
Has anybody a recent Eclipse Che release (i.e. a release with release date in 2023 or 2024) up-and-running on Azure Cloud?

Open KTzerras opened this issue 11 months ago • 17 comments

Summary

I installed Eclipse Che on Azure by following the instructions under https://eclipse.dev/che/docs/stable/administration-guide/installing-che-on-microsoft-azure/ and expected that I would be able to start/log in to the IDE. This is not the case, since I receive the error message described below in this ticket.

After excessive research and trial and error attempts the problem could not be solved.

So I would like to know if installations of recent Eclipse Che releases (i.e. releases with release dates in 2023 or 2024) that are up-and-running on Azure and are successfully used for professional purposes exist out there at all.

REMARK: I am interested in the present, not in whether somebody managed to make it work in the past.

In other words, I am seeking evidence on whether Eclipse Che can be used on the Azure Cloud for professional purposes or not.

Thank you in advance

Relevant information

No response

KTzerras avatar Mar 06 '24 07:03 KTzerras

Hello @KTzerras I've recently validated the documentation. What kind of error do you have?

tolusha avatar Mar 06 '24 08:03 tolusha

We executed (as we believe 1:1) several instructions of page https://eclipse.dev/che/docs/stable/administration-guide/installing-che-on-microsoft-azure/

The only deviations we made were the following

a) instead of executing the following commands

AAD_GROUP_NAME=AKSAdmins

az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME

az ad signed-in-user show --query id --output tsv

az ad group member add --group $AAD_GROUP_NAME \
  --member-id $(az ad signed-in-user show --query id --output tsv)

we set up a user group named "SoMa Developers" via the Azure Portal, assigned 3 users to it and used the UUID of this user group in the command

az aks create \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME \
  --enable-aad \
  --aad-admin-group-object-ids <UUID of the user group "SoMa Developers"> \
  --generate-ssh-keys

b) Furthermore, we applied the following che-cluster-patch.yaml:

spec:
  networking:
    auth:
      identityProviderURL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXXX/v2.0/"
      identityToken: access_token
      oAuthClientName: 58affa1d-fdb7-4365-b9c1-XXXXXXXXXXX
      oAuthSecret: gKO8Q~aS~k6ryE3mzSMWXwKXXXXXXXXX-XXXXXXX
      oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
      gateway:
        deployment:
          containers:
          - env:
            - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
              value: "true"
            name: oauth-proxy
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXX/v2.0/"
        CHE_OIDC_EMAIL__CLAIM: unique_name

c) Furthermore, since in the documentation it was not clear what value we should put in the variable $ECLIPSE_CHE_APPLICATION_ID in the following command:

oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)

we decided to put the value that we received via the command

az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv

in the variable $ECLIPSE_CHE_APPLICATION_ID of the above command.

After successful deployment (no error message was reported) via the command

chectl server:deploy --platform=k8s --che-operator-cr-patch-yaml=che-cluster-patch.yaml --skip-oidc-provider-check --skip-cert-manager --domain=ide.software-machines.online

we navigated to the Che cluster instance via the command

chectl dashboard:open

and received 500 Internal Server Error in the Browser and in the log file we received the errors contained in the attachment che-gateway_log-file-excerpt

REMARK: While trying to resolve this error we also executed again the command

oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)

but by putting this time the value that we received via the command

az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv

as you had suggested to us in the Ticket https://github.com/eclipse/che/issues/22849

This though did not solve the problem.

Thank you in advance for any advice

KTzerras avatar Mar 06 '24 10:03 KTzerras

Let me try to replicate it.

tolusha avatar Mar 06 '24 10:03 tolusha

I created a group, added a new user to it (as you described). Then I followed the documentation and deployed Eclipse Che on AKS

tolusha avatar Mar 06 '24 11:03 tolusha

Screenshot from 2024-03-06 12-37-24

tolusha avatar Mar 06 '24 11:03 tolusha

Hello @tolusha, this is good news! Just 2 questions:

  1. Was the che-cluster-patch.yaml you used equivalent to the one we used (c.f. b) above)?
  2. Did you use az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv or az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv as a value for the variable $ECLIPSE_CHE_APPLICATION_ID (c.f. c) above)?

KTzerras avatar Mar 06 '24 12:03 KTzerras

I used the one from [1], it was id.

[1] https://eclipse.dev/che/docs/next/administration-guide/installing-che-on-microsoft-azure/#installing-che-on-microsoft-azure-kubernetes-service

tolusha avatar Mar 06 '24 14:03 tolusha

@KTzerras I've also set it up in the last month. Worked fine for me.

maheshrajrp avatar Mar 08 '24 04:03 maheshrajrp

Thanks for your quick response @tolusha and @maheshrajrp
I am a colleague of @KTzerras and speaking on his behalf.

After receiving your suggestions that everything was functioning properly, we are attempting a clean installation from scratch and have reached the stage where we need to declare our domain name.

DomainName1

We already have a registered domain (it looks like “ultraXXXX.cloud”) and of course all of its subdomains. In our previous installation, we declared the domain variables as shown below: DOMAIN_NAME="ultraXXXX.cloud"

DomainName2 DomainName3 DomainName4 DomainName5

The only exception was when executing the chectl server deploy command where in the equivalent field we were using “che.ultraXXXX.cloud”

DomainName6

To clarify, in your installations, how did you declare the DOMAIN_NAME fields?

Thank you in advance

NickLagogiannis avatar Mar 14 '24 11:03 NickLagogiannis

Hello, @NickLagogiannis In my case it was DOMAIN_NAME=eclipse-che-<...>.site for all steps. So, using che.<..>.cloud might be a culprit.

tolusha avatar Mar 15 '24 07:03 tolusha

Hi @NickLagogiannis , mine was similar to dev.example.club.

maheshrajrp avatar Mar 18 '24 13:03 maheshrajrp

Thanks for your reply,

We tried to make a clean installation again using the same domain name in each field. We followed the installation guide again step by step, with the addition of an extra DNS record set using the symbol "@".

We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.

After following the guide again until the end, we are still experiencing the same issue internal server error and the log files of oauth proxy are the same.

I am attaching a document containing every step I have followed in order to delete and make a clean installation with its equivalent responses. Do you have any suggestions or observations that could help us fix this issue?

Eclipse-Che_Installation_Detailed_Actions.pdf

Thank you very much for your time.

NickLagogiannis avatar Mar 26 '24 10:03 NickLagogiannis

@NickLagogiannis Let me prepare some video guide, I hope it will help to identify issues.

tolusha avatar Mar 26 '24 16:03 tolusha

Hello Anatoli,

Thank you for your support, we are really clueless on how to proceed after having tried at least 3 times now to execute the instructions without success.

We are looking forward to your video guide.

With best regards

Kostas & Nikos


KTzerras avatar Mar 26 '24 16:03 KTzerras

Hello, @KTzerras Unfortunately I have second thoughts about recording a video. It might reveal some sensitive data during recording.

> We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.

I had to add 2 DNS record sets, * and @, as well, but only for my registrar.

I went through the uploaded documentation and I didn't see that you replicated the _acme-challenge record. Could you print the error you had one more time, because I can barely see it in the attachment.

tolusha avatar Mar 28 '24 14:03 tolusha

Hello @tolusha, Sure, this is the output of the command after error 500 occurs:

kubectl logs -n eclipse-che -l component=che-gateway -c oauth-proxy

10.244.4.8:54862 - bdd679579037615aaa9ec32faa3464a1 - - [2024/03/29 10:40:32] software-machines.online GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 173 0.015
10.244.4.8:54862 - 6e261b7f98965dcb6cd5d653bd2d889f - - [2024/03/29 10:40:33] software-machines.online GET / "/dashboard/static/preload/accept-factory-link.js" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 10964 0.002
[2024/03/29 10:40:33] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 65bcaf6f86f4fc09c9143554be98289b - - [2024/03/29 10:40:33] software-machines.online GET - "/dashboard/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 430 0.000
[2024/03/29 10:40:34] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:34","request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5","client-request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5"}}}
10.244.4.8:54862 - 742562785ab04d57a928a09bc5274ce3 - - [2024/03/29 10:40:34] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P8uTMryZSzFA7xYG1Dq03eRECJ-kLEskKKCmjxRW7hu4ZNHILWUda12-mV5f5KYbZqKiiZTL1Vb7Dr0V8sQmPTXwQNHwj_tOuWB4ZxsoSS9nG53YjphZIbfYquPLvFfhV_7ZxZct0WYdobaIuJYfrj2OXKc1Ju-YPsxqCVrflXYTrxWbeaaky1uK7SKVl_Dt-mRfR8dBhf7ldQcCm8_xA2xX9_mQCqzXa5APYeuGWpINgLLy8lc5-pk5PTz5j97aajAbPX1XcJw55bngl2giHJ-hnA9X1H2Vj3JZWqWh8fpXtcGd2RdWb-_uMiKSvndWoBO2rmDPvGDH7O79nxt_fOARUPO60yFfPsNSgFMRd7hd8EBlCd2T4ckDw0UL6XiZisd0sa3nh6pJx-BYkz7esIgqDE6UstpNBNcv6VvLMVU4BpBFkaBfPlH1di-g2WrMSIHsAavxKW0jL5rcXHf7cMp8LDIuBgWLdbpi3rMvCTeIwNs2Pu9cB2v9Q5kfSRWB3LWLC4_OR2HauSbU4h3X3fn8YWspRUdOecFEfzlrP3dRNyV5-rLau3fcjrAyOzVy6m59gX0PhmpVqwYgis4LjYqMA-8FshZX6z_cxAF9mpOIQATTfhy9-N8bA1FBxOPSCE4dohhwX_shqGMaWLmQnmEEeLqoXwyhAsUjyCmprGjUV6X0kePK8ZgwV5OsL6hQbZaFAbTiAcqo8uELVcBBY1G3QZnkwVc1QkQV8yPrxytJbWOAFmpbyImcdfVKARWYwT32SgmzkWt5WxBwzLi&state=UCHJp8QCmRsuE_o4mdP8Bz2Em5BYl_xF7NAMUzLksBE%3a%2fdashboard%2f&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.481
[2024/03/29 10:40:34] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 1e176b3f437081ef51c109f21142fd03 - - [2024/03/29 10:40:34] software-machines.online GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 429 0.000
[2024/03/29 10:40:35] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:35","request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0","client-request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0"}}}
10.244.4.8:54862 - 13260d714368eb1a9773862d351c4198 - - [2024/03/29 10:40:35] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P_xq1r5XgsPIOPVHQ-ki_HmTy9T5gnLfJaRFV8wL6VaJRyufms5mQItLmnltNHrcYvie6ZdUXmFIPBWXzyAhRWZ4-Fd5-KuaWx70ZCqcriet_dJieKOTay48TjirIcoxs8vYUOzRst-PG5SlbcO6UmrSjJjchX8JpCaNX6SOtUfzoQ2G54ZGO811Q5P2kMRww3vXr0ZAUXWNpIuliDpOiY9Q5meDq95txwLiSaTr2NdSfma8fB6A77OnNTrhlxCHBDrWxBCXXITqRbh8reirsV6DwH5uUAYgF6J4ASsymMv93TtTufGw4o94L-f7HzEHEC-yWTnFfMeRPLvvg-MFd5UToSwKYEVv_vgR_e94x0BXcsPqlJhjYQa_P97Z12rhG49OJMn7dkolzwNfJLuDNHm0Cxr3ERE2MEUdIAsIMkVG2XEOMHS3SZRITyUibT7KoTDuDiC1N91Sw58Eh2-lsqQsPeK2KrNJjjMdNM18Y1ZqAl1ycOq5Apw8oj9Q2npmFKZiH7THDQbxP1uQWV21Vt2nFGgIERI-VMy9s1K5R-cO2L0PuSx3LnJ9mJv8H8CUp7JmAvEPPHLh7FCfw1-sYVzRdoU3j3A8p4af6VQK0Afe-0gVYdK1-Qt0SAdOJCTadyHdnd4Tb5uU79uonvj7yXoG4EkuIPk38G8UEbLSetJB5EeV0mz_e7k6dUlaDuLTy-wwyK6uM84I-RKWJAylBYjSe_rIusjy5hNHHdmM01y-dhhqg11sZwDJOxiOPV0dl1LqC_Qk9lTfJiV&state=m71pv4lD6g8P0u-SRv2ZBmHMcrxVZT4zc1pmgohG6gk%3a%2ffavicon.ico&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.149

I am uploading it again also as a screenshot:

Screenshot_1

Screenshot_2

NickLagogiannis avatar Mar 29 '24 10:03 NickLagogiannis
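An added diagnostic, not part of the original thread and not Che or oauth-proxy code: the log above shows the proxy failing to get an `email` claim and then being rejected at the profile URL with `Invalid audience`. This script decodes (without verifying) an ID token and an access token and reports both conditions. The tokens are constructed samples; the Microsoft Graph audience values, the assumption that the profile URL is Microsoft Graph, and the function names are assumptions.

```python
import base64
import json

# Assumption: audience values accepted by Microsoft Graph (resource URI and app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(id_token: str, access_token: str, email_claim: str = "email") -> list:
    """Return findings that match the two failures visible in the proxy log."""
    findings = []
    id_claims, access_claims = jwt_claims(id_token), jwt_claims(access_token)
    if not id_claims.get(email_claim):
        findings.append(f"id_token has no '{email_claim}' claim; "
                        "the proxy has to ask the profile URL for it")
    aud = access_claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & GRAPH_AUDIENCES:
        findings.append(f"access_token aud={aud!r} is not Microsoft Graph; "
                        "a Graph profile URL answers 401 'Invalid audience'")
    return findings


def fake_jwt(claims: dict) -> str:
    """Build an unsigned token for the demo; hypothetical helper, never use for auth."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples. The aud value is the resource ID from the oAuthScope in the
# che-cluster-patch.yaml quoted earlier in the thread; everything else is made up.
SAMPLE_ID = fake_jwt({"iss": "https://sts.windows.net/TENANT/", "unique_name": "dev@example.com"})
SAMPLE_ACCESS = fake_jwt({"aud": "6dae42f8-4368-4678-94ff-3960e28e3630", "scp": "user.read"})

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ID, SAMPLE_ACCESS):
        print(finding)
```

Run it against tokens captured from your own test login only; the payload is decoded without signature verification, so the output is for troubleshooting and not an authorization decision.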

@NickLagogiannis Just a suggestion, might be an entirely different approach, but might help with the blame game.

In my case, I completely skipped Azure DNS, and used a typical A record (I use porkbun DNS). Ignored the cert-manager, and used Che's default inbuilt cert-manager and it worked like a charm.

Edit: Used an ingress-controller external IP for DNS.

maheshrajrp avatar Mar 30 '24 02:03 maheshrajrp

We gave it up: Installing EclipseChe on Azure is a Sisyphus task. We successfully moved to Eclipse Theia. Nevertheless thank you very much for your support :-)

KTzerras avatar May 23 '24 15:05 KTzerras