration.

oAuthClientName

Name of the OpenShift OAuthClient resource used to set up identity federation on the OpenShift side.

oAuthScope

Access Token Scope. This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.

oAuthSecret

Name of the secret set in the OpenShift OAuthClient resource used to set up identity federation on the OpenShift side. For Kubernetes, this can either be the plain-text oAuthSecret value, or the name of a Kubernetes secret which contains a key oAuthSecret whose value is the secret. NOTE: this secret must exist in the same namespace as the CheCluster resource and contain the label app.kubernetes.io/part-of=che.eclipse.org.
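
An added example (not from the Che project) combining the networking fields of Table 26 with the auth fields above for a Kubernetes cluster: TLS and OAuth client secrets kept in labelled Secrets, an explicit ingress class, and an allow/deny rule; hostnames, secret names, group and user names are constructed, and the OpenShift-only oAuthAccessToken* fields are left out because they configure the OpenShift OAuthClient.

```yaml
# Constructed TLS Secret; both Secrets carry the label this reference requires.
apiVersion: v1
kind: Secret
metadata:
  name: che-tls
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
type: kubernetes.io/tls
data:
  tls.crt: PLACEHOLDER_BASE64_CERT
  tls.key: PLACEHOLDER_BASE64_KEY
---
# Constructed Secret holding the OAuth client secret under the oAuthSecret key;
# it must live in the same namespace as the CheCluster resource.
apiVersion: v1
kind: Secret
metadata:
  name: che-oauth-secret
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
type: Opaque
stringData:
  oAuthSecret: PLACEHOLDER_CLIENT_SECRET
---
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: eclipse-che
spec:
  networking:
    domain: apps.example.com          # global ingress domain on Kubernetes
    hostname: che.apps.example.com
    ingressClassName: nginx           # takes precedence over the annotation form
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
    tlsSecretName: che-tls            # an empty string would use the cluster default cert
    auth:
      identityProviderURL: https://idp.example.com/realms/che
      oAuthClientName: che-client
      oAuthSecret: che-oauth-secret   # Secret name rather than a plain-text value
      oAuthScope: "openid profile email"
      identityToken: access_token     # Kubernetes only; id_token is the default
      # Access rule: (in allowUsers, or in a group from allowGroups, or both lists
      # empty) and not (in denyUsers or in a group from denyGroups).
      advancedAuthorization:
        allowGroups:
          - developers
        denyUsers:
          - former-contractor
        denyGroups:
          - offboarded
  components: {}
  devEnvironments: {}
```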

Table 28. gateway options.
Property Description Default

configLabels

Gateway configuration labels.

Default: { "app": "che", "component": "che-gateway-config" }

deployment

Deployment override options. Since the gateway deployment consists of several containers, they must be distinguished in the configuration by their names:

- gateway
- configbump
- oauth-proxy
- kube-rbac-proxy

kubeRbacProxy

Configuration for kube-rbac-proxy within the Che gateway pod.

oAuthProxy

Configuration for oauth-proxy within the Che gateway pod.

traefik

Configuration for Traefik within the Che gateway pod.

Table 29. Configuration of an alternative registry that stores Che images.
Property Description Default

hostname

An optional hostname or URL of an alternative container registry to pull images from. This value overrides the container registry hostname defined in all the default container images involved in a Che deployment. This is particularly useful for installing Che in a restricted environment.

organization

An optional repository name of an alternative registry to pull images from. This value overrides the container registry organization defined in all the default container images involved in a Che deployment. This is particularly useful for installing Che in a restricted environment.

Table 30. deployment options.
Property Description Default

containers

List of containers belonging to the pod.

nodeSelector

The node selector limits the nodes that can run the pod.

securityContext

Security options the pod should run with.

tolerations

The pod tolerations of the component pod limit where the pod can run.

Table 31. containers options.
Property Description Default

env

List of environment variables to set in the container.

image

Container image. Omit it or leave it empty to use the default container image provided by the Operator.

imagePullPolicy

Image pull policy. Default value is Always for nightly, next or latest images, and IfNotPresent in other cases.

name

Container name.

resources

Compute resources required by this container.

Table 32. resources options.
Property Description Default

limits

Describes the maximum amount of compute resources allowed.

request

Describes the minimum amount of compute resources required.

Table 33. request options.
Property Description Default

cpu

CPU, in cores (500m = .5 cores). If the value is not specified, the default value is set depending on the component. If the value is 0, no value is set for the component.

memory

Memory, in bytes (500Gi = 500GiB = 500 * 1024 * 1024 * 1024). If the value is not specified, the default value is set depending on the component. If the value is 0, no value is set for the component.

Table 34. limits options.
Property Description Default

cpu

CPU, in cores (500m = .5 cores). If the value is not specified, the default value is set depending on the component. If the value is 0, no value is set for the component.

memory

Memory, in bytes (500Gi = 500GiB = 500 * 1024 * 1024 * 1024). If the value is not specified, the default value is set depending on the component. If the value is 0, no value is set for the component.

Table 35. securityContext options.
Property Description Default

fsGroup

A special supplemental group that applies to all containers in a pod. The default value is 1724.

runAsUser

The UID to run the entrypoint of the container process. The default value is 1724.

Table 36. CheCluster Custom Resource status defines the observed state of the Che installation.
Property Description Default

chePhase

Specifies the current phase of the Che deployment.

cheURL

Public URL of the Che server.

cheVersion

Currently installed Che version.

devfileRegistryURL

Deprecated. The public URL of the internal devfile registry.

gatewayPhase

Specifies the current phase of the gateway deployment.

message

A human readable message indicating details about why the Che deployment is in the current phase.

pluginRegistryURL

The public URL of the internal plug-in registry.

reason

A brief CamelCase message indicating details about why the Che deployment is in the current phase.

workspaceBaseDomain

The resolved workspace base domain. This is either a copy of the explicitly defined property of the same name in the spec or, if it is undefined in the spec and Che is running on OpenShift, the automatically resolved base domain for routes.