Installing Che on Google Cloud Platform

Preparing Google Cloud Platform for installing Che

Google Cloud Platform (GCP) is a suite of cloud computing services that provides infrastructure as a service, platform as a service, and serverless computing environments.

This section provides information about how to configure the GCP environment for installing Eclipse Che.

Creating a Google Kubernetes Engine instance

This section describes how to create a Google Kubernetes Engine instance.

Prerequisites

The Google Cloud SDK is available. See Installing Google Cloud SDK.

To install the SDK on macOS, use the $ brew cask install google-cloud-sdk command.

Procedure

Ensure the gcloud tool is configured:
```
$ gcloud init
```
Create a new project with the eclipse-che-1 ID:
```
$ gcloud projects create eclipse-che-1
```
Check from GCP Web Console that the Kubernetes engine is available on this project.

Configure the different default options (such as using the europe-west1-b zone) in the shell:

$ gcloud config set project eclipse-che-1
$ gcloud config set compute/zone europe-west1-b
$ gcloud config set compute/region europe-west1

Check all the components are up-to-date:

$ gcloud components update
All components are up to date.

Create a cluster with the name eclipse-che:

$ gcloud container clusters create eclipse-che --zone europe-west1-b

Wait for the cluster to be ready.

This commands updates the Kubernetes context. To verify it:

$ kubectl config current-context
gke_eclipse-che-1_europe-west1-b_eclipse-che

Installing Ingress on Kubernetes

Eclipse Che uses Ingress.

Procedure

To install Ingress-nginx:

Install the cloud configuration:

$ kubectl apply \
  -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.41.0/deploy/static/provider/cloud/deploy.yaml

The following output confirms that the Ingress controller is running:

$ kubectl get pods --namespace ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

Wait for the container to run.

Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

$ kubectl get services  --namespace ingress-nginx
NAME           TYPE          CLUSTER-IP   EXTERNAL-IP    PORT(S)                     AGE
ingress-nginx  LoadBalancer  10.0.97.244  40.89.129.194  80:31107/TCP,443:30629/TCP  8m59s

Get the external IP of Ingress-nginx.

$ kubectl get services --namespace ingress-nginx \
  -o jsonpath='{.items[].status.loadBalancer.ingress[0].ip}'
40.89.129.194

Installing DNS on Google Cloud Platform

Procedure

Using the Cloud DNS, create a zone called eclipse-che and, for example, a DNS name gcp.my-ide.cloud. Click the Create button.

The Cloud DNS zone is created.
Click the Registrar Setup link in the upper right corner of the window. The name servers (NS) to be added to the registrar are displayed.
Update the DNS zone (example: ovh domain).
Add the *.gcp.my-ide.cloud entry to the external Ingress IP on the cloud DNS.

Enabling the TLS and DNS challenge on Google Cloud Platform

Procedure

To use the Cloud DNS and TLS, service accounts must be enabled, and cert-manager must manage the DNS challenge for the Let’s Encrypt service.

Create a service account with the given name:

$ gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"

Add the policy binding to the IAM policy of the eclipse-che-1 project (replace the eclipse-che-1 project name with the name of your project):

$ gcloud projects add-iam-policy-binding eclipse-che-1 \
  --member serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com \
  --role roles/dns.admin

The following is the output of this command:

Updated IAM policy for project [eclipse-che-1].

bindings:
- members:
 - serviceAccount:service-779451692063@compute-system.iam.gserviceaccount.com
 role: roles/compute.serviceAgent
- members:
 - serviceAccount:service-779451692063@container-engine-robot.iam.gserviceaccount.com
 role: roles/container.serviceAgent
- members:
 - serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com
 role: roles/dns.admin
- members:
 - serviceAccount:779451692063-compute@developer.gserviceaccount.com
 - serviceAccount:779451692063@cloudservices.gserviceaccount.com
 - serviceAccount:service-779451692063@containerregistry.iam.gserviceaccount.com
 role: roles/editor
- members:
 - user:<email-address>
 role: roles/owner
etag: <some-tag>
version: 1

Creating a Service Account Secret on Google Cloud Platform

Procedure

To access the service account, cert-manager uses a key stored in a Kubernetes Secret.

Create a key for the service account and download it as a JSON file:

$ gcloud iam service-accounts keys create key.json \
    --iam-account dns01-solver@eclipse-che-1.iam.gserviceaccount.com

The following is the output of the preceding command:

created key [05e94ca2e7754b94a63049605ee8d2813d16ff37] of type [json] as [key.json] for [dns01-solver@eclipse-che-1.iam.gserviceaccount.com]

The key file is generated:

$ ls -la key.json
-rw------- 1 joe staff 2318 Jul 29 12:13 key.json

Keep the key file safe, and do not share it with anyone because it can be used to gain access to your cloud resources. The key file can be deleted after it has been used to generate the Secret.

Create cert-manager namespace
```
$  kubectl create ns cert-manager
```

Create a Secret from this file.

$ kubectl create secret generic clouddns-dns01-solver-svc-acct --from-file=key.json --namespace=cert-manager

Installing cert-manager on Kubernetes

Procedure

To install cert-manager:

$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

$ kubectl apply \
  -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml \
  --validate=false

Create the che namespace if it does not exist already:

$ kubectl create namespace eclipse-che
namespace/eclipse-che created

Create the certificate issuer. Replace your email address in the email field:

$ cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: che-certificate-issuer
spec:
  acme:
    solvers:
    - dns01:
        clouddns:
          project: eclipse-che-1
          serviceAccountSecretRef:
            key: key.json
            name: clouddns-dns01-solver-svc-acct
    email: joe@example.com
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
EOF

Create the certificate. Edit the domain name:

$ cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
 name: che-tls
 namespace: eclipse-che
spec:
 secretName: che-tls
 issuerRef:
   name: che-certificate-issuer
   kind: ClusterIssuer
 dnsNames:
   - '*.gcp.my-ide.cloud'
EOF

Check that the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is added to the DNS zone for Let’s Encrypt.

The cert-manager logs contain information about the DNS challenge. To get the logs (here, cert-manager-8d478bb45-2924h is the name of the cert-manager Pod):

$ kubectl logs -f -n cert-manager cert-manager-8d478bb45-2924h

I0729 13:50:39.414729 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]

E0729 13:50:39.422521 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="che" "type"="dns-01"

I0729 13:50:39.422598 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"

I0729 13:50:49.406767 1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="che/che-tls-3529929423-0"

I0729 13:50:49.409802 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]

E0729 13:50:49.420131 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="<eclipse-che>" "type"="dns-01"

I0729 13:50:49.420198 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"

Ensure that the certificate is ready:

$ kubectl describe certificate/che-tls -n eclipse-che

Status:
 Conditions:
 Last Transition Time: 2019-07-29T13:50:35Z
 Message: Certificate issuance in progress. Temporary certificate issued.
 Reason: TemporaryCertificate
 Status: False
 Type: Ready
Events:
 Type Reason Age From Message
 ---- ------ ---- ---- -------
 Normal Generated 47s cert-manager Generated new private key
 Normal GenerateSelfSigned 47s cert-manager Generated temporary self signed certificate
 Normal OrderCreated 47s cert-manager Created Order resource "che-tls-3529929423"

Wait for the Status to become OK, and ensure that the log contains the following entry:

I0729 13:56:26.140886 1 conditions.go:143] Found status change for Certificate "che-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-07-29 13:56:26.140866531 +0000 UTC m=+4557.134131468

Ensure that the status is up-to-date:

$ kubectl describe certificate/che-tls -n <eclipse-che>

Status:
 Conditions:
 Last Transition Time: 2019-07-29T13:56:26Z
 Message: Certificate is up to date and has not expired
 Reason: Ready
 Status: True
 Type: Ready
 Not After: 2019-10-27T12:56:24Z

Installing Che on Kubernetes using chectl

Kubernetes is an open-source system for automating deployment, scaling, and managing containerized applications. The following section describes the process of deploying Che on Kubernetes by using the chectl tool.

Prerequisites

The chectl management tool is available. See Using the chectl management tool.

Procedure

Install Che on Kubernetes:

$ chectl server:deploy --platform=k8s --domain=gcp.my-ide.cloud
› Current Kubernetes context: 'current-context'
  ✔ Verify Kubernetes API...OK
  ✔ 👀  Looking for an already existing Eclipse Che instance
    ✔ Verify if Eclipse Che is deployed into namespace "eclipse-che"...it is not
  ✔ ✈️  Kubernetes preflight checklist
    ✔ Verify if kubectl is installed
    ✔ Verify remote kubernetes status...done.
    ✔ Check Kubernetes version: Found v1.22.2.
    ✔ Verify domain is set...set to gcp.my-ide.cloud.
    ↓ Check if cluster accessible [skipped]
  ✔ Following Eclipse Che logs
    ✔ Start following Operator logs...done
    ✔ Start following Eclipse Che Server logs...done
    ✔ Start following PostgreSQL logs...done
    ✔ Start following Keycloak logs...done
    ✔ Start following Plug-in Registry logs...done
    ✔ Start following Devfile Registry logs...done
    ✔ Start following Eclipse Che Dashboard logs...done
    ✔ Start following namespace events...done
 ›   Warning: Consider using the more reliable 'OLM' installer when deploying a stable release of Eclipse Che (--installer=olm).
  ✔ Create Namespace eclipse-che...[Exists]
  ✔ 🏃‍  Running the Eclipse Che operator
    ✔ Create ServiceAccount che-operator in namespace eclipse-che...done.
    ✔ Read Roles and Bindings...done.
    ✔ Creating Roles and Bindings...done.
    ✔ Create CRD checlusters.org.eclipse.che...done.
    ✔ Create backup and restore CRDs...done.
    ✔ Waiting 5 seconds for the new Kubernetes resources to get flushed...done.
    ✔ Create deployment che-operator in namespace eclipse-che...done.
    ✔ Operator pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Prepare Eclipse Che cluster CR...Done.
    ✔ Create the Custom Resource of type checlusters.org.eclipse.che in the namespace eclipse-che...done.
  ✔ ✅  Post installation checklist
    ✔ PostgreSQL pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Keycloak pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Devfile Registry pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Plug-in Registry pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Eclipse Che Dashboard pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Eclipse Che Server pod bootstrap
      ✔ Scheduling...done
      ✔ Downloading images...done
      ✔ Starting...done
    ✔ Eclipse Che status check...done
  ✔ Retrieving Che self-signed CA certificate...OK
  ✔ Prepare post installation output...done
  ✔ Show important messages
    ✔ Eclipse Che 7.42 has been successfully deployed.
    ✔ Documentation             : https://www.eclipse.org/che/docs
    ✔ -------------------------------------------------------------------------------
    ✔ Users Dashboard           : https://eclipse-che-eclipse-che.gcp.my-ide.cloud
    ✔ Admin user login          : "XXX:XXX". NOTE: must change after first login.
    ✔ -------------------------------------------------------------------------------
    ✔ Plug-in Registry          : https://plugin-registry-eclipse-che.gcp.my-ide.cloud/v3
    ✔ Devfile Registry          : https://devfile-registry-eclipse-che.gcp.my-ide.cloud
    ✔ -------------------------------------------------------------------------------
    ✔ Identity Provider URL     : https://keycloak-eclipse-che.gcp.my-ide.cloud/auth
    ✔ Identity Provider login   : "XXX:XXX".
    ✔ -------------------------------------------------------------------------------
    ✔ [ACTION REQUIRED] Please add Che self-signed CA certificate into your browser: /tmp/cheCA.crt.
   Documentation how to add a CA certificate into a browser: https://www.eclipse.org/che/docs/che-7/end-user-guide/importing-certificates-to-browsers/
Command server:deploy has completed successfully in 04:25.

Verification steps

Investigate the Che logs:

$ chectl server:logs --namespace eclipse-che

Verify that the certificate settings are correct.
1. Open Eclipse Che server URL from the output of the previous command.
2. Click on the lock icon in the address bar.
3. Verify that the pop-up window displays the Connection is secure message.

Additional resources

Navigating Che using the Dashboard.

Configuring Che on Google Cloud Platform

The following section describes configuration guidelines after a Eclipse Che installation on Google Cloud Platform.

Configuring CheCluster Custom Resource with kubectl

Edit the CheCluster custom resource configuration with kubectl:

kubectl edit CheCluster/eclipse-che -n eclipse-che

For more details on configuring CheCluster custom resource, see Configuring the Che installation

Sizing Google Cloud node pools for your Eclipse Che workspaces

The default node pool is using machine types n1-standard-1. You may need to use different kind of machine to run your workspaces. See https://cloud.google.com/compute/docs/machine-types?hl=en#n1_standard_machine_types

With Google Cloud Platform, you cannot change the machine type configuration of an existing node pool.

One solution is to create a new node pool and delete the existing one afterwards. Google Kubernetes Engine would then transfer the workloads to the new node pool automatically.

Another solution is to have two node pools with one dedicated to the workspaces by configuring Eclipse Che with a NodeSelector. See Configuring workspaces nodeSelector.

Google Cloud Platform new node pool select machine type

Preferably choose machine types according the workspaces CPU and memory requirements.