From db06e09472bd13b583b228dc71f543e5333936c8 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 27 Nov 2024 15:03:28 +0100 Subject: [PATCH 01/12] feat: Installing che on EKS Signed-off-by: Anatolii Bazko --- antora.yml | 2 + .../examples/snip_che-installing-che.adoc | 1 + modules/administration-guide/nav.adoc | 1 + .../pages/installing-che-in-the-cloud.adoc | 1 + ...-on-amazon-elastic-kubernetes-service.adoc | 35 ++++ ...for-amazon-elastic-kubernetes-service.adoc | 39 ++++ ...-on-amazon-elastic-kubernetes-service.adoc | 113 +++++++++++ ...-on-amazon-elastic-kubernetes-service.adoc | 174 +++++++++++++++++ ...-on-amazon-elastic-kubernetes-service.adoc | 24 +++ ...-on-amazon-elastic-kubernetes-service.adoc | 55 ++++++ ...on-microsoft-azure-kubernetes-service.adoc | 1 - ...-on-amazon-elastic-kubernetes-service.adoc | 62 ++++++ ...-on-amazon-elastic-kubernetes-service.adoc | 182 ++++++++++++++++++ 13 files changed, 689 insertions(+), 1 deletion(-) create mode 100644 modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc create mode 100644 modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc 
diff --git a/antora.yml b/antora.yml index 381325d054..338c776f52 100644 --- a/antora.yml +++ b/antora.yml @@ -110,6 +110,8 @@ asciidoc: theia-endpoint-image: eclipse/che-theia-endpoint-runtime:next editor-definition-samples-link: link:https://github.com/eclipse-che/che-operator/tree/main/editors-definitions[Editors definitions samples] devfile-api-version: 2.3.0 + eks: Amazon Elastic Kubernetes Service + eks-short: Amazon EKS ext: collector: - run: diff --git a/modules/administration-guide/examples/snip_che-installing-che.adoc b/modules/administration-guide/examples/snip_che-installing-che.adoc index 8a360e1f3a..8228f6048d 100644 --- a/modules/administration-guide/examples/snip_che-installing-che.adoc +++ b/modules/administration-guide/examples/snip_che-installing-che.adoc @@ -14,6 +14,7 @@ You can deploy only one instance of {prod-short} per cluster. * xref:installing-che-on-openshift-using-the-web-console.adoc[] * xref:installing-che-in-a-restricted-environment.adoc[] * xref:installing-che-on-microsoft-azure.adoc[] +* xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] .Installing {prod-short} on a local single-node cluster diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index a85fcb205c..7f312c2de0 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -21,6 +21,7 @@ *** xref:installing-che-on-openshift-using-the-web-console.adoc[] *** xref:installing-che-in-a-restricted-environment.adoc[] *** xref:installing-che-on-microsoft-azure.adoc[] +*** xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] ** xref:installing-che-locally.adoc[] *** xref:installing-che-on-red-hat-openshift-local.adoc[] *** xref:installing-che-on-minikube.adoc[] diff --git a/modules/administration-guide/pages/installing-che-in-the-cloud.adoc b/modules/administration-guide/pages/installing-che-in-the-cloud.adoc index 24cc78d858..7f934307fd 100644 
--- a/modules/administration-guide/pages/installing-che-in-the-cloud.adoc +++ b/modules/administration-guide/pages/installing-che-in-the-cloud.adoc @@ -22,3 +22,4 @@ Follow the instructions below to start the {prod-short} Server in the cloud by u * xref:installing-che-on-openshift-using-the-web-console.adoc[] * xref:installing-che-in-a-restricted-environment.adoc[] * xref:installing-che-on-microsoft-azure.adoc[] +* xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] diff --git a/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..a2fa7392b9 --- /dev/null +++ b/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc 
@@ -0,0 +1,35 @@
+:_content-type: ASSEMBLY
+:description: Installing {prod-short} on {eks}
+:keywords: overview, installing-{prod-id-short}-on-amazon-elastic-kubernetes-service.adoc
+:navtitle: Installing {prod-short} on {eks}
+
+[id="installing-{prod-id-short}-on-amazon-elastic-kubernetes-service.adoc"]
+= Installing {prod-short} on {eks}
+
+{eks} (Amazon EKS) is a managed {kubernetes} service to run {kubernetes} in the AWS cloud and on-premises data centers.
+
+Follow the instructions below to install and enable {prod-short} on {eks-short}.
+
+.Prerequisites
+
+* `helm`: The package manager for {kubernetes}. See: link:https://helm.sh/docs/intro/install/[Installing Helm].
+
+* `{prod-cli}`. See: xref:installing-the-chectl-management-tool.adoc[].
+
+* `aws`: The AWS Command Line Interface. See: link:https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html[AWS CLI install and update instructions]
+
+* `eksctl`: The Command Line Interface for creating and managing {kubernetes} clusters on {eks-short}. See: link:https://eksctl.io/installation/[Installing eksctl]
+
+include::partial$configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
+
+include::partial$proc_installing-che-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc
new file mode 100644
index 0000000000..2a21934fda
--- /dev/null
+++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc
@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service
+
+[id="configuring-environment-variables-for-amazon-elastic-kubernetes-service"]
+= Configuring environment variables for {eks-short}
+
+Follow this guide to define environment variables and update your `kubeconfig` to connect to {eks-short}.
+
+.Prerequisites
+
+* Amazon EKS cluster. See: link:https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html[Create an Amazon EKS cluster]
+
+.Procedure
+
+. Define the cluster name:
++
+[source,subs="attributes+"]
+----
+CHE_EKS_CLUSTER_NAME=che
+----
+
+. Define the region:
++
+[source,subs="attributes+"]
+----
+CHE_EKS_CLUSTER_REGION=eu-central-1
+----
+
+. Update `kubeconfig`:
++
+[source,subs="attributes+"]
+----
+aws eks update-kubeconfig --region $CHE_EKS_CLUSTER_REGION --name $CHE_EKS_CLUSTER_NAME
+----
+
+.Additional resources
+
+* link:https://aws.amazon.com/eks/[{eks}]
diff --git a/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc
new file mode 100644
index 0000000000..01954ff507
--- /dev/null
+++ b/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc
@@ -0,0 +1,113 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service + +[id="configuring-DNS-on-amazon-elastic-kubernetes-service"] += Configuring DNS on {eks-short} + +Configure DNS on {eks-short}. + +.Prerequisites + +* A registered domain. See: link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html[Registering a new domain on {eks-short}]. + +.Procedure + +. Define the previously registered domain name: ++ +[source,shell] +---- +DOMAIN_NAME=eclipse-che-eks-clould.click +---- + +. Define domain name for Keycloak OIDC provider: ++ +[source,shell] +---- +KEYCLOAK_DOMAIN_NAME=keycloak.$DOMAIN_NAME +---- + +. Find out the hosted zone ID for the domain: ++ +[source,shell] +---- +HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text) +---- + +. Find out the Canonical Hosted Zone ID for the load balancer: ++ +[source,shell] +---- +CANONICAL_HOSTED_ZONE_ID=$(aws elbv2 describe-load-balancers --query "LoadBalancers[0].CanonicalHostedZoneId" --output text) +---- + +. Find out the DNS name for the load balancer: ++ +[source,shell] +---- +DNS_NAME=$({orch-cli} get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}') +---- + +. Create a DNS record set: ++ +[source,subs="attributes+"] +---- +aws route53 change-resource-record-sets \ + --hosted-zone-id $HOSTED_ZONE_ID \ + --change-batch ' + { + "Comment": "Ceating a record set", + "Changes": [{ + "Action" : "CREATE", + "ResourceRecordSet" : { + "Name" : "'"$DOMAIN_NAME"'", + "Type" : "A", + "AliasTarget" : { + "HostedZoneId" : "'"$CANONICAL_HOSTED_ZONE_ID"'", + "DNSName" : "'"$DNS_NAME"'", + "EvaluateTargetHealth" : false + } + } + }] + } + ' +---- + +. Verify that you can access the domain externally: ++ +[source,subs="attributes+"] +---- +until curl $DOMAIN_NAME; do sleep 5s; done +---- + +. 
Create a DNS record set: ++ +[source,subs="attributes+"] +---- +aws route53 change-resource-record-sets \ + --hosted-zone-id $HOSTED_ZONE_ID \ + --change-batch ' + { + "Comment": "Ceating a record set", + "Changes": [{ + "Action" : "CREATE", + "ResourceRecordSet" : { + "Name" : "'"KEYCLOAK_DOMAIN_NAME"'", + "Type" : "A", + "AliasTarget" : { + "HostedZoneId" : "'"$CANONICAL_HOSTED_ZONE_ID"'", + "DNSName" : "'"$DNS_NAME"'", + "EvaluateTargetHealth" : false + } + } + }] + } + ' +---- + +. Verify that you can access the Keycloak domain externally: ++ +[source,subs="attributes+"] +---- +until curl $KEYCLOAK_DOMAIN_NAME; do sleep 5s; done +---- \ No newline at end of file diff --git a/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..7dea1719ce --- /dev/null +++ b/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc 
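Review bot: The `CANONICAL_HOSTED_ZONE_ID` step reads `LoadBalancers[0]` from `aws elbv2 describe-load-balancers`, which is just the first load balancer returned for the account and region, not necessarily the one in front of ingress-nginx. In an account with more than one load balancer, both alias records (the Che name and the Keycloak name) can be built with a zone ID that does not belong to `$DNS_NAME`. Resolve `DNS_NAME` first and select by it, for example `--query "LoadBalancers[?DNSName=='$DNS_NAME'].CanonicalHostedZoneId | [0]"`. The `aws elbv2` call also omits `--region`, so it silently depends on the CLI default matching `$CHE_EKS_CLUSTER_REGION`; adding `--region $CHE_EKS_CLUSTER_REGION` makes that explicit.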
@@ -0,0 +1,174 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service + +[id="creating-lets-encrypt-certificate-for-{prod-id-short}-on-amazon-elastic-kubernetes-service"] += Creating Let's Encrypt certificate for {prod-short} on {eks-short} + +Follow these instructions to create a Let's Encrypt certificate for {prod-short} on {eks-short}. + +.Procedure + +. Create an IAM OIDC provider: ++ +[source,subs="attributes+"] +---- +eksctl utils associate-iam-oidc-provider --cluster $CHE_EKS_CLUSTER_NAME --approve +---- + +. Create a service principal: ++ +[source,subs="attributes+"] +---- +aws iam create-policy \ + --policy-name cert-manager-acme-dns01-route53 \ + --description "This policy allows cert-manager to manage ACME DNS01 records in Route53 hosted zones. See https://cert-manager.io/docs/configuration/acme/dns01/route53" \ + --policy-document file:///dev/stdin <__ <1> + privateKeySecretRef: + name: {prod-id-short}-letsencrypt-production + solvers: + - dns01: + route53: + region: $CHE_EKS_CLUSTER_REGION + role: arn:aws:iam::$\{AWS_ACCOUNT_ID}:role/cert-manager-acme-dns01-route53 + auth: + kubernetes: + serviceAccountRef: + name: cert-manager-acme-dns01-route53 +EOF +---- +<1> Replace `____` with your email address. + +. Create the {prod-namespace} namespace: ++ +[source,subs="attributes+"] +---- +{orch-cli} create namespace {prod-namespace} +---- + +. Create the Certificate: ++ +[source,subs="+attributes,+quotes"] +---- +{orch-cli} apply -f - << EOF +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: che-tls + namespace: {prod-namespace} +spec: + secretName: che-tls + issuerRef: + name: {prod-id-short}-letsencrypt + kind: ClusterIssuer + commonName: '$DOMAIN_NAME' + dnsNames: + - '$DOMAIN_NAME' + - '*.$DOMAIN_NAME' + usages: + - server auth + - digital signature + - key encipherment + - key agreement + - data encipherment +EOF +---- + +. 
Wait for the `che-tls` secret to be created: ++ +[source,subs="attributes+"] +---- +until {orch-cli} get secret -n {prod-namespace} che-tls; do sleep 5s; done +---- + +.Additional resources + +* link:https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/[cert-manager Installation Guide] + + diff --git a/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..baf85c63fb --- /dev/null +++ b/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc @@ -0,0 +1,24 @@ +[id="installing-cert-manager-on-amazon-elastic-kubernetes-service"] += Installing cert-manager on {eks-short} + +Use the following instructions to install the link:https://cert-manager.io[cert-manager] on {eks-short}. + +.Procedure + +. Install `cert-manager` using `Helm`: ++ +[source,subs="attributes+"] +---- +helm repo add jetstack https://charts.jetstack.io +helm repo update + +helm install cert-manager jetstack/cert-manager \ + --wait \ + --create-namespace \ + --namespace cert-manager \ + --set crds.enabled=true +---- + +.Additional resources + +* link:https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/[cert-manager Installation Guide] diff --git a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..532720959e --- /dev/null +++ b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc 
@@ -0,0 +1,55 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service + +[id="installing-che-on-amazon-elastic-kubernetes-service"] += Installing {prod-short} on {eks-short} + +Follow these instructions to install {prod-short} on {eks-short}. + +.Procedure + +. Prepare a CheCluster patch YAML file: ++ +[source,shell,subs="attributes+"] +---- +cat > che-cluster-patch.yaml << EOF +spec: + networking: + auth: + oAuthClientName: k8s-client + oAuthSecret: eclipse-che + identityProviderURL: "https://$KEYCLOAK_HOST/realms/che" + gateway: + oAuthProxy: + cookieExpireSeconds: 300 + deployment: + containers: + - env: + - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL + value: "http://$KEYCLOAK_HOST/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}" + name: oauth-proxy + components: + cheServer: + extraProperties: + CHE_OIDC_EMAIL__CLAIM: email +EOF +---- + +. Deploy {prod-short}: ++ +[source,subs="attributes+"] +---- +{prod-cli} server:deploy \ + --platform k8s \ + --domain $DOMAIN_NAME \ + --che-operator-cr-patch-yaml che-patch.yaml \ + --skip-cert-manager +---- + +. Navigate to the {prod-short} cluster instance: ++ +[subs="+attributes,+quotes"] +---- +{prod-cli} dashboard:open +---- diff --git a/modules/administration-guide/partials/proc_installing-che-on-microsoft-azure-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-microsoft-azure-kubernetes-service.adoc index 62fb692f9c..009f1cef9f 100644 --- a/modules/administration-guide/partials/proc_installing-che-on-microsoft-azure-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-che-on-microsoft-azure-kubernetes-service.adoc @@ -44,7 +44,6 @@ EOF chectl server:deploy \ --platform=k8s \ --che-operator-cr-patch-yaml=che-cluster-patch.yaml \ - --skip-oidc-provider-check \ --skip-cert-manager \ --domain=$DOMAIN_NAME ---- 
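Review bot: `OAUTH2_PROXY_BACKEND_LOGOUT_URL` is set to an `http://$KEYCLOAK_HOST/...` address while `identityProviderURL` a few keys above uses `https://`, so the backend logout request would carry `id_token_hint` in a query string over cleartext HTTP, or depend on an ingress redirect; the value should start with `https://` like the issuer URL. In the same new file the heredoc writes `che-cluster-patch.yaml` but the deploy step passes `--che-operator-cr-patch-yaml che-patch.yaml`, so as written the OIDC settings are either not applied or the command fails on a missing file; it should read `--che-operator-cr-patch-yaml che-cluster-patch.yaml`. Both lines are carried through the later fixup hunks for this file with only the variable name changed. `oAuthSecret: eclipse-che` looks like a fixed sample value that presumably has to match the Keycloak client, so a callout telling readers to substitute their own value would help.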
diff --git a/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..ff01b40c57 --- /dev/null +++ b/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc 
@@ -0,0 +1,62 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service + +[id="installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service"] += Installing Ingress-Nginx Controller on {eks-short} + +Use the following instructions to install the link:https://kubernetes.github.io/ingress-nginx/[Ingress-Nginx Controller] on {eks-short}. + +.Procedure + +. Install the `Ingress-Nginx Controller` using `Helm`: ++ +[source,subs="attributes+"] +---- +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update + +helm install ingress-nginx ingress-nginx/ingress-nginx \ + --wait \ + --create-namespace \ + --namespace ingress-nginx \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol"=tcp \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"=nlb +---- + +. Wait for the external IP: ++ +[source,subs="attributes+"] +---- +{orch-cli} get services ingress-nginx-controller --namespace ingress-nginx +---- +The output will be similar to: ++ +[source,subs="attributes+"] +---- +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +ingress-nginx-controller LoadBalancer 10.0.65.52 XXX.elb.amazonaws.com 80:32711/TCP,443:31294/TCP 75s +---- +. Verify that you can access the load balancer externally: ++ +[source,subs="attributes+"] +---- +until curl $({orch-cli} get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}'); do sleep 5s; done +---- +You should receive the output similar to: ++ +[source,html,subs="attributes+"] +---- + +404 Not Found + +

404 Not Found

+
nginx
+ + +---- + +.Additional resources + +* link:https://kubernetes.github.io/ingress-nginx/deploy/[Ingress-Nginx Controller Installation Guide] \ No newline at end of file diff --git a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..9bc42038ee --- /dev/null +++ b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc @@ -0,0 +1,182 @@ +[id="installing-keycloak-on-amazon-elastic-kubernetes-service"] += Installing Keycloak on {eks} + +Learn how to install https://www.keycloak.org/[Keycloak] as the OpenID Connect (OIDC) provider. + +.Procedure + +. Define Keycloak host name: ++ +[source,subs="+attributes"] +---- +KEYCLOAK_HOST=keycloak.$DOMAIN_NAME +---- + +. Install Keycloak: ++ +IMPORTANT: While this guide provides a development configuration for deploying Keycloak on {kubernetes}, keep in mind that production environments require different settings, for instance configuring external databases. ++ +[source,subs="+attributes"] +---- +{orch-cli} apply -f - < Date: Wed, 27 Nov 2024 15:28:59 +0100 Subject: [PATCH 02/12] Fixup Signed-off-by: Anatolii Bazko --- ...-on-amazon-elastic-kubernetes-service.adoc | 2 ++ ...-on-amazon-elastic-kubernetes-service.adoc | 35 +++++++++++++++++++ ...-on-amazon-elastic-kubernetes-service.adoc | 4 +-- ...-on-amazon-elastic-kubernetes-service.adoc | 10 +++--- 4 files changed, 44 insertions(+), 7 deletions(-) create mode 100644 modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc diff --git a/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc index a2fa7392b9..55ff4ccc21 100644 
--- a/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/pages/installing-che-on-amazon-elastic-kubernetes-service.adoc @@ -32,4 +32,6 @@ include::partial$proc_creating-lets-encrypt-certificate-for-che-on-amazon-elasti include::partial$proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1] +include::partial$proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1] + include::partial$proc_installing-che-on-amazon-elastic-kubernetes-service.adoc[leveloffset=+1] \ No newline at end of file diff --git a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc new file mode 100644 index 0000000000..60a58a77b4 --- /dev/null +++ b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc 
@@ -0,0 +1,35 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-on-amazon-elastic-kubernetes-service + +[id="associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service"] += Associate keycloak as OIDC identity provider on {eks-short} + +Follow these instructions to associate Keycloak an OIDC identity provider on {eks-short}. + +.Procedure + +. Associate an identity provider using `eksctl`: ++ +[source,shell,subs="attributes+"] +---- +eksctl associate identityprovider \ + --cluster $CHE_EKS_CLUSTER_NAME \ + --region $CHE_EKS_CLUSTER_REGION \ + --wait \ + --config-file - << EOF +--- +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +identityProviders: + - name: my-provider + type: oidc + issuerUrl: https://$KEYCLOAK_DOMAIN/realms/che + clientId: k8s-client + usernameClaim: email +EOF +---- + +.Additional resources + +* link:https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html[Grant users access to {kubernetes} with an external OIDC provider] \ No newline at end of file diff --git a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc index 532720959e..eba0608b1b 100644 --- a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc @@ -19,7 +19,7 @@ spec: auth: oAuthClientName: k8s-client oAuthSecret: eclipse-che - identityProviderURL: "https://$KEYCLOAK_HOST/realms/che" + identityProviderURL: "https://$KEYCLOAK_DOMAIN/realms/che" gateway: oAuthProxy: cookieExpireSeconds: 300 
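Review bot: `usernameClaim: email` in the new identity-provider procedure makes the Kubernetes user name whatever e-mail address the Keycloak `che` realm places in the token, and the text does not say how that address is controlled. If the realm allows self-registration or lets users change their own address without verification, the cluster identity is effectively user-chosen; whether that applies depends on the realm settings, which are not visible in this hunk. I would add an admonition after the code block along the lines of `NOTE: Cluster user names come from the email claim; require verified e-mail addresses and restrict who can change them in the che realm.` It is also worth stating whether a `usernamePrefix` is intentionally left unset, since RBAC bindings created later have to match the exact resulting user name.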
@@ -27,7 +27,7 @@ spec: containers: - env: - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL - value: "http://$KEYCLOAK_HOST/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}" + value: "http://$KEYCLOAK_DOMAIN/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}" name: oauth-proxy components: cheServer: diff --git a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc index 9bc42038ee..bc17c891ea 100644 --- a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc @@ -9,7 +9,7 @@ Learn how to install https://www.keycloak.org/[Keycloak] as the OpenID Connect ( + [source,subs="+attributes"] ---- -KEYCLOAK_HOST=keycloak.$DOMAIN_NAME +KEYCLOAK_DOMAIN=keycloak.$DOMAIN_NAME ---- . Install Keycloak: @@ -37,9 +37,9 @@ spec: issuerRef: name: che-letsencrypt kind: ClusterIssuer - commonName: '$KEYCLOAK_HOST' + commonName: '$KEYCLOAK_DOMAIN' dnsNames: - - '$KEYCLOAK_HOST' + - '$KEYCLOAK_DOMAIN' usages: - server auth - digital signature @@ -112,10 +112,10 @@ spec: ingressClassName: nginx tls: - hosts: - - $KEYCLOAK_HOST + - $KEYCLOAK_DOMAIN secretName: keycloak.tls rules: - - host: $KEYCLOAK_HOST + - host: $KEYCLOAK_DOMAIN http: paths: - path: / From 18fb6568ca0098c3d767c6a926184e09e48ab67a Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 27 Nov 2024 15:41:53 +0100 Subject: [PATCH 03/12] Fixup Signed-off-by: Anatolii Bazko --- ...-identity-provider-on-amazon-elastic-kubernetes-service.adoc | 2 +- ...nstalling-keycloak-on-amazon-elastic-kubernetes-service.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc index 60a58a77b4..a783df0e00 100644 --- a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc @@ -22,7 +22,7 @@ eksctl associate identityprovider \ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig identityProviders: - - name: my-provider + - name: {prod-id-short}-oidc type: oidc issuerUrl: https://$KEYCLOAK_DOMAIN/realms/che clientId: k8s-client diff --git a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc index bc17c891ea..9b6dbeccf8 100644 --- a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc @@ -14,7 +14,7 @@ KEYCLOAK_DOMAIN=keycloak.$DOMAIN_NAME . Install Keycloak: + -IMPORTANT: While this guide provides a development configuration for deploying Keycloak on {kubernetes}, keep in mind that production environments require different settings, for instance configuring external databases. +IMPORTANT: While this guide provides a development configuration for deploying Keycloak on {kubernetes}, remember that production environments require different settings, for instance configuring external databases. + [source,subs="+attributes"] ---- From c6d593ab6b4d97d1d72904d1798b631f2ce59578 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Thu, 28 Nov 2024 10:38:40 +0100 Subject: [PATCH 04/12] Fixup Signed-off-by: Anatolii Bazko --- ...for-amazon-elastic-kubernetes-service.adoc | 9 +++++- ...-on-amazon-elastic-kubernetes-service.adoc | 9 +++--- ...-on-amazon-elastic-kubernetes-service.adoc | 28 +++++++++---------- ...-on-amazon-elastic-kubernetes-service.adoc | 8 ++---- ...-on-amazon-elastic-kubernetes-service.adoc | 2 +- ...-on-amazon-elastic-kubernetes-service.adoc | 6 ++-- ...-on-amazon-elastic-kubernetes-service.adoc | 18 ++---------- ...-on-amazon-elastic-kubernetes-service.adoc | 17 ++++------- 8 files changed, 42 insertions(+), 55 deletions(-) diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc index 2a21934fda..801f19f681 100644 --- a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc @@ -5,7 +5,7 @@ [id="configuring-environment-variables-for-amazon-elastic-kubernetes-service"] = Configuring environment variables for {eks-short} -Follow this guide to define environment variables and update your `kubeconfig` to connect to {eks-short}. +Follow these instructions to define environment variables and update your `kubeconfig` to connect to {eks-short}. .Prerequisites @@ -13,6 +13,13 @@ Follow this guide to define environment variables and update your `kubeconfig` t .Procedure +. Find the AWS account ID: ++ +[source,subs="attributes+"] +---- +AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) +---- + . Define the cluster name: + [source,subs="attributes+"] 
diff --git a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc index a783df0e00..c5467f6610 100644 --- a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc @@ -9,22 +9,23 @@ Follow these instructions to associate Keycloak an OIDC identity provider on {ek .Procedure -. Associate an identity provider using `eksctl`: +. Associate Keycloak an identity provider using `eksctl`: + [source,shell,subs="attributes+"] ---- eksctl associate identityprovider \ - --cluster $CHE_EKS_CLUSTER_NAME \ - --region $CHE_EKS_CLUSTER_REGION \ --wait \ --config-file - << EOF --- apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig +metadata: + name: $CHE_EKS_CLUSTER_NAME + region: $CHE_EKS_CLUSTER_REGION identityProviders: - name: {prod-id-short}-oidc type: oidc - issuerUrl: https://$KEYCLOAK_DOMAIN/realms/che + issuerUrl: https://$KEYCLOAK_DOMAIN_NAME/realms/che clientId: k8s-client usernameClaim: email EOF diff --git a/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc index 01954ff507..1349bb647f 100644 --- a/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_configuring-dns-on-amazon-elastic-kubernetes-service.adoc 
@@ -5,7 +5,7 @@ [id="configuring-DNS-on-amazon-elastic-kubernetes-service"] = Configuring DNS on {eks-short} -Configure DNS on {eks-short}. +Follow these instructions to configure DNS on {eks-short}. .Prerequisites @@ -13,37 +13,37 @@ Configure DNS on {eks-short}. .Procedure -. Define the previously registered domain name: +. Define the registered domain name: + -[source,shell] +[source,subs="attributes+"] ---- -DOMAIN_NAME=eclipse-che-eks-clould.click +CHE_DOMAIN_NAME=eclipse-che-eks-clould.click ---- . Define domain name for Keycloak OIDC provider: + -[source,shell] +[source,subs="attributes+"] ---- -KEYCLOAK_DOMAIN_NAME=keycloak.$DOMAIN_NAME +KEYCLOAK_DOMAIN_NAME=keycloak.$CHE_DOMAIN_NAME ---- . Find out the hosted zone ID for the domain: + -[source,shell] +[source,subs="attributes+"] ---- -HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text) +HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $CHE_DOMAIN_NAME --query "HostedZones[0].Id" --output text) ---- . Find out the Canonical Hosted Zone ID for the load balancer: + -[source,shell] +[source,subs="attributes+"] ---- CANONICAL_HOSTED_ZONE_ID=$(aws elbv2 describe-load-balancers --query "LoadBalancers[0].CanonicalHostedZoneId" --output text) ---- . Find out the DNS name for the load balancer: + -[source,shell] +[source,subs="attributes+"] ---- DNS_NAME=$({orch-cli} get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}') ---- @@ -60,7 +60,7 @@ aws route53 change-resource-record-sets \ "Changes": [{ "Action" : "CREATE", "ResourceRecordSet" : { - "Name" : "'"$DOMAIN_NAME"'", + "Name" : "'"$CHE_DOMAIN_NAME"'", "Type" : "A", "AliasTarget" : { "HostedZoneId" : "'"$CANONICAL_HOSTED_ZONE_ID"'", 
@@ -73,11 +73,11 @@ aws route53 change-resource-record-sets \ ' ---- -. Verify that you can access the domain externally: +. Verify that you can access {prod-short} domain externally: + [source,subs="attributes+"] ---- -until curl $DOMAIN_NAME; do sleep 5s; done +until curl $CHE_DOMAIN_NAME; do sleep 5s; done ---- . Create a DNS record set: @@ -92,7 +92,7 @@ aws route53 change-resource-record-sets \ "Changes": [{ "Action" : "CREATE", "ResourceRecordSet" : { - "Name" : "'"KEYCLOAK_DOMAIN_NAME"'", + "Name" : "'"$KEYCLOAK_DOMAIN_NAME"'", "Type" : "A", "AliasTarget" : { "HostedZoneId" : "'"$CANONICAL_HOSTED_ZONE_ID"'", diff --git a/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc index 7dea1719ce..2cf7a75430 100644 --- a/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_creating-lets-encrypt-certificate-for-che-on-amazon-elastic-kubernetes-service.adoc @@ -54,8 +54,6 @@ EOF + [source,subs="attributes+"] ---- -AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) - eksctl create iamserviceaccount \ --name cert-manager-acme-dns01-route53 \ --namespace cert-manager \ @@ -147,10 +145,10 @@ spec: issuerRef: name: {prod-id-short}-letsencrypt kind: ClusterIssuer - commonName: '$DOMAIN_NAME' + commonName: '$CHE_DOMAIN_NAME' dnsNames: - - '$DOMAIN_NAME' - - '*.$DOMAIN_NAME' + - '$CHE_DOMAIN_NAME' + - '*.$CHE_DOMAIN_NAME' usages: - server auth - digital signature diff --git a/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc index baf85c63fb..67af143e92 100644 
--- a/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-cert-manager-on-amazon-elastic-kubernetes-service.adoc @@ -1,7 +1,7 @@ [id="installing-cert-manager-on-amazon-elastic-kubernetes-service"] = Installing cert-manager on {eks-short} -Use the following instructions to install the link:https://cert-manager.io[cert-manager] on {eks-short}. +Follow these instructions to install the link:https://cert-manager.io[cert-manager] on {eks-short}. .Procedure diff --git a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc index eba0608b1b..e071c62988 100644 --- a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc @@ -19,7 +19,7 @@ spec: auth: oAuthClientName: k8s-client oAuthSecret: eclipse-che - identityProviderURL: "https://$KEYCLOAK_DOMAIN/realms/che" + identityProviderURL: "https://$KEYCLOAK_DOMAIN_NAME/realms/che" gateway: oAuthProxy: cookieExpireSeconds: 300 @@ -27,7 +27,7 @@ spec: containers: - env: - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL - value: "http://$KEYCLOAK_DOMAIN/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}" + value: "http://$KEYCLOAK_DOMAIN_NAME/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}" name: oauth-proxy components: cheServer: @@ -42,7 +42,7 @@ EOF ---- {prod-cli} server:deploy \ --platform k8s \ - --domain $DOMAIN_NAME \ + --domain $CHE_DOMAIN_NAME \ --che-operator-cr-patch-yaml che-patch.yaml \ --skip-cert-manager ---- 
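Review bot: In the installing-che patch, hunk `@@ -27,7 +27,7 @@`, `OAUTH2_PROXY_BACKEND_LOGOUT_URL` still uses `http://`, while `identityProviderURL` in the hunk before it uses `https://` for the same Keycloak host. The URL carries `id_token_hint=\{id_token}` in its query string, so the user's ID token would presumably go out unencrypted on the first request, even if the ingress then redirects to HTTPS. The rename is a good moment to fix the scheme: `value: "https://$KEYCLOAK_DOMAIN_NAME/realms/che/protocol/openid-connect/logout?id_token_hint=\{id_token}"`. The CheCluster patch this line belongs to starts and ends outside the hunk.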
diff --git a/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc index ff01b40c57..1517b82981 100644 --- a/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service.adoc @@ -5,7 +5,7 @@ [id="installing-ingress-nginx-controller-on-amazon-elastic-kubernetes-service"] = Installing Ingress-Nginx Controller on {eks-short} -Use the following instructions to install the link:https://kubernetes.github.io/ingress-nginx/[Ingress-Nginx Controller] on {eks-short}. +Follow these instructions to install the link:https://kubernetes.github.io/ingress-nginx/[Ingress-Nginx Controller] on {eks-short}. .Procedure @@ -25,20 +25,8 @@ helm install ingress-nginx ingress-nginx/ingress-nginx \ --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"=nlb ---- -. Wait for the external IP: -+ -[source,subs="attributes+"] ----- -{orch-cli} get services ingress-nginx-controller --namespace ingress-nginx ----- -The output will be similar to: -+ -[source,subs="attributes+"] ----- -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -ingress-nginx-controller LoadBalancer 10.0.65.52 XXX.elb.amazonaws.com 80:32711/TCP,443:31294/TCP 75s ----- -. Verify that you can access the load balancer externally: +. Verify that you can access the load balancer externally. +It may take a few minutes for the load balancer to be created: + [source,subs="attributes+"] ---- 
diff --git a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc index 9b6dbeccf8..4d253b4f8f 100644 --- a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc @@ -1,17 +1,10 @@ [id="installing-keycloak-on-amazon-elastic-kubernetes-service"] = Installing Keycloak on {eks} -Learn how to install https://www.keycloak.org/[Keycloak] as the OpenID Connect (OIDC) provider. +Follow these instructions to install https://www.keycloak.org/[Keycloak] as the OpenID Connect (OIDC) provider. .Procedure -. Define Keycloak host name: -+ -[source,subs="+attributes"] ----- -KEYCLOAK_DOMAIN=keycloak.$DOMAIN_NAME ----- - . Install Keycloak: + IMPORTANT: While this guide provides a development configuration for deploying Keycloak on {kubernetes}, remember that production environments require different settings, for instance configuring external databases. @@ -37,9 +30,9 @@ spec: issuerRef: name: che-letsencrypt kind: ClusterIssuer - commonName: '$KEYCLOAK_DOMAIN' + commonName: '$KEYCLOAK_DOMAIN_NAME' dnsNames: - - '$KEYCLOAK_DOMAIN' + - '$KEYCLOAK_DOMAIN_NAME' usages: - server auth - digital signature @@ -112,10 +105,10 @@ spec: ingressClassName: nginx tls: - hosts: - - $KEYCLOAK_DOMAIN + - $KEYCLOAK_DOMAIN_NAME secretName: keycloak.tls rules: - - host: $KEYCLOAK_DOMAIN + - host: $KEYCLOAK_DOMAIN_NAME http: paths: - path: / From 490743bb5c68c78a4801ed21d43d4e5cf3c2c1be Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 28 Nov 2024 10:39:57 +0100 Subject: [PATCH 05/12] Fixup Signed-off-by: Anatolii Bazko --- ...-identity-provider-on-amazon-elastic-kubernetes-service.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc index c5467f6610..49af0f5253 100644 --- a/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_associate-keycloak-as-oidc-identity-provider-on-amazon-elastic-kubernetes-service.adoc @@ -23,7 +23,7 @@ metadata: name: $CHE_EKS_CLUSTER_NAME region: $CHE_EKS_CLUSTER_REGION identityProviders: - - name: {prod-id-short}-oidc + - name: keycloak-oidc type: oidc issuerUrl: https://$KEYCLOAK_DOMAIN_NAME/realms/che clientId: k8s-client From 3625054ebf34c5b4abac955a5a14abebf25ca942 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 28 Nov 2024 10:56:55 +0100 Subject: [PATCH 06/12] Fixup Signed-off-by: Anatolii Bazko --- ...installing-che-on-amazon-elastic-kubernetes-service.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc index e071c62988..ab1b944bc3 100644 --- a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc @@ -43,8 +43,10 @@ EOF {prod-cli} server:deploy \ --platform k8s \ --domain $CHE_DOMAIN_NAME \ - --che-operator-cr-patch-yaml che-patch.yaml \ - --skip-cert-manager + --che-operator-cr-patch-yaml che-cluster-patch.yaml \ + --skip-cert-manager \ + --k8spodreadytimeout 240000 \ + --k8spoddownloadimagetimeout 240000 ---- . Navigate to the {prod-short} cluster instance: 
From 96ce74702fafa5faa2d5dea9f4d7c1b48e7743e5 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 28 Nov 2024 11:36:47 +0100 Subject: [PATCH 07/12] Fixup Signed-off-by: Anatolii Bazko --- ...roc_installing-che-on-amazon-elastic-kubernetes-service.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc index ab1b944bc3..67f7f08bff 100644 --- a/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-che-on-amazon-elastic-kubernetes-service.adoc @@ -32,7 +32,7 @@ spec: components: cheServer: extraProperties: - CHE_OIDC_EMAIL__CLAIM: email + CHE_OIDC_USERNAME__CLAIM: email EOF ---- From bd35332f3f0c255df6e124a4de977d9bf727c74b Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 28 Nov 2024 12:25:15 +0100 Subject: [PATCH 08/12] Fixup Signed-off-by: Anatolii Bazko --- ...for-amazon-elastic-kubernetes-service.adoc | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc index 801f19f681..dc96bdaa64 100644 --- a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc 
@@ -41,6 +41,38 @@ CHE_EKS_CLUSTER_REGION=eu-central-1 aws eks update-kubeconfig --region $CHE_EKS_CLUSTER_REGION --name $CHE_EKS_CLUSTER_NAME ---- +. Ensure that you have default storage class set: ++ +[source,subs="attributes+"] +---- +{orch-cli} get storageclass +---- ++ +The output should display a storage class with `default` next to its name: ++ +[source,subs="attributes+"] +---- +NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE +gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer false 126m +---- + +. Ensure that you have default storage class set: ++ +[source,subs="attributes+"] +---- +{orch-cli} get storageclass +---- ++ +The output should display a storage class with `default` next to its name: ++ +[source,subs="attributes+"] +---- +NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE +gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer false 126m +---- + .Additional resources * link:https://aws.amazon.com/eks/[{eks}] +* link:https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/[Change the default storage class on {kubernetes} cluster] +* link:https://docs.aws.amazon.com/eks/latest/userguide/create-managed-node-group.html[Create a managed node group for {eks-short}] From 668889385dba4c5e59e46b5835a4b94997ba2cc9 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 28 Nov 2024 13:16:09 +0100 Subject: [PATCH 09/12] Fixup Signed-off-by: Anatolii Bazko --- ...les-for-amazon-elastic-kubernetes-service.adoc | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc index dc96bdaa64..324e149e4b 100644 --- a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc 
+++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc @@ -56,21 +56,6 @@ NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE A gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer false 126m ---- -. Ensure that you have default storage class set: -+ -[source,subs="attributes+"] ----- -{orch-cli} get storageclass ----- -+ -The output should display a storage class with `default` next to its name: -+ -[source,subs="attributes+"] ----- -NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE -gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer false 126m ----- - .Additional resources * link:https://aws.amazon.com/eks/[{eks}] From 3c8c298518e8d06a19cd1e91277ff454196a0ddf Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 29 Nov 2024 09:32:05 +0100 Subject: [PATCH 10/12] Update modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc Co-authored-by: Jana Vrbkova --- ...ronment-variables-for-amazon-elastic-kubernetes-service.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc index 324e149e4b..5d7d72b4b4 100644 --- a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc @@ -41,7 +41,7 @@ CHE_EKS_CLUSTER_REGION=eu-central-1 aws eks update-kubeconfig --region $CHE_EKS_CLUSTER_REGION --name $CHE_EKS_CLUSTER_NAME ---- -. Ensure that you have default storage class set: +. Make sure that you have the default storage class set: + [source,subs="attributes+"] ---- 
From 3d32ce7b81c7a17086978dc7f938d223cd45c036 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 29 Nov 2024 09:32:11 +0100 Subject: [PATCH 11/12] Update modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc Co-authored-by: Jana Vrbkova --- ...alling-keycloak-on-amazon-elastic-kubernetes-service.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc index 4d253b4f8f..9246e8cd9b 100644 --- a/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/proc_installing-keycloak-on-amazon-elastic-kubernetes-service.adoc @@ -7,7 +7,10 @@ Follow these instructions to install https://www.keycloak.org/[Keycloak] as the . Install Keycloak: + -IMPORTANT: While this guide provides a development configuration for deploying Keycloak on {kubernetes}, remember that production environments require different settings, for instance configuring external databases. +[IMPORTANT] +==== + While this guide provides a development configuration for deploying Keycloak on {kubernetes}, remember that production environments might require different settings, such as external database configuration. +==== + [source,subs="+attributes"] ---- From 26892417a27faf6914d25e5a887d261ffb8fbeed Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 29 Nov 2024 14:08:11 +0100 Subject: [PATCH 12/12] Fixup Signed-off-by: Anatolii Bazko --- ...ment-variables-for-amazon-elastic-kubernetes-service.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc index 5d7d72b4b4..cbc36ed0a9 100644 --- a/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc +++ b/modules/administration-guide/partials/configuring-environment-variables-for-amazon-elastic-kubernetes-service.adoc @@ -9,7 +9,7 @@ Follow these instructions to define environment variables and update your `kubec .Prerequisites -* Amazon EKS cluster. See: link:https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html[Create an Amazon EKS cluster] +* Amazon EKS cluster with storage addon. See: link:https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html[Create an Amazon EKS cluster] .Procedure @@ -59,5 +59,6 @@ gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer f .Additional resources * link:https://aws.amazon.com/eks/[{eks}] -* link:https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/[Change the default storage class on {kubernetes} cluster] +* link:https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html[Store Kubernetes volumes with Amazon EBS] * link:https://docs.aws.amazon.com/eks/latest/userguide/create-managed-node-group.html[Create a managed node group for {eks-short}] +* link:https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/[Change the default storage class on {kubernetes} cluster]