Eclipse Che

Introduction

I am working to install multi-user Eclipse Che on a three node OKD cluser on AWS. There is one master and two worker nodes on a common security group. Each runs Centos. Single-user Che intalled flawlessly.

$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ec2-18-219-52-56.us-east-2.compute.amazonaws.com:8443
openshift v3.11.0+d0c29df-98
kubernetes v1.11.0+d4cacc0

The Problem

After following the steps below, the pods can't curl from the master because of an insecure connect caused by the self-signed certificate. The pod is a custom image with the ca.crt from the Che router baked into it.

I think I made the custom image incorrectly but I don't know where along the installation process is incorrect.

Prerequisite

Create an account on the Docker Hub to hold a custom image.

Installation

The admin user has the ability to use --as system:admin.

Define some useful information.

export OKD_WEB="https://ec2-WW-XX-YY-ZZ.us-east-2.compute.amazonaws.com:8443"
export OKD_USER="admin"
export OKD_PASS="XXf7XX3a2dXX"
export PRJ_ROOT="~/projects"
export IMG_ROOT="~/projects/images"
export OKD_BASE="WW.XX.YY.ZZ.xip.io"
export KYK_BASE="keycloak-eclipse-che.$OKD_BASE"

Log into OpenShift.

oc login $OKD_WEB \
  --insecure-skip-tls-verify=true \
  --username $OKD_USER \
  --password $OKD_PASS

Download Eclipse Che.

cd $PRJ_ROOT
git clone https://github.com/eclipse/che.git
export CHE_PROJECT="$(pwd)/che"

Update ocp.sh to use v3.11.0.

sed -i 's^download/v3.9.0/^download/v3.11.0/^' ./che/deploy/openshift/ocp.sh
sed -i 's^v3.9.0-191fece^v3.11.0-0cbc58b^' ./che/deploy/openshift/ocp.sh

Make deploy_che.sh executable. Then execute it.

chmod +x ./che/deploy/openshift/deploy_che.sh
./che/deploy/openshift/deploy_che.sh --multiuser --secure

The che deployment will fail.
Visit Keycloak at https://$KYK_BASE.
Click on the 'Not Secure' message in your browser.
Click on 'Certificate (invalid)'.
Click the 'Details' tab.
Click the 'Export...' button.
Save the certificate with a name like the following.

export CHE_CRT=$PRJ_ROOT/che-keycloak-ca.crt

Change permissions to 600.

chmod 600 $CHE_CRT

Create an OpenShift secret.

oc new-app \
  -f $CHE_PROJECT/deploy/openshift/templates/multi/openshift-certificate-secret.yaml \
  -p CERTIFICATE="$(cat $CHE_CRT)"

Update che deployment. This will cause a new deployment.

oc set env dc/che WS_PROTOCOL=wss TLS=true

Recreate the che route.

oc apply -f ./che/deploy/openshift/templates/https

Create Custom Image With Self-signed Certificate

Setup files.

cd $IMG_ROOT
cp $PRJ_ROOT/che-keycloak-ca.crt ./ca.crt
cat > Dockerfile <<EOF
FROM eclipse/ubuntu_jdk8
ADD ca.crt /usr/local/share/ca-certificates/ca.crt
RUN sudo update-ca-certificates
EOF

Build the image.

docker build -t medined/ubuntu_jdk8:latest

Push the image to Docker Hub.

docker push medined/ubuntu_jdk8:latest

Visit the Che route. Che takes several minutes to start.

https://che-eclipse-che.18.219.52.56.xip.io

Log into Che as admin:admin.
Change the password.

Create New Stack Using Custom Image.

Click Stacks.
Click to duplicate the Blank stack.
Click on the duplicate.
- Change the name to Blank With Cert.
- Click on Show next to Raw Configuration.
- Change the default.recipe.content to your image name (medined/ubuntu_jdk8:latest).
- Click 'Save'.
Click on Workspaces in left-hand menu.
Click on Add Workspace.
Select the Blank With Cert stack.
Click Create & Open.
Every a bit you should see a message Container started but go no farther.
Eventally the workspace will time out.

medined/README-che-installation.md