Skip to content

Enabling DevWorkspace for Tenant's sandbox in OpenShift#

DevWorkspaces metadata via Multi Tenant Operator#

DevWorkspaces require specific metadata on a namespace for it to work in it. With Multi Tenant Operator (MTO), you can create sandbox namespaces for users of a Tenant, and then add the required metadata automatically on all sandboxes.

Required metadata for enabling DevWorkspace on sandbox#

  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-namespace
  annotations:
    che.eclipse.org/username: <username>

Automate sandbox metadata for all Tenant users via Tenant CR#

With Multi Tenant Operator (MTO), you can set sandboxMetadata like below to automate metadata for all sandboxes:

apiVersion: tenantoperator.stakater.com/v1beta3
kind: Tenant
metadata:
  name: bluesky
spec:
  quota: small
  accessControl:
    owners:
      users:
        - anna@acme.org
    editors:
      users:
        - erik@acme.org
    viewers:
      users:
        - john@acme.org
  namespaces:
    sandboxes:
      enabled: true
      private: false
    metadata:
      sandbox:
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: workspaces-namespace
        annotations:
          che.eclipse.org/username: "{{ TENANT.USERNAME }}"

It will create sandbox namespaces and also apply the sandboxMetadata for owners and editors. Notice the template {{ TENANT.USERNAME }}, it will resolve the username as value of the corresponding annotation. For more info on templated value, see here

Automate sandbox metadata for all Tenant users via IntegrationConfig CR#

You can also automate the metadata on all sandbox namespaces by using IntegrationConfig, notice metadata.sandboxes:

apiVersion: tenantoperator.stakater.com/v1beta1
kind: IntegrationConfig
metadata:
  name: tenant-operator-config
  namespace: multi-tenant-operator
spec:
  accessControl:
    namespaceAccessPolicy:
      deny:
        privilegedNamespaces: {}
    privileged:
      namespaces:
      - ^default$
      - ^openshift.*
      - ^kube.*
      serviceAccounts:
      - ^system:serviceaccount:openshift.*
      - ^system:serviceaccount:kube.*
      - ^system:serviceaccount:stakater-actions-runner-controller:actions-runner-controller-runner-deployment$
    rbac:
      tenantRoles:
        default:
          editor:
            clusterRoles:
            - edit
          owner:
            clusterRoles:
            - admin
          viewer:
            clusterRoles:
            - view
  components:
    console: false
    ingress:
      console: {}
      gateway: {}
      keycloak: {}
    showback: false
  integrations:
    vault:
      accessInfo:
        accessorPath: ""
        address: ""
        roleName: ""
        secretRef:
          name: ""
          namespace: ""
      authMethod: kubernetes
      config:
        ssoClient: ""
      enabled: false
  metadata:
    groups: {}
    namespaces: {}
    sandboxes:
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: workspaces-namespace
      annotations:
        che.eclipse.org/username: "{{ TENANT.USERNAME }}"

For more info on templated value "{{ TENANT.USERNAME }}", see here