Configuring a user namespace

This procedure walks you through using Che to replicate ConfigMaps, Secrets, PersistentVolumeClaims, and other Kubernetes objects from the eclipse-che namespace to user-specific namespaces. Che automates the synchronization of important configuration data such as shared credentials, configuration files, and certificates to user namespaces.

If you change a Kubernetes resource in the eclipse-che namespace, Che immediately replicates the change across all user namespaces. Conversely, if a Kubernetes resource is modified in a user namespace, Che immediately reverts the change.

Procedure
  1. Create the ConfigMap below to replicate it to every user namespace. You can customize the ConfigMap by adding labels and annotations. See Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: che-user-configmap
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    data:
      ...

    Example 1. Mounting a settings.xml file to a user workspace:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: che-user-configmap
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
      annotations:
        controller.devfile.io/mount-as: subpath
        controller.devfile.io/mount-path: /home/user/.m2
    data:
      settings.xml: |
        <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
          <localRepository>/home/user/.m2/repository</localRepository>
          <interactiveMode>true</interactiveMode>
          <offline>false</offline>
        </settings>
  2. Create the Secret below to replicate it to every user namespace. You can customize the Secret by adding labels and annotations. See Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    kind: Secret
    apiVersion: v1
    metadata:
      name: che-user-secret
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    data:
      ...

    Example 2. Mounting certificates to a user workspace:

    kind: Secret
    apiVersion: v1
    metadata:
      name: che-user-secret
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
      annotations:
        controller.devfile.io/mount-as: subpath
        controller.devfile.io/mount-path: /etc/pki/ca-trust/source/anchors
    stringData:
      trusted-certificates.crt: |
        ...

    Run the update-ca-trust command on workspace startup to import the certificates. You can run it manually or add the command to a postStart event in a devfile. See Adding event bindings in a devfile.

    Example 3. Mounting environment variables to a user workspace:

    kind: Secret
    apiVersion: v1
    metadata:
      name: che-user-secret
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
      annotations:
        controller.devfile.io/mount-as: env
    stringData:
      ENV_VAR_1: value_1
      ENV_VAR_2: value_2
  3. Create the PersistentVolumeClaim below to replicate it to every user namespace.

    You can customize the PersistentVolumeClaim by adding labels and annotations. See Automatically mounting volumes, configmaps, and secrets for other possible labels and annotations.

    To modify the PersistentVolumeClaim, delete it and create a new one in the eclipse-che namespace.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: che-user-pvc
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    spec:
      ...

    Example 4. Mounting a PersistentVolumeClaim to a user workspace:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: che-user-pvc
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
        controller.devfile.io/mount-to-devworkspace: 'true'
      annotations:
        controller.devfile.io/mount-path: /home/user/data
        controller.devfile.io/read-only: 'true'
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 5Gi
      volumeMode: Filesystem
  4. To leverage the OpenShift Kubernetes Engine, you can create a Template object to replicate all resources defined within the template across each user namespace.

    Aside from the previously mentioned ConfigMap, Secret, and PersistentVolumeClaim, Template objects can include:

    • LimitRange

    • NetworkPolicy

    • ResourceQuota

    • Role

    • RoleBinding

      apiVersion: template.openshift.io/v1
      kind: Template
      metadata:
        name: che-user-namespace-configurator
        namespace: eclipse-che
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: workspaces-config
      objects:
        ...
      parameters:
      - name: PROJECT_NAME
      - name: PROJECT_ADMIN_USER

      The parameters section is optional and declares which parameters the template can use. Currently, only PROJECT_NAME and PROJECT_ADMIN_USER are supported. PROJECT_NAME is the name of the Che namespace, while PROJECT_ADMIN_USER is the Che user of the namespace.

      The namespace name in objects will be replaced with the user’s namespace name during synchronization.

      Example 5. Replicating Kubernetes resources to a user namespace:

      apiVersion: template.openshift.io/v1
      kind: Template
      metadata:
        name: che-user-namespace-configurator
        namespace: eclipse-che
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: workspaces-config
      objects:
      - apiVersion: v1
        kind: ResourceQuota
        metadata:
          name: che-user-resource-quota
        spec:
          ...
      - apiVersion: v1
        kind: LimitRange
        metadata:
          name: che-user-resource-constraint
        spec:
          ...
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          name: che-user-roles
        rules:
          ...
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: che-user-rolebinding
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: che-user-roles
        subjects:
        - kind: User
          apiGroup: rbac.authorization.k8s.io
          name: ${PROJECT_ADMIN_USER}
      parameters:
      - name: PROJECT_ADMIN_USER

      Creating Template Kubernetes resources is supported only on OpenShift.
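
Because every object carrying the two workspaces-config labels is copied into each user namespace, it helps to inventory what is labelled in eclipse-che before relying on the procedure above. The following is an added example, not code from the Che project: it reports the key names of replicated Secrets and, inside a replicated Template, Role rules that use a wildcard and RoleBinding subjects that are literal users or groups rather than ${PROJECT_ADMIN_USER}. The finding codes, the sample objects, and the rule that both labels are required are assumptions made for this illustration.

```python
SYNC_LABELS = {  # assumption: both labels are required, as in every example above
    "app.kubernetes.io/part-of": "che.eclipse.org",
    "app.kubernetes.io/component": "workspaces-config",
}
MOUNT_AS, PARAM = "controller.devfile.io/mount-as", "${PROJECT_ADMIN_USER}"

def replicated(obj):
    labels = obj["metadata"].get("labels") or {}
    return all(labels.get(k) == v for k, v in SYNC_LABELS.items())

def audit(items):
    """Return (object, code, detail) findings for objects copied to user namespaces."""
    out = []
    for obj in filter(replicated, items):
        ref = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        if obj["kind"] == "Secret":
            # Key names only: values are never read or printed.
            keys = sorted({**(obj.get("data") or {}), **(obj.get("stringData") or {})})
            mode = (obj["metadata"].get("annotations") or {}).get(MOUNT_AS, "unset")
            out.append((ref, "SECRET_FANOUT", f"keys={keys} mount-as={mode}"))
        for sub in obj.get("objects") or []:  # only a Template has nested objects
            sub_ref = f'{sub["kind"]}/{sub["metadata"]["name"]}'
            for rule in (sub.get("rules") or []) if sub["kind"] == "Role" else []:
                if "*" in rule.get("verbs", []) + rule.get("resources", []):
                    out.append((ref, "WILDCARD_ROLE", sub_ref))
            for subj in (sub.get("subjects") or []) if sub["kind"] == "RoleBinding" else []:
                if subj.get("kind") in ("User", "Group") and PARAM not in subj.get("name", ""):
                    out.append((ref, "FIXED_SUBJECT", f'{sub_ref} -> {subj["name"]}'))
    return out

# Constructed sample, shaped like the items of `kubectl get ... -n eclipse-che -o json`.
BOTH = {"namespace": "eclipse-che", "labels": SYNC_LABELS}
SAMPLE = [
    {"kind": "Secret", "metadata": {"name": "che-user-secret", **BOTH, "annotations": {MOUNT_AS: "env"}},
     "data": {"ENV_VAR_1": "dmFsdWVfMQ==", "ENV_VAR_2": "dmFsdWVfMg=="}},
    {"kind": "Secret", "metadata": {"name": "constructed-internal-token",  # one label only
     "labels": {"app.kubernetes.io/part-of": "che.eclipse.org"}}, "data": {"token": "ZHVtbXk="}},
    {"kind": "Template", "metadata": {"name": "che-user-namespace-configurator", **BOTH}, "objects": [
        {"kind": "Role", "metadata": {"name": "che-user-roles"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "che-user-rolebinding"},
         "subjects": [{"kind": "User", "name": PARAM}]},
        {"kind": "RoleBinding", "metadata": {"name": "constructed-support-binding"},
         "subjects": [{"kind": "User", "name": "constructed-support-user"}]},
    ]},
]

if __name__ == "__main__":
    print("\n".join("\t".join(f) for f in audit(SAMPLE)))
```

To audit a real installation, pass the items array from the JSON output of kubectl for the eclipse-che namespace to audit() in place of SAMPLE.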