Keycloak + Eclipse Che Installation
Kubernetes 1.19+
Helm 3.2.0+
Longhorn
# Register the codecentric chart repository (home of the keycloak chart) and refresh the local index.
_CHART_REPO_URL="https://codecentric.github.io/helm-charts"
helm repo add codecentric "${_CHART_REPO_URL}"
helm repo update
Create keycloak-values.yaml
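# Domain under which Keycloak is published; the ingress host and TLS host are derived from it.
_DOMAIN="dev-t.xyz"
# Bootstrap admin credentials for the Keycloak master realm. The defaults reproduce the original
# dev setup ("admin"/"admin"); override both through the environment before exposing the ingress.
_KEYCLOAK_ADMIN_USER="${KEYCLOAK_ADMIN_USER:-admin}"
_KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-admin}"

# Unquoted heredoc on purpose: ${_DOMAIN} and the credentials are expanded by this shell, not by Helm.
cat <<EOF > keycloak-values.yaml
# extraEnv is a literal block scalar (a string), not a YAML list, as in the original values file.
extraEnv: |
  - name: KEYCLOAK_USER
    value: "${_KEYCLOAK_ADMIN_USER}"
  - name: KEYCLOAK_PASSWORD
    value: "${_KEYCLOAK_ADMIN_PASSWORD}"
  # Keycloak runs behind the ingress; these two settings tell it so.
  - name: KC_PROXY
    value: "edge"
  - name: KEYCLOAK_LOGLEVEL
    value: "INFO"
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    # Staging issuer: its certificates are not publicly trusted. Use the production issuer for a
    # real deployment (the che ingress later in this guide already uses letsencrypt-prod).
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  rules:
    - host: keycloak.${_DOMAIN}
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - keycloak.${_DOMAIN}
      # Secret name is spelled out; rename it if _DOMAIN changes.
      secretName: keycloak-dev-t-xyz-tls
EOF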
# Install the chart into its own namespace, using the values file written above.
helm install keycloak codecentric/keycloak \
  --namespace keycloak --create-namespace \
  --values keycloak-values.yaml
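# Bootstrap the "che" realm, its OIDC client and one user inside the running Keycloak pod.
# Defaults match keycloak-values.yaml; override through the environment instead of editing literals.
_KEYCLOAK_ADMIN_USER="${KEYCLOAK_ADMIN_USER:-admin}"
_KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-admin}"
# Shared with the CheCluster patch (spec.networking.auth.oAuthSecret); the two must agree.
_CHE_OAUTH_SECRET="${CHE_OAUTH_SECRET:-EclipseChe}"
_CHE_USER_PASSWORD="${CHE_USER_PASSWORD:-yourpassword}"

# kcadm.sh takes the passwords as arguments, so they are visible in the pod's process list and in this
# shell's history while the command runs; treat the bootstrap values as throwaway and rotate them.
# The values are wrapped in single quotes inside the remote command, so a password containing a single
# quote needs different quoting.
# redirectUris '["*"]' accepts any redirect target; narrow it to the Che dashboard URL once known.
kubectl exec statefulset/keycloak -n keycloak -- bash -c \
  "/opt/jboss/keycloak/bin/kcadm.sh config credentials \
    --server http://localhost:8080/auth \
    --realm master \
    --user '${_KEYCLOAK_ADMIN_USER}' \
    --password '${_KEYCLOAK_ADMIN_PASSWORD}' && \
  /opt/jboss/keycloak/bin/kcadm.sh create realms \
    -s realm='che' \
    -s displayName='che' \
    -s enabled=true \
    -s registrationAllowed=false \
    -s resetPasswordAllowed=true && \
  /opt/jboss/keycloak/bin/kcadm.sh create clients \
    -r 'che' \
    -s clientId=eclipse-che \
    -s id=eclipse-che \
    -s redirectUris='[\"*\"]' \
    -s directAccessGrantsEnabled=true \
    -s secret='${_CHE_OAUTH_SECRET}' && \
  /opt/jboss/keycloak/bin/kcadm.sh create users \
    -r 'che' \
    -s username=taking \
    -s email=\"taking@duck.com\" \
    -s enabled=true \
    -s emailVerified=true && \
  /opt/jboss/keycloak/bin/kcadm.sh set-password \
    -r 'che' \
    --username taking \
    --new-password '${_CHE_USER_PASSWORD}'"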
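# Install chectl. The original piped the remote script straight into bash; saving it first lets you
# read it before it runs, and curl -f keeps an HTTP error page from being handed to bash.
_CHECTL_INSTALLER="$(mktemp)"
curl -fsSL https://www.eclipse.org/che/chectl/ -o "${_CHECTL_INSTALLER}"
bash "${_CHECTL_INSTALLER}"
rm -f "${_CHECTL_INSTALLER}"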
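_DOMAIN="dev-t.xyz"
# Must equal the secret given to the Keycloak client (kcadm "create clients -s secret=...").
_CHE_OAUTH_SECRET="${CHE_OAUTH_SECRET:-EclipseChe}"

# Partial CheCluster spec handed to chectl with --che-operator-cr-patch-yaml.
cat <<EOF > che-patch.yaml
kind: CheCluster
apiVersion: org.eclipse.che/v2
spec:
  networking:
    auth:
      oAuthClientName: eclipse-che
      oAuthSecret: "${_CHE_OAUTH_SECRET}"
      identityProviderURL: https://keycloak.${_DOMAIN}/auth/realms/che
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_USERNAME__CLAIM: email
        # Quoted so the value stays a string; a bare -1 is read as an integer, which a string map
        # would reject.
        CHE_LIMITS_USER_WORKSPACES_COUNT: "-1"
EOF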
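# Deploy Che on plain Kubernetes, published at code.<domain>, applying the CheCluster patch above.
# --skip-oidc-provider-check: chectl does not probe the identity provider first (presumably needed
#   because the Keycloak ingress carries a staging certificate; drop the flag once a trusted cert is in place).
# --skip-cert-manager: presumably cert-manager is already present, since the ingress annotations
#   reference a ClusterIssuer.
chectl server:deploy \
  --platform k8s \
  -b "code.${_DOMAIN:-dev-t.xyz}" \
  --skip-oidc-provider-check \
  --skip-cert-manager \
  --che-operator-cr-patch-yaml che-patch.yaml
chectl server:status
chectl dashboard:open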
Add Let's Encrypt annotations to the code.dev-t.xyz ingress
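_CHE_NAMESPACE="eclipse-che"
# Every call needs the namespace: the original passed the annotation itself as the -n argument on
# three of the four lines. This ingress gets the production issuer, unlike the Keycloak one (staging).
# The Che operator manages this ingress and may reconcile hand-added annotations away; if that
# happens, carry them in the CheCluster patch instead.
kubectl annotate ingress che -n "${_CHE_NAMESPACE}" kubernetes.io/tls-acme="true"
kubectl annotate ingress che -n "${_CHE_NAMESPACE}" cert-manager.io/cluster-issuer="letsencrypt-prod"
kubectl annotate ingress che -n "${_CHE_NAMESPACE}" nginx.ingress.kubernetes.io/ssl-redirect="true"
kubectl annotate ingress che -n "${_CHE_NAMESPACE}" nginx.ingress.kubernetes.io/backend-protocol="HTTPS"
# Re-run the operator update with the same CheCluster patch.
chectl server:update -n "${_CHE_NAMESPACE}" --che-operator-cr-patch-yaml che-patch.yaml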
/etc/kubernetes/manifests/kube-apiserver.yaml
Add the following flags to the API server container's command list (`spec.containers[].command`):
# Flags for the kube-apiserver static pod manifest so kubectl users can authenticate with Keycloak.
# The API server must reach this URL and trust its TLS certificate. The Keycloak ingress above is
# issued by letsencrypt-staging, whose CA is not publicly trusted, so either switch that ingress to the
# production issuer or point --oidc-ca-file at the staging CA — confirm which applies to your cluster.
- --oidc-issuer-url=https://keycloak.dev-t.xyz/auth/realms/che
# Audience expected in the id_token; the same client id created with kcadm.
- --oidc-client-id=eclipse-che
# Maps the token's email claim to the Kubernetes username (matches CHE_OIDC_USERNAME__CLAIM).
- --oidc-username-claim=email
# Reads group membership from a "groups" claim. The kcadm bootstrap above configures no groups
# mapper on the client, so verify the claim is actually present in issued tokens.
- --oidc-groups-claim=groups
# The kubelet normally re-reads static pod manifests on its own; the restart forces the reload.
systemctl restart kubelet.service