is keycloak removed in eclipse-che 7.42.0 ?

[Divine1]

Summary

eclipse-che i installed installed today(7.42.0) . it has dex as the identity service , previously it was keycloak. i'm not able to find the web url link in the eclipse che installation logs inorder to do user management.

previous version of eclipse che

eclipse-che url
https://che-eclipse-che.192.168.49.2.nip.io

keycloak url
https://keycloak-eclipse-che.192.168.49.2.nip.io

In the latest version of eclipse-che which i installed today (18-Jan-2022), there is no keycloak software.
How can i add new users / manage new users in this newer version ?

i'm not able to find any urlEndpoints for user management in eclipse-che installation logs

Relevant information

No response

[sparkoo]

With Devworkspace engine now being default, there is no Keycloak. Instead of using custom user management, we switched to use Kubernetes users in order to do authorization to workspace resources with kubernetes RBAC. That means, that on Minikube, we reconfigure Kubernetes apiserver to use Dex as OIDC provider.

You have few options how to manage users:

• in dex namespace, there is configmap with some static users. You can update it manually like this: https://github.com/dexidp/dex/blob/master/examples/config-dev.yaml#L142
• you can configure Dex to use for example Github as identity provider https://www.eclipse.org/che/docs/che-7/administration-guide/configuring-minikube-github-authentication/ https://dexidp.io/docs/connectors/github/
• you can install your own keycloak instance and configure Dex to use it as identity provider https://dexidp.io/docs/connectors/oidc/
• you can install your own keycloak, configure Kubernetes to use it as OIDC provider and configure Che to use it directly https://github.com/eclipse-che/che-operator/blob/main/config/crd/bases/org_v1_che_crd.yaml#L223

I'm preparing some more documentation in this area.

[Divine1]

@sparkoo thank you for the response.

below 4 namespaces got auto-created when i installed eclipse-che tool via chectl

eclipse-che
dex
devworkspace-controller
cert-manager

my organization has not provided permission to auto-create namespace, if i need a namespace, i have to request the kubernetes admin to create a new namespace for me.

So, i have to input the pre-created namespaces to chectl.

is it possible to input custom namespaces for dex devworkspace-controller cert-manager ?

i understand that new namespace will be created for each user login.
As my organization's kubernetes admin doesnot provide permission to auto-create namespaces, is there any workaround for this situation?

[sparkoo]

I'm not sure, @tolusha?

[tolusha]

is it possible to input custom namespaces for dex devworkspace-controller cert-manager ?

no, they are hardcoded

I understand that new namespace will be created for each user login.
As my organization's kubernetes admin doesnot provide permission to auto-create namespaces, is there any workaround for this situation?

I don't see, just precreate them.

[Divine1]

@tolusha

My organization has a multi-node kubernetes cluster and it is being shared across different businessUnits within the organization.

if the namespaces dex devworkspace-controller cert-manager cannot be customized and incase if another businessUnit within my organization is installing eclipse che tool for their own purpose , it would be a conflict with my team.

is my understanding correct?
Please share your thoughts on this. @tolusha

[nils-mosbach]

Does this mean, from 7.42 on there won't be an option running che with plain keycloak? So basically every che-kubernetes deployment requires reconfiguring the api server? I guess that this will cause a lot of confusion. The beauty with chectl was that you could fire up an eclipse che instance on any platform and it just worked. Setting up dex and changing api server configurations as a prequisite isn't a big deal if you figure out how it works, but its barely something most people have done before.

[Divine1]

@nils-mosbach auto-creating namespaces in my organizations kubernetes cluster is restricted. i need a solution for it. i can request the k8s admin and pre-create namespaces in my organizations k8s cluster. But those pre-created names spaces will not exactly be dex devworkspace-controller cert-manager. i'm looking for a solution to customize these namespaces during eclipse-che installation. please help

[Divine1]

@tolusha
@nils-mosbach

until che 7.41.1 i was able to use the below secret yaml format to use the devfile.yaml hosted within my gitlab account.

in che7.42.0 this secret yaml file has no effect. how to make it work?

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-personal-access-token-secret
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: scm-personal-access-token
  annotations:
    che.eclipse.org/expired-after: '-1'
    che.eclipse.org/che-userid: '355d1ce5-990e-401e-9a8c-094bca10b5b3'
    che.eclipse.org/scm-userid: '2'
    che.eclipse.org/scm-username: 'user-foo'
    che.eclipse.org/scm-url: 'https://gitlab.apps.cluster-example.com'
data:
  token: Yzh5cEt6cURxUWVCa3FKazhtaHg=

https://www.eclipse.org/che/docs/che-7/end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/#configuring_gitlab_authentication_che

[tolusha]

if another businessUnit within my organization is installing eclipse che tool for their own purpose , it would be a conflict with my team.

It is not supported to have multiple Eclipse Che deployment on the same cluster.

in che7.42.0 this secret yaml file has no effect. how to make it work?

@skabashnyuk Could you anser a question?

[skabashnyuk]

in che7.42.0 this secret yaml file has no effect. how to make it work?

I think the format remains the same. However, I assume that might be an issue with che.eclipse.org/che-userid. I thought we had some migration. @ibuziuk or @tolusha can know more.

The simplest way is just to remove it and allow the system to recreate it again or try to find your user's new che-userid and update the field.

[Divine1]

@skabashnyuk from che 7.42.0 , dex gets installed

so, in this case is che.eclipse.org/che-userid still allowed? or should we use something specific to dex ?

below is the default credentials

[Divine1]

@skabashnyuk thanks a lot for your inputs. i'm closing this ticket as i have made significant progress in the question i had.

if anybody is reading thisquestion in the future, please tag if you have doubts on this topic.

[debovema]

I'm preparing some more documentation in this area.

Really looking forward to seeing this documentation 👍
Btw @sparkoo was there some announcements about these architecture breaking changes somewhere ?
I am a bit confused as it seems to complicate the local installations.

[sparkoo]

Btw @sparkoo was there some announcements about these architecture breaking changes somewhere ? I am a bit confused as it seems to complicate the local installations.

I'm not sure, it goes together with movement to devworkspaces, because we couldn't use old auth model.

[gidduhome]

When I installed 7.43.0 on K8 platform, I dont see dex created. I presume that is only minikube. May I know what are my options to install 7.43.0 on K82. It is failing with OIDC error on K8 API server.

[tolusha]

@gidduhome
You can try to deploy Dex on you k8s platform manually.

[gidduhome]

@gidduhome You can try to deploy Dex on you k8s platform manually.

Thanks @tolusha. For me, I have keycloak configured. But while trying to integrate KeyCloak with APIServer as OIDC provider, got struck. Still, trying to figureout which yaml file which parameter to be added/edited.

[gnoejuan]

I apologize if this isn't the thread to ask, but would it be possible to have a guide? I use Che for myself and only myself. I'm having a lot of cognitive overload trying to deploy che

[Divine1]

@gnoejuan if you are using eclipse-che only for yourself, then you can deploy eclipse-che on minikube using chectl.