Configuring a user namespace

Learn how to use Che to synchronize ConfigMaps, Secrets, PersistentVolumeClaim and other Kubernetes objects from eclipse-che namespace to numerous user-specific namespaces. The Che automates the synchronization of important configuration data, such as shared credentials, configuration files, and certificates to user namespaces.

If you make changes to a Kubernetes resource in an eclipse-che namespace, Che will immediately synchronize the changes across all users namespaces. In reverse, if a Kubernetes resource is modified in a user namespace, Che will immediately revert the changes.

Applying or modifying a Secret or ConfigMap with the controller.devfile.io/mount-to-devworkspace: 'true' label restarts all running workspaces in the namespace. Ensure that users save their work before you apply these changes.

Procedure

Create the ConfigMap below to create and mount it into every workspace.
kind: ConfigMap apiVersion: v1 metadata: name: che-user-configmap namespace: eclipse-che labels: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config data: ...
To enhance the configurability, you can customize the ConfigMap by adding additional labels and annotations.

Add the following labels if you do not want the ConfigMap to be mounted automatically:
```
controller.devfile.io/watch-configmap: "false"
controller.devfile.io/mount-to-devworkspace: "false"
```
Add the annotation below if you want the ConfigMap to be retained in a user namespace after being deleted from eclipse-che namespace:
```
che.eclipse.org/sync-retain-on-delete: "true"
```
For example, to mount a default SSH configuration into every workspace, you must create a ConfigMap:
kind: ConfigMap apiVersion: v1 metadata: name: ssh-config-configmap namespace: eclipse-che labels: app.kubernetes.io/component: workspaces-config app.kubernetes.io/part-of: che.eclipse.org annotations: controller.devfile.io/mount-as: subpath controller.devfile.io/mount-path: /etc/ssh/ssh_config.d/ data: ssh.conf: <ssh config content>
This ConfigMap propagates the SSH configuration as an extension to the existing default SSH configuration by using the Include /etc/ssh/ssh_config.d/*.conf argument. For more information, review the Include definition.

For other labels and annotations, see Mounting volumes, configmaps, and secrets.
Create the Secret below to create and mount it into every workspace.
kind: Secret apiVersion: v1 metadata: name: che-user-secret namespace: eclipse-che labels: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/component: workspaces-config stringData: ...
To enhance the configurability, you can customize the Secret by adding additional labels and annotations.

Add the labels if you do not want the Secret to be mounted automatically:
```
controller.devfile.io/watch-secret: "false"
controller.devfile.io/mount-to-devworkspace: "false"
```
Add the annotation below if you want the Secret to be retained in a user namespace after being deleted from eclipse-che namespace:
```
che.eclipse.org/sync-retain-on-delete: "true"
```
See the mounting volumes, configmaps, and secrets for other possible labels and annotations.
Create the PersistentVolumeClaim below to create it to every user namespace.
```
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: che-user-pvc
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
spec:
  ...
```
To enhance the configurability, you can customize the PersistentVolumeClaim by adding additional labels and annotations.

The PersistentVolumeClaim is not deleted in a user namespace by default, if the one from eclipse-che is deleted. Add the annotation below if you want the PersistentVolumeClaim to be deleted in a user namespace as well:
```
che.eclipse.org/sync-retain-on-delete: "false"
```
See the mounting volumes, configmaps, and secrets for other possible labels and annotations.

To leverage the OpenShift Kubernetes Engine, you can create a Template object to replicate all resources defined within the template across each user namespace.

Aside from the previously mentioned ConfigMap, Secret, and PersistentVolumeClaim, Template objects can include:

LimitRange
NetworkPolicy
ResourceQuota
Role

RoleBinding

apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: che-user-namespace-configurator
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
objects:
  ...
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER

The parameters are optional and define which parameters can be used. Currently, only PROJECT_NAME and PROJECT_ADMIN_USER are supported. PROJECT_NAME is the name of the Che namespace, while PROJECT_ADMIN_USER is the Che user of the namespace.

The namespace name in objects will be replaced with the user’s namespace name during synchronization.

Example 1. Replicating Kubernetes resources to a user namespace:

apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: che-user-namespace-configurator
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
objects:
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: che-user-resource-quota
  spec:
    ...
- apiVersion: v1
  kind: LimitRange
  metadata:
    name: che-user-resource-constraint
  spec:
    ...
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: che-user-roles
  rules:
    ...
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: che-user-rolebinding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: che-user-roles
  subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: ${PROJECT_ADMIN_USER}
parameters:
- name: PROJECT_ADMIN_USER

Creating Template Kubernetes resources is supported only on OpenShift.

Additional resources