37 changes: 21 additions & 16 deletions api/v2/checluster_types.go
Expand Up @@ -594,44 +594,49 @@ type WorkspaceSecurityConfig struct {
// Authentication settings.
type Auth struct {
// Public URL of the Identity Provider server.
// For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
// +optional
IdentityProviderURL string `json:"identityProviderURL,omitempty"`
// Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
// Defined the OIDC client id.
// For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
// +optional
OAuthClientName string `json:"oAuthClientName,omitempty"`
// Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
// For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
// key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
// resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
// Defines the OAuth client secret.
// It can either be a plain text secret value or the name of a Kubernetes secret
// containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
// as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
// For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
// +optional
OAuthSecret string `json:"oAuthSecret,omitempty"`
// Access Token Scope.
// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
// Defines the scope requested from the OIDC provider.
// For OpenShift with built-in OAuth, the scope `user:full` is used by default.
// +optional
OAuthScope string `json:"oAuthScope,omitempty"`
// Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
// Inactivity timeout for tokens in seconds.
// This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
// 0 means tokens for this client never time out.
// +optional
OAuthAccessTokenInactivityTimeoutSeconds *int32 `json:"oAuthAccessTokenInactivityTimeoutSeconds,omitempty"`
// Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
// Access token max age in seconds.
// This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
// 0 means no expiration.
// +optional
OAuthAccessTokenMaxAgeSeconds *int32 `json:"oAuthAccessTokenMaxAgeSeconds,omitempty"`
// Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
// Default value is `id_token`.
// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
// Identity token type to be passed to upstream services. Defaults to `id_token`.
// For OpenShift with built-in OAuth, defaults to `access_token`.
// +optional
// +kubebuilder:validation:Enum=id_token;access_token
IdentityToken string `json:"identityToken,omitempty"`
// Gateway settings.
// +optional
// +kubebuilder:default:={configLabels: {app: che, component: che-gateway-config}}
Gateway Gateway `json:"gateway,omitempty"`
// Advance authorization settings. Determines which users and groups are allowed to access Che.
// User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
// and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
// Advanced authorization settings. Determines which users and groups are allowed to access Che.
// A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
// and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
// If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
// if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
// If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
// Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
// +optional
AdvancedAuthorization *AdvancedAuthorization `json:"advancedAuthorization,omitempty"`
}
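Review bot: The rewritten `OAuthSecret` comment now presents a plain-text client secret as an equal alternative to a Secret reference, but says nothing about the exposure that choice brings: a literal value lives in the `CheCluster` object itself, so it is visible to anyone with read access to that resource and is carried along into GitOps repositories, backups and `kubectl get -o yaml` output. I would add, right after the sentence describing the `oAuthSecret` key, `// Prefer the Kubernetes secret reference; a plain-text value is stored in the CheCluster resource and is readable by anyone who can read that resource.` The comment also does not say how the operator tells the two forms apart; if it looks up a Secret by that name and falls back to treating the string as the literal value, a mistyped secret name silently becomes the client secret, which is worth stating (or ruling out) in the doc. Separately, `Defined the OIDC client id.` on `OAuthClientName` should read `Defines the OIDC client ID.`, and the same typo is propagated into both generated CRD files.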
Expand Up @@ -86,7 +86,7 @@ metadata:
categories: Developer Tools
certified: "false"
containerImage: quay.io/eclipse/che-operator:next
createdAt: "2026-03-25T12:21:22Z"
createdAt: "2026-04-02T11:48:45Z"
description: A Kube-native development solution that delivers portable and collaborative
developer workspaces.
features.operators.openshift.io/cnf: "false"
Expand All @@ -108,7 +108,7 @@ metadata:
operatorframework.io/arch.amd64: supported
operatorframework.io/arch.arm64: supported
operatorframework.io/os.linux: supported
name: eclipse-che.v7.116.0-957.next
name: eclipse-che.v7.117.0-958.next
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -1144,7 +1144,7 @@ spec:
name: gateway-authorization-sidecar-k8s
- image: quay.io/che-incubator/header-rewrite-proxy:latest
name: gateway-header-sidecar
version: 7.116.0-957.next
version: 7.117.0-958.next
webhookdefinitions:
- admissionReviewVersions:
- v1
Expand Up @@ -10685,11 +10685,12 @@ spec:
properties:
advancedAuthorization:
description: |-
Advance authorization settings. Determines which users and groups are allowed to access Che.
User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
Advanced authorization settings. Determines which users and groups are allowed to access Che.
A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
properties:
allowGroups:
description: List of groups allowed to access Che (currently
Expand Down Expand Up @@ -11101,44 +11102,49 @@ spec:
type: object
type: object
identityProviderURL:
description: Public URL of the Identity Provider server.
description: |-
Public URL of the Identity Provider server.
For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
type: string
identityToken:
description: |-
Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
Default value is `id_token`.
This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
Identity token type to be passed to upstream services. Defaults to `id_token`.
For OpenShift with built-in OAuth, defaults to `access_token`.
enum:
- id_token
- access_token
type: string
oAuthAccessTokenInactivityTimeoutSeconds:
description: |-
Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
Inactivity timeout for tokens in seconds.
This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
0 means tokens for this client never time out.
format: int32
type: integer
oAuthAccessTokenMaxAgeSeconds:
description: |-
Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
Access token max age in seconds.
This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
0 means no expiration.
format: int32
type: integer
oAuthClientName:
description: Name of the OpenShift `OAuthClient` resource
used to set up identity federation on the OpenShift side.
description: |-
Defined the OIDC client id.
For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
type: string
oAuthScope:
description: |-
Access Token Scope.
This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
Defines the scope requested from the OIDC provider.
For OpenShift with built-in OAuth, the scope `user:full` is used by default.
type: string
oAuthSecret:
description: |-
Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
Defines the OAuth client secret.
It can either be a plain text secret value or the name of a Kubernetes secret
containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
type: string
type: object
domain:
42 changes: 24 additions & 18 deletions config/crd/bases/org.eclipse.che_checlusters.yaml
Expand Up @@ -10635,11 +10635,12 @@ spec:
properties:
advancedAuthorization:
description: |-
Advance authorization settings. Determines which users and groups are allowed to access Che.
User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
Advanced authorization settings. Determines which users and groups are allowed to access Che.
A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
properties:
allowGroups:
description: List of groups allowed to access Che (currently
Expand Down Expand Up @@ -11046,44 +11047,49 @@ spec:
type: object
type: object
identityProviderURL:
description: Public URL of the Identity Provider server.
description: |-
Public URL of the Identity Provider server.
For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
type: string
identityToken:
description: |-
Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
Default value is `id_token`.
This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
Identity token type to be passed to upstream services. Defaults to `id_token`.
For OpenShift with built-in OAuth, defaults to `access_token`.
enum:
- id_token
- access_token
type: string
oAuthAccessTokenInactivityTimeoutSeconds:
description: |-
Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
Inactivity timeout for tokens in seconds.
This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
0 means tokens for this client never time out.
format: int32
type: integer
oAuthAccessTokenMaxAgeSeconds:
description: |-
Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
Access token max age in seconds.
This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
0 means no expiration.
format: int32
type: integer
oAuthClientName:
description: Name of the OpenShift `OAuthClient` resource
used to set up identity federation on the OpenShift side.
description: |-
Defined the OIDC client id.
For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
type: string
oAuthScope:
description: |-
Access Token Scope.
This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
Defines the scope requested from the OIDC provider.
For OpenShift with built-in OAuth, the scope `user:full` is used by default.
type: string
oAuthSecret:
description: |-
Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
Defines the OAuth client secret.
It can either be a plain text secret value or the name of a Kubernetes secret
containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
type: string
type: object
domain: