eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0

Add flags to pass required parameters to deploy Eclipse Che on Kubernetes #21759

Closed tolusha closed 1 year ago

tolusha commented 1 year ago

Is your task related to a problem? Please describe

Currently, when a user tries to deploy Eclipse Che on Kubernetes, it usually fails on the gateway pod:

    [2022/10/12 12:06:26] [main.go:54] invalid configuration:
      provider missing setting: client-id
      missing setting: client-secret or client-secret-file
      oidc provider requires an oidc issuer URL

Describe the solution you'd like

Add flags to pass the following parameters:

Describe alternatives you've considered

Ensure parameters above are passed via patch file

Additional context

No response

LiJunBJZhu commented 1 year ago

@tolusha once the feature you proposed is implemented, can a Keycloak URL be provided to Che by defining IdentityProviderURL?

tolusha commented 1 year ago

@LiJunBJZhu It is possible right now to provide the Keycloak URL as IdentityProviderURL. The goal of the issue is to simplify the way the user passes the required parameters. Currently it works as follows:

  1. Prepare patch file

    cat >>cr-patch.yaml <<EOF
    apiVersion: org.eclipse.che/v2
    spec:
      networking:
        auth:
          identityProviderURL: <IDENTITY_PROVIDER_URL>
          oAuthClientName: <CLIENT_ID>
          oAuthSecret: <CLIENT_SECRET>
    EOF

  2. Deploy Eclipse Che

    chectl server:deploy --platform k8s --che-operator-cr-patch-yaml cr-patch.yaml --skip-oidc-provider-check --domain <DOMAIN>

LiJunBJZhu commented 1 year ago

When Keycloak is configured as the IdentityProviderURL, must the Keycloak instance be the OIDC provider of the k8s cluster too?

We are looking for a way to allow a Keycloak user, who is not a k8s user, to sign on to the devspaces deployment.

tolusha commented 1 year ago

> When the keycloak is configured as the IdentityProviderURL, must the keycloak instance be the OIDC provider of k8s cluster too?

Exactly, but it is kind of an admin responsibility to configure the API server to use Keycloak as the OIDC provider. chectl can do nothing here ^( For instance: https://www.eclipse.org/che/docs/stable/administration-guide/installing-che-on-minikube-keycloak-oidc/

tolusha commented 1 year ago

I have second thoughts about this issue. Instead of providing flags to set CheCluster CR fields, I added validation to ensure that the needed configuration is passed via a patch file with the flag --che-operator-cr-patch-yaml <PATH_TO_PATCH>.
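
A pre-flight check in the spirit of the validation described in the last comment, as an added example that is not chectl's own code: it confirms that a patch file sets the three `spec.networking.auth` fields from this thread before `chectl server:deploy` is run. Assumptions: the small parser handles only nested `key: value` mappings (the shape of the patch above), and the pairing of each field with a gateway error is inferred from the placeholders on this page.

```python
import re

# Fields the thread's patch sets under spec.networking.auth, each paired with
# the gateway error from the issue (pairing inferred from the placeholders).
REQUIRED = {
    "identityProviderURL": "oidc provider requires an oidc issuer URL",
    "oAuthClientName": "provider missing setting: client-id",
    "oAuthSecret": "missing setting: client-secret or client-secret-file",
}

def parse_nested_mapping(text):
    """Parse block-style YAML that contains only nested 'key: value' maps."""
    root = {}
    stack = [(-1, root)]  # (indent of the key that owns the dict, dict)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # leave maps this line is not inside
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            stack[-1][1][key.strip()] = value
        else:  # "key:" with no value opens a nested map
            child = stack[-1][1][key.strip()] = {}
            stack.append((indent, child))
    return root

def validate_patch(text):
    """Return a list of problems; an empty list means the patch is usable."""
    node = parse_nested_mapping(text)
    for key in ("spec", "networking", "auth"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return ["spec.networking.auth not found: check the nesting/indentation"]
    problems = []
    for field, gateway_error in REQUIRED.items():
        value = node.get(field)
        if not isinstance(value, str):
            problems.append(f"{field} is not set (gateway: {gateway_error})")
        elif re.fullmatch(r"<[A-Z_]+>", value):
            problems.append(f"{field} still holds the placeholder {value}")
    return problems

# Constructed sample: keys at the wrong depth, so "auth" is not under "spec".
FLAT_PATCH = "spec:\nnetworking:\nauth:\n  oAuthClientName: che\n"
if __name__ == "__main__":
    print(validate_patch(FLAT_PATCH))
```

A patch whose keys have lost their indentation fails the nesting check, and a template with unreplaced `<...>` values is reported field by field.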