
Comments (18)

tolusha commented on July 17, 2024

Hello @KTzerras
I've recently validated the documentation.
What kind of error do you have?

from che.

KTzerras commented on July 17, 2024

We executed (as we believe 1:1) several instructions of page https://eclipse.dev/che/docs/stable/administration-guide/installing-che-on-microsoft-azure/

The only deviations we made were the following

a) instead of executing the following commands

AAD_GROUP_NAME=AKSAdmins

az ad group create --display-name $AAD_GROUP_NAME --mail-nickname $AAD_GROUP_NAME

az ad signed-in-user show --query id --output tsv
az ad group member add --group $AAD_GROUP_NAME \
  --member-id $(az ad signed-in-user show --query id --output tsv)

we set up a user group named "SoMa Developers" via the Azure Portal, assigned 3 users to it and used the UUID of this user group in the command

az aks create \
  --resource-group $ECLIPSE_CHE_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME \
  --enable-aad \
  --aad-admin-group-object-ids <UUID of the user group "SoMa Developers"> \
  --generate-ssh-keys

b) Furthermore, we applied the following che-cluster-patch.yaml:

spec:
  networking:
    auth:
      identityProviderURL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXXX/v2.0/"
      identityToken: access_token
      oAuthClientName: 58affa1d-fdb7-4365-b9c1-XXXXXXXXXXX
      oAuthSecret: gKO8QaSk6ryE3mzSMWXwKXXXXXXXXX-XXXXXXX
      oAuthScope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
      gateway:
        deployment:
          containers:
          - env:
            - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
              value: "true"
            name: oauth-proxy
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_AUTH__SERVER__URL: "https://sts.windows.net/1e6eb10c-ccbd-416a-9410-XXXXXXXXX/v2.0/"
        CHE_OIDC_EMAIL__CLAIM: unique_name

c) Furthermore, since in the documentation it was not clear what value we should put in the variable $ECLIPSE_CHE_APPLICATION_ID in the following command:

oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)

we decided to put the value that we received via the command

az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv

in the variable $ECLIPSE_CHE_APPLICATION_ID of the above command.

After successful deployment (no error message was reported) via the command

chectl server:deploy --platform=k8s --che-operator-cr-patch-yaml=che-cluster-patch.yaml --skip-oidc-provider-check --skip-cert-manager --domain=ide.software-machines.online

we navigated to the Che cluster instance via the command

chectl dashboard:open

and received 500 Internal Server Error in the Browser and in the log file we received the errors contained in the attachment
che-gateway_log-file-excerpt

REMARK: While trying to resolve this error we also executed again the command

oAuthSecret: $(az ad app credential reset --id $ECLIPSE_CHE_APPLICATION_ID --query "password" --output tsv)

but by putting this time the value that we received via the command

az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv

as you had suggested to us in the Ticket #22849

This though did not solve the problem.

Thank you in advance for any advice

from che.

tolusha commented on July 17, 2024

Let me try to replicate it.

from che.

tolusha commented on July 17, 2024

I created a group, added a new user to it (as you described).
Then I followed the documentation and deployed Eclipse Che on AKS

from che.

tolusha commented on July 17, 2024

Screenshot from 2024-03-06 12-37-24

from che.

KTzerras commented on July 17, 2024

Hello @tolusha, this is good news!
Just 2 questions:

  1. Was the che-cluster-patch.yaml you used equivalent to the one we used (c.f. b) above)?
  2. Did you use
    az ad app list --query "[?displayName=='Eclipse Che'].appId" --output tsv
    or
    az ad app list --query "[?displayName=='Eclipse Che'].Id" --output tsv
    as a value for the variable $ECLIPSE_CHE_APPLICATION_ID (c.f. c) above)?

from che.

tolusha commented on July 17, 2024

I used the one from [1], it was id
[1] https://eclipse.dev/che/docs/next/administration-guide/installing-che-on-microsoft-azure/#installing-che-on-microsoft-azure-kubernetes-service

from che.

maheshrajrp commented on July 17, 2024

@KTzerras I too set this up in the last month. Worked fine for me.

from che.

NickLagogiannis commented on July 17, 2024

Thanks for your quick response @tolusha and @maheshrajrp
I am a colleague of @KTzerras and speaking on his behalf.

After receiving your suggestions that everything was functioning properly, we are attempting a clean installation from scratch and have reached the stage where we need to declare our domain name.

DomainName1

We already have a registered domain (it looks like “ultraXXXX.cloud”) and of course all of its subdomains. In our previous installation, we declared the domain variables as shown below:
DOMAIN_NAME="ultraXXXX.cloud"

DomainName2
DomainName3
DomainName4
DomainName5

The only exception was when executing the chectl server deploy command where in the equivalent field we were using “che.ultraXXXX.cloud”

DomainName6

To clarify, in your installations, how did you declare the DOMAIN_NAME fields?

Thank you in advance

from che.

tolusha commented on July 17, 2024

Hello, @NickLagogiannis
In my case it was DOMAIN_NAME=eclipse-che-<...>.site for all steps.
So, using che.<..>.cloud might be a culprit.

from che.

maheshrajrp commented on July 17, 2024

Hi @NickLagogiannis ,
mine was similar to dev.example.club.

from che.

NickLagogiannis commented on July 17, 2024

Thanks for your reply,

We tried to make a clean installation again using the same domain name in each field. We followed the installation guide again step by step, with the addition of an extra DNS record set using the symbol "@".

We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.

After following the guide again until the end, we are still experiencing the same internal server error issue and the log files of oauth proxy are the same.

I am attaching a document containing every step I have followed in order to delete and make a clean installation, with its equivalent responses. Do you have any suggestions or observations that could help us fix this issue?

Eclipse-Che_Installation_Detailed_Actions.pdf

Thank you very much for your time.

from che.

tolusha commented on July 17, 2024

@NickLagogiannis
Let me prepare some video guide, I hope it will help to identify issues.

from che.

KTzerras commented on July 17, 2024

from che.

tolusha commented on July 17, 2024

Hello, @KTzerras
Unfortunately I have second thoughts about recording a video.
It might reveal some sensitive data during recording.

> We had tried using only "*" DNS record set, but the browser couldn't find our page at all (similar to : eclipse-che-<...>.site ). So having two record sets solved this issue.

I had to add 2 DNS record sets, * and @, as well, but only for my registrar.

I went through the uploaded documentation and I didn't see that you replicated the _acme-challenge record.
Could you print the error you had one more time, because I can barely see it in the attachment.

from che.

NickLagogiannis commented on July 17, 2024

Hello @tolusha ,
Sure, this is the output of command after error 500 occurs: kubectl logs -n eclipse-che -l component=che-gateway -c oauth-proxy

10.244.4.8:54862 - bdd679579037615aaa9ec32faa3464a1 - - [2024/03/29 10:40:32] software-machines.online GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 173 0.015
10.244.4.8:54862 - 6e261b7f98965dcb6cd5d653bd2d889f - - [2024/03/29 10:40:33] software-machines.online GET / "/dashboard/static/preload/accept-factory-link.js" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 200 10964 0.002
[2024/03/29 10:40:33] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 65bcaf6f86f4fc09c9143554be98289b - - [2024/03/29 10:40:33] software-machines.online GET - "/dashboard/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 430 0.000
[2024/03/29 10:40:34] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:34","request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5","client-request-id":"622704fd-1d27-474a-a2c6-3e61c0e3ccd5"}}}
10.244.4.8:54862 - 742562785ab04d57a928a09bc5274ce3 - - [2024/03/29 10:40:34] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P8uTMryZSzFA7xYG1Dq03eRECJ-kLEskKKCmjxRW7hu4ZNHILWUda12-mV5f5KYbZqKiiZTL1Vb7Dr0V8sQmPTXwQNHwj_tOuWB4ZxsoSS9nG53YjphZIbfYquPLvFfhV_7ZxZct0WYdobaIuJYfrj2OXKc1Ju-YPsxqCVrflXYTrxWbeaaky1uK7SKVl_Dt-mRfR8dBhf7ldQcCm8_xA2xX9_mQCqzXa5APYeuGWpINgLLy8lc5-pk5PTz5j97aajAbPX1XcJw55bngl2giHJ-hnA9X1H2Vj3JZWqWh8fpXtcGd2RdWb-_uMiKSvndWoBO2rmDPvGDH7O79nxt_fOARUPO60yFfPsNSgFMRd7hd8EBlCd2T4ckDw0UL6XiZisd0sa3nh6pJx-BYkz7esIgqDE6UstpNBNcv6VvLMVU4BpBFkaBfPlH1di-g2WrMSIHsAavxKW0jL5rcXHf7cMp8LDIuBgWLdbpi3rMvCTeIwNs2Pu9cB2v9Q5kfSRWB3LWLC4_OR2HauSbU4h3X3fn8YWspRUdOecFEfzlrP3dRNyV5-rLau3fcjrAyOzVy6m59gX0PhmpVqwYgis4LjYqMA-8FshZX6z_cxAF9mpOIQATTfhy9-N8bA1FBxOPSCE4dohhwX_shqGMaWLmQnmEEeLqoXwyhAsUjyCmprGjUV6X0kePK8ZgwV5OsL6hQbZaFAbTiAcqo8uELVcBBY1G3QZnkwVc1QkQV8yPrxytJbWOAFmpbyImcdfVKARWYwT32SgmzkWt5WxBwzLi&state=UCHJp8QCmRsuE_o4mdP8Bz2Em5BYl_xF7NAMUzLksBE%3a%2fdashboard%2f&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.481
[2024/03/29 10:40:34] [oauthproxy.go:959] No valid authentication in request. Initiating login.
10.244.4.8:54862 - 1e176b3f437081ef51c109f21142fd03 - - [2024/03/29 10:40:34] software-machines.online GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 302 429 0.000
[2024/03/29 10:40:35] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:35","request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0","client-request-id":"6b3d25b0-a95c-4e0b-841b-ef44394abbb0"}}}
10.244.4.8:54862 - 13260d714368eb1a9773862d351c4198 - - [2024/03/29 10:40:35] software-machines.online GET - "/oauth/callback?code=0.AXkADLFuHr3MakGUEMNmXXrAe91qDK0FxtFPmS0DjGnIQRUMAeo.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P_xq1r5XgsPIOPVHQ-ki_HmTy9T5gnLfJaRFV8wL6VaJRyufms5mQItLmnltNHrcYvie6ZdUXmFIPBWXzyAhRWZ4-Fd5-KuaWx70ZCqcriet_dJieKOTay48TjirIcoxs8vYUOzRst-PG5SlbcO6UmrSjJjchX8JpCaNX6SOtUfzoQ2G54ZGO811Q5P2kMRww3vXr0ZAUXWNpIuliDpOiY9Q5meDq95txwLiSaTr2NdSfma8fB6A77OnNTrhlxCHBDrWxBCXXITqRbh8reirsV6DwH5uUAYgF6J4ASsymMv93TtTufGw4o94L-f7HzEHEC-yWTnFfMeRPLvvg-MFd5UToSwKYEVv_vgR_e94x0BXcsPqlJhjYQa_P97Z12rhG49OJMn7dkolzwNfJLuDNHm0Cxr3ERE2MEUdIAsIMkVG2XEOMHS3SZRITyUibT7KoTDuDiC1N91Sw58Eh2-lsqQsPeK2KrNJjjMdNM18Y1ZqAl1ycOq5Apw8oj9Q2npmFKZiH7THDQbxP1uQWV21Vt2nFGgIERI-VMy9s1K5R-cO2L0PuSx3LnJ9mJv8H8CUp7JmAvEPPHLh7FCfw1-sYVzRdoU3j3A8p4af6VQK0Afe-0gVYdK1-Qt0SAdOJCTadyHdnd4Tb5uU79uonvj7yXoG4EkuIPk38G8UEbLSetJB5EeV0mz_e7k6dUlaDuLTy-wwyK6uM84I-RKWJAylBYjSe_rIusjy5hNHHdmM01y-dhhqg11sZwDJOxiOPV0dl1LqC_Qk9lTfJiV&state=m71pv4lD6g8P0u-SRv2ZBmHMcrxVZT4zc1pmgohG6gk%3a%2ffavicon.ico&session_state=4dea82d7-6c4a-43f2-827f-987e003da937" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" 500 2836 0.149

I am uploading it again also as a screenshot:

Screenshot_1

Screenshot_2

from che.
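One way to triage and share oauth-proxy output like the log above, as an added example that is not part of the original thread or of the Che project: it extracts the upstream error from each failed code redemption and masks the `code`, `state` and `session_state` values of the callback URL. The sample lines are constructed in the format shown above, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the oauth-proxy log format shown above; every value is made up.
SAMPLE_LOG = '''\
[2024/03/29 10:40:33] [oauthproxy.go:959] No valid authentication in request. Initiating login.
[2024/03/29 10:40:34] [oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-03-29T10:40:34","request-id":"00000000-0000-0000-0000-000000000001","client-request-id":"00000000-0000-0000-0000-000000000001"}}}
10.0.0.1:5000 - abc123 - - [2024/03/29 10:40:34] che.example.test GET - "/oauth/callback?code=0.CONSTRUCTED-CODE&state=CONSTRUCTED-STATE%3a%2fdashboard%2f&session_state=11111111-2222-3333-4444-555555555555" HTTP/1.1 "Mozilla/5.0" 500 2836 0.481
'''

# Query parameters of the OAuth2 callback that should not leave the cluster.
SENSITIVE = re.compile(r'([?&](?:code|state|session_state)=)[^&"\s]+')
# oauth-proxy error line: timestamp, source location, then upstream status and JSON body.
REDEEM = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[oauthproxy\.go:\d+\] Error redeeming code.*?'
    r'unexpected status "(?P<status>\d+)": (?P<body>\{.*\})\s*$')

def redact(line):
    """Mask the authorization code, state and session_state values in one log line."""
    return SENSITIVE.sub(r'\1<redacted>', line)

def shareable(log_text):
    """Return the whole log with callback secrets masked, ready to attach to an issue."""
    return '\n'.join(redact(line) for line in log_text.splitlines())

def redeem_failures(log_text):
    """Return one dict per failed code redemption, with the profile URL's error details."""
    failures = []
    for line in log_text.splitlines():
        m = REDEEM.match(line)
        if not m:
            continue
        try:
            err = json.loads(m.group('body')).get('error', {})
        except json.JSONDecodeError:
            err = {}  # body was truncated or not JSON; keep the status anyway
        failures.append({
            'time': m.group('ts'),
            'status': int(m.group('status')),
            'code': err.get('code'),
            'message': err.get('message'),
            'request_id': err.get('innerError', {}).get('request-id'),
        })
    return failures

if __name__ == '__main__':
    for failure in redeem_failures(SAMPLE_LOG):
        print(failure)
    print(shareable(SAMPLE_LOG))
```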

maheshrajrp commented on July 17, 2024

@NickLagogiannis Just a suggestion, might be an entirely different approach, but might help with the blame game.

In my case, I completely skipped Azure DNS, and used a typical A record (I use porkbun DNS). Ignored the cert-manager, and used Che's default inbuilt cert-manager and it worked like a charm.

Edit: Used an ingress-controller external IP for DNS.

from che.

KTzerras commented on July 17, 2024

We gave it up: Installing EclipseChe on Azure is a Sisyphus task. We successfully moved to Eclipse Theia.
Nevertheless thank you very much for your support :-)

from che.
