Eclipse che 7.43.0 is always failing to deploy with k8s as platform

[gidduhome]

Summary

Hi,
I'm trying to install eclipse-che 7.43.0 on kubernetes cluster. This is always failing with error that Kubernetes API Server needs to be configured with OIDC provider. This is the same even if I use --skip-oidc-provider-check otpion.

Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag

I also configured --che-operator-cr-patch-yaml with external keycloak option with no different result.

Here is my command execution: chectl server:deploy --installer=operator --platform=k8s --multiuser --che-operator-cr-patch-yaml=poc_minimal_che_config.yaml -v=7.43.0 --chenamespace=poc

Error log: 8:57.860Z Cause: Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag 2022-02-10T15:48:57.860Z at ~/.local/share/chectl/client/7.43.0/lib/commands/server/deploy.js:440:19 2022-02-10T15:48:57.860Z at Generator.next (<anonymous>) 2022-02-10T15:48:57.860Z at fulfilled (~/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:114:62) 2022-02-10T15:51:14.742Z Warning: Consider using the more reliable 'OLM' installer when deploying a stable release of Eclipse Che (--installer=olm). 2022-02-10T15:51:14.742Z at Object.warn (/root/.local/share/chectl/client/7.43.0/node_modules/@oclif/errors/lib/index.js:49:15) 2022-02-10T15:51:14.742Z at Deploy.warn (/root/.local/share/chectl/client/7.43.0/node_modules/@oclif/command/lib/command.js:57:16) 2022-02-10T15:51:14.742Z at OperatorTasks.<anonymous> (/root/.local/share/chectl/client/7.43.0/lib/tasks/installers/operator.js:151:25) 2022-02-10T15:51:14.742Z at Generator.next (<anonymous>) 2022-02-10T15:51:14.742Z at fulfilled (/root/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:114:62) 2022-02-10T15:51:14.742Z at runMicrotasks (<anonymous>) 2022-02-10T15:51:14.742Z at processTicksAndRejections (node:internal/process/task_queues:96:5) 2022-02-10T16:01:23.053Z Error: Command server:deploy failed. Error log: /root/.cache/chectl/error.log. 2022-02-10T16:01:23.053Z at newError (~/.local/share/chectl/client/7.43.0/lib/util.js:199:19) 2022-02-10T16:01:23.053Z at Object.wrapCommandError (~/.local/share/chectl/client/7.43.0/lib/util.js:195:12) 2022-02-10T16:01:23.053Z at Deploy.<anonymous> (~/.local/share/chectl/client/7.43.0/lib/commands/server/deploy.js:226:35) 2022-02-10T16:01:23.053Z at Generator.throw (<anonymous>) 2022-02-10T16:01:23.053Z at rejected (~/.local/share/chectl/client/7.43.0/node_modules/tslib/tslib.js:115:69) 2022-02-10T16:01:23.053Z at runMicrotasks (<anonymous>) 2022-02-10T16:01:23.053Z Cause: Error: Failed to start a pod, reason: Error, exitCode: 137

Relevant information

No response

[tolusha]

Eclipse Che requires OIDC Identity Provider configured on the k8s cluster since 7.42.0

See similar issues:
#21136
#21049

Doc:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server
https://dexidp.io/docs/kubernetes/

[gidduhome]

Hello @tolusha thank you for response.

I understood that OIDC provider is required for Eclipse-Che. In case of minikube, it was provided as default DEX installation.
Do you have any plans to do same with K8 for later releases? OR is it expected that we need to configure it K8 explicitly always?
At least, now I don't even have access to go back to previous versions, as chectl is not allowing it.
Also,Just as an fyi, I'm trying to do all these on OKE (Oracle Kubernetes Engine)

[tolusha]

@gidduhome
We do have plans [1]
[1] #21176

[gidduhome]

Thank you @tolusha

[disaster37]

Same issue here. I doesn't found a good doc that explain all step to successfully deploy eclipse che with chectl on k8s plateform, maybee with Google Openid or github Oauth.

[aushetty]

@tolusha
I have tried installing keycloak OIDC within the kubernetes cluster as part of OIDC requirement for chectl.
However this seems to fail as well . Could you please provide your steps/documentation on how you were able to install it in your local machine

[EnergieZ]

Same problem for me, don't found any easy solution for K8S on docker desktop (windows), and will have the same problem when going to production with managed K8S on OVH.

Che need to have an embeded solution, or enough documentation to do it :)

[EnergieZ]

For information, i did install keycloak with succes on my k8s, and configure it as oidc for kubernetes API.
But when I launch
chectl server:deploy --domain=my-domain.com --platform=k8s

I'm having this error :

 √ Verify Kubernetes API...OK
  √ 👀  Looking for an already existing Eclipse Che instance
    √ Verify if Eclipse Che is deployed into namespace "eclipse-che"...it is not
  × Check if OIDC Provider installed...NOT INSTALLED
    → API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access
-…
    🧪  DevWorkspace engine

OIDC is activate and I use it to login with kubectl, so don't undestund where is the problem.
Here is my kube config :

  apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: Lxxx==
    server: https://XXXX.k8s.ovh.net
  name: INTERNE
contexts:
- context:
    cluster: INTERNE
    user: keycloax-admin-INTERNE
  name: keycloax-admin@INTERNE
current-context: keycloax-admin@INTERNE
kind: Config
preferences: {}
users:
- name: keycloax-admin-INTERNE
  user:
    client-certificate-data: LxxxK
    client-key-data: Lxxx=

Any idea about the problem ?

if it can help, here is some more logs :

2022-03-08T16:05:41.345Z Error: Command server:deploy failed. Error log: C:/Users/xxxx/AppData/Local/chectl/error.log. Eclipse Che logs: C:/Users/xxxx/AppData/Local/Temp/chectl-logs/1646755540473.
2022-03-08T16:05:41.345Z     at newError (C:/ProgramData/chectl/chectl/lib/util.js:199:19)
2022-03-08T16:05:41.345Z     at Object.wrapCommandError (C:/ProgramData/chectl/chectl/lib/util.js:195:12)
2022-03-08T16:05:41.345Z     at Deploy.<anonymous> (C:/ProgramData/chectl/chectl/lib/commands/server/deploy.js:189:35)
2022-03-08T16:05:41.345Z     at Generator.throw (<anonymous>)
2022-03-08T16:05:41.345Z     at rejected (C:/ProgramData/chectl/chectl/node_modules/tslib/tslib.js:115:69)
2022-03-08T16:05:41.345Z Cause: Error: API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-check' flag
2022-03-08T16:05:41.345Z     at C:/ProgramData/chectl/chectl/lib/commands/server/deploy.js:409:19
2022-03-08T16:05:41.345Z     at Generator.next (<anonymous>)
2022-03-08T16:05:41.345Z     at fulfilled (C:/ProgramData/chectl/chectl/node_modules/tslib/tslib.js:114:62)

[disaster37]

Hi,

I have read the source cli code to look how it control that the ODIC is enabled.
It search api-server pod on kube-system namespace to look if oidc parameter is set.

If you are on managed k8s, you haven't access on this namespace (hidden for client), so it failed.
You need to set --skip-oidc-provider-check

[EnergieZ]

Hello,
I am on a managed K8S, but i have access to kube-system namespace.
Their is no "api-server" pods.
Here is the available pods :

Maybe this check is not a good solution.
Any way, I will use --skip-oidc-provider-check
Thank you for your help

[che-bot]

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

[ghost]

I am new to this , my company provides different corporate trainings and we wanted to use che .

But i tried installation on all platform like azure , aws and gcc

SSL installation is not workig ,,, (i will do that separately )

but the installation fails on
× Check if OIDC Provider installed...[Not Found]
→ API server is not configured with OIDC Identity Provider, see details https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server. To bypass OIDC Provider check, use '--skip-oidc-provider-che

its not anywhere on the default docs i am following

https://www.eclipse.org/che/docs/che-7/installation-guide/installing-che-on-google-cloud-platform/

[tolusha]

Hello. @kushalg-1212

New docs [1] don't cover deploying Eclipse Che on Kubernetes cluster.
There is a great blog post about Installing Eclipse Che on (AKS) [2]
Explanation how to deploy Eclipse Che on Rancher [3] and GKE [4]

In general, to deploy Eclipse Che on Kubernetes we need to know a couple of things:

• kubernetes public domain
• OIDC provider url
• client id
• client secret

1. Prepare patch file

cat >>cr-patch.yaml <<EOF
apiVersion: org.eclipse.che/v2
spec:
  networking:
    domain: <DOMAIN>
    auth:
      identityProviderURL: <IDENTITY_PROVIDER_URL>
      oAuthClientName: <CLIENT_ID>
      oAuthSecret: <CLIENT_SECRET>
EOF

2. Deploy Eclipse Che

chectl server:deploy --platform k8s --che-operator-cr-patch-yaml cr-patch.yaml --skip-oidc-provider-check

[1] https://www.eclipse.org/che/docs/stable/administration-guide/installing-che-locally/
[2] https://che.eclipseprojects.io/2022/07/25/@karatkep-installing-eclipse-che-on-aks.html
[3] #21049 (comment)
[4] #21049 (comment)