Configuring a user namespace

Learn how to use Che to synchronize ConfigMaps, Secrets, PersistentVolumeClaims and other Kubernetes objects from the eclipse-che namespace to the user-specific namespaces. Che automates the synchronization of important configuration data, such as shared credentials, configuration files, and certificates, to user namespaces.

If you change a Kubernetes resource in the eclipse-che namespace, Che immediately synchronizes the change across all user namespaces. Conversely, if a Kubernetes resource is modified in a user namespace, Che immediately reverts the change.

Procedure
  1. Create the following ConfigMap to have it created and mounted into every workspace.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: che-user-configmap
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    data:
      ...

    To enhance the configurability, you can customize the ConfigMap by adding additional labels and annotations.

    Add the following labels if you do not want the ConfigMap to be mounted automatically:

    controller.devfile.io/watch-configmap: "false"
    controller.devfile.io/mount-to-devworkspace: "false"

    Add the annotation below if you want the ConfigMap to be retained in a user namespace after it is deleted from the eclipse-che namespace:

    che.eclipse.org/sync-retain-on-delete: "true"

    See "Mounting volumes, configmaps, and secrets" for other possible labels and annotations.

  2. Create the following Secret to have it created and mounted into every workspace.

    kind: Secret
    apiVersion: v1
    metadata:
      name: che-user-secret
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    stringData:
      ...

    To enhance the configurability, you can customize the Secret by adding additional labels and annotations.

    Add the following labels if you do not want the Secret to be mounted automatically:

    controller.devfile.io/watch-secret: "false"
    controller.devfile.io/mount-to-devworkspace: "false"

    Add the annotation below if you want the Secret to be retained in a user namespace after it is deleted from the eclipse-che namespace:

    che.eclipse.org/sync-retain-on-delete: "true"

    See "Mounting volumes, configmaps, and secrets" for other possible labels and annotations.

  3. Create the following PersistentVolumeClaim to have it created in every user namespace.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: che-user-pvc
      namespace: eclipse-che
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-config
    spec:
      ...

    To enhance the configurability, you can customize the PersistentVolumeClaim by adding additional labels and annotations.

    By default, the PersistentVolumeClaim is not deleted from a user namespace when the one in the eclipse-che namespace is deleted. Add the annotation below if you want the PersistentVolumeClaim to be deleted in a user namespace as well:

    che.eclipse.org/sync-retain-on-delete: "false"

    See "Mounting volumes, configmaps, and secrets" for other possible labels and annotations.

  4. To leverage the OpenShift Kubernetes Engine, you can create a Template object to replicate all resources defined within the template across each user namespace.

    Aside from the previously mentioned ConfigMap, Secret, and PersistentVolumeClaim, Template objects can include:

    • LimitRange

    • NetworkPolicy

    • ResourceQuota

    • Role

    • RoleBinding

      apiVersion: template.openshift.io/v1
      kind: Template
      metadata:
        name: che-user-namespace-configurator
        namespace: eclipse-che
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: workspaces-config
      objects:
        ...
      parameters:
      - name: PROJECT_NAME
      - name: PROJECT_ADMIN_USER

      The parameters are optional and define which parameters can be used. Currently, only PROJECT_NAME and PROJECT_ADMIN_USER are supported. PROJECT_NAME is the name of the Che namespace, while PROJECT_ADMIN_USER is the Che user of the namespace.

      The namespace name in objects will be replaced with the user’s namespace name during synchronization.

      Example 1. Replicating Kubernetes resources to a user namespace:

      apiVersion: template.openshift.io/v1
      kind: Template
      metadata:
        name: che-user-namespace-configurator
        namespace: eclipse-che
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: workspaces-config
      objects:
      - apiVersion: v1
        kind: ResourceQuota
        metadata:
          name: che-user-resource-quota
        spec:
          ...
      - apiVersion: v1
        kind: LimitRange
        metadata:
          name: che-user-resource-constraint
        spec:
          ...
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          name: che-user-roles
        rules:
          ...
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: che-user-rolebinding
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: che-user-roles
        subjects:
        - kind: User
          apiGroup: rbac.authorization.k8s.io
          name: ${PROJECT_ADMIN_USER}
      parameters:
      - name: PROJECT_ADMIN_USER

      Creating Template Kubernetes resources is supported only on OpenShift.
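
The Template in step 4 can also carry isolation and resource guardrails into every user namespace. The following is an added example, not part of the original documentation: the Template name, the NetworkPolicy name, and all numeric limits are constructed, and it assumes the cluster sets the standard kubernetes.io/metadata.name label on namespaces.

```yaml
# Added example: constructed names and limits, tune them per cluster.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: che-user-namespace-guardrails   # hypothetical name
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
objects:
# Allow ingress only from pods in the same namespace and from the eclipse-che namespace.
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: che-user-restrict-ingress     # hypothetical name
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
    ingress:
    - from:
      - podSelector: {}
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: eclipse-che
# Cap the total resources a single user namespace can consume.
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: che-user-resource-quota
  spec:
    hard:
      pods: "10"
      requests.cpu: "4"
      requests.memory: 8Gi
      limits.cpu: "8"
      limits.memory: 16Gi
# A quota on requests and limits rejects pods that set none; supply defaults here.
- apiVersion: v1
  kind: LimitRange
  metadata:
    name: che-user-resource-constraint
  spec:
    limits:
    - type: Container
      default:
        cpu: 500m
        memory: 1Gi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
```

If workspace traffic on your cluster arrives from another namespace, such as an ingress router's, add a matching namespaceSelector entry before applying this, because the policy drops every ingress source it does not list.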