Server configuration file

To configure the IDE Services Server, you need to create an application.yaml file. Your server will process and retrieve essential configurations by leveraging the capabilities of SpringFramework.

Within the application.yaml file, you can define a wide range of settings, including secrets, authorization and authentication details, object storage parameters, database and logging options, and more.

The server application is capable of processing multiple configuration files. If you have several versions of application.yaml, IDE Services uses the last file in the list to eliminate conflicts. To pass configuration files to the IDE Services Server, add the SPRING_CONFIG_ADDITIONAL-LOCATION environment variable and list the necessary files using commas as separators.

Basic configuration

Create and fill in application.yaml following the example below. This example configuration only includes the required parameters.

            server:
                port: 8080
                #ssl:
                #    enabled: true
                #    key-store-type: "PKCS12"
                #    key-store-password: "tbe-server"
            tbe:
                deployment:
                    url: "https://TODO" ### Use the public server URL here, https is highly advised

                db:
                    host: "postgresql:5432"
                    database: "toolbox"
                    user: "username"
                    password: "password"

                storage:
                    type: s3

                minio:
                    url: "https://minio"
                    bucket: "toolbox"
                    access-key: "username"
                    secret-key: "password"
                    # s3-region: 'eu-west-1' # optional

                auth:
                    # See the examples of OAuth 2.0 service configuration
                    login-url: "http://localhost:8085/auth/realms/toolbox/protocol/openid-connect/auth"
                    token-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/token"
                    jwt-certs-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/certs"
                    client-id: "tbe-server"
                    client-secret: "123456"
                    root-admin-emails:
                    - 'toolbox.admin@example.com'

            springdoc:
                api-docs:
                    enabled: true # Enable OpenAPI documentation at /swagger-ui.html

            logging:
                level:
                    root: INFO # can be changed to WARN/DEBUG/TRACE
        

Secrets

There are different ways to extract passwords from the configuration file:

Using environment variables in the Docker container: You can set the password as an environment variable, such as S3_SECRET_KEY, and reference it in the IDE Services configuration files using the following syntax:
secret-key: "${S3_SECRET_KEY}"
Using the Spring Boot configuration tree feature: In this scenario, Kubernetes mounts passwords to multiple files, and SpringFramework loads these files as properties. In certain cases, you may need to use ${interpolation} to ensure the correct configuration.
To include the secrets from the mounted files, set the SPRING_CONFIG_ADDITIONAL-LOCATION environment variable with the configuration file paths. You can use a special path like configtree:/secrets/*/ for this purpose.

Configuration parameters

Server

This group of properties allows for embedded server configuration. For more information, refer to the Spring Boot documentation.

server.port: Specify a server HTTP port.
server.ssl.enabled: Enables SSL support.
server.ssl.key-store-type: Specify a type of the key store: JKS or PKCS12.
server.ssl.key-store-password: Provide a password to access the key store.

Code With Me Enterprise

cwm.lobby.enabled

Enables the Code With Me Enterprise product in IDE Services.

cwm.lobby.relay-config

Specify the relay server configuration.

cwm.lobby.relay-ecdsa-key

Specify your ECDSA private key without any passphrase to prevent unauthorized access to a relay server.

The length of the ECDSA private key file is 384-bit. The format of this file is PEM, and the file can be generated with OpenSSL.

Offline mode

This group of properties allows you to enable and configure the offline mode capabilities for IDE Services.

tbe.offline.enabled: Allows running the IDE Services Server in offline mode.
tbe.offline.url-mapper-cache-time: Specify the time period, during which IDE Services caches mappings in offline.json. The default value is 10 minutes - 10m.
tbe.offline.mapping-path: Specify the location of the offline.json file in the object storage.

External requests via an authenticated proxy

Use the Spring Cloud Gateway properties to configure traffic routing through a proxy and provide the necessary authentication credentials. For more information, refer to the Spring Cloud Gateway documentation.

spring.cloud.gateway.httpclient.proxy.username: Specify the username for Netty HttpClient proxy configuration.
spring.cloud.gateway.httpclient.proxy.password: Specify the password for Netty HttpClient proxy configuration.
spring.cloud.gateway.httpclient.proxy.type: Specify the pool type for HttpClient to use.
spring.cloud.gateway.httpclient.proxy.port: Specify the port for Netty HttpClient proxy configuration.
spring.cloud.gateway.httpclient.proxy.non-proxy-hosts-pattern: Provide a regular expression for a list of hosts that should be reached directly, bypassing the proxy.
spring.cloud.gateway.httpclient.proxy.host: Specify the hostname for Netty HttpClient proxy configuration.

IDE Services deployment

tbe.deployment.url: Specify a public URL to access IDE Services's Web UI. This URL is displayed to the end users in the browser.
tbe.deployment.allowed-origins: If necessary, provide a list of CORS origins allowed by the IDE Services Server.

Database

tbe.db.host

Specify a PostgreSQL host.

tbe.db.database

Specify the name of the PostgreSQL database, to which the IDE Services Server should connect and use.

tbe.db.user

Specify a username to connect to the PostgreSQL database.

tbe.db.password

Specify a password to connect to the PostgreSQL database.

tbe.db.repair

Optional

Controls whether the IDE Services Server attempts to perform a flyway repair before running database migrations.

Storage type

tbe.storage.type: Defines the object storage type used for the IDE Services Server: s3 or azure. Depending on the specified type, set up a connection to the storage of your choice.

S3 Storage

tbe.minio.url: Specify a URL to access your S3 bucket.
tbe.minio.bucket: Specify the name of your S3 bucket.
tbe.minio.access-key: Provide a unique key to access the S3-compatible storage.
tbe.minio.secret-key: Provide a secret key to pair with the unique access key.
tbe.minio.s3-region: Specify a region that you selected during S3 bucket creation. The default value is us-east-1.
tbe.minio.check-bucket: Checks whether an S3 bucket exists before starting the application.
tbe.minio.use-s3-auto-configuration: If selected, the IDE Services Server uses the values of environment variables propagated from AWS to access your S3 bucket.
tbe.minio.max-retries: Specify a number of tries to connect to your S3 bucket when starting the application.
tbe.minio.retry-base-delay: Set the standard amount of time to wait before trying again to connect to your S3 bucket.
tbe.minio.max-backoff-time: Set the maximum amount of time to wait before trying again to connect to your S3 bucket.
tbe.minio.checksum-validation: Disables the checksum validation when executing requests to S3.

Azure

In order to connect to Azure object storage, you need to provide either a connection string or a combination of the account name, key, and endpoint.

tbe.azure.connection-string: Provide a connection string to authorize requests to Azure storage.
tbe.azure.container: Specify the name of the Azure container to connect.
tbe.azure.account-key: Provide an account key to authorize requests to Azure storage.
tbe.azure.account-name: Provide an account name to authorize requests to Azure storage.
tbe.azure.endpoint: Provide the blob service endpoint to access the Azure server.
tbe.azure.check-container: Enables the check that verifies the existence of the specified Azure container on every application start.

Authentication

tbe.auth.login-url

Provide a URL for logging in via your selected authentication provider.

tbe.auth.token-url

Provide a URL for obtaining an authorization token on the side of your authentication provider.

tbe.auth.jwt-certs-url

Specify a URL to the JSON Web Key (JWK) set that is used to validate JSON Web Tokens (JWT).

tbe.auth.client-id

Specify a public identifier for IDE Services that you set when configuring your authentication provider.

tbe.auth.client-secret

Specify a secret for IDE Services that you set when configuring your authentication provider.

tbe.auth.required-scopes

Define scopes that will be available to IDE Services when accessing a user account.

tbe.auth.root-admin-emails

List emails of users that will receive admin rights.

tbe.auth.login-url-prompt-param

Defines whether the user should be prompted with a login dialog. Specify one of the following values:

login: use this value to show the login dialog to the user.
none: use this value to skip showing the login dialog to the user.

Available for: OneLogin, Microsoft Entra ID.

tbe.auth.use-id-token-as-access-token

Allows for using id tokens to authenticate users.

Available for: Google.

tbe.auth.saml.enabled

Enables the use of SAML.

tbe.auth.saml.sp-id

If necessary, specify a unique identifier for IDE Services, which can be used in requests to an external SAML identity provider.

tbe.auth.saml.sp-x509cert

Provide the content of local.crt. This value is used to publish the metadata provided in the certificate.

tbe.auth.saml.sp-private-key

Provide the content of local.key. This value is used for generating a signature and decrypting a SAMLResponse.

tbe.auth.saml.sso-url

An external endpoint of the SAML identity provider used for Single Sign-On. This value can be obtained from an external IdP configuration.

tbe.auth.saml.idp-id

Specify an identifier of the identity provider.

tbe.auth.saml.idp-x509cert

Provide the X509 certificate. This value is used to validate signatures of IdP responses.

tbe.auth.saml.cert-algorithm

Specify SHA-256 as a certificate signing algorithm.

tbe.auth.saml.idp-http-method

Specify the HTTP method type to use in sign-on requests. Possible values: GET, POST.

tbe.auth.saml.attribute-mapping.email

If the email field is named differently on the identity provider's side, specify the field name.

tbe.auth.saml.attribute-mapping.firstName

If the firstName field is named differently on the identity provider's side, specify the field name.

tbe.auth.saml.attribute-mapping.lastName

If the lastName field is named differently on the identity provider's side, specify the field name.

tbe.auth.saml.attribute-mapping.fullName

If the fullName field is named differently on the identity provider's side, specify the field name.

tbe.auth.saml.internal.token-life

Specify the duration for which the JWT token, issued by the Internal Authorization Server after a successful SAML login, remains valid. This token is primarily used for making authenticated calls to IDE Services.

tbe.auth.saml.internal.refresh-token-life

Specify the duration for which the Refresh JWT token, issued by the Internal Authorization Server, remains valid. The refresh token is used to renew the primary JWT token without requiring re-authentication via the SAML provider. If the refresh token expires (30 days by default), the user will need to re-authenticate through the SAML provider.

tbe.auth.saml.internal.private-key

Provide the content of the private_key_pkcs8.pem file. This is a private key that will be used to sign internal JWT tokens.

tbe.auth.saml.internal.public-key

Provide the content of the public_key.pem file. This is a public key that will be used to validate internal JWT tokens.

tbe.deployment.allowed-origins

If necessary, provide a list of CORS origins allowed by the IDE Services Server.

server.forward-headers-strategy

Define how forwarded headers, such as X-Forwarded-For, from a reverse proxy are processed in a Spring Boot application. Possible values:

NATIVE: Uses the native web server's support for handling forwarded headers.
FRAMEWORK: Relies on Spring's custom mechanism to process forwarded headers.

User import

tbe.users.import.enabled

Enables the user import functionality.

tbe.users.import.provider

The identity provider used in your organization. Possible values: okta, entra.

tbe.users.import.url

Okta: specify the URL of the Okta instance.

Microsoft Entra ID: specify https://graph.microsoft.com as a value.

tbe.users.import.token

Specify an API token in the SSWS <token> format.

Required for: Okta.

tbe.users.import.login-max-delay

Specify a timeout for the initial user login. IDE Services attempts to retrieve the information from Okta within the specified timeframe. If successful, the user logs in with complete data and groups. Failure to obtain the data within this timeframe results in the user being created and logged in with default attribute values. The user's groups and details will be eventually updated through periodic synchronization.

Available for: Okta.

tbe.users.import.schedule

Specify a CRON schedule for periodical user synchronization. The default value is 0 */15 * * * * and IDE Services launches synchronization every 15 minuted.

tbe.users.import.mapping.groups

Specify identifiers of Okta groups or object identifiers of Microsoft Entra ID groups that should be imported and mapped to IDE Services. Users who belong to these designated identity provider groups will have mirrored groups created in IDE Services with the matching group names. All other existing IDE Services users, such as those present before the group import was enabled, will be deactivated.

Additionally, if a user is removed from a designated identity provider group, they are also removed from the mirrored group in IDE Services and disabled, as group sync is the sole reference for user management.

tbe.users.import.mapping.admin-groups

Specify identifiers of Okta groups or object identifiers of Microsoft Entra ID groups to grant administrator rights to members of these groups in IDE Services.

If a user isn’t part of these specified groups, their administrator rights in IDE Services are revoked. However, if user credentials are included in the server configuration file, these users will retain access to the IDE Services Server for emergencies, such as when the admin group is accidentally removed from the identity provider.

Binary downloads

tbe.download.cdn-redirect-mode

Defines how IDE Services processes requests to download IDEs coming from the Toolbox App.

Possible values:

redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.
handle_redirects: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

tbe.download.feed-cache-time

Specify the time period for storing the Toolbox App metadata as cache.

Plugin installation from IDEs

tbe.ij-plugins.cdn-redirect-mode

Defines how IDE Services processes requests to download plugins coming from an IDE.

Possible values:

redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.
handle_redirects: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

Plugin installation from Toolbox App

tbe.tbe-ij-plugin.tbe-plugin-repository-type

Specify the source for obtaining plugins. Possible values:

TBE: specify this option if you want IDE Services to install plugins from the local plugin repository. Use this option when working in offline mode.
MARKETPLACE: specify this option if you want IDE Services to search for plugins externally on the marketplace.

tbe.tbe-ij-plugin.cdn-redirect-mode

Defines how IDE Services processes requests to download plugins coming from the Toolbox App.

Possible values:

redirect_to_service: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.
handle_redirects: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.

Logging

logging.level.root

Set the highest logging level to display in the logs (for root).

You can change the logging level of any package. To disable logging, set WARN as a value.

MDC. Advanced logging options

tbe.mdc.request-id: Provide an ID of the request to the IDE Services Server.
tbe.mdc.audit-id: Provide an ID of the party that sends the request.

Logging of AI requests

tbe.ai.platform.logging.enabled: Enables logging of AI requests.
tbe.ai.platform.logging.format: Specify one of Logbook's formatting styles for logs. Possible values: json, http, and splunk.
tbe.ai.platform.logging.path-prefix: To store AI logs together with other IDE Services Server data, specify the path for these log files in your object storage. The resulting layout is as follows: $pathPrefix/${yyyy-MM-dd}/$correlationId-response.json.
tbe.ai.platform.logging.storage-type: If you use a separate object storage for logs, specify its type: s3 or azure. Depending on the specified type, set up a connection to the storage of your choice.
tbe.ai.platform.logging.azure.connection-string: Provide a connection string to authorize requests to Azure storage.
tbe.ai.platform.logging.azure.container: Specify the name of the Azure container to connect.
tbe.ai.platform.logging.s3.url: Specify a URL to access your S3 bucket.
tbe.ai.platform.logging.s3.bucket: Specify the name of your S3 bucket.
tbe.ai.platform.logging.s3.access-key: Provide a unique key to access the S3-compatible storage.
tbe.ai.platform.logging.s3.secret-key: Provide a secret key to pair with the unique access key.

Spring

spring.r2dbc.pool.max-size

Set the maximum size of the R2DBC connection pool. Defaults to 20.

For more details, refer to the R2DBC pool documentation.

spring.r2dbc.pool.max-idle-time

Set the maximum idle time of the connection in the pool. Negative values indicate no timeout. Defaults to 30 minutes. This value is used as an interval for background eviction of idle connections unless configuring backgroundEvictionInterval.

For more details, refer to the R2DBC pool documentation.

API documentation

springdoc.api-docs.enabled: Enables Swagger for your server.

Last modified: 18 December 2024