Installing Che on Microsoft Azure
Microsoft Azure is a cloud computing service for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.
Follow the instructions below to install and enable Che on Microsoft Azure.
Prerequisites
- helm: The package manager for Kubernetes. See: Installing Helm.
- az: The Microsoft Azure CLI command-line tool. See: How to install Microsoft Azure CLI.
- kubelogin: The Kubernetes credential plugin for Microsoft Entra ID authentication to AKS. See: How to install kubelogin.
Preparing Microsoft Azure for Che installation
Prepare Microsoft Azure for Che installation.
- Log in to Microsoft Azure:
az login
- Create a resource group (to list the available locations, use the az account list-locations command):
# Resource group name
ECLIPSE_CHE_RESOURCE_GROUP=eclipse-che
# Azure region
AZURE_REGION=centralus
az group create --name $ECLIPSE_CHE_RESOURCE_GROUP --location $AZURE_REGION
- Create a cluster admins group:
# Microsoft Entra ID (Azure Active Directory) group name
AAD_GROUP_NAME=AKSAdmins
az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME
- Add the current user to the cluster admins group:
az ad group member add --group $AAD_GROUP_NAME \
  --member-id $(az ad signed-in-user show --query id --output tsv)
- Create the Microsoft Entra integrated cluster, with the group above as its Kubernetes administrators:
# Azure Kubernetes Service cluster name
AKS_CLUSTER_NAME=eclipse-che
az aks create \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME \
  --enable-aad \
  --aad-admin-group-object-ids $(az ad group list --query "[?displayName=='$AAD_GROUP_NAME'].id" --output tsv) \
  --generate-ssh-keys
- Get the credentials to access your cluster:
az aks get-credentials \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME \
  --admin
The --admin flag fetches the cluster's local administrator credential instead of signing you in through Microsoft Entra ID. Use it for this initial setup only, and omit it for day-to-day access so that the Entra group membership above is what grants cluster-admin.
- Set kubelogin to use the Microsoft Azure CLI:
kubelogin convert-kubeconfig -l azurecli
- View the pods in the cluster:
kubectl get pods --all-namespaces
Verification
All pods are displayed in the Running state.
Installing NGINX Ingress Controller on Microsoft Azure Kubernetes Service
Use the following instructions to install the NGINX Ingress Controller on Microsoft Azure Kubernetes Service.
- Install NGINX Ingress Controller:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --wait \
  --create-namespace \
  --namespace ingress-nginx \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
- Wait for the external IP. The EXTERNAL-IP column shows <pending> until Azure has provisioned the load balancer; repeat the command until an address is displayed:
kubectl get services ingress-nginx-controller --namespace ingress-nginx
NAME                       TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.0.65.52   XX.XXX.XX.XXX   80:31104/TCP,443:32552/TCP   13m
Installing cert-manager on Microsoft Azure Kubernetes Service
Learn how to install cert-manager on Microsoft Azure Kubernetes Service.
- Install cert-manager:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --wait \
  --create-namespace \
  --namespace cert-manager \
  --set installCRDs=true
Configuring DNS on Microsoft Azure
Configure DNS on Microsoft Azure.
Prerequisites
- A registered domain.
Procedure
- Define the domain name:
DOMAIN_NAME=azr.my-ide.cloud
- Create a DNS zone:
az network dns zone create \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $DOMAIN_NAME
- Create a wildcard A record that points at the external IP of the ingress controller:
az network dns record-set a add-record \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --zone-name $DOMAIN_NAME \
  --record-set-name "*" \
  --ipv4-address $(kubectl get service -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
If your registrar (for example GoDaddy) remains authoritative for the domain, you also need to add the following two DNS records at the registrar, both pointing to the IP address of the ingress controller:
- type: A
- names: @ and *
Alternatively, delegate the domain to Azure DNS by setting the zone's name servers (az network dns zone show --name $DOMAIN_NAME --resource-group $ECLIPSE_CHE_RESOURCE_GROUP --query nameServers) as the NS records at your registrar; the records in the zone, including the ACME challenge records that cert-manager writes below, are then served directly.
Creating a Let's Encrypt certificate for Che on Microsoft Azure
Follow these instructions to create a Let's Encrypt certificate for Che on Microsoft Azure. cert-manager proves control of the domain with a DNS-01 challenge, so it needs an identity that can write records into the Azure DNS zone.
- Create a service principal for cert-manager:
CERT_MANAGER_SERVICE_PRINCIPAL_NAME=cert-manager-eclipse-che
CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "appId" --output tsv)
- Give the service principal access to the DNS zone, scoped to that zone only:
az role assignment create \
  --assignee $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID \
  --scope $(az network dns zone show --name $DOMAIN_NAME --resource-group $ECLIPSE_CHE_RESOURCE_GROUP --query "id" --output tsv) \
  --role "DNS Zone Contributor"
- Create the eclipse-che namespace:
kubectl create namespace eclipse-che
- Create a Secret holding the service principal's client secret:
kubectl create secret generic azuredns-config \
  --from-literal=clientSecret=$(az ad sp create-for-rbac --name $CERT_MANAGER_SERVICE_PRINCIPAL_NAME --query "password" --output tsv) \
  --namespace eclipse-che
Running az ad sp create-for-rbac a second time with the same name reuses the existing application and issues an additional password credential; the password returned by the first command is never used and stays valid until you remove it.
- Create the Issuer, replacing MY_EMAIL_ADDRESS with a valid address:
kubectl apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: che-letsencrypt
  namespace: eclipse-che
spec:
  acme:
    solvers:
    - dns01:
        azureDNS:
          clientID: $CERT_MANAGER_SERVICE_PRINCIPAL_APP_ID
          clientSecretSecretRef:
            name: azuredns-config
            key: clientSecret
          subscriptionID: $(az account show --query "id" --output tsv)
          tenantID: $(az account show --query "tenantId" --output tsv)
          resourceGroupName: $ECLIPSE_CHE_RESOURCE_GROUP
          hostedZoneName: $DOMAIN_NAME
    email: MY_EMAIL_ADDRESS
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
EOF
- Create the Certificate. Both the apex name and the wildcard are listed, because a wildcard name does not cover the apex:
kubectl apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: che-tls
  namespace: eclipse-che
spec:
  secretName: che-tls
  issuerRef:
    name: che-letsencrypt
    kind: Issuer
  commonName: '$DOMAIN_NAME'
  dnsNames:
    - '$DOMAIN_NAME'
    - '*.$DOMAIN_NAME'
  usages:
    - server auth
    - digital signature
    - key encipherment
    - key agreement
    - data encipherment
EOF
If your registrar (for example GoDaddy) remains authoritative for the domain, you need to duplicate the following DNS record, which cert-manager creates in the Azure DNS zone, in your registrar:
- type: TXT
- name: _acme-challenge
Note that cert-manager writes a fresh challenge value at every renewal, so this copy has to be repeated each time; delegating the zone to Azure DNS avoids the manual step.
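As an added check that is not part of the original page or the Che project, the following script verifies that a certificate's Subject Alternative Names actually cover the hosts Che will serve, which is the reason the Certificate above lists both the apex domain and the wildcard. It builds a throwaway self-signed certificate with the same SAN layout as a constructed sample; the function names (cert_dns_sans, cert_covers_host, make_sample_cert) are this example's own, and the kubectl command in the usage comment assumes the che-tls Secret from the procedure above.

```shell
#!/usr/bin/env bash
# Added example: check which hosts a certificate's DNS SANs cover.
# A wildcard SAN (*.example.com) matches exactly one label below it: it does
# not match the apex (example.com) and not deeper names (a.b.example.com).
set -eu

# Print the DNS SANs of a PEM certificate, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 if host $2 is covered by the certificate in $1, else 1.
# Runs in a subshell so that 'set -f' (needed because SANs contain '*')
# does not leak into the caller.
cert_covers_host() (
  set -f
  pem=$1 host=$2 parent=${2#*.}
  for san in $(cert_dns_sans "$pem"); do
    [ "$san" = "$host" ] && exit 0
    case $san in
      '*.'*) [ "${san#\*.}" = "$parent" ] && [ "$parent" != "$host" ] && exit 0 ;;
    esac
  done
  exit 1
)

# Constructed sample (not the Let's Encrypt certificate): a self-signed
# certificate with the same apex + wildcard SAN layout as che-tls.
make_sample_cert() {
  local domain=$1 out=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out.key" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain,DNS:*.$domain" \
    -out "$out" 2>/dev/null
}

# Usage against the real secret created by the procedure above:
#   kubectl get secret che-tls -n eclipse-che -o jsonpath='{.data.tls\.crt}' | base64 -d > che-tls.pem
#   cert_covers_host che-tls.pem "$DOMAIN_NAME" && cert_covers_host che-tls.pem "dashboard.$DOMAIN_NAME"
```

Hosts nested more than one label below the domain fail the check by design; if Che is ever exposed on such a name, the Certificate needs an additional dnsNames entry rather than a broader wildcard.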
Registering a client application in Microsoft Entra ID
Learn how to register a client application in Microsoft Entra ID. The registration requests two delegated permissions: user.read on the Azure Kubernetes Service AAD Server application (6dae42f8-4368-4678-94ff-3960e28e3630) and User.Read on Microsoft Graph (00000003-0000-0000-c000-000000000000), and asks for the groups claim in issued access tokens.
- Create the application (the display name contains a space, so it must be quoted):
# Eclipse Che Application display name
ECLIPSE_CHE_APPLICATION_DISPLAY_NAME="Eclipse Che"
az ad app create \
  --display-name "$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME" \
  --enable-access-token-issuance \
  --required-resource-accesses '[
    {"resourceAppId":"6dae42f8-4368-4678-94ff-3960e28e3630",
     "resourceAccess":[{"id":"34a47c2f-cd0d-47b4-a93c-2c41130c671c","type":"Scope"}]},
    {"resourceAppId":"00000003-0000-0000-c000-000000000000",
     "resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}
  ]' \
  --optional-claims '{"accessToken":[{"name":"groups","essential":false,"source":null,"additionalProperties":[]}]}' \
  --sign-in-audience AzureADMyOrg \
  --web-redirect-uris https://$DOMAIN_NAME/oauth/callback
- Update the application so that security group memberships are emitted in the groups claim:
az ad app update \
  --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) \
  --set groupMembershipClaims=SecurityGroup
Installing Che on Microsoft Azure Kubernetes Service
Install Che on Microsoft Azure Kubernetes Service.
- Prepare a CheCluster patch YAML file. The oAuthSecret value is a freshly generated client secret and ends up in this file in plaintext, so keep the file out of version control and delete it once Che is deployed:
cat > che-cluster-patch.yaml << EOF
spec:
  networking:
    auth:
      identityProviderURL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
      identityToken: access_token
      oAuthClientName: $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].appId" --output tsv)
      oAuthSecret: $(az ad app credential reset --id $(az ad app list --query "[?displayName=='$ECLIPSE_CHE_APPLICATION_DISPLAY_NAME'].id" --output tsv) --query "password" --output tsv)
      oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
      gateway:
        deployment:
          containers:
            - env:
                - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
                  value: "true"
              name: oauth-proxy
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/$(az account show --query "tenantId" --output tsv)/v2.0/"
        CHE_OIDC_EMAIL__CLAIM: unique_name
EOF
Microsoft Entra access tokens do not carry a verified email claim, which is why the gateway is told to accept unverified emails and Che reads the user identity from the unique_name claim instead. Note that az ad app credential reset issues a new client secret each time it runs; rerunning this step invalidates nothing but leaves the earlier secret in place.
- Deploy Che. cert-manager is already installed and the che-tls Secret already exists, so both are skipped here:
chectl server:deploy \
  --platform=k8s \
  --che-operator-cr-patch-yaml=che-cluster-patch.yaml \
  --skip-oidc-provider-check \
  --skip-cert-manager \
  --domain=$DOMAIN_NAME
- Open the Che dashboard:
chectl dashboard:open
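The CheCluster patch above relies on two claims being present in the access token Entra issues to the Che application: unique_name (read by CHE_OIDC_EMAIL__CLAIM) and groups (requested through the optional claims and groupMembershipClaims settings). As an added diagnostic that is not part of the original page or the Che project, the following script decodes a token's payload and reports which of those claims are missing, which is the first thing to check when login succeeds at Entra but Che rejects the user. It only decodes; it does not verify the signature, so it is for debugging claim mappings, never for trusting a token. The function names and the sample token are this example's own; the sample is constructed locally with a fake signature.

```shell
#!/usr/bin/env bash
# Added example: inspect an Entra ID access token for the claims Che expects.
# Decode only, no signature verification.
set -eu

# Decode one base64url JWT segment (1 = header, 2 = payload) to JSON.
jwt_segment() {
  local token=$1 idx=$2 seg pad
  seg=$(printf '%s' "$token" | cut -d. -f"$idx" | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))          # restore stripped '=' padding
  seg="$seg$(printf '%*s' "$pad" '' | tr ' ' '=')"
  printf '%s' "$seg" | base64 -d
}

# Print the value of a top-level string claim, or nothing if absent.
jwt_claim() {
  local token=$1 claim=$2
  jwt_segment "$token" 2 | sed -n "s/.*\"$claim\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the token carries every claim Che's configuration reads,
# otherwise list the missing ones on stderr and return 1.
che_token_check() {
  local token=$1 missing=0 c
  for c in unique_name groups; do
    if ! jwt_segment "$token" 2 | grep -q "\"$c\":"; then
      echo "missing claim: $c" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample token (assumption, not a real Entra token): a payload in
# the shape the Che configuration expects, with a placeholder signature.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"aud":"6dae42f8-4368-4678-94ff-3960e28e3630","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/","unique_name":"alice@example.com","groups":["11111111-1111-1111-1111-111111111111"]}'
SAMPLE_TOKEN="$(b64url "$SAMPLE_HEADER").$(b64url "$SAMPLE_PAYLOAD").c2ln"

# Usage with a token issued to the Che application:
#   che_token_check "$TOKEN" && echo "user: $(jwt_claim "$TOKEN" unique_name)"
```

A token minted for a different client (for example one obtained with az account get-access-token) is issued under that client's registration, so a missing groups claim there says nothing about the Che application; test with a token the Che login flow actually received.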