The Workspace Building Block (BB) provisions a trifecta of capabilities — storage, runtime, and tooling — designed to simplify how users work with data, collaborate, and deploy applications.
A workspace combines:
- Storage Resources — object storage or network volumes for persisting and sharing data.
- Runtime Environments — isolated Kubernetes namespaces or vClusters providing a full Kubernetes API surface for workloads.
- Domain-Specific Tooling — such as VSCode Server–based datalabs preconfigured for EO data exploration, analysis, and processing workflows.
These three elements are managed through Kubernetes-native abstractions — a Storage resource for object storage (MinIO, AWS S3, OTC, etc.) and a Datalab resource providing an interactive development and exploration environment.
See: Storage CRD · Datalab CRD
Both layers are orchestrated by the Workspace API & UI, which exposes a REST API and web interface to manage users, storage, and runtime resources for individuals or teams.
See: Workspace OpenAPI Specification
- Compute Provisioning — Allocates compute environments within Kubernetes using namespaces or vClusters for isolation and resource control.
- Object Storage Provisioning — Creates and manages workspace-specific object storage, including access policies and credentials.
- Application Setup — Deploys ready-to-use user environments such as VSCode datalabs or the Workspace UI.
- IAM Integration — Uses Keycloak to automate user, group, and role management, ensuring secure access across all layers.
The Workspace BB is built on Crossplane — an open-source control plane that extends Kubernetes with declarative resource provisioning and composable custom APIs through Compositions (see Workspace Pipeline). This enables domain-specific abstractions such as “Storage” and “Datalab” to be defined declaratively and combined into higher-level resource types. As a result, infrastructure and service provisioning can be described, versioned, and managed like any other Kubernetes resource.
The main low-level providers on which these two compositions are built include:
- Provider-Kubernetes — manages native Kubernetes resources.
- Provider-Helm — installs and configures Helm-based components.
- Provider-Keycloak — provisions users, clients, and roles for IAM.
- Provider-MinIO — handles S3-compatible object storage.
Other providers can be used interchangeably, e.g. to use AWS S3, OTC OBS, or similar APIs instead of MinIO.
Each workspace includes a Datalab, a VSCode Server instance deployed into a Kubernetes namespace or a dynamically created vCluster.
A datalab is preconfigured with workspace-specific storage credentials, allowing seamless integration with data-access libraries such as Boto3 and equipped with commonly used command-line tools like AWS CLI and rclone. Together, this ready-made setup provides immediate access to workspace data for analysis, automation, and large-scale file transfers. In addition, the browser-based interface enables interactive data exploration through a unified file abstraction layer. This file abstraction is established via CSI drivers, enabling data to be mounted as volumes or accessed through higher-level tooling. These integrations further support advanced capabilities such as packaging related data objects or sharing individual assets via presigned URLs.
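What a presigned URL for workspace storage binds, as an added example (not code from the Workspace project; inside a datalab Boto3 would normally generate the URL). `presign_get` is a hypothetical helper that implements AWS Signature Version 4 query signing with the standard library; the endpoint, bucket, key and credentials are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(endpoint, bucket, key, access_key, secret_key, region,
                expires=900, force_path_style=True, now=None):
    """Return a SigV4 presigned GET URL (hypothetical helper, stdlib only)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    parts = urlsplit(endpoint)
    host = parts.netloc
    if force_path_style:   # MinIO/OTC: the bucket is part of the path
        path = f"/{bucket}/{quote(key, safe='/')}"
    else:                  # virtual-host style: the bucket is part of the host
        host, path = f"{bucket}.{host}", f"/{quote(key, safe='/')}"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # lifetime in seconds; keep it short
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # The signature covers the method, path, query (including expiry) and host.
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = f"AWS4{secret_key}".encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _mac(k, part)
    return f"{parts.scheme}://{host}{path}?{query}&X-Amz-Signature={_mac(k, to_sign).hex()}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real bucket.
    print(presign_get("https://minio.example.org", "ws-alice", "scenes/a b.tif",
                      "EXAMPLEKEY", "example-secret", "eu-central-1",
                      now=datetime.datetime(2025, 1, 1, tzinfo=datetime.timezone.utc)))
```

The URL works for anyone who holds it until `X-Amz-Expires` elapses, and because the host is signed, a URL generated with the wrong addressing style for the backend fails signature verification.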
This repository serves as an umbrella for documentation and dynamic Helm-chart creation.
Published charts appear as GitHub Packages under this repository.
Please note that Crossplane v2 and the providers listed above must be installed in the cluster before deploying any of the Workspace Helm charts.
These providers supply the foundational CRDs required by the workspace-pipeline and dependency charts.
No specific configuration values are required for this chart.
| Key | Type | Description |
|---|---|---|
| `clusterIngressDomain` | string | Base domain under which Educates workshop environments will be exposed (e.g., ngx.develop.eoepca.org). |
| `clusterIngressClass` | string | Ingress class used by Educates (e.g., nginx). |
| `tlsCertificateRef.name` | string | Name of the TLS secret used for Educates ingress. |
| `tlsCertificateRef.namespace` | string | Namespace where the TLS secret resides (e.g., workspace). |
| Key | Type | Description |
|---|---|---|
| `environmentconfig.iam.realm` | string | Keycloak realm name for Workspace authentication. |
| `environmentconfig.ingress.class` | string | Ingress class to use (e.g., nginx). |
| `environmentconfig.ingress.domain` | string | Domain for all Workspace UIs and services. |
| `environmentconfig.ingress.secret` | string | TLS secret for the domain. |
| `environmentconfig.storage.endpoint` | string | S3-compatible endpoint (e.g., https://minio.develop.eoepca.org). |
| `environmentconfig.storage.forcePathStyle` | bool | Use path-style addressing (true for MinIO/OTC). |
| `environmentconfig.storage.provider` | string | Storage provider label (MinIO, AWS, Other, etc.). |
| `environmentconfig.storage.region` | string | Region or identifier for the object storage backend. |
| `environmentconfig.storage.secretNamespace` | string | Namespace for generated storage credentials. |
| `environmentconfig.storage.type` | string | Storage type (s3). |
| `environmentconfig.network.serviceCIDR` | string | Kubernetes service CIDR (e.g., 10.43.0.0/12). |
| `environmentconfig.packages` | array | Optional list of extension packages to inject into workshops; each item supports `name` and `files[].image.url`. |
| `environmentconfig.auth.type` | string | Authentication mode: `credentials` (default) prompts for storage credentials; `none` adds no additional check. |
| `environmentconfig.default.quota.memory` | string | Default memory quota for Datalab sessions when unspecified. Default: 2Gi. |
| `environmentconfig.default.quota.storage` | string | Default volume size (PVC) for Datalab sessions when unspecified. Default: 1Gi. |
| `environmentconfig.default.quota.budget` | string | Default resource budget class (small, medium, large, …). Default: medium. |
Apache 2.0 (Apache License Version 2.0, January 2004)
https://www.apache.org/licenses/LICENSE-2.0