feat: Update keycloak from 6.0.1 to 15 (#1015)

* Use keycloak 15. Add separated option to debug keycloak server. Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>
2021-09-10 12:36:00 +03:00 · 2021-09-10 12:36:00 +03:00 · 8b1dd1527a
parent f64dcf4bea
commit 8b1dd1527a
12 changed files with 76 additions and 65 deletions
--- a/.github/bin/common.sh
+++ b/.github/bin/common.sh
@ -449,22 +449,11 @@ login() {

 # Deploy Eclipse Che behind proxy in openshift ci
 deployCheBehindProxy() {
-  # Get the ocp domain for che custom resources
-  export DOMAIN=$(oc get dns cluster -o json | jq .spec.baseDomain | sed -e 's/^"//' -e 's/"$//')
-
-  # Related issue:https://github.com/eclipse/che/issues/17681
-    cat >/tmp/che-cr-patch.yaml <<EOL
-spec:
-  server:
-    nonProxyHosts: oauth-openshift.apps.$DOMAIN
-EOL
-
  chectl server:deploy \
    --batch \
    --installer=operator \
    --platform=openshift \
    --templates=${TEMPLATES} \
-    --che-operator-cr-patch-yaml=/tmp/che-cr-patch.yaml \
    --che-operator-image ${OPERATOR_IMAGE}
  oc get checluster eclipse-che -n eclipse-che -o yaml
 }
--- a/api/v1/checluster_types.go
+++ b/api/v1/checluster_types.go
@ -477,6 +477,9 @@ type CheClusterSpecAuth struct {
 	GatewayAuthorizationSidecarImage string `json:"gatewayAuthorizationSidecarImage,omitempty"`
 	// Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin.
 	GatewayHeaderRewriteSidecarImage string `json:"gatewayHeaderRewriteSidecarImage,omitempty"`
+
+	// Debug internal identity provider.
+	Debug bool `json:"debug,omitempty"`
 }

 // Ingress custom settings, can be extended in the future
--- a/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
@ -83,7 +83,7 @@ metadata:
    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
    repository: https://github.com/eclipse-che/che-operator
    support: Eclipse Foundation
-  name: eclipse-che-preview-kubernetes.v7.36.0-296.next
+  name: eclipse-che-preview-kubernetes.v7.37.0-300.next
  namespace: placeholder
 spec:
  apiservicedefinitions: {}
@ -1191,4 +1191,4 @@ spec:
  maturity: stable
  provider:
    name: Eclipse Foundation
-  version: 7.36.0-296.next
+  version: 7.37.0-300.next
--- a/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
+++ b/bundle/next/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
@ -43,6 +43,9 @@ spec:
              auth:
                description: Configuration settings related to the Authentication used by the Che installation.
                properties:
+                  debug:
+                    description: Debug internal identity provider.
+                    type: boolean
                  externalIdentityProvider:
                    description: 'Instructs the Operator on whether or not to deploy a dedicated Identity Provider (Keycloak or RH SSO instance). Instructs the Operator on whether to deploy a dedicated Identity Provider (Keycloak or RH-SSO instance). By default, a dedicated Identity Provider server is deployed as part of the Che installation. When `externalIdentityProvider` is `true`, no dedicated identity provider will be deployed by the Operator and you will need to provide details about the external identity provider you are about to use. See also all the other fields starting with: `identityProvider`.'
                    type: boolean
--- a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@ -76,7 +76,7 @@ metadata:
    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
    repository: https://github.com/eclipse-che/che-operator
    support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.36.0-306.next
+  name: eclipse-che-preview-openshift.v7.37.0-310.next
  namespace: placeholder
 spec:
  apiservicedefinitions: {}
@ -1260,4 +1260,4 @@ spec:
  maturity: stable
  provider:
    name: Eclipse Foundation
-  version: 7.36.0-306.next
+  version: 7.37.0-310.next
--- a/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml
+++ b/bundle/next/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml
@ -54,6 +54,9 @@ spec:
                  description: Configuration settings related to the Authentication
                    used by the Che installation.
                  properties:
+                    debug:
+                      description: Debug internal identity provider.
+                      type: boolean
                    externalIdentityProvider:
                      description: 'Instructs the Operator on whether or not to deploy
                        a dedicated Identity Provider (Keycloak or RH SSO instance).
--- a/config/crd/bases/org_v1_che_crd-v1beta1.yaml
+++ b/config/crd/bases/org_v1_che_crd-v1beta1.yaml
@ -51,6 +51,9 @@ spec:
              description: Configuration settings related to the Authentication used
                by the Che installation.
              properties:
+                debug:
+                  description: Debug internal identity provider.
+                  type: boolean
                externalIdentityProvider:
                  description: 'Instructs the Operator on whether or not to deploy
                    a dedicated Identity Provider (Keycloak or RH SSO instance). Instructs
--- a/config/crd/bases/org_v1_che_crd.yaml
+++ b/config/crd/bases/org_v1_che_crd.yaml
@ -54,6 +54,9 @@ spec:
                  description: Configuration settings related to the Authentication
                    used by the Che installation.
                  properties:
+                    debug:
+                      description: Debug internal identity provider.
+                      type: boolean
                    externalIdentityProvider:
                      description: 'Instructs the Operator on whether or not to deploy
                        a dedicated Identity Provider (Keycloak or RH SSO instance).
--- a/config/samples/org.eclipse.che_v1_checluster.yaml
+++ b/config/samples/org.eclipse.che_v1_checluster.yaml
@ -66,7 +66,6 @@ spec:
    # Also consult the `singleHostExposureType` property to further configure how the Operator and the Che server make that happen on Kubernetes.
    # `default-host` exposes the Che server on the host of the cluster. Read the docs to learn about the limitations of this approach.
    serverExposureStrategy: ''
-
  database:
    # Instructs the Operator on whether to deploy a dedicated database.
    # By default, a dedicated PostgreSQL database is deployed as part of the Che installation. When `externalDb` is `true`, no dedicated database will be deployed by the
--- a/controllers/devworkspace/solver/che_routing_test.go
+++ b/controllers/devworkspace/solver/che_routing_test.go
@ -292,7 +292,6 @@ func TestCreateRelocatedObjectsK8S(t *testing.T) {
 	})
 }

-
 func TestCreateRelocatedObjectsOpenshift(t *testing.T) {
 	infrastructure.InitializeForTesting(infrastructure.OpenShiftv4)
 	cl, _, objs := getSpecObjects(t, relocatableDevWorkspaceRouting())
--- a/pkg/deploy/identity-provider/deployment_keycloak.go
+++ b/pkg/deploy/identity-provider/deployment_keycloak.go
@ -13,7 +13,6 @@ package identity_provider

 import (
 	"context"
-	"net/url"
 	"regexp"
 	"strconv"
 	"strings"
@ -233,6 +232,18 @@ func GetSpecKeycloakDeployment(
 			Name:  "DB_VENDOR",
 			Value: "POSTGRES",
 		},
+		{
+			Name:  "DB_USERNAME",
+			Value: "keycloak",
+		},
+		{
+			Name:  "DB_ADDR",
+			Value: util.GetValue(deployContext.CheCluster.Spec.Database.ChePostgresHostName, deploy.DefaultChePostgresHostName),
+		},
+		{
+			Name:  "DB_DATABASE",
+			Value: "keycloak",
+		},
 		{
 			Name:  "POSTGRES_PORT_5432_TCP_ADDR",
 			Value: util.GetValue(deployContext.CheCluster.Spec.Database.ChePostgresHostName, deploy.DefaultChePostgresHostName),
@ -245,14 +256,6 @@ func GetSpecKeycloakDeployment(
 			Name:  "POSTGRES_PORT",
 			Value: util.GetValue(deployContext.CheCluster.Spec.Database.ChePostgresPort, deploy.DefaultChePostgresPort),
 		},
-		{
-			Name:  "POSTGRES_ADDR",
-			Value: util.GetValue(deployContext.CheCluster.Spec.Database.ChePostgresHostName, deploy.DefaultChePostgresHostName),
-		},
-		{
-			Name:  "POSTGRES_DATABASE",
-			Value: "keycloak",
-		},
 		{
 			Name:  "POSTGRES_USER",
 			Value: "keycloak",
@ -298,7 +301,7 @@ func GetSpecKeycloakDeployment(
 	identityProviderPostgresSecret := deployContext.CheCluster.Spec.Auth.IdentityProviderPostgresSecret
 	if len(identityProviderPostgresSecret) > 0 {
 		keycloakEnv = append(keycloakEnv, corev1.EnvVar{
-			Name: "POSTGRES_PASSWORD",
+			Name: "DB_PASSWORD",
 			ValueFrom: &corev1.EnvVarSource{
 				SecretKeyRef: &corev1.SecretKeySelector{
 					Key: "password",
@ -310,7 +313,7 @@ func GetSpecKeycloakDeployment(
 		})
 	} else {
 		keycloakEnv = append(keycloakEnv, corev1.EnvVar{
-			Name:  "POSTGRES_PASSWORD",
+			Name:  "DB_PASSWORD",
 			Value: deployContext.CheCluster.Spec.Auth.IdentityProviderPostgresPassword,
 		})
 	}
@ -516,33 +519,12 @@ func GetSpecKeycloakDeployment(
 		keycloakEnv = append(keycloakEnv, envvar)
 	}

-	var enableFixedHostNameProvider string
-	if deployContext.CheCluster.IsInternalClusterSVCNamesEnabled() {
-		if cheFlavor == "che" {
-			keycloakURL, err := url.Parse(deployContext.CheCluster.Status.KeycloakURL)
-			if err != nil {
-				return nil, err
-			}
-			hostname := keycloakURL.Hostname()
-			enableFixedHostNameProvider = " && echo 'Use fixed hostname provider to make working internal network requests' && " +
-				"echo -e \"embed-server --server-config=standalone.xml --std-out=echo \n" +
-				"/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value=\"fixed\") \n" +
-				"/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.hostname,value=\"" + hostname + "\") \n"
-			if deployContext.CheCluster.Spec.Server.TlsSupport {
-				enableFixedHostNameProvider += "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpsPort,value=\"443\") \n" +
-					"/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.alwaysHttps,value=\"true\") \n"
-			} else {
-				enableFixedHostNameProvider += "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpPort,value=\"80\") \n"
-			}
-			enableFixedHostNameProvider += "stop-embedded-server\" > " + jbossDir + "/use_fixed_hostname_provider.cli && " +
-				jbossCli + " --file=" + jbossDir + "/use_fixed_hostname_provider.cli "
-		}
-		if cheFlavor == "codeready" {
-			keycloakEnv = append(keycloakEnv, corev1.EnvVar{
-				Name:  "KEYCLOAK_FRONTEND_URL",
-				Value: deployContext.CheCluster.Status.KeycloakURL,
-			})
-		}
+	// Enable internal network for keycloak
+	if deployContext.CheCluster.IsInternalClusterSVCNamesEnabled() && !deployContext.CheCluster.Spec.Auth.ExternalIdentityProvider {
+		keycloakEnv = append(keycloakEnv, corev1.EnvVar{
+			Name:  "KEYCLOAK_FRONTEND_URL",
+			Value: deployContext.CheCluster.Status.KeycloakURL,
+		})
 	}

 	evaluateKeycloakSystemProperties := "KEYCLOAK_SYS_PROPS=\"-Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled\""
@ -562,8 +544,8 @@ func GetSpecKeycloakDeployment(
 		" && " + evaluateKeycloakSystemProperties +
 		" && " + evaluateExpectContinueEnabled +
 		" && " + evaluateReuseConnections +
-		" && " + changeConfigCommand + enableFixedHostNameProvider +
-		" && /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml $KEYCLOAK_SYS_PROPS"
+		" && " + changeConfigCommand +
+		" && /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml $KEYCLOAK_SYS_PROPS"

 	if cheFlavor == "codeready" {
 		addUsernameReadonlyTheme := "baseTemplate=/opt/eap/themes/base/login/login-update-profile.ftl" +
@ -600,6 +582,35 @@ func GetSpecKeycloakDeployment(
 		command = "echo \"ssl_required WAS UPDATED for master realm.\" && " + command
 	}

+	ports := []corev1.ContainerPort{
+		{
+			Name:          deploy.IdentityProviderName,
+			ContainerPort: 8080,
+			Protocol:      "TCP",
+		},
+	}
+
+	if deployContext.CheCluster.Spec.Auth.Debug {
+		ports = append(ports, corev1.ContainerPort{
+			Name:          "debug",
+			ContainerPort: 8787,
+			Protocol:      "TCP",
+		})
+
+		keycloakEnv = append(keycloakEnv, []corev1.EnvVar{
+			{
+				Name:  "DEBUG",
+				Value: "true",
+			},
+			{
+				Name:  "DEBUG_PORT",
+				Value: "*:8787",
+			},
+		}...)
+
+		command += " --debug"
+	}
+
 	args := []string{"-c", command}

 	deployment := &appsv1.Deployment{
@ -638,14 +649,8 @@ func GetSpecKeycloakDeployment(
 							Command: []string{
 								"/bin/sh",
 							},
-							Args: args,
-							Ports: []corev1.ContainerPort{
-								{
-									Name:          deploy.IdentityProviderName,
-									ContainerPort: 8080,
-									Protocol:      "TCP",
-								},
-							},
+							Args:  args,
+							Ports: ports,
 							Resources: corev1.ResourceRequirements{
 								Requests: corev1.ResourceList{
 									corev1.ResourceMemory: util.GetResourceQuantity(
--- a/pkg/deploy/ingress.go
+++ b/pkg/deploy/ingress.go
@ -104,6 +104,10 @@ func GetIngressSpec(
 	if ingressStrategy != "multi-host" && (component == DevfileRegistryName || component == PluginRegistryName) {
 		annotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$1"
 	}
+	// Set bigger proxy buffer size to prevent 502 auth error.
+	if component == IdentityProviderName {
+		annotations["nginx.ingress.kubernetes.io/proxy-buffer-size"] = "16k"
+	}
 	for k, v := range ingressCustomSettings.Annotations {
 		annotations[k] = v
 	}