
Unable to use external keycloak with Eclipse che

Open anshumaanyadav-neudesic opened this issue 3 years ago • 4 comments

Summary

I am trying to run eclipse-che with an external Keycloak. I have created a custom resource with externalIdentityProvider set to true, and when I deploy using chectl the identityProviderURL does not change and remains the same, dex.dex:5556.

I am deploying che on minikube 1.24 on windows with Hyper-V as driver and the external keycloak is running in a separate docker container.

Please let me know the correct steps to connect these two services together.

Attachments: custom-resource.yaml, eclipse-che-logs.zip

Relevant information

Install Log

chectl server:deploy -a operator -p minikube --che-operator-cr-patch-yaml .\cr2.yaml
› Current Kubernetes context: 'minikube'
√ Verify Kubernetes API...OK
√ 👀 Looking for an already existing Eclipse Che instance
√ Verify if Eclipse Che is deployed into namespace "eclipse-che"...it is not
↓ Check if OIDC Provider installed [skipped]
→ Dex will be automatically installed as OIDC Identity Provider
√ 🧪 DevWorkspace engine
√ Verify cert-manager installation
√ Check Cert Manager deployment...not deployed
√ Deploy Cert Manager...done
√ Wait for Cert Manager...ready
√ ✈️ Minikube preflight checklist
√ Verify if kubectl is installed
√ Verify if minikube is installed
√ Verify if minikube is running
↓ Start minikube [skipped]
→ Minikube is already running.
√ Check Kubernetes version: Found v1.22.3.
√ Verify if minikube ingress addon is enabled
↓ Enable minikube ingress addon [skipped]
→ Ingress addon is already enabled.
√ Retrieving minikube IP and domain for ingress URLs...172.29.49.25.nip.io.
√ Checking minikube version...1.24.0
↓ Check if cluster accessible [skipped]
√ Following Eclipse Che logs
√ Start following Operator logs...done
√ Start following Eclipse Che Server logs...done
√ Start following PostgreSQL logs...done
√ Start following Keycloak logs...done
√ Start following Plug-in Registry logs...done
√ Start following Devfile Registry logs...done
√ Start following Eclipse Che Dashboard logs...done
√ Start following namespace events...done
√ Create Namespace eclipse-che...[OK]
√ Deploy Dex
√ Create namespace: dex...[OK]
√ Provide Dex certificate
√ Check Cert Manager deployment...already deployed
√ Wait for Cert Manager...ready
√ Check Cert Manager CA certificate...generating new one
√ Set up Eclipse Che certificates issuer...done
√ Request self-signed certificate...done
√ Wait for self-signed certificate...ready
√ Read Dex certificate...[OK]
√ Save Dex certificate...[OK: C:\Users\ANSHUM~1.YAD\AppData\Local\Temp\dex-ca.crt]
√ Add Dex certificate to Eclipse Che certificates bundle...[OK]
√ Create Dex service account...[OK]
√ Create Dex cluster role...[OK]
√ Create Dex cluster role binding...[OK]
√ Create Dex service...[OK]
√ Create Dex ingress...[OK]
√ Generate Dex username and password...[OK: admin:admin]
√ Create Dex configmap...[OK]
√ Create Dex deployment...[OK]
√ Wait for Dex is ready...[OK]
√ Configure API server
√ Create /etc/ca-certificates directory...[OK]
√ Copy Dex certificate into Minikube...[OK]
√ Configure Minikube API server...[OK]
√ Wait for Minikube API server...[OK]
√ 🏃‍ Running the Eclipse Che operator
√ Create ServiceAccount che-operator in namespace eclipse-che...done.
√ Read Roles and Bindings...done.
√ Creating Roles and Bindings...done.
√ Create CRD checlusters.org.eclipse.che...done.
√ Waiting 5 seconds for the new Kubernetes resources to get flushed...done.
√ Create deployment che-operator in namespace eclipse-che...done.
√ Operator pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Prepare Eclipse Che cluster CR...Done.
√ Create the Custom Resource of type checlusters.org.eclipse.che in the namespace eclipse-che...done.
√ ✅ Post installation checklist
√ PostgreSQL pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Devfile Registry pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Plug-in Registry pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Eclipse Che Dashboard pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Eclipse Che Server pod bootstrap
√ Scheduling...done
√ Downloading images...done
√ Starting...done
√ Eclipse Che status check...done
√ Retrieving Che self-signed CA certificate...OK
√ Prepare post installation output...done
√ Show important messages
√ Eclipse Che 'next' has been successfully deployed.
√ Documentation : https://www.eclipse.org/che/docs/
√ -------------------------------------------------------------------------------
√ Users Dashboard : https://172.29.49.25.nip.io/dashboard/
√ -------------------------------------------------------------------------------
√ Plug-in Registry : https://172.29.49.25.nip.io/plugin-registry/v3/
√ Devfile Registry : https://172.29.49.25.nip.io/devfile-registry/
√ -------------------------------------------------------------------------------
√ Dex user credentials : [email protected]:admin
√ Dex user credentials : user1@che:password
√ Dex user credentials : user2@che:password
√ Dex user credentials : user3@che:password
√ Dex user credentials : user4@che:password
√ Dex user credentials : user5@che:password
√ -------------------------------------------------------------------------------
Command server:deploy has completed successfully in 07:38.

CheCluster Custom Resource Definition

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  annotations:
    che.eclipse.org/cheClusterV2alpha1Spec: |
      enabled: true
      gateway:
        enabled: true
        image: quay.io/eclipse/che--traefik:v2.5.0-eb30f9f09a65cee1fab5ef9c64cb4ec91b800dc3fdd738d62a9d4334f0114683
      k8s: {}
      workspaces:
        domainEndpoints:
          baseDomain: 172.29.49.25.nip.io
          tlsSecretName: che-tls
  creationTimestamp: '2022-03-03T05:47:07Z'
  finalizers:
    - checluster.che.eclipse.org
    - cheGateway.clusterpermissions.finalizers.che.eclipse.org
    - cheWorkspaces.clusterpermissions.finalizers.che.eclipse.org
    - namespaces-editor.permissions.finalizers.che.eclipse.org
    - devWorkspace.permissions.finalizers.che.eclipse.org
    - dashboard.clusterpermissions.finalizers.che.eclipse.org
  generation: 9
  managedFields:
    - apiVersion: org.eclipse.che/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:spec:
          .: {}
          f:auth:
            .: {}
            f:externalIdentityProvider: {}
            f:identityProviderClientId: {}
            f:identityProviderRealm: {}
            f:identityProviderURL: {}
            f:nativeUserMode: {}
            f:oAuthClientName: {}
            f:oAuthSecret: {}
            f:updateAdminPassword: {}
          f:database:
            .: {}
            f:externalDb: {}
          f:devWorkspace:
            .: {}
            f:enable: {}
          f:k8s:
            .: {}
            f:ingressDomain: {}
            f:tlsSecretName: {}
          f:metrics:
            .: {}
            f:enable: {}
          f:server:
            .: {}
            f:cheDebug: {}
            f:gitSelfSignedCert: {}
            f:selfSignedCert: {}
            f:tlsSupport: {}
            f:workspaceNamespaceDefault: {}
          f:storage:
            .: {}
            f:preCreateSubPaths: {}
            f:pvcClaimSize: {}
            f:pvcStrategy: {}
      manager: unknown
      operation: Update
      time: '2022-03-03T05:47:07Z'
    - apiVersion: org.eclipse.che/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:finalizers:
            v:"dashboard.clusterpermissions.finalizers.che.eclipse.org": {}
        f:status:
          f:devfileRegistryURL: {}
          f:pluginRegistryURL: {}
      manager: manager
      operation: Update
      time: '2022-03-03T05:49:57Z'
    - apiVersion: org.eclipse.che/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:cheClusterRunning: {}
          f:cheURL: {}
          f:cheVersion: {}
      manager: manager
      operation: Update
      subresource: status
      time: '2022-03-03T05:51:48Z'
  name: eclipse-che
  namespace: eclipse-che
  resourceVersion: '4018'
  uid: 3a4218b5-4274-4bd6-8089-6b2634f7fc25
spec:
  auth:
    externalIdentityProvider: true
    identityProviderClientId: che-public
    identityProviderContainerResources:
      limits: {}
      request: {}
    identityProviderIngress: {}
    identityProviderRealm: eclipse-che
    identityProviderRoute: {}
    identityProviderURL: http://dex.dex:5556
    nativeUserMode: true
    oAuthClientName: eclipse-che
    oAuthSecret: RbGh2/qw0jXbNweAWazbflYBrzq+jsGzy2jVP1EdYs0=
    updateAdminPassword: true
  database:
    chePostgresContainerResources:
      limits: {}
      request: {}
    chePostgresDb: dbche
    chePostgresHostName: postgres
    chePostgresPort: '5432'
    chePostgresSecret: che-postgres-secret
    externalDb: false
    postgresVersion: '13.3'
  devWorkspace:
    enable: true
  imagePuller:
    enable: false
    spec: {}
  k8s:
    ingressDomain: 172.29.49.25.nip.io
    tlsSecretName: che-tls
  metrics:
    enable: true
  server:
    allowUserDefinedWorkspaceNamespaces: false
    cheDebug: 'false'
    cheHost: 172.29.49.25.nip.io
    cheLogLevel: INFO
    cheServerIngress: {}
    cheServerRoute: {}
    dashboardIngress: {}
    dashboardRoute: {}
    devfileRegistryIngress: {}
    devfileRegistryRoute: {}
    externalDevfileRegistry: false
    externalPluginRegistry: false
    gitSelfSignedCert: false
    pluginRegistryIngress: {}
    pluginRegistryRoute: {}
    selfSignedCert: true
    singleHostGatewayImage: >-
      quay.io/eclipse/che--traefik:v2.5.0-eb30f9f09a65cee1fab5ef9c64cb4ec91b800dc3fdd738d62a9d4334f0114683
    tlsSupport: true
    useInternalClusterSVCNames: false
    workspaceNamespaceDefault: -che
  storage:
    preCreateSubPaths: true
    pvcClaimSize: 10Gi
    pvcStrategy: common
status:
  cheClusterRunning: Available
  cheURL: https://172.29.49.25.nip.io
  cheVersion: next
  dbProvisioned: false
  devfileRegistryURL: https://172.29.49.25.nip.io/devfile-registry
  devworkspaceStatus:
    gatewayHost: 172.29.49.25.nip.io
    gatewayPhase: Established
    phase: Active
    workspaceBaseDomain: 172.29.49.25.nip.io
  gitHubOAuthProvisioned: false
  keycloakProvisioned: false
  keycloakURL: ''
  openShiftoAuthProvisioned: false
  pluginRegistryURL: https://172.29.49.25.nip.io/plugin-registry/v3

anshumaanyadav-neudesic avatar Mar 03 '22 06:03 anshumaanyadav-neudesic

I have manually updated the CRD with the following:

spec:
  auth:
    externalIdentityProvider: true
    identityProviderClientId: che-public
    identityProviderRealm: jhipster
    identityProviderURL: >-
      https://f6b6-2405-201-3019-78d3-9846-a13e-7b14-5470.ngrok.io/auth/realms/jhipster
    openShiftoAuth: false
    updateAdminPassword: false

And the pod is up...but as soon as I try to access the che-server, Dex Login shows up.

anshumaanyadav-neudesic avatar Mar 04 '22 06:03 anshumaanyadav-neudesic

Not sure if that helps, since Dex is autodeployed on minikube... If using devworkspace mode, the OAuth params differ slightly from the previous documentation. identityProviderRealm is ignored since it's part of identityProviderURL. identityProviderClientId is ignored as well. We had to use oAuthClientName and oAuthSecret instead. That actually worked with Keycloak.

Set CHE_OIDC_USERNAME__CLAIM to the setting kube-api-proxy is using.

spec:
  server:
    customCheProperties:
      CHE_OIDC_USERNAME__CLAIM: "email"

  auth:
      externalIdentityProvider: true
      identityProviderURL: 'https://auth.company.dev/auth/realms/git-dev'
      openShiftoAuth: false
      oAuthClientName: 'kubernetes'
      oAuthSecret: '0...2'

See: https://github.com/eclipse/che/issues/21049#issuecomment-1022108499

btw: Dex can also be configured to use Keycloak.

nils-mosbach avatar Mar 04 '22 08:03 nils-mosbach

Hi @nils-mosbach, thanks for sharing the custom resource. But this does not work for me. I am still seeing the Dex login page and I cannot log in using the user from Keycloak.

anshumaanyadav-neudesic avatar Mar 08 '22 03:03 anshumaanyadav-neudesic

@anshumaanyadav-neudesic

Sorry for the late answer. You have to reconfigure the minikube API server to use another OIDC provider, for instance:

KEYCLOAK_HOST=<KEYCLOAK_HOST>
KEYCLOAK_REALM=<REALM>
KEYCLOAK_CLIENT_ID=<CLIENT_ID>
KEYCLOAK_CA_CERT_PATH=<PATH_TO_CA_CERTIFICATE>

minikube ssh sudo "mkdir -p /etc/ca-certificates"
minikube cp ${KEYCLOAK_CA_CERT_PATH} /etc/ca-certificates/keycloak-ca.crt

minikube start \
    --extra-config=apiserver.oidc-issuer-url=https://${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM} \
    --extra-config=apiserver.oidc-username-claim=email \
    --extra-config=apiserver.oidc-client-id=${KEYCLOAK_CLIENT_ID} \
    --extra-config=apiserver.oidc-ca-file=/etc/ca-certificates/keycloak-ca.crt

tolusha avatar Jul 22 '22 07:07 tolusha
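The two replies above fix different halves of the same chain: the CheCluster CR (CHE_OIDC_USERNAME__CLAIM, oAuthClientName) and the kube-apiserver OIDC flags must agree with each other and with what the Keycloak realm actually issues, otherwise the gateway keeps falling back to whatever provider the API server trusts (Dex here). The following added example, not code from the thread or from Eclipse Che, cross-checks those three sides offline: it parses the apiserver.* extra-config flags, compares them with the realm's discovery document and the decoded claims of an ID token (both constructed samples; the hostname, realm and client id are placeholders), and reports every inconsistency. One check it makes explicit is the issuer path difference visible in this thread (/auth/realms/<realm> in the earlier CR versus /realms/<realm> in the minikube command), since kube-apiserver matches the iss claim against --oidc-issuer-url literally.

```python
from urllib.parse import urlparse

def parse_extra_config(args):
    """Collect apiserver.* settings from 'minikube start --extra-config=...' arguments."""
    cfg = {}
    for arg in args:
        if arg.startswith("--extra-config=apiserver."):
            key, _, value = arg[len("--extra-config=apiserver."):].partition("=")
            cfg[key] = value
    return cfg

def check_oidc_config(cfg, discovery, claims, che_username_claim):
    """Return a list of inconsistencies; an empty list means all three sides agree.

    cfg: parsed apiserver flags; discovery: the realm's openid-configuration document
    (in practice fetched from <issuer>/.well-known/openid-configuration);
    claims: decoded ID-token payload; che_username_claim: CHE_OIDC_USERNAME__CLAIM.
    """
    problems = []
    issuer = cfg.get("oidc-issuer-url", "")
    if urlparse(issuer).scheme != "https":
        problems.append("oidc-issuer-url must be https")
    # kube-apiserver compares the token's iss claim with --oidc-issuer-url literally, so the
    # old /auth/realms/<realm> path and the newer /realms/<realm> path are different issuers.
    if discovery.get("issuer") != issuer or claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: apiserver={issuer!r} keycloak={discovery.get('issuer')!r}")
    claim = cfg.get("oidc-username-claim", "sub")
    if claim not in claims:
        problems.append(f"id_token lacks the username claim {claim!r}")
    if che_username_claim != claim:
        problems.append("CHE_OIDC_USERNAME__CLAIM differs from apiserver oidc-username-claim")
    aud = claims.get("aud", [])
    if cfg.get("oidc-client-id") not in ([aud] if isinstance(aud, str) else aud):
        problems.append("oidc-client-id is not in the id_token aud claim")
    return problems

# Constructed sample values: hostname, realm and client id are placeholders, not from the thread.
APISERVER_ARGS = [
    "--extra-config=apiserver.oidc-issuer-url=https://keycloak.example.test/realms/jhipster",
    "--extra-config=apiserver.oidc-username-claim=email",
    "--extra-config=apiserver.oidc-client-id=che-public",
    "--extra-config=apiserver.oidc-ca-file=/etc/ca-certificates/keycloak-ca.crt",
]
DISCOVERY_OK = {"issuer": "https://keycloak.example.test/realms/jhipster"}
DISCOVERY_OLD_PATH = {"issuer": "https://keycloak.example.test/auth/realms/jhipster"}
CLAIMS_OK = {"iss": DISCOVERY_OK["issuer"], "sub": "u1", "email": "user1@example.test", "aud": "che-public"}

def run_checks(discovery, claims, che_username_claim="email"):
    """Run the consistency check against the constructed apiserver flags above."""
    return check_oidc_config(parse_extra_config(APISERVER_ARGS), discovery, claims, che_username_claim)
```

Running `run_checks(DISCOVERY_OLD_PATH, CLAIMS_OK)` reproduces the issuer-path mismatch as a single finding, while the matching pair returns an empty list.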

Here is a doc explaining how to use external Keycloak with Eclipse Che https://www.eclipse.org/che/docs/stable/administration-guide/installing-che-on-minikube-keycloak-oidc/

tolusha avatar Sep 16 '22 06:09 tolusha