Closed gidduhome closed 1 year ago
Eclipse Che requires OIDC Identity Provider configured on the k8s cluster since 7.42.0
See similar issues: https://github.com/eclipse/che/issues/21136 https://github.com/eclipse/che/issues/21049
Doc: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server https://dexidp.io/docs/kubernetes/
Hello @tolusha, thank you for the response.
I understood that an OIDC provider is required for Eclipse-Che. In the case of minikube, it was provided as a default DEX installation. Do you have any plans to do the same with K8s for later releases? Or is it expected that we always need to configure it in K8s explicitly? At least, now I don't even have access to go back to previous versions, as chectl is not allowing it. Also, just as an FYI, I'm trying to do all this on OKE (Oracle Kubernetes Engine).
@gidduhome We do have plans [1]
[1] https://github.com/eclipse/che/issues/21176
Thank you @tolusha
Same issue here. I haven't found a good doc that explains all the steps to successfully deploy Eclipse Che with chectl on a k8s platform, maybe with Google OpenID or GitHub OAuth.
@tolusha I have tried installing Keycloak OIDC within the Kubernetes cluster as part of the OIDC requirement for chectl. However, this seems to fail as well. Could you please provide your steps/documentation on how you were able to install it on your local machine?
Same problem for me, I haven't found any easy solution for K8S on Docker Desktop (Windows), and will have the same problem when going to production with managed K8S on OVH.
Che needs to have an embedded solution, or enough documentation to do it :)
For information, I did install Keycloak with success on my k8s, and configured it as OIDC for the Kubernetes API.
But when I launch
chectl server:deploy --domain=my-domain.com --platform=k8s
I'm having this error :
√ Verify Kubernetes API...OK
√ 👀 Looking for an already existing Eclipse Che instance
√ Verify if Eclipse Che is deployed into namespace "eclipse-che"...it is not
× Check if OIDC Provider installed...NOT INSTALLED
→ API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access
-…
🧪 DevWorkspace engine
OIDC is activated and I use it to log in with kubectl, so I don't understand where the problem is. Here is my kube config:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: Lxxx==
    server: https://XXXX.k8s.ovh.net
  name: INTERNE
contexts:
- context:
    cluster: INTERNE
    user: keycloax-admin-INTERNE
  name: keycloax-admin@INTERNE
current-context: keycloax-admin@INTERNE
kind: Config
preferences: {}
users:
- name: keycloax-admin-INTERNE
  user:
    client-certificate-data: LxxxK
    client-key-data: Lxxx=
Any idea about the problem?
If it can help, here are some more logs:
2022-03-08T16:05:41.345Z Error: Command server:deploy failed. Error log: C:/Users/xxxx/AppData/Local/chectl/error.log. Eclipse Che logs: C:/Users/xxxx/AppData/Local/Temp/chectl-logs/1646755540473.
2022-03-08T16:05:41.345Z at newError (C:/ProgramData/chectl/chectl/lib/util.js:199:19)
2022-03-08T16:05:41.345Z at Object.wrapCommandError (C:/ProgramData/chectl/chectl/lib/util.js:195:12)
2022-03-08T16:05:41.345Z at Deploy.<anonymous> (C:/ProgramData/chectl/chectl/lib/commands/server/deploy.js:189:35)
2022-03-08T16:05:41.345Z at Generator.throw (<anonymous>)
2022-03-08T16:05:41.345Z at rejected (C:/ProgramData/chectl/chectl/node_modules/tslib/tslib.js:115:69)
2022-03-08T16:05:41.345Z Cause: Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag
2022-03-08T16:05:41.345Z at C:/ProgramData/chectl/chectl/lib/commands/server/deploy.js:409:19
2022-03-08T16:05:41.345Z at Generator.next (<anonymous>)
2022-03-08T16:05:41.345Z at fulfilled (C:/ProgramData/chectl/chectl/node_modules/tslib/tslib.js:114:62)
Hi,
I have read the CLI source code to see how it checks that OIDC is enabled. It searches for the api-server pod in the kube-system namespace to see if the oidc parameter is set.
If you are on managed k8s, you don't have access to this namespace (hidden from the client), so it fails.
You need to set --skip-oidc-provider-check
Hello, I am on a managed K8S, but I have access to the kube-system namespace. There are no "api-server" pods. Here are the available pods:
Maybe this check is not a good solution.
Anyway, I will use --skip-oidc-provider-check
Thank you for your help
Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.
Mark the issue as fresh with /remove-lifecycle stale in a new comment.
If this issue is safe to close now please do so.
Moderators: Add lifecycle/frozen label to avoid stale mode.
I am new to this. My company provides different corporate trainings and we wanted to use Che.
But I tried installation on all platforms like Azure, AWS and gcc.
SSL installation is not working (I will do that separately),
but the installation fails on × Check if OIDC Provider installed...[Not Found] → API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-che
It's not anywhere in the default docs I am following:
https://www.eclipse.org/che/docs/che-7/installation-guide/installing-che-on-google-cloud-platform/
Hello. @kushalg-1212
New docs [1] don't cover deploying Eclipse Che on a Kubernetes cluster. There is a great blog post about installing Eclipse Che on AKS [2], and explanations of how to deploy Eclipse Che on Rancher [3] and GKE [4].
In general, to deploy Eclipse Che on Kubernetes we need to know a couple of things:
Prepare patch file
cat >>cr-patch.yaml <<EOF
apiVersion: org.eclipse.che/v2
spec:
  networking:
    domain: <DOMAIN>
    auth:
      identityProviderURL: <IDENTITY_PROVIDER_URL>
      oAuthClientName: <CLIENT_ID>
      oAuthSecret: <CLIENT_SECRET>
EOF
Deploy Eclipse Che
chectl server:deploy --platform k8s --che-operator-cr-patch-yaml cr-patch.yaml --skip-oidc-provider-check
[1] https://www.eclipse.org/che/docs/stable/administration-guide/installing-che-locally/
[2] https://che.eclipseprojects.io/2022/07/25/@karatkep-installing-eclipse-che-on-aks.html
[3] https://github.com/eclipse/che/issues/21049#issuecomment-1022108499
[4] https://github.com/eclipse/che/issues/21049#issuecomment-1067776895
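The pod-based check described earlier in the thread, and a comparison of its result with the `auth` values from the patch file above, as an added example that is not chectl's code. It assumes kubeadm-style static pods labelled `component=kube-apiserver`, and that the issuer and client ID trusted by the API server should equal `identityProviderURL` and `oAuthClientName`; the helper names and sample data are hypothetical.

```javascript
// Added example, not chectl's code. Input: parsed JSON from
// `kubectl get pods -n kube-system -o json`. Assumes kubeadm-style static pods
// labelled component=kube-apiserver with flags written as --flag=value.
function apiServerFlags(pod) {
  const flags = {};
  for (const c of pod.spec?.containers ?? []) {
    for (const arg of [...(c.command ?? []), ...(c.args ?? [])]) {
      const m = /^(--[a-z0-9-]+)=(.*)$/.exec(arg);
      if (m) flags[m[1]] = m[2];
    }
  }
  return flags;
}

// 'unknown' = control plane not visible (typical on managed clusters); that is
// not evidence that OIDC is missing, so it is kept apart from 'not-configured'.
function oidcStatus(podList) {
  const pods = (podList.items ?? []).filter(
    (p) => p.metadata?.labels?.component === 'kube-apiserver');
  if (pods.length === 0) return { state: 'unknown' };
  const flags = apiServerFlags(pods[0]);
  const issuer = flags['--oidc-issuer-url'];
  if (!issuer) return { state: 'not-configured' };
  return { state: 'configured', issuer, clientId: flags['--oidc-client-id'] };
}

// Compare what the API server trusts with spec.networking.auth from the patch.
// Issuer URLs are compared exactly: a trailing slash is a real difference.
function patchProblems(status, auth) {
  if (status.state !== 'configured') return [`OIDC state is ${status.state}`];
  const problems = [];
  if (status.issuer !== auth.identityProviderURL)
    problems.push('identityProviderURL differs from --oidc-issuer-url');
  if (status.clientId !== auth.oAuthClientName)
    problems.push('oAuthClientName differs from --oidc-client-id');
  return problems;
}

// Constructed sample data (hypothetical issuer and client names).
const pod = (labels, command) => ({ metadata: { labels }, spec: { containers: [{ command }] } });
const managed = { items: [pod({ 'k8s-app': 'kube-dns' }, ['/coredns'])] };
const kubeadm = { items: [pod({ component: 'kube-apiserver' }, ['kube-apiserver',
  '--oidc-issuer-url=https://idp.example.test/realms/che', '--oidc-client-id=che'])] };
const auth = { identityProviderURL: 'https://idp.example.test/realms/che/', oAuthClientName: 'che' };

console.log(oidcStatus(managed).state);                // control plane hidden
console.log(patchProblems(oidcStatus(kubeadm), auth)); // trailing-slash mismatch
```

When the state is `unknown`, the issuer and client ID have to be confirmed through the cloud provider's own cluster settings, since the pod list says nothing about them.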
Summary
Hi, I'm trying to install eclipse-che 7.43.0 on a Kubernetes cluster. This always fails with the error that the Kubernetes API Server needs to be configured with an OIDC provider. This is the same even if I use the --skip-oidc-provider-check option.
Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag
I also configured --che-operator-cr-patch-yaml with external keycloak option with no different result.
Here is my command execution:
chectl server:deploy --installer=operator --platform=k8s --multiuser --che-operator-cr-patch-yaml=poc_minimal_che_config.yaml -v=7.43.0 --chenamespace=poc
Error log:
8:57.860Z Cause: Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag
2022-02-10T15:48:57.860Z at ~/.local/share/chectl/client/7.43.0/lib/commands/server/deploy.js:440:19
2022-02-10T15:48:57.860Z at Generator.next (<anonymous>)
2022-02-10T15:48:57.860Z at fulfilled (~/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:114:62)
2022-02-10T15:51:14.742Z Warning: Consider using the more reliable 'OLM' installer when deploying a stable release of Eclipse Che (--installer=olm).
2022-02-10T15:51:14.742Z at Object.warn (/root/.local/share/chectl/client/7.43.0/node_modules/@oclif/errors/lib/index.js:49:15)
2022-02-10T15:51:14.742Z at Deploy.warn (/root/.local/share/chectl/client/7.43.0/node_modules/@oclif/command/lib/command.js:57:16)
2022-02-10T15:51:14.742Z at OperatorTasks.<anonymous> (/root/.local/share/chectl/client/7.43.0/lib/tasks/installers/operator.js:151:25)
2022-02-10T15:51:14.742Z at Generator.next (<anonymous>)
2022-02-10T15:51:14.742Z at fulfilled (/root/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:114:62)
2022-02-10T15:51:14.742Z at runMicrotasks (<anonymous>)
2022-02-10T15:51:14.742Z at processTicksAndRejections (node:internal/process/task_queues:96:5)
2022-02-10T16:01:23.053Z Error: Command server:deploy failed. Error log: /root/.cache/chectl/error.log.
2022-02-10T16:01:23.053Z at newError (~/.local/share/chectl/client/7.43.0/lib/util.js:199:19)
2022-02-10T16:01:23.053Z at Object.wrapCommandError (~/.local/share/chectl/client/7.43.0/lib/util.js:195:12)
2022-02-10T16:01:23.053Z at Deploy.<anonymous> (~/.local/share/chectl/client/7.43.0/lib/commands/server/deploy.js:226:35)
2022-02-10T16:01:23.053Z at Generator.throw (<anonymous>)
2022-02-10T16:01:23.053Z at rejected (~/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:115:69)
2022-02-10T16:01:23.053Z at runMicrotasks (<anonymous>)
2022-02-10T16:01:23.053Z Cause: Error: Failed to start a pod, reason: Error, exitCode: 137
Relevant information
No response