Issues with Websockets for Che with Nginx-Ingress Controller. #23049
Comments
Wosin
added
the
kind/question
che-bot
added
the
status/need-triage
ibuziuk
added
area/che-operator
|
@tolusha ptal |
|
@Wosin hello, could you please clarify if you followed https://eclipse.dev/che/docs/stable/administration-guide/installing-che-on-the-virtual-kubernetes-cluster/ ? if smth. is not working as expected PR to the docs should be provided to improve the installation SOP on vanilla k8s |
|
Setting Could you add them as well ? |
|
I was able to resolve this I think. I needed to set the oauth cookie expiration and then I had to add a server-snippet to get the websockets working. I'm using authelia for oidc. apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
name: eclipse-che
namespace: eclipse-che
spec:
components:
cheServer:
extraProperties:
CHE_OIDC_USERNAME__CLAIM: email
networking:
annotations:
external-dns.alpha.kubernetes.io/target: che.mydomain.dev
kubernetes.io/ingress.class: internal
nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.org/websocket-services: che-gateway
nginx.ingress.kubernetes.io/server-snippets: |
location / {
proxysetheader Upgrade $httpupgrade;
proxyhttpversion 1.1;
proxysetheader X-Forwarded-Host $httphost;
proxysetheader X-Forwarded-Proto $scheme;
proxysetheader X-Forwarded-For $remoteaddr;
proxysetheader Host $host;
proxysetheader Connection "upgrade";
proxycachebypass $httpupgrade;
}
auth:
gateway:
oAuthProxy:
cookieExpireSeconds: 300 # needs to be shorter than the oidc token lifespan
identityProviderURL: https://auth.mydomain.dev
oAuthClientName: oauth2-proxy
oAuthSecret: SUPERSECRETOIDC
domain: che.mydomain.dev |
|
@brunnels [1] https://eclipse.dev/che/docs/stable/administration-guide/installing-che/ |
|
@tolusha I'm working on getting this all installable and working via flux2 kustomize that people using k8s can use as an example. |
|
@tolusha It's almost there but I'm seeing some inconsistencies with the CheCluster v2 crd and what's actually happening. Things like It's also not clear what clusterroles my users need. The docs make it seem like just adding them to the In any case, here's current progress. https://github.com/brunnels/talos-cluster/tree/main/kubernetes/apps/eclipse-che Is there a discord or similar where we could discuss more? |
|
@tolusha turns out can't deploy without chectl right now. The che operator helm chart doesn't provide everything that's needed so it's a dead end on vanilla k8s. eclipse-che/che-operator#1655 |
|
@brunnels |
Summary
Hey!
I am facing an issue with Eclipse Che deployment on Vanilla k8s cluster running with Keycloak as OIDC provider using nginx-ingress controller. We have managed to pretty much configure and make everything work correctly, the only issue is the websocket connection.
We are using the below patch to deploy che:
As I've mentioned everything in general works okay, but the websocket connetions to
/dashboard/api/websocketare only working for as long as the initial oauth cookie is valid, after that they are failing withNo valid authentication in request. Initiating login.and we see the WebSocket connections are failing. Refer to "Network Troubleshooting" in the user guide. error on dashboard screen.After manual refresh everything is back to normal, again for the validity time of the cookie set in the configuration.Is there any documentation about setting up Che with Nginx to make sure the websocket connetions are working correctly ?
Relevant information
No response
The text was updated successfully, but these errors were encountered: