This section contains instructions for gettiong quickly started with Eclipse Che. You will learn how to:

Running Che locally

This article offers instructions for deploying and running Eclipse Che locally, on a personal workstation.

Prerequisites

To run and manage Che you need:

  • A Kubernetes or OpenShift cluster to deploy Che on

  • The chectl command-line tool for managing a Che server and its development workspaces.

Eclipse Che is available in two modes:

  • Single-user: non-authenticated Che, lighter and suited for personal desktop environments

  • Multi-user: authenticted Che, suited for the cloud, for organizations and developer teams

Instructions in this article focus on deploying and running Che in single-user mode.

Setting up a local Kubernetes or OpenShift cluster

Set up a single-node Kubernetes or OpenShift cluster on your machine using the Minikube or Minishift tools. Alternatively, on macOS or Windows, use the Docker Desktop application.

Using Minikube to set up Kubernetes

  1. Install the latest version of the kubectl tool and Minikube.

  2. Start Minikube (it is important to allocate at least 4 GB or RAM):

    $ minikube start --memory=4096

Using Minishift to set up OpenShift

  1. Install the latest version of Minishift and set the path of the oc binary.

  2. Start Minishift (it is important to allocate at least 4 GB of RAM):

    $ minishift start --memory=4096

Using Docker Desktop for Mac or Windows to set up Kubernetes

Installing the chectl management tool

Install the chectl command-line tool to be able to manage the Che Server application and development workspaces.

Installing chectl on Windows

  1. Download chectl-win.exe.

  2. Add the folder of the downloaded binary to your PATH environment variable.

Installing chectl on macOS

Run the following commands in the terminal:

$ RELEASE="20190314232124/chectl-macos" && \
URL=https://github.com/che-incubator/chectl/releases/download/${RELEASE} && \
sudo curl -sSL ${URL} -o /usr/local/bin/chectl && \
sudo chmod +x /usr/local/bin/chectl

Installing chectl on Linux

Run the following commands in the terminal:

$ RELEASE="20190314232124/chectl-linux" && \
URL=https://github.com/che-incubator/chectl/releases/download/${RELEASE} && \
sudo curl -sSL ${URL} -o /usr/local/bin/chectl && \
sudo chmod +x /usr/local/bin/chectl

Deploying Che using chectl

Start Che Server using the chectl tool.

Deploying single-user Che on Minikube

$ chectl server:start

Deploying single-user Che on Minishift

$ chectl server:start --platform minishift

Deploying multi-user Che on Minikube

$ chectl server:start --multiuser

Che deployment options using chectl

$ chectl server:start --help
Start Eclipse Che Server

USAGE
  $ chectl server:start

OPTIONS
  -a, --installer=installer            [default: helm] Installer type. Valid values are "helm" and "operator"
  -b, --domain=domain                  Domain of the Kubernetes/OpenShift cluster (e.g. starter-us-east-2.openshiftapps.com or <local-ip>.nip.io)
  -d, --debug                          Starts chectl in debug mode
  -h, --help                           show CLI help
  -i, --cheimage=cheimage              [default: eclipse/che-server:nightly] Che server container image
  -m, --multiuser                      Starts che in multi-user mode
  -n, --chenamespace=chenamespace      [default: kube-che] Kubernetes namespace where Che resources will be deployed
  -o, --cheboottimeout=cheboottimeout  (required) [default: 40000] Che server bootstrap timeout (in milliseconds)
  -p, --platform=platform              [default: minikube] Type of Kubernetes platform. Valid values are "minikube", "minishift", "docker4mac", "ocp", "oso".
  -s, --tls                            Enable TLS encryption and multi-user mode
  -t, --templates=templates            [default: /snapshot/chectl/templates] Path to the templates folder

Deploying Che on Kubernetes on AWS

Preparing the AWS system for installing Che

The following sections describe how to set up Kubernetes for Eclipse Che on Amazon Elastic Compute Cloud (Amazon EC2).

Prerequisites
  • A running instance of Kubernetes and Ingress

  • The kubectl tool installed

  • The chectl tool installed

Installing Kubernetes on Amazon EC2

  1. Set up the AWS Command Line Interface (AWS CLI). For detailed installation instructions, see Installing the AWS CLI.

  2. Check the PATH environment variable if the aws tool is not available.

  3. Install Kubernetes on EC2. There are several ways to have a running Kubernetes instance on EC2. Here, the kops tool is used to install Kubernetes. For details, see Installing Kubernetes with kops.

This document assumes that Eclipse Che must be configured to run at Che AWS Cloud.

Setting up DNS

One way to set up Domain Name System (DNS) is to create the Amazon Route53 to manage the aws.my-ide.cloud domain.

To set up DNS:

  1. Create the zone on AWS:

    $ aws route53 create-hosted-zone --name aws.my-ide.cloud --caller-reference 1
    
    \{
     "Location": "https://route53.amazonaws.com/2013-04-01/hostedzone/<ZONE-ID>",
     "HostedZone": \{
     "Id": "/hostedzone/<ZONE-ID>",
     "Name": "aws.my-ide.cloud.",
     "CallerReference": "1",
     "Config": \{
     "PrivateZone": false
     },
     "ResourceRecordSetCount": 2
     },
     "ChangeInfo": \{
     "Id": "/change/C1ZNLBU45DJUJL",
     "Status": "PENDING",
     "SubmittedAt": "2019-07-08T08:14:39.772Z"
     },
     "DelegationSet": \{
     "NameServers": [
     "ns-1693.awsdns-19.co.uk",
     "ns-1133.awsdns-13.org",
     "ns-150.awsdns-18.com",
     "ns-965.awsdns-56.net"
     ]
     }
    }
  2. Configure the four DNS nameservers on the my-ide.cloud DNS.

    dns nameservers
  3. Create the Simple Storage Service (s3) storage to store the kops configuration.

    $ aws s3 mb s3://clusters.aws.my-ide.cloud
    make_bucket: clusters.aws.my-ide.cloud
  4. Inform kops of this new service:

    $ export KOPS_STATE_STORE=s3://clusters.aws.my-ide.cloud
  5. Create the kops cluster by providing the cluster zone. For example, for Europe, the zone is eu-west-1c.

    $ kops create cluster --zones=eu-west-1c eu.aws.my-ide.cloud
  6. Create the cluster:

    $ kops update cluster eu.aws.my-ide.cloud --yes
  7. After the cluster is ready, validate it:

    $ kops validate cluster
    
    Using cluster from kubectl context: eu.aws.my-ide.cloud
    
    Validating cluster eu.aws.my-ide.cloud
    
    INSTANCE GROUPS
    NAME                ROLE    MACHINETYPE  MIN  MAX  SUBNETS
    master-eu-west-1c   Master  m3.medium    1    1    eu-west-1c
    nodes               Node    t2.medium    2    2    eu-west-1c
    
    NODE STATUS
    NAME                                         ROLE    READY
    ip-172-20-38-26.eu-west-1.compute.internal   node    True
    ip-172-20-43-198.eu-west-1.compute.internal  node    True
    ip-172-20-60-129.eu-west-1.compute.internal  master  True
    
    Your cluster eu.aws.my-ide.cloud is ready
  8. Check the cluster using the kubectl command. The kubectl context is also configured automatically by the kops tool:

    $ kubectl config current-context
    eu.aws.my-ide.cloud
    
    $ kubectl get pods --all-namespaces
    
    All the pods in the running state are displayed.

Installing Ingress-nginx

To install Ingress-nginx:

  1. Install the default configuration.

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
  2. Install the configuration for AWS.

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-l4.yaml
    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/patch-configmap-l4.yaml

    The following output confirms that the Ingress controller is running.

    $ kubectl get pods --namespace ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s
  3. Find the external IP of ingress-nginx.

    $ kubectl get services --namespace ingress-nginx -o jsonpath='{.items[].status.loadBalancer.ingress[0].hostname}'
    Ade9c9f48b2cd11e9a28c0611bc28f24-1591254057.eu-west-1.elb.amazonaws.com

    Troubleshooting: If the output is empty, it implies that the cluster has configuration issues. Use the following command to find the cause of the issue:

    $ kubectl describe service -n ingress-nginx ingress-nginx

    Output similar to the following means a needed role must be created manually:

    arn:aws:sts::269287474311:assumed-role...4bff is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::269287474311:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing

    Run the following command to create the role:

    $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
  4. Add hosts on route 53 with this given hostname https://console.aws.amazon.com/route53/home?region=eu-west-1#hosted-zones:

  5. Create the wildcard DNS (for .aws-my-ide.cloud) with the previous hostname and ensure to add the dot (.) at the end of the hostname. In the Type drop-down list, select CNAME.

    create record set

    The following is an example of the resulting window after adding all the values.

    create record set all values

    The che.aws.my-ide.cloud address must resolve to an IP address.

    $ host che.aws.my-ide.cloud
    che.aws.my-ide.cloud is an alias for ade9c9f48b2cd11e9a28c0611bc28f24-1591254057.eu-west-1.elb.amazonaws.com.
    ade9c9f48b2cd11e9a28c0611bc28f24-1591254057.eu-west-1.elb.amazonaws.com has address 54.77.155.195

It is now possible to install Eclipse Che on this existing Kubernetes instance.

Enabling the TLS and DNS challenge

To use the Cloud DNS and TLS, some service accounts must be enabled to have cert-manager managing the DNS challenge for the Let’s Encrypt service.

  1. Create a new permission file.

  2. Use the following command to obtain the zone ID:

    $ aws route53 list-hosted-zones
    {
        "HostedZones": [
            {
                "Id": "/hostedzone/ABCDEFGH",
                "Name": "aws.my-ide.cloud.",
                "CallerReference": "1",
                "Config": {
                    "PrivateZone": false
                },
                "ResourceRecordSetCount": 5
            }
        ]
    }
  3. Copy the following content and replace INSERT_ZONE_ID with the route53 zone ID:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "route53:GetChange",
                    "route53:ListHostedZonesByName"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "route53:ChangeResourceRecordSets"
                ],
                "Resource": [
                    "arn:aws:route53:::hostedzone/<INSERT_ZONE_ID>"
                ]
            }
        ]
    }
  4. In the EC2 Dashboard, identify the IAM role used by the master node.

    It is located under the Description tab, in the IAM role field.

    describtion tab iam role
  5. Click on the IAM role link (masters.eu.aws.my-ide.cloud, in this case).

    aws summary iam role
  6. Click the Add inline policy link at the bottom of the window.

  7. In the Create policy window, on the JSON tab, paste the content of the JSON file created earlier and click the Review policy button.

    aws create policy
  8. In the Name field, type eclipse-che-route53 and click Create Policy.

    create policy review policy

Installing cert-manager

  1. To install cert-manager, run the following commands (for details, see Installing Cert on Kubernetes):

    $ kubectl create namespace cert-manager namespace/cert-manager created
    $ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
  2. Set validate=false. If set to true, it will only work with the latest Kubernetes:

    $ kubectl apply \
      -f https://github.com/jetstack/cert-manager/releases/download/v0.8.1/cert-manager.yaml \
      --validate=false
  3. Create the Che namespace if it does not already exist:

    $ kubectl create namespace che
    namespace/che created
  4. Create the cert-manager user:

    $ aws iam create-user --user-name cert-manager
    {
        "User": {
            "Path": "/",
            "UserName": "cert-manager",
            "UserId": "ABCDEF",
            "Arn": "arn:aws:iam::1234:user/cert-manager",
            "CreateDate": "2019-07-30T13:50:48Z"
        }
    }
  5. Create the access key:

    {
        "AccessKey": {
            "UserName": "cert-manager",
            "AccessKeyId": "ABCDEF",
            "Status": "Active",
            "SecretAccessKey": "mySecret",
            "CreateDate": "2019-07-30T13:52:59Z"
        }
    }
    Remember the access key for later use.
  6. Create a secret from the SecretAccessKey content.

    $ kubectl create secret generic aws-cert-manager-access-key \
      --from-literal=CLIENT_SECRET=<REPLACE WITH SecretAccessKey content> -n cert-manager
  7. Use the Add inline policy link to add the inline policy to AWS Cert-Manager.

    aws summary iam role
  8. Paste the following inline policy in the JSON tab:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "route53:GetChange",
                "Resource": "arn:aws:route53:::change/"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": "arn:aws:route53:::hostedzone/"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ListHostedZonesByName",
                "Resource": "*"
            }
        ]
    }
    json review policy
  9. Click Review policy.

    create policy review
  10. In the Name field, type route53, and click Create policy.

  11. To create the certificate issuer, change the email address and specify the accessKeyID:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
      name: che-certificate-issuer
    spec:
      acme:
        dns01:
          providers:
          - route53:
              region: eu-west-1
              accessKeyID: <USE ACCESS_KEY_ID_CREATED_BEFORE>
              secretAccessKeySecretRef:
                name: aws-cert-manager-access-key
                key: CLIENT_SECRET
            name: route53
        email: florent@example.com
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  12. Add the certificate by editing the domain name value (aws.my-ide.cloud, in this case) and the dnsName value:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
     name: che-tls
     namespace: che
    spec:
     secretName: che-tls
     issuerRef:
       name: che-certificate-issuer
       kind: ClusterIssuer
     dnsNames:
       - '.aws.my-ide.cloud'
     acme:
       config:
         - dns01:
             provider: route53
           domains:
             - '.aws.my-ide.cloud'
    EOF
  13. Check if the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is being added to the DNS zone for Let’s encrypt.

    aws hosted zones dns

    The cert-manager logs should contain information about the DNS challenge.

  14. Obtain the logs using the following command (here, cert-manager-8d478bb45-sdfmz is the name of the cert-manager pod):

    $ kubectl logs -f cert-manager-8d478bb45-sdfmz -n cert-manager
    I0730 14:46:25.382385       1 sync.go:274] Need to create 0 challenges
    I0730 14:46:25.382401       1 sync.go:319] Waiting for all challenges for order "che-tls-3365293372" to enter 'valid' state
    I0730 14:46:25.382431       1 controller.go:204] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3365293372"
    I0730 14:46:25.382813       1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3365293372-0"
    I0730 14:46:25.382843       1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="che/che-tls-3365293372-0"
    I0730 14:46:25.383037       1 dns.go:101] Presenting DNS01 challenge for domain "aws.my-ide.cloud"
    I0730 14:47:03.061546       1 dns.go:112] Checking DNS propagation for "aws.my-ide.cloud" using name servers: [100.64.0.10:53]
    I0730 14:47:03.220952       1 dns.go:124] Waiting DNS record TTL (60s) to allow propagation of DNS record for domain "_acme-challenge.aws.my-ide.cloud.”
  15. Ensure that the certificate is ready:

    $ kubectl describe certificate/che-tls -n che
    Status:
      Conditions:
        Last Transition Time:  2019-07-30T14:46:23Z
        Message:               Certificate issuance in progress. Temporary certificate issued.
        Reason:                TemporaryCertificate
        Status:                False
        Type:                  Ready
    Events:
      Type    Reason        Age   From          Message
      ----    ------        ----  ----          -------
      Normal  OrderCreated  50s   cert-manager  Created Order resource "che-tls-3365293372"
  16. Wait for the status to become OK and ensure that the log contains the following entry:

    I0729 13:56:26.140886       1 conditions.go:143] Found status change for Certificate "che-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-07-29 13:56:26.140866531 +0000 UTC m=+4557.134131468
  17. Ensure that the status is up-to-date using the following command:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
      Conditions:
        Last Transition Time:  2019-07-30T14:48:07Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2019-10-28T13:48:05Z
    Events:
      Type    Reason         Age    From          Message
      ----    ------         ----   ----          -------
      Normal  OrderCreated   5m29s  cert-manager  Created Order resource "che-tls-3365293372"
      Normal  OrderComplete  3m46s  cert-manager  Order "che-tls-3365293372" completed successfully
      Normal  CertIssued     3m45s  cert-manager  Certificate issued successfully

Installing Che on Kubernetes using the chectl command

Procedure

To install Che:

  1. Run the following command:

    $ chectl server:start --platform=k8s --installer=helm --domain=aws.my-ide.cloud --multiuser --tls
      ✔ ✈️  Kubernetes preflight checklist
        ✔ Verify if kubectl is installed
        ✔ Verify remote kubernetes status...done.
        ✔ Verify domain is set...set to aws.my-ide.cloud.
      ✔ 🏃‍  Running Helm to install Che
        ✔ Verify if helm is installed
        ✔ Check for TLS secret prerequisites...che-tls secret found.
        ✔ Create Tiller Role Binding...it already exist.
        ✔ Create Tiller Service Account...it already exist.
        ✔ Create Tiller RBAC
        ✔ Create Tiller Service...it already exist.
        ✔ Preparing Che Helm Chart...done.
        ✔ Updating Helm Chart dependencies...done.
        ✔ Deploying Che Helm Chart...done.
      ✔ ✅  Post installation checklist
        ✔ PostgreSQL pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Keycloak pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Che pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Retrieving Che Server URL...https://che-che.aws.my-ide.cloud
        ✔ Che status check
    Command server:start has completed successfully.
  2. The certificate generated by Let’s Encrypt is a valid certificate.

    certificate generate lets encrypt
    eclipse che welcome to your workspace

Installing Che on OpenShift 3 using the operator

Prerequisites
  • A running instance of OpenShift 3.11

  • The oc tool installed

  • The chectl tool installed

  • Administrator rights to the OpenShift installation (needed by che-role)

Preparing OpenShift for installing Che

Procedure

To install Che on OpenShift 3 using the operator:

  1. Log in to OpenShift (copy the login command from the OpenShift console):

    $ oc login https://master.rhpds311.openshift.opentlc.com:443 --token=<token>
    log into openshift
  2. Check if the latest oc binary tool is installed on the system:

    $ oc version
    oc v3.11.0+0cbc58b
    kubernetes v1.11.0+d4cacc0
    features: Basic-Auth
    
    Server https://master.rhpds311.openshift.opentlc.com:443
    openshift v3.11.43
    kubernetes v1.11.0+d4cacc0
  3. Give a domain to chectl. This is the remote hostname that will be accessible. If it is unknown, obtain it with a new project using the following command:

    $ oc new-project hello-world
    $ oc new-app centos/httpd-24-centos7~https://github.com/openshift/httpd-ex
    $ oc expose svc/httpd-ex
    $ oc get route httpd-ex
    NAME     HOST/PORT                                                PATH     SERVICES PORT     TERMINATION WILDCARD
    httpd-ex httpd-ex-hello-world.apps.rhpds311.openshift.opentlc.com httpd-ex          8080-tcp             None
  4. Extract the domain from httpd-ex-hello-world.apps.rhpds311.openshift.opentlc.com. It is the part after the first name: apps.rhpds311.openshift.opentlc.com.

  5. Remove the project:

    $ oc delete project hello-world

Installing Che on OpenShift using the Operator

Procedure

To install Che on OpenShift using the Operator:

  1. Create a new project called che:

    $ oc new-project che
  2. Invoke chectl:

    $ chectl server:start --platform=openshift --installer=operator --domain=apps.rhpds311.openshift.opentlc.com
      ✔ ✈️  Openshift preflight checklist
        ✔ Verify if oc is installed...done.
        ✔ Verify if openshift is running...done.
        ✔ Verify domain is set...set to apps.rhpds311.openshift.opentlc.com.
      ✔ 🏃‍  Running the Che Operator
        ✔ Copying operator resources...done.
        ✔ Create Namespace (che)...It already exist.
        ✔ Create ServiceAccount che-operator in namespace che...done.
        ✔ Create Role che-operator in namespace che...done.
        ✔ Create RoleBinding che-operator in namespace che...done.
        ✔ Create CRD checlusters.org.eclipse.che...done.
        ✔ Waiting 5 seconds for the new Kubernetes resources to get flushed...done.
        ✔ Create deployment che-operator in namespace che...done.
        ✔ Create Che Cluster eclipse-che in namespace che...done.
      ✔ ✅  Post installation checklist
        ✔ PostgreSQL pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Keycloak pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Che pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Retrieving Che Server URL...http://che-che.apps.rhpds311.openshift.opentlc.com
        ✔ Che status check
    Command server:start has completed successfully.

Installing Che on OpenShift using the Operator and SSL

Prerequisites

The installation of Che on OpenShift using the Operator and SSL requires the --tls option.

Procedure

To install Che on OpenShift using the Operator and SSL:

  1. Run this command:

     $ ./bin/run server:start --platform=openshift --installer=operator --domain=apps.rhpds311.openshift.opentlc.com --tls
      ✔ ✈️  Openshift preflight checklist
        ✔ Verify if oc is installed...done.
        ✔ Verify if openshift is running...done.
        ✔ Verify domain is set...set to apps.rhpds311.openshift.opentlc.com.
      ✔ 🏃‍  Running the Che Operator
        ✔ Copying operator resources...done.
        ✔ Create Namespace (che)...done.
        ✔ Create ServiceAccount che-operator in namespace che...done.
        ✔ Create Role che-operator in namespace che...done.
        ✔ Create RoleBinding che-operator in namespace che...done.
        ✔ Create CRD checlusters.org.eclipse.che...It already exist.
        ✔ Waiting 5 seconds for the new Kubernetes resources to get flushed...done.
        ✔ Create deployment che-operator in namespace che...done.
        ✔ Create Che Cluster eclipse-che in namespace che...done.
      ✔ ✅  Post installation checklist
        ✔ PostgreSQL pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Keycloak pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Che pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Retrieving Che Server URL...https://che-che.apps.rhpds311.openshift.opentlc.com
        ✔ Che status check
    Command server:start has completed successfully.

Here, the link https://che-che.apps.rhpds311.openshift.opentlc.com is now prefixed with HTTPS and Let’s Encrypt has created the certificates.

Installing Che on OpenShift 4 from OperatorHub

Eclipse Che can be installed from OpenShift OperatorHub.

Installing Che on OpenShift 4

Procedure

To install Che on OpenShift 4:

Creating the che project

  1. Create a project named che using the Projects tab.

  2. Click the Create Project button.

    open shift create project
  3. In the Name field, type che and click the Create button.

    create project button

Installing the operator

  1. After the Che project is created, install the operator. In the left panel, expand Catalog and click OperatorHub.

    catalog operatorhub
  2. In the Search by keyword field, type eclipse che.

    eclipse che in openshift creation
  3. Click Eclipse Che.

    select eclipse che in openshift
  4. Click the Install button in the Eclipse Che pop-up window.

    install eclipse che in openshift
  5. In the A specific namespace field in the cluster drop-down list, select che. Click the Subscribe button.

    eclipse che create operator subscription

    The operator is successfully installed and is available in the Installed Operators section.

    eclipse che overview

Deploying Che

  1. Navigate to the Catalog → Installed Operators section.

    eclipse che installed operators

    Eclipse Che is displayed as an installed operator having the InstallSucceeded status.

  2. To deploy Che, click Eclipse Che in the list of installed operators.

    eclipse che overview provided apis
  3. Click the Create New link in Provided APIs section.

    cc eclipse che cluster
  4. Leave the default values as they are and click the Create button in the bottom-left corner of the window.

    create che cluster intalled operators

    As a result, the Eclipse Che cluster is created.

    eclipse che cluster create che cluster

Tracking the Che deployment

  1. To track the deployment, click the eclipse-che cluster.

    eclipse che cluster overview
  2. Click the Resources tab.

    eclipse che resources tab

    It is also possible to track the deployment using the command line and the following two commands:

    $ oc project che
    $ oc get pods
    NAME                            READY     STATUS    RESTARTS   AGE
    che-8495f4946b-jrzdc            0/1       Running   0          86s
    che-operator-578765d954-99szg   1/1       Running   0          42m
    keycloak-74fbfb9654-g9vp5       1/1       Running   0          4m32s
    postgres-5d579c6847-w6wx5       1/1       Running   0          5m14s

Viewing che-operator logs

  1. To view the che-operator logs, run the following command:

    $ oc logs --tail=10 -f che-operator-578765d954-99szg
    time="2019-07-12T09:48:29Z" level=info msg="Exec successfully completed"
    time="2019-07-12T09:48:29Z" level=info msg="Updating eclipse-che CR with status: provisioned with OpenShift identity provider: true"
    time="2019-07-12T09:48:29Z" level=info msg="Custom resource eclipse-che updated"
    time="2019-07-12T09:48:29Z" level=info msg="Creating a new object: ConfigMap, name: che"
    time="2019-07-12T09:48:29Z" level=info msg="Creating a new object: ConfigMap, name: custom"
    time="2019-07-12T09:48:29Z" level=info msg="Creating a new object: Deployment, name: che"
    time="2019-07-12T09:48:30Z" level=info msg="Updating eclipse-che CR with status: Che API: Unavailable"
    time="2019-07-12T09:48:30Z" level=info msg="Custom resource eclipse-che updated"
    time="2019-07-12T09:48:30Z" level=info msg="Waiting for deployment che. Default timeout: 420 seconds"
  2. To obtain the Eclipse Che URL, wait for the logs to show the following information:

    time="2019-07-12T09:50:13Z" level=info msg="Updating eclipse-che CR with Eclipse Che server URL: http://che-che.apps.cluster-fre-f0a2.fre-f0a2.openshiftworkshop.com"
    time="2019-07-12T09:50:13Z" level=info msg="Custom resource eclipse-che updated"
    time="2019-07-12T09:50:13Z" level=info msg="Eclipse Che is now available at: http://che-che.apps.cluster-fre-f0a2.fre-f0a2.openshiftworkshop.com"
    time="2019-07-12T09:50:13Z" level=info msg="Updating eclipse-che CR with version: 7.0.0-RC-2.0"

    The URL is also displayed in the Eclipse Che cluster on the Installed Operators window in the ECLIPSE CHE URL field.

    eclipse che url filef overview
  3. Click on the Eclipse Che URL link to display the Eclipse Che login page.

    eclipse che login page
  4. To log in, use OpenShift OAuth or register as a new user. To use OAuth, the user must grant permissions to log in to Eclipse Che.

    authorize access for eclipse che openshift
  5. Update account information.

    update account information eclipse che

    When the user is logged in, the Eclipse Che Dashboard displays where the user can create a workspace.

    eclipse che loading
    eclipse che loading

Enabling SSL on OpenShift 4

Procedure

To enable SSL on Openshift 4:

  1. Toggle the TLS MODE switch to True.

    set that value to true enabeling tls mode
    tls mode true
  2. Click Confirm change.

  3. In the Resources section, the pods are restarted.

    resource section pods are restarted
  4. Click the ECLIPSE CHE URL link.

    eclipse che url link

    Notice that the link is redirected to HTTPS.

    link is redirected to https

    A valid Let’s Encrypt certificate is available, and Che is available on HTTPS.

che running on openshift v4
Figure 1. An example of Eclipse Che running on OpenShift v4.1 with SSL

Installing Che on Google Cloud Platform

Creating a Google Kubernetes Engine instance

This section describes how to create a Google Kubernetes Engine instance.

Prerequisites
  • The Google Cloud SDK is installed. See Installing Google Cloud SDK.

    To install the SDK on macOS, use the $ brew cask install google-cloud-sdk command.

Procedure
  1. Create a Kubernetes cluster. For details, see Creating a cluster.

  2. Create a new project with the eclipse-che-1 ID in the Google Cloud Platform (GCP) web console.

  3. Configure the different default options (such as using the europe-wes1-b zone) in the shell:

    $ gcloud config set project eclipse-che-1
    $ gcloud config set compute/zone europe-west1-b
    $ gcloud config set compute/region europe-west1
  4. Check if all the components are up-to-date:

    $ gcloud components update
    All components are up to date.
  5. Create a cluster with the name eclipse-che:

    $ gcloud container clusters create eclipse-che --zone europe-west1-b
  6. Wait for the cluster to be ready.

  7. The Kubernetes context is defined automatically. To verify it:

    $ kubectl config current-context
    gke_eclipse-che-1_europe-west1-b_eclipse-che

Preparing Google Cloud Platform for installing Che

Creating a Google Kubernetes Engine instance

This section describes how to create a Google Kubernetes Engine instance.

Prerequisites
  • The Google Cloud SDK is installed. See Installing Google Cloud SDK.

    To install the SDK on macOS, use the $ brew cask install google-cloud-sdk command.

Procedure
  1. Create a Kubernetes cluster. For details, see Creating a cluster.

  2. Create a new project with the eclipse-che-1 ID in the Google Cloud Platform (GCP) web console.

  3. Configure the different default options (such as using the europe-wes1-b zone) in the shell:

    $ gcloud config set project eclipse-che-1
    $ gcloud config set compute/zone europe-west1-b
    $ gcloud config set compute/region europe-west1
  4. Check if all the components are up-to-date:

    $ gcloud components update
    All components are up to date.
  5. Create a cluster with the name eclipse-che:

    $ gcloud container clusters create eclipse-che --zone europe-west1-b
  6. Wait for the cluster to be ready.

  7. The Kubernetes context is defined automatically. To verify it:

    $ kubectl config current-context
    gke_eclipse-che-1_europe-west1-b_eclipse-che

Installing Ingress on Kubernetes

Procedure

Eclipse Che uses Ingress.

Procedure

To install Ingress-nginx:

  1. Install the default configuration:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
  2. Install the configuration for cloud:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

    The following output confirms that the Ingress controller is running:

    $ kubectl get pods --namespace ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

    Wait for the container to run.

  3. Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

    $ kubectl get services  --namespace ingress-nginx
    NAME           TYPE          CLUSTER-IP   EXTERNAL-IP    PORT(S)                     AGE
    ingress-nginx  LoadBalancer  10.0.97.244  40.89.129.194  80:31107/TCP,443:30629/TCP  8m59s
  4. Get the external IP of Ingress-nginx.

    $ kubectl get services --namespace ingress-nginx \
      -o jsonpath='{.items[].status.loadBalancer.ingress[0].ip}'
    40.89.129.194

Installing DNS on Google Cloud Platform

Procedure
  1. Using the Cloud DNS, create a zone called eclipse-che and, for example, a DNS name gcp.my-ide.cloud. Click the Create button.

    creating dns zone on gcp

    The Cloud DNS zone is created.

    cloud dns zone on gcp
  2. Click the Registrar Setup link in the top-right corner of the window. The name servers (NS) to be added to the registrar are displayed.

    registrar setup gcp
  3. Update the DNS zone (example: ovh domain).

  4. Add the *.gcp.my-ide.cloud entry to the external Ingress IP on the cloud DNS.

    dns settings gcp

Enabling the TLS and DNS challenge on Google Cloud Platform

Procedure

To use the Cloud DNS and TLS, service accounts must be enabled, and cert-manager must manage the DNS challenge for the Let’s Encrypt service.

  1. Create a service account with the given name:

    $ gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"
  2. Add the policy binding to the IAM policy of the eclipse-che-1 project (replace the eclipse-che-1 project name with the name of your project):

    $ gcloud projects add-iam-policy-binding eclipse-che-1 \
      --member serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com \
      --role roles/dns.admin

    The following is the output of this command:

    Updated IAM policy for project [eclipse-che-1].
    
    bindings:
    - members:
     - serviceAccount:service-779451692063@compute-system.iam.gserviceaccount.com
     role: roles/compute.serviceAgent
    - members:
     - serviceAccount:service-779451692063@container-engine-robot.iam.gserviceaccount.com
     role: roles/container.serviceAgent
    - members:
     - serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com
     role: roles/dns.admin
    - members:
     - serviceAccount:779451692063-compute@developer.gserviceaccount.com
     - serviceAccount:779451692063@cloudservices.gserviceaccount.com
     - serviceAccount:service-779451692063@containerregistry.iam.gserviceaccount.com
     role: roles/editor
    - members:
     - user:<email-address>
     role: roles/owner
    etag: <some-tag>
    version: 1

Creating a Service Account Secret on Google Cloud Platform

Procedure

To access the service account, cert-manager uses a key stored in a Kubernetes Secret.

  1. Create a key for the service account and download it as a JSON file:

    $ gcloud iam service-accounts keys create key.json \
      --iam-account mailto:dns01-solver@eclipse-che-1.iam.gserviceaccount.com[_dns01-solver@eclipse-che-1.iam.gserviceaccount.com_]

    The following is the output of the preceding command:

    created key [05e94ca2e7754b94a63049605ee8d2813d16ff37] of type [json] as [key.json] for [dns01-solver@eclipse-che-1.iam.gserviceaccount.com]

    The key file is generated:

    $ ls -la key.json
    -rw------- 1 joe staff 2318 Jul 29 12:13 key.json
    Keep the key file safe, and do not share it with anyone because it can be used to gain access to your cloud resources. The key file can be deleted after it has been used to generate the Secret.
  2. Create a Secret from this file.

    $ kubectl create secret generic clouddns-dns01-solver-svc-acct --from-file=key.json

Installing cert-manager on Kubernetes

Procedure
  1. To install cert-manager:

    $ kubectl create namespace cert-manager
    namespace/cert-manager created
    
    $ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
    
    $ kubectl apply \
      -f https://github.com/jetstack/cert-manager/releases/download/v0.8.1/cert-manager.yaml --validate=false
  2. Create the che namespace if it does not exist already:

    $ kubectl create namespace che
    namespace/che created
  3. Create the certificate issuer. Replace your email address in the email field:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
     name: che-certificate-issuer
    spec:
     acme:
     dns01:
     providers:
     - clouddns:
     project: eclipse-che-1
     serviceAccountSecretRef:
     key: key.json
     name: clouddns-dns01-solver-svc-acct
     name: clouddns
     email: joe@example.com
     privateKeySecretRef:
     name: letsencrypt
     server: https://acme-v02.api.letsencrypt.org/directory[_https://acme-v02.api.letsencrypt.org/directory_]
    EOF
  4. Create the certificate. Edit the domain name:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
     name: che-tls
     namespace: che
    spec:
     secretName: che-tls
     issuerRef:
     name: che-certificate-issuer
     kind: ClusterIssuer
     dnsNames:
     - '*.gcp.my-ide.cloud'
     acme:
     config:
     - dns01:
     provider: clouddns
     domains:
     - '*.gcp.my-ide.cloud'
    EOF
  5. Check that the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is added to the DNS zone for Let’s Encrypt.

    dns challenge gcp
  6. The cert-manager logs should contain information about the DNS challenge. To get the logs (here, cert-manager-8d478bb45-2924h is the name of the cert-manager pod):

    $ kubectl logs -f -n cert-manager cert-manager-8d478bb45-2924h
    
    I0729 13:50:39.414729 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]
    
    E0729 13:50:39.422521 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="che" "type"="dns-01"
    
    I0729 13:50:39.422598 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"
    
    I0729 13:50:49.406767 1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="che/che-tls-3529929423-0"
    
    I0729 13:50:49.409802 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]
    
    E0729 13:50:49.420131 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="che" "type"="dns-01"
    
    I0729 13:50:49.420198 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"
  7. Ensure that the certificate is ready:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
     Conditions:
     Last Transition Time: 2019-07-29T13:50:35Z
     Message: Certificate issuance in progress. Temporary certificate issued.
     Reason: TemporaryCertificate
     Status: False
     Type: Ready
    Events:
     Type Reason Age From Message
     ---- ------ ---- ---- -------
     Normal Generated 47s cert-manager Generated new private key
     Normal GenerateSelfSigned 47s cert-manager Generated temporary self signed certificate
     Normal OrderCreated 47s cert-manager Created Order resource "che-tls-3529929423"

    Wait for the Status to become OK, and ensure that the log contains the following entry:

    I0729 13:56:26.140886 1 conditions.go:143] Found status change for Certificate "che-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-07-29 13:56:26.140866531 +0000 UTC m=+4557.134131468
  8. Ensure that the status is up-to-date:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
     Conditions:
     Last Transition Time: 2019-07-29T13:56:26Z
     Message: Certificate is up to date and has not expired
     Reason: Ready
     Status: True
     Type: Ready
     Not After: 2019-10-27T12:56:24Z

Installing Che on Google Cloud Platform using chectl

Procedure

To install Che on Google Cloud Platform, run the following chectl command:

$ chectl server:start --installer=helm --platform=k8s --tls --domain=gcp.my-ide.cloud --multiuser
 ✔ ✈️ Kubernetes preflight checklist
 ✔ Verify if kubectl is installed
 ✔ Verify remote kubernetes status...done.
 ✔ Verify domain is set...set to gcp.my-ide.cloud.
 ✔ 🏃‍ Running Helm to install Che
 ✔ Verify if helm is installed
 ✔ Check for TLS secret prerequisites...che-tls secret found.
 ✔ Create Tiller Role Binding...it already exist.
 ✔ Create Tiller Service Account...it already exist.
 ✔ Create Tiller RBAC
 ✔ Create Tiller Service...it already exist.
 ✔ Preparing Che Helm Chart...done.
 ✔ Updating Helm Chart dependencies...done.
 ✔ Deploying Che Helm Chart...done.
 ✔ ✅ Post installation checklist
 ✔ PostgreSQL pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Keycloak pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Che pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Retrieving Che Server URL...https://che-che.gcp.my-ide.cloud
 ✔ Che status check
Command server:start has completed successfully.
keycloak and che with valid wildcard certs
Figure 2. Keycloak and Che with valid wildcard certificates
che user dashboard gcp
Figure 3. Che user dashboard

title: Installing Che on Microsoft Azure keywords: tags: [] sidebar: che_7_docs permalink: che-7/installing-eclipse-che-on-microsoft-azure.html folder: che-7/installation-guide summary: ---

Installing Che on Microsoft Azure

Preparing Azure for installing Che

Procedure

To set up the Azure environment for Che:

  1. Install the Azure command-line tool. For details, see Install the Azure CLI.

    For example, on macOS:

    $ brew update && brew install azure-cli
  2. Log in to Azure:

    $ az login
  3. Create an Azure group (to list the locations, use the az account list-locations command):

    $ az group create --name eclipseCheResourceGroup --location francecentral
    {
      "id": "/subscriptions/ab0f7986-a280-481c-a47d-98fa45ff94ca/resourceGroups/eclipseCheResourceGroup",
      "location": "francecentral",
      "managedBy": null,
      "name": "eclipseCheResourceGroup",
      "properties": {
        "provisioningState": "Succeeded"
      },
      "tags": null,
      "type": null
    }
  4. Create the cluster:

    $ az aks create --resource-group eclipseCheResourceGroup \
      --name eclipse-che --node-count 1 --enable-addons monitoring --generate-ssh-keys
  5. Configure kubectl:

    $ az aks get-credentials --name eclipse-che --resource-group eclipseCheResourceGroup
    Merged "eclipse-che" as current context in /Users/benoitf/.kube/config
  6. Check the Kubernetes context:

    $ kubectl config current-context
    eclipse-che
    
    $ kubectl get pods --all-namespaces

    All the pods in the running state are displayed.

Installing Ingress on Kubernetes

Procedure

Eclipse Che uses Ingress.

Procedure

To install Ingress-nginx:

  1. Install the default configuration:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
  2. Install the configuration for cloud:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

    The following output confirms that the Ingress controller is running:

    $ kubectl get pods --namespace ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

    Wait for the container to run.

  3. Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

    $ kubectl get services  --namespace ingress-nginx
    NAME           TYPE          CLUSTER-IP   EXTERNAL-IP    PORT(S)                     AGE
    ingress-nginx  LoadBalancer  10.0.97.244  40.89.129.194  80:31107/TCP,443:30629/TCP  8m59s
  4. Get the external IP of Ingress-nginx.

    $ kubectl get services --namespace ingress-nginx \
      -o jsonpath='{.items[].status.loadBalancer.ingress[0].ip}'
    40.89.129.194

Configuring DNS on Azure

Procedure

To configure DNS on Azure:

  1. In the Azure web console, navigate to HomeDNS zones.

    dns zone in microsoft azure
  2. Create a new zone.

    1. In the Resource group drop-down list, click eclipseCheResourceGroup.

      selecting the resource group
    2. In the Instance details section, in the Name field, type the name of the domain (azr.my-ide.cloud, in this case).

    3. Click the Review + create button.

      entering the name fo the domain
  3. Click the Create button.

    completing the creation of the zone

    The created zone and the list of name servers (NS) are displayed in the DNS Zones section.

    list of created zones and NS

    These servers must be configured with the registrar of the domain.

  4. Navigate to the Azure DNS zone, and click the + Record set button (record set button).

  5. To add a record set:

    1. In the Name field, type *.

    2. In the IP Address field, select the external IP of Ingress-nginx controller that the user had obtained in the [installing-ingress-on-azure] section (40.89.129.194, in this case).

      adding a record set

      The following is an example of an added DNS zone:

      example of an added dns zone

Enabling the TLS and DNS challenge on Azure

To use Azure DNS and TLS, permissions must be granted to have cert-manager managing the DNS challenge for the Let’s Encrypt service.

Procedure
  1. Set the variable for the domain:

    AZURE_CERT_MANAGER_DNS_NAME=azr.my-ide.cloud
  2. Generate the secrets:

    AZURE_CERT_MANAGER_SP_APP_ID=$(az ad sp create-for-rbac --name cert-manager-eclipse-che --query "appId" --output tsv)
    AZURE_CERT_MANAGER_SP_PASSWORD=$(az ad sp create-for-rbac --name cert-manager-eclipse-che --query "password" --output tsv)
  3. Lower the permissions of the service principal (SP):

    $ az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor
  4. Give access to the DNS zone:

    DNS_ID=$(az network dns zone show --name $AZURE_CERT_MANAGER_DNS_NAME --resource-group eclipseCheResourceGroup --query "id" --output tsv)
    
    $ az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID \
      --role "DNS Zone Contributor" --scope $DNS_ID
  5. Check the permissions:

    $ az role assignment list --assignee $AZURE_CERT_MANAGER_SP_APP_ID
  6. Get the Service Principal App ID and password for the configuration:

    $ echo ID=$AZURE_CERT_MANAGER_SP_APP_ID
    $ echo PASSWORD=$AZURE_CERT_MANAGER_SP_PASSWORD

reating a Service Account Secret on Azure

The secret must be in the cert-manager namespace. Otherwise the secret cannot be found, and cert-manager reports errors.

Procedure

To create the secret, run the following command:

$ kubectl create secret generic azuredns-config \
  --from-literal=CLIENT_SECRET=$AZURE_CERT_MANAGER_SP_PASSWORD -n cert-manager

Installing cert-manager on Azure

Procedure
  1. To install the cert-manager on Azure, start by creating the cert-manager namespace:

    $ kubectl create namespace cert-manager
    namespace/cert-manager created
    
    $ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
  2. Set validate=false. Without it, cert-manager only works with the latest Kubernetes version:

    $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.8.1/cert-manager.yaml --validate=false
  3. Create the che namespace if it does not already exist:

    $ kubectl create namespace che
    namespace/che created
  4. Create the certificate issuer. Enter your email address in the email field:

    cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
      name: che-certificate-issuer
    spec:
      acme:
        dns01:
          providers:
          - azuredns:
              # Service principal clientId (It's the value printed in the previous lines: echo ID=$AZURE_CERT_MANAGER_SP_APP_ID )
              clientID: <AZURE_CERT_MANAGER_SP_APP_ID>
              # A secretKeyRef to a service principal ClientSecret (password)
              # ref: https://docs.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-service-principal
              clientSecretSecretRef:
                name: azuredns-config
                key: CLIENT_SECRET
              # Azure subscription Id that can be obtained with command:
              # $ az account show  | jq -r '.id'
              subscriptionID: <SUBSCRIPTION_ID>
              # Azure AD tenant Id that can be obtained with command:
              # $ az account show  | jq -r '.tenantId'
              tenantID: <TENANT_ID>
              resourceGroupName: eclipseCheResourceGroup
              # The DNS Zone to use
              hostedZoneName: azr.my-ide.cloud
            name: azuredns
        email: florent@example.com
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  5. Create the certificate. Edit the domain name:

    cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
     name: che-tls
     namespace: che
    spec:
     secretName: che-tls
     issuerRef:
       name: che-certificate-issuer
       kind: ClusterIssuer
     dnsNames:
       - '*.azr.my-ide.cloud'
     acme:
       config:
         - dns01:
             provider: azuredns
           domains:
             - '*.azr.my-ide.cloud'
    EOF
  6. Check that the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is added to the DNS zone for Let’s Encrypt.

    new dns challenge added

    The cert-manager logs should contain information about the DNS challenge.

  7. Obtain the logs using the following command (here, cert-manager-8d478bb45-2924h is the name of the cert-manager pod):

    $  kubectl logs -f -n cert-manager cert-manager-8d478bb45-2924h
  8. Ensure that the certificate is ready:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
      Conditions:
        Last Transition Time:  2019-07-29T13:50:35Z
        Message:               Certificate issuance in progress. Temporary certificate issued.
        Reason:                TemporaryCertificate
        Status:                False
        Type:                  Ready
    
    Events:
      Type    Reason              Age   From          Message
      ----    ------              ----  ----          -------
      Normal  Generated           47s   cert-manager  Generated new private key
      Normal  GenerateSelfSigned  47s   cert-manager  Generated temporary self signed certificate
      Normal  OrderCreated        47s   cert-manager  Created Order resource "che-tls-3529929423”
  9. Wait for the status to show OK and ensure that the log contains the following:

    $ kubectl describe certificate/che-tls -n che
    Name:         che-tls
    Namespace:    che
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"che-tls","namespace":"che"},"spec":{...
    API Version:  certmanager.k8s.io/v1alpha1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2019-07-30T08:22:13Z
      Generation:          1
      Resource Version:    76822
      Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/che/certificates/che-tls
      UID:                 225a1cfb-b2a3-11e9-9e1c-76b96a78248b
    Spec:
      Acme:
        Config:
          dns01:
            Provider:  azuredns
          Domains:
            *.azr.my-ide.cloud
      Dns Names:
        *.azr.my-ide.cloud
      Issuer Ref:
        Kind:       ClusterIssuer
        Name:       che-certificate-issuer
      Secret Name:  che-tls
    Status:
      Conditions:
        Last Transition Time:  2019-07-30T08:23:21Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2019-10-28T07:23:19Z
    Events:
      Type    Reason         Age   From          Message
      ----    ------         ----  ----          -------
      Normal  OrderCreated   102s  cert-manager  Created Order resource "che-tls-3633081213"
      Normal  OrderComplete  34s   cert-manager  Order "che-tls-3633081213" completed successfully
      Normal  CertIssued     34s   cert-manager  Certificate issued successfully

Installing Che on Azure using the chectl command

Procedure

To install Che, run the following chectl command:

$ chectl server:start --installer=helm --platform=k8s --tls \
  --domain=azr.my-ide.cloud --multiuser
  ✔ ✈️  Kubernetes preflight checklist
    ✔ Verify if kubectl is installed
    ✔ Verify remote kubernetes status...done.
    ✔ Verify domain is set...set to azr.my-ide.cloud.
  ✔ 🏃‍  Running Helm to install Che
    ✔ Verify if helm is installed
    ✔ Check for TLS secret prerequisites...che-tls secret found.
    ✔ Create Tiller Role Binding...done.
    ✔ Create Tiller Service Account...done.
    ✔ Create Tiller RBAC
    ✔ Create Tiller Service...done.
    ✔ Preparing Che Helm Chart...done.
    ✔ Updating Helm Chart dependencies...done.
    ✔ Deploying Che Helm Chart...done.
  ✔ ✅  Post installation checklist
    ✔ PostgreSQL pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Keycloak pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Che pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Retrieving Che Server URL...https://che-che.azr.my-ide.cloud
    ✔ Che status check
Command server:start has completed successfully.

Keycloak and Che now have valid wildcard certificates.

wildcard certificates for keycloak che
che user dashboard
Figure 4. Che user dashboard
Tags: