diff --git a/pkg/controller/che/che_controller.go b/pkg/controller/che/che_controller.go
index b162dd1bb..876d8429d 100644
--- a/pkg/controller/che/che_controller.go
+++ b/pkg/controller/che/che_controller.go
@@ -636,6 +636,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 }
 
 if !tests {
+ identityProviderPostgresPassword := instance.Spec.Auth.IdentityProviderPostgresPassword
 identityProviderPostgresSecret := instance.Spec.Auth.IdentityProviderPostgresSecret
 if len(identityProviderPostgresSecret) > 0 {
 _, password, err := util.K8sclient.ReadSecret(identityProviderPostgresSecret, instance.Namespace)
@@ -643,9 +644,9 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 logrus.Errorf("Failed to read '%s' secret: %s", identityProviderPostgresSecret, err)
 return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
 }
- identityProviderPostgresSecret = password
+ identityProviderPostgresPassword = password
 }
- pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresSecret)
+ pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresPassword)
 dbStatus := instance.Status.DbProvisoned
 // provision Db and users for Che and Keycloak servers
 if !dbStatus {
diff --git a/pkg/controller/che/get.go b/pkg/controller/che/get.go
index e700840fb..5201fd5db 100644
--- a/pkg/controller/che/get.go
+++ b/pkg/controller/che/get.go
@@ -16,11 +16,9 @@ import (
 orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 oauth "github.com/openshift/api/oauth/v1"
- routev1 "github.com/openshift/api/route/v1"
 "github.com/sirupsen/logrus"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/api/extensions/v1beta1"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
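Review bot: `pgCommand := deploy.GetPostgresProvisionCommand(identityProviderPostgresPassword)` still runs when neither `Spec.Auth.IdentityProviderPostgresSecret` nor `Spec.Auth.IdentityProviderPostgresPassword` is set, and GetPostgresProvisionCommand (exec_commands.go, same diff) splices the value verbatim into `CREATE USER keycloak WITH PASSWORD '…'`, so the keycloak role would be created with an empty password. Guard it before building the command, e.g. `if len(identityProviderPostgresPassword) == 0 { return reconcile.Result{}, errors.New("identity provider postgres password is not set") }`, unless a default is generated earlier in Reconcile, which this hunk does not show. The value is also inserted unescaped into a shell/SQL string, so a password containing `'` or `"` breaks the command; the CR is operator-controlled, but a comment stating that restriction would help. Reconcile starts and ends outside this hunk.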
@@ -28,31 +26,7 @@ import (
 func (r *ReconcileChe) GetEffectiveDeployment(instance *orgv1.CheCluster, name string) (deployment *appsv1.Deployment, err error) {
 deployment = &appsv1.Deployment{}
 err = r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, deployment)
- if err != nil {
- logrus.Errorf("Failed to get %s deployment: %s", name, err)
- return nil, err
- }
- return deployment, nil
-}
-
-func (r *ReconcileChe) GetEffectiveIngress(instance *orgv1.CheCluster, name string) (ingress *v1beta1.Ingress) {
- ingress = &v1beta1.Ingress{}
- err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, ingress)
- if err != nil {
- logrus.Errorf("Failed to get %s ingress: %s", name, err)
- return nil
- }
- return ingress
-}
-
-func (r *ReconcileChe) GetEffectiveRoute(instance *orgv1.CheCluster, name string) (route *routev1.Route) {
- route = &routev1.Route{}
- err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, route)
- if err != nil {
- logrus.Errorf("Failed to get %s route: %s", name, err)
- return nil
- }
- return route
+ return deployment, err
 }
 
 func (r *ReconcileChe) GetEffectiveConfigMap(instance *orgv1.CheCluster, name string) (configMap *corev1.ConfigMap) {
@@ -84,15 +58,3 @@ func (r *ReconcileChe) GetOAuthClient(oAuthClientName string) (oAuthClient *oaut
 }
 return oAuthClient, nil
 }
-
-func (r *ReconcileChe) GetDeploymentVolume(deployment *appsv1.Deployment, key string) (volume corev1.Volume) {
- volumes := deployment.Spec.Template.Spec.Volumes
- for i := range volumes {
- name := volumes[i].Name
- if name == key {
- volume = volumes[i]
- break
- }
- }
- return volume
-}
diff --git a/pkg/deploy/deployment_keycloak.go b/pkg/deploy/deployment_keycloak.go
index d32e40911..1ab1adf11 100644
--- a/pkg/deploy/deployment_keycloak.go
+++ b/pkg/deploy/deployment_keycloak.go
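Review bot: `return deployment, err` now hands callers a non-nil `*appsv1.Deployment` (a zero-value struct) together with a non-nil error, whereas the removed code returned `nil, err`; any caller that tests `deployment != nil` instead of `err` will treat a failed Get as success and read an empty spec. Keep the nil return on the error path: `if err != nil { return nil, err }` followed by `return deployment, nil`. Dropping the Errorf is fine since the error is now returned, but the caller should then log or wrap it exactly once. I cannot see the callers in this diff, so how they check the result is inferred.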
@@ -104,7 +104,6 @@ func getSpecKeycloakDeployment(
 terminationGracePeriodSeconds := int64(30)
 cheCertSecretVersion := getSecretResourceVersion("self-signed-certificate", checluster.Namespace, clusterAPI)
 openshiftApiCertSecretVersion := getSecretResourceVersion("openshift-api-crt", checluster.Namespace, clusterAPI)
- sslRequiredUpdatedForMasterRealm := isSslRequiredUpdatedForMasterRealm(checluster, clusterAPI)
 
 // add various certificates to Java trust store so that Keycloak can connect to OpenShift API
 // certificate that OpenShift router uses (for 4.0 only)
@@ -222,15 +221,19 @@ func getSpecKeycloakDeployment(
 },
 {
 Name: "POSTGRES_PORT_5432_TCP_ADDR",
- Value: "postgres",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
 },
 {
 Name: "POSTGRES_PORT_5432_TCP_PORT",
- Value: "5432",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
 },
 {
 Name: "POSTGRES_PORT",
- Value: "5432",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
+ },
+ {
+ Name: "POSTGRES_ADDR",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
 },
 {
 Name: "POSTGRES_DATABASE",
@@ -345,19 +348,19 @@ func getSpecKeycloakDeployment(
 },
 {
 Name: "KEYCLOAK_POSTGRESQL_SERVICE_HOST",
- Value: "postgres",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName),
 },
 {
 Name: "KEYCLOAK_POSTGRESQL_SERVICE_PORT",
- Value: "5432",
+ Value: util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort),
 },
 {
 Name: "DB_DATABASE",
- Value: KeycloakDeploymentName,
+ Value: "keycloak",
 },
 {
 Name: "DB_USERNAME",
- Value: KeycloakDeploymentName,
+ Value: "keycloak",
 },
 {
 Name: "DB_VENDOR",
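Review bot: `util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName)` and the matching port lookup are each repeated three times across the env var list in this hunk and the `@@ -345` hunk below; compute them once near the top of getSpecKeycloakDeployment (`pgHost := util.GetValue(checluster.Spec.Database.ChePostgresHostName, DefaultChePostgresHostName)` and `pgPort := util.GetValue(checluster.Spec.Database.ChePostgresPort, DefaultChePostgresPort)`) and reference the locals, so the copies cannot drift. The same change points Keycloak at the Che database host while `DB_DATABASE` and `DB_USERNAME` stay hard-coded to `"keycloak"`; if `Spec.Database.ExternalDb` (used elsewhere in this diff) is meant to be supported here, a comment stating that the `keycloak` database and role must already exist on that host would save operators a failed rollout. getSpecKeycloakDeployment begins and ends outside this hunk.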
@@ -470,10 +473,12 @@ func getSpecKeycloakDeployment(
 " && sed -i 's/WILDCARD/ANY/g' /opt/eap/bin/launch/keycloak-spi.sh && /opt/eap/bin/openshift-launch.sh -b 0.0.0.0"
 }
 
+ sslRequiredUpdatedForMasterRealm := isSslRequiredUpdatedForMasterRealm(checluster, clusterAPI)
 if sslRequiredUpdatedForMasterRealm {
 // update command to restart pod
 command = "echo \"ssl_required WAS UPDATED for master realm.\" && " + command
 }
+
 args := []string{"-c", command}
 
 deployment := &appsv1.Deployment{
@@ -581,6 +586,10 @@ func getSecretResourceVersion(name string, namespace string, clusterAPI ClusterA
 }
 
 func isSslRequiredUpdatedForMasterRealm(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) bool {
+ if checluster.Spec.Database.ExternalDb {
+ return false
+ }
+
 if util.IsTestMode() {
 return false
 }
@@ -620,16 +629,18 @@ func updateSslRequiredForMasterRealm(checluster *orgv1.CheCluster) error {
 }
 
 func ProvisionKeycloakResources(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) error {
- value, err := getSslRequiredForMasterRealm(checluster)
- if err != nil {
- return err
- }
-
- if value != "NONE" {
- err := updateSslRequiredForMasterRealm(checluster)
+ if !checluster.Spec.Database.ExternalDb {
+ value, err := getSslRequiredForMasterRealm(checluster)
 if err != nil {
 return err
 }
+
+ if value != "NONE" {
+ err := updateSslRequiredForMasterRealm(checluster)
+ if err != nil {
+ return err
+ }
+ }
 }
 
 keycloakProvisionCommand := GetKeycloakProvisionCommand(checluster)
diff --git a/pkg/deploy/exec_commands.go b/pkg/deploy/exec_commands.go
index 9ac868474..b5e5b13f4 100644
--- a/pkg/deploy/exec_commands.go
+++ b/pkg/deploy/exec_commands.go
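Review bot: The new `if checluster.Spec.Database.ExternalDb { return false }` in isSslRequiredUpdatedForMasterRealm, and the mirrored `if !checluster.Spec.Database.ExternalDb` in ProvisionKeycloakResources below it, carry no explanation, and since this same commit makes templates/keycloak_provision run `$script update realms/master -s sslRequired=none` unconditionally it is not obvious why the psql-based read/update path is still needed for the embedded database. Add a comment on the guard stating the intent, e.g. `// ExternalDb: the realm table cannot be reached via psql from the operator; keycloak_provision sets sslRequired=none through kcadm instead` (confirm this is the actual reason), or drop the psql path if the kcadm update now covers both cases. Having the same condition in two functions is also a drift risk; a single helper such as `func usesEmbeddedRealmDb(c *orgv1.CheCluster) bool` would keep them aligned.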
@@ -22,10 +22,10 @@ import (
 "github.com/sirupsen/logrus"
 )
 
-func GetPostgresProvisionCommand(identityProviderPostgresSecret string) (command string) {
+func GetPostgresProvisionCommand(identityProviderPostgresPassword string) (command string) {
 command = "OUT=$(psql postgres -tAc \"SELECT 1 FROM pg_roles WHERE rolname='keycloak'\"); " +
 "if [ $OUT -eq 1 ]; then echo \"DB exists\"; exit 0; fi " +
- "&& psql -c \"CREATE USER keycloak WITH PASSWORD '" + identityProviderPostgresSecret + "'\" " +
+ "&& psql -c \"CREATE USER keycloak WITH PASSWORD '" + identityProviderPostgresPassword + "'\" " +
 "&& psql -c \"CREATE DATABASE keycloak\" " +
 "&& psql -c \"GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak\" " +
 "&& psql -c \"ALTER USER ${POSTGRESQL_USER} WITH SUPERUSER\""
diff --git a/templates/keycloak_provision b/templates/keycloak_provision
index 9f374f011..4e32498dd 100644
--- a/templates/keycloak_provision
+++ b/templates/keycloak_provision
@@ -2,6 +2,7 @@ $script config credentials --server http://0.0.0.0:8080/auth \
 --realm master \
 --user $keycloakAdminUserName \
 --password $keycloakAdminPassword \
+&& $script update realms/master -s sslRequired=none \
 && $script config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE} \
 && $script get realms/$keycloakRealm; \
 if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
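Review bot: `&& $script update realms/master -s sslRequired=none \` disables Keycloak's TLS requirement on the master (admin) realm for every installation on every provisioning run, and nothing in the template records why that is acceptable; it presumably relies on TLS terminating at the route/ingress and on port 8080 staying unreachable outside the pod network, which I infer rather than see here. Document that assumption at the top of the template, before the `$script config credentials` line, e.g. `# sslRequired=none on the master realm: TLS is terminated by the route/ingress and kcadm only talks to localhost:8080 — keep 8080 unexposed`, and consider scoping the update to deployments that actually need it. Do not put the comment inside the chain: every line here ends in `\`, so a `#` line between two `&&` operands would break the command. The Go side of this commit guards its realm update on `Spec.Database.ExternalDb`, so the unconditional kcadm call is the only path taken for external databases and deserves the explanation most.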