Installing Che on Microsoft Azure

Microsoft Azure is a cloud computing service for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Follow the instructions below to install and enable Che on Microsoft Azure.

Prerequisites

Preparing Microsoft Azure for Che installation

Prepare Microsoft Azure for Che installation.

Procedure
  1. Log in to Microsoft Azure:

    az login
  2. Create a resource group (to list the locations, use the az account list-locations command):

    # Resource group name
    ECLIPSE_CHE_RESOURCE_GROUP=eclipse-che
    
    # Azure region
    AZURE_REGION=centralus
    
    az group create --name $ECLIPSE_CHE_RESOURCE_GROUP --location $AZURE_REGION
  3. Create a cluster admins group:

    # Azure Active Directory group name
    AAD_GROUP_NAME=AKSAdmins
    
    az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME
  4. Add the current user to the cluster admins group:

    az ad group member add --group $AAD_GROUP_NAME \
      --member-id $(az ad signed-in-user show --query id --output tsv)
  5. Create the Microsoft Entra integrated cluster:

    # Azure Kubernetes Service cluster name
    AKS_CLUSTER_NAME=eclipse-che
    
    az aks create \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $AKS_CLUSTER_NAME \
      --enable-aad \
      --aad-admin-group-object-ids $(az ad group list --query "[?displayName=='$AAD_GROUP_NAME'].id" --output tsv) \
      --generate-ssh-keys
  6. Get the user credentials to access your cluster:

    az aks get-credentials \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $AKS_CLUSTER_NAME \
      --admin
  7. Set kubelogin to use the Microsoft Azure CLI:

    kubelogin convert-kubeconfig -l azurecli
  8. View the pods in the cluster :

    kubectl get pods --all-namespaces
  9. Verification

All pods in the running state are displayed.

Installing NGINX Ingress Controller on Microsoft Azure Kubernetes Service

Use the following instructions to install the NGINX Ingress Controller on Microsoft Azure Kubernetes Service.

Procedure
  1. Install NGINX Ingress Controller:

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    
    helm install ingress-nginx ingress-nginx/ingress-nginx \
      --wait \
      --create-namespace \
      --namespace ingress-nginx \
      --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
  2. Wait for the external IP. Note that a <pending> status for the external IP is shown before the exact external IP address is displayed.

    kubectl get services ingress-nginx-controller --namespace ingress-nginx
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.0.65.52     XX.XXX.XX.XXX   80:31104/TCP,443:32552/TCP   13m

Installing cert-manager on Microsoft Azure Kubernetes Service

Learn how to install cert-manager on Microsoft Azure Kubernetes Service.

Procedure
  1. Install cert-manager

    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    
    helm install cert-manager jetstack/cert-manager \
      --wait \
      --create-namespace \
      --namespace cert-manager \
      --set installCRDs=true

Configuring DNS on Microsoft Azure

Configure DNS on Microsoft Azure. Before you start, make sure you have a registered domain.

Prerequisites
  • A registered domain.

Procedure
  1. Define the domain name.

    DOMAIN_NAME=azr.my-ide.cloud
  2. Create a DNS zone:

    az network dns zone create \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --name $DOMAIN_NAME
  3. Create a DNS record set:

    az network dns record-set a add-record \
      --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
      --zone-name $DOMAIN_NAME \
      --record-set-name "*" \
      --ipv4-address $(kubectl get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')

If you use a registrar such as GoDaddy, you will need to add the following two DNS records in your registrar and point them to the IP address of the ingress controller:

  • type: A

  • names: @ and *

Creating Let’s Encrypt certificate for che on Microsoft Azure

Follow these instructions to create a Let’s Encrypt certificate for Che on Microsoft Azure.

Procedure
  1. Create a service principal:

    CERT_MANAGER_SERVICE_PRINCIPAL_NAME=cert-manager-eclipse-che
    CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "appId" --output tsv)
  2. Give access to the DNS zone:

    az role assignment create \
      --assignee $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID \
      --scope $(az network dns zone show --name $DOMAIN_NAME --resource-group $ECLIPSE_CHE_RESOURCE_GROUP --query "id" --output tsv) \
      --role "DNS Zone Contributor"
  3. Create the eclipse-che namespace:

    kubectl create namespace eclipse-che
  4. Create a Service Account Secret:

    kubectl create secret generic azuredns-config \
      --from-literal=clientSecret=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "password" --output tsv) \
      --namespace eclipse-che
  5. Create the Issuer and replace MY_EMAIL_ADDRESS with a valid address:

    kubectl apply -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: che-letsencrypt
      namespace: eclipse-che
    spec:
      acme:
        solvers:
        - dns01:
            azureDNS:
              clientID: $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID
              clientSecretSecretRef:
                name: azuredns-config
                key: clientSecret
              subscriptionID: $(az account show --query "id" --output tsv)
              tenantID: $(az account show --query "tenantId" --output tsv)
              resourceGroupName: $ECLIPSE_CHE_RESOURCE_GROUP
              hostedZoneName: $DOMAIN_NAME
        email: MY_EMAIL_ADDRESS
        privateKeySecretRef:
          name: letsencrypt
        server: https://acme-v02.api.letsencrypt.org/directory
    EOF
  6. Create the Certificate:

    kubectl apply -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: che-tls
      namespace: eclipse-che
    spec:
      secretName: che-tls
      issuerRef:
        name: che-letsencrypt
        kind: Issuer
      commonName: '$DOMAIN_NAME'
      dnsNames:
      - '$DOMAIN_NAME'
      - '*.$DOMAIN_NAME'
      usages:
        - server auth
        - digital signature
        - key encipherment
        - key agreement
        - data encipherment
    EOF

If you use a registrar such as GoDaddy, you need to duplicate the following DNS records in your registrar:

  • type: TXT

  • name: _acme-challenge.

Registering a client application in Microsoft Entra ID

Learn how to register a client application in Microsoft Entra ID

Procedure
  1. Create the application:

    # Eclipse Che Application display name
    ECLIPSE_CHE_APPLICATION_DISPLAY_NAME="Eclipse Che"
    
    az ad app create \
      --display-name $ECLIPSE_CHE_APPLICATION_DISPLAY_NAME \
      --enable-access-token-issuance \
      --required-resource-accesses '[{"resourceAccess":[{"id":"34a47c2f-cd0d-47b4-a93c-2c41130c671c","type":"Scope"}],"resourceAppId":"6dae42f8-4368-4678-94ff-3960e28e3630"},{"resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}],"resourceAppId":"00000003-0000-0000-c000-000000000000"}]' \
      --optional-claims '{"accessToken":[{"additionalProperties":[],"essential":false,"name":"groups","source":null}]}'  \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris https://$DOMAIN_NAME/oauth/callback
  2. Update the application group membership claims:

    az ad app update \
      --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) \
      --set groupMembershipClaims=SecurityGroup

Installing Che on Microsoft Azure Kubernetes Service

Install Che on Microsoft Azure Kubernetes Service.

Procedure
  1. Prepare a CheCluster patch YAML file:

    cat > che-cluster-patch.yaml << EOF
    spec:
      networking:
        auth:
          identityProviderURL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
          identityToken: access_token
          oAuthClientName: $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].appId" --output tsv)
          oAuthSecret: $(az ad app credential reset --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) --query "password" --output tsv)
          oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
          gateway:
            deployment:
              containers:
              - env:
                - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
                  value: "true"
                name: oauth-proxy
      components:
        cheServer:
          extraProperties:
            CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
            CHE_OIDC_EMAIL__CLAIM: unique_name
    EOF
  2. Deploy Che:

    chectl server:deploy \
           --platform=k8s \
           --che-operator-cr-patch-yaml=che-cluster-patch.yaml \
           --skip-cert-manager \
           --domain=$DOMAIN_NAME
  3. Navigate to the Che cluster instance:

    $ chectl dashboard:open