Server configuration file
To configure the IDE Services Server, you need to create an application.yaml file. Your server will process and retrieve essential configurations by leveraging the capabilities of SpringFramework.
Within the application.yaml file, you can define a wide range of settings, including secrets, authorization and authentication details, object storage parameters, database and logging options, and more.
The server application is capable of processing multiple configuration files. If you have several versions of application.yaml, IDE Services uses the last file in the list to eliminate conflicts. To pass configuration files to the IDE Services Server, add the SPRING_CONFIG_ADDITIONAL-LOCATION
environment variable and list the necessary files using commas as separators.
Create and fill in application.yaml following the example below. This example configuration only includes the required parameters.
note
The configuration format allows for using
${property references}
.
server:
port: 8080
#ssl:
# enabled: true
# key-store-type: "PKCS12"
# key-store-password: "tbe-server"
tbe:
deployment:
url: "https://TODO" ### Use the public server URL here, https is highly advised
db:
host: "postgresql:5432"
database: "toolbox"
user: "username"
password: "password"
storage:
type: s3
minio:
url: "https://minio"
bucket: "toolbox"
access-key: "username"
secret-key: "password"
# s3-region: 'eu-west-1' # optional
auth:
# See the examples of OAuth 2.0 service configuration
login-url: "http://localhost:8085/auth/realms/toolbox/protocol/openid-connect/auth"
token-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/token"
jwt-certs-url: "http://mock-auth:8085/auth/realms/toolbox/protocol/openid-connect/certs"
client-id: "tbe-server"
client-secret: "123456"
root-admin-emails:
- 'toolbox.admin@example.com'
springdoc:
api-docs:
enabled: true # Enable OpenAPI documentation at /swagger-ui.html
logging:
level:
root: INFO # can be changed to WARN/DEBUG/TRACE
There are different ways to extract passwords from the configuration file:
Using environment variables in the Docker container: You can set the password as an environment variable, such as
S3_SECRET_KEY
, and reference it in the IDE Services configuration files using the following syntax:secret-key: "${S3_SECRET_KEY}"
Using the Spring Boot configuration tree feature: In this scenario, Kubernetes mounts passwords to multiple files, and SpringFramework loads these files as properties. In certain cases, you may need to use
${interpolation}
to ensure the correct configuration.To include the secrets from the mounted files, set the
SPRING_CONFIG_ADDITIONAL-LOCATION
environment variable with the configuration file paths. You can use a special path likeconfigtree:/secrets/*/
for this purpose.
This group of properties allows for embedded server configuration. For more information, refer to the Spring Boot documentation.
- cwm.lobby.relay-ecdsa-key
Specify your ECDSA private key without any passphrase to prevent unauthorized access to a relay server.
The length of the ECDSA private key file is 384-bit. The format of this file is PEM, and the file can be generated with OpenSSL.
This group of properties allows you to enable and configure the offline mode capabilities for IDE Services.
Use the Spring Cloud Gateway properties to configure traffic routing through a proxy and provide the necessary authentication credentials. For more information, refer to the Spring Cloud Gateway documentation.
- spring.cloud.gateway.httpclient.proxy.username
Specify the username for Netty HttpClient proxy configuration.
- spring.cloud.gateway.httpclient.proxy.password
Specify the password for Netty HttpClient proxy configuration.
- spring.cloud.gateway.httpclient.proxy.port
Specify the port for Netty HttpClient proxy configuration.
- tbe.db.database
Specify the name of the PostgreSQL database, to which the IDE Services Server should connect and use.
- tbe.db.repair
Optional
Controls whether the IDE Services Server attempts to perform a flyway repair before running database migrations.
warning
Only enable this option if your database is corrupted, and you know how to handle it.
note
If you want to use S3-compatible storage as your primary object storage, make sure to specify
s3
as a value of thetbe.storage.type
property.
- tbe.minio.s3-region
Specify a region that you selected during S3 bucket creation. The default value is
us-east-1
.- tbe.minio.use-s3-auto-configuration
If selected, the IDE Services Server uses the values of environment variables propagated from AWS to access your S3 bucket.
- tbe.minio.max-retries
Specify a number of tries to connect to your S3 bucket when starting the application.
- tbe.minio.retry-base-delay
Set the standard amount of time to wait before trying again to connect to your S3 bucket.
note
If you want to use Azure as your primary object storage, make sure to specify
azure
as a value of thetbe.storage.type
property.
In order to connect to Azure object storage, you need to provide either a connection string or a combination of the account name, key, and endpoint.
- tbe.azure.connection-string
Provide a connection string to authorize requests to Azure storage.
- tbe.auth.token-url
Provide a URL for obtaining an authorization token on the side of your authentication provider.
- tbe.auth.jwt-certs-url
Specify a URL to the JSON Web Key (JWK) set that is used to validate JSON Web Tokens (JWT).
- tbe.auth.client-id
Specify a public identifier for IDE Services that you set when configuring your authentication provider.
- tbe.auth.client-secret
Specify a secret for IDE Services that you set when configuring your authentication provider.
- tbe.auth.required-scopes
Define scopes that will be available to IDE Services when accessing a user account.
- tbe.auth.login-url-prompt-param
Defines whether the user should be prompted with a login dialog. Specify one of the following values:
login
: use this value to show the login dialog to the user.none
: use this value to skip showing the login dialog to the user.
Available for: OneLogin, Microsoft Entra ID.
- tbe.auth.use-id-token-as-access-token
Allows for using id tokens to authenticate users.
Available for: Google.
- tbe.auth.saml.sp-id
If necessary, specify a unique identifier for IDE Services, which can be used in requests to an external SAML identity provider.
- tbe.auth.saml.sp-x509cert
Provide the content of local.crt. This value is used to publish the metadata provided in the certificate.
- tbe.auth.saml.sp-private-key
Provide the content of local.key. This value is used for generating a signature and decrypting a SAMLResponse.
- tbe.auth.saml.sso-url
An external endpoint of the SAML identity provider used for Single Sign-On. This value can be obtained from an external IdP configuration.
- tbe.auth.saml.idp-x509cert
Provide the X509 certificate. This value is used to validate signatures of IdP responses.
- tbe.auth.saml.idp-http-method
Specify the HTTP method type to use in sign-on requests. Possible values:
GET
,POST
.- tbe.auth.saml.attribute-mapping.email
If the
email
field is named differently on the identity provider's side, specify the field name.- tbe.auth.saml.attribute-mapping.firstName
If the
firstName
field is named differently on the identity provider's side, specify the field name.- tbe.auth.saml.attribute-mapping.lastName
If the
lastName
field is named differently on the identity provider's side, specify the field name.- tbe.auth.saml.attribute-mapping.fullName
If the
fullName
field is named differently on the identity provider's side, specify the field name.- tbe.auth.saml.internal.token-life
Specify the duration for which the JWT token, issued by the Internal Authorization Server after a successful SAML login, remains valid. This token is primarily used for making authenticated calls to IDE Services.
- tbe.auth.saml.internal.refresh-token-life
Specify the duration for which the Refresh JWT token, issued by the Internal Authorization Server, remains valid. The refresh token is used to renew the primary JWT token without requiring re-authentication via the SAML provider. If the refresh token expires (30 days by default), the user will need to re-authenticate through the SAML provider.
- tbe.auth.saml.internal.private-key
Provide the content of the private_key_pkcs8.pem file. This is a private key that will be used to sign internal JWT tokens.
- tbe.auth.saml.internal.public-key
Provide the content of the public_key.pem file. This is a public key that will be used to validate internal JWT tokens.
- tbe.deployment.allowed-origins
If necessary, provide a list of CORS origins allowed by the IDE Services Server.
- server.forward-headers-strategy
Define how forwarded headers, such as
X-Forwarded-For
, from a reverse proxy are processed in a Spring Boot application. Possible values:NATIVE
: Uses the native web server's support for handling forwarded headers.FRAMEWORK
: Relies on Spring's custom mechanism to process forwarded headers.
- tbe.users.import.provider
The identity provider used in your organization. Possible values:
okta
,entra
.- tbe.users.import.url
Okta: specify the URL of the Okta instance.
Microsoft Entra ID: specify
https://graph.microsoft.com
as a value.- tbe.users.import.login-max-delay
Specify a timeout for the initial user login. IDE Services attempts to retrieve the information from Okta within the specified timeframe. If successful, the user logs in with complete data and groups. Failure to obtain the data within this timeframe results in the user being created and logged in with default attribute values. The user's groups and details will be eventually updated through periodic synchronization.
Available for: Okta.
- tbe.users.import.schedule
Specify a CRON schedule for periodical user synchronization. The default value is
0 */15 * * * *
and IDE Services launches synchronization every 15 minuted.- tbe.users.import.mapping.groups
Specify identifiers of Okta groups or object identifiers of Microsoft Entra ID groups that should be imported and mapped to IDE Services. Users who belong to these designated identity provider groups will have mirrored groups created in IDE Services with the matching group names. All other existing IDE Services users, such as those present before the group import was enabled, will be deactivated.
Additionally, if a user is removed from a designated identity provider group, they are also removed from the mirrored group in IDE Services and disabled, as group sync is the sole reference for user management.
- tbe.users.import.mapping.admin-groups
Specify identifiers of Okta groups or object identifiers of Microsoft Entra ID groups to grant administrator rights to members of these groups in IDE Services.
If a user isn’t part of these specified groups, their administrator rights in IDE Services are revoked. However, if user credentials are included in the server configuration file, these users will retain access to the IDE Services Server for emergencies, such as when the admin group is accidentally removed from the identity provider.
- tbe.download.cdn-redirect-mode
Defines how IDE Services processes requests to download IDEs coming from the Toolbox App.
Possible values:
redirect_to_service
: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.handle_redirects
: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.note
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.
- tbe.ij-plugins.cdn-redirect-mode
Defines how IDE Services processes requests to download plugins coming from an IDE.
Possible values:
redirect_to_service
: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.handle_redirects
: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.note
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.
- tbe.tbe-ij-plugin.tbe-plugin-repository-type
Specify the source for obtaining plugins. Possible values:
TBE
: specify this option if you want IDE Services to install plugins from the local plugin repository. Use this option when working in offline mode.MARKETPLACE
: specify this option if you want IDE Services to search for plugins externally on the marketplace.
- tbe.tbe-ij-plugin.cdn-redirect-mode
Defines how IDE Services processes requests to download plugins coming from the Toolbox App.
Possible values:
redirect_to_service
: specify this option if you want to send requests directly to the binary source, such as JetBrains Marketplace or your object storage. Use this option only if the binary source is accessible from developer machines.handle_redirects
: specify this option if you want to use the IDE Services Server as a proxy for requests to the binary source. Use this option if developer machines don't have direct access to the binary source (for example, if you use any proxy service for your object storage). The IDE Services Server will handle redirects in this case.note
Using this option causes the IDE Services Server to act as a proxy, which may result in consuming more resources due to the additional processing and handling of download requests.
- tbe.ai.platform.logging.format
Specify one of Logbook's formatting styles for logs. Possible values:
json
,http
, andsplunk
.- tbe.ai.platform.logging.path-prefix
To store AI logs together with other IDE Services Server data, specify the path for these log files in your object storage. The resulting layout is as follows:
$pathPrefix/${yyyy-MM-dd}/$correlationId-response.json
.- tbe.ai.platform.logging.storage-type
If you use a separate object storage for logs, specify its type:
s3
orazure
. Depending on the specified type, set up a connection to the storage of your choice.- tbe.ai.platform.logging.azure.connection-string
Provide a connection string to authorize requests to Azure storage.
- spring.r2dbc.pool.max-size
Set the maximum size of the R2DBC connection pool. Defaults to 20.
For more details, refer to the R2DBC pool documentation.
- spring.r2dbc.pool.max-idle-time
Set the maximum idle time of the connection in the pool. Negative values indicate no timeout. Defaults to 30 minutes. This value is used as an interval for background eviction of idle connections unless configuring
backgroundEvictionInterval
.For more details, refer to the R2DBC pool documentation.
Thanks for your feedback!