From 8e3e610ad0db72e5dedee962237ac444c064f7a1 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Wed, 30 Oct 2024 10:48:34 +0100
Subject: [PATCH 1/4] fix: Update article to configure a user namespace
Signed-off-by: Anatolii Bazko
---
 .../pages/configuring-a-user-namespace.adoc | 129 ++++++++++++++++--
 1 file changed, 121 insertions(+), 8 deletions(-)
diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
index 7a6e79f565..29075d521f 100644
--- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc
+++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
@@ -29,7 +29,7 @@ for other possible labels and annotations.
 kind: ConfigMap
 apiVersion: v1
 metadata:
- name: user-configmap
+ name: {prod-id-short}-user-configmap
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -45,7 +45,7 @@ data:
 kind: ConfigMap
 apiVersion: v1
 metadata:
- name: user-settings-xml
+ name: {prod-id-short}-user-configmap
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -73,7 +73,7 @@ for other possible labels and annotations.
 kind: Secret
 apiVersion: v1
 metadata:
- name: user-secret
+ name: {prod-id-short}-user-secret
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -89,7 +89,7 @@ data:
 kind: Secret
 apiVersion: v1
 metadata:
- name: user-certificates
+ name: {prod-id-short}-user-secret
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -113,7 +113,7 @@ See the link:https://devfile.io/docs/{devfile-api-version}/adding-event-bindings
 kind: Secret
 apiVersion: v1
 metadata:
- name: user-env
+ name: {prod-id-short}-user-secret
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -139,7 +139,7 @@ To modify the 'PersistentVolumeClaim', delete it and create a new one in {prod-n
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: user-pvc
+ name: {prod-id-short}-user-pvc
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -155,7 +155,7 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: user-pvc
+ name: {prod-id-short}-user-pvc
 namespace: {prod-namespace}
 labels:
 app.kubernetes.io/part-of: che.eclipse.org
@@ -174,9 +174,122 @@ spec:
 ----
 ====
+. Create the `Template` below to replicate resources included in the Template to every user {namespace}.
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: {prod-id-short}-user-namespace-configurator
+ namespace: {prod-namespace}
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+objects:
+ ...
+parameters:
+- name: PROJECT_NAME
+- name: PROJECT_ADMIN_USER
+
+----
++
+The `objects` array can contain any number of resources, including the previously mentioned ConfigMaps, Secrets, and PersistentVolumeClaims.
++
+The `parameters` are optional and define which parameters can be used. Currently, only `PROJECT_NAME` and `PROJECT_ADMIN_USER` are supported. `PROJECT_NAME` is the name of the {prod-short} {namespace}, while `PROJECT_ADMIN_USER` is the {prod-short} user of the {namespace}.
++
+The {namespace} name in objects is omitted and replaced with the user's {namespace} name during synchronization.
++
+.Synchronizing {kubernetes} resources to a user workspace:
+====
+[source,yaml,subs="+attributes,+quotes"]
+----
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: {prod-id-short}-user-namespace-configurator
+ namespace: {prod-namespace}
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+objects:
+- apiVersion: v1
+ kind: ResourceQuota
+ metadata:
+ name: {prod-id-short}-user-resource-quota
+ spec:
+ ...
+- apiVersion: v1
+ kind: LimitRange
+ metadata:
+ name: {prod-id-short}-user-resource-constraint
+ spec:
+ ...
+- kind: ConfigMap
+ apiVersion: v1
+ metadata:
+ name: {prod-id-short}-user-configmap
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+ annotations:
+ controller.devfile.io/mount-as: subpath
+ controller.devfile.io/mount-path: /home/user/
+ data:
+ ...
+- kind: Secret
+ apiVersion: v1
+ metadata:
+ name: {prod-id-short}-user--secret
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+ annotations:
+ controller.devfile.io/mount-as: subpath
+ controller.devfile.io/mount-path: /home/user/
+ stringData:
+ ...
+- apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: {prod-id-short}-user-pvc
+ labels:
+ app.kubernetes.io/part-of: che.eclipse.org
+ app.kubernetes.io/component: workspaces-config
+ controller.devfile.io/mount-to-devworkspace: 'true'
+ annotations:
+ controller.devfile.io/mount-path: /home/user/user-pvc
+ controller.devfile.io/read-only: 'false'
+ spec:
+ ...
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: {prod-id-short}-user-roles
+ rules:
+ ...
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: {prod-id-short}-user-rolebinding
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: che-user-roles
+ subjects:
+ - kind: User
+ apiGroup: rbac.authorization.k8s.io
+ name: ${PROJECT_ADMIN_USER}
+parameters:
+- name: PROJECT_NAME
+- name: PROJECT_ADMIN_USER
+----
+NOTE: [.]#Creating# Template Kubernetes resources is supported only on OpenShift.
+====
+
 .Additional resources
 * xref:end-user-guide:mounting-configmaps.adoc[]
 * xref:end-user-guide:mounting-secrets.adoc[]
 * xref:end-user-guide:requesting-persistent-storage-for-workspaces.adoc[]
 * link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
-
+* link:https://docs.openshift.com/container-platform/latest/rest_api/template_apis/template-template-openshift-io-v1.html[OpenShift API reference for `Template`]
From ee763bebb247e49c9a6cef2fd024cda3dae8312d Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Mon, 4 Nov 2024 15:52:58 +0100
Subject: [PATCH 2/4] fixup
Signed-off-by: Anatolii Bazko
---
 modules/administration-guide/nav.adoc | 2 +-
 .../pages/configuring-a-user-namespace.adoc | 72 ++++++-------------
 .../configuring-namespace-provisioning.adoc | 1 +
 3 files changed, 25 insertions(+), 50 deletions(-)
diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
index ade8b2b88b..a85fcb205c 100644
--- a/modules/administration-guide/nav.adoc
+++ b/modules/administration-guide/nav.adoc
@@ -37,6 +37,7 @@
 ** xref:configuring-namespace-provisioning.adoc[]
 *** xref:configuring-workspace-target-namespace.adoc[]
 *** xref:provisioning-namespaces-in-advance.adoc[]
+*** xref:configuring-a-user-namespace.adoc[]
 ** xref:configuring-server-components.adoc[]
 *** xref:mounting-a-secret-as-a-file-or-an-environment-variable-into-a-container.adoc[]
 *** xref:advanced-configuration-options-for-the-che-server-component.adoc[]
@@ -50,7 +51,6 @@
 *** xref:deploying-che-with-support-for-git-repositories-with-self-signed-certificates.adoc[]
 *** xref:configuring-workspaces-nodeselector.adoc[]
 *** xref:configuring-the-open-vsx-registry-url.adoc[]
-*** xref:configuring-a-user-namespace.adoc[]
 *** xref:configuring-allowed-urls-for-cloud-development-environments.adoc[]
 ** xref:caching-images-for-faster-workspace-start.adoc[]
 *** xref:installing-kubernetes-image-puller.adoc[]
diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
index 29075d521f..1f96c01934 100644
--- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc
+++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
@@ -8,9 +8,7 @@
 = Configuring a user namespace
 This procedure walks you through the process of using {prod-short}
-to replicate `ConfigMaps`, `Secrets` and `PersistentVolumeClaim` from `{prod-namespace}` namespace to numerous
-user-specific namespaces. The {prod-short} automates the synchronization of important configuration
-data such as shared credentials, configuration files, and certificates to user namespaces.
+to replicate `ConfigMaps`, `Secrets`, `PersistentVolumeClaim` and other {kubernetes} objects from `{prod-namespace}` namespace to numerous user-specific namespaces. The {prod-short} automates the synchronization of important configuration data such as shared credentials, configuration files, and certificates to user namespaces.
 If you make changes to a {kubernetes} resource in an {prod-namespace} namespace, {prod-short} will immediately replicate the changes across all users namespaces.
@@ -132,7 +130,7 @@ To enhance the configurability, you can customize the `PersistentVolumeClaim` by
 See the link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
 for other possible labels and annotations.
 +
-To modify the 'PersistentVolumeClaim', delete it and create a new one in {prod-namespace} namespace.
+To modify the `PersistentVolumeClaim`, delete it and create a new one in {prod-namespace} namespace.
 +
 [source,yaml,subs="+attributes,+quotes"]
 ----
@@ -174,7 +172,22 @@ spec:
 ----
 ====
-. Create the `Template` below to replicate resources included in the Template to every user {namespace}.
+. To leverage the OpenShift Kubernetes Engine, you can create a `Template` object to replicate all resources defined within the template across each user {namespace}.
++
+Aside from the previously mentioned `ConfigMap`, `Secret`, and `PersistentVolumeClaim`, `Template` objects can include:
++
+* `Deployments`
+* `DevWorkspace`
+* `DevWorkspaceTemplate`
+* `Jobs`
+* `LimitRange`
+* `NetworkPolicy`
+* `ResourceQuota`
+* `Role`
+* `RoleBinding`
+* `Route`
+* `Service`
+* `ServiceAccount`
 +
 [source,yaml,subs="+attributes,+quotes"]
 ----
@@ -194,13 +207,11 @@ parameters:
 ----
 +
-The `objects` array can contain any number of resources, including the previously mentioned ConfigMaps, Secrets, and PersistentVolumeClaims.
-+
 The `parameters` are optional and define which parameters can be used. Currently, only `PROJECT_NAME` and `PROJECT_ADMIN_USER` are supported. `PROJECT_NAME` is the name of the {prod-short} {namespace}, while `PROJECT_ADMIN_USER` is the {prod-short} user of the {namespace}.
 +
-The {namespace} name in objects is omitted and replaced with the user's {namespace} name during synchronization.
+The {namespace} name in objects is omitted and will be replaced with the user's {namespace} name during synchronization.
 +
-.Synchronizing {kubernetes} resources to a user workspace:
+.Replicating {kubernetes} resources to a user namespace:
 ====
 [source,yaml,subs="+attributes,+quotes"]
 ----
@@ -225,43 +236,6 @@ objects:
 name: {prod-id-short}-user-resource-constraint
 spec:
 ...
-- kind: ConfigMap
- apiVersion: v1
- metadata:
- name: {prod-id-short}-user-configmap
- labels:
- app.kubernetes.io/part-of: che.eclipse.org
- app.kubernetes.io/component: workspaces-config
- annotations:
- controller.devfile.io/mount-as: subpath
- controller.devfile.io/mount-path: /home/user/
- data:
- ...
-- kind: Secret
- apiVersion: v1
- metadata:
- name: {prod-id-short}-user--secret
- labels:
- app.kubernetes.io/part-of: che.eclipse.org
- app.kubernetes.io/component: workspaces-config
- annotations:
- controller.devfile.io/mount-as: subpath
- controller.devfile.io/mount-path: /home/user/
- stringData:
- ...
-- apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: {prod-id-short}-user-pvc
- labels:
- app.kubernetes.io/part-of: che.eclipse.org
- app.kubernetes.io/component: workspaces-config
- controller.devfile.io/mount-to-devworkspace: 'true'
- annotations:
- controller.devfile.io/mount-path: /home/user/user-pvc
- controller.devfile.io/read-only: 'false'
- spec:
- ...
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -275,16 +249,15 @@ objects:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: che-user-roles
+ name: {prod-id-short}-user-roles
 subjects:
 - kind: User
 apiGroup: rbac.authorization.k8s.io
 name: ${PROJECT_ADMIN_USER}
 parameters:
-- name: PROJECT_NAME
 - name: PROJECT_ADMIN_USER
 ----
-NOTE: [.]#Creating# Template Kubernetes resources is supported only on OpenShift.
+NOTE: Creating Template Kubernetes resources is supported only on OpenShift.
 ====
 .Additional resources
@@ -293,3 +266,4 @@ NOTE: [.]#Creating# Template Kubernetes resources is supported only on OpenShift
 * xref:end-user-guide:requesting-persistent-storage-for-workspaces.adoc[]
 * link:https://github.com/devfile/devworkspace-operator/blob/main/docs/additional-configuration.adoc#automatically-mounting-volumes-configmaps-and-secrets[Automatically mounting volumes, configmaps, and secrets]
 * link:https://docs.openshift.com/container-platform/latest/rest_api/template_apis/template-template-openshift-io-v1.html[OpenShift API reference for `Template`]
+* link:https://docs.openshift.com/container-platform/latest/applications/projects/configuring-project-creation.html[Configuring OpenShift project creation]
\ No newline at end of file
diff --git a/modules/administration-guide/pages/configuring-namespace-provisioning.adoc b/modules/administration-guide/pages/configuring-namespace-provisioning.adoc
index e651f06fb8..0502e2f333 100644
--- a/modules/administration-guide/pages/configuring-namespace-provisioning.adoc
+++ b/modules/administration-guide/pages/configuring-namespace-provisioning.adoc
@@ -15,3 +15,4 @@ You can modify {prod-short} behavior by:
 * xref:configuring-workspace-target-namespace.adoc[]
 * xref:provisioning-namespaces-in-advance.adoc[]
+* xref:configuring-a-user-namespace.adoc[]
\ No newline at end of file
From 1b5255d5d28874db687a25a88a5d6213d30dc1a5 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Tue, 5 Nov 2024 12:11:34 +0100
Subject: [PATCH 3/4] fixup
Signed-off-by: Anatolii Bazko
---
 .../pages/configuring-a-user-namespace.adoc | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
index 1f96c01934..008f0ead2f 100644
--- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc
+++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
@@ -176,18 +176,11 @@ spec:
 +
 Aside from the previously mentioned `ConfigMap`, `Secret`, and `PersistentVolumeClaim`, `Template` objects can include:
 +
-* `Deployments`
-* `DevWorkspace`
-* `DevWorkspaceTemplate`
-* `Jobs`
 * `LimitRange`
 * `NetworkPolicy`
 * `ResourceQuota`
 * `Role`
 * `RoleBinding`
-* `Route`
-* `Service`
-* `ServiceAccount`
 +
 [source,yaml,subs="+attributes,+quotes"]
 ----
@@ -209,7 +202,7 @@ parameters:
 +
 The `parameters` are optional and define which parameters can be used. Currently, only `PROJECT_NAME` and `PROJECT_ADMIN_USER` are supported. `PROJECT_NAME` is the name of the {prod-short} {namespace}, while `PROJECT_ADMIN_USER` is the {prod-short} user of the {namespace}.
 +
-The {namespace} name in objects is omitted and will be replaced with the user's {namespace} name during synchronization.
+The {namespace} name in objects will be replaced with the user's {namespace} name during synchronization.
 +
 .Replicating {kubernetes} resources to a user namespace:
 ====
From 33cd46f75744ca5ef172cb1c653c5e90a4876c9d Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Wed, 6 Nov 2024 11:52:28 +0100
Subject: [PATCH 4/4] Update modules/administration-guide/pages/configuring-a-user-namespace.adoc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Fabrice Flore-Thébault
---
 .../pages/configuring-a-user-namespace.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/administration-guide/pages/configuring-a-user-namespace.adoc b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
index 008f0ead2f..8cf2ae52cd 100644
--- a/modules/administration-guide/pages/configuring-a-user-namespace.adoc
+++ b/modules/administration-guide/pages/configuring-a-user-namespace.adoc
@@ -246,7 +246,7 @@ objects:
 subjects:
 - kind: User
 apiGroup: rbac.authorization.k8s.io
- name: ${PROJECT_ADMIN_USER}
+ name: $\{PROJECT_ADMIN_USER}
 parameters:
 - name: PROJECT_ADMIN_USER
 ----