unable to access repository present inside an organization's gitlab account (visibility private)

[Divine1]

Summary

The project repository i'm working on is maintained under gitlab.company.com. The gitlab.company.com is accessible only within the corporate network and sso is required to login into the gitlab.company.com. i can add ssh keys/generate accessTokens but this will be valid only inside corporate network.

The visibility of the project repository is private

i'm maintaining thedevfile.yaml inside the same project repository.

i have eclipseche installed in minikube. The installation is successful and i'm able to clone a public / private github repository in this eclipseche instance.

the problem i face is with private gitlab.company.com repository that is accessible only within corporate network.

i get below error message when i try to open the workspace.

Please let me know how to resolve this issue

Relevant information

No response

[skabashnyuk]

@Divine1 thank you for the question. At this stage, it's important to decide the flow you want to follow.

• Is it OAuth2 integration - then you can use factories with automated authorization flow.
• SSH flow - then you have to create a workspace, set up ssh keys. After that, you'll be able to do clone/push.

Wich way do you want to follow?

[Divine1]

@skabashnyuk i would like to follow ssh flow.

[skabashnyuk]

@skabashnyuk i would like to follow ssh flow.

Ok. Now, what Che version do you have, and what workspace engine are you using. Che7 or devWrksapce, Devfile v1 or Devfile v2?

is accessible only within the corporate network

Does that mean you need to set up HTTP proxy?

[Divine1]

@skabashnyuk
image: quay.io/eclipse/che-server:7.40.2
devfile v1

HTTP proxy is not required.

Che7 or devWrksapce - what is the difference? i have installed eclipse-che via minikube. i'm with the understanding that both are same

i installed via below link

https://www.eclipse.org/che/docs/che-7/installation-guide/installing-che-on-minikube/

[skabashnyuk]

I found only this guide on how to mount a file https://www.eclipse.org/che/docs/che-7/end-user-guide/mounting-a-secret-as-a-file-or-an-environment-variable-into-a-workspace-container/. If you are able to create secrets in your k8s namespace I think you can follow it to mount ssh files.

@vinokurig @svor do you remember if we have documentation about how to manage ssh keys from the Theia?

[Divine1]

@skabashnyuk i have access to create secrets in my k8s namespace.

i have a doubt in the value present for settings.xml in the docs.

As per the docs, Should i encode(base64) all the data present inside settings.xml and paste it as a value for settings.xml ?

data:
  settings.xml: <base64 encoded data content here>

incase of ssh public key, should i encode(base64) the content of publickey file and put it as below ?

data:
  id_rsa.pub: <base64 encoded data content here>

[vinokurig]

@vinokurig @svor do you remember if we have documentation about how to manage ssh keys from the Theia?

This might be useful : https://www.eclipse.org/che/docs/che-7/end-user-guide/version-control/#_generating_an_ssh_key_using_the_che_command_palette

[skabashnyuk]

incase of ssh public key, should i encode(base64) the content of publickey file and put it as below ?

I think you need both. git client inside the Theia container has to have access to the private par. The public part would be checked on the opposite side (on gitlab)

However @vinokurig 's variant I like more.

[Divine1]

incase of ssh public key, should i encode(base64) the content of publickey file and put it as below ?

I think you need both. git client inside the Theia container has to have access to the private par. The public part would be checked on the opposite side (on gitlab)

However @vinokurig 's variant I like more.

the devfile.yaml will also be present inside the repository of gitlab.company.com with visibility private. Will this approach mentioned in this or this work for my scenario?

@skabashnyuk

[skabashnyuk]

the devfile.yaml will also be present inside the repository of gitlab.company.com with visibility private. Will this approach mentioned in this or this work for my scenario?

I think you are referring to factory flow. It's not the silky smooth player with ssh way scenario.
I recommend considering OAuth integration flow in this case.

[Divine1]

@skabashnyuk could you share the doc link for OAuth integration flow ?

[Divine1]

@skabashnyuk do you think the step mentioned here will be relevant for my scenario?

https://www.eclipse.org/che/docs/che-7/end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/#configuring_gitlab_authentication_che

[nils-mosbach]

@Divine1 Since we had the same issue, I can share some information what works in our case. :) We're quite happy with the OAuth Integration flow. Since i wrote down everything for another ticket, here's a quick summary what I did to get it working.

Have a look here: https://www.eclipse.org/che/docs/che-7/administration-guide/configuring-authorization/#configuring-gitlab-oauth2_che

My intention was to allow cloning private projects for all of our developers using GitLab OAuth without the need of defining SSH-Tokens or Kubernetes secrets on user side. So basically add a button to all GitLab Project-Pages (like "Open in Che") which will does the trick (Login, clone, etc.) without user interaction. Git-urls in devfiles must be http-only of course.

Thanks to the work of @skabashnyuk it now works like a charm in v7.40. Thanks a lot! (#20790)

We've setup GitLab/Keycloak/Che as described in the documentation.

• Custom Che properties in Operator-Config:
  • CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS: "https://git.company.dev/"
  • CHE_INTEGRATION_GITLAB_OAUTH__ENDPOINT: "https://git.company.dev/"
• Keycloak realm and client configured as described in the documentation
  • Created a realm "git-dev"
  • Added a identity provider "GitLab"
    • Authorization URL: https://git.company.dev/oauth/authorize
    • Token URL: https://git.company.dev/oauth/token
    • Default scopes: api read_user read_api write_repository openid profile email
    • Create a new Application in GitLab with appropriate rights and copy clientid and secret.

Our Keycloak Identity Provider config:

I installed Che using chectl. Deployment: Operator.

operator-config.yaml:

spec:
  server:
    tlsSupport: true
    customCheProperties:
      CHE_SYSTEM_SUPER__PRIVILEGED__MODE: "true"
      CHE_LIMITS_USER_WORKSPACES_RUN_COUNT: "-1"
      CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT: "9000000" 
      CHE_SYSTEM_ADMIN__NAME: mosbachn
      CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS: "https://git.company.dev/"
      CHE_INTEGRATION_GITLAB_OAUTH__ENDPOINT: "https://git.company.dev/"
    cheImagePullPolicy: Always
    devfileRegistryPullPolicy: Always
    pluginRegistryPullPolicy: Always
    
  database:
    externalDb: false
    postgresImagePullPolicy: Always

  storage:
    pvcStrategy: per-workspace
    pvcClaimSize: '5Gi'

  auth:
      externalIdentityProvider: true
      identityProviderURL: 'https://auth.company.dev/auth'
      identityProviderRealm: 'git-dev'
      identityProviderClientId: 'che'
      openShiftoAuth: false

  k8s:
      ingressDomain: 'company.dev'
      ingressStrategy: 'multi-host'
      tlsSecretName: 'tls-company-dev'

That's it. Nice and smooth without dealing with SSH tokens! :)

[Divine1]

@nils-mosbach thank you for details. this is very helpful.. i have below doubt.

I installed Che using chectl. Deployment: Operator.

operator-config.yaml:

i have already installed eclipse-che using chectl in minikube for exploring the capabilities

https://www.eclipse.org/che/docs/che-7/installation-guide/installing-che-on-minikube/

in this case, how to update operator-config.yaml which you have shared?

[nils-mosbach]

Depends on your configuration. --che-operator-cr-patch-yaml merges the changes. That's what we use for updating our configuration on a rancher provisioned cluster. Not sure if --skip-kubernetes-health-check still necessary, there was an issue with ranchers rbac implementation a while ago.

chectl server:update  \
  --deployment-name=dev-studio \
  --platform=k8s \
  --installer=operator \
  --che-operator-cr-patch-yaml=./operator-config.yaml  \
  --chenamespace=dev-studio \
  --skip-kubernetes-health-check \
  --batch

If users from OIDC are linked i would start fresh, just in case...

[Divine1]

Depends on your configuration. --che-operator-cr-patch-yaml merges the changes. That's what we use for updating our configuration on a rancher provisioned cluster. Not sure if --skip-kubernetes-health-check still necessary, there was an issue with ranchers rbac implementation a while ago.

chectl server:update  \
  --deployment-name=dev-studio \
  --platform=k8s \
  --installer=operator \
  --che-operator-cr-patch-yaml=./operator-config.yaml  \
  --chenamespace=dev-studio \
  --skip-kubernetes-health-check \
  --batch

If users from OIDC are linked i would start fresh, just in case...

i will try this out and share the feedback.

[Divine1]

@nils-mosbach

my project repository is present in https://git.company.com/ can be accessed only within corporate network (using global protect software ). i have installed the eclipse-che on minikube cluster in my personal laptop

the installation is successful. To verify if all components are working fine i opened a sample project in eclipse-che workspace

the vscode editor opened successfully. but when i try to clone a repository from the https://git.company.com/ link, by opening a terminal in vscode launched via eclipse-che, i get below 443 error (error is shown in vscode terminal in screenshot). please let me know how to overcome this network issue.

@skabashnyuk

[skabashnyuk]

my project repository is present in https://git.company.com/ can be accessed only within corporate network (using global protect software ).

Is this an HTTP proxy?
CC @tolusha

[Divine1]

my project repository is present in https://git.company.com/ can be accessed only within corporate network (using global protect software ).

Is this an HTTP proxy? CC @tolusha

i dont use any proxy urls.

i have to connect my laptop using global protect to be inside the corporate network inorder to access the https://git.company.com/ website.

i have installed eclipse-che in a minikube cluster in my laptop, but looks like eclipse-che is not able to make use of the corporate network @tolusha @skabashnyuk

[skabashnyuk]

i have to connect my laptop using global protect to be inside the corporate network inorder to access the https://git.company.com/ website.

Can you try to run any container (without using che) with git inside and try to clone https://git.company.com/. Does it work for you?

[Divine1]

@skabashnyuk

yes i'm able to clone a repository fromhttps://git.company.com/ inside the ubuntu docker container with corporate network enabled (i was able to clone by creating a personal accesstoken in gitlab.company.com as my organization uses ssoBasedLogin inorder to login into gitlab)

i disabled corporate network and tried to clone a repository fromhttps://git.company.com/ inside the ubuntu docker container. but this time the cloning process failed fatal: unable to access .... couldn't resolve host .....

[tolusha]

@Divine1
Does accessing to the repository require any certificates?
Any specific git configuration inside ubuntu docker container for clonning?

[Divine1]

@skabashnyuk @tolusha @nils-mosbach

i used the private accestoken to resolve this issue. may be this is not the best solution compared to the solution suggested by @nils-mosbach . but i was not able to make the solution shared by @nils-mosbach to work....

Thank you everybody for the support . Takecare

i'm facing few other problems, will created another ticket for it.

https://www.eclipse.org/che/docs/che-7/end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/#configuring_gitlab_authentication_che

closing this ticket