From e977ad1cca42ef5b493340ab79157f8ce019f4d1 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 4 Feb 2026 13:03:28 +0100 Subject: [PATCH 01/19] feat: Support OpenShift external IDP Signed-off-by: Anatolii Bazko --- antora.yml | 3 +- .../examples/snip_che-installing-che.adoc | 1 + modules/administration-guide/nav.adoc | 1 + .../pages/installing-che-in-the-cloud.adoc | 1 + ...he-on-openshift-with-keycloak-as-oidc.adoc | 236 ++++++++++++++++++ 5 files changed, 240 insertions(+), 2 deletions(-) create mode 100644 modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc diff --git a/antora.yml b/antora.yml index aeaead6d5a..7a80f28097 100644 --- a/antora.yml +++ b/antora.yml @@ -31,8 +31,7 @@ asciidoc: devworkspace-id: devworkspace docker-cli: docker hosted-che-docs: xref:hosted-che:hosted-che.adoc[] - identity-provider-legacy-id: keycloak - identity-provider-legacy: Keycloak + keycloak: Keycloak image-puller-cr-name: KubernetesImagePuller image-puller-deployment-id: kubernetes-image-puller-operator image-puller-deployment-name: kubernetes-image-puller diff --git a/modules/administration-guide/examples/snip_che-installing-che.adoc b/modules/administration-guide/examples/snip_che-installing-che.adoc index 8228f6048d..85aba42271 100644 --- a/modules/administration-guide/examples/snip_che-installing-che.adoc +++ b/modules/administration-guide/examples/snip_che-installing-che.adoc @@ -12,6 +12,7 @@ You can deploy only one instance of {prod-short} per cluster. * xref:installing-che-on-openshift-using-cli.adoc[] * xref:installing-che-on-openshift-using-the-web-console.adoc[] +* xref:installing-che-on-openshift-with-keycloak-as-oidc.adoc[] * xref:installing-che-in-a-restricted-environment.adoc[] * xref:installing-che-on-microsoft-azure.adoc[] * xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index 6b19ae5c1f..645f64c105 100644 
--- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -21,6 +21,7 @@ ** xref:installing-che-in-the-cloud.adoc[] *** xref:installing-che-on-openshift-using-cli.adoc[] *** xref:installing-che-on-openshift-using-the-web-console.adoc[] +*** xref:installing-che-on-openshift-with-keycloak-as-oidc.adoc[] *** xref:installing-che-in-a-restricted-environment.adoc[] *** xref:installing-che-on-microsoft-azure.adoc[] *** xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] diff --git a/modules/administration-guide/pages/installing-che-in-the-cloud.adoc b/modules/administration-guide/pages/installing-che-in-the-cloud.adoc index 7f934307fd..ac922b6f8a 100644 --- a/modules/administration-guide/pages/installing-che-in-the-cloud.adoc +++ b/modules/administration-guide/pages/installing-che-in-the-cloud.adoc @@ -20,6 +20,7 @@ Follow the instructions below to start the {prod-short} Server in the cloud by u * xref:installing-che-on-openshift-using-cli.adoc[] * xref:installing-che-on-openshift-using-the-web-console.adoc[] +* xref:installing-che-on-openshift-with-keycloak-as-oidc.adoc[] * xref:installing-che-in-a-restricted-environment.adoc[] * xref:installing-che-on-microsoft-azure.adoc[] * xref:installing-che-on-amazon-elastic-kubernetes-service.adoc[] diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc new file mode 100644 index 0000000000..5ac8735159 --- /dev/null +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -0,0 +1,236 @@ +:_content-type: PROCEDURE +:description: Installing {prod-short} on OpenShift with {keycloak} as external identity provider +:keywords: overview, installing, openshift, keycloak, oidc +:navtitle: Installing {prod-short} on OpenShift with {keycloak} as external identity provider + + +[id="installing-che-on-openshift-with-keycloak-as-oidc"] += Installing {prod-short} on OpenShift with {keycloak} as external identity provider + +You can Install {prod-short} on OpenShift when Keycloak is configured as an external identity provider for the cluster. + +.Prerequisites + +* An active `oc` session with administrative permissions to the OpenShift cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI]. + +* {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider]. + +.Procedure + +. Define the namespace where {keycloak} is installed: ++ +[source,shell] +---- +KEYCLOAK_NAMESPACE= +---- + +. Define the {keycloak} realm used for OpenShift authentication: ++ +[source,shell] +---- +OPENSHIFT_REALM= +---- + +. Define the {keycloak} URL: ++ +[source,shell] +---- +KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --template='{{ .spec.host }}') +---- + +. Create a `{prod-id}` client in the {keycloak} Admin Console: ++ +-- +.. Within the realm used for OpenShift authentication, select *Clients* on the left-hand navigation bar. +.. Select the *Create client* button. +.. On the *General Settings* page: ++ +... Enter `eclipse-che` in the *Client ID* field. +... Optionally enter a *Name* and *Description* for the OAuth client. +... Click *Next*. +.. On the *Capability config* page: ++ +... 
Toggle *Client authentication* to *On*. +... Click *Next*. +... Click *Save*. + +.. Navigate to the *Credentials* tab of the newly created client and copy the *Client secret* value. You will need this value in a later step. +-- + +. Add the `{prod-id}` client to the audiences list in the OpenShift authentication configuration: ++ +[source,shell,subs="+quotes,+attributes"] +---- +{orch-cli} patch authentication.config/cluster --type=json \ + -p='[{"op": "add", "path": "/spec/oidcProviders/0/issuer/audiences/-", "value": "{prod-id}"}]' +---- ++ +[NOTE] +==== +If you have multiple OIDC providers configured, adjust the array index in the path (currently `0`) to match your {keycloak} provider's position in the configuration. +==== + +. Wait for the `kube-apiserver` cluster operator to roll out the configuration changes: ++ +[source,shell,subs="+quotes,+attributes"] +---- +watch {orch-cli} get co kube-apiserver +---- + +. Create a {orch-namespace} for {prod-short}: ++ +[subs="+quotes,attributes"] +---- +{orch-cli} create {orch-namespace} {prod-namespace} +---- + +. Create a secret for the OAuth client in the {prod-short} namespace: ++ +[source,yaml,subs="+quotes,+attributes"] +---- +{orch-cli} apply -f - <__ <1> +EOF +---- +<1> The client secret value from the `eclipse-che` client in Keycloak. + + +. Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. +If {keycloak} uses a certificate that is already trusted by OpenShift, this step may be omitted. 
++ +[source,shell,subs="+attributes"] +---- +openssl s_client \ + -connect "$(echo "$KEYCLOAK_URL" | sed 's|https://||'):443" \ + -showcerts < /dev/null \ +| sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \ +> keycloak-ca.crt + +{orch-cli} create configmap keycloak-certs \ + --from-file=keycloak-ca.crt=keycloak-ca.crt \ + -n {prod-namespace} && \ +{orch-cli} label configmap keycloak-certs \ + app.kubernetes.io/part-of=che.eclipse.org \ + app.kubernetes.io/component=ca-bundle \ + -n {prod-namespace} +---- + +. Prepare the `CheCluster` patch: ++ +[source,shell,subs="+attributes"] +---- +cat > che-patch.yaml << EOF +kind: CheCluster +apiVersion: org.eclipse.che/v2 +spec: + networking: + auth: + oAuthClientName: {prod-id} + oAuthSecret: {prod-id}-oauth-secret + identityProviderURL: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM" + gateway: + oAuthProxy: + cookieExpireSeconds: 300 + deployment: + containers: + - name: oauth-proxy + env: + - name: OAUTH2_PROXY_CODE_CHALLENGE_METHOD + value: S256 + - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL + value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint={id_token}" + components: + cheServer: + extraProperties: + CHE_OIDC_GROUPS__CLAIM: '' <1> + CHE_OIDC_GROUPS__PREFIX: '' <2> + CHE_OIDC_USERNAME__CLAIM: '' <3> + CHE_OIDC_USERNAME__PREFIX: '' <4> +EOF +---- +<1> The claim to use for extracting user groups. +<2> The prefix to add to group names. Empty string means no prefix. +<3> The claim to use for extracting the username. +<4> The prefix to add to usernames from the external authentication system. ++ +[NOTE] +==== +These values must match the corresponding claim and prefix settings configured in the `authentication.config/cluster` resource. To view the current cluster configuration, run: + +[source,shell,subs="+attributes"] +---- +{orch-cli} get authentication.config/cluster -o yaml +---- +==== ++ +. 
Create the {prod-short} instance with `{prod-cli}`: ++ +[source,shell,subs="+attributes"] +---- +{prod-cli} server:deploy \ + --platform openshift \ + --che-operator-cr-patch-yaml che-patch.yaml +---- + +. Update a `{prod-id}` client to set {prod-short} callback URL: ++ +-- +.. Open {keycloak} Admin Console +.. Within the realm used for OpenShift authentication, click on `{prod-id}` client +... In the *Valid redirect URIs* field, enter the redirect URIs for your {prod-short} installation. +Can be obtained with the following command: ++ +[source,shell,subs="+quotes,+attributes"] +---- +echo "$({orch-cli} get checluster {prod-checluster} -n {prod-namespace} -o jsonpath='{.status.cheURL}')/oauth/callback" +---- +... Click *Save*. +-- + +. Create a `ClusterRoleBinding` to grant users access to {prod-short}: ++ +[source,shell,subs="+quotes,+attributes"] +---- +{orch-cli} apply -f - < +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: ____ <2> +EOF +---- +<1> Users must have at least the `self-provisioner` role to access {prod-short}. +<2> The name of the user group from {keycloak} that should be granted access to {prod-short}. + +.Verification steps + +. Verify the {prod-short} instance status: ++ +[source,shell,subs="+attributes"] +---- +{prod-cli} server:status +---- + +. Navigate to the {prod-short} cluster instance: ++ +[source,shell,subs="+attributes"] +---- +{prod-cli} dashboard:open +---- + +. Log in to the {prod-short} instance. From 210b84483fd4dfc6bb50a6b7473752db60fcacb2 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Mon, 9 Feb 2026 15:53:24 +0100 Subject: [PATCH 02/19] fixup Signed-off-by: Anatolii Bazko --- ...he-on-openshift-with-keycloak-as-oidc.adoc | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) 
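Review bot: The `openssl s_client … -showcerts` step in the ConfigMap section trusts whatever chain the endpoint presents at that moment with no verification, so an on-path attacker during this single step gets their CA into Che's trust bundle, and because the `sed` range keeps every BEGIN/END block the bundle also pins the current leaf certificate, which will stop matching on the next rotation. Prefer taking the issuer CA from a trusted source (the secret or PKI that issued Keycloak's serving certificate) and, if the fetch is kept, have the reader inspect what was captured before creating the ConfigMap, e.g. `openssl x509 -in keycloak-ca.crt -noout -subject -issuer -fingerprint -sha256`. Adding `-servername "$(echo "$KEYCLOAK_URL" | sed 's|https://||')"` also avoids receiving the router's default certificate on OpenSSL builds that do not send SNI by default. The Secret and ClusterRoleBinding bodies in this hunk appear truncated in the rendered patch, so their contents are not reviewed here.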
diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 5ac8735159..cd705470a1 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -33,7 +33,7 @@ OPENSHIFT_REALM= . Define the {keycloak} URL: + -[source,shell] +[source,shell,subs="+quotes,+attributes"] ---- KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --template='{{ .spec.host }}') ---- @@ -41,11 +41,11 @@ KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --te . Create a `{prod-id}` client in the {keycloak} Admin Console: + -- -.. Within the realm used for OpenShift authentication, select *Clients* on the left-hand navigation bar. +.. Within the realm used for OpenShift authentication, select *Clients* on the left side of the navigation bar. .. Select the *Create client* button. .. On the *General Settings* page: + -... Enter `eclipse-che` in the *Client ID* field. +... Enter `{prod-id}` in the *Client ID* field. ... Optionally enter a *Name* and *Description* for the OAuth client. ... Click *Next*. .. On the *Capability config* page: 
@@ -61,13 +61,21 @@ KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --te + [source,shell,subs="+quotes,+attributes"] ---- -{orch-cli} patch authentication.config/cluster --type=json \ - -p='[{"op": "add", "path": "/spec/oidcProviders/0/issuer/audiences/-", "value": "{prod-id}"}]' +{orch-cli} patch authentication.config/cluster \ + --type='json' \ + -p='[ + { + "op": "add", + "path": "/spec/oidcProviders/0/issuer/audiences/-", + "value": "{prod-id}" + } + ]' ---- + [NOTE] ==== -If you have multiple OIDC providers configured, adjust the array index in the path (currently `0`) to match your {keycloak} provider's position in the configuration. +If you have multiple OIDC providers configured, adjust the array index in the path +(currently 0) to match your {keycloak} provider's position in the configuration. ==== . Wait for the `kube-apiserver` cluster operator to roll out the configuration changes: @@ -92,7 +100,7 @@ watch {orch-cli} get co kube-apiserver apiVersion: v1 kind: Secret metadata: - name: {prod-id}-oauth-secret + name: oauth-secret namespace: {prod-namespace} labels: app.kubernetes.io/part-of: che.eclipse.org @@ -100,7 +108,7 @@ stringData: oAuthSecret: ____ <1> EOF ---- -<1> The client secret value from the `eclipse-che` client in Keycloak. +<1> The client secret value from the `{prod-id} client in {keycloak}. . Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. @@ -134,7 +142,7 @@ spec: networking: auth: oAuthClientName: {prod-id} - oAuthSecret: {prod-id}-oauth-secret + oAuthSecret: oauth-secret identityProviderURL: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM" gateway: oAuthProxy: From 0c8f05bf46282a42855f027dd9c83fbfbf943066 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 12 Mar 2026 16:56:56 +0100 Subject: [PATCH 03/19] fixes Signed-off-by: Anatolii Bazko --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
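Review bot: The reformatted `oc patch` still uses an unconditional JSON `add` on `/spec/oidcProviders/0/issuer/audiences/-`, so running the step twice (for example after a failed later step) leaves a duplicate `{prod-id}` entry in the cluster authentication config. A preceding check such as `{orch-cli} get authentication.config/cluster -o jsonpath='{.spec.oidcProviders[0].issuer.audiences}'` with a "skip this step if the audience is already listed" sentence would make the step idempotent. Since this change makes kube-apiserver accept tokens issued to the `{prod-id}` client as cluster credentials, the NOTE below it is also the right place to say that the client secret created later must be handled as a cluster-authentication credential and that the client's redirect URIs should stay exact rather than wildcarded.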
diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index cd705470a1..c4f95e29db 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -1,5 +1,5 @@ :_content-type: PROCEDURE -:description: Installing {prod-short} on OpenShift with {keycloak} as external identity provider +:description: Installing {prod-short} on Red Hat OpenShift with {keycloak} as external identity provider :keywords: overview, installing, openshift, keycloak, oidc :navtitle: Installing {prod-short} on OpenShift with {keycloak} as external identity provider From 5820f32e9b769676800fbca0414abca7f3eb1530 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:25:42 +0100 Subject: [PATCH 04/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index c4f95e29db..08771360ab 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -5,7 +5,7 @@ [id="installing-che-on-openshift-with-keycloak-as-oidc"] -= Installing {prod-short} on OpenShift with {keycloak} as external identity provider += Install {prod-short} on OpenShift with {keycloak} as external identity provider You can Install {prod-short} on OpenShift when Keycloak is configured as an external identity provider for the cluster. From f53bf9c0e070f65ca11a5ee034810736a68eeb38 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:25:56 +0100 Subject: [PATCH 05/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 08771360ab..b2d8233668 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -7,7 +7,7 @@ [id="installing-che-on-openshift-with-keycloak-as-oidc"] = Install {prod-short} on OpenShift with {keycloak} as external identity provider -You can Install {prod-short} on OpenShift when Keycloak is configured as an external identity provider for the cluster. +Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external OIDC identity provider for centralized user authentication. .Prerequisites From 74baf970d191f3be8692bbd6a9dcb829e0197d27 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:26:08 +0100 Subject: [PATCH 06/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index b2d8233668..21345c76eb 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -11,7 +11,7 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external .Prerequisites -* An active `oc` session with administrative permissions to the OpenShift cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI]. +* An active `{orch-cli}` session with administrative permissions to the OpenShift cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI]. * {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider]. From d0f4542e5ddee66eebc44704c05e407fb4c36762 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:26:20 +0100 Subject: [PATCH 07/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 21345c76eb..8070881295 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -13,7 +13,7 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external * An active `{orch-cli}` session with administrative permissions to the OpenShift cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI]. -* {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider]. +* {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp4-ver}/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider]. .Procedure From 50a0c5180010e5632b3fa31f6136f4c5a5950b2a Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:26:31 +0100 Subject: [PATCH 08/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 8070881295..1548724af6 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -19,9 +19,9 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external . Define the namespace where {keycloak} is installed: + -[source,shell] +[source,bash,subs="+quotes"] ---- -KEYCLOAK_NAMESPACE= +KEYCLOAK_NAMESPACE=____ ---- . Define the {keycloak} realm used for OpenShift authentication: From 02c2d6ef4972981614af62c7805948e309829127 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:26:42 +0100 Subject: [PATCH 09/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 1548724af6..677d2fd50f 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -108,7 +108,7 @@ stringData: oAuthSecret: ____ <1> EOF ---- -<1> The client secret value from the `{prod-id} client in {keycloak}. +<1> The client secret value from the `{prod-id}` client in {keycloak}. . Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. From 8687221f3d53f4659a5409e18bb442868901f01f Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:26:58 +0100 Subject: [PATCH 10/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 677d2fd50f..265a6f6466 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -111,8 +111,7 @@ EOF <1> The client secret value from the `{prod-id}` client in {keycloak}. -. Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. -If {keycloak} uses a certificate that is already trusted by OpenShift, this step may be omitted. +. Optional: Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. If {keycloak} uses a certificate that is already trusted by OpenShift, skip this step. + [source,shell,subs="+attributes"] ---- From 064430955eb446531a71fad52366982c509a8516 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:27:15 +0100 Subject: [PATCH 11/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 265a6f6466..15378a052b 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -224,7 +224,7 @@ EOF <1> Users must have at least the `self-provisioner` role to access {prod-short}. <2> The name of the user group from {keycloak} that should be granted access to {prod-short}. -.Verification steps +.Verification . Verify the {prod-short} instance status: + From 7fd315de7bfac621af0e127cf977abf605ec46e8 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:27:44 +0100 Subject: [PATCH 12/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 15378a052b..34e3d5332e 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -190,10 +190,9 @@ These values must match the corresponding claim and prefix settings configured i . Update a `{prod-id}` client to set {prod-short} callback URL: + -- -.. Open {keycloak} Admin Console -.. Within the realm used for OpenShift authentication, click on `{prod-id}` client -... In the *Valid redirect URIs* field, enter the redirect URIs for your {prod-short} installation. -Can be obtained with the following command: +.. Open the {keycloak} Admin Console. +.. Within the realm used for OpenShift authentication, click the `{prod-id}` client. +... In the *Valid redirect URIs* field, enter the redirect URI for your {prod-short} installation. To obtain the redirect URI, run the following command: + [source,shell,subs="+quotes,+attributes"] ---- From 320e4e790b1f1f148a4f7ebda6d692a69b9eee88 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:27:56 +0100 Subject: [PATCH 13/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 34e3d5332e..f4875cf175 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -46,7 +46,7 @@ KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --te .. On the *General Settings* page: + ... Enter `{prod-id}` in the *Client ID* field. -... Optionally enter a *Name* and *Description* for the OAuth client. +... Optional: Enter a *Name* and *Description* for the OAuth client. ... Click *Next*. .. On the *Capability config* page: + From 954eaa9fa60914d444a953b0c669662ec27578ab Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:28:09 +0100 Subject: [PATCH 14/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index f4875cf175..50e3c841d4 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -54,7 +54,7 @@ KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --te ... Click *Next*. ... Click *Save*. -.. Navigate to the *Credentials* tab of the newly created client and copy the *Client secret* value. You will need this value in a later step. +.. Navigate to the *Credentials* tab of the newly created client and copy the *Client secret* value for use when applying the OAuth client secret. -- . Add the `{prod-id}` client to the audiences list in the OpenShift authentication configuration: From 0ff47caebc8642db6449d67ba6dec1e5b4406f42 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:28:22 +0100 Subject: [PATCH 15/19] Update modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc Co-authored-by: Gaurav Trivedi <90042568+gtrivedi88@users.noreply.github.com> --- .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index 50e3c841d4..e6eb84534a 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc @@ -87,7 +87,7 @@ watch {orch-cli} get co kube-apiserver . Create a {orch-namespace} for {prod-short}: + -[subs="+quotes,attributes"] +[source,bash,subs="+quotes,+attributes"] ---- {orch-cli} create {orch-namespace} {prod-namespace} ---- From cfd94b4a9cd7cd50681c6a2db92155cd2ae6765d Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 27 Mar 2026 12:33:21 +0100 Subject: [PATCH 16/19] fixes Signed-off-by: Anatolii Bazko --- ...-che-on-openshift-with-keycloak-as-oidc.adoc | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc index e6eb84534a..b731893711 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc 
@@ -17,24 +17,17 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external
 .Procedure
-. Define the namespace where {keycloak} is installed:
+. Define the environment variables:
 +
-[source,bash,subs="+quotes"]
+[source,shell,subs="+quotes,+attributes"]
 ----
+# The {keycloak} namespace:
 KEYCLOAK_NAMESPACE=____
-----
-. Define the {keycloak} realm used for OpenShift authentication:
-+
-[source,shell]
-----
+# The {keycloak} realm used for OpenShift authentication:
 OPENSHIFT_REALM=
-----
-. Define the {keycloak} URL:
-+
-[source,shell,subs="+quotes,+attributes"]
-----
+# The {keycloak} URL
 KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --template='{{ .spec.host }}')
 ----
From 244bcab6b6f150025593e46dd62ca9c4c94e629a Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Fri, 27 Mar 2026 12:40:35 +0100
Subject: [PATCH 17/19] fixes
Signed-off-by: Anatolii Bazko
---
 .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
index b731893711..bdc5865501 100644
--- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
+++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
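Review bot: `OPENSHIFT_REALM=` in the merged listing carries no value placeholder, while `KEYCLOAK_NAMESPACE=____` two lines above does, so a reader who pastes the block verbatim exports an empty realm, and the `$OPENSHIFT_REALM` expansion later on the page (the `OAUTH2_PROXY_BACKEND_LOGOUT_URL` value) presumably collapses to `/realms//protocol/...` with no error at definition time. Use the same marker, `OPENSHIFT_REALM=____`, and end the third comment with a colon like the other two, `# The {keycloak} URL:`. The listing also declares `source,shell` while the namespace listing touched in patch 15 (`@@ -87,7 +87,7`) was just changed to `source,bash`; one language tag for the page's shell listings would be easier to maintain.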
@@ -13,7 +13,7 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external
 * An active `{orch-cli}` session with administrative permissions to the OpenShift cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI].
-* {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp4-ver}/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider].
+* {keycloak} is configured as an external identity provider for OpenShift. See link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/external-auth[Enabling direct authentication with an external OIDC identity provider].
 .Procedure
From 54ed2c006fff7f06fc547c4a819467506b20fe22 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Mon, 30 Mar 2026 12:09:33 +0200
Subject: [PATCH 18/19] fixes
Signed-off-by: Anatolii Bazko
---
 .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
index bdc5865501..a0a7e0cb2e 100644
--- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
+++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
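Review bot: The new prerequisite line pins its link to `openshift_container_platform/4.20/...` while the `{orch-cli}` prerequisite on the line above still resolves `{ocp4-ver}`, so the two links will drift apart each time the attribute is bumped. If the pin is deliberate (the external OIDC provider page may only exist from 4.20 onward; that is an inference, not visible here), record the reason next to it in a source comment, e.g. `// external-auth page exists only for 4.20+; do not replace with {ocp4-ver}`, otherwise keep `{ocp4-ver}` for consistency with the rest of the page.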
@@ -146,8 +146,7 @@ spec:
 - name: OAUTH2_PROXY_CODE_CHALLENGE_METHOD
 value: S256
 - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL
- value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint={id_token}"
- components:
+ value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint=\{id_token}" components:
 cheServer:
 extraProperties:
 CHE_OIDC_GROUPS__CLAIM: '' <1>
From 485d754aa9878b4276a5457a63ed7755d6802104 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Mon, 30 Mar 2026 12:12:00 +0200
Subject: [PATCH 19/19] fixes
Signed-off-by: Anatolii Bazko
---
 .../installing-che-on-openshift-with-keycloak-as-oidc.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
index a0a7e0cb2e..bdc130bae6 100644
--- a/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
+++ b/modules/administration-guide/pages/installing-che-on-openshift-with-keycloak-as-oidc.adoc
@@ -146,7 +146,8 @@ spec:
 - name: OAUTH2_PROXY_CODE_CHALLENGE_METHOD
 value: S256
 - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL
- value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint=\{id_token}" components:
+ value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint=\{id_token}"
+ components:
 cheServer:
 extraProperties:
 CHE_OIDC_GROUPS__CLAIM: '' <1>
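Review bot: The `\{id_token}` escape on the `OAUTH2_PROXY_BACKEND_LOGOUT_URL` line only renders as `{id_token}` if the enclosing listing block enables attribute substitution; the block header is outside this hunk, so confirm it carries `subs="+attributes"` like the env-var listings earlier on the page, otherwise the rendered page shows a literal backslash and the manifest a reader copies would presumably send a malformed `id_token_hint` to the logout endpoint. A one-line source comment above the listing, `// \{id_token} is an oauth2-proxy template placeholder, escaped so Asciidoctor does not treat it as an attribute`, would keep the next editor from removing the backslash again. The same line is touched in patch 18's hunk above, which this patch supersedes.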