{"id":22018510,"url":"https://github.com/flavienbwk/eclipse-che-kubernetes","last_synced_at":"2025-05-07T03:27:03.068Z","repository":{"id":237432847,"uuid":"622265301","full_name":"flavienbwk/eclipse-che-kubernetes","owner":"flavienbwk","description":"Cloud-based development platform on Kubernetes.","archived":false,"fork":false,"pushed_at":"2023-04-12T23:27:09.000Z","size":351,"stargazers_count":6,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-31T05:51:06.297Z","etag":null,"topics":["cloud","development","docker","eclipse-che","keycloak","kubernetes","oidc"],"latest_commit_sha":null,"homepage":"https://medium.com/@flavienb/developing-in-the-cloud-5cfc9b2236ef","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flavienbwk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-01T15:50:07.000Z","updated_at":"2023-09-29T10:14:13.000Z","dependencies_parsed_at":"2024-05-01T19:24:13.660Z","dependency_job_id":null,"html_url":"https://github.com/flavienbwk/eclipse-che-kubernetes","commit_stats":null,"previous_names":["flavienbwk/eclipse-che-kubernetes"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flavienbwk%2Feclipse-che-kubernetes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flavienbwk%2Feclipse-che-kubernetes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flavienbwk%2Feclipse-che-kubernetes/releases","manifests_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flavienbwk%2Feclipse-che-kubernetes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flavienbwk","download_url":"https://codeload.github.com/flavienbwk/eclipse-che-kubernetes/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252805805,"owners_count":21807083,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","development","docker","eclipse-che","keycloak","kubernetes","oidc"],"created_at":"2024-11-30T05:12:25.099Z","updated_at":"2025-05-07T03:27:03.049Z","avatar_url":"https://github.com/flavienbwk.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Eclipse Che on Kubernetes\n\nAll resources to instanciate Eclipse Che on your own (_kubeadm-installed_ or similar) Kubernetes cluster.\n\n:point_right: Read the Medium article : [\"Developing in the Cloud\"](https://medium.com/@flavienb/developing-in-the-cloud-5cfc9b2236ef).\n\n## Architecture and pre-requisites\n\n![Eclipse Che architecture with Kubernetes](./images/keycloak-che.jpg)\n\nEclipse Che [requires an OIDC identity provider](https://github.com/eclipse/che/issues/21160#issuecomment-1038877280) configured in your Kubernetes cluster in order to work. We will use [Keycloak](https://github.com/keycloak/keycloak) in this repo. 
All external flows will be routed by an [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) deployed in our Kubernetes cluster.\n\nKeycloak must be run in an external environment in order to be reachable by our Kubernetes' API server at startup.\n\nIt is recommended to set up Che on a dedicated machine (VM or bare metal) due to its heavy requirements.\n\n## Getting started\n\nAt this step, I expect you to have:\n\n- A working Kubernetes cluster up and running\n- An [Ingress Controller](https://kubernetes.github.io/ingress-nginx/deploy/) installed on your cluster\n- [Certmanager](https://cert-manager.io/docs/installation/) installed on your cluster\n- A storage class such as [OpenEBS](https://openebs.io/docs/user-guides/installation) installed on your cluster\n- Docker installed on the same machine (or a remote host, as long as you edit the following configurations)\n\nTo help you set up your standalone Kubernetes with kubeadm, use the scripts in `./helpers`.\n\n### A. Setup Keycloak\n\n1. Install dependencies\n\n    - jq\n    - docker\n    - docker-compose\n\n2. **Copy** env variables\n\n    ```bash\n    cp ./keycloak/.env.example ./keycloak/.env\n    ```\n\n    Correctly set `KEYCLOAK_EXTERNAL_URL` in your `.env` file, replacing `xxx.xxx.xxx.xxx` with your cluster **IP address**. Then run:\n\n    ```bash\n    export $(grep -v '^#' ./keycloak/.env | xargs)\n    ```\n\n3. **Generate** certs and start Keycloak\n\n    ```bash\n    cd keycloak\n\n    bash ./generate-certs.sh\n    docker-compose up -d\n    ```\n\n4. **Create** and configure the `kubernetes` client in Keycloak\n\n    ```bash\n    bash ./configure-keycloak.sh\n    \n    cd ..\n    kubectl create ns test-ns\n    kubectl apply -f ./rbac.yaml\n    ```\n\n    \u003e `KEYCLOAK_ADMIN_USER` will be assigned the \"admin\" role for use inside Che. 
A \"developer\" role can be assigned as well but has no Che-related RBAC configured: it only has access to the `test-ns` namespace.\n\n### B. Bind Kubernetes to use Keycloak as OIDC provider\n\n1. Copy Keycloak's certificate to your system keystore\n\n    ```bash\n    sudo cp ./keycloak/certs/ca/root-ca.pem /etc/ca-certificates/keycloak-ca.pem\n    ```\n\n    This certificate file must be reachable by your Kubernetes cluster.\n\n2. Add the following configuration to `/etc/kubernetes/manifests/kube-apiserver.yaml`\n\n    Please **replace** `KEYCLOAK_EXTERNAL_URL` with its actual value!\n\n    ```txt\n        - --oidc-issuer-url=$KEYCLOAK_EXTERNAL_URL/realms/master\n        - --oidc-client-id=kubernetes\n        - --oidc-username-claim=email\n        - --oidc-groups-prefix='keycloak:'\n        - --oidc-groups-claim=groups\n        - --oidc-ca-file=/etc/ca-certificates/keycloak-ca.pem\n    ```\n\n    :hourglass_flowing_sand: Please wait at least 1 minute, then check that the cluster is still working by running `kubectl get po -A`\n\n3. Make Keycloak accessible through your Ingress Controller\n\n    ```bash\n    kubectl create secret tls tls-keycloak-ingress --cert ./keycloak/certs/keycloak/keycloak.pem --key ./keycloak/certs/keycloak/keycloak.key\n\n    sed \"s|\\$KEYCLOAK_EXTERNAL_URL|${KEYCLOAK_EXTERNAL_URL#https://}|g\" ingress-keycloak-example.yaml \u003e ingress-keycloak.yaml\n    sed -i \"s|\\$CHE_EXTERNAL_URL|${CHE_EXTERNAL_URL#https://}|g\" ingress-keycloak.yaml\n    kubectl apply -f ./ingress-keycloak.yaml\n    ```\n\n### C. Install Eclipse Che\n\n1. Install the chectl command line\n\n    ```bash\n    bash \u003c(curl -sL https://www.eclipse.org/che/chectl/)\n    ```\n\n2. 
Configure Keycloak certificates for Che\n\n    ```bash\n    kubectl create namespace eclipse-che\n    kubectl create configmap keycloak-certs \\\n        --from-file=keycloak-ca.crt=./keycloak/certs/keycloak/tls.crt \\\n        -n eclipse-che\n    kubectl label configmap keycloak-certs \\\n        app.kubernetes.io/part-of=che.eclipse.org \\\n        app.kubernetes.io/component=ca-bundle \\\n        -n eclipse-che\n    ```\n\n3. Generate the config file and run the install\n\n    ```bash\n    cp che-patch-example.yaml che-patch.yaml\n    sed -i \"s|\\$KEYCLOAK_CHE_CLIENT_SECRET|${KEYCLOAK_CHE_CLIENT_SECRET}|g\" che-patch.yaml\n    sed -i \"s|\\$KEYCLOAK_CHE_CLIENT_ID|${KEYCLOAK_CHE_CLIENT_ID}|g\" che-patch.yaml\n    sed -i \"s|\\$KEYCLOAK_EXTERNAL_URL|${KEYCLOAK_EXTERNAL_URL}|g\" che-patch.yaml\n    sed -i \"s|\\$CHE_EXTERNAL_URL|${CHE_EXTERNAL_URL}|g\" che-patch.yaml\n\n    chectl server:deploy --domain=${CHE_EXTERNAL_URL#*://} --platform=k8s --che-operator-cr-patch-yaml=./che-patch.yaml --telemetry=off --skip-cert-manager\n    ```\n\n    :information_source: Make sure you have a default _storage class_ installed on your cluster.\n\n    \u003e If something goes wrong, you can uninstall Che using the following command:\n    \u003e \n    \u003e ```bash\n    \u003e chectl server:delete --delete-all --delete-namespace\n    \u003e ```\n    \u003e\n    \u003e Then run the commands from step 2 again.\n\n4. Connect to `CHE_EXTERNAL_URL`!\n\n    ![Eclipse Che dashboard](./images/che-dashboard.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflavienbwk%2Feclipse-che-kubernetes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflavienbwk%2Feclipse-che-kubernetes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflavienbwk%2Feclipse-che-kubernetes/lists"}