From 8b1dd1527a8e950872e4b4d35cda4758464eac02 Mon Sep 17 00:00:00 2001 From: Oleksandr Andriienko Date: Fri, 10 Sep 2021 12:36:00 +0300 Subject: [PATCH] feat: Update keycloak from 6.0.1 to 15 (#1015) * Use keycloak 15. Add separated option to debug keycloak server. Signed-off-by: Oleksandr Andriienko --- .github/bin/common.sh | 11 -- api/v1/checluster_types.go | 3 + .../che-operator.clusterserviceversion.yaml | 4 +- .../manifests/org_v1_che_crd.yaml | 3 + .../che-operator.clusterserviceversion.yaml | 4 +- .../manifests/org_v1_che_crd.yaml | 3 + config/crd/bases/org_v1_che_crd-v1beta1.yaml | 3 + config/crd/bases/org_v1_che_crd.yaml | 3 + .../org.eclipse.che_v1_checluster.yaml | 1 - .../devworkspace/solver/che_routing_test.go | 1 - .../identity-provider/deployment_keycloak.go | 101 +++++++++--------- pkg/deploy/ingress.go | 4 + 12 files changed, 76 insertions(+), 65 deletions(-) diff --git a/.github/bin/common.sh b/.github/bin/common.sh index 09e2766ee..8bfa0b3f4 100755 --- a/.github/bin/common.sh +++ b/.github/bin/common.sh @@ -449,22 +449,11 @@ login() { # Deploy Eclipse Che behind proxy in openshift ci deployCheBehindProxy() { - # Get the ocp domain for che custom resources - export DOMAIN=$(oc get dns cluster -o json | jq .spec.baseDomain | sed -e 's/^"//' -e 's/"$//') - - # Related issue:https://github.com/eclipse/che/issues/17681 - cat >/tmp/che-cr-patch.yaml < 0 { keycloakEnv = append(keycloakEnv, corev1.EnvVar{ - Name: "POSTGRES_PASSWORD", + Name: "DB_PASSWORD", ValueFrom: &corev1.EnvVarSource{ SecretKeyRef: &corev1.SecretKeySelector{ Key: "password", @@ -310,7 +313,7 @@ func GetSpecKeycloakDeployment( }) } else { keycloakEnv = append(keycloakEnv, corev1.EnvVar{ - Name: "POSTGRES_PASSWORD", + Name: "DB_PASSWORD", Value: deployContext.CheCluster.Spec.Auth.IdentityProviderPostgresPassword, }) } 
@@ -516,33 +519,12 @@ func GetSpecKeycloakDeployment(
 keycloakEnv = append(keycloakEnv, envvar)
 }
- var enableFixedHostNameProvider string
- if deployContext.CheCluster.IsInternalClusterSVCNamesEnabled() {
- if cheFlavor == "che" {
- keycloakURL, err := url.Parse(deployContext.CheCluster.Status.KeycloakURL)
- if err != nil {
- return nil, err
- }
- hostname := keycloakURL.Hostname()
- enableFixedHostNameProvider = " && echo 'Use fixed hostname provider to make working internal network requests' && " +
- "echo -e \"embed-server --server-config=standalone.xml --std-out=echo \n" +
- "/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value=\"fixed\") \n" +
- "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.hostname,value=\"" + hostname + "\") \n"
- if deployContext.CheCluster.Spec.Server.TlsSupport {
- enableFixedHostNameProvider += "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpsPort,value=\"443\") \n" +
- "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.alwaysHttps,value=\"true\") \n"
- } else {
- enableFixedHostNameProvider += "/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpPort,value=\"80\") \n"
- }
- enableFixedHostNameProvider += "stop-embedded-server\" > " + jbossDir + "/use_fixed_hostname_provider.cli && " +
- jbossCli + " --file=" + jbossDir + "/use_fixed_hostname_provider.cli "
- }
- if cheFlavor == "codeready" {
- keycloakEnv = append(keycloakEnv, corev1.EnvVar{
- Name: "KEYCLOAK_FRONTEND_URL",
- Value: deployContext.CheCluster.Status.KeycloakURL,
- })
- }
+ // Enable internal network for keycloak
+ if deployContext.CheCluster.IsInternalClusterSVCNamesEnabled() && !deployContext.CheCluster.Spec.Auth.ExternalIdentityProvider {
+ keycloakEnv = append(keycloakEnv, corev1.EnvVar{
+ Name: "KEYCLOAK_FRONTEND_URL",
+ Value: deployContext.CheCluster.Status.KeycloakURL,
+ })
 }
 evaluateKeycloakSystemProperties := "KEYCLOAK_SYS_PROPS=\"-Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled\""
@@ -562,8 +544,8 @@ func GetSpecKeycloakDeployment(
 " && " + evaluateKeycloakSystemProperties +
 " && " + evaluateExpectContinueEnabled +
 " && " + evaluateReuseConnections +
- " && " + changeConfigCommand + enableFixedHostNameProvider +
- " && /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml $KEYCLOAK_SYS_PROPS"
+ " && " + changeConfigCommand +
+ " && /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml $KEYCLOAK_SYS_PROPS"
 if cheFlavor == "codeready" {
 addUsernameReadonlyTheme := "baseTemplate=/opt/eap/themes/base/login/login-update-profile.ftl" +
@@ -600,6 +582,35 @@ func GetSpecKeycloakDeployment(
 command = "echo \"ssl_required WAS UPDATED for master realm.\" && " + command
 }
+ ports := []corev1.ContainerPort{
+ {
+ Name: deploy.IdentityProviderName,
+ ContainerPort: 8080,
+ Protocol: "TCP",
+ },
+ }
+
+ if deployContext.CheCluster.Spec.Auth.Debug {
+ ports = append(ports, corev1.ContainerPort{
+ Name: "debug",
+ ContainerPort: 8787,
+ Protocol: "TCP",
+ })
+
+ keycloakEnv = append(keycloakEnv, []corev1.EnvVar{
+ {
+ Name: "DEBUG",
+ Value: "true",
+ },
+ {
+ Name: "DEBUG_PORT",
+ Value: "*:8787",
+ },
+ }...)
+
+ command += " --debug"
+ }
+
 args := []string{"-c", command}
 deployment := &appsv1.Deployment{
@@ -638,14 +649,8 @@ func GetSpecKeycloakDeployment(
 Command: []string{
 "/bin/sh",
 },
- Args: args,
- Ports: []corev1.ContainerPort{
- {
- Name: deploy.IdentityProviderName,
- ContainerPort: 8080,
- Protocol: "TCP",
- },
- },
+ Args: args,
+ Ports: ports,
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceMemory: util.GetResourceQuantity(
diff --git a/pkg/deploy/ingress.go b/pkg/deploy/ingress.go
index fe4d84b84..9f2d97237 100644
--- a/pkg/deploy/ingress.go
+++ b/pkg/deploy/ingress.go
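Review bot: The new `KEYCLOAK_FRONTEND_URL` entry takes `Status.KeycloakURL` as-is, so a reconcile that runs before the status field is populated emits an empty frontend URL, whereas the removed branch at least passed the value through `url.Parse` and returned an error on failure. A guard such as `if kcURL := deployContext.CheCluster.Status.KeycloakURL; kcURL != "" {` around the append (or an explicit error when it is empty) avoids baking a blank value into the deployment spec. The removed CLI script also switched the hostname SPI to the `fixed` provider, which pins the hostname Keycloak advertises regardless of the incoming request; with only a frontend URL configured it is worth confirming against the Keycloak 15 hostname documentation that the internal-network case this commit targets does not fall back to request-derived hostnames. `GetSpecKeycloakDeployment` starts and ends outside the hunk, and if nothing else in the file still uses the `url` package its import is now unused.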
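Review bot: With `Spec.Auth.Debug` set, the hunk binds a JDWP listener on `*:8787` and declares it as a container port, which hands anything that can reach the pod network an unauthenticated debugger on the Keycloak JVM, and nothing here limits or documents that exposure. If the workflow is `kubectl port-forward`, binding to loopback, `Value: "127.0.0.1:8787"`, keeps the listener off the pod network while still reachable through the forward (the `debug` container port then becomes unnecessary); a NetworkPolicy on the identity provider pod is the alternative if remote attach from inside the cluster is required. Either way the `Debug` field added in `api/v1/checluster_types.go` (outside this chunk) should carry a doc comment along the lines of `// Debug exposes a JDWP remote debugger on port 8787 of the identity provider container; development only.` The `DEBUG`/`DEBUG_PORT` env vars and the appended `--debug` flag look like two routes to the same setting — presumably the entrypoint honours one of them, so it is worth confirming which before keeping both. `GetSpecKeycloakDeployment` starts and ends outside the hunk.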
@@ -104,6 +104,10 @@ func GetIngressSpec(
 if ingressStrategy != "multi-host" && (component == DevfileRegistryName || component == PluginRegistryName) {
 annotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$1"
 }
+ // Set bigger proxy buffer size to prevent 502 auth error.
+ if component == IdentityProviderName {
+ annotations["nginx.ingress.kubernetes.io/proxy-buffer-size"] = "16k"
+ }
 for k, v := range ingressCustomSettings.Annotations {
 annotations[k] = v
 }
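Review bot: The comment on the new annotation names the symptom but not the cause, which is what the next maintainer tuning the value needs; presumably the trigger is Keycloak's large response headers overflowing ingress-nginx's default proxy buffer, so something like `// Keycloak responses carry large cookie/auth headers that overflow ingress-nginx's default proxy buffer and surface as 502s; raise it for the identity provider ingress only.` explains why `16k` is here. The setting is nginx-specific, but the function already writes other `nginx.ingress.kubernetes.io/*` annotations unconditionally, and placing it before the `ingressCustomSettings.Annotations` loop keeps it user-overridable, which is right. The `16k` literal could join whatever constants the file keeps rather than sitting inline. `GetIngressSpec` starts and ends outside the hunk.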