Creating a Google Kubernetes Engine instance

This section describes how to create a Google Kubernetes Engine instance.

Prerequisites
  • The Google Cloud SDK is installed. See Installing Google Cloud SDK.

    To install the SDK on macOS, use the $ brew cask install google-cloud-sdk command.

Procedure
  1. Create a Kubernetes, version 1.9 or higher, cluster. For details, see Creating a cluster.

  2. Create a new project with the eclipse-che-1 ID in the Google Cloud Platform (GCP) web console.

  3. Configure the different default options (such as using the europe-wes1-b zone) in the shell:

    $ gcloud config set project eclipse-che-1
    $ gcloud config set compute/zone europe-west1-b
    $ gcloud config set compute/region europe-west1
  4. Check if all the components are up-to-date:

    $ gcloud components update
    All components are up to date.
  5. Create a cluster with the name eclipse-che:

    $ gcloud container clusters create eclipse-che --zone europe-west1-b
  6. Wait for the cluster to be ready.

  7. The Kubernetes context is defined automatically. To verify it:

    $ kubectl config current-context
    gke_eclipse-che-1_europe-west1-b_eclipse-che

Preparing Google Cloud Platform for installing Che

Creating a Google Kubernetes Engine instance

This section describes how to create a Google Kubernetes Engine instance.

Prerequisites
  • The Google Cloud SDK is installed. See Installing Google Cloud SDK.

    To install the SDK on macOS, use the $ brew cask install google-cloud-sdk command.

Procedure
  1. Create a Kubernetes, version 1.9 or higher, cluster. For details, see Creating a cluster.

  2. Create a new project with the eclipse-che-1 ID in the Google Cloud Platform (GCP) web console.

  3. Configure the different default options (such as using the europe-wes1-b zone) in the shell:

    $ gcloud config set project eclipse-che-1
    $ gcloud config set compute/zone europe-west1-b
    $ gcloud config set compute/region europe-west1
  4. Check if all the components are up-to-date:

    $ gcloud components update
    All components are up to date.
  5. Create a cluster with the name eclipse-che:

    $ gcloud container clusters create eclipse-che --zone europe-west1-b
  6. Wait for the cluster to be ready.

  7. The Kubernetes context is defined automatically. To verify it:

    $ kubectl config current-context
    gke_eclipse-che-1_europe-west1-b_eclipse-che

Installing Ingress on Kubernetes

Eclipse Che uses Ingress.

Procedure

To install Ingress-nginx:

  1. Install the default configuration:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
  2. Install the configuration for cloud:

    $ kubectl apply \
      -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

    The following output confirms that the Ingress controller is running:

    $ kubectl get pods --namespace ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

    Wait for the container to run.

  3. Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

    $ kubectl get services  --namespace ingress-nginx
    NAME           TYPE          CLUSTER-IP   EXTERNAL-IP    PORT(S)                     AGE
    ingress-nginx  LoadBalancer  10.0.97.244  40.89.129.194  80:31107/TCP,443:30629/TCP  8m59s
  4. Get the external IP of Ingress-nginx.

    $ kubectl get services --namespace ingress-nginx \
      -o jsonpath='{.items[].status.loadBalancer.ingress[0].ip}'
    40.89.129.194

Installing DNS on Google Cloud Platform

Procedure
  1. Using the Cloud DNS, create a zone called eclipse-che and, for example, a DNS name gcp.my-ide.cloud. Click the Create button.

    creating dns zone on gcp

    The Cloud DNS zone is created.

    cloud dns zone on gcp
  2. Click the Registrar Setup link in the top-right corner of the window. The name servers (NS) to be added to the registrar are displayed.

    registrar setup gcp
  3. Update the DNS zone (example: ovh domain).

  4. Add the *.gcp.my-ide.cloud entry to the external Ingress IP on the cloud DNS.

    dns settings gcp

Enabling the TLS and DNS challenge on Google Cloud Platform

Procedure

To use the Cloud DNS and TLS, service accounts must be enabled, and cert-manager must manage the DNS challenge for the Let’s Encrypt service.

  1. Create a service account with the given name:

    $ gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"
  2. Add the policy binding to the IAM policy of the eclipse-che-1 project (replace the eclipse-che-1 project name with the name of your project):

    $ gcloud projects add-iam-policy-binding eclipse-che-1 \
      --member serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com \
      --role roles/dns.admin

    The following is the output of this command:

    Updated IAM policy for project [eclipse-che-1].
    
    bindings:
    - members:
     - serviceAccount:service-779451692063@compute-system.iam.gserviceaccount.com
     role: roles/compute.serviceAgent
    - members:
     - serviceAccount:service-779451692063@container-engine-robot.iam.gserviceaccount.com
     role: roles/container.serviceAgent
    - members:
     - serviceAccount:dns01-solver@eclipse-che-1.iam.gserviceaccount.com
     role: roles/dns.admin
    - members:
     - serviceAccount:779451692063-compute@developer.gserviceaccount.com
     - serviceAccount:779451692063@cloudservices.gserviceaccount.com
     - serviceAccount:service-779451692063@containerregistry.iam.gserviceaccount.com
     role: roles/editor
    - members:
     - user:<email-address>
     role: roles/owner
    etag: <some-tag>
    version: 1

Creating a Service Account Secret on Google Cloud Platform

Procedure

To access the service account, cert-manager uses a key stored in a Kubernetes Secret.

  1. Create a key for the service account and download it as a JSON file:

    $ gcloud iam service-accounts keys create key.json \
      --iam-account mailto:dns01-solver@eclipse-che-1.iam.gserviceaccount.com[_dns01-solver@eclipse-che-1.iam.gserviceaccount.com_]

    The following is the output of the preceding command:

    created key [05e94ca2e7754b94a63049605ee8d2813d16ff37] of type [json] as [key.json] for [dns01-solver@eclipse-che-1.iam.gserviceaccount.com]

    The key file is generated:

    $ ls -la key.json
    -rw------- 1 joe staff 2318 Jul 29 12:13 key.json
    Keep the key file safe, and do not share it with anyone because it can be used to gain access to your cloud resources. The key file can be deleted after it has been used to generate the Secret.
  2. Create a Secret from this file.

    $ kubectl create secret generic clouddns-dns01-solver-svc-acct --from-file=key.json --namespace=cert-manager

Installing cert-manager on Kubernetes

Procedure
  1. To install cert-manager:

    $ kubectl create namespace cert-manager
    namespace/cert-manager created
    
    $ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
    
    $ kubectl apply \
      -f https://github.com/jetstack/cert-manager/releases/download/v0.8.1/cert-manager.yaml --validate=false
  2. Create the che namespace if it does not exist already:

    $ kubectl create namespace che
    namespace/che created
  3. Create the certificate issuer. Replace your email address in the email field:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
      name: che-certificate-issuer
    spec:
      acme:
        dns01:
          providers:
          - clouddns:
              project: eclipse-che-1
              serviceAccountSecretRef:
                key: key.json
                name: clouddns-dns01-solver-svc-acct
            name: clouddns
        email: joe@example.com
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  4. Create the certificate. Edit the domain name:

    $ cat <<EOF | kubectl apply -f -
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
     name: che-tls
     namespace: che
    spec:
     secretName: che-tls
     issuerRef:
       name: che-certificate-issuer
       kind: ClusterIssuer
     dnsNames:
       - '*.gcp.my-ide.cloud'
     acme:
       config:
         - dns01:
             provider: clouddns
           domains:
             - '*.gcp.my-ide.cloud'
    EOF
  5. Check that the issuerRef name is the same as the ClusterIssuer. A new DNS challenge is added to the DNS zone for Let’s Encrypt.

    dns challenge gcp
  6. The cert-manager logs should contain information about the DNS challenge. To get the logs (here, cert-manager-8d478bb45-2924h is the name of the cert-manager pod):

    $ kubectl logs -f -n cert-manager cert-manager-8d478bb45-2924h
    
    I0729 13:50:39.414729 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]
    
    E0729 13:50:39.422521 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="che" "type"="dns-01"
    
    I0729 13:50:39.422598 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"
    
    I0729 13:50:49.406767 1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="che/che-tls-3529929423-0"
    
    I0729 13:50:49.409802 1 dns.go:112] Checking DNS propagation for "gcp.my-ide.cloud" using name servers: [10.112.0.10:53]
    
    E0729 13:50:49.420131 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"gcp.my-ide.cloud\" not yet propagated" "dnsName"="gcp.my-ide.cloud" "resource_kind"="Challenge" "resource_name"="che-tls-3529929423-0" "resource_namespace"="che" "type"="dns-01"
    
    I0729 13:50:49.420198 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="che/che-tls-3529929423-0"
  7. Ensure that the certificate is ready:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
     Conditions:
     Last Transition Time: 2019-07-29T13:50:35Z
     Message: Certificate issuance in progress. Temporary certificate issued.
     Reason: TemporaryCertificate
     Status: False
     Type: Ready
    Events:
     Type Reason Age From Message
     ---- ------ ---- ---- -------
     Normal Generated 47s cert-manager Generated new private key
     Normal GenerateSelfSigned 47s cert-manager Generated temporary self signed certificate
     Normal OrderCreated 47s cert-manager Created Order resource "che-tls-3529929423"

    Wait for the Status to become OK, and ensure that the log contains the following entry:

    I0729 13:56:26.140886 1 conditions.go:143] Found status change for Certificate "che-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-07-29 13:56:26.140866531 +0000 UTC m=+4557.134131468
  8. Ensure that the status is up-to-date:

    $ kubectl describe certificate/che-tls -n che
    
    Status:
     Conditions:
     Last Transition Time: 2019-07-29T13:56:26Z
     Message: Certificate is up to date and has not expired
     Reason: Ready
     Status: True
     Type: Ready
     Not After: 2019-10-27T12:56:24Z

Installing Che on Google Cloud Platform using chectl

Prerequisites
Procedure

To install Che on Google Cloud Platform, run the following chectl command:

+

$ chectl server:start --installer=helm --platform=k8s --tls --domain=gcp.my-ide.cloud --multiuser
 ✔ ✈️ Kubernetes preflight checklist
 ✔ Verify if kubectl is installed
 ✔ Verify remote kubernetes status...done.
 ✔ Verify domain is set...set to gcp.my-ide.cloud.
 ✔ 🏃‍ Running Helm to install Che
 ✔ Verify if helm is installed
 ✔ Check for TLS secret prerequisites...che-tls secret found.
 ✔ Create Tiller Role Binding...it already exist.
 ✔ Create Tiller Service Account...it already exist.
 ✔ Create Tiller RBAC
 ✔ Create Tiller Service...it already exist.
 ✔ Preparing Che Helm Chart...done.
 ✔ Updating Helm Chart dependencies...done.
 ✔ Deploying Che Helm Chart...done.
 ✔ ✅ Post installation checklist
 ✔ PostgreSQL pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Keycloak pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Che pod bootstrap
 ✔ scheduling...done.
 ✔ downloading images...done.
 ✔ starting...done.
 ✔ Retrieving Che Server URL...https://che-che.gcp.my-ide.cloud
 ✔ Che status check
Command server:start has completed successfully.
keycloak and che with valid wildcard certs
Figure 1. Keycloak and Che with valid wildcard certificates
che user dashboard gcp
Figure 2. Che user dashboard
Tags: