KeyCloak + Eclipse Che Installation

  • Both services are exposed through TLS ingresses under one DNS domain on Kubernetes (dev-t.xyz in the examples below)

Prerequisites

  • Kubernetes 1.19+
  • Helm 3.2.0+
  • Longhorn (persistent storage)
  • ingress-nginx and cert-manager with a Let's Encrypt ClusterIssuer — the ingress annotations used below depend on both

Keycloak

Add the Helm repository

# Register the codecentric repository (publisher of the Keycloak chart) and
# refresh the local chart index so the latest chart version is available.
codecentric_repo_url="https://codecentric.github.io/helm-charts"
helm repo add codecentric "${codecentric_repo_url}"
helm repo update

Create keycloak-values.yaml

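# Render keycloak-values.yaml for the codecentric/keycloak chart.
#
# Inputs (environment, all optional):
#   _DOMAIN                  base DNS domain; Keycloak is served at keycloak.${_DOMAIN}
#   KEYCLOAK_ADMIN_PASSWORD  initial admin password; a random one is generated when unset
#
# Output: ./keycloak-values.yaml, created with mode 0600 because it holds the admin password.
# Side effect: exports KEYCLOAK_ADMIN_PASSWORD so the kcadm step later can log in with it.
_DOMAIN="${_DOMAIN:-dev-t.xyz}"

# Never deploy the chart with the admin/admin default: the Keycloak admin account
# owns every realm, client and user behind it. Generate a password when none is given.
# The value is embedded in a double-quoted YAML scalar, so avoid '"' and '\' in it.
if [ -z "${KEYCLOAK_ADMIN_PASSWORD:-}" ]; then
  KEYCLOAK_ADMIN_PASSWORD="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n')"
  printf 'KEYCLOAK_ADMIN_PASSWORD was not set; a random one was generated and written to keycloak-values.yaml\n' >&2
fi
export KEYCLOAK_ADMIN_PASSWORD

# Derive the TLS secret name from the host so it cannot drift from _DOMAIN
# (yields keycloak-dev-t-xyz-tls for the default domain).
_KC_TLS_SECRET="keycloak-${_DOMAIN//./-}-tls"

# umask inside a subshell: only the values file is created 0600, the caller's umask is untouched.
(
umask 077
cat <<EOF > keycloak-values.yaml

# KC_PROXY is the Keycloak.X (Quarkus) proxy setting; PROXY_ADDRESS_FORWARDING is the
# legacy WildFly one. The kcadm path used later (/opt/jboss/keycloak) suggests the legacy
# image, where KC_PROXY is presumably ignored — harmless, but confirm for your image.
extraEnv: |
  - name: KEYCLOAK_USER
    value: "admin"
  - name: KEYCLOAK_PASSWORD
    value: "${KEYCLOAK_ADMIN_PASSWORD}"
  - name: KC_PROXY
    value: "edge"
  - name: KEYCLOAK_LOGLEVEL
    value: INFO
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"

ingress:
  enabled: true

  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    # Production issuer: Che's OIDC components and the kube-apiserver must be able to
    # verify this certificate, and a Let's Encrypt staging certificate is not trusted
    # by either. The Che ingress later in this guide also uses letsencrypt-prod.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # NOTE(review): with TLS terminated at the ingress ("edge" / PROXY_ADDRESS_FORWARDING)
    # Keycloak normally receives plaintext; verify that the chart's service port really
    # speaks HTTPS before keeping this, otherwise nginx cannot reach the backend.
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'

  rules:
    -
      # Ingress host
      host: keycloak.${_DOMAIN}
      # Paths for the host
      paths:
        - path: /
          pathType: Prefix
          # pathType: ImplementationSpecific
  # TLS configuration
  tls:
    - hosts:
        - keycloak.${_DOMAIN}
      secretName: ${_KC_TLS_SECRET}
EOF
)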

Install Keycloak

# Install the chart into its own namespace, creating the namespace on first run,
# with the values file rendered above.
helm_install_args=(
  --namespace keycloak
  --create-namespace
  --values keycloak-values.yaml
)
helm install keycloak codecentric/keycloak "${helm_install_args[@]}"

Keycloak Settings

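# Bootstrap Keycloak for Che with kcadm.sh, executed inside the Keycloak pod.
#
# Inputs (environment):
#   _DOMAIN                  base DNS domain; Che is served at code.${_DOMAIN}
#   KEYCLOAK_ADMIN_PASSWORD  admin password used in keycloak-values.yaml (required)
#   CHE_OAUTH_SECRET         client secret for the eclipse-che client; generated when unset
#   CHE_USER_PASSWORD        initial password for the demo user (required)
#
# Creates: realm 'che', confidential client 'eclipse-che', user 'taking'.
_DOMAIN="${_DOMAIN:-dev-t.xyz}"
: "${KEYCLOAK_ADMIN_PASSWORD:?export the admin password used when rendering keycloak-values.yaml}"
: "${CHE_USER_PASSWORD:?export an initial password for the Che user}"
if [ -z "${CHE_OAUTH_SECRET:-}" ]; then
  CHE_OAUTH_SECRET="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n')"
  printf 'CHE_OAUTH_SECRET was not set; a random one was generated and exported for this shell (reuse it in che-patch.yaml)\n' >&2
fi
export CHE_OAUTH_SECRET

# Security notes on the client:
#  - redirectUris is pinned to the Che host. A '*' wildcard lets any site that tricks a
#    user into an authorization request receive the code/token for this client.
#  - directAccessGrantsEnabled=true enables the resource-owner password grant; the Che
#    login flow is browser-based OIDC, so presumably nothing needs it — consider false.
# NOTE(review): the whole script, including both passwords, is passed as one `bash -c`
# argument and is visible in the pod's process list while it runs. Values containing
# a single quote would also break the quoting below.
kubectl exec statefulset/keycloak -n keycloak -- bash -c \
    "/opt/jboss/keycloak/bin/kcadm.sh config credentials \
        --server http://localhost:8080/auth \
        --realm master \
        --user admin  \
        --password '${KEYCLOAK_ADMIN_PASSWORD}' && \
    /opt/jboss/keycloak/bin/kcadm.sh create realms \
        -s realm='che' \
        -s displayName='che' \
        -s enabled=true \
        -s registrationAllowed=false \
        -s resetPasswordAllowed=true && \
    /opt/jboss/keycloak/bin/kcadm.sh create clients \
        -r 'che' \
        -s clientId=eclipse-che \
        -s id=eclipse-che \
        -s redirectUris='[\"https://code.${_DOMAIN}/*\"]' \
        -s directAccessGrantsEnabled=true \
        -s secret='${CHE_OAUTH_SECRET}' && \
    /opt/jboss/keycloak/bin/kcadm.sh create users \
        -r 'che' \
        -s username=taking \
        -s email=\"taking@duck.com\" \
        -s enabled=true \
        -s emailVerified=true &&  \
    /opt/jboss/keycloak/bin/kcadm.sh set-password \
        -r 'che' \
        --username taking \
        --new-password '${CHE_USER_PASSWORD}'"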

Eclipse Che CLI (chectl)

Install chectl

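# Install chectl. Do not pipe the installer straight into bash: fetch it into a
# private temp file (mktemp creates it 0600), let the operator inspect it, then run it.
# curl -f makes an HTTP error a failure instead of feeding an error page to bash.
chectl_installer="$(mktemp)" || exit 1
if curl -fsSL https://www.eclipse.org/che/chectl/ -o "${chectl_installer}"; then
  # Review before executing if desired, e.g. less "${chectl_installer}"; it runs as your user.
  bash "${chectl_installer}"
else
  printf 'chectl installer download failed\n' >&2
fi
rm -f -- "${chectl_installer}"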

Create che-patch.yaml

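# Render che-patch.yaml, a CheCluster (v2) patch that points Che at the Keycloak realm.
#
# Inputs (environment):
#   _DOMAIN           base DNS domain; the realm URL is https://keycloak.${_DOMAIN}/auth/realms/che
#   CHE_OAUTH_SECRET  secret of the 'eclipse-che' client registered in Keycloak (required;
#                     must be the same value that was passed to kcadm create clients)
#
# Output: ./che-patch.yaml, created with mode 0600 because it holds the client secret.
_DOMAIN="${_DOMAIN:-dev-t.xyz}"
: "${CHE_OAUTH_SECRET:?export the eclipse-che client secret registered in Keycloak}"
(
umask 077
cat <<EOF > che-patch.yaml
kind: CheCluster
apiVersion: org.eclipse.che/v2
spec:
  networking:
    auth:
      oAuthClientName: eclipse-che
      oAuthSecret: "${CHE_OAUTH_SECRET}"
      identityProviderURL: https://keycloak.${_DOMAIN}/auth/realms/che
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_USERNAME__CLAIM: email
        # Quoted: extraProperties values are strings. -1 removes the per-user workspace
        # cap; prefer a finite limit on a shared cluster to bound resource use.
        CHE_LIMITS_USER_WORKSPACES_COUNT: "-1"
EOF
)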

Deploy Eclipse Che

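# Deploy Che on plain Kubernetes with the CR patch rendered above.
#   -b                          public host of the Che dashboard (code.${_DOMAIN})
#   --skip-cert-manager         cert-manager is already installed (it issues the Keycloak cert)
#   --skip-oidc-provider-check  presumably bypasses chectl's check that the API server is
#                               configured for OIDC; those flags are only added in the
#                               "oidc" step below, so the check would fail at this point.
#                               Drop the flag once that step is done (or run it first).
_DOMAIN="${_DOMAIN:-dev-t.xyz}"
chectl server:deploy \
  --platform k8s \
  -b "code.${_DOMAIN}" \
  --skip-oidc-provider-check \
  --skip-cert-manager \
  --che-operator-cr-patch-yaml che-patch.yaml

# Check the rollout, then open the dashboard in a browser.
chectl server:status

chectl dashboard:open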

Add Let's Encrypt annotations to the Che ingress (code.dev-t.xyz)

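# Switch the Che ingress (namespace eclipse-che) to a Let's Encrypt certificate.
# Every annotation must be applied with `-n eclipse-che`: in the original, the
# annotation string itself was consumed as the argument of -n, so three of the
# four commands never applied anything. --overwrite keeps the call idempotent
# when the operator already set one of these keys.
# NOTE(review): the Che operator owns this Ingress and may reconcile manual
# annotations away; if that happens, set them through the CheCluster patch
# instead of annotating the Ingress directly — confirm with your operator version.
che_ingress_annotations=(
  kubernetes.io/tls-acme="true"
  cert-manager.io/cluster-issuer="letsencrypt-prod"
  nginx.ingress.kubernetes.io/ssl-redirect="true"
  nginx.ingress.kubernetes.io/backend-protocol="HTTPS"
)
kubectl annotate ingress che -n eclipse-che --overwrite "${che_ingress_annotations[@]}"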

Update the CheCluster with the patch

# Re-apply the CR patch so the running CheCluster picks up any change to che-patch.yaml.
che_patch_file="che-patch.yaml"
chectl server:update -n eclipse-che --che-operator-cr-patch-yaml "${che_patch_file}"

Kubernetes API server OIDC (Keycloak as identity provider)

  • Edit /etc/kubernetes/manifests/kube-apiserver.yaml on each control-plane node
  • Add the following flags under spec > containers > command:
  # The API server will accept ID tokens issued by the Keycloak realm created above.
  # NOTE(review): the issuer's TLS certificate must chain to a CA the API server host
  # trusts (a Let's Encrypt staging certificate does not); otherwise --oidc-ca-file is needed.
  - --oidc-issuer-url=https://keycloak.dev-t.xyz/auth/realms/che
  # Must equal the Keycloak clientId (the token's aud claim).
  - --oidc-client-id=eclipse-che
  # NOTE(review): with the email claim as username there is presumably no username
  # prefix applied by default, so a Keycloak user whose email matches an existing
  # Kubernetes or system: identity would share its RBAC — confirm before relying on it.
  - --oidc-username-claim=email
  - --oidc-groups-claim=groups

Restart the kubelet

# Forces the kubelet to re-read the static pod manifest so kube-apiserver
# restarts with the OIDC flags added above.
systemctl restart kubelet.service

Screenshots

