Comments (18)
Hello @KTzerras
I've recently validated the documentation.
What kind of error do you have?
from che.
We executed (as we believe 1:1) several instructions of page https://eclipse.dev/che/docs/stable/administration-guide/installing-che-on-microsoft-azure/
The only deviations we made were the following
a) instead of executing the following commands
AAD_GROUP_NAME=AKSAdmins
az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME
az ad signed-in-user show --query id --output tsv
az ad group member add --group $AAD_GROUP_NAME \
  --member-id $(az ad signed-in-user show --query id --output tsv)
we set up a user group named "SoMa Developers" via the Azure Portal, assigned 3 users to it and used the UUID of this user group in the command
az aks create \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME \
  --enable-aad \
  --aad-admin-group-object-ids <UUID of the user group "SoMa Developers"> \
  --generate-ssh-keys
b) Furthermore, we applied the following che-cluster-patch.yaml:
spec:
  networking:
    auth:
      identityProviderURL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXXX/v2.0/"
      identityToken: access_token
      oAuthClientName: 58affa1d-fdb7-4365-b9c1-XXXXXXXXXXX
      oAuthSecret: gKO8QaSk6ryE3mzSMWXwKXXXXXXXXX-XXXXXXX
      oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
      gateway:
        deployment:
          containers:
          - env:
            - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
              value: "true"
            name: oauth-proxy
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXX/v2.0/"
        CHE_OIDC_EMAIL__CLAIM: unique_name
c) Furthermore, since in the documentation it was not clear what value we should put in the variable $ECLIPSE_CHE_APPLICATION_ID in the following command:
oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)
we decided to put the value that we received via the command
az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv
in the variable $ECLIPSE_CHE_APPLICATION_ID of the above command.
After successful deployment (no error message was reported) via the command
chectl server:deploy --platform=k8s --che-operator-cr-patch-yaml=che-cluster-patch.yaml --skip-oidc-provider-check --skip-cert-manager --domain=ide.software-machines.online
we navigated to the Che cluster instance via the command
chectl dashboard:open
and received a 500 Internal Server Error in the browser, and in the log file we received the errors contained in the attachment.
REMARK: While trying to resolve this error we also executed again the command
oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)
but by putting this time the value that we received via the command
az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv
as you had suggested to us in the Ticket #22849
This though did not solve the problem.
Thank you in advance for any advice.
from che.
Let me try to replicate it.
from che.
I created a group, added a new user to it (as you described).
Then I followed the documentation and deployed Eclipse Che on AKS
from che.
Hello @tolusha, this is good news!
Just 2 questions:
- Was the che-cluster-patch.yaml you used equivalent to the one we used (c.f. b) above)?
- Did you use
az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv
or
az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv
as a value for the variable $ECLIPSE_CHE_APPLICATION_ID (c.f. c) above)?
from che.
I used the one from [1], it was id
[1] https://eclipse.dev/che/docs/next/administration-guide/installing-che-on-microsoft-azure/#installing-che-on-microsoft-azure-kubernetes-service
from che.
@KTzerras I also set it up last month. It worked fine for me.
from che.
Thanks for your quick response @tolusha and @maheshrajrp
I am a colleague of @KTzerras and speaking on his behalf.
After receiving your suggestions that everything was functioning properly, we are attempting a clean installation from scratch and have reached the stage where we need to declare our domain name.
We already have a registered domain (it looks like “ultraXXXX.cloud”) and of course all of its subdomains. In our previous installation, we declared the domain variables as shown below:
DOMAIN_NAME="ultraXXXX.cloud"
The only exception was when executing the chectl server deploy command where in the equivalent field we were using “che.ultraXXXX.cloud”
To clarify, in your installations, how did you declare the DOMAIN_NAME fields?
Thank you in advance
from che.
Hello, @NickLagogiannis
In my case it was DOMAIN_NAME=eclipse-che-<...>.site for all steps.
So, using che.<..>.cloud might be a culprit.
from che.
Hi @NickLagogiannis ,
mine was similar to dev.example.club.
from che.
Thanks for your reply,
We tried to make a clean installation again using the same domain name in each field. We followed the installation guide step by step again, with the addition of an extra DNS record set using the symbol "@".
We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.
After following the guide again until the end, we are still experiencing the same issue (internal server error), and the log files of oauth proxy are the same.
I am attaching a document containing every step I have followed in order to delete and make a clean installation, with the equivalent responses. Do you have any suggestions or observations that could help us fix this issue?
Eclipse-Che_Installation_Detailed_Actions.pdf
Thank you very much for your time.
from che.
@NickLagogiannis
Let me prepare a video guide; I hope it will help to identify issues.
from che.
Hello, @KTzerras
Unfortunately, I have second thoughts about recording a video.
It might reveal some sensitive data during recording.
> We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.
I had to add 2 DNS record sets, * and @, as well, but only for my registrar.
I went through the uploaded documentation and I didn't see that you replicated the _acme-challenge record.
Could you print the error you had one more time, because I can barely see it in the attachment.
from che.
Hello @tolusha ,
Sure, this is the output of the command after error 500 occurs: kubectl logs -n eclipse-che -l component=che-gateway -c oauth-proxy
10.244.4.8:54862 - bdd679579037615aaa9ec32faa3464a1 - - [2024/03/29 10:40:32] software-machines.online GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 173 0.015
10.244.4.8:54862 - 6e261b7f98965dcb6cd5d653bd2d889f - - [2024/03/29 10:40:33] software-machines.online GET / "/dashboard/static/preload/accept-factory-link.js" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 10964 0.002
[2024/03/29 10:40:33] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 65bcaf6f86f4fc09c9143554be98289b - - [2024/03/29 10:40:33] software-machines.online GET - "/dashboard/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 430 0.000
[2024/03/29 10:40:34] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:34","request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5","client-request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5"}}}
10.244.4.8:54862 - 742562785ab04d57a928a09bc5274ce3 - - [2024/03/29 10:40:34] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P8uTMryZSzFA7xYG1Dq03eRECJ-kLEskKKCmjxRW7hu4ZNHILWUda12-mV5f5KYbZqKiiZTL1Vb7Dr0V8sQmPTXwQNHwj_tOuWB4ZxsoSS9nG53YjphZIbfYquPLvFfhV_7ZxZct0WYdobaIuJYfrj2OXKc1Ju-YPsxqCVrflXYTrxWbeaaky1uK7SKVl_Dt-mRfR8dBhf7ldQcCm8_xA2xX9_mQCqzXa5APYeuGWpINgLLy8lc5-pk5PTz5j97aajAbPX1XcJw55bngl2giHJ-hnA9X1H2Vj3JZWqWh8fpXtcGd2RdWb-_uMiKSvndWoBO2rmDPvGDH7O79nxt_fOARUPO60yFfPsNSgFMRd7hd8EBlCd2T4ckDw0UL6XiZisd0sa3nh6pJx-BYkz7esIgqDE6UstpNBNcv6VvLMVU4BpBFkaBfPlH1di-g2WrMSIHsAavxKW0jL5rcXHf7cMp8LDIuBgWLdbpi3rMvCTeIwNs2Pu9cB2v9Q5kfSRWB3LWLC4_OR2HauSbU4h3X3fn8YWspRUdOecFEfzlrP3dRNyV5-rLau3fcjrAyOzVy6m59gX0PhmpVqwYgis4LjYqMA-8FshZX6z_cxAF9mpOIQATTfhy9-N8bA1FBxOPSCE4dohhwX_shqGMaWLmQnmEEeLqoXwyhAsUjyCmprGjUV6X0kePK8ZgwV5OsL6hQbZaFAbTiAcqo8uELVcBBY1G3QZnkwVc1QkQV8yPrxytJbWOAFmpbyImcdfVKARWYwT32SgmzkWt5WxBwzLi&state=UCHJp8QCmRsuE_o4mdP8Bz2Em5BYl_xF7NAMUzLksBE%3a%2fdashboard%2f&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.481
[2024/03/29 10:40:34] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 1e176b3f437081ef51c109f21142fd03 - - [2024/03/29 10:40:34] software-machines.online GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 429 0.000
[2024/03/29 10:40:35] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:35","request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0","client-request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0"}}}
10.244.4.8:54862 - 13260d714368eb1a9773862d351c4198 - - [2024/03/29 10:40:35] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P_xq1r5XgsPIOPVHQ-ki_HmTy9T5gnLfJaRFV8wL6VaJRyufms5mQItLmnltNHrcYvie6ZdUXmFIPBWXzyAhRWZ4-Fd5-KuaWx70ZCqcriet_dJieKOTay48TjirIcoxs8vYUOzRst-PG5SlbcO6UmrSjJjchX8JpCaNX6SOtUfzoQ2G54ZGO811Q5P2kMRww3vXr0ZAUXWNpIuliDpOiY9Q5meDq95txwLiSaTr2NdSfma8fB6A77OnNTrhlxCHBDrWxBCXXITqRbh8reirsV6DwH5uUAYgF6J4ASsymMv93TtTufGw4o94L-f7HzEHEC-yWTnFfMeRPLvvg-MFd5UToSwKYEVv_vgR_e94x0BXcsPqlJhjYQa_P97Z12rhG49OJMn7dkolzwNfJLuDNHm0Cxr3ERE2MEUdIAsIMkVG2XEOMHS3SZRITyUibT7KoTDuDiC1N91Sw58Eh2-lsqQsPeK2KrNJjjMdNM18Y1ZqAl1ycOq5Apw8oj9Q2npmFKZiH7THDQbxP1uQWV21Vt2nFGgIERI-VMy9s1K5R-cO2L0PuSx3LnJ9mJv8H8CUp7JmAvEPPHLh7FCfw1-sYVzRdoU3j3A8p4af6VQK0Afe-0gVYdK1-Qt0SAdOJCTadyHdnd4Tb5uU79uonvj7yXoG4EkuIPk38G8UEbLSetJB5EeV0mz_e7k6dUlaDuLTy-wwyK6uM84I-RKWJAylBYjSe_rIusjy5hNHHdmM01y-dhhqg11sZwDJOxiOPV0dl1LqC_Qk9lTfJiV&state=m71pv4lD6g8P0u-SRv2ZBmHMcrxVZT4zc1pmgohG6gk%3a%2ffavicon.ico&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.149
I am uploading it again also as a screenshot:
from che.
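An added example, not part of the original thread and not code from the Che or oauth2-proxy projects: a small triage script for oauth-proxy output like the log above. It pulls out failed OAuth2 callbacks with the provider's JSON error decoded, and masks the `code`, `state` and `session_state` query values before a log is shared publicly. The sample lines are constructed placeholders, and the regexes assume the line layout quoted in this thread.

```python
import json
import re

# Constructed sample lines in the shape of the oauth-proxy output quoted above
# (all values are placeholders, not taken from the thread).
SAMPLE_LOG = '''\
[2024/01/01 00:00:01] [oauthproxy.go:959] No valid authentication in request. Initiating login.
[2024/01/01 00:00:02] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"request-id":"00000000-0000-0000-0000-000000000000"}}}
10.0.0.1:1234 - abc - - [2024/01/01 00:00:02] che.example.test GET - "/oauth/callback?code=PLACEHOLDER_CODE&state=PLACEHOLDER_STATE%3a%2fdashboard%2f&session_state=PLACEHOLDER_SESSION" HTTP/1.1 "Mozilla/5.0" 500 2836 0.481
'''

SENSITIVE = re.compile(r'\b(code|state|session_state)=[^&"\s]+')
CALLBACK_ERR = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[oauthproxy\.go:\d+\] '
    r'Error redeeming code during OAuth2 callback: (?P<detail>.*)$')


def redact(line):
    """Mask OAuth query parameters so the line can be shared publicly."""
    return SENSITIVE.sub(lambda m: m.group(1) + "=<redacted>", line)


def callback_failures(log_text):
    """Return one dict per failed callback, with the provider's JSON error decoded."""
    failures = []
    for line in log_text.splitlines():
        m = CALLBACK_ERR.match(line)
        if not m:
            continue
        detail = m.group("detail")
        entry = {"time": m.group("ts"), "status": None, "code": None, "message": None}
        status = re.search(r'unexpected status "(\d+)"', detail)
        if status:
            entry["status"] = int(status.group(1))
        brace = detail.find("{")
        if brace != -1:
            try:
                err = json.loads(detail[brace:]).get("error", {})
                entry["code"], entry["message"] = err.get("code"), err.get("message")
            except json.JSONDecodeError:
                pass  # body truncated or not JSON; leave code/message as None
        failures.append(entry)
    return failures


if __name__ == "__main__":
    for f in callback_failures(SAMPLE_LOG):
        print(f)
    print(redact(SAMPLE_LOG.splitlines()[-1]))
```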
@NickLagogiannis Just a suggestion: this might be an entirely different approach, but it might help with the blame game.
In my case, I completely skipped Azure DNS and used a typical A record (I use porkbun DNS). I ignored the cert-manager and used Che's default inbuilt cert-manager, and it worked like a charm.
Edit: Used an ingress-controller external IP for DNS.
from che.
We gave it up: Installing EclipseChe on Azure is a Sisyphus task. We successfully moved to Eclipse Theia.
Nevertheless thank you very much for your support :-)
from che.