<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="keywords" content=", ">
<title>Configuring workspace exposure strategies | Eclipse Che Documentation</title>
<link rel="stylesheet" href="/che/docs/css/syntax.css">
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" crossorigin="anonymous">
<!--<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">-->
<link rel="stylesheet" href="/che/docs/css/modern-business.css">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="/che/docs/css/customstyles.css">
<link rel="stylesheet" href="/che/docs/css/boxshadowproperties.css">
<!-- most color styles are extracted out to here -->
<link rel="stylesheet" href="/che/docs/css/theme-che.css">
<link rel="stylesheet" href="/che/docs/css/coderay.css" media="screen" type="text/css">
<link rel="stylesheet" href="/che/docs/css/asciidoc.css" type="text/css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js" crossorigin="anonymous"></script>
<script src="/che/docs/js/jquery.navgoco.min.js"></script>
<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<!-- Anchor.js -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/2.0.0/anchor.min.js" crossorigin="anonymous"></script>
<script src="/che/docs/js/toc.js"></script>
<script src="/che/docs/js/customscripts.js"></script>
<link rel="shortcut icon" href="/che/docs/images/favicon.ico">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="alternate" type="application/rss+xml" title="che" href="/feed.xml">
<script>
$(document).ready(function() {
// Initialize navgoco with default options
$("#mysidebar").navgoco({
caretHtml: '',
accordion: false,
openClass: 'active', // open
save: false, // leave false or nav highlighting doesn't work right
cookie: {
name: 'navgoco',
expires: false,
path: '/'
},
slide: {
duration: 400,
easing: 'swing'
}
});
$("#collapseAll").click(function(e) {
e.preventDefault();
$("#mysidebar").navgoco('toggle', false);
});
$("#expandAll").click(function(e) {
e.preventDefault();
$("#mysidebar").navgoco('toggle', true);
});
});
</script>
<script>
$(function () {
$('[data-toggle="tooltip"]').tooltip()
})
</script>
<script>
$(document).ready(function() {
$("#tg-sb-link").click(function() {
$("#tg-sb-sidebar").toggle();
$("#tg-sb-content").toggleClass('col-md-9');
$("#tg-sb-content").toggleClass('col-md-12');
$("#tg-sb-icon").toggleClass('fa-toggle-on');
$("#tg-sb-icon").toggleClass('fa-toggle-off');
});
});
</script>
</head>
<body>
<!-- Page Content -->
<div class="container">
<div id="main">
<!-- Content Row -->
<div class="row">
<!-- Content Column -->
<div class="col-md-9" id="tg-sb-content">
<div class="post-header">
<h1 class="post-title-main">Configuring workspace exposure strategies</h1>
</div>
<div class="post-content">
<!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. -->
<script>
$( document ).ready(function() {
// Handler for .ready() called.
$('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2' });
/* this offset helps account for the space taken up by the floating toolbar. */
$('#toc').on('click', 'a', function() {
var target = $(this.getAttribute('href'))
, scroll_target = target.offset().top
$(window).scrollTop(scroll_target - 10);
return false
})
});
</script>
<div id="toc"></div>
<!--
-->
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>The following section describes how to configure workspace exposure strategies of a Che server and ensure that applications running inside are not vulnerable to outside attacks.</p>
</div>
<div class="paragraph">
<p>The workspace exposure strategy is configured per Che server, using the <code>che.infra.kubernetes.server_strategy</code> configuration property or the <code>CHE_INFRA_KUBERNETES_SERVER__STRATEGY</code> environment variable.</p>
</div>
<div class="paragraph">
<p>The supported values for <code>che.infra.kubernetes.server_strategy</code> are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>multi-host</code></p>
</li>
<li>
<p><code>single-host</code></p>
</li>
<li>
<p><code>default-host</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>For the multi-host strategy, set the <code>che.infra.kubernetes.ingress.domain</code> configuration property (or the <code>CHE_INFRA_KUBERNETES_INGRESS_DOMAIN</code> environment variable) to the domain name that will host workspace component subdomains.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="workspace-exposure-strategies_configuring-workspace-exposure-strategies">Workspace exposure strategies</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Specific components of workspaces need to be made accessible outside of the Kubernetes or OpenShift cluster. This is typically the user interface of the workspace’s IDE, but it can also be the web UI of the application being developed. This enables developers to interact with the application during the development process.</p>
</div>
<div class="paragraph">
<p>Che supports three ways to make workspace components available to the users, also referred to as <em>strategies</em>:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>multi-host strategy</p>
</li>
<li>
<p>single-host strategy</p>
</li>
<li>
<p>default-host strategy</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The strategies define whether new subdomains are created for components of the workspace, and what hosts these components are available on.</p>
</div>
<div class="sect2">
<h3 id="multi-host-strategy">Multi-host strategy</h3>
<div class="paragraph">
<p>With this strategy, each workspace component is assigned a new subdomain of the main domain configured for the Che server. On OpenShift, this is the only possible strategy, and manual configuration of the workspace exposure strategy is therefore always ignored.</p>
</div>
<div class="paragraph">
<p>This strategy is the easiest to understand from the perspective of component deployment because any paths present in the URL to the component are received as they are by the component.</p>
</div>
<div class="paragraph">
<p>On a Che server secured using the Transport Layer Security (TLS) protocol, creating new subdomains for each component of each workspace requires a wildcard certificate to be available for all such subdomains for the Che deployment to be practical.</p>
</div>
</div>
<div class="sect2">
<h3 id="single-host-strategy">Single-host strategy</h3>
<div class="paragraph">
<p>This strategy is available on Kubernetes, but not on OpenShift. When it is used, all workspaces are deployed to sub-paths of the main Che server domain.</p>
</div>
<div class="paragraph">
<p>This is convenient for TLS-secured Che servers because it is sufficient to have a single certificate for the Che server, which will cover all the workspace component deployments as well.</p>
</div>
<div class="paragraph">
<p>This strategy limits the exposed components and user applications. Any absolute URL generated on the server side that points back to the server does not work. This is because the server is hidden behind a path-rewriting Ingress that hides the workspace and the component-specific URL prefix from the server.</p>
</div>
<div class="paragraph">
<p>For example, when the user accesses the hypothetical <code>http(s)://che-host:che-port/component-prefix-djh3d/app/index.php</code> URL, the application sees the request coming to <code>https://internal-host/app/index.php</code>. If the application used the host in the URLs that it generates in its UI, those URLs would not work because the internal host is different from the externally visible host. If the application instead used an absolute path as the URL (for the example above, this would be <code>/app/index.php</code>), the URL would still not work, because on the outside it does not point to the application: it is missing the component-specific prefix.</p>
</div>
<div class="paragraph">
<p>Therefore, only applications that use relative URLs in their UI work with the single-host workspace exposure strategy.</p>
</div>
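<div class="paragraph">
<p>The URL behaviour described above, as an added example that is not part of the Che documentation or code base: it resolves links the way a browser does and then applies a model of the path-rewriting Ingress. The host <code>che-host.example</code> and the function names are assumptions; the prefix and internal host come from the hypothetical URL above.</p>
</div>

```javascript
// Added example. Hosts are constructed; the prefix and internal host follow the
// page's hypothetical http(s)://che-host:che-port/component-prefix-djh3d/app/index.php.
const EXTERNAL_ORIGIN = 'https://che-host.example';
const COMPONENT_PREFIX = '/component-prefix-djh3d';
const INTERNAL_ORIGIN = 'https://internal-host';

// Model of the path-rewriting Ingress: route by component prefix, then strip it.
// Returns the URL the component sees, or null when the request never reaches it.
function ingressRewrite(externalUrl) {
  const u = new URL(externalUrl);
  if (u.origin !== EXTERNAL_ORIGIN) return null;
  if (!u.pathname.startsWith(COMPONENT_PREFIX + '/')) return null;
  return INTERNAL_ORIGIN + u.pathname.slice(COMPONENT_PREFIX.length) + u.search;
}

// Resolve a link against the URL in the address bar, as a browser does,
// then check whether the resulting request still lands on the component.
function followLink(link, externalPageUrl) {
  const resolved = new URL(link, externalPageUrl).href;
  return { link, resolved, componentSees: ingressRewrite(resolved) };
}

function demo() {
  const page = EXTERNAL_ORIGIN + COMPONENT_PREFIX + '/app/index.php';
  return [
    // Host taken from what the application sees: points at the internal host.
    followLink('https://internal-host/app/login.php', page),
    // Absolute path: keeps the external host but loses the component prefix.
    followLink('/app/login.php', page),
    // Relative links: the browser keeps the prefix, so the Ingress can route them.
    followLink('login.php', page),
    followLink('../static/site.css', page),
    // A relative link that climbs above the prefix leaves the component
    // and lands on whatever else is served from the shared host.
    followLink('../../app/login.php', page),
  ];
}

for (const row of demo()) {
  console.log(row.link, '->', row.resolved, '| component sees:', row.componentSees);
}
```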
</div>
<div class="sect2">
<h3 id="default-host-strategy">Default-host strategy</h3>
<div class="paragraph">
<p>This strategy exposes the components to the outside world on the sub-paths of the default host of the cluster. It is similar to the single-host strategy. All the limitations and advantages of the single-host strategy apply to this strategy as well.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-workspace-exposure-strategies-using-a-helm-chart-and-a-operator_configuring-workspace-exposure-strategies">Configuring workspace exposure strategies using a Helm chart and an Operator</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The following section describes how to configure workspace exposure strategies of a Che server using the Helm chart and the Operator.</p>
</div>
<div class="sect2">
<h3 id="using-a-helm-chart">Using a Helm chart</h3>
<div class="paragraph">
<p>A <a href="https://helm.sh/">Helm Chart</a> is a Kubernetes extension for defining, installing, and upgrading Kubernetes applications.</p>
</div>
<div class="paragraph">
<p>When deploying Che using the Helm chart, configure the workspace exposure strategy using the <code>global.serverStrategy</code> property. To do so, add the following option to the <code>helm install</code> or <code>helm upgrade</code> command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>$ helm install --set global.serverStrategy=<em>&lt;single-host&gt;</em></pre>
</div>
</div>
<div class="paragraph">
<p>or:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>$ helm upgrade --set global.serverStrategy=<em>&lt;single-host&gt;</em></pre>
</div>
</div>
<div class="paragraph">
<p>Depending on the strategy used, replace the <code><em>&lt;single-host&gt;</em></code> option in the above example with <code>multi-host</code> or <code>default-host</code>.</p>
</div>
</div>
<div class="sect2">
<h3 id="using-an-operator">Using an Operator</h3>
<div class="paragraph">
<p><a href="https://docs.openshift.com/container-platform/latest/operators/olm-what-operators-are.html">Operators</a> are software extensions to Kubernetes that use <a href="https://docs.openshift.com/container-platform/latest/operators/crds/crd-managing-resources-from-crds.html">custom resources</a> to manage applications and their components.</p>
</div>
<div class="paragraph">
<p>When deploying Che using the Operator, configure the intended strategy by modifying the <code>spec.k8s.ingressStrategy</code> property of the CheCluster custom resource object YAML file.
To activate changes made to the CheCluster YAML file, do one of the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a new cluster by executing the <code>kubectl apply</code> command. For example:</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl apply -f <em>&lt;my-cluster.yaml&gt;</em></pre>
</div>
</div>
</li>
<li>
<p>Update the YAML file properties of an already running cluster by executing the <code>kubectl patch</code> command. For example:</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl patch checluster eclipse-che --type=json -p '[{"op": "replace", "path": "/spec/k8s/ingressStrategy", "value": "<em>single-host</em>"}]'</pre>
</div>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<p>Depending on the strategy used, replace the <code><em>single-host</em></code> option in the above example with <code>multi-host</code> or <code>default-host</code>.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="security-considerations_configuring-workspace-exposure-strategies">Security considerations</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This section explains the security impact of using different Che workspace exposure strategies.</p>
</div>
<div class="paragraph">
<p>All the security-related considerations in this section are only applicable to Che in multiuser mode. The single user mode does not impose any security restrictions.</p>
</div>
<div class="sect2">
<h3 id="json-web-token-jwt-proxy_configuring-workspace-exposure-strategies">JSON web token (JWT) proxy</h3>
<div class="paragraph">
<p>All Che plug-ins, editors, and components can require authentication of the user accessing them. This authentication is performed using a JSON web token (JWT) proxy that functions as a reverse proxy of the corresponding component, based on its configuration, and performs the authentication on behalf of the component.</p>
</div>
<div class="paragraph">
<p>The authentication uses a redirect to a special page on the Che server that propagates the workspace and user-specific authentication token (workspace access token) back to the originally requested page.</p>
</div>
<div class="paragraph">
<p>The JWT proxy accepts the workspace access token from the following places in the incoming requests, in the following order:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>The <code>token</code> query parameter</p>
</li>
<li>
<p>The <code>Authorization</code> header in the bearer-token format</p>
</li>
<li>
<p>The <code>access_token</code> cookie</p>
</li>
</ol>
</div>
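<div class="paragraph">
<p>The lookup order above, modelled in JavaScript as an added example (not the JWT proxy's own code). The request shape, the token values and the rule that an empty or non-bearer value falls through to the next place are assumptions; <code>authenticatedByCookieOnly</code> marks the requests whose only credential was the cookie that the browser attaches automatically.</p>
</div>

```javascript
// Added example: a model of the documented lookup order, not the JWT proxy itself.
// A request is a plain object { url, headers }; all values below are constructed.

// Header names are case-insensitive.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Pick one cookie out of a Cookie header such as "a=1; access_token=xyz".
function cookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return undefined;
}

function findWorkspaceToken(request) {
  // 1. The token query parameter
  const fromQuery = new URL(request.url).searchParams.get('token');
  if (fromQuery) return { source: 'query', token: fromQuery };

  // 2. The Authorization header in the bearer-token format
  const auth = (headerValue(request.headers, 'authorization') || '').trim();
  const bearer = /^Bearer\s+(\S+)$/i.exec(auth);
  if (bearer) return { source: 'header', token: bearer[1] };

  // 3. The access_token cookie
  const fromCookie = cookieValue(headerValue(request.headers, 'cookie'), 'access_token');
  if (fromCookie) return { source: 'cookie', token: fromCookie };

  return { source: 'none', token: null };
}

// Requests authenticated only by the cookie are the ones a browser can be
// made to send from another site, so they are the ones to review for CSRF.
function authenticatedByCookieOnly(request) {
  return findWorkspaceToken(request).source === 'cookie';
}

// Constructed sample requests.
const sampleRequests = [
  { url: 'https://workspace.example/app?token=tok-query',
    headers: { Authorization: 'Bearer tok-header', Cookie: 'access_token=tok-cookie' } },
  { url: 'https://workspace.example/app',
    headers: { authorization: 'Bearer tok-header', Cookie: 'access_token=tok-cookie' } },
  { url: 'https://workspace.example/app',
    headers: { Authorization: 'Basic dXNlcg==', Cookie: 'theme=dark; access_token=tok-cookie' } },
  { url: 'https://workspace.example/app?token=', headers: {} },
];

function demo() {
  return sampleRequests.map(function (request) {
    return findWorkspaceToken(request).source;
  });
}

console.log(demo().join(', '));
```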
</div>
<div class="sect2">
<h3 id="secured-plug-ins-and-editors">Secured plug-ins and editors</h3>
<div class="paragraph">
<p>Che users do not need to secure workspace plug-ins and workspace editors (such as Che-Theia). This is because the JWT proxy authentication is transparent to the user and is governed by the plug-in or editor definition in their <code>meta.yaml</code> descriptors.</p>
</div>
</div>
<div class="sect2">
<h3 id="secured-container-image-components">Secured container-image components</h3>
<div class="paragraph">
<p>Container-image components can define custom endpoints for which the devfile author can require Che-provided authentication, if needed. This authentication is configured using two optional attributes of the endpoint:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>secure</code> - A boolean attribute that instructs the Che server to put the JWT proxy in front of the endpoint. Such endpoints have to be provided with the workspace access token in one of the several ways explained in <a href="#json-web-token-jwt-proxy_configuring-workspace-exposure-strategies">JSON web token (JWT) proxy</a>. The default value of the attribute is <code>false</code>.</p>
</li>
<li>
<p><code>cookiesAuthEnabled</code> - A boolean attribute that instructs the Che server to automatically redirect the unauthenticated requests for current user authentication as described in <a href="#json-web-token-jwt-proxy_configuring-workspace-exposure-strategies">JSON web token (JWT) proxy</a>. Setting this attribute to <code>true</code> has security consequences because it makes Cross-site request forgery (CSRF) attacks possible. The default value of the attribute is <code>false</code>.</p>
</li>
</ul>
</div>
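<div class="paragraph">
<p>An added audit sketch, not part of Che, that classifies devfile endpoints by these two attributes so that cookie-authenticated endpoints can be singled out for CSRF review. The <code>components[].endpoints[].attributes</code> layout, the sample devfile and the status labels are assumptions.</p>
</div>

```javascript
// Added example. Constructed devfile, already parsed from YAML into an object.
// The components[].endpoints[].attributes layout is an assumption; the page
// names only the two attributes, secure and cookiesAuthEnabled.
const sampleDevfile = {
  components: [
    {
      alias: 'web-app',
      endpoints: [
        { name: 'public-site', port: 8080, attributes: {} },
        { name: 'admin-api', port: 9000, attributes: { secure: 'true' } },
        { name: 'admin-ui', port: 9001,
          attributes: { secure: 'true', cookiesAuthEnabled: 'true' } },
        { name: 'debug-ui', port: 9002, attributes: { cookiesAuthEnabled: true } },
      ],
    },
  ],
};

// YAML authors write booleans both bare and quoted; accept either form.
function isTrue(value) {
  return value === true || String(value).toLowerCase() === 'true';
}

function classifyEndpoint(endpoint) {
  const attrs = endpoint.attributes || {};
  const secure = isTrue(attrs.secure);               // default: false
  const cookies = isTrue(attrs.cookiesAuthEnabled);  // default: false
  if (!secure) {
    // No JWT proxy in front of the endpoint. How Che treats cookiesAuthEnabled
    // without secure is not stated on the page, so report it for manual review.
    return cookies ? 'cookie-auth-without-secure' : 'unauthenticated';
  }
  // Behind the JWT proxy. With cookie authentication on, the application
  // itself has to defend against cross-site request forgery.
  return cookies ? 'cookie-auth-review-csrf' : 'token-required';
}

function auditDevfile(devfile) {
  const findings = [];
  for (const component of devfile.components || []) {
    for (const endpoint of component.endpoints || []) {
      findings.push({
        component: component.alias,
        endpoint: endpoint.name,
        port: endpoint.port,
        status: classifyEndpoint(endpoint),
      });
    }
  }
  return findings;
}

for (const finding of auditDevfile(sampleDevfile)) {
  console.log(finding.component, finding.endpoint, finding.port, finding.status);
}
```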
</div>
<div class="sect2">
<h3 id="cross-site-request-forgery-attacks">Cross-site request forgery attacks</h3>
<div class="paragraph">
<p>Cookie-based authentication can make an application secured by a JWT proxy prone to Cross-site request forgery (CSRF) attacks. See the <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site request forgery</a> Wikipedia page and other resources to ensure your application is not vulnerable.</p>
</div>
</div>
<div class="sect2">
<h3 id="phishing-attacks">Phishing attacks</h3>
<div class="paragraph">
<p>An attacker who is able to create an Ingress or route inside the cluster with the workspace that shares the host with some services behind a JWT proxy may be able to create a service and a specially forged Ingress object. When such a service or Ingress is accessed by a legitimate user who was previously authenticated with a workspace, it can lead to the attacker stealing the workspace access token from the cookies sent by the legitimate user’s browser to the forged URL.
To eliminate this attack vector, configure OpenShift to disallow setting the host of an Ingress.</p>
</div>
</div>
</div>
</div>
<!--
-->
</div>
<hr class="shaded"/>
<footer>
<div class="row">
<div class="col-lg-12 footer">
Eclipse Che - Documentation <br/>
Site last generated: Apr 29, 2020 <br/>
<hr>
<a href="http://www.eclipse.org" target="_blank">Eclipse Foundation</a><br/>
<a href="http://www.eclipse.org/legal/privacy.php" target="_blank">Privacy Policy</a><br/>
<a href="http://www.eclipse.org/legal/termsofuse.php" target="_blank">Terms of Use</a><br/>
<a href="https://www.eclipse.org/legal/epl-2.0/" target="_blank">Eclipse Public License</a><br/>
<a href="http://www.eclipse.org/legal" target="_blank">Legal Resources</a><br/>
</div>
</div>
</footer>
<!-- /.row -->
</div>
<!-- /.container -->
</div>
<!-- /#main -->
</div>
</body>
</html>