medined/README-che-installation.md

## README-che-installation.md

      
    Raw
  

              README-che-installation.md
            
          
    Eclipse Che

Introduction

I am working to install multi-user Eclipse Che on a three node OKD cluser on
AWS. There is one master and two worker nodes on a common security group. Each
runs Centos. Single-user Che intalled flawlessly.
$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ec2-18-219-52-56.us-east-2.compute.amazonaws.com:8443
openshift v3.11.0+d0c29df-98
kubernetes v1.11.0+d4cacc0

The Problem

After following the steps below, the pods can't curl from the master because
of an insecure connect caused by the self-signed certificate. The pod is a
custom image with the ca.crt from the Che router baked into it.
I think I made the custom image incorrectly but I don't know where along the
installation process is incorrect.
Prerequisite

Create an account on the Docker Hub to hold a custom image.
Installation

The admin user has the ability to use --as system:admin.

Define some useful information.

export OKD_WEB="https://ec2-WW-XX-YY-ZZ.us-east-2.compute.amazonaws.com:8443"
export OKD_USER="admin"
export OKD_PASS="XXf7XX3a2dXX"
export PRJ_ROOT="~/projects"
export IMG_ROOT="~/projects/images"
export OKD_BASE="WW.XX.YY.ZZ.xip.io"
export KYK_BASE="keycloak-eclipse-che.$OKD_BASE"


Log into OpenShift.

oc login $OKD_WEB \
  --insecure-skip-tls-verify=true \
  --username $OKD_USER \
  --password $OKD_PASS


Download Eclipse Che.

cd $PRJ_ROOT
git clone https://github.com/eclipse/che.git
export CHE_PROJECT="$(pwd)/che"


Update ocp.sh to use v3.11.0.

sed -i 's^download/v3.9.0/^download/v3.11.0/^' ./che/deploy/openshift/ocp.sh
sed -i 's^v3.9.0-191fece^v3.11.0-0cbc58b^' ./che/deploy/openshift/ocp.sh


Make deploy_che.sh executable. Then execute it.

chmod +x ./che/deploy/openshift/deploy_che.sh
./che/deploy/openshift/deploy_che.sh --multiuser --secure


The che deployment will fail.


Visit Keycloak at https://$KYK_BASE.


Click on the 'Not Secure' message in your browser.


Click on 'Certificate (invalid)'.


Click the 'Details' tab.


Click the 'Export...' button.


Save the certificate with a name like the following.


export CHE_CRT=$PRJ_ROOT/che-keycloak-ca.crt


Change permissions to 600.

chmod 600 $CHE_CRT


Create an OpenShift secret.

oc new-app \
  -f $CHE_PROJECT/deploy/openshift/templates/multi/openshift-certificate-secret.yaml \
  -p CERTIFICATE="$(cat $CHE_CRT)"


Update che deployment. This will cause a new deployment.

oc set env dc/che WS_PROTOCOL=wss TLS=true


Recreate the che route.

oc apply -f ./che/deploy/openshift/templates/https

Create Custom Image With Self-signed Certificate


Setup files.

cd $IMG_ROOT
cp $PRJ_ROOT/che-keycloak-ca.crt ./ca.crt
cat > Dockerfile <<EOF
FROM eclipse/ubuntu_jdk8
ADD ca.crt /usr/local/share/ca-certificates/ca.crt
RUN sudo update-ca-certificates
EOF


Build the image.

docker build -t medined/ubuntu_jdk8:latest


Push the image to Docker Hub.

docker push medined/ubuntu_jdk8:latest


Visit the Che route. Che takes several minutes to start.

https://che-eclipse-che.18.219.52.56.xip.io


Log into Che as admin:admin.


Change the password.


Create New Stack Using Custom Image.


Click Stacks.


Click to duplicate the Blank stack.


Click on the duplicate.

Change the name to Blank With Cert.
Click on Show next to Raw Configuration.
Change the default.recipe.content to your image name (medined/ubuntu_jdk8:latest).
Click 'Save'.


Click on Workspaces in left-hand menu.


Click on Add Workspace.


Select the Blank With Cert stack.


Click Create & Open.


Every a bit you should see a message Container started but go no farther.


Eventally the workspace will time out.