eclipse-che · AndrienkoAleksandr · Aug 3, 2021 · Jul 6, 2021 · Aug 2, 2021 · Aug 2, 2021
@@ -22,12 +22,15 @@ che.database=${che.home}/storage
 che.api=http://${CHE_HOST}:${CHE_PORT}/api
 
 # API service internal network URL. Back-end services should initiate REST communications to {prod-short} server with this URL
-che.api.internal=http://${CHE_HOST}:${CHE_PORT}/api
+che.api.internal=NULL
 
 # {prod-short} WebSocket major endpoint. Provides basic communication endpoint
 # for major WebSocket interactions and messaging.
 che.websocket.endpoint=ws://${CHE_HOST}:${CHE_PORT}/api/websocket
 
+# {prod-short} WebSocket major internal endpoint. Provides basic communication endpoint
+# for major WebSocket interactions and messaging.
+che.websocket.internal.endpoint=NULL
 
 # Your projects are synchronized from the {prod-short} server into the machine running each
 # workspace. This is the directory in the machine where your projects are placed.
@@ -741,9 +744,9 @@ che.infra.kubernetes.async.storage.image=quay.io/eclipse/che-workspace-data-sync
 # key=value pairs, for example: `disktype=ssd,cpu=xlarge,foo=bar`
 che.workspace.pod.node_selector=NULL
 
-# Optionally configures tolerations for workspace Pod. Format is a string representing a JSON Array of taint tolerations, 
-# or `NULL` to disable it. The objects contained in the array have to follow the 
-# link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core[toleration v1 core specifications]. 
+# Optionally configures tolerations for workspace Pod. Format is a string representing a JSON Array of taint tolerations,
+# or `NULL` to disable it. The objects contained in the array have to follow the
+# link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core[toleration v1 core specifications].
 # Example: `[{"effect":"NoExecute","key":"aNodeTaint","operator":"Equal","value":"aValue"}]`
 che.workspace.pod.tolerations_json=NULL
 

@@ -110,7 +110,7 @@ che.keycloak.realm=che
 
 # Keycloak client identifier in `che.keycloak.realm` to authenticate users in the dashboard, the IDE, and the CLI.
 che.keycloak.client_id=che-public
-        
+
 # URL to access OSO OAuth tokens
 che.keycloak.oso.endpoint=NULL
 

@@ -21,21 +21,21 @@ data:
   CHE_API: https://{{ template "cheHost" . }}/api
   {{- if .Values.global.useInternalClusterSVCNames }}
   CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api
-  {{- else }}
-  CHE_API_INTERNAL: https://{{ template "cheHost" . }}/api
   {{- end }}
   CHE_WEBSOCKET_ENDPOINT:  wss://{{ template "cheHost" . }}/api/websocket
   CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: https://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
 {{ else }}
   CHE_API: http://{{ template "cheHost" . }}/api
   {{- if .Values.global.useInternalClusterSVCNames }}
   CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api
-  {{- else }}
-  CHE_API_INTERNAL: http://{{ template "cheHost" . }}/api
   {{- end }}
   CHE_WEBSOCKET_ENDPOINT:  ws://{{ template "cheHost" . }}/api/websocket
   CHE_WEBSOCKET_ENDPOINT__MINOR:  ws://{{ template "cheHost" . }}/api/websocket-minor
   CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: http://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
+{{- end }}
+{{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_WEBSOCKET_INTERNAL_ENDPOINT: ws://che-host.{{ .Release.Namespace }}.svc:8080/api/websocket
+  CHE_WEBSOCKET_INTERNAL_ENDPOINT__MINOR: ws://che-host.{{ .Release.Namespace }}.svc:8080/api/websocket-minor
 {{- end }}
   CHE_DEBUG_SERVER: "true"
   CHE_INFRASTRUCTURE_ACTIVE: "kubernetes"
@@ -54,8 +54,6 @@ data:
   CHE_KEYCLOAK_AUTH__SERVER__URL: {{ template "keycloakAuthUrl" . }}
   {{- if .Values.global.useInternalClusterSVCNames }}
   CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: http://keycloak.{{ .Release.Namespace }}.svc:5050/auth
-  {{- else }}
-  CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: {{ template "keycloakAuthUrl" . }}
   {{- end }}
   CHE_KEYCLOAK_REALM: {{ .Values.cheKeycloakRealm }}
 {{- end }}
@@ -121,24 +119,18 @@ data:
 {{- end }}
 {{- if .Values.che.workspace.devfileRegistryUrl }}
   CHE_WORKSPACE_DEVFILE__REGISTRY__URL: {{ .Values.che.workspace.devfileRegistryUrl | quote }}
-  CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.devfileRegistryUrl | quote }}
 {{- else if .Values.cheDevfileRegistry.deploy }}
   CHE_WORKSPACE_DEVFILE__REGISTRY__URL: {{ template "devfileRegistryUrl" . }}
   {{- if .Values.global.useInternalClusterSVCNames }}
   CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: http://devfile-registry.{{ .Release.Namespace }}.svc:8080
-  {{- else }}
-  CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ template "devfileRegistryUrl" . }}
   {{- end }}
 {{- end }}
 {{- if .Values.che.workspace.pluginRegistryUrl }}
   CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }}
-  CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }}
 {{- else if .Values.chePluginRegistry.deploy }}
   CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ template "pluginRegistryUrl" . }}
   {{- if .Values.global.useInternalClusterSVCNames }}
   CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: http://plugin-registry.{{ .Release.Namespace }}.svc:8080/v3
-  {{- else }}
-  CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ template "pluginRegistryUrl" . }}
   {{- end }}
 {{- end }}
 {{- if .Values.che.workspace.pluginBroker }}

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2018 Red Hat, Inc.
+ * Copyright (c) 2012-2021 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/

@@ -11,11 +11,14 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.provision;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
+
 import javax.inject.Inject;
 import javax.inject.Named;
 import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.provision.env.CheApiInternalEnvVarProvider;
+import org.eclipse.che.commons.annotation.Nullable;
 import org.eclipse.che.commons.lang.Pair;
 
 /**
@@ -29,12 +32,15 @@ public class KubernetesCheApiInternalEnvVarProvider implements CheApiInternalEnv
 
   @Inject
   public KubernetesCheApiInternalEnvVarProvider(
-      @Named("che.api.internal") String cheServerEndpoint) {
+      @Nullable @Named("che.api.internal") String cheServerEndpoint) {
     this.cheServerEndpoint = cheServerEndpoint;
   }
 
   @Override
   public Pair<String, String> get(RuntimeIdentity runtimeIdentity) throws InfrastructureException {
+    if (isNullOrEmpty(this.cheServerEndpoint)) {
+      return null;
+    }
     return Pair.of(CHE_API_INTERNAL_VARIABLE, cheServerEndpoint);
   }
 }
@@ -85,24 +85,30 @@ public abstract class BrokerEnvironmentFactory<E extends KubernetesEnvironment>
 
   public BrokerEnvironmentFactory(
       String cheWebsocketEndpoint,
+      String cheWebsocketInternalEndpoint,
       String brokerPullPolicy,
       AgentAuthEnableEnvVarProvider authEnableEnvVarProvider,
       MachineTokenEnvVarProvider machineTokenEnvVarProvider,
       String artifactsBrokerImage,
       String metadataBrokerImage,
-      String pluginRegistryUrl,
+      String pluginRegistryExternalUrl,
       String pluginRegistryInternalUrl,
       TrustedCAProvisioner trustedCAProvisioner,
       String certificateMountPath,
       CertificateProvisioner certProvisioner) {
-    this.cheWebsocketEndpoint = cheWebsocketEndpoint;
+    this.cheWebsocketEndpoint =
+        isNullOrEmpty(cheWebsocketInternalEndpoint)
+            ? cheWebsocketEndpoint
+            : cheWebsocketInternalEndpoint;
     this.brokerPullPolicy = brokerPullPolicy;
     this.authEnableEnvVarProvider = authEnableEnvVarProvider;
     this.machineTokenEnvVarProvider = machineTokenEnvVarProvider;
     this.artifactsBrokerImage = artifactsBrokerImage;
     this.metadataBrokerImage = metadataBrokerImage;
     this.pluginRegistryUrl =
-        isNullOrEmpty(pluginRegistryInternalUrl) ? pluginRegistryUrl : pluginRegistryInternalUrl;
+        isNullOrEmpty(pluginRegistryInternalUrl)
+            ? pluginRegistryExternalUrl
+            : pluginRegistryInternalUrl;
     this.trustedCAProvisioner = trustedCAProvisioner;
     this.certificateMountPath = certificateMountPath;
     this.certProvisioner = certProvisioner;

@@ -35,25 +35,27 @@ public class KubernetesBrokerEnvironmentFactory
   @Inject
   public KubernetesBrokerEnvironmentFactory(
       @Named("che.websocket.endpoint") String cheWebsocketEndpoint,
+      @Nullable @Named("che.websocket.internal.endpoint") String cheWebsocketInternalEndpoint,
       @Named("che.workspace.plugin_broker.pull_policy") String brokerPullPolicy,
       @Named("che.infra.kubernetes.trusted_ca.mount_path") String certificateMountPath,
       AgentAuthEnableEnvVarProvider authEnableEnvVarProvider,
       MachineTokenEnvVarProvider machineTokenEnvVarProvider,
       @Named("che.workspace.plugin_broker.artifacts.image") String artifactsBrokerImage,
       @Named("che.workspace.plugin_broker.metadata.image") String metadataBrokerImage,
-      @Nullable @Named("che.workspace.plugin_registry_url") String pluginRegistryUrl,
+      @Nullable @Named("che.workspace.plugin_registry_url") String pluginRegistryExternalUrl,
       @Nullable @Named("che.workspace.plugin_registry_internal_url")
           String pluginRegistryInternalUrl,
       KubernetesTrustedCAProvisioner trustedCAProvisioner,
       CertificateProvisioner certProvisioner) {
     super(
         cheWebsocketEndpoint,
+        cheWebsocketInternalEndpoint,
         brokerPullPolicy,
         authEnableEnvVarProvider,
         machineTokenEnvVarProvider,
         artifactsBrokerImage,
         metadataBrokerImage,
-        pluginRegistryUrl,
+        pluginRegistryExternalUrl,
         pluginRegistryInternalUrl,
         trustedCAProvisioner,
         certificateMountPath,

@@ -71,6 +71,7 @@ public void setUp() throws Exception {
         spy(
             new BrokerEnvironmentFactory<KubernetesEnvironment>(
                 PUSH_ENDPOINT,
+                null,
                 IMAGE_PULL_POLICY,
                 authEnableEnvVarProvider,
                 machineTokenEnvVarProvider,

@@ -33,6 +33,7 @@ public class OpenshiftBrokerEnvironmentFactory
   @Inject
   public OpenshiftBrokerEnvironmentFactory(
       @Named("che.websocket.endpoint") String cheWebsocketEndpoint,
+      @Nullable @Named("che.websocket.internal.endpoint") String cheWebsocketInternalEndpoint,
       @Named("che.workspace.plugin_broker.pull_policy") String brokerPullPolicy,
       AgentAuthEnableEnvVarProvider authEnableEnvVarProvider,
       MachineTokenEnvVarProvider machineTokenEnvVarProvider,
@@ -46,6 +47,7 @@ public OpenshiftBrokerEnvironmentFactory(
       OpenshiftTrustedCAProvisioner trustedCAProvisioner) {
     super(
         cheWebsocketEndpoint,
+        cheWebsocketInternalEndpoint,
         brokerPullPolicy,
         authEnableEnvVarProvider,
         machineTokenEnvVarProvider,

@@ -11,6 +11,8 @@
  */
 package org.eclipse.che.multiuser.keycloak.server;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
+
 import com.auth0.jwk.GuavaCachedJwkProvider;
 import com.auth0.jwk.JwkProvider;
 import com.auth0.jwk.UrlJwkProvider;
@@ -27,7 +29,10 @@ public class KeycloakJwkProvider implements Provider<JwkProvider> {
 
   @Inject
   public KeycloakJwkProvider(OIDCInfo oidcInfo) throws MalformedURLException {
-    final String jwksUrl = oidcInfo.getJwksUri();
+    final String jwksUrl =
+        isNullOrEmpty(oidcInfo.getJwksInternalUri())
+            ? oidcInfo.getJwksPublicUri()
+            : oidcInfo.getJwksInternalUri();
 
     if (jwksUrl == null) {
       throw new ConfigurationException("Jwks endpoint url not found in keycloak settings");

@@ -11,6 +11,8 @@
  */
 package org.eclipse.che.multiuser.keycloak.server;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
+
 import java.io.IOException;
 import java.util.Map;
 import javax.inject.Inject;
@@ -37,7 +39,10 @@ public class KeycloakProfileRetriever {
   @Inject
   public KeycloakProfileRetriever(OIDCInfo oidcInfo, HttpJsonRequestFactory requestFactory) {
     this.requestFactory = requestFactory;
-    this.keyclockCurrentUserInfoUrl = oidcInfo.getUserInfoEndpoint();
+    this.keyclockCurrentUserInfoUrl =
+        isNullOrEmpty(oidcInfo.getUserInfoInternalEndpoint())
+            ? oidcInfo.getUserInfoPublicEndpoint()
+            : oidcInfo.getUserInfoInternalEndpoint();
   }
 
   /**

@@ -17,27 +17,27 @@ public class OIDCInfo {
   private final String tokenPublicEndpoint;
   private final String endSessionPublicEndpoint;
   private final String userInfoPublicEndpoint;
-  private final String userInfoEndpoint;
+  private final String userInfoInternalEndpoint;
   private final String jwksPublicUri;
-  private final String jwksUri;
+  private final String jwksInternalUri;
   private final String authServerURL;
   private final String authServerPublicURL;
 
   public OIDCInfo(
       String tokenPublicEndpoint,
       String endSessionPublicEndpoint,
       String userInfoPublicEndpoint,
-      String userInfoEndpoint,
+      String userInfoInternalEndpoint,
       String jwksPublicUri,
-      String jwksUri,
+      String jwksInternalUri,
       String authServerURL,
       String authServerPublicURL) {
     this.tokenPublicEndpoint = tokenPublicEndpoint;
     this.endSessionPublicEndpoint = endSessionPublicEndpoint;
     this.userInfoPublicEndpoint = userInfoPublicEndpoint;
-    this.userInfoEndpoint = userInfoEndpoint;
+    this.userInfoInternalEndpoint = userInfoInternalEndpoint;
     this.jwksPublicUri = jwksPublicUri;
-    this.jwksUri = jwksUri;
+    this.jwksInternalUri = jwksInternalUri;
 
     this.authServerURL = authServerURL;
     this.authServerPublicURL = authServerPublicURL;
@@ -58,25 +58,19 @@ public String getUserInfoPublicEndpoint() {
     return userInfoPublicEndpoint;
   }
 
-  /**
-   * @return url to get user profile information. Url will be internal if internal network enabled,
-   *     otherwise url will be public.
-   */
-  public String getUserInfoEndpoint() {
-    return userInfoEndpoint;
+  /** @return internal network url to get user profile information. */
+  public String getUserInfoInternalEndpoint() {
+    return userInfoInternalEndpoint;
   }
 
   /** @return public url to retrieve JWK public key for token validation. */
   public String getJwksPublicUri() {
     return jwksPublicUri;
   }
 
-  /**
-   * @return url to retrieve JWK public key for token validation. Url will be internal if internal
-   *     network enabled, otherwise url will be public.
-   */
-  public String getJwksUri() {
-    return jwksUri;
+  /** @return internal network url to retrieve JWK public key for token validation. */
+  public String getJwksInternalUri() {
+    return jwksInternalUri;
   }
 
   /**

@@ -86,16 +86,16 @@ public OIDCInfo get() {
       String endSessionPublicEndpoint =
           setPublicUrl((String) openIdConfiguration.get("end_session_endpoint"));
       String jwksPublicUri = setPublicUrl((String) openIdConfiguration.get("jwks_uri"));
-      String jwksUri = setInternalUrl(jwksPublicUri);
-      String userInfoEndpoint = setInternalUrl(userInfoPublicEndpoint);
+      String jwksInternalUri = setInternalUrl(jwksPublicUri);
+      String userInfoInternalEndpoint = setInternalUrl(userInfoPublicEndpoint);
 
       return new OIDCInfo(
           tokenPublicEndPoint,
           endSessionPublicEndpoint,
           userInfoPublicEndpoint,
-          userInfoEndpoint,
+          userInfoInternalEndpoint,
           jwksPublicUri,
-          jwksUri,
+          jwksInternalUri,
           serverAuthUrl,
           serverURL);
     } catch (IOException e) {
@@ -136,7 +136,7 @@ private String setInternalUrl(String endpointUrl) {
     if (serverURL != null && serverInternalURL != null) {
       return endpointUrl.replace(serverURL, serverInternalURL);
     }
-    return endpointUrl;
+    return null;
   }
 
   private String setPublicUrl(String endpointUrl) {