Installing Che on Microsoft Azure

Microsoft Azure is a cloud computing service for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Follow the instructions below to install and enable Che on Microsoft Azure.

Prerequisites

Preparing Microsoft Azure for Che installation

Prepare Microsoft Azure for Che installation.

Procedure
  1. Log in to Microsoft Azure:

    az login
  2. Create a resource group (to list the locations, use the az account list-locations command):

    # Resource group name
    ECLIPSE_CHE_RESOURCE_GROUP=eclipse-che
    
    # Azure region
    AZURE_REGION=centralus
    
    az group create --name $ECLIPSE_CHE_RESOURCE_GROUP --location $AZURE_REGION
  3. Create a cluster admins group:

    # Azure Active Directory group name
    AAD_GROUP_NAME=AKSAdmins
    
    az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME
  4. Add the current user to the cluster admins group:

    az ad group member add --group $AAD_GROUP_NAME \
      --member-id $(az ad signed-in-user show --query id --output tsv)
  5. Create the Microsoft Entra integrated cluster:

    # Azure Kubernetes Service cluster name
    AKS_CLUSTER_NAME=eclipse-che
    
    az aks create \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $AKS_CLUSTER_NAME \
      --enable-aad \
      --aad-admin-group-object-ids $(az ad group list --query "[?displayName=='$AAD_GROUP_NAME'].id" --output tsv) \
      --generate-ssh-keys
  6. Get the user credentials to access your cluster:

    az aks get-credentials \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $AKS_CLUSTER_NAME \
      --admin
  7. Set kubelogin to use the Microsoft Azure CLI:

    kubelogin convert-kubeconfig -l azurecli
  8. View the pods in the cluster:

    kubectl get pods --all-namespaces
Verification

All pods are displayed in the Running state.

Installing NGINX Ingress Controller on Microsoft Azure Kubernetes Service

Use the following instructions to install the NGINX Ingress Controller on Microsoft Azure Kubernetes Service.

Procedure
  1. Install NGINX Ingress Controller:

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    
    helm install ingress-nginx ingress-nginx/ingress-nginx \
      --wait \
      --create-namespace \
      --namespace ingress-nginx \
      --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
  2. Wait for the external IP. The EXTERNAL-IP column shows <pending> until the load balancer address has been assigned:

    kubectl get services ingress-nginx-controller --namespace ingress-nginx
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.0.65.52     XX.XXX.XX.XXX   80:31104/TCP,443:32552/TCP   13m

Installing cert-manager on Microsoft Azure Kubernetes Service

Learn how to install cert-manager on Microsoft Azure Kubernetes Service.

Procedure
  1. Install cert-manager:

    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    
    helm install cert-manager jetstack/cert-manager \
      --wait \
      --create-namespace \
      --namespace cert-manager \
      --set installCRDs=true

Configuring DNS on Microsoft Azure

Configure DNS on Microsoft Azure. Before you start, make sure you have a registered domain.

Prerequisites
  • A registered domain.

Procedure
  1. Define the domain name:

    DOMAIN_NAME=azr.my-ide.cloud
  2. Create a DNS zone:

    az network dns zone create \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $DOMAIN_NAME
  3. Create a DNS record set:

    az network dns record-set a add-record \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --zone-name $DOMAIN_NAME \
      --record-set-name "*" \
      --ipv4-address $(kubectl get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')

If you use a registrar such as GoDaddy, you will need to add the following two DNS records in your registrar and point them to the IP address of the ingress controller:

  • type: A

  • names: @ and *

Creating a Let’s Encrypt certificate for Che on Microsoft Azure

Follow these instructions to create a Let’s Encrypt certificate for Che on Microsoft Azure.

Procedure
  1. Create a service principal:

    CERT_MANAGER_SERVICE_PRINCIPAL_NAME=cert-manager-eclipse-che
    CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "appId" --output tsv)
  2. Give access to the DNS zone:

    az role assignment create \
      --assignee $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID \
      --scope $(az network dns zone show --name $DOMAIN_NAME --resource-group $ECLIPSE_CHE_RESOURCE_GROUP --query "id" --output tsv) \
      --role "DNS Zone Contributor"
  3. Create the eclipse-che namespace:

    kubectl create namespace eclipse-che
  4. Create a Secret containing the service principal's client secret:

    kubectl create secret generic azuredns-config \
      --from-literal=clientSecret=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "password" --output tsv) \
      --namespace eclipse-che
  5. Create the Issuer and replace MY_EMAIL_ADDRESS with a valid address:

    kubectl apply -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: che-letsencrypt
      namespace: eclipse-che
    spec:
      acme:
        solvers:
        - dns01:
            azureDNS:
              clientID: $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID
              clientSecretSecretRef:
                name: azuredns-config
                key: clientSecret
              subscriptionID: $(az account show --query "id" --output tsv)
              tenantID: $(az account show --query "tenantId" --output tsv)
              resourceGroupName: $ECLIPSE_CHE_RESOURCE_GROUP
              hostedZoneName: $DOMAIN_NAME
        email: MY_EMAIL_ADDRESS
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  6. Create the Certificate:

    kubectl apply -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: che-tls
      namespace: eclipse-che
    spec:
      secretName: che-tls
      issuerRef:
        name: che-letsencrypt
        kind: Issuer
      commonName: '$DOMAIN_NAME'
      dnsNames:
      - '$DOMAIN_NAME'
      - '*.$DOMAIN_NAME'
      usages:
        - server auth
        - digital signature
        - key encipherment
        - key agreement
        - data encipherment
    EOF

If you use a registrar such as GoDaddy, you need to duplicate the following DNS records in your registrar:

  • type: TXT

  • name: _acme-challenge.

Registering a client application in Microsoft Entra ID

Learn how to register a client application in Microsoft Entra ID.

Procedure
  1. Create the application:

    # Eclipse Che Application display name
    ECLIPSE_CHE_APPLICATION_DISPLAY_NAME="Eclipse Che"
    
    az ad app create \
      --display-name $ECLIPSE_CHE_APPLICATION_DISPLAY_NAME \
      --enable-access-token-issuance \
      --required-resource-accesses '[{"resourceAccess":[{"id":"34a47c2f-cd0d-47b4-a93c-2c41130c671c","type":"Scope"}],"resourceAppId":"6dae42f8-4368-4678-94ff-3960e28e3630"},{"resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}],"resourceAppId":"00000003-0000-0000-c000-000000000000"}]' \
      --optional-claims '{"accessToken":[{"additionalProperties":[],"essential":false,"name":"groups","source":null}]}'  \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris https://$DOMAIN_NAME/oauth/callback
  2. Update the application group membership claims:

    az ad app update \
      --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) \
      --set groupMembershipClaims=SecurityGroup
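
As an added check that is not part of the Che documentation, the script below compares the JSON from az ad app show --id <appId> --output json with what the two steps above configure: a tenant-only sign-in audience, a single HTTPS callback on DOMAIN_NAME, SecurityGroup membership claims, and only the two delegated scopes. The embedded sample is constructed and deliberately drifts from the guide so that the check has something to report.

```python
import json

# Settings from the registration step above; anything else is configuration drift.
EXPECTED_SIGN_IN_AUDIENCE = "AzureADMyOrg"
EXPECTED_GROUP_CLAIMS = "SecurityGroup"
# (resourceAppId, scope id) pairs passed to --required-resource-accesses above: AKS AAD server user.read and Graph User.Read.
EXPECTED_SCOPES = {
    ("6dae42f8-4368-4678-94ff-3960e28e3630", "34a47c2f-cd0d-47b4-a93c-2c41130c671c"),
    ("00000003-0000-0000-c000-000000000000", "e1fe6dd8-ba31-4d61-89e7-88639da4683d"),
}

def check_app_registration(app: dict, domain_name: str) -> list:
    """Compare one app object with the guide's settings; return a list of findings (empty means it matches)."""
    findings = []
    if app.get("signInAudience") != EXPECTED_SIGN_IN_AUDIENCE:
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected {EXPECTED_SIGN_IN_AUDIENCE!r}")
    if app.get("groupMembershipClaims") != EXPECTED_GROUP_CLAIMS:
        findings.append(f"groupMembershipClaims is {app.get('groupMembershipClaims')!r}, expected {EXPECTED_GROUP_CLAIMS!r}")
    # Exactly one redirect URI: the Che OAuth callback over HTTPS on DOMAIN_NAME.
    expected_uri = f"https://{domain_name}/oauth/callback"
    uris = set(app.get("web", {}).get("redirectUris", []))
    findings += [f"unexpected redirect URI {u!r}" for u in sorted(uris - {expected_uri})]
    if expected_uri not in uris:
        findings.append(f"missing redirect URI {expected_uri!r}")
    # Exactly the two delegated scopes; application ("Role") permissions are drift too.
    granted = set()
    for resource in app.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            if access.get("type") != "Scope":
                findings.append(f"non-delegated permission {access.get('id')!r}")
            granted.add((resource.get("resourceAppId"), access.get("id")))
    findings += [f"unexpected permission {s[1]!r} on {s[0]!r}" for s in sorted(granted - EXPECTED_SCOPES)]
    findings += [f"missing permission {s[1]!r} on {s[0]!r}" for s in sorted(EXPECTED_SCOPES - granted)]
    return findings

# Constructed stand-in for `az ad app show` output; it drifts in the audience and has an extra plain-HTTP redirect URI.
SAMPLE_APP_JSON = """{
  "displayName": "Eclipse Che", "signInAudience": "AzureADMultipleOrgs", "groupMembershipClaims": "SecurityGroup",
  "web": {"redirectUris": ["https://azr.my-ide.cloud/oauth/callback", "http://azr.my-ide.cloud/oauth/callback"]},
  "requiredResourceAccess": [
    {"resourceAppId": "6dae42f8-4368-4678-94ff-3960e28e3630",
     "resourceAccess": [{"id": "34a47c2f-cd0d-47b4-a93c-2c41130c671c", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]
}"""

def sample_findings() -> list:
    # Run the check over the constructed sample for the domain used in this guide.
    return check_app_registration(json.loads(SAMPLE_APP_JSON), "azr.my-ide.cloud")
```

Against a real registration, pipe the az output into json.loads and pass your DOMAIN_NAME; an empty list means the registration matches the guide.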

Installing Che on Microsoft Azure Kubernetes Service

Install Che on Microsoft Azure Kubernetes Service.

Procedure
  1. Prepare a CheCluster patch YAML file:

    cat > che-cluster-patch.yaml << EOF
    spec:
      networking:
        auth:
          identityProviderURL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
          identityToken: access_token
          oAuthClientName: $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].appId" --output tsv)
          oAuthSecret: $(az ad app credential reset --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) --query "password" --output tsv)
          oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
          gateway:
            deployment:
              containers:
              - env:
                - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
                  value: "true"
                name: oauth-proxy
      components:
        cheServer:
          extraProperties:
            CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
            CHE_OIDC_EMAIL__CLAIM: unique_name
    EOF
  2. Deploy Che:

    chectl server:deploy \
           --platform=k8s \
           --che-operator-cr-patch-yaml=che-cluster-patch.yaml \
           --skip-oidc-provider-check \
           --skip-cert-manager \
           --domain=$DOMAIN_NAME
  3. Navigate to the Che cluster instance:

    chectl dashboard:open