
Can not enable oAuth on OCP 4.6 using OperatorHub with the default CR #18346

Closed
1 task
ibuziuk opened this issue Nov 12, 2020 · 5 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/question Questions that haven't been identified as being feature requests or bugs.

Comments

@ibuziuk
Member

ibuziuk commented Nov 12, 2020

Describe the bug

Can not enable oAuth on OCP 4.6 using OperatorHub with the default CR #18346

Che version

  • 7.21.1

Steps to reproduce

  1. fresh OCP 4.6
  2. install Eclipse Che 7.21.1 operator
  3. Create Eclipse Che CR with the default config:

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  namespace: eclipse-che
  name: eclipse-che
spec:
  auth:
    identityProviderURL: ''
    identityProviderRealm: ''
    identityProviderImage: ''
    identityProviderClientId: ''
    externalIdentityProvider: false
    openShiftoAuth: true
  database:
    chePostgresUser: ''
    externalDb: false
    chePostgresHostName: ''
    chePostgresPassword: ''
    chePostgresDb: ''
    chePostgresPort: ''
  metrics:
    enable: true
  server:
    pluginRegistryImage: ''
    selfSignedCert: false
    devfileRegistryImage: ''
    tlsSupport: true
    cheImageTag: ''
  storage:
    preCreateSubPaths: true
    pvcClaimSize: 1Gi
    pvcStrategy: per-workspace

ERROR: Eclipse Che is created with oAuth disabled.

Expected behavior

Eclipse Che is created with oAuth enabled.

Runtime

OCP 4.6

Installation method

Operatorhub

Logs from operator

time="2020-11-12T14:14:12Z" level=warning msg="No Openshift identity providers. Openshift oAuth was disabled. How to add identity provider read in the Help Link: https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html#identity-provider-overview_understanding-identity-provider"
@ibuziuk ibuziuk added kind/bug Outline of a bug - must adhere to the bug report template. team/platform labels Nov 12, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Nov 12, 2020
@metlos metlos added the area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator label Nov 12, 2020
@skabashnyuk
Contributor

After installation with chectl I have such a configuration:

spec:
  auth:
    identityProviderURL: 'https://keycloak-che.apps.cluster-2d6e.2d6e.example.opentlc.com'
    identityProviderRealm: che
    updateAdminPassword: false
    identityProviderIngress: {}
    oAuthSecret: S5T9SmPjY5J9
    oAuthClientName: eclipse-che-openshift-identity-provider-8sxaiy
    identityProviderClientId: che-public
    identityProviderPostgresSecret: che-identity-postgres-secret
    identityProviderRoute: {}
    externalIdentityProvider: false
    identityProviderSecret: che-identity-secret
    openShiftoAuth: true
  database:
    chePostgresDb: dbche
    chePostgresHostName: postgres
    chePostgresPort: '5432'
    chePostgresSecret: che-postgres-secret
    externalDb: false
  k8s:
    ingressDomain: 192.168.99.101.nip.io
    tlsSecretName: che-tls
  metrics:
    enable: true
  server:
    cheLogLevel: INFO
    externalDevfileRegistry: false
    pluginRegistryIngress: {}
    cheServerRoute: {}
    devfileRegistryIngress: {}
    cheHost: che-che.apps.cluster-2d6e.2d6e.example.opentlc.com
    selfSignedCert: false
    cheServerIngress: {}
    cheDebug: 'false'
    tlsSupport: true
    allowUserDefinedWorkspaceNamespaces: false
    pluginRegistryRoute: {}
    devfileRegistryRoute: {}
    cheImage: 'XXXX'
    externalPluginRegistry: false
    gitSelfSignedCert: false
    cheFlavor: che
    cheImageTag: 'YYY'
  storage:
    preCreateSubPaths: true
    pvcClaimSize: 1Gi
    pvcStrategy: common

@ibuziuk ibuziuk changed the title Can not enable 'single-host' with oAuth enabled on OCP 4.6 using OperatorHub Can not enable oAuth on OCP 4.6 using OperatorHub with the default CR Nov 12, 2020
@ibuziuk ibuziuk added the area/install Issues related to installation, including offline/air gap and initial setup label Nov 12, 2020
@ibuziuk
Member Author

ibuziuk commented Nov 12, 2020

@skabashnyuk I suspect that previously those values were detected automatically during the installation and it was not required to add them to the CR explicitly:

    identityProviderURL: 'https://keycloak-che.apps.cluster-2d6e.2d6e.example.opentlc.com'
    identityProviderRealm: che
    updateAdminPassword: false
    identityProviderIngress: {}
    oAuthSecret: S5T9SmPjY5J9
    oAuthClientName: eclipse-che-openshift-identity-provider-8sxaiy
    identityProviderClientId: che-public
    identityProviderPostgresSecret: che-identity-postgres-secret
    identityProviderRoute: {}
    externalIdentityProvider: false

OAuth just worked OOTB with the default config.

@skabashnyuk also, could you please clarify which chectl command was used for installation?

@tolusha tolusha removed the area/install Issues related to installation, including offline/air gap and initial setup label Nov 13, 2020
@tolusha
Contributor

tolusha commented Nov 13, 2020

@ibuziuk
When a fresh OCP cluster is set up, there are no identity providers [1] configured and there is only one kubeadmin user.
So, if Eclipse Che is deployed with OAuth enabled, there is no way to log in, since kubeadmin can't be used with OAuth [2].
That's why the operator checks [3] whether any identity providers are configured and turns OAuth off if they don't exist.
There is an enhancement [4] for this use case. I guess it sheds some light on the problem.

[1] https://docs.openshift.com/container-platform/4.6/authentication/understanding-identity-provider.html#identity-provider-overview_understanding-identity-provider
[2] Verify if kubeadmin can be a regular OAuth user with latest Keycloak and OpenShift #16835
[3] Improve operator-based deployment when kubeadmin is the only user #16834
[4] Create a valid user if no one exist when deploying on OpenShift #18152
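To make the operator's decision above concrete, here is an added Go example (not che-operator code, and not the project's exact logic) that decodes the `oauth.config.openshift.io/cluster` object as returned by `oc get oauth cluster -o json`, counts `spec.identityProviders`, and applies the rule the thread describes: the requested `openShiftoAuth` value is honoured only when at least one identity provider exists. The two JSON documents, the function names and the warning text are constructed for this illustration; the warning paraphrases the operator log line quoted in the report rather than reproducing it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// IdentityProvider holds the fields of spec.identityProviders[] from the
// OpenShift OAuth cluster config that the decision below needs.
type IdentityProvider struct {
	Name string `json:"name"`
	Type string `json:"type"`
}

// OAuthConfig is the subset of oauth.config.openshift.io/cluster we decode.
type OAuthConfig struct {
	Spec struct {
		IdentityProviders []IdentityProvider `json:"identityProviders"`
	} `json:"spec"`
}

// Constructed sample: a fresh cluster where only kubeadmin exists, so the
// OAuth spec carries no identityProviders at all.
const freshClusterOAuth = `{"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"name":"cluster"},"spec":{}}`

// Constructed sample: the same object after an HTPasswd provider was added.
const configuredClusterOAuth = `{"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"name":"cluster"},"spec":{"identityProviders":[{"name":"htpasswd_provider","type":"HTPasswd","mappingMethod":"claim"}]}}`

// ParseIdentityProviders decodes the OAuth cluster object and returns the
// names of the configured providers; the slice is empty on a fresh cluster.
func ParseIdentityProviders(raw []byte) ([]string, error) {
	var cfg OAuthConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("decode OAuth config: %w", err)
	}
	names := make([]string, 0, len(cfg.Spec.IdentityProviders))
	for _, idp := range cfg.Spec.IdentityProviders {
		names = append(names, idp.Name)
	}
	return names, nil
}

// EffectiveOpenShiftOAuth applies the rule described in the thread (hypothetical
// helper): openShiftoAuth is honoured only when at least one identity provider
// exists. Otherwise OAuth is forced off and a warning explains why, because
// kubeadmin cannot log in through OAuth and no other user would exist yet.
func EffectiveOpenShiftOAuth(requested bool, providers []string) (enabled bool, warning string) {
	if !requested {
		return false, ""
	}
	if len(providers) == 0 {
		return false, "No OpenShift identity providers configured; OpenShift OAuth was disabled. " +
			"Add an identity provider and re-apply the CheCluster CR with openShiftoAuth: true."
	}
	return true, ""
}

func main() {
	samples := map[string]string{
		"fresh cluster":         freshClusterOAuth,
		"cluster with htpasswd": configuredClusterOAuth,
	}
	for label, raw := range samples {
		providers, err := ParseIdentityProviders([]byte(raw))
		if err != nil {
			fmt.Println(label+":", err)
			continue
		}
		enabled, warning := EffectiveOpenShiftOAuth(true, providers)
		fmt.Printf("%s: openShiftoAuth requested=true providers=%v effective=%v\n", label, providers, enabled)
		if warning != "" {
			fmt.Println("  warning:", warning)
		}
	}
}
```

Run with `go run` to see both outcomes. As a pre-flight check before applying the CR, feed the real `oc get oauth cluster -o json` output to `ParseIdentityProviders`: an empty result means the operator will log the warning quoted in the report and deploy with OAuth off, whatever the CR says.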

@ibuziuk
Member Author

ibuziuk commented Nov 13, 2020

@tolusha thanks for the clarification. Indeed #18152 would be really nice to have since currently the default config looks misleading. I believe the issue can be closed since all seems to work as expected.

@tolusha
Contributor

tolusha commented Nov 13, 2020

Yes, that's expected behavior.

@tolusha tolusha closed this as completed Nov 13, 2020
@tolusha tolusha added kind/question Questions that haven't been identified as being feature requests or bugs. and removed kind/bug Outline of a bug - must adhere to the bug report template. status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Nov 13, 2020