From 1b93390b276715d6e88c1b8321293ec50b32f02e Mon Sep 17 00:00:00 2001 From: Michal Vala Date: Wed, 8 Dec 2021 09:30:07 +0100 Subject: [PATCH 01/29] native user auth docs Signed-off-by: Michal Vala --- modules/administration-guide/nav.adoc | 1 + ...guring-minikube-github-authentication.adoc | 7 +++ .../pages/configuring-openshift-oauth.adoc | 2 +- ...anaging-identities-and-authorizations.adoc | 2 +- .../partials/assembly_authorizing-users.adoc | 2 + ...anaging-identities-and-authorizations.adoc | 1 + .../partials/con_che-operator.adoc | 3 + .../partials/con_gateway.adoc | 7 ++- ...guring-minikube-github-authentication.adoc | 59 +++++++++++++++++++ 9 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 modules/administration-guide/pages/configuring-minikube-github-authentication.adoc create mode 100644 modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index f638e6d110..66e9607461 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -68,3 +68,4 @@ ** xref:configuring-authorization.adoc[] ** xref:configuring-openshift-oauth.adoc[] ** xref:removing-user-data.adoc[] +** xref:configuring-minikube-github-authentication.adoc[] diff --git a/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc b/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc new file mode 100644 index 0000000000..663dcebc41 --- /dev/null +++ b/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc 
@@ -0,0 +1,7 @@ +[id="configuring-openshift-oauth"] +// = Configuring OpenShift OAuth +:navtitle: Configuring Minikube Github Authentication +:keywords: administration-guide, configuring-openshift-oauth +:page-aliases: .:configuring-minikube-github-authentication + +include::partial$proc_configuring-minikube-github-authentication.adoc[] diff --git a/modules/administration-guide/pages/configuring-openshift-oauth.adoc b/modules/administration-guide/pages/configuring-openshift-oauth.adoc index f234084068..11a1f5cfee 100644 --- a/modules/administration-guide/pages/configuring-openshift-oauth.adoc +++ b/modules/administration-guide/pages/configuring-openshift-oauth.adoc @@ -1,7 +1,7 @@ [id="configuring-openshift-oauth"] // = Configuring OpenShift OAuth :navtitle: Configuring OpenShift OAuth -:keywords: end-user-guide, configuring-openshift-oauth +:keywords: administration-guide, configuring-openshift-oauth :page-aliases: .:configuring-openshift-oauth include::partial$proc_configuring-openshift-oauth.adoc[] diff --git a/modules/administration-guide/pages/managing-identities-and-authorizations.adoc b/modules/administration-guide/pages/managing-identities-and-authorizations.adoc index 8534724939..2adc2dc4f7 100644 --- a/modules/administration-guide/pages/managing-identities-and-authorizations.adoc +++ b/modules/administration-guide/pages/managing-identities-and-authorizations.adoc @@ -1,7 +1,7 @@ [id="managing-identities-and-authorizations"] // = Managing identities and authorizations :navtitle: Managing identities and authorizations -:keywords: end-user-guide, managing-identities-and-authorizations +:keywords: administration-guide, managing-identities-and-authorizations :page-aliases: .:managing-identities-and-authorizations include::partial$assembly_managing-identities-and-authorizations.adoc[] 
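Review bot: The new page pages/configuring-minikube-github-authentication.adoc opens with `[id="configuring-openshift-oauth"]`, which duplicates the id of pages/configuring-openshift-oauth.adoc shown in the next hunk, so anchors and xrefs to the OpenShift OAuth page can resolve to the wrong document. The `:keywords:` line and the commented title carry the same copy-paste leftover. I would change the three lines to `[id="configuring-minikube-github-authentication"]`, `// = Configuring Minikube with GitHub Authentication` and `:keywords: administration-guide, configuring-minikube-github-authentication`.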
diff --git a/modules/administration-guide/partials/assembly_authorizing-users.adoc b/modules/administration-guide/partials/assembly_authorizing-users.adoc index a8b4e04e0f..5a1a062330 100644 --- a/modules/administration-guide/partials/assembly_authorizing-users.adoc +++ b/modules/administration-guide/partials/assembly_authorizing-users.adoc @@ -33,5 +33,7 @@ include::partial$proc_listing-che-permissions.adoc[leveloffset=+1] include::partial$proc_assigning-che-permissions.adoc[leveloffset=+1] +include::partial$con_devworkspace_auth.adoc[leveloffset=+1] + :context: {parent-context-of-authorizing-users} diff --git a/modules/administration-guide/partials/assembly_managing-identities-and-authorizations.adoc b/modules/administration-guide/partials/assembly_managing-identities-and-authorizations.adoc index 019f0f8c68..3528756b34 100644 --- a/modules/administration-guide/partials/assembly_managing-identities-and-authorizations.adoc +++ b/modules/administration-guide/partials/assembly_managing-identities-and-authorizations.adoc @@ -13,5 +13,6 @@ This section describes different aspects of managing identities and authorizatio * xref:configuring-authorization.adoc[] * xref:removing-user-data.adoc[] * xref:configuring-openshift-oauth.adoc[] +* xref:configuring-minikube-github-authentication.adoc[] :context: {parent-context-of-managing-identities-and-authorizations} diff --git a/modules/administration-guide/partials/con_che-operator.adoc b/modules/administration-guide/partials/con_che-operator.adoc index 37cfd94aba..7c669e5dd1 100644 --- a/modules/administration-guide/partials/con_che-operator.adoc +++ b/modules/administration-guide/partials/con_che-operator.adoc 
@@ -17,7 +17,10 @@ Creates and controls the necessary {orch-name} objects to run a {prod-short} ins `CheCluster` custom resource (CR):: On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensure full lifecycle management of the {prod-short} server components on this {prod-short} instance. +The {prod-short} operator is also provides routing for Devworkspaces by configuring the `che-gateway`. + .Additional resources * xref:installation-guide:configuring-the-che-installation.adoc[] * xref:installation-guide:installing-che.adoc[] +* xref:administration-guide:gateway.adoc[] diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc index 622bcaa53c..e4b7d1a164 100644 --- a/modules/administration-guide/partials/con_gateway.adoc +++ b/modules/administration-guide/partials/con_gateway.adoc @@ -1,7 +1,12 @@ [id="gateway_{context}"] = Gateway -The {prod-short} gateway is a Traefik instance applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. +The {prod-short} gateway consists of 3 main parts: + +* *link:https://github.com/traefik/traefik[Traefik]* instance responsible for requests routing +* *link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2-proxy]* ensuring authentication and initiating oauth flow +* *link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy]* applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. + The {prod-short} operator manages it as the `che-gateway` Deployment. It controls access to: diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc new file mode 100644 index 0000000000..75cee999a5 --- /dev/null 
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc 
@@ -0,0 +1,59 @@ +[id="configuring-minikube-github-authentication_{context}"] += Configuring Minikube with GitHub Authentication + +== Authentication on Kubernetes +On Kubernetes, link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2 Proxy] is deployed as che-gateway sidecar ensuring requests authentication. Then Kubernetes apiserver must have configured OIDC issuer to know about users identities and CheCluster CR must be configured with: +``` +spec: + auth: + identityProviderURL: + oAuthClientName: + oAuthSecret: +``` + +Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on minikube with devworkspace engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party Identity Providers, like GitHub. + +=== Setup GitHub as identity provider on Kubernetes +To setup GitHub as {prod-short} identity provider + +. Create OAuth App in GitHub at https://github.com/settings/applications/new (see link:https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app[GitHub documentation]): ++ +[source] +---- +Application name: Eclipse Che <1> +Homepage URL: https://.nip.io <2> +Authorization callback URL: https://dex..nip.io/callback <3> +---- ++ +<1> Name is only displayed on GitHub. It is not used internally so it can be any name. +<2> Main URL to Che instance. +<3> Callback URL to Dex. Chectl deploys Dex on `dex.` subdomain. ++ +Note: To get minikube ip, run `$ minikube ip` in the terminal. + + +. On GitHub Generate new client secret for just created OAuth application + +. 
edit dex configmap `kubectl edit configmap dex -n dex` +``` +connectors: +- type: github + id: github + name: GitHub + config: + clientID: <1> + clientSecret: <2> + redirectURI: https://dex..nip.io/callback <3> +``` ++ +<1> OAuth client id copied from GitHub OAuth application +<2> OAuth client secret, generated at GitHub in previous step +<3> Callback URL to Dex. This must match configuration in GitHub OAuth application from step 1. ++ +See link:https://dexidp.io/docs/connectors/github/[Dex documentation] for details + +Note: To remove dex static users, delete all `enablePasswordDB` and `staticPasswords` sections. + +. restart Dex pod to load new configuration `kubectl delete pod dex -n dex` + +. On next opening {prod-short} URL, user will be prompted with GitHub login From 89b4f183ff61e51d10d93f7434168caeb6e9e75b Mon Sep 17 00:00:00 2001 From: Michal Vala Date: Wed, 8 Dec 2021 13:18:50 +0100 Subject: [PATCH 02/29] fix lang errors Signed-off-by: Michal Vala --- modules/administration-guide/partials/con_che-operator.adoc | 2 +- modules/administration-guide/partials/con_gateway.adoc | 2 +- .../proc_configuring-minikube-github-authentication.adoc | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/administration-guide/partials/con_che-operator.adoc b/modules/administration-guide/partials/con_che-operator.adoc index 7c669e5dd1..4c6cec828c 100644 --- a/modules/administration-guide/partials/con_che-operator.adoc +++ b/modules/administration-guide/partials/con_che-operator.adoc 
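Review bot: The Dex connector snippet at callout <2> puts the GitHub `clientSecret` in plain text into the `dex` ConfigMap, where anyone able to read ConfigMaps in that namespace, as well as backups and GitOps history, can recover it; the procedure should tell the reader to keep the value in a Kubernetes Secret and reference it from the Dex config (Dex expands `$VAR` environment references in its configuration) rather than paste it inline. The "remove dex static users" remark is only an aside, yet until the `enablePasswordDB` and `staticPasswords` sections are deleted the preconfigured static accounts remain a second login path beside GitHub, so it belongs in the numbered procedure, for example `. Remove the \`enablePasswordDB\` and \`staticPasswords\` sections from the Dex ConfigMap so that only GitHub accounts can log in.` The hosts written as `dex..nip.io` in both snippets appear to have lost a placeholder between the dots in this rendering, presumably the Minikube IP; worth confirming the source file still carries it.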
@@ -17,7 +17,7 @@ Creates and controls the necessary {orch-name} objects to run a {prod-short} ins `CheCluster` custom resource (CR):: On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensure full lifecycle management of the {prod-short} server components on this {prod-short} instance. -The {prod-short} operator is also provides routing for Devworkspaces by configuring the `che-gateway`. +The {prod-short} operator is also provides routing for {devworkspace} by configuring the `che-gateway`. .Additional resources diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc index e4b7d1a164..a6090a4274 100644 --- a/modules/administration-guide/partials/con_gateway.adoc +++ b/modules/administration-guide/partials/con_gateway.adoc @@ -4,7 +4,7 @@ The {prod-short} gateway consists of 3 main parts: * *link:https://github.com/traefik/traefik[Traefik]* instance responsible for requests routing -* *link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2-proxy]* ensuring authentication and initiating oauth flow +* *link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2-proxy]* ensuring authentication and initiating OAuth flow * *link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy]* applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. The {prod-short} operator manages it as the `che-gateway` Deployment. diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index 75cee999a5..96215c556f 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc 
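Review bot: The con_che-operator.adoc hunk keeps `The {prod-short} operator is also provides routing`, a grammar slip that survives the commit titled "fix lang errors"; change `is also provides` to `also provides`. The sentence would also read more precisely as `also provides routing for {devworkspace} workspaces`, since the attribute names the component rather than the workspaces themselves, but that is a wording choice for the author.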
@@ -2,7 +2,7 @@ = Configuring Minikube with GitHub Authentication == Authentication on Kubernetes -On Kubernetes, link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2 Proxy] is deployed as che-gateway sidecar ensuring requests authentication. Then Kubernetes apiserver must have configured OIDC issuer to know about users identities and CheCluster CR must be configured with: +On {kubernetes}, link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2 Proxy] is deployed as che-gateway sidecar ensuring requests authentication. Then {kubernetes} must have configured OIDC issuer to know about users identities and CheCluster CR must be configured with: ``` spec: auth: @@ -11,7 +11,7 @@ spec: oAuthSecret: ``` -Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on minikube with devworkspace engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party Identity Providers, like GitHub. +Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. === Setup GitHub as identity provider on Kubernetes To setup GitHub as {prod-short} identity provider @@ -29,7 +29,7 @@ Authorization callback URL: https://dex..nip.io/callback <3> <2> Main URL to Che instance. <3> Callback URL to Dex. Chectl deploys Dex on `dex.` subdomain. + -Note: To get minikube ip, run `$ minikube ip` in the terminal. +Note: To get minikube IP, run `$ minikube ip` in the terminal. . On GitHub Generate new client secret for just created OAuth application From 5394b64915f8a30e9945bab68349c9f5a6736c17 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 14:38:43 +0100 Subject: [PATCH 03/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc --- .../proc_configuring-minikube-github-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index 96215c556f..5fa72ce68d 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -11,7 +11,7 @@ spec: oAuthSecret: ``` -Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. +Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on Minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. === Setup GitHub as identity provider on Kubernetes To setup GitHub as {prod-short} identity provider From caf2214d90f07513b210e1ca6fa43e1fcbb56260 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 14:39:06 +0100 Subject: [PATCH 04/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc --- .../proc_configuring-minikube-github-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index 5fa72ce68d..87829edc61 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -29,7 +29,7 @@ Authorization callback URL: https://dex..nip.io/callback <3> <2> Main URL to Che instance. <3> Callback URL to Dex. Chectl deploys Dex on `dex.` subdomain. + -Note: To get minikube IP, run `$ minikube ip` in the terminal. +Note: To get Minikube IP, run `$ minikube ip` in the terminal. . On GitHub Generate new client secret for just created OAuth application From e2a698e294d68ea00fbee202cb6acb310ddfdd8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 14:39:42 +0100 Subject: [PATCH 05/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc --- .../proc_configuring-minikube-github-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index 87829edc61..a51d6bcde0 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -34,7 +34,7 @@ Note: To get Minikube IP, run `$ minikube ip` in the terminal. . On GitHub Generate new client secret for just created OAuth application -. edit dex configmap `kubectl edit configmap dex -n dex` +. edit Dex configmap `kubectl edit configmap dex -n dex` ``` connectors: - type: github From e4d96e86c5694b62c846aa4e864965c5e4038b88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 14:41:31 +0100 Subject: [PATCH 06/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc --- .../proc_configuring-minikube-github-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index a51d6bcde0..f38d4b2917 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -52,7 +52,7 @@ connectors: + See link:https://dexidp.io/docs/connectors/github/[Dex documentation] for details -Note: To remove dex static users, delete all `enablePasswordDB` and `staticPasswords` sections. +Note: To remove Dex static users, delete all `enablePasswordDB` and `staticPasswords` sections. . restart Dex pod to load new configuration `kubectl delete pod dex -n dex` From 0c9005cf6c197d7df1e92c12a3ade16fcdbb8a07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 14:43:00 +0100 Subject: [PATCH 07/29] Update Spelling.yml --- .vale/styles/CheDocs/Spelling.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.vale/styles/CheDocs/Spelling.yml b/.vale/styles/CheDocs/Spelling.yml index d655cb15fd..ac55c4e30d 100644 --- a/.vale/styles/CheDocs/Spelling.yml +++ b/.vale/styles/CheDocs/Spelling.yml @@ -128,6 +128,7 @@ filters: - Datadog - Dev - DevWorkspace + - Dex - DNS - Docker - Dockerfile From fffdb05fefa1656b50ab00f6b0f6fa902f30b728 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 9 Dec 2021 18:21:57 +0100 Subject: [PATCH 08/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc --- .../proc_configuring-minikube-github-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index f38d4b2917..c8f7ccb4d0 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -11,7 +11,7 @@ spec: oAuthSecret: ``` -Chectl can configure minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on Minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. +Chectl can configure Minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on Minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. === Setup GitHub as identity provider on Kubernetes To setup GitHub as {prod-short} identity provider From d2e48b3faf649b80631d9160a8cdfdb158efecf3 Mon Sep 17 00:00:00 2001 From: Michal Vala Date: Fri, 10 Dec 2021 12:40:42 +0100 Subject: [PATCH 09/29] update devworkspace installation doc Signed-off-by: Michal Vala --- .../proc_enabling-dev-workspace-operator.adoc | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) 
diff --git a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc index 8468f91652..aff1adf889 100644 --- a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc +++ b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc @@ -2,11 +2,12 @@ [id="enabling-dev-workspace-operator_{context}"] = Enabling {devworkspace} operator -This procedure describes how to enable the {devworkspace} operator to support the Devfile 2.0.0 file format and mentions how to do so on existing instances or those about to be installed. +This procedure describes how to enable the {devworkspace} operator to support the Devfile v2 file format and mentions how to do so on existing instances or those about to be installed. .Prerequisites * The `{orch-cli}` and `{prod-cli}` tools are available. +* .Procedure @@ -32,18 +33,25 @@ spec: + [subs="+quotes,+attributes"] ---- -$ {prod-cli} server:deploy --che-operator-cr-patch-yaml=patch.yaml ... +$ {prod-cli} server:deploy --workspace-engine=dev-workspace ... ---- -+ -`patch.yaml` must contain the following: -+ + +ifeval::["{project-context}" == "che"] +[WARNING] +==== +{prod-cli} will automatically setup Dex as OIDC provider on Minikube. For other {kubernetes} clusters, setup OIDC provider following cluster provider documentation and set the following values in {prod-checluster} Custom Resource (CR): + [source,yaml,subs="+quotes"] ---- spec: - devWorkspace: - enable: true + auth: + identityProviderURL: '____' <1> ---- +<1> URL to OIDC provider. +==== +endif::[] + * For already existing {prod-short} installation: + . Update `{prod-checluster}` CR using the `{orch-cli}` tool: From ebfcdced309425cf5b3da4adae6a31398c6075f5 Mon Sep 17 00:00:00 2001 From: Michal Vala Date: Fri, 10 Dec 2021 12:50:32 +0100 Subject: [PATCH 10/29] link to kubernetes oidc docs, cleanup 
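Review bot: The CR snippet in the new WARNING block of the second hunk sets only `identityProviderURL`, while proc_configuring-minikube-github-authentication.adoc added earlier in this series states that the `CheCluster` CR must also carry `oAuthClientName` and `oAuthSecret`; one of the two pages is incomplete, and a reader on the non-Minikube path here has no hint that an OIDC client must be registered with the issuer, so either list all three fields with callouts or cross-reference that procedure. The first hunk also leaves an empty `* ` bullet under `.Prerequisites`, which renders as a blank list item. The procedure continues past the end of the second hunk.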
Signed-off-by: Michal Vala --- .../partials/assembly_authorizing-users.adoc | 3 --- .../partials/proc_enabling-dev-workspace-operator.adoc | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/administration-guide/partials/assembly_authorizing-users.adoc b/modules/administration-guide/partials/assembly_authorizing-users.adoc index 5a1a062330..5e0af58bac 100644 --- a/modules/administration-guide/partials/assembly_authorizing-users.adoc +++ b/modules/administration-guide/partials/assembly_authorizing-users.adoc @@ -33,7 +33,4 @@ include::partial$proc_listing-che-permissions.adoc[leveloffset=+1] include::partial$proc_assigning-che-permissions.adoc[leveloffset=+1] -include::partial$con_devworkspace_auth.adoc[leveloffset=+1] - - :context: {parent-context-of-authorizing-users} diff --git a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc index aff1adf889..1602c6ac0e 100644 --- a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc +++ b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc @@ -39,7 +39,7 @@ $ {prod-cli} server:deploy --workspace-engine=dev-workspace ... ifeval::["{project-context}" == "che"] [WARNING] ==== -{prod-cli} will automatically setup Dex as OIDC provider on Minikube. For other {kubernetes} clusters, setup OIDC provider following cluster provider documentation and set the following values in {prod-checluster} Custom Resource (CR): +{prod-cli} will automatically setup Dex as OIDC provider on Minikube. For other {kubernetes} clusters setup link:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server[{kubernetes} OIDC] provider following cluster provider documentation and set the following values in {prod-checluster} Custom Resource (CR): [source,yaml,subs="+quotes"] ---- 
From f57503341d37fbbeb14c6a989868d32f81dae476 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 21 Dec 2021 08:19:37 +0100 Subject: [PATCH 11/29] Apply suggestions from code review --- modules/administration-guide/nav.adoc | 5 +++-- .../pages/configuring-minikube-github-authentication.adoc | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index f28f26302c..5dfa6206c7 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -68,6 +68,7 @@ ** xref:authenticating-users.adoc[] ** xref:authorizing-users.adoc[] ** xref:configuring-authorization.adoc[] -** xref:configuring-openshift-oauth.adoc[] +*** xref:configuring-openshift-oauth.adoc[] +*** xref:configuring-minikube-github-authentication.adoc[] + ** xref:removing-user-data.adoc[] -** xref:configuring-minikube-github-authentication.adoc[] diff --git a/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc b/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc index 663dcebc41..587baa9c2c 100644 --- a/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/pages/configuring-minikube-github-authentication.adoc @@ -1,6 +1,6 @@ [id="configuring-openshift-oauth"] // = Configuring OpenShift OAuth -:navtitle: Configuring Minikube Github Authentication +:navtitle: Configuring Minikube GitHub Authentication :keywords: administration-guide, configuring-openshift-oauth :page-aliases: .:configuring-minikube-github-authentication From 7b1b6cf9a575c832251c76ca9d9363665cb161ca Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 21 Dec 2021 10:01:37 +0100 Subject: [PATCH 12/29] Apply suggestions from code review --- ...guring-minikube-github-authentication.adoc | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc index c8f7ccb4d0..5b1301e08b 100644 --- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc +++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc @@ -13,10 +13,21 @@ spec: Chectl can configure Minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on Minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub. -=== Setup GitHub as identity provider on Kubernetes -To setup GitHub as {prod-short} identity provider +{prod-short} is preconfigured with static users. Configure the OpenID Connect (OIDC) provider to use GitHub authentication. -. Create OAuth App in GitHub at https://github.com/settings/applications/new (see link:https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app[GitHub documentation]): +.Prerequisites + +* {prod-short} is installed on Minikube. See xref:installation-guide:installing-che-on-minikube.adoc[]. + + +.Procedure +. Get Minikube IP and remember it as `__`: ++ +---- +$ minikube ip +---- + +. link:https://github.com/settings/applications/new[Create an OAuth App] for your Minikube instance in GitHub. See link:https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app[GitHub documentation]. + [source] ---- 
@@ -28,11 +39,9 @@ Authorization callback URL: https://dex..nip.io/callback <3>
 <1> Name is only displayed on GitHub. It is not used internally so it can be any name.
 <2> Main URL to Che instance.
 <3> Callback URL to Dex. Chectl deploys Dex on `dex.` subdomain.
-+
-Note: To get Minikube IP, run `$ minikube ip` in the terminal.
-. On GitHub Generate new client secret for just created OAuth application
+. In the GitHub OAuth application page, click btn:[Generate a new client secret] and remember the value of the generated client secret as `__`.
 . edit Dex configmap `kubectl edit configmap dex -n dex`
 ```
From 1a5762c03a5a5dc7cf61982309f6485694b671c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 10:03:50 +0100
Subject: [PATCH 13/29] Add links as attributes
---
 antora.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/antora.yml b/antora.yml
index a470b7031f..af0b3aad2e 100644
--- a/antora.yml
+++ b/antora.yml
@@ -61,6 +61,9 @@ asciidoc:
 link-installing-an-instance: xref:installation-guide:installing-che.adoc[]
 link-server-identity-provider-dockerfile-location: https://github.com/eclipse-che/che-server/tree/main/dockerfiles/keycloak
 link-viewing-the-state-of-the-cluster-deployment-using-openshift-4-cli-tools: xref:overview:installing-che-on-openshift-4-using-operatorhub.adoc[]
+ link-oauth2-proxy: link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2 Proxy]
+ link-kube-rbac-proxy: link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy]
+ link-oidc-issuer: link:https://dexidp.io/[Dex]
 namespace: namespace # In context: API namespace
 nodejs-stack: nodejs
 ocp: OpenShift Container Platform
From e1871dc158a0dea284e728b6ee0da0ed63a118de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 11:16:15 +0100
Subject: [PATCH 14/29] Apply suggestions from code review
---
 .../administration-guide/partials/con_gateway.adoc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc
index a6090a4274..22ab06461b 100644
--- a/modules/administration-guide/partials/con_gateway.adoc
+++ b/modules/administration-guide/partials/con_gateway.adoc
@@ -1,11 +1,15 @@
 [id="gateway_{context}"]
 = Gateway
-The {prod-short} gateway consists of 3 main parts:
+The {prod-short} gateway has three main roles:
-* *link:https://github.com/traefik/traefik[Traefik]* instance responsible for requests routing
-* *link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2-proxy]* ensuring authentication and initiating OAuth flow
-* *link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy]* applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource.
+* Routing requests. It uses link:https://github.com/traefik/traefik[Traefik].
+
+* Ensuring authentication with OpenID Connect (OIDC). It uses {link-oauth2-proxy}.
+
+* Applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. It uses {link-kube-rbac-proxy}.
+
+{link-oidc} is the default OIDC issuer. The {prod-short} operator deploys it with preconfigured static users. It can serve as a bridge to third party {identity-provider}, such as GitHub.
 The {prod-short} operator manages it as the `che-gateway` Deployment.
From 5353ab3f586e441d437ac1f08e04c613d65b2ed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 11:16:33 +0100
Subject: [PATCH 15/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 ...oc_configuring-minikube-github-authentication.adoc | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 5b1301e08b..8440925051 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -1,17 +1,6 @@
 [id="configuring-minikube-github-authentication_{context}"]
 = Configuring Minikube with GitHub Authentication
-== Authentication on Kubernetes
-On {kubernetes}, link:https://github.com/oauth2-proxy/oauth2-proxy[OAuth2 Proxy] is deployed as che-gateway sidecar ensuring requests authentication. Then {kubernetes} must have configured OIDC issuer to know about users identities and CheCluster CR must be configured with:
-```
-spec:
- auth:
- identityProviderURL:
- oAuthClientName:
- oAuthSecret:
-```
-
-Chectl can configure Minikube with link:https://dexidp.io/[Dex] as OIDC issuer with preconfigured static users. This is the default setup when deploying on Minikube with {devworkspace} engine `chectl server:deploy --platform minikube --workspace-engine=dev-workspace`. Dex can serve as a bridge to 3rd party {identity-provider}, like GitHub.
 {prod-short} is preconfigured with static users. Configure the OpenID Connect (OIDC) provider to use GitHub authentication.
From 620940196f1bb46d034ee0e8ee878523ce1fb92c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 13:58:27 +0100
Subject: [PATCH 16/29] Update modules/administration-guide/partials/con_gateway.adoc
---
 modules/administration-guide/partials/con_gateway.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc
index 22ab06461b..899b1ad4be 100644
--- a/modules/administration-guide/partials/con_gateway.adoc
+++ b/modules/administration-guide/partials/con_gateway.adoc
@@ -9,7 +9,7 @@ The {prod-short} gateway has three main roles:
 * Applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. It uses {link-kube-rbac-proxy}.
-{link-oidc} is the default OIDC issuer. The {prod-short} operator deploys it with preconfigured static users. It can serve as a bridge to third party {identity-provider}, such as GitHub.
+{link-oidc-issuer} is the default OIDC issuer. The {prod-short} operator deploys it with preconfigured static users. It can serve as a bridge to third party {identity-provider}, such as GitHub.
 The {prod-short} operator manages it as the `che-gateway` Deployment.
From a6545ce8e0fb6452ccba6a169ca7e9892abd5b7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 14:25:44 +0100
Subject: [PATCH 17/29] Apply suggestions from code review
---
 .../partials/con_che-operator.adoc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/modules/administration-guide/partials/con_che-operator.adoc b/modules/administration-guide/partials/con_che-operator.adoc
index 4c6cec828c..ecc0459376 100644
--- a/modules/administration-guide/partials/con_che-operator.adoc
+++ b/modules/administration-guide/partials/con_che-operator.adoc
@@ -15,12 +15,17 @@ Defines the `CheCluster` {orch-name} object.
 Creates and controls the necessary {orch-name} objects to run a {prod-short} instance, such as pods, services, and persistent volumes.
 `CheCluster` custom resource (CR)::
-On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensure full lifecycle management of the {prod-short} server components on this {prod-short} instance.
-
-The {prod-short} operator is also provides routing for {devworkspace} by configuring the `che-gateway`.
+On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensure full lifecycle management of the {prod-short} server components on this {prod-short} instance:
++
+* xref:devworkspace-operator.adoc[]
+* xref:gateway.adoc[]
+* xref:dashboard.adoc[]
+* xref:devfile-registries.adoc[]
+* xref:che-server.adoc[]
+* xref:postgresql.adoc[]
+* xref:plug-in-registry.adoc[]
 .Additional resources
 * xref:installation-guide:configuring-the-che-installation.adoc[]
 * xref:installation-guide:installing-che.adoc[]
-* xref:administration-guide:gateway.adoc[]
From 9738741833da0252b1433dd97a21f16afff81e89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 14:29:45 +0100
Subject: [PATCH 18/29] Update modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
---
 .../partials/proc_enabling-dev-workspace-operator.adoc | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
index 1602c6ac0e..5ef2d75029 100644
--- a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
+++ b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
@@ -7,7 +7,6 @@ This procedure describes how to enable the {devworkspace} operator to support th
 .Prerequisites
 * The `{orch-cli}` and `{prod-cli}` tools are available.
-*
 .Procedure
From 3b91a8ae66e581eda811ea82cd38ef620e62fad0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:12:32 +0100
Subject: [PATCH 19/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 8440925051..8b4d0740eb 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -2,7 +2,7 @@
 = Configuring Minikube with GitHub Authentication
-{prod-short} is preconfigured with static users. Configure the OpenID Connect (OIDC) provider to use GitHub authentication.
+Configure the OpenID Connect (OIDC) issuer to use GitHub authentication rather than preconfigured static users.
 .Prerequisites
From 46b9f328e05bf97b044a29a92e9d864e049d4ce9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:15:31 +0100
Subject: [PATCH 20/29] Update modules/administration-guide/partials/con_gateway.adoc
---
 modules/administration-guide/partials/con_gateway.adoc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc
index 899b1ad4be..920f0e9cc5 100644
--- a/modules/administration-guide/partials/con_gateway.adoc
+++ b/modules/administration-guide/partials/con_gateway.adoc
@@ -1,15 +1,15 @@
 [id="gateway_{context}"]
 = Gateway
-The {prod-short} gateway has three main roles:
+The {prod-short} gateway has following roles:
 * Routing requests. It uses link:https://github.com/traefik/traefik[Traefik].
-* Ensuring authentication with OpenID Connect (OIDC). It uses {link-oauth2-proxy}.
+* Authenticating users with OpenID Connect (OIDC). It uses {link-oauth2-proxy}.
-* Applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. It uses {link-kube-rbac-proxy}.
+* Providing a default OIDC issuer, which can serve as a bridge to third party {identity-provider}, such as GitHub. {link-oidc-issuer} is the default OIDC issuer, preconfigured with static users.
-{link-oidc-issuer} is the default OIDC issuer. The {prod-short} operator deploys it with preconfigured static users. It can serve as a bridge to third party {identity-provider}, such as GitHub.
+* Applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. It uses {link-kube-rbac-proxy}.
 The {prod-short} operator manages it as the `che-gateway` Deployment.
From fae8a581eee4c02f76f6d6a51e46eedab7ab1b79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:15:51 +0100
Subject: [PATCH 21/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 8b4d0740eb..0202f1c332 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -2,7 +2,7 @@
 = Configuring Minikube with GitHub Authentication
-Configure the OpenID Connect (OIDC) issuer to use GitHub authentication rather than preconfigured static users.
+Configure the {link-oidc-issuer} OpenID Connect (OIDC) issuer to use GitHub authentication rather than preconfigured static users.
 .Prerequisites
From ff7eb5daad1b6a66f6f97550ecef3df8f93449a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:23:56 +0100
Subject: [PATCH 22/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 ...iguring-minikube-github-authentication.adoc | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 0202f1c332..4ab2c3053c 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -32,17 +32,23 @@ Authorization callback URL: https://dex..nip.io/callback <3>
 . In the GitHub OAuth application page, click btn:[Generate a new client secret] and remember the value of the generated client secret as `__`.
-. edit Dex configmap `kubectl edit configmap dex -n dex`
-```
+. Edit the {link-oidc-issuer} config map:
++
+----
+$ kubectl edit configmap dex -n dex
+----
++
+[source,yaml,subs="+attributes,macros,quotes"]
+----
 connectors:
 - type: github
 id: github
 name: GitHub
 config:
- clientID: <1>
- clientSecret: <2>
- redirectURI: https://dex..nip.io/callback <3>
-```
+ clientID: __ <1>
+ clientSecret: __ <2>
+ redirectURI: https://dex.__.nip.io/callback <3>
+----
 +
 <1> OAuth client id copied from GitHub OAuth application
 <2> OAuth client secret, generated at GitHub in previous step
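Review bot: The new step has the administrator paste the GitHub OAuth `clientSecret` in plain text into the `dex` ConfigMap (`kubectl edit configmap dex -n dex`, callout `<2>`), and the procedure does not say that a ConfigMap is not a secret store: it is readable by any principal allowed to get ConfigMaps in that namespace and is typically not covered by the etcd encryption at rest that clusters configure for Secrets. A sentence after the `<2>` callout would let administrators weigh this, for example `NOTE: The config map stores the client secret in plain text. Restrict who can read config maps in the dex namespace, and regenerate the secret in GitHub if the config map is exposed.` Whether the Dex deployment created by {prod-cli} can read the value from a Kubernetes Secret instead is not visible in this hunk, so that alternative is worth confirming before recommending it in the text.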
From 972e96e3de772db1df12e80ecaf5317289a5b285 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:45:38 +0100
Subject: [PATCH 23/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 4ab2c3053c..fdf41c5404 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -60,4 +60,6 @@ Note: To remove Dex static users, delete all `enablePasswordDB` and `staticPassw
 . restart Dex pod to load new configuration `kubectl delete pod dex -n dex`
-. On next opening {prod-short} URL, user will be prompted with GitHub login
+.Verification steps
+
+* Open {prod-short} URL. The dashboard displays GitHub login prompt.
From f6c3fb3a765334741b67c7b2459e23e5d6d6c9d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:45:45 +0100
Subject: [PATCH 24/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index fdf41c5404..c713ae000b 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -58,7 +58,11 @@ See link:https://dexidp.io/docs/connectors/github/[Dex documentation] for detail
 Note: To remove Dex static users, delete all `enablePasswordDB` and `staticPasswords` sections.
-. restart Dex pod to load new configuration `kubectl delete pod dex -n dex`
+. Restart the {link-oidc-issuer} pod:
++
+----
+$ kubectl delete pod dex -n dex
+----
 .Verification steps
From e64d9896da6f85171b1c1f7a0c39251c3b1bc9fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:46:04 +0100
Subject: [PATCH 25/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index c713ae000b..58140073ee 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -53,8 +53,6 @@ connectors:
 <1> OAuth client id copied from GitHub OAuth application
 <2> OAuth client secret, generated at GitHub in previous step
 <3> Callback URL to Dex. This must match configuration in GitHub OAuth application from step 1.
-+
-See link:https://dexidp.io/docs/connectors/github/[Dex documentation] for details
 Note: To remove Dex static users, delete all `enablePasswordDB` and `staticPasswords` sections.
From e8ee0bc9f9a58297fb6e5d86439ba8abae5d28a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:46:11 +0100
Subject: [PATCH 26/29] Update modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
---
 .../proc_configuring-minikube-github-authentication.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 58140073ee..9cb941f887 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -2,7 +2,9 @@
 = Configuring Minikube with GitHub Authentication
-Configure the {link-oidc-issuer} OpenID Connect (OIDC) issuer to use GitHub authentication rather than preconfigured static users.
+On Minikube, {prod-cli} provides a default OpenID Connect (OIDC) issuer, which can serve as a bridge to third party {identity-provider}, such as GitHub.
+{link-oidc-issuer} is the default OIDC issuer, preconfigured with static users.
+Configure {link-oidc-issuer} to use GitHub authentication.
 .Prerequisites
From 065c669b4f4d91180a0cb845168b2850f47b4125 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Tue, 21 Dec 2021 15:46:17 +0100
Subject: [PATCH 27/29] Update modules/administration-guide/partials/con_gateway.adoc
---
 modules/administration-guide/partials/con_gateway.adoc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/modules/administration-guide/partials/con_gateway.adoc b/modules/administration-guide/partials/con_gateway.adoc
index 920f0e9cc5..30e2e71e29 100644
--- a/modules/administration-guide/partials/con_gateway.adoc
+++ b/modules/administration-guide/partials/con_gateway.adoc
@@ -7,8 +7,6 @@ The {prod-short} gateway has following roles:
 * Authenticating users with OpenID Connect (OIDC). It uses {link-oauth2-proxy}.
-* Providing a default OIDC issuer, which can serve as a bridge to third party {identity-provider}, such as GitHub. {link-oidc-issuer} is the default OIDC issuer, preconfigured with static users.
-
 * Applying {orch-name} Role based access control (RBAC) policies to control access to any {prod-short} resource. It uses {link-kube-rbac-proxy}.
 The {prod-short} operator manages it as the `che-gateway` Deployment.
From fa5d00ae622990359ed915fed3e7c6ef324079fe Mon Sep 17 00:00:00 2001
From: Michal Vala
Date: Wed, 22 Dec 2021 11:34:41 +0100
Subject: [PATCH 28/29] grammar fixes
Signed-off-by: Michal Vala
---
 modules/administration-guide/partials/con_che-operator.adoc | 2 +-
 .../proc_configuring-minikube-github-authentication.adoc | 4 ++--
 .../partials/proc_enabling-dev-workspace-operator.adoc | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/administration-guide/partials/con_che-operator.adoc b/modules/administration-guide/partials/con_che-operator.adoc
index ecc0459376..a6e89e9b2c 100644
--- a/modules/administration-guide/partials/con_che-operator.adoc
+++ b/modules/administration-guide/partials/con_che-operator.adoc
@@ -15,7 +15,7 @@ Defines the `CheCluster` {orch-name} object.
 Creates and controls the necessary {orch-name} objects to run a {prod-short} instance, such as pods, services, and persistent volumes.
 `CheCluster` custom resource (CR)::
-On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensure full lifecycle management of the {prod-short} server components on this {prod-short} instance:
+On a cluster with the {prod-short} operator, it is possible to create a `CheCluster` custom resource (CR). The {prod-short} operator ensures the full lifecycle management of the {prod-short} server components on this {prod-short} instance:
 +
 * xref:devworkspace-operator.adoc[]
 * xref:gateway.adoc[]
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 9cb941f887..29c0d44f64 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -28,8 +28,8 @@ Authorization callback URL: https://dex..nip.io/callback <3>
 ----
 +
 <1> Name is only displayed on GitHub. It is not used internally so it can be any name.
-<2> Main URL to Che instance.
-<3> Callback URL to Dex. Chectl deploys Dex on `dex.` subdomain.
+<2> Main URL to {prod-short} instance.
+<3> Callback URL to Dex. {prod-cli} deploys Dex on `dex.` subdomain.
 . In the GitHub OAuth application page, click btn:[Generate a new client secret] and remember the value of the generated client secret as `__`.
diff --git a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
index 5ef2d75029..6b73c09fe8 100644
--- a/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
+++ b/modules/installation-guide/partials/proc_enabling-dev-workspace-operator.adoc
@@ -38,7 +38,7 @@ $ {prod-cli} server:deploy --workspace-engine=dev-workspace ...
 ifeval::["{project-context}" == "che"]
 [WARNING]
 ====
-{prod-cli} will automatically setup Dex as OIDC provider on Minikube. For other {kubernetes} clusters setup link:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server[{kubernetes} OIDC] provider following cluster provider documentation and set the following values in {prod-checluster} Custom Resource (CR):
+{prod-cli} will automatically setup Dex as the OIDC provider on Minikube. For other {kubernetes} clusters setup link:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server[{kubernetes} OIDC] provider following cluster provider documentation and set the following values in {prod-checluster} Custom Resource (CR):
 [source,yaml,subs="+quotes"]
 ----
@@ -47,7 +47,7 @@ spec:
 identityProviderURL: '____' <1>
 ----
-<1> URL to OIDC provider.
+<1> URL to the OIDC provider.
 ====
 endif::[]
From 67e99ffb702fd9e6b8be1cd4ad64a3d6355dca04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?=
Date: Wed, 22 Dec 2021 11:46:56 +0100
Subject: [PATCH 29/29] Apply suggestions from code review
---
 .../proc_configuring-minikube-github-authentication.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
index 29c0d44f64..e9942432ab 100644
--- a/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
+++ b/modules/administration-guide/partials/proc_configuring-minikube-github-authentication.adoc
@@ -20,9 +20,9 @@ $ minikube ip
 . link:https://github.com/settings/applications/new[Create an OAuth App] for your Minikube instance in GitHub. See link:https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app[GitHub documentation].
 +
-[source]
+[source,subs="+attributes,macros,quotes"]
 ----
-Application name: Eclipse Che <1>
+Application name: {prod-short} <1>
 Homepage URL: https://.nip.io <2>
 Authorization callback URL: https://dex..nip.io/callback <3>
 ----