eclipse-che-apb's Introduction

Eclipse Che APB

Description

Deploy Eclipse Che into your OpenShift project using an APB.

Requirements

  • Persistent Volumes

  • Kubernetes Service Catalog and Ansible Service Broker

    ## minishift with OpenShift 3.10
    export MINISHIFT_ENABLE_EXPERIMENTAL=y && \
    minishift config set iso-url centos && \
    minishift start --memory=8gb --cpus=4 --disk-size=50g \
                    --network-nameserver 8.8.8.8 \
                    --openshift-version 3.10.0-rc.0 \
                    --extra-clusterup-flags "--enable=service-catalog,router,registry,web-console,persistent-volumes,rhel-imagestreams,automation-service-broker"
  • ⚠️ ASB default configuration should be changed or Eclipse Che deployment will fail:

    • openshift sandbox_role must be set to admin (default is edit) to create the correct RoleBindings for che ServiceAccount
    • dockerhub registry tag must be set to canary (default is latest) to get the most recent build of the APB
    # Edit ASB configuration
    oc edit cm/broker-config -n openshift-automation-service-broker --as system:admin
    
    # Rollout ASB to take config changes
    oc rollout latest dc/openshift-automation-service-broker -n openshift-automation-service-broker --as system:admin
    
    # Trigger APBs reload from the registries (see below for more details about the APB CLI)
    apb bootstrap
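
A pre-flight check for the two broker settings listed above, as an added example (not code from the eclipse-che-apb repository). The sample configuration is constructed: only `sandbox_role` and the dockerhub `tag` come from this page, and the surrounding key layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the eclipse-che-apb repository.
# Constructed sample of the broker configuration with the defaults the README
# warns about. Only sandbox_role and the dockerhub tag come from the page;
# the surrounding keys are assumed for illustration.
SAMPLE_CONFIG='registry:
  - type: dockerhub
    name: dh
    org: ansibleplaybookbundle
    tag: latest
  - type: local_openshift
    name: localregistry
openshift:
  sandbox_role: "edit"'

# Read broker configuration YAML on stdin; print each setting that would make
# the Che deployment fail and return non-zero if any is found.
check_broker_config() {
  awk '
    # Track whether the current registry entry is the one of type dockerhub.
    /^[[:space:]]*-[[:space:]]*type:/ { in_dh = ($NF == "dockerhub") }
    in_dh && $1 == "tag:"             { tag = $2; in_dh = 0 }
    $1 == "sandbox_role:"             { role = $2 }
    END {
      gsub(/"/, "", tag); gsub(/"/, "", role)
      if (role != "admin") { print "sandbox_role=" role " (need admin)"; bad = 1 }
      if (tag != "canary") { print "dockerhub tag=" tag " (need canary)"; bad = 1 }
      exit bad
    }'
}

# Demo on the constructed sample: reports both defaults.
printf '%s\n' "$SAMPLE_CONFIG" | check_broker_config || true
```

Against a cluster, pipe the output of `oc get cm/broker-config -n openshift-automation-service-broker --as system:admin -o yaml` into `check_broker_config`; the matching is indentation-agnostic, so the ConfigMap wrapper does not matter.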

Unsupported

  • TLS
  • Ephemeral storage

Usage

  • Troubleshooting Che deployment:
    # Use the following command to retrieve the provisioning logs
    oc get po --all-namespaces --as system:admin | grep eclipse-che-apb-prov | grep Running | awk '{print "oc logs --as system:admin -f -n "$1" "$2}' | bash -
    
    # It may be useful to look at ASB logs
    oc logs -f dc/openshift-automation-service-broker -n openshift-automation-service-broker --as system:admin
    
    # Or look at the provisioning pods
    oc get po --all-namespaces --as system:admin | grep eclipse-che-apb-prov
  • Uninstall (deprovisioning) Che:
    # Trigger serviceinstance deprovisioning
    oc get serviceinstance -n eclipse-che-apb | grep apb | awk '{ print $1 }' | xargs oc delete -n eclipse-che-apb serviceinstance 
    
    # Follow the deprovisioning logs
    oc get po --all-namespaces --as system:admin | grep eclipse-che-apb-dep | grep Running | awk '{print "oc logs --as system:admin -f -n "$1" "$2}' | bash -

Development

Using APB CLI

  • Install apb

    # Download and install the APB CLI bash script 
    APB_URL=https://raw.githubusercontent.com/ansibleplaybookbundle/ansible-playbook-bundle/master/scripts/apb-docker-run.sh
    curl -sSL "${APB_URL}" > /usr/local/bin/apb && chmod +x /usr/local/bin/apb
    
    # The OpenShift user that will run the APB CLI should have enough privileges
    OS_USER=developer
    oc adm policy add-cluster-role-to-user cluster-admin "${OS_USER}"
    
    # On minishift, for apb CLI to work properly:
    eval $(minishift docker-env)
  • Build and push the APB to the local registry

    ⚠️ When using minishift, a Docker daemon should run on the host as well as the one in the minishift VM. For example, on OSX, Docker for Mac and minishift should both be running when executing apb commands.

    git clone git@github.com:ansibleplaybookbundle/eclipse-che-apb.git
    cd eclipse-che-apb
    apb list # optional
    apb build
    apb push

    To filter out APBs except local ones change the ASB config.

CLI Testing

This is the fastest way to test the APB using the CLI:

  • Set up the registry and the serviceaccount
    # setup minishift
    export APB_NAME=eclipse-che-apb
    export OC_USER=`oc whoami` OC_PASS=`oc whoami -t`
    export REGISTRY=`oc get svc/docker-registry -n default --as system:admin --template '{{.spec.clusterIP}}:{{index .spec.ports 0 "port"}}'`
    oc new-project $APB_NAME
    docker login -u ${OC_USER} -p ${OC_PASS} ${REGISTRY}
    oc create sa apb
    oc adm policy add-role-to-user admin -z apb
  • Build and push the APB image
    docker build -t $APB_NAME .
    docker tag "${APB_NAME}" "${REGISTRY}/${APB_NAME}/${APB_NAME}"
    docker push "${REGISTRY}/${APB_NAME}/${APB_NAME}"
  • Test the local image
    oc run "${APB_NAME}-test" -it --restart='Never' --image "${REGISTRY}/${APB_NAME}/${APB_NAME}" --env "OPENSHIFT_TOKEN=${OC_PASS}" --env "OPENSHIFT_TARGET=https://kubernetes.default.svc" --env "POD_NAME=${APB_NAME}-test" --env "POD_NAMESPACE=${APB_NAME}" --overrides='{"apiVersion":"v1","spec":{"serviceAccountName":"apb"}}' -- test -e namespace=${APB_NAME}
  • Deprovision
    oc run "${APB_NAME}-dep" -it --restart='Never' --image "${REGISTRY}/${APB_NAME}/${APB_NAME}" --env "OPENSHIFT_TOKEN=${OC_PASS}" --env "OPENSHIFT_TARGET=https://kubernetes.default.svc" --env "POD_NAME=${APB_NAME}-dep" --env "POD_NAMESPACE=${APB_NAME}" --overrides='{"apiVersion":"v1","spec":{"serviceAccountName":"apb"}}' -- deprovision -e namespace=${APB_NAME}
  • Cleanup
    oc delete all -l app=che
    oc delete all -l app=keycloak
    oc rsh dc/postgresql-9.6-prod bash -c "dropdb dbche" && \
    oc rsh dc/postgresql-9.6-prod bash -c "dropdb keycloak" && \
    oc delete all --all && \
    oc delete secret postgres && \
    oc delete cm che && \
    oc delete rolebinding che-admin && \
    oc delete serviceaccount che

eclipse-che-apb's Issues

APB service account cannot retrieve RoleBinding object

The following RoleBinding creation task

- name: Create RoleBinding
  k8s_v1beta1_role_binding:
    name: "che-admin"
    namespace: "{{ namespace }}"
    state: present
    role_ref_name: admin
    role_ref_kind: ClusterRole
    subjects:
      - kind: ServiceAccount
        name: "che"
        namespace: "{{ namespace }}"

fails with the following error:

TASK [provision-eclipse-che-apb : Create RoleBinding] **************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: rolebindings.rbac.authorization.k8s.io \"che-admin\" is forbidden: User \"system:serviceaccount:localregistry-eclipse-che-apb-prov-6vpl5:bundle-8bdf6bec-25d8-4bbb-a2eb-b74ba42a2cf8\" cannot get rolebindings.rbac.authorization.k8s.io in the namespace \"eclipse-che-apb\": User \"system:serviceaccount:localregistry-eclipse-che-apb-prov-6vpl5:bundle-8bdf6bec-25d8-4bbb-a2eb-b74ba42a2cf8\" cannot get rolebindings.rbac.authorization.k8s.io in project \"eclipse-che-apb\""}
PLAY RECAP *********************************************************************
localhost                  : ok=43   changed=24   unreachable=0    failed=1

Creating Che ServiceAccount works fine.

And creating the RoleBinding manually (e.g. as user developer) workspace works fine as well:

echo "apiVersion: v1
kind: RoleBinding
metadata:
  name: che-admin-2
roleRef:
  name: admin
subjects:
- kind: ServiceAccount
  name: che" | oc apply -f -
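
The 403 in the provisioning log above, turned into permission checks a cluster admin can run for the sandbox service account; this is an added example, not part of the issue or of the eclipse-che-apb repository. The function names are hypothetical, and the extra `create` check assumes the task needs that verb once the `get` succeeds.

```shell
#!/bin/sh
# Added example, not part of the issue or the eclipse-che-apb repository.
# SAMPLE_LOG is the "Create RoleBinding" failure quoted in the issue above.
SAMPLE_LOG='TASK [provision-eclipse-che-apb : Create RoleBinding] **************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: rolebindings.rbac.authorization.k8s.io \"che-admin\" is forbidden: User \"system:serviceaccount:localregistry-eclipse-che-apb-prov-6vpl5:bundle-8bdf6bec-25d8-4bbb-a2eb-b74ba42a2cf8\" cannot get rolebindings.rbac.authorization.k8s.io in the namespace \"eclipse-che-apb\": User \"system:serviceaccount:localregistry-eclipse-che-apb-prov-6vpl5:bundle-8bdf6bec-25d8-4bbb-a2eb-b74ba42a2cf8\" cannot get rolebindings.rbac.authorization.k8s.io in project \"eclipse-che-apb\""}'

# Print "subject verb resource namespace" for every RBAC denial on stdin.
# The quotes in the Ansible JSON output are backslash-escaped, hence the \\".
parse_denials() {
  sed -n 's/.*User \\"\([^"\\]*\)\\" cannot \([a-z]*\) \([^ ]*\) in the namespace \\"\([^"\\]*\)\\".*/\1 \2 \3 \4/p'
}

# Emit the `oc auth can-i` command that reproduces each denial, plus a check
# for "create" on the same resource (assumed to be the next verb the task needs).
can_i_commands() {
  fmt='oc auth can-i %s %s -n %s --as %s\n'
  parse_denials | while read -r subject verb resource ns; do
    printf "$fmt" "$verb" "$resource" "$ns" "$subject"
    [ "$verb" = create ] || printf "$fmt" create "$resource" "$ns" "$subject"
  done
}

# Demo: print the checks for the denial in the sample log.
printf '%s\n' "$SAMPLE_LOG" | can_i_commands
```

Each printed command answers `yes` or `no`; running them after changing `sandbox_role` and re-provisioning shows whether the new sandbox role covers RoleBinding access in the target namespace.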

Support TLS

Add support for TLS in Keycloak and Che routes.

Confirm deployment of Che

Before exiting the role wait for Che to be available either via DC rollout status or port availability.

Che APB installation fails on minishift with default configuration

Steps to reproduce:

  • Follow the instructions from README.md
  • Select Che (APB) from the catalog

  • Use default setup in the wizard

  • ERROR: in My Project Provisioned Service for Che would have the following error:

The service is not yet ready. Error provisioning ServiceInstance of ClusterServiceClass (K8S: "1882ffca5d72b1084e9107e3485f5066" ExternalName: "dh-eclipse-che-apb") at ClusterServiceBroker "ansible-service-broker": Status: 403; ErrorMessage: ; Description: User does not have sufficient permissions; ResponseError:

minishift version - v1.20.0+53c500a

[1] https://github.com/ansibleplaybookbundle/eclipse-che-apb#requirements

Fix Travis CI

CI fails as soon as the command ansible-playbook in the APB image is run:

Failed to install on a local origin

Steps to reproduce

  1. oc cluster up
  2. https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh
  3. Che APB shows up in a catalog

Logs:

TASK [provision-eclipse-che-apb : include_role] ********************************

TASK [keycloak-apb/set-keycloak-uri : Get DeploymentConfig] ********************
FAILED - RETRYING: Get DeploymentConfig (20 retries left).
FAILED - RETRYING: Get DeploymentConfig (19 retries left).
FAILED - RETRYING: Get DeploymentConfig (18 retries left).
FAILED - RETRYING: Get DeploymentConfig (17 retries left).
FAILED - RETRYING: Get DeploymentConfig (16 retries left).
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Get keycloak https route] ****************
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Set keycloak uri from route] *************
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Test URL] ********************************
FAILED - RETRYING: Test URL (5 retries left).
FAILED - RETRYING: Test URL (4 retries left).
FAILED - RETRYING: Test URL (3 retries left).
FAILED - RETRYING: Test URL (2 retries left).
FAILED - RETRYING: Test URL (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 5, "changed": false, "content": "", "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Connection refused>", "redirected": false, "status": -1, "url": "https://keycloak-myproject.127.0.0.1.nip.io/auth/"}
...ignoring

TASK [keycloak-apb/set-keycloak-uri : Get keycloak service] ********************
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Set keycloak uri from service] ***********
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Test URL] ********************************
ok: [localhost]

TASK [keycloak-apb/set-keycloak-uri : Check if keycloak_uri has been set and verified] ***
skipping: [localhost]

TASK [provision-eclipse-che-apb : delete keycloak https route] *****************
changed: [localhost]

TASK [provision-eclipse-che-apb : Create keycloak http route] ******************
changed: [localhost]

TASK [provision-eclipse-che-apb : Set keycloak uri from route] *****************
ok: [localhost]

TASK [provision-eclipse-che-apb : include_tasks] *******************************
included: /opt/ansible/roles/provision-eclipse-che-apb/tasks/che.yml for localhost

TASK [provision-eclipse-che-apb : Create ServiceAccount] ***********************
changed: [localhost]

TASK [provision-eclipse-che-apb : Create RoleBinding] **************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: rolebindings.rbac.authorization.k8s.io \"che-admin\" is forbidden: User \"system:serviceaccount:dh-eclipse-che-apb-prov-8m7bw:apb-8342ea52-a04d-4b54-87d6-06fdc1a257f6\" cannot get rolebindings.rbac.authorization.k8s.io in the namespace \"myproject\": User \"system:serviceaccount:dh-eclipse-che-apb-prov-8m7bw:apb-8342ea52-a04d-4b54-87d6-06fdc1a257f6\" cannot get rolebindings.rbac.authorization.k8s.io in project \"myproject\""}
	to retry, use: --limit @/opt/apb/actions/provision.retry

PLAY RECAP *********************************************************************
localhost                  : ok=46   changed=27   unreachable=0    failed=1 

Add tests; travis

After deployment of Che create a workspace via the REST api and confirm that it is running.

Avoid provisioning Che twice on the same cluster

We want only one Che instance per cluster. The APB should first check if wsmaster is already running in the cluster. If it does the APB should only show a message that says that Che is already installed and provide the link to the dashboard.

Changing ASB configuration should not be a requirement

Currently a manual step at cluster scope is required in order to have Che provisioned correctly: Ansible Service Broker should be configured with openshift sandbox_role set to admin.

This makes Che installation harder and impossible in some cases.

To get rid of this manual step we could have the OpenShift teams default sandbox_role to admin. This is what this issue is about: openshift/openshift-ansible#9231

If this won't work we should look at

  1. why we need a RoleBinding with role_ref_kind: ClusterRole instead of role_ref_kind: Role and
  2. if sandbox_role set to edit would be enough to create a RoleBinding with role_ref_kind: Role
