
@medined
Created February 18, 2019 13:47
Attempt to Install Multi-User Eclipse Che On OpenShift

Eclipse Che

Introduction

I am working to install multi-user Eclipse Che on a three-node OKD cluster on AWS. There is one master and two worker nodes on a common security group. Each runs CentOS. Single-user Che installed flawlessly.

$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ec2-18-219-52-56.us-east-2.compute.amazonaws.com:8443
openshift v3.11.0+d0c29df-98
kubernetes v1.11.0+d4cacc0

The Problem

After following the steps below, the pods can't curl from the master because of an insecure connection caused by the self-signed certificate. The pod is a custom image with the ca.crt from the Che router baked into it.

I think I made the custom image incorrectly, but I don't know which part of the installation process is incorrect.

Prerequisite

Create an account on the Docker Hub to hold a custom image.

Installation

The admin user has the ability to use --as system:admin.

  • Define some useful information.
export OKD_WEB="https://ec2-WW-XX-YY-ZZ.us-east-2.compute.amazonaws.com:8443"
export OKD_USER="admin"
export OKD_PASS="XXf7XX3a2dXX"
# Use $HOME here: a tilde inside double quotes is not expanded by the shell.
export PRJ_ROOT="$HOME/projects"
export IMG_ROOT="$HOME/projects/images"
export OKD_BASE="WW.XX.YY.ZZ.xip.io"
export KYK_BASE="keycloak-eclipse-che.$OKD_BASE"
  • Log into OpenShift.
oc login $OKD_WEB \
  --insecure-skip-tls-verify=true \
  --username $OKD_USER \
  --password $OKD_PASS
  • Download Eclipse Che.
cd $PRJ_ROOT
git clone https://github.com/eclipse/che.git
export CHE_PROJECT="$(pwd)/che"
  • Update ocp.sh to use v3.11.0.
sed -i 's^download/v3.9.0/^download/v3.11.0/^' ./che/deploy/openshift/ocp.sh
sed -i 's^v3.9.0-191fece^v3.11.0-0cbc58b^' ./che/deploy/openshift/ocp.sh
  • Make deploy_che.sh executable. Then execute it.
chmod +x ./che/deploy/openshift/deploy_che.sh
./che/deploy/openshift/deploy_che.sh --multiuser --secure
  • The che deployment will fail.

  • Visit Keycloak at https://$KYK_BASE.

  • Click on the 'Not Secure' message in your browser.

  • Click on 'Certificate (invalid)'.

  • Click the 'Details' tab.

  • Click the 'Export...' button.

  • Save the certificate with a name like the following.

export CHE_CRT=$PRJ_ROOT/che-keycloak-ca.crt
  • Change permissions to 600.
chmod 600 $CHE_CRT
  • Create an OpenShift secret.
oc new-app \
  -f $CHE_PROJECT/deploy/openshift/templates/multi/openshift-certificate-secret.yaml \
  -p CERTIFICATE="$(cat $CHE_CRT)"
  • Update che deployment. This will cause a new deployment.
oc set env dc/che WS_PROTOCOL=wss TLS=true
  • Recreate the che route.
oc apply -f ./che/deploy/openshift/templates/https

Create Custom Image With Self-signed Certificate

  • Setup files.
cd $IMG_ROOT
cp $PRJ_ROOT/che-keycloak-ca.crt ./ca.crt
cat > Dockerfile <<EOF
FROM eclipse/ubuntu_jdk8
ADD ca.crt /usr/local/share/ca-certificates/ca.crt
RUN sudo update-ca-certificates
EOF
  • Build the image.
docker build -t medined/ubuntu_jdk8:latest .
  • Push the image to Docker Hub.
docker push medined/ubuntu_jdk8:latest
  • Visit the Che route. Che takes several minutes to start.
https://che-eclipse-che.18.219.52.56.xip.io
  • Log into Che as admin:admin.

  • Change the password.
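
A pre-build check on the exported certificate file, as an added example that is not part of the original gist: update-ca-certificates only adds PEM-encoded files with a .crt extension, and a browser export may be DER-encoded. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original gist.
# update-ca-certificates only adds PEM files named *.crt, so classify the
# exported file before copying it into the image build directory.

# Print the encoding of a certificate file: pem, der or unknown.
cert_encoding() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
    echo der    # DER starts with an ASN.1 SEQUENCE tag (0x30)
  else
    echo unknown
  fi
}

# Return 0 only if the file is in the form the Dockerfile step needs.
ready_for_trust_store() {
  case "$1" in
    *.crt) ;;
    *) echo "$1: needs a .crt extension" >&2; return 1 ;;
  esac
  case "$(cert_encoding "$1")" in
    pem) return 0 ;;
    der) echo "$1: DER; convert: openssl x509 -inform der -in $1 -out <name>.crt" >&2
         return 1 ;;
    *)   echo "$1: not a certificate file" >&2; return 1 ;;
  esac
}

# Constructed sample inputs (placeholders, not real certificates).
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$dir/pem.crt"
  printf '\060\202\001\012' > "$dir/der.crt"   # bytes 0x30 0x82 ...: DER prefix
  cp "$dir/pem.crt" "$dir/pem.cer"             # right encoding, wrong extension
  echo "$dir"
}

samples=$(make_samples)
for f in "$samples/pem.crt" "$samples/der.crt" "$samples/pem.cer"; do
  if ready_for_trust_store "$f" 2>/dev/null; then echo "ok:  $f"
  else echo "fix: $f"
  fi
done
rm -rf "$samples"
```

Run `ready_for_trust_store ca.crt` in $IMG_ROOT before `docker build`; a PEM file can then be inspected with `openssl x509 -in ca.crt -noout -subject -issuer` to see which certificate was exported.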

Create New Stack Using Custom Image.

  • Click Stacks.

  • Click to duplicate the Blank stack.

  • Click on the duplicate.

    • Change the name to Blank With Cert.
    • Click on Show next to Raw Configuration.
    • Change the default.recipe.content to your image name (medined/ubuntu_jdk8:latest).
    • Click 'Save'.
  • Click on Workspaces in left-hand menu.

  • Click on Add Workspace.

  • Select the Blank With Cert stack.

  • Click Create & Open.

  • Every so often you should see a Container started message, but the workspace goes no farther.

  • Eventually the workspace will time out.
