Initial server configuration

Last modified: 16 April 2024

In order to configure the Toolbox Enterprise Server, you need to create an application.yaml file. Your server will process and retrieve essential configurations by leveraging the capabilities of SpringFramework.

Within the application.yaml file, you can define a wide range of settings, including secrets, authorization and authentication details, object storage parameters, database and logging options, and more.

The server application is capable of processing multiple configuration files. If you have several versions of application.yaml, Toolbox Enterprise uses the last file in the list to eliminate conflicts. To pass configuration files to the Toolbox Enterprise Server, add the SPRING_CONFIG_ADDITIONAL-LOCATION environment variable and list the necessary files using commas as separators.

Basic configuration

Create and fill in application.yaml following the example below. This example configuration only includes the required parameters.

note

The configuration format allows for using ${property references}.

server:
    port: 8080
    #ssl:
    #    enabled: true
    #    key-store-type: "PKCS12"
    #    key-store-password: "tbe-server"
tbe:
    deployment:
        url: "https://TODO" ### Use the public server URL here, https is highly advised

    db:
        host: "postgresql:5432"
        database: "toolbox"
        user: "username"
        password: "password"

    storage:
        type: s3

    minio:
        url: "https://minio"
        bucket: "toolbox"
        access-key: "username"
        secret-key: "password"
        # s3-region: 'eu-west-1' # optional

    auth:
        # See the examples of OAuth2 service configuration
        login-url: "http://localhost:8085/auth/realms/toolbox/protocol/openid-connect/auth"
        token-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/token"
        jwt-certs-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/certs"
        client-id: "tbe-server"
        client-secret: "123456"
        root-admin-emails:
        - 'toolbox.admin@example.com'

springdoc:
    api-docs:
        enabled: true # Enable OpenAPI documentation at /swagger-ui.html

logging:
    level:
        root: INFO # can be changed to WARN/DEBUG/TRACE

Secrets

There are different ways to extract passwords from the configuration file:

  • Using environment variables in the Docker container: You can set the password as an environment variable, such as S3_SECRET_KEY, and reference it in the Toolbox Enterprise configuration files using the following syntax:

    secret-key: "${S3_SECRET_KEY}"

  • Utilizing the Spring Boot configuration tree feature: In this scenario, Kubernetes mounts passwords to multiple files, and SpringFramework loads these files as properties. In certain cases, you may need to use ${interpolation} to ensure the correct configuration.

    To include the secrets from the mounted files, set the SPRING_CONFIG_ADDITIONAL-LOCATION environment variable with the configuration file paths. You can use a special path like configtree:/secrets/*/ for this purpose.

Configuration parameters

Server

This group of properties allows for embedded server configuration. For more information, refer to the Spring Boot documentation.

server.port

Specify a server HTTP port.

server.ssl.enabled

Enables SSL support.

server.ssl.key-store-type

Specify a type of the key store: JKS or PKCS12.

server.ssl.key-store-password

Provide a password to access the key store.

Code With Me Enterprise

cwm.lobby.enabled

Enables the Code With Me Enterprise component in Toolbox Enterprise.

cwm.lobby.license-bundles.license1

Specify your Code With Me Enterprise license as a value.

warning

To keep your license information safe from unauthorized access, keep this secret in a secure location and don't share it with anyone.

cwm.lobby.relay-config

Specify the relay server configuration.

cwm.lobby.relay-ecdsa-key

Specify your ECDSA private key without any passphrase to prevent unauthorized access to a relay server.

The length of the ECDSA private key file is 384-bit. The format of this file is PEM, and the file can be generated with OpenSSL.

cwm.lobby.session-base-url

Specify your session base URL.

License Vault

lv.server.enabled

Enables the License Vault component in Toolbox Enterprise.

lv.server.token-signing-secret

Used to sign and verify the validity of the JWT token for authorized access to the License Vault API.

Provide a randomly generated string of 32 or more characters. The string should only include Latin characters (a–z, A–Z) and digits (0–9).

warning

To keep your license information safe from unauthorized access, keep this secret in a secure location and don't share it with anyone.

lv.server.registration-token

Used to retrieve license information from JetBrains. Specify the string provided by the Toolbox Enterprise support team.

Offline mode

This group of properties allows you to enable and configure the offline mode capabilities for Toolbox Enterprise.

tbe.offline.enabled

Allows running the Toolbox Enterprise Server in offline mode.

tbe.offline.url-mapper-cache-time

Specify the time period, during which Toolbox Enterprise caches mappings in offline.json. The default value is 10 minutes - 10m.

tbe.offline.mapping-path

Specify the location of the offline.json file with mappings in the object storage.

External requests via an authenticated proxy

Use the Spring Cloud Gateway properties to configure traffic routing through a proxy and provide the necessary authentication credentials. For more information, refer to the Spring Cloud Gateway documentation.

spring.cloud.gateway.httpclient.proxy.username

Specify the username for Netty HttpClient proxy configuration.

spring.cloud.gateway.httpclient.proxy.password

Specify the password for Netty HttpClient proxy configuration.

spring.cloud.gateway.httpclient.proxy.type

Specify the pool type for HttpClient to use.

spring.cloud.gateway.httpclient.proxy.port

Specify the port for Netty HttpClient proxy configuration.

spring.cloud.gateway.httpclient.proxy.non-proxy-hosts-pattern

Provide a regular expression for a list of hosts that should be reached directly, bypassing the proxy.

spring.cloud.gateway.httpclient.proxy.host

Specify the hostname for Netty HttpClient proxy configuration.

Toolbox Enterprise deployment

tbe.deployment.url

Specify a public URL to access Toolbox Enterprise's Web UI. This URL is displayed to the end users in the browser.

tbe.deployment.allowed-origins

Optional

If necessary, provide a list of CORS origins allowed by the Toolbox Enterprise Server.

Database

tbe.db.host

Specify a PostgreSQL host.

tbe.db.database

Specify the name of the PostgreSQL database, to which the Toolbox Enterprise Server should connect and use.

tbe.db.user

Specify a username to connect to the PostgreSQL database.

tbe.db.password

Specify a password to connect to the PostgreSQL database.

tbe.db.repair

Optional

Controls whether the Toolbox Enterprise Server attempts to perform a flyway repair before running database migrations.

warning

Only enable this option if your database is corrupted, and you know how to handle it.

Storage type

tbe.storage.type

Defines the object storage type used for the Toolbox Enterprise Server: s3 or azure. Depending on the specified type, you need to set up a connection to the storage of your choice.

S3 Storage

note

If you want to use S3-compatible storage as your primary object storage, make sure to specify s3 as a value of the tbe.storage.type property.

tbe.minio.url

Specify a URL to access your S3 bucket.

tbe.minio.bucket

Specify the name of your S3 bucket.

tbe.minio.access-key

Provide a unique key to access the S3-compatible storage.

tbe.minio.secret-key

Provide a secret key to pair with the unique access key.

tbe.minio.s3-region

Specify a region that you selected during S3 bucket creation. The default value is us-east-1.

tbe.minio.check-bucket

Checks whether an S3 bucket exists before starting the application.

tbe.minio.use-s3-auto-configuration

If selected, the Toolbox Enterprise Server uses the values of environment variables propagated from AWS to access your S3 bucket.

tbe.minio.max-retries

Specify a number of tries to connect to your S3 bucket when starting the application.

tbe.minio.retry-base-delay

Set the standard amount of time to wait before trying again to connect to your S3 bucket.

tbe.minio.max-backoff-time

Set the maximum amount of time to wait before trying again to connect to your S3 bucket.

tbe.minio.checksum-validation

Disables the checksum validation when executing requests to S3.

Azure

note

If you want to use Azure as your primary object storage, make sure to specify azure as a value of the tbe.storage.type property.

In order to connect to Azure object storage, you need to provide either a connection string or a combination of the account name, key, and endpoint.

tbe.azure.connection-string

Provide a connection string to authorize requests to Azure storage.

tbe.azure.container

Specify the name of the Azure container to connect.

tbe.azure.account-key

Provide an account key to authorize requests to Azure storage.

tbe.azure.account-name

Provide an account name to authorize requests to Azure storage.

tbe.azure.endpoint

Provide the blob service endpoint to access the Azure server.

OAuth2 Provider

tbe.auth.login-url

Provide a URL for logging in via your selected OAuth2 provider.

tbe.auth.token-url

Provide a URL for obtaining an authorization token on the side of your OAuth2 provider.

tbe.auth.jwt-certs-url

Specify a URL to the JSON Web Key (JWK) set that is used to validate JSON Web Tokens (JWT).

tbe.auth.client-id

Specify a public identifier for Toolbox Enterprise that you set when configuring your OAuth2 provider.

tbe.auth.client-secret

Specify a secret for Toolbox Enterprise that you set when configuring your OAuth2 provider.

tbe.auth.required-scopes

Define scopes that will be available to Toolbox Enterprise when accessing a user account.

tbe.auth.root-admin-emails

List emails of users that will receive admin rights.

tbe.auth.root-admin-subjects

List OAuth2 subjects (ids) that will receive admin rights.

Mandatory for: Space.

tbe.auth.login-url-prompt-param

Defines whether the user should be prompted with a login dialog. Specify one of the following:

  • login: use this value to show the login dialog to the user.

  • none: use this value to skip showing the login dialog to the user.

Available for: OneLogin.

tbe.auth.use-id-token-as-access-token

Allows for using id tokens to authenticate users.

Available for: Google.

Binary downloads

tbe.download.cdn-redirect-mode

Defines how Toolbox Enterprise processes requests to download IDEs coming from the Toolbox App.

Possible values:

  • redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.

  • handle_redirects: specify this option if you want to use the Toolbox Enterprise Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The Toolbox Enterprise Server will handle redirects in this case.

    note

    Using this option causes the Toolbox Enterprise Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

tbe.download.feed-cache-time

Specify the time period for storing the Toolbox App metadata as cache.

Plugin installation from IDEs

tbe.ij-plugins.cdn-redirect-mode

Defines how Toolbox Enterprise processes requests to download plugins coming from an IDE.

Possible values:

  • redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.

  • handle_redirects: specify this option if you want to use the Toolbox Enterprise Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The Toolbox Enterprise Server will handle redirects in this case.

    note

    Using this option causes the Toolbox Enterprise Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

Plugin installation from Toolbox App

tbe.tbe-ij-plugin.tbe-plugin-repository-type

Specify the source for obtaining plugins. Possible values:

  • TBE: specify this option if you want Toolbox Enterprise to install plugins from the local plugin repository. Use this option when working in offline mode.

  • MARKETPLACE: specify this option if you want Toolbox Enterprise to look for plugins externally in the marketplace.

tbe.tbe-ij-plugin.cdn-redirect-mode

Defines how Toolbox Enterprise processes requests to download plugins coming from the Toolbox App.

Possible values:

  • redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.

  • handle_redirects: specify this option if you want to use the Toolbox Enterprise Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The Toolbox Enterprise Server will handle redirects in this case.

    note

    Using this option causes the Toolbox Enterprise Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

Logging

logging.level.root

Set the highest logging level to display in the logs (for root).

You can change the logging level of any package. To disable logging, set WARN as a value.

MDC. Advanced logging options

tbe.mdc.request-id

Provide an ID of the request to the Toolbox Enterprise Server.

tbe.mdc.audit-id

Provide an ID of the party that sends the request.

Spring

spring.r2dbc.pool.max-size

Set the maximum size of the R2DBC connection pool. Defaults to 20.

For more details, refer to the R2DBC pool documentation.

spring.r2dbc.pool.max-idle-time

Set the maximum idle time of the connection in the pool. Negative values indicate no timeout. Defaults to 30 minutes. This value is used as an interval for background eviction of idle connections unless configuring backgroundEvictionInterval.

For more details, refer to the R2DBC pool documentation.

API documentation

springdoc.api-docs.enabled

Enables Swagger for your server.