feat: How to deploy Eclipse Che on minikube with Keycloak as OIDC pr… #2408

Merged: 25 commits, Aug 31, 2022
Changes from 3 commits
Commits:
72f4b4d feat: How to deploy Eclipse Che on minikube with Keycloak as OIDC pr… (tolusha, Jul 22, 2022)
67b54d9 fixups (tolusha, Jul 22, 2022)
dfb3818 fixup (tolusha, Jul 23, 2022)
b921bfd Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Jul 26, 2022)
e8959f2 fixup (tolusha, Jul 27, 2022)
0dbb9b2 fixup (tolusha, Jul 27, 2022)
75dcdfa fixup (tolusha, Jul 27, 2022)
311e2b9 Fixups (tolusha, Aug 1, 2022)
30db51b Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
6c8b093 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
248979b Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
526b604 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
1430651 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
c9d1f14 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
756e901 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
8e42c3b Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
ddaf18b Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
4f115ad Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
6ae36fe Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
32435b7 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
d37f1de Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
40c24b0 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
0c37bbe Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
8154ae7 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
5ab0316 Update modules/administration-guide/pages/installing-che-on-minikube-… (tolusha, Aug 31, 2022)
1 change: 1 addition & 0 deletions modules/administration-guide/nav.adoc
@@ -22,6 +22,7 @@
** xref:installing-che-locally.adoc[]
*** xref:installing-che-on-red-hat-openshift-local.adoc[]
*** xref:installing-che-on-minikube.adoc[]
*** xref:installing-che-on-minikube-keycloak-oidc.adoc[]
* xref:configuring-che.adoc[]
** xref:understanding-the-checluster-custom-resource.adoc[]
*** xref:using-chectl-to-configure-the-checluster-custom-resource-during-installation.adoc[]
@@ -0,0 +1,313 @@
:_content-type: PROCEDURE
:navtitle: Installing {prod-short} on Minikube with {identity-provider} as OIDC Identity Provider
:description: Installing {prod-short} on Minikube with {identity-provider} as OIDC Identity Provider
:keywords: overview, installing-che-on-minikube-keycloak-oidc
:page-aliases: installation-guide:installing-che-on-minikube-keycloak-oidc, overview:installing-che-on-minikube-keycloak-oidc


[id="installing-{prod-id-short}-on-minikube-keycloak-oidc_{context}"]
= Installing {prod-short} on Minikube with {identity-provider} as OIDC Identity Provider

This article explains how to create a single-node {kubernetes} cluster with Minikube to deploy {prod-short} and
configure it to use {identity-provider} as OIDC identity provider.
Contributor:

Since this article is specific to minikube + keycloak, does it make sense to avoid the template fields? With the wrong values, this could turn into an article that refers to minikube with OpenShift version X or higher, using oc instead of kubectl.

Contributor Author:

We have a similar doc about deploying Eclipse Che on minikube [1] with templates instead of hardcoded values.
So, I think we don't have to care much.
/cc @max-cx

[1] https://github.com/eclipse-che/che-docs/blob/70783006917dab18651d0e9a274b98b0a176c47b/modules/administration-guide/pages/installing-che-on-minikube.adoc#L39-L38


WARNING: Remember that single-node {kubernetes} clusters are suited only for testing or development. Do *NOT* use such clusters to run {prod-short} for organizations or developer teams.

.Prerequisites

* Minikube with {kubernetes} version `{kube-ver-min}` or higher. See link:https://kubernetes.io/docs/tasks/tools/install-minikube/[Installing Minikube].

* `{orch-cli}`. See {orch-cli-link}.

* `{prod-cli}`. See xref:installing-the-chectl-management-tool.adoc[].

.Procedure

. Start Minikube. Allocate at least 8GB of RAM and 4 CPU cores:
+
----
$ minikube start --addons=ingress --vm=true --memory=8192 --cpus=4
----

. Deploy `cert-manager`. See link:https://cert-manager.io/docs/installation[Installing cert-manager].

. Deploy {identity-provider}:
+
[subs="+attributes"]
----
$ {orch-cli} apply -f - <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
name: keycloak
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: keycloak-selfsigned
namespace: keycloak
labels:
app: keycloak
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak-selfsigned
namespace: keycloak
labels:
app: keycloak
spec:
isCA: true
commonName: keycloak-selfsigned-ca
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: keycloak-selfsigned
kind: Issuer
group: cert-manager.io
secretName: ca.crt
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
ca:
secretName: ca.crt
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
isCA: false
commonName: keycloak
dnsNames:
- keycloak.$(minikube ip).nip.io
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
issuerRef:
kind: Issuer
name: keycloak
group: cert-manager.io
secretName: keycloak.tls
subject:
organizations:
- Local Eclipse Che
usages:
- server auth
- digital signature
- key encipherment
- key agreement
- data encipherment
---
apiVersion: v1
kind: Service
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app: keycloak
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:18.0.2
args: ["start-dev"]
env:
- name: KEYCLOAK_ADMIN
value: "admin"
- name: KEYCLOAK_ADMIN_PASSWORD
value: "admin"
- name: KC_PROXY
value: "edge"
ports:
- name: http
containerPort: 8080
readinessProbe:
httpGet:
path: /realms/master
port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
namespace: keycloak
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600'
nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
tls:
- hosts:
- keycloak.$(minikube ip).nip.io
secretName: keycloak.tls
rules:
- host: keycloak.$(minikube ip).nip.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 8080
EOF
----

. Save {identity-provider} CA certificate:
+
[subs="+attributes"]
----
$ {orch-cli} get secret ca.crt -o "jsonpath={.data['ca\.crt']}" -n keycloak | base64 -d > keycloak-ca.crt
----

. Copy {identity-provider} CA certificate into `minikube`:
+
----
$ minikube ssh sudo "mkdir -p /etc/ca-certificates" && \
minikube cp keycloak-ca.crt /etc/ca-certificates/keycloak-ca.crt
----

. Configure `minikube` to use {identity-provider} as OIDC identity provider:
+
----
$ minikube start \
--extra-config=apiserver.oidc-issuer-url=https://keycloak.$(minikube ip).nip.io/realms/che \
--extra-config=apiserver.oidc-username-claim=email \
--extra-config=apiserver.oidc-client-id=k8s-client \
--extra-config=apiserver.oidc-ca-file=/etc/ca-certificates/keycloak-ca.crt
----

. Configure {identity-provider} to create realm, client and user:
+
[subs="+attributes"]
----
$ {orch-cli} exec deploy/keycloak -n keycloak -- bash -c \
"/opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080 \
--realm master \
--user admin \
--password admin && \
/opt/keycloak/bin/kcadm.sh create realms \
-s realm='che' \
-s displayName='che' \
-s enabled=true \
-s registrationAllowed=false \
-s resetPasswordAllowed=true && \
/opt/keycloak/bin/kcadm.sh create clients \
-r 'che' \
-s clientId=k8s-client \
-s id=k8s-client \
-s redirectUris='[\"*\"]' \
-s directAccessGrantsEnabled=true \
-s secret=eclipse-che && \
/opt/keycloak/bin/kcadm.sh create users \
-r 'che' \
-s username=test \
-s email=\"[email protected]\" \
-s enabled=true \
-s emailVerified=true && \
/opt/keycloak/bin/kcadm.sh set-password \
-r 'che' \
--username test \
--new-password test"
----

. Copy {identity-provider} CA certificate into {prod-namespace}:
+
[subs="+attributes"]
----
$ {orch-cli} create namespace {prod-namespace} && \
{orch-cli} create configmap keycloak-certs \
--from-file=keycloak-ca.crt=keycloak-ca.crt \
-n {prod-namespace} && \
{orch-cli} label configmap keycloak-certs \
app.kubernetes.io/part-of=che.eclipse.org \
app.kubernetes.io/component=ca-bundle \
-n {prod-namespace}
----

. Prepare `CheCluster` patch:
+
[subs="+attributes"]
----
$ cat > che-patch.yaml << EOF
kind: CheCluster
apiVersion: org.eclipse.che/v2
spec:
networking:
auth:
oAuthClientName: k8s-client
oAuthSecret: eclipse-che
identityProviderURL: "https://keycloak.$(minikube ip).nip.io/realms/che"
components:
cheServer:
extraProperties:
CHE_OIDC_USERNAME__CLAIM: email
EOF
----

. Create the {prod-short} instance:
+
[subs="+attributes"]
----
$ {prod-cli} server:deploy --platform k8s --domain $(minikube ip).nip.io --che-operator-cr-patch-yaml che-patch.yaml --skip-cert-manager
----

.Verification steps

. Verify the {prod-short} instance status:
+
[subs="+attributes,+quotes"]
----
$ {prod-cli} server:status
----

. Navigate to the {prod-short} cluster instance:
+
[subs="+attributes,+quotes"]
----
$ {prod-cli} dashboard:open
----

. Login to {prod-short} instance with Username: `test` and Password: `test`
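Review bot: the Keycloak client in the "Configure {identity-provider} to create realm, client and user" step is created with `-s redirectUris='[\"*\"]'`, which lets Keycloak send the authorization code to any redirect target; a wildcard redirect URI is the standard way an OIDC client leaks codes and tokens to a third-party page, so restrict it to the {prod-short} host the deploy step actually uses (the `--domain $(minikube ip).nip.io` domain, e.g. `https://$(minikube ip).nip.io/*`), or at least say explicitly that the wildcard is acceptable only on this throwaway cluster. The same goes for the literal credentials the file bakes in (`KEYCLOAK_ADMIN_PASSWORD` set to `admin`, the client `secret=eclipse-che`, the `test`/`test` user) and for `args: ["start-dev"]`: the WARNING at the top covers single-node clusters but not these values, so one sentence next to the {identity-provider} deployment step stating they are development-only would keep readers from carrying them into a real install. Minor: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; with `networking.k8s.io/v1` the Ingress should set `spec.ingressClassName: nginx` instead.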