Che: Can not enable oAuth on OCP 4.6 using OperatorHub with the default CR

Created on 12 Nov 2020 · 5 Comments · Source: eclipse/che

Describe the bug

Can not enable oAuth on OCP 4.6 using OperatorHub with the default CR #18346

Che version

  • 7.21.1

Steps to reproduce

  1. fresh OCP 4.6
  2. install Eclipse Che 7.21.1 operator
  3. Create Eclipse Che CR with the default config
apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  namespace: eclipse-che
  name: eclipse-che
spec:
  auth:
    identityProviderURL: ''
    identityProviderRealm: ''
    identityProviderImage: ''
    identityProviderClientId: ''
    externalIdentityProvider: false
    openShiftoAuth: true
  database:
    chePostgresUser: ''
    externalDb: false
    chePostgresHostName: ''
    chePostgresPassword: ''
    chePostgresDb: ''
    chePostgresPort: ''
  metrics:
    enable: true
  server:
    pluginRegistryImage: ''
    selfSignedCert: false
    devfileRegistryImage: ''
    tlsSupport: true
    cheImageTag: ''
  storage:
    preCreateSubPaths: true
    pvcClaimSize: 1Gi
    pvcStrategy: per-workspace

ERROR: The Eclipse Che is created with oAuth disabled.

Expected behavior

The Eclipse Che is created with oAuth enabled

Runtime

OCP 4.6

Installation method

Operatorhub

Logs from operator

time="2020-11-12T14:14:12Z" level=warning msg="No Openshift identity providers. Openshift oAuth was disabled. How to add identity provider read in the Help Link: https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html#identity-provider-overview_understanding-identity-provider"

All 5 comments

After installation with chectl I have the following configuration:

spec:
  auth:
    identityProviderURL: 'https://keycloak-che.apps.cluster-2d6e.2d6e.example.opentlc.com'
    identityProviderRealm: che
    updateAdminPassword: false
    identityProviderIngress: {}
    oAuthSecret: S5T9SmPjY5J9
    oAuthClientName: eclipse-che-openshift-identity-provider-8sxaiy
    identityProviderClientId: che-public
    identityProviderPostgresSecret: che-identity-postgres-secret
    identityProviderRoute: {}
    externalIdentityProvider: false
    identityProviderSecret: che-identity-secret
    openShiftoAuth: true
  database:
    chePostgresDb: dbche
    chePostgresHostName: postgres
    chePostgresPort: '5432'
    chePostgresSecret: che-postgres-secret
    externalDb: false
  k8s:
    ingressDomain: 192.168.99.101.nip.io
    tlsSecretName: che-tls
  metrics:
    enable: true
  server:
    cheLogLevel: INFO
    externalDevfileRegistry: false
    pluginRegistryIngress: {}
    cheServerRoute: {}
    devfileRegistryIngress: {}
    cheHost: che-che.apps.cluster-2d6e.2d6e.example.opentlc.com
    selfSignedCert: false
    cheServerIngress: {}
    cheDebug: 'false'
    tlsSupport: true
    allowUserDefinedWorkspaceNamespaces: false
    pluginRegistryRoute: {}
    devfileRegistryRoute: {}
    cheImage: 'XXXX'
    externalPluginRegistry: false
    gitSelfSignedCert: false
    cheFlavor: che
    cheImageTag: 'YYY'
  storage:
    preCreateSubPaths: true
    pvcClaimSize: 1Gi
    pvcStrategy: common

@skabashnyuk I suspect that previously those values were detected automatically during the installation and it was not required to add it to CR explicitly:

    identityProviderURL: 'https://keycloak-che.apps.cluster-2d6e.2d6e.example.opentlc.com'
    identityProviderRealm: che
    updateAdminPassword: false
    identityProviderIngress: {}
    oAuthSecret: S5T9SmPjY5J9
    oAuthClientName: eclipse-che-openshift-identity-provider-8sxaiy
    identityProviderClientId: che-public
    identityProviderPostgresSecret: che-identity-postgres-secret
    identityProviderRoute: {}
    externalIdentityProvider: false

OAuth just worked OOTB with the default config.

@skabashnyuk also, could you please clarify which chectl command was used for installation?

@ibuziuk
When a fresh OCP cluster is set up, there are no identity providers [1] configured and there is only the kubeadmin user.
So, if Eclipse Che is deployed with OAuth enabled, there is no way to log in, since kubeadmin can't be used with OAuth [2].
That's why the operator checks [3] whether any identity providers are configured and turns OAuth off if none exist.
There is an enhancement [4] for this use case. I guess it sheds some light on the problem.

[1] https://docs.openshift.com/container-platform/4.6/authentication/understanding-identity-provider.html#identity-provider-overview_understanding-identity-provider
[2] Verify if kubeadmin can be a regular OAuth user with latest Keycloak and OpenShift https://github.com/eclipse/che/issues/16835
[3] Improve operator-based deployment when kubeadmin is the only user https://github.com/eclipse/che/issues/16834
[4] Create a valid user if no one exist when deploying on OpenShift https://github.com/eclipse/che/issues/18152
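The operator's precondition described in the comment above (OAuth stays on only when the cluster has at least one identity provider) can be checked by hand before creating the CheCluster CR. The following is an added example, not code from the Che operator or the commenters; the function name che_oauth_decision and the CHE_PRECHECK_LIVE switch are hypothetical. It reads the provider names from the cluster-scoped OAuth object with `oc get oauth cluster -o jsonpath=...`, which is what the operator's warning in the issue is about, and reports whether `openShiftoAuth: true` in the CR would be honoured or silently turned off.

```shell
#!/bin/sh
# che_oauth_decision: mirror the operator's check from the issue.
# Argument: space-separated identity provider names, as printed by
#   oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}'
# Prints the decision and returns 0 (OAuth usable) or 1 (OAuth would be disabled).
che_oauth_decision() {
  providers="$1"
  if [ -z "$providers" ]; then
    # Same situation as the log line in the report: no IdP, kubeadmin only,
    # so the operator flips openShiftoAuth to false and warns.
    echo "disabled: no OpenShift identity providers configured; kubeadmin cannot log in through OAuth"
    return 1
  fi
  echo "enabled: identity providers found: $providers"
  return 0
}

# Live check against the current cluster only when explicitly requested and
# oc is on PATH; otherwise the function is just defined for reuse.
# (CHE_PRECHECK_LIVE is an assumed, hypothetical switch for this example.)
if [ "${CHE_PRECHECK_LIVE:-0}" = "1" ] && command -v oc >/dev/null 2>&1; then
  che_oauth_decision "$(oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}')"
fi
```

Run it with CHE_PRECHECK_LIVE=1 while logged in as a cluster admin; a non-zero exit means the default CR with `openShiftoAuth: true` will come up with OAuth disabled, exactly as reported in this issue, until an identity provider is added.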

@tolusha thanks for the clarification. Indeed #18152 would be really nice to have since currently the default config looks misleading. I believe the issue can be closed since all seems to work as expected.

Yes, that's expected behavior.
