Developing in the Cloud
When developing software at scale, you might need to experiment on large or very specific hardware. Having this computing capacity all for yourself is a luxury, and this is why companies sometimes want to offer shared computing resources to their collaborators.
Another reason for moving your dev environment to the Cloud is hardware maintenance. Imagine you have to administer thousands of machines for your developers. Updating them one by one, even with tools such as GPOs or Ansible, can be time-consuming: some hardware may no longer be supported (think about GPU drivers), and each machine is prone to upgrade errors.
A shared environment will be simpler to administer and update over time. Of course, this only holds if you have a good network connection.
Eclipse Che
Eclipse Che is an open-source cloud-based integrated development environment (IDE) that enables developers to create and manage code in the Cloud.
It provides a browser-based workspace that includes all the tools and resources needed to develop, build, test, and deploy applications in a containerized environment.
Basically, this is VSCode in a browser, running on your own server.
Deploying Eclipse Che on Kubernetes
This section is about deploying Eclipse Che on your own Kubernetes cluster (installed with kubeadm or similar). If you want to deploy on Minikube, please follow the official tutorial.
Prerequisite: from now on, I assume you have a working Kubernetes cluster set up and running with an Ingress controller installed. Your cluster must be accessible with kubectl.
General recommendations before starting your installation: Eclipse Che has heavy deployment requirements (Keycloak, Kubernetes with OIDC, cert-manager). It is recommended to dedicate a machine to your shared development environment that is NOT co-installed with production software, for both performance stability and security. Do it bare-metal or deploy a dedicated VM.
Che authenticates users with OIDC using a provider such as Keycloak. We first need to install Keycloak and bind it to our Kubernetes cluster. We’ll configure a client and create the “admin” and “developers” groups.
Finally, we’ll be starting up our Eclipse Che server and creating our first workspace.
This blog article has a companion repo we will use to ease our setup.
1. Clone the companion repo
git clone https://github.com/flavienbwk/eclipse-che-kubernetes && cd eclipse-che-kubernetes
As a reminder, you must have cert-manager installed on your Kubernetes cluster.
2. Install Keycloak on your cluster
cp ./keycloak/.env.example ./keycloak/.env
In ./keycloak/.env, replace “xxx.xxx.xxx.xxx” with the IP of your Kubernetes cluster.
We’re using nip.io, so we don’t have to edit our /etc/hosts file to bind a local domain name to our server IP.
Now let’s generate Keycloak’s certificates and start our server.
export $(grep -v '^#' ./keycloak/.env | xargs)
cd keycloak
bash ./generate-certs.sh
docker-compose up -d
The following commands will create and configure our “kubernetes” client, create the “admin” (cluster-wide permissions) and “developer” (Che workspaces permissions only) roles, and assign the “admin” role to our admin user.
bash ./configure-keycloak.sh
cd ..
kubectl create ns test-ns
kubectl apply -f ./rbac.yaml
Now, visit https://keycloak.xxx.xxx.xxx.xxx.nip.io, click “Administration console” and log in with admin/admin credentials.
3. Configure Kubernetes to use Keycloak as OIDC provider
This will allow Eclipse Che to create development workspaces (pods, services, pvc) on behalf of our web-authenticated user inside our Kubernetes cluster.
Let’s make Keycloak’s certificate recognized by our system (and by our Kubernetes cluster):
sudo cp ./keycloak/certs/ca/root-ca.pem /etc/ca-certificates/keycloak-ca.pem
We now need to expose Keycloak’s traffic through our Ingress Controller:
kubectl create secret tls tls-keycloak-ingress --cert ./keycloak/certs/keycloak/keycloak.pem --key ./keycloak/certs/keycloak/keycloak.key
sed "s|\$KEYCLOAK_EXTERNAL_URL|${KEYCLOAK_EXTERNAL_URL#https://}|g" ingress-keycloak-example.yaml > ingress-keycloak.yaml
sed -i "s|\$CHE_EXTERNAL_URL|${CHE_EXTERNAL_URL#https://}|g" ingress-keycloak.yaml
kubectl apply -f ./ingress-keycloak.yaml
Now, add the following lines to your kube-apiserver configuration file /etc/kubernetes/manifests/kube-apiserver.yaml:
- --oidc-issuer-url=https://keycloak.xxx.xxx.xxx.xxx.nip.io/realms/master
- --oidc-client-id=kubernetes
- --oidc-username-claim=email
- --oidc-groups-prefix='keycloak:'
- --oidc-groups-claim=groups
- --oidc-ca-file=/etc/ca-certificates/keycloak-ca.pem
Wait about 1 minute and make sure kubectl get po -A works again. If it does not, check the logs from kubelet and Keycloak.
If it works, we’re good to go! 🙌
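To see which identity these flags hand to Kubernetes RBAC, here is an added example (not from the companion repo) that applies the same claim mapping to a constructed, unsigned sample token. It assumes the groups prefix resolves to the bare string keycloak: and skips signature verification, which the API server always performs; make_token and map_identity are hypothetical helper names.

```python
import base64
import json
import time

# Values from the kube-apiserver flags above. Assumption: the groups prefix
# is the bare string keycloak: (no quote characters).
ISSUER = "https://keycloak.xxx.xxx.xxx.xxx.nip.io/realms/master"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"
GROUPS_PREFIX = "keycloak:"


def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Build a constructed, unsigned sample token (hypothetical helper)."""
    return ".".join([b64url({"alg": "RS256"}), b64url(claims), "c2ln"])


def map_identity(token, now=None):
    """Return (username, groups) as RBAC sees them. Signature checking is
    skipped so this runs offline; the API server always performs it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now

    if claims.get("iss") != ISSUER:  # exact match, a trailing slash fails
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("client id not in audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if USERNAME_CLAIM not in claims:
        raise ValueError("username claim missing")
    # With the email claim, a present email_verified must be true.
    if USERNAME_CLAIM == "email" and claims.get("email_verified", True) is not True:
        raise ValueError("email not verified")

    groups = claims.get(GROUPS_CLAIM, [])
    groups = [groups] if isinstance(groups, str) else groups
    return claims[USERNAME_CLAIM], [GROUPS_PREFIX + g for g in groups]
```

A token without the groups claim still authenticates but carries no keycloak: groups, so role bindings that target those groups do not apply to it.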
4. Install Eclipse Che
Che can be easily installed with the chectl command-line tool. Let’s install it:
bash <(curl -sL https://www.eclipse.org/che/chectl/)
Let’s now configure Che’s namespace with Keycloak’s certificate and start the install:
kubectl create namespace eclipse-che
kubectl create configmap keycloak-certs \
    --from-file=keycloak-ca.crt=./keycloak/certs/keycloak/tls.crt \
    -n eclipse-che
kubectl label configmap keycloak-certs \
    app.kubernetes.io/part-of=che.eclipse.org \
    app.kubernetes.io/component=ca-bundle \
    -n eclipse-che
cp che-patch-example.yaml che-patch.yaml
sed -i "s|\$KEYCLOAK_CHE_CLIENT_SECRET|${KEYCLOAK_CHE_CLIENT_SECRET}|g" che-patch.yaml
sed -i "s|\$KEYCLOAK_CHE_CLIENT_ID|${KEYCLOAK_CHE_CLIENT_ID}|g" che-patch.yaml
sed -i "s|\$KEYCLOAK_EXTERNAL_URL|${KEYCLOAK_EXTERNAL_URL}|g" che-patch.yaml
sed -i "s|\$CHE_EXTERNAL_URL|${CHE_EXTERNAL_URL}|g" che-patch.yaml
chectl server:deploy --domain=${CHE_EXTERNAL_URL#*://} --platform=k8s --che-operator-cr-patch-yaml=./che-patch.yaml --telemetry=off --skip-cert-manager
5. Log in
Visit che.xxx.xxx.xxx.xxx.nip.io and log in.
You should now see the Eclipse Che dashboard.
You can now enjoy a fully-featured dev environment. Congrats ✨