Allow to use external PostgreSQL (#371)
* Allow to use external PostgreSQL Signed-off-by: Anatolii Bazko <abazko@redhat.com>pull/376/head
parent
57ea0f86f8
commit
c64d61faf4
@ -636,6 +636,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
|
|||
}
|
||||
|
||||
if !tests {
|
||||
identityProviderPostgresPassword := instance.Spec.Auth.IdentityProviderPostgresPassword
|
||||
identityProviderPostgresSecret := instance.Spec.Auth.IdentityProviderPostgresSecret
|
||||
if len(identityProviderPostgresSecret) > 0 {
|
||||
_, password, err := util.K8sclient.ReadSecret(identityProviderPostgresSecret, instance.Namespace)
|
||||
|
|
@ -643,9 +644,9 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
|
|||
logrus.Errorf("Failed to read '%s' secret: %s", identityProviderPostgresSecret, err)
|
||||
return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
|
||||
}
|
||||
identityProviderPostgresSecret = password
|
||||
identityProviderPostgresPassword = password
|
||||
}
|
||||
pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresSecret)
|
||||
pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresPassword)
|
||||
dbStatus := instance.Status.DbProvisoned
|
||||
// provision Db and users for Che and Keycloak servers
|
||||
if !dbStatus {
|
||||
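Review bot: The provisioning branch at `if !dbStatus {` in the `@ -643,9 +644,9` hunk still runs regardless of `instance.Spec.Database.ExternalDb`; nothing in either hunk skips `pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresPassword)` for an external database, so unless the enclosing `if !tests {` block already sits inside an ExternalDb check outside the hunk, the operator will try to create the keycloak role and database in a postgres pod that is not deployed. Guard it the way this commit guards `ProvisionKeycloakResources`, e.g. `if !dbStatus && !instance.Spec.Database.ExternalDb {`, or mark `DbProvisoned` for the external case and document which of the two is intended. A short comment on `identityProviderPostgresPassword := instance.Spec.Auth.IdentityProviderPostgresPassword` saying that the secret, when set, overrides the spec value would also make the precedence explicit. `Reconcile` starts and ends outside these hunks.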
@ -16,11 +16,9 @@ import (
|
|||
|
||||
orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
|
||||
oauth "github.com/openshift/api/oauth/v1"
|
||||
routev1 "github.com/openshift/api/route/v1"
|
||||
"github.com/sirupsen/logrus"
|
||||
appsv1 "k8s.io/api/apps/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/api/extensions/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"sigs.k8s.io/controller-runtime/pkg/reconcile"
|
||||
)
|
||||
|
|
@ -28,31 +26,7 @@ import (
|
|||
func (r *ReconcileChe) GetEffectiveDeployment(instance *orgv1.CheCluster, name string) (deployment *appsv1.Deployment, err error) {
|
||||
deployment = &appsv1.Deployment{}
|
||||
err = r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, deployment)
|
||||
if err != nil {
|
||||
logrus.Errorf("Failed to get %s deployment: %s", name, err)
|
||||
return nil, err
|
||||
}
|
||||
return deployment, nil
|
||||
}
|
||||
|
||||
func (r *ReconcileChe) GetEffectiveIngress(instance *orgv1.CheCluster, name string) (ingress *v1beta1.Ingress) {
|
||||
ingress = &v1beta1.Ingress{}
|
||||
err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, ingress)
|
||||
if err != nil {
|
||||
logrus.Errorf("Failed to get %s ingress: %s", name, err)
|
||||
return nil
|
||||
}
|
||||
return ingress
|
||||
}
|
||||
|
||||
func (r *ReconcileChe) GetEffectiveRoute(instance *orgv1.CheCluster, name string) (route *routev1.Route) {
|
||||
route = &routev1.Route{}
|
||||
err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, route)
|
||||
if err != nil {
|
||||
logrus.Errorf("Failed to get %s route: %s", name, err)
|
||||
return nil
|
||||
}
|
||||
return route
|
||||
return deployment, err
|
||||
}
|
||||
|
||||
func (r *ReconcileChe) GetEffectiveConfigMap(instance *orgv1.CheCluster, name string) (configMap *corev1.ConfigMap) {
|
||||
|
|
@ -84,15 +58,3 @@ func (r *ReconcileChe) GetOAuthClient(oAuthClientName string) (oAuthClient *oaut
|
|||
}
|
||||
return oAuthClient, nil
|
||||
}
|
||||
|
||||
func (r *ReconcileChe) GetDeploymentVolume(deployment *appsv1.Deployment, key string) (volume corev1.Volume) {
|
||||
volumes := deployment.Spec.Template.Spec.Volumes
|
||||
for i := range volumes {
|
||||
name := volumes[i].Name
|
||||
if name == key {
|
||||
volume = volumes[i]
|
||||
break
|
||||
}
|
||||
}
|
||||
return volume
|
||||
}
|
||||
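Review bot: In the `@ -28,31 +26,7` hunk the surviving `return deployment, err` in `GetEffectiveDeployment` returns a non-nil, zero-valued `*appsv1.Deployment` together with a non-nil error, whereas the removed branch returned `nil, err` after logging. If the old/new counts mean what they appear to (31 lines down to 7, leaving only the assignment, the `Get` and the return), callers that test `deployment == nil` instead of `err` will now operate on an empty Deployment; prefer `if err != nil { return nil, err }` followed by `return deployment, nil`. The function also needs a doc comment stating that the returned pointer is valid only when err is nil, and that the failure is no longer logged here, since the `logrus.Errorf("Failed to get %s deployment: %s", ...)` line is gone. The `GetEffectiveIngress`/`GetEffectiveRoute` and `GetDeploymentVolume` removals are pure deletions and raise nothing on their own.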
@ -104,7 +104,6 @@ func getSpecKeycloakDeployment(
|
|||
terminationGracePeriodSeconds := int64(30)
|
||||
cheCertSecretVersion := getSecretResourceVersion("self-signed-certificate", checluster.Namespace, clusterAPI)
|
||||
openshiftApiCertSecretVersion := getSecretResourceVersion("openshift-api-crt", checluster.Namespace, clusterAPI)
|
||||
sslRequiredUpdatedForMasterRealm := isSslRequiredUpdatedForMasterRealm(checluster, clusterAPI)
|
||||
|
||||
// add various certificates to Java trust store so that Keycloak can connect to OpenShift API
|
||||
// certificate that OpenShift router uses (for 4.0 only)
|
||||
|
|
@ -222,15 +221,19 @@ func getSpecKeycloakDeployment(
|
|||
},
|
||||
{
|
||||
Name: "POSTGRES_PORT_5432_TCP_ADDR",
|
||||
Value: "postgres",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
|
||||
},
|
||||
{
|
||||
Name: "POSTGRES_PORT_5432_TCP_PORT",
|
||||
Value: "5432",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
|
||||
},
|
||||
{
|
||||
Name: "POSTGRES_PORT",
|
||||
Value: "5432",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
|
||||
},
|
||||
{
|
||||
Name: "POSTGRES_ADDR",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
|
||||
},
|
||||
{
|
||||
Name: "POSTGRES_DATABASE",
|
||||
|
|
@ -345,19 +348,19 @@ func getSpecKeycloakDeployment(
|
|||
},
|
||||
{
|
||||
Name: "KEYCLOAK_POSTGRESQL_SERVICE_HOST",
|
||||
Value: "postgres",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
|
||||
},
|
||||
{
|
||||
Name: "KEYCLOAK_POSTGRESQL_SERVICE_PORT",
|
||||
Value: "5432",
|
||||
Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
|
||||
},
|
||||
{
|
||||
Name: "DB_DATABASE",
|
||||
Value: KeycloakDeploymentName,
|
||||
Value: "keycloak",
|
||||
},
|
||||
{
|
||||
Name: "DB_USERNAME",
|
||||
Value: KeycloakDeploymentName,
|
||||
Value: "keycloak",
|
||||
},
|
||||
{
|
||||
Name: "DB_VENDOR",
|
||||
|
|
@ -470,10 +473,12 @@ func getSpecKeycloakDeployment(
|
|||
" && sed -i 's/WILDCARD/ANY/g' /opt/eap/bin/launch/keycloak-spi.sh && /opt/eap/bin/openshift-launch.sh -b 0.0.0.0"
|
||||
}
|
||||
|
||||
sslRequiredUpdatedForMasterRealm := isSslRequiredUpdatedForMasterRealm(checluster, clusterAPI)
|
||||
if sslRequiredUpdatedForMasterRealm {
|
||||
// update command to restart pod
|
||||
command = "echo \"ssl_required WAS UPDATED for master realm.\" && " + command
|
||||
}
|
||||
|
||||
args := []string{"-c", command}
|
||||
|
||||
deployment := &appsv1.Deployment{
|
||||
|
|
@ -581,6 +586,10 @@ func getSecretResourceVersion(name string, namespace string, clusterAPI ClusterA
|
|||
}
|
||||
|
||||
func isSslRequiredUpdatedForMasterRealm(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) bool {
|
||||
if checluster.Spec.Database.ExternalDb {
|
||||
return false
|
||||
}
|
||||
|
||||
if util.IsTestMode() {
|
||||
return false
|
||||
}
|
||||
|
|
@ -620,16 +629,18 @@ func updateSslRequiredForMasterRealm(checluster *orgv1.CheCluster) error {
|
|||
}
|
||||
|
||||
func ProvisionKeycloakResources(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) error {
|
||||
value, err := getSslRequiredForMasterRealm(checluster)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if value != "NONE" {
|
||||
err := updateSslRequiredForMasterRealm(checluster)
|
||||
if !checluster.Spec.Database.ExternalDb {
|
||||
value, err := getSslRequiredForMasterRealm(checluster)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if value != "NONE" {
|
||||
err := updateSslRequiredForMasterRealm(checluster)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
keycloakProvisionCommand := GetKeycloakProvisionCommand(checluster)
|
||||
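Review bot: In the `@ -222,15 +221,19` and `@ -345,19 +348,19` hunks the same `util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName)` and `util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort)` expressions are repeated across five env entries; evaluate them once near the top of `getSpecKeycloakDeployment`, `pgHost := util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName)` and `pgPort := util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort)`, and reference the locals so the host and port Keycloak connects to cannot drift between variables. The `DB_DATABASE`/`DB_USERNAME` entries switch between `KeycloakDeploymentName` and the literal `"keycloak"`; if the literal is the new side, a comment on those entries should state that an external database must already contain a `keycloak` role and database with exactly these names (the ones `GetPostgresProvisionCommand` creates for the embedded case), because nothing else in the commit validates that. The new `ExternalDb` early return in `isSslRequiredUpdatedForMasterRealm` and the guard in `ProvisionKeycloakResources` give no reason for skipping the master-realm check; one line such as `// the realm row can only be inspected/updated directly in the embedded PostgreSQL; an external DB is presumably handled by the kcadm provisioning script` would document the intent. `getSpecKeycloakDeployment` starts and ends outside these hunks.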
@ -22,10 +22,10 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
func GetPostgresProvisionCommand(identityProviderPostgresSecret string) (command string) {
|
||||
func GetPostgresProvisionCommand(identityProviderPostgresPassword string) (command string) {
|
||||
command = "OUT=$(psql postgres -tAc \"SELECT 1 FROM pg_roles WHERE rolname='keycloak'\"); " +
|
||||
"if [ $OUT -eq 1 ]; then echo \"DB exists\"; exit 0; fi " +
|
||||
"&& psql -c \"CREATE USER keycloak WITH PASSWORD '" + identityProviderPostgresSecret + "'\" " +
|
||||
"&& psql -c \"CREATE USER keycloak WITH PASSWORD '" + identityProviderPostgresPassword + "'\" " +
|
||||
"&& psql -c \"CREATE DATABASE keycloak\" " +
|
||||
"&& psql -c \"GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak\" " +
|
||||
"&& psql -c \"ALTER USER ${POSTGRESQL_USER} WITH SUPERUSER\""
|
||||
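Review bot: `identityProviderPostgresPassword` is still concatenated raw into `"&& psql -c \"CREATE USER keycloak WITH PASSWORD '" + identityProviderPostgresPassword + "'\" "`, so a password containing `'` terminates the SQL literal, and one containing `"`, `$`, a backtick or `\` is interpreted by the shell that runs this double-quoted command; with this commit the value can come straight from `instance.Spec.Auth.IdentityProviderPostgresPassword` as typed by a user, not only from a generated secret. At minimum double the single quotes for SQL, `strings.ReplaceAll(identityProviderPostgresPassword, "'", "''")`, and reject or shell-quote the remaining metacharacters before building the string; handing the value to psql through a variable (for example `-v pw=...` and `WITH PASSWORD :'pw'`) rather than the command text would also keep it out of the pod's command line. A doc comment on `GetPostgresProvisionCommand` should say the returned string is executed by a shell and that the password is embedded verbatim. The function's `return` lies outside the hunk.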
@ -2,6 +2,7 @@ $script config credentials --server http://0.0.0.0:8080/auth \
|
|||
--realm master \
|
||||
--user $keycloakAdminUserName \
|
||||
--password $keycloakAdminPassword \
|
||||
&& $script update realms/master -s sslRequired=none \
|
||||
&& $script config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE} \
|
||||
&& $script get realms/$keycloakRealm; \
|
||||
if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
|
||||
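Review bot: The `$script update realms/master -s sslRequired=none` step runs on every provisioning, whereas the Go path only calls `updateSslRequiredForMasterRealm` when the current value is not already `NONE` and, after this commit, only for the embedded database; disabling `sslRequired` on the master realm lets Keycloak accept plain-HTTP requests for the admin realm, so the script should state why that is acceptable here, e.g. `# TLS is terminated in front of Keycloak; the master realm must not demand it on the internal listener` if that is indeed the reason. The line is also applied before the realm-exists check, so it repeats on every run rather than once at first provisioning, which is worth a comment if intentional.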