From 1477863578b1dc57d4ac27ffa6c15050e639f54e Mon Sep 17 00:00:00 2001
From: Mykhailo Kuznietsov
Date: Mon, 6 Dec 2021 21:29:30 +0000
Subject: [PATCH] release: Bump version to 7.40.0
Signed-off-by: Mykhailo Kuznietsov
---
 antora-playbook-for-publication.yml | 4 +-
 antora.yml | 6 +-
 .../examples/checluster-properties.adoc | 19 ++--
 .../examples/system-variables.adoc | 88 ++++++++++---------
 4 files changed, 61 insertions(+), 56 deletions(-)
diff --git a/antora-playbook-for-publication.yml b/antora-playbook-for-publication.yml
index cd3413a931..d2e716b06d 100644
--- a/antora-playbook-for-publication.yml
+++ b/antora-playbook-for-publication.yml
@@ -11,8 +11,8 @@ site:
 content:
 sources:
 - url: ./
- branches: "7.39.x"
- edit_url: "https://github.com/eclipse/che-docs/edit/7.39.x/{path}"
+ branches: "7.40.x"
+ edit_url: "https://github.com/eclipse/che-docs/edit/7.40.x/{path}"
 output:
 destinations:
 - provider: fs
diff --git a/antora.yml b/antora.yml
index fc043e5b06..6727aa4501 100644
--- a/antora.yml
+++ b/antora.yml
@@ -90,13 +90,13 @@ asciidoc:
 prod-operator-image-name: che-operator
 prod-operator: che-operator
 prod-prev-ver-major: "6"
- prod-prev-ver: "7.38"
+ prod-prev-ver: "7.39"
 prod-short: Che
 prod-upstream: Eclipse{nbsp}Che
 prod-url: https://che-host:che-port
 prod-ver-major: "7"
- prod-ver-patch: "7.39.2"
- prod-ver: "7.39"
+ prod-ver-patch: "7.40.0"
+ prod-ver: "7.40"
 prod-workspace: che-ws
 prod: Eclipse Che
 prod2: Eclipse Che
diff --git a/modules/installation-guide/examples/checluster-properties.adoc b/modules/installation-guide/examples/checluster-properties.adoc
index c2defd0422..5bedbe68a7 100644
--- a/modules/installation-guide/examples/checluster-properties.adoc
+++ b/modules/installation-guide/examples/checluster-properties.adoc
@@ -9,18 +9,18 @@ pass:[]
 airGapContainerRegistryHostname: Optional host name, or URL, to an alternate container registry to pull images from. This value overrides the container registry host name defined in all the default container images involved in a Che deployment. This is particularly useful to install Che in a restricted environment.
 airGapContainerRegistryOrganization: Optional repository name of an alternate container registry to pull images from. This value overrides the container registry organization defined in all the default container images involved in a Che deployment. This is particularly useful to install {prod-short} in a restricted environment.
 allowUserDefinedWorkspaceNamespaces: Deprecated. The value of this flag is ignored. Defines that a user is allowed to specify a Kubernetes namespace, or an OpenShift project, which differs from the default. It's NOT RECOMMENDED to set to `true` without OpenShift OAuth configured. The OpenShift infrastructure also uses this property.
-cheClusterRoles: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them.
+cheClusterRoles: A comma-separated list of ClusterRoles that will be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org` label. Be aware that the Che Operator has to already have all permissions in these ClusterRoles to grant them.
 cheDebug: Enables the debug mode for Che server. Defaults to `false`.
 cheFlavor: Specifies a variation of the installation. The options are `che` for upstream Che installations, or `codeready` for link\:https\://developers.redhat.com/products/codeready-workspaces/overview[CodeReady Workspaces] installation. Override the default value only on necessary occasions.
 cheHost: Public host name of the installed Che server. When value is omitted, the value it will be automatically set by the Operator. See the `cheHostTLSSecret` field.
-cheHostTLSSecret: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. See the `cheHost` field.
+cheHostTLSSecret: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label. See the `cheHost` field.
 cheImage: Overrides the container image used in Che deployment. This does NOT include the container image tag. Omit it or leave it empty to use the default container image provided by the Operator.
 cheImagePullPolicy: Overrides the image pull policy used in Che deployment. Default value is `Always` for `nightly`, `next` or `latest` images, and `IfNotPresent` in other cases.
 cheImageTag: Overrides the tag of the container image used in Che deployment. Omit it or leave it empty to use the default image tag provided by the Operator.
 cheLogLevel: Log level for the Che server\: `INFO` or `DEBUG`. Defaults to `INFO`.
 cheServerIngress: The Che server ingress custom settings.
 cheServerRoute: The Che server route custom settings.
-cheWorkspaceClusterRole: Custom cluster role bound to the user for the Che workspaces. The default roles are used when omitted or left blank.
+cheWorkspaceClusterRole: Custom cluster role bound to the user for the Che workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org` label. The default roles are used when omitted or left blank.
 customCheProperties: Map of additional environment variables that will be applied in the generated `che` ConfigMap to be used by the Che server, in addition to the values already generated from other fields of the `CheCluster` custom resource (CR). When `customCheProperties` contains a property that would be normally generated in `che` ConfigMap from other CR fields, the value defined in the `customCheProperties` is used instead.
 dashboardCpuLimit: Overrides the CPU limit used in the dashboard deployment. In cores. (500m = .5 cores). Default to 500m.
 dashboardCpuRequest: Overrides the CPU request used in the dashboard deployment. In cores. (500m = .5 cores). Default to 100m.
@@ -43,7 +43,7 @@ disableInternalClusterSVCNames: Disable internal cluster SVC names usage to comm
 externalDevfileRegistries: External devfile registries, that serves sample, ready-to-use devfiles. Configure this in addition to a dedicated devfile registry (when `externalDevfileRegistry` is `false`) or instead of it (when `externalDevfileRegistry` is `true`)
 externalDevfileRegistry: Instructs the Operator on whether to deploy a dedicated devfile registry server. By default, a dedicated devfile registry server is started. When `externalDevfileRegistry` is `true`, no such dedicated server will be started by the Operator and configure at least one devfile registry with `externalDevfileRegistries` field.
 externalPluginRegistry: Instructs the Operator on whether to deploy a dedicated plugin registry server. By default, a dedicated plugin registry server is started. When `externalPluginRegistry` is `true`, no such dedicated server will be started by the Operator and you will have to manually set the `pluginRegistryUrl` field.
-gitSelfSignedCert: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git.
+gitSelfSignedCert: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide particular configuration for Git. Note, the `che-git-self-signed-cert` ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 nonProxyHosts: List of hosts that will be reached directly, bypassing the proxy. Specify wild card domain use the following form `.` and `|` as delimiter, for example\: `localhost|.my.host.com|123.42.12.32` Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration and no additional configuration is required, but defining `nonProxyHosts` in a custom resource leads to merging non proxy hosts lists from the cluster proxy configuration and ones defined in the custom resources. See the doc https\://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyURL` fields.
 pluginRegistryCpuLimit: Overrides the CPU limit used in the plugin registry deployment. In cores. (500m = .5 cores). Default to 500m.
 pluginRegistryCpuRequest: Overrides the CPU request used in the plugin registry deployment. In cores. (500m = .5 cores). Default to 100m.
@@ -56,7 +56,7 @@ pluginRegistryRoute: Plugin registry route custom settings.
 pluginRegistryUrl: Public URL of the plugin registry that serves sample ready-to-use devfiles. Set this ONLY when a use of an external devfile registry is needed. See the `externalPluginRegistry` field. By default, this will be automatically calculated by the Operator.
 proxyPassword: Password of the proxy server. Only use when proxy configuration is required. See the `proxyURL`, `proxyUser` and `proxySecret` fields.
 proxyPort: Port of the proxy server. Only use when configuring a proxy is required. See also the `proxyURL` and `nonProxyHosts` fields.
-proxySecret: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and `proxyPassword` are ignored.
+proxySecret: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser` and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 proxyURL: URL (protocol+host name) of the proxy server. This drives the appropriate changes in the `JAVA_OPTS` and `https(s)_proxy` variables in the Che server and workspaces containers. Only use when configuring a proxy is required. Operator respects OpenShift cluster wide proxy configuration and no additional configuration is required, but defining `proxyUrl` in a custom resource leads to overrides the cluster proxy configuration with fields `proxyUrl`, `proxyPort`, `proxyUser` and `proxyPassword` from the custom resource. See the doc https\://docs.openshift.com/container-platform/4.4/networking/enable-cluster-wide-proxy.html. See also the `proxyPort` and `nonProxyHosts` fields.
 proxyUser: User name of the proxy server. Only use when configuring a proxy is required. See also the `proxyURL`, `proxyPassword` and `proxySecret` fields.
 selfSignedCert: Deprecated. The value of this flag is ignored. The Che Operator will automatically detect whether the router certificate is self-signed and propagate it to other components, such as the Che server.
@@ -65,7 +65,7 @@ serverCpuRequest: Overrides the CPU request used in the Che server deployment In
 serverExposureStrategy: Sets the server and workspaces exposure type. Possible values are `multi-host`, `single-host`, `default-host`. Defaults to `multi-host`, which creates a separate ingress, or OpenShift routes, for every required endpoint. `single-host` makes Che exposed on a single host name with workspaces exposed on subpaths. Read the docs to learn about the limitations of this approach. Also consult the `singleHostExposureType` property to further configure how the Operator and the Che server make that happen on Kubernetes. `default-host` exposes the Che server on the host of the cluster. Read the docs to learn about the limitations of this approach.
 serverMemoryLimit: Overrides the memory limit used in the Che server deployment. Defaults to 1Gi.
 serverMemoryRequest: Overrides the memory request used in the Che server deployment. Defaults to 512Mi.
-serverTrustStoreConfigMapName: Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default.
+serverTrustStoreConfigMapName: Name of the ConfigMap with public certificates to add to Java trust store of the Che server. This is often required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 singleHostGatewayConfigMapLabels: The labels that need to be present in the ConfigMaps representing the gateway configuration.
 singleHostGatewayConfigSidecarImage: The image used for the gateway sidecar that provides configuration to the gateway. Omit it or leave it empty to use the default container image provided by the Operator.
 singleHostGatewayImage: The image used for the gateway in the single host mode. Omit it or leave it empty to use the default container image provided by the Operator.
@@ -85,12 +85,13 @@ chePostgresDb: PostgreSQL database name that the Che server uses to connect to t
 chePostgresHostName: PostgreSQL Database host name that the Che server uses to connect to. Defaults is `postgres`. Override this value ONLY when using an external database. See field `externalDb`. In the default case it will be automatically set by the Operator.
 chePostgresPassword: PostgreSQL password that the Che server uses to connect to the DB. When omitted or left blank, it will be set to an automatically generated value.
 chePostgresPort: PostgreSQL Database port that the Che server uses to connect to. Defaults to 5432. Override this value ONLY when using an external database. See field `externalDb`. In the default case it will be automatically set by the Operator.
-chePostgresSecret: The secret that contains PostgreSQL`user` and `password` that the Che server uses to connect to the DB. When the secret is defined, the `chePostgresUser` and `chePostgresPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `chePostgresUser` and `chePostgresPassword` are defined, then they will be used to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and with an auto-generated value for `password`.
+chePostgresSecret: The secret that contains PostgreSQL`user` and `password` that the Che server uses to connect to the DB. When the secret is defined, the `chePostgresUser` and `chePostgresPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `chePostgresUser` and `chePostgresPassword` are defined, then they will be used to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 chePostgresUser: PostgreSQL user that the Che server uses to connect to the DB. Defaults to `pgche`.
 externalDb: Instructs the Operator on whether to deploy a dedicated database. By default, a dedicated PostgreSQL database is deployed as part of the Che installation. When `externalDb` is `true`, no dedicated database will be deployed by the Operator and you will need to provide connection details to the external DB you are about to use. See also all the fields starting with\: `chePostgres`.
 postgresImage: Overrides the container image used in the PostgreSQL database deployment. This includes the image tag. Omit it or leave it empty to use the default container image provided by the Operator.
 postgresImagePullPolicy: Overrides the image pull policy used in the PostgreSQL database deployment. Default value is `Always` for `nightly`, `next` or `latest` images, and `IfNotPresent` in other cases.
 postgresVersion: Indicates a PostgreSQL version image to use. Allowed values are\: `9.6` and `13.3`. Migrate your PostgreSQL database to switch from one version to another.
+pvcClaimSize: Size of the persistent volume claim for database. Defaults to `1Gi`. To update pvc storageclass that provisions it must support resize when {prod-short} has been already deployed.
 :===
 [id="checluster-custom-resource-auth-settings_{context}"]
@@ -112,10 +113,10 @@ identityProviderImagePullPolicy: Overrides the image pull policy used in the Ide
 identityProviderIngress: Ingress custom settings.
 identityProviderPassword: Overrides the password of Keycloak administrator user. Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. When omitted or left blank, it is set to an auto-generated password.
 identityProviderPostgresPassword: Password for a Identity Provider, Keycloak or RH-SSO, to connect to the database. Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. When omitted or left blank, it is set to an auto-generated password.
-identityProviderPostgresSecret: The secret that contains `password` for the Identity Provider, Keycloak or RH-SSO, to connect to the database. When the secret is defined, the `identityProviderPostgresPassword` is ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `identityProviderPostgresPassword` is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created with an auto-generated value for `password`.
+identityProviderPostgresSecret: The secret that contains `password` for the Identity Provider, Keycloak or RH-SSO, to connect to the database. When the secret is defined, the `identityProviderPostgresPassword` is ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `identityProviderPostgresPassword` is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret` will be created with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 identityProviderRealm: Name of a Identity provider, Keycloak or RH-SSO, realm that is used for Che. Override this when an external Identity Provider is in use. See the `externalIdentityProvider` field. When omitted or left blank, it is set to the value of the `flavour` field.
 identityProviderRoute: Route custom settings.
-identityProviderSecret: The secret that contains `user` and `password` for Identity Provider. When the secret is defined, the `identityProviderAdminUserName` and `identityProviderPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `identityProviderAdminUserName` and `identityProviderPassword` are defined, then they will be used. 2. `identityProviderAdminUserName` or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for `password`.
+identityProviderSecret: The secret that contains `user` and `password` for Identity Provider. When the secret is defined, the `identityProviderAdminUserName` and `identityProviderPassword` are ignored. When the value is omitted or left blank, the one of following scenarios applies\: 1. `identityProviderAdminUserName` and `identityProviderPassword` are defined, then they will be used. 2. `identityProviderAdminUserName` or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org` label.
 identityProviderURL: Public URL of the Identity Provider server (Keycloak / RH-SSO server). Set this ONLY when a use of an external Identity Provider is needed. See the `externalIdentityProvider` field. By default, this will be automatically calculated and set by the Operator.
 initialOpenShiftOAuthUser: For operating with the OpenShift OAuth authentication, create a new user account since the kubeadmin can not be used. If the value is true, then a new OpenShift OAuth user will be created for the HTPasswd identity provider. If the value is false and the user has already been created, then it will be removed. If value is an empty, then do nothing. The user's credentials are stored in the `openshift-oauth-user-credentials` secret in 'openshift-config' namespace by Operator. Note that this solution is Openshift 4 platform-specific.
 nativeUserMode: Enables native user mode. Currently works only on OpenShift and DevWorkspace engine. Native User mode uses OpenShift OAuth directly as identity provider, without Keycloak.
diff --git a/modules/installation-guide/examples/system-variables.adoc b/modules/installation-guide/examples/system-variables.adoc
index 9d678c105e..b2bdca34f8 100644
--- a/modules/installation-guide/examples/system-variables.adoc
+++ b/modules/installation-guide/examples/system-variables.adoc
@@ -710,6 +710,15 @@ Default::: `+NULL+`
 '''
+== `+CHE_INFRA_KUBERNETES_USER__CLUSTER__ROLES+`
+
+Cluster roles to assign to user in his namespace
+
+Default::: `+NULL+`
+
+'''
+
+
 == `+CHE_INFRA_KUBERNETES_WORKSPACE__START__TIMEOUT__MIN+`
 Defines wait time that limits the Kubernetes workspace start time.
@@ -1007,15 +1016,6 @@ Default::: empty
 '''
-== `+CHE_INFRA_KUBERNETES_ENABLE__UNSUPPORTED__K8S+`
-
-Enables the `/unsupported/{orch-name}` endpoint to resolve calls on Kubernetes infrastructure. Provides direct access to the underlying infrastructure REST API. This results in huge privilege escalation. It impacts only Kubernetes infrastructure. Therefore it implies no security risk on OpenShift with OAuth. Do not enable this, unless you understand the risks.
-
-Default::: `+false+`
-
-'''
-
-
 [id="openshift-infra-parameters"]
 = OpenShift Infra parameters
@@ -1591,28 +1591,59 @@ Default::: `+NULL+`
 '''
-[id="keycloak-configuration"]
-= Keycloak configuration
+[id="oidc-configuration"]
+= OIDC configuration
-== `+CHE_KEYCLOAK_AUTH__SERVER__URL+`
+== `+CHE_OIDC_AUTH__SERVER__URL+`
-Url to keycloak identity provider server Can be set to NULL only if `che.keycloak.oidcProvider` is used
+Url to OIDC identity provider server Can be set to NULL only if `che.oidc.oidcProvider` is used
 Default::: `+http://${CHE_HOST}:5050/auth+`
 '''
-== `+CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL+`
+== `+CHE_OIDC_AUTH__INTERNAL__SERVER__URL+`
+
+Internal network service Url to OIDC identity provider server
+
+Default::: `+NULL+`
+
+'''
+
+
+== `+CHE_OIDC_ALLOWED__CLOCK__SKEW__SEC+`
+
+The number of seconds to tolerate for clock skew when verifying `exp` or `nbf` claims.
+
+Default::: `+3+`
+
+'''
+
+
+== `+CHE_OIDC_USERNAME__CLAIM+`
+
+Username claim to be used as user display name when parsing JWT token if not defined the fallback value is 'preferred_username' in Keycloak installations and `name` in Dex installations.
+
+Default::: `+NULL+`
+
+'''
+
+
+== `+CHE_OIDC_OIDC__PROVIDER+`
-Internal network service Url to keycloak identity provider server
+Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification link:https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Obtaining OpenID Provider Configuration Information] Deprecated, use `che.oidc.auth_server_url` and `che.oidc.auth_internal_server_url` instead.
 Default::: `+NULL+`
 '''
+[id="keycloak-configuration"]
+= Keycloak configuration
+
+
 == `+CHE_KEYCLOAK_REALM+`
 Keycloak realm is used to authenticate users Can be set to NULL only if `che.keycloak.oidcProvider` is used
@@ -1649,15 +1680,6 @@ Default::: `+NULL+`
 '''
-== `+CHE_KEYCLOAK_ALLOWED__CLOCK__SKEW__SEC+`
-
-The number of seconds to tolerate for clock skew when verifying `exp` or `nbf` claims.
-
-Default::: `+3+`
-
-'''
-
-
 == `+CHE_KEYCLOAK_USE__NONCE+`
 Use the OIDC optional `nonce` feature to increase security.
@@ -1676,15 +1698,6 @@ Default::: `+NULL+`
 '''
-== `+CHE_KEYCLOAK_OIDC__PROVIDER+`
-
-Base URL of an alternate OIDC provider that provides a discovery endpoint as detailed in the following specification link:https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Obtaining OpenID Provider Configuration Information]
-
-Default::: `+NULL+`
-
-'''
-
-
 == `+CHE_KEYCLOAK_USE__FIXED__REDIRECT__URLS+`
 Set to true when using an alternate OIDC provider that only supports fixed redirect Urls This property is ignored when `che.keycloak.oidc_provider` is NULL
@@ -1694,15 +1707,6 @@ Default::: `+false+`
 '''
-== `+CHE_KEYCLOAK_USERNAME__CLAIM+`
-
-Username claim to be used as user display name when parsing JWT token if not defined the fallback value is 'preferred_username'
-
-Default::: `+NULL+`
-
-'''
-
-
 == `+CHE_OAUTH_SERVICE__MODE+`
 Configuration of OAuth Authentication Service that can be used in "embedded" or "delegated" mode. If set to "embedded", then the service work as a wrapper to {prod-short}'s OAuthAuthenticator ( as in Single User mode). If set to "delegated", then the service will use Keycloak IdentityProvider mechanism. Runtime Exception `wii` be thrown, in case if this property is not set properly.