Installing Che on Microsoft Azure

Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

This section provides information about installing, enabling, and basic use of Che on Microsoft Azure.

Preparing Azure for installing Che

Procedure

To set up the Azure environment for Che:

  1. Install the Azure command-line tool. For details, see Install the Azure CLI.

    For example, on macOS:

    $ brew update && brew install azure-cli
  2. Log in to Azure:

    $ az login
  3. Create an Azure group (to list the locations, use the az account list-locations command):

    $ az group create --name eclipseCheResourceGroup --location francecentral
    {
      "id": "/subscriptions/ab0f7986-a280-481c-a47d-98fa45ff94ca/resourceGroups/eclipseCheResourceGroup",
      "location": "francecentral",
      "managedBy": null,
      "name": "eclipseCheResourceGroup",
      "properties": {
        "provisioningState": "Succeeded"
      },
      "tags": null,
      "type": null
    }
  4. Create the cluster:

    $ az aks create --resource-group eclipseCheResourceGroup \
      --name eclipse-che --node-count 1 --enable-addons monitoring --generate-ssh-keys
  5. Configure kubectl:

    $ az aks get-credentials --name eclipse-che --resource-group eclipseCheResourceGroup
    Merged "eclipse-che" as current context in /Users/benoitf/.kube/config
  6. Check the Kubernetes context:

    $ kubectl config current-context
    eclipse-che
    
    $ kubectl get pods --all-namespaces

    All the Pods in the running state are displayed.

Installing Ingress on Kubernetes

Eclipse Che uses Ingress.

Procedure

To install Ingress-nginx:

  1. Install the cloud configuration:

    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml

    The following output confirms that the Ingress controller is running:

    $ kubectl get pods --namespace ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

    Wait for the container to run.

  2. Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

    $ kubectl get services  --namespace ingress-nginx
    NAME           TYPE          CLUSTER-IP   EXTERNAL-IP    PORT(S)                     AGE
    ingress-nginx  LoadBalancer  10.0.97.244  40.89.129.194  80:31107/TCP,443:30629/TCP  8m59s
  3. Get the external IP of Ingress-nginx.

    $ kubectl get services --namespace ingress-nginx \
      -o jsonpath='{.items[].status.loadBalancer.ingress[0].ip}'
    40.89.129.194

Configuring DNS on Azure

Procedure

To configure DNS on Azure:

  1. In the Azure web console, navigate to HomeDNS zones.

    dns zone in microsoft azure
  2. Create a new zone.

    1. In the Resource group drop-down list, click eclipseCheResourceGroup.

      selecting the resource group
    2. In the Instance details section, in the Name field, type the name of the domain (azr.my-ide.cloud, in this case).

    3. Click the Review + create button.

      entering the name fo the domain
  3. Click the Create button.

    completing the creation of the zone

    The created zone and the list of name servers (NS) are displayed in the DNS Zones section.

    list of created zones and NS

    These servers must be configured with the registrar of the domain.

  4. Navigate to the Azure DNS zone, and click the + Record set button (record set button).

  5. To add a record set:

    1. In the Name field, type *.

    2. In the IP Address field, select the external IP of Ingress-nginx controller that the user had obtained in the Installing Ingress on Kubernetes section (40.89.129.194, in this case).

      adding a record set

      The following is an example of an added DNS zone:

      example of an added dns zone

Enabling the TLS and DNS challenge on Azure

To use Azure DNS and TLS, permissions must be granted to have cert-manager managing the DNS challenge for the Let’s Encrypt service.

Procedure
  1. Set the variable for the domain:

    AZURE_CERT_MANAGER_DNS_NAME=azr.my-ide.cloud
  2. Generate the secrets:

    AZURE_CERT_MANAGER_SP_APP_ID=$(az ad sp create-for-rbac --name cert-manager-eclipse-che --query "appId" --output tsv)
    AZURE_CERT_MANAGER_SP_PASSWORD=$(az ad sp create-for-rbac --name cert-manager-eclipse-che --query "password" --output tsv)
  3. Lower the permissions of the service principal (SP):

    $ az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor
  4. Give access to the DNS zone:

    DNS_ID=$(az network dns zone show --name $AZURE_CERT_MANAGER_DNS_NAME --resource-group eclipseCheResourceGroup --query "id" --output tsv)
    
    $ az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID \
      --role "DNS Zone Contributor" --scope $DNS_ID
  5. Check the permissions:

    $ az role assignment list --assignee $AZURE_CERT_MANAGER_SP_APP_ID
  6. Get the Service Principal App ID and password for the configuration:

    $ echo ID=$AZURE_CERT_MANAGER_SP_APP_ID
    $ echo PASSWORD=$AZURE_CERT_MANAGER_SP_PASSWORD

Creating a Service Account Secret on Azure

The secret must be in the cert-manager namespace. Otherwise the secret cannot be found, and cert-manager reports errors.

Procedure

To create the secret, run the following command:

$ kubectl create secret generic azuredns-config \
  --from-literal=CLIENT_SECRET=$AZURE_CERT_MANAGER_SP_PASSWORD -n cert-manager

Installing cert-manager on Azure

Procedure
  1. To install the cert-manager on Azure, create the cert-manager namespace:

    $ kubectl create namespace cert-manager
    namespace/cert-manager created
    
    $ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
    $ kubectl apply \
      -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
$ kubectl apply \
 --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
  1. Create the che namespace if it does not already exist:

    $ kubectl create namespace che
    namespace/che created
  2. Create the certificate issuer. Enter your email address in the email field and set clientID, CLIENT_SECRET subscriptionID, tenantID, hostedZoneName fields:

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: che-certificate-issuer
    spec:
      acme:
        solvers:
        - dns01:
            azuredns:
              # Service principal clientId (It's the value printed in the previous lines: echo ID=$AZURE_CERT_MANAGER_SP_APP_ID )
              clientID: <AZURE_CERT_MANAGER_SP_APP_ID>
              # A secretKeyRef to a service principal ClientSecret (password)
              # ref: https://docs.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-service-principal
              clientSecretSecretRef:
                name: azuredns-config
                # CLIENT_SECRET is the value of AZURE_CERT_MANAGER_SP_PASSWORD
                key: <CLIENT_SECRET>
              # Azure subscription Id that can be obtained with command:
              # $ az account show  | jq -r '.id'
              subscriptionID: <SUBSCRIPTION_ID>
              # Azure AD tenant Id that can be obtained with command:
              # $ az account show  | jq -r '.tenantId'
              tenantID: <TENANT_ID>
              resourceGroupName: eclipseCheResourceGroup
              # The DNS Zone to use
              hostedZoneName: azr.my-ide.cloud
        email: florent@example.com
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  3. Create the certificate. Edit the domain name:

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
     name: che-tls
     namespace: {prod-namespace}
    spec:
     secretName: che-tls
     issuerRef:
       name: che-certificate-issuer
       kind: ClusterIssuer
     dnsNames:
       - '*.azr.my-ide.cloud'
    EOF
  4. Check that the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is added to the DNS zone for Let’s Encrypt.

    new dns challenge added

    The cert-manager logs contain information about the DNS challenge.

  5. Obtain the logs using the following command (here, cert-manager-8d478bb45-2924h is the name of the cert-manager Pod):

    $  kubectl logs -f -n cert-manager cert-manager-8d478bb45-2924h
  6. Ensure that the certificate is ready:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
      Conditions:
        Last Transition Time:  2019-07-29T13:50:35Z
        Message:               Certificate issuance in progress. Temporary certificate issued.
        Reason:                TemporaryCertificate
        Status:                False
        Type:                  Ready
    
    Events:
      Type    Reason              Age   From          Message
      ----    ------              ----  ----          -------
      Normal  Generated           47s   cert-manager  Generated new private key
      Normal  GenerateSelfSigned  47s   cert-manager  Generated temporary self signed certificate
      Normal  OrderCreated        47s   cert-manager  Created Order resource "che-tls-3529929423”
  7. Wait for the status to show OK and ensure that the log contains the following:

    $ kubectl describe certificate/che-tls -n {prod-namespace}
    Name:         che-tls
    Namespace:    che
    Labels:       <none>
    Annotations:  API Version:  cert-manager.io/v1alpha3
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-07-29T10:32:49Z
      Generation:          1
      Resource Version:    7961
      Self Link:           /apis/cert-manager.io/v1alpha3/namespaces/che/certificates/che-tls
      UID:                 2034c6d5-bce3-4ce8-8489-df31d02b84e9
    Spec:
      Dns Names:
        *.azr.my-ide.cloud
      Issuer Ref:
        Kind:       ClusterIssuer
        Name:       che-certificate-issuer
      Secret Name:  che-tls
    Status:
      Conditions:
        Last Transition Time:  2020-07-29T10:35:05Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2020-10-27T09:35:02Z
    Events:
      Type    Reason        Age    From          Message
      ----    ------        ----   ----          -------
      Normal  GeneratedKey  5m49s  cert-manager  Generated a new private key
      Normal  Requested     5m49s  cert-manager  Created new CertificateRequest resource "che-tls-2082883576"
      Normal  Issued        3m34s  cert-manager  Certificate issued successfully

Installing Che on Azure using the chectl command

Prerequisites
Procedure
  • To install Che, run the following chectl command:

    $ chectl server:start --installer=helm --platform=k8s \                           --domain=azr.my-ide.cloud --multiuser
    › Current Kubernetes context: 'Eclipse Che'
      ✔ Verify Kubernetes API...OK
      ✔ 👀  Looking for an already existing Eclipse Che instance
        ✔ Verify if Eclipse Che is deployed into namespace "che"...it is not
      ✔ ✈️  Kubernetes preflight checklist
        ✔ Verify if kubectl is installed
        ✔ Verify remote kubernetes status...done.
        ✔ Check Kubernetes version: Found v1.16.10.
        ✔ Verify domain is set...set to azr.my-ide.cloud.
        ↓ Check if cluster accessible [skipped]
    Eclipse Che logs will be available in '/var/folders/tg/_5rxbhmj4xncz4szvpgswrmc0000gn/T/chectl-logs/1596019249675'
      ✔ Start following logs
        ↓ Start following Operator logs [skipped]
        ✔ Start following Eclipse Che logs...done
        ✔ Start following Postgres logs...done
        ✔ Start following Keycloak logs...done
        ✔ Start following Plugin registry logs...done
        ✔ Start following Devfile registry logs...done
      ✔ Start following events
        ✔ Start following namespace events...done
     ›   Warning: Consider using the more reliable 'OLM' installer when deploying a stable release of Eclipse Che (--installer=olm).
      ✔ 🏃‍  Running Helm to install Eclipse Che
        ✔ Verify if helm is installed
        ✔ Check Helm Version: Found v3.1.2+gd878d4d
        ✔ Create Namespace (che)...does already exist.
        ✔ Check Eclipse Che TLS certificate...TLS certificate secret found
        ✔ Check Cluster Role Binding...does not exists.
        ✔ Preparing Eclipse Che Helm Chart...done.
        ✔ Updating Helm Chart dependencies...done.
        ✔ Deploying Eclipse Che Helm Chart...done.
      ✔ ✅  Post installation checklist
        ✔ PostgreSQL pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Devfile registry pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Plugin registry pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Eclipse Che pod bootstrap
          ✔ scheduling...done.
          ✔ downloading images...done.
          ✔ starting...done.
        ✔ Retrieving Eclipse Che server URL... https://che-che.azr.my-ide.cloud
        ✔ Eclipse Che status check
      ✔ Show important messages
        ✔ Autogenerated Keycloak credentials are: "xxx:xxx"
    Command server:start has completed successfully.

Track installation events with:

$ kubectl get events --namespace che --sort-by=.metadata.creationTimestamp

Keycloak and Che now have valid wildcard certificates.

wildcard certificates for keycloak che
che user dashboard
Figure 1. Che user dashboard