Configure internal access to the Open VSX registry
Restrict your Open VSX registry to internal cluster traffic by removing the public route and configuring Che to use the internal service URL. Internal routing keeps extension registry traffic within the cluster and avoids public exposure.
Prerequisites
-
You have Open VSX deployed in the
openvsxnamespace. -
You have the
kubectltool installed. -
You are logged in to the cluster as a cluster administrator.
-
You have
jqinstalled.
Procedure
-
Delete the public route for the Open VSX registry:
kubectl delete route internal -n openvsx -
Update the CheCluster custom resource to use the internal service DNS URL:
export CHECLUSTER_NAME="$(kubectl get checluster --all-namespaces -o json | jq -r '.items[0].metadata.name')" && export CHECLUSTER_NAMESPACE="$(kubectl get checluster --all-namespaces -o json | jq -r '.items[0].metadata.namespace')" && export PATCH='{"spec":{"components":{"pluginRegistry":{"openVSXURL":"http://openvsx-server.openvsx.svc:8080"}}}}' && kubectl patch checluster "${CHECLUSTER_NAME}" --type=merge --patch "${PATCH}" -n "${CHECLUSTER_NAMESPACE}" -
Restart any running workspaces to apply the new registry URL.
Verification
-
Start a workspace and verify that extensions are available in the Extensions view using the internal registry.
Additional resources