From f0317c06343b36d5db2be74322cf645d98ea3a05 Mon Sep 17 00:00:00 2001
From: Flavius Lacatusu
Date: Thu, 11 Feb 2021 22:35:01 +0100
Subject: [PATCH] Fixx after suggestions
Signed-off-by: Flavius Lacatusu
---
 .ci/cico_updates_openshift.sh | 4 ++--
 .ci/oci-nightly-olm.sh | 5 ++---
 .ci/oci-single-host.sh | 5 ++---
 .github/bin/common.sh | 4 ++--
 .github/bin/oauth-provision.sh | 31 +++++++++++++++++--------------
 5 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/.ci/cico_updates_openshift.sh b/.ci/cico_updates_openshift.sh
index dc730978d..0cfd46de0 100755
--- a/.ci/cico_updates_openshift.sh
+++ b/.ci/cico_updates_openshift.sh
@@ -27,7 +27,7 @@ overrideDefaults() {
 runTests() {
 "${OPERATOR_REPO}"/olm/testUpdate.sh "openshift" "stable" ${NAMESPACE}
 waitEclipseCheDeployed ${LAST_PACKAGE_VERSION}
- oauthProvisioned
+ provisionOAuth
 provisionPostgres
 startNewWorkspace
 waitWorkspaceStart
@@ -35,6 +35,6 @@ runTests() {
 init
 overrideDefaults
-provisionOpenshiftUsers
+provisionOpenShiftOAuthUser
 initStableTemplates "openshift" "stable"
 runTests
diff --git a/.ci/oci-nightly-olm.sh b/.ci/oci-nightly-olm.sh
index e72887498..ab7c7b59d 100755
--- a/.ci/oci-nightly-olm.sh
+++ b/.ci/oci-nightly-olm.sh
@@ -30,22 +30,21 @@ trap "catchFinish" EXIT SIGINT
 overrideDefaults() {
 # CI_CHE_OPERATOR_IMAGE it is che operator image builded in openshift CI job workflow. More info about how works image dependencies in ci:https://github.com/openshift/ci-tools/blob/master/TEMPLATES.md#parameters-available-to-templates
 export OPERATOR_IMAGE=${CI_CHE_OPERATOR_IMAGE:-"quay.io/eclipse/che-operator:nightly"}
- export OAUTH="true"
 }
 runTests() {
 # Deploy Eclipse Che applying CR
 applyOlmCR
 waitEclipseCheDeployed "nightly"
- oauthProvisioned
+ provisionOAuth
 provisionPostgres
 startNewWorkspace
 waitWorkspaceStart
 }
 init
-provisionOpenshiftUsers
 overrideDefaults
+provisionOpenShiftOAuthUser
 patchEclipseCheOperatorSubscription
 printOlmCheObjects
 runTests
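Review bot: Dropping `export OAUTH="true"` from overrideDefaults in oci-nightly-olm.sh makes this job silently depend on whatever default init() in common.sh happens to set, while runTests still unconditionally calls provisionOAuth; if that default is ever changed back, the job would presumably install Che without OAuth and only fail inside provisionOAuth. Since the reorder now places provisionOpenShiftOAuthUser after overrideDefaults, this is also where a reader looks for the OAuth requirement. I would either keep the explicit export here or guard the call with `[[ "${OAUTH}" == "true" ]] || { echo "[ERROR] this job requires OAUTH=true" >&2; exit 1; }` placed just before `provisionOpenShiftOAuthUser`.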
diff --git a/.ci/oci-single-host.sh b/.ci/oci-single-host.sh
index 48639d072..7e0589b00 100755
--- a/.ci/oci-single-host.sh
+++ b/.ci/oci-single-host.sh
@@ -31,14 +31,13 @@ overrideDefaults() {
 # CI_CHE_OPERATOR_IMAGE it is che operator image builded in openshift CI job workflow. More info about how works image dependencies in ci:https://github.com/openshift/ci-tools/blob/master/TEMPLATES.md#parameters-available-to-templates
 export OPERATOR_IMAGE=${CI_CHE_OPERATOR_IMAGE:-"quay.io/eclipse/che-operator:nightly"}
 export CHE_EXPOSURE_STRATEGY="single-host"
- export OAUTH="true"
 }
 runTests() {
 # Deploy Eclipse Che applying CR
 applyOlmCR
 waitEclipseCheDeployed "nightly"
- oauthProvisioned
+ provisionOAuth
 provisionPostgres
 startNewWorkspace
 waitWorkspaceStart
@@ -46,7 +45,7 @@ runTests() {
 init
 overrideDefaults
-provisionOpenshiftUsers
+provisionOpenShiftOAuthUser
 patchEclipseCheOperatorSubscription
 printOlmCheObjects
 runTests
diff --git a/.github/bin/common.sh b/.github/bin/common.sh
index 948597708..05faddff9 100755
--- a/.github/bin/common.sh
+++ b/.github/bin/common.sh
@@ -33,7 +33,7 @@ init() {
 export OPERATOR_IMAGE="quay.io/eclipse/che-operator:test"
 export DEFAULT_DEVFILE="https://raw.githubusercontent.com/eclipse/che-devfile-registry/master/devfiles/quarkus/devfile.yaml"
 export CHE_EXPOSURE_STRATEGY="multi-host"
- export OAUTH="false"
+ export OAUTH="true"
 export XDG_DATA_HOME=/tmp/xdg_data
 export XDG_CACHE_HOME=/tmp/xdg_cache
@@ -309,7 +309,7 @@ applyOlmCR() {
 }
 # Create admin user inside of openshift cluster and login
-function provisionOpenshiftUsers() {
+function provisionOpenShiftOAuthUser() {
 oc create secret generic htpass-secret --from-file=htpasswd="${OPERATOR_REPO}"/.github/bin/resources/users.htpasswd -n openshift-config
 oc apply -f "${OPERATOR_REPO}"/.github/bin/resources/htpasswdProvider.yaml
 oc adm policy add-cluster-role-to-user cluster-admin user
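Review bot: Flipping the `OAUTH` default in init() from "false" to "true" changes the behaviour of every script that sources common.sh, not only the three jobs touched in this commit, and nothing in the hunk records why. A one-line comment above the export would save the next reader a bisect: `# OAUTH=true: CI jobs create an htpasswd OpenShift user (provisionOpenShiftOAuthUser) and link it to Keycloak (provisionOAuth)`. Any caller that still relied on the old "false" default is not visible from this diff, so that is worth a quick grep before merging.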
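Review bot: provisionOpenShiftOAuthUser is only renamed here, but its first statement, `oc create secret generic htpass-secret ... -n openshift-config`, is not idempotent: on a cluster where the secret already exists (a re-run, or a job that calls the helper twice) it fails with AlreadyExists, whereas the `oc apply` on the next line tolerates re-runs. Replacing it with `oc create secret generic htpass-secret --from-file=htpasswd="${OPERATOR_REPO}"/.github/bin/resources/users.htpasswd -n openshift-config --dry-run=client -o yaml | oc apply -f -` makes the two steps consistent. The `oc adm policy add-cluster-role-to-user cluster-admin user` line grants cluster-admin to an account whose password is committed in users.htpasswd; that is presumably fine for a throw-away CI cluster, but deserves a comment saying so, e.g. `# CI-only: credentials are in the repo, never run against a long-lived cluster`. The function's body continues past the end of this hunk.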
diff --git a/.github/bin/oauth-provision.sh b/.github/bin/oauth-provision.sh
index 033744de0..d54828b96 100644
--- a/.github/bin/oauth-provision.sh
+++ b/.github/bin/oauth-provision.sh
@@ -16,12 +16,14 @@ set -o pipefail
 set -u
 # Link ocp account with Keycloak IDP
-function oauthProvisioned() {
+function provisionOAuth() {
 OCP_USER_UID=$(oc get user user -o=jsonpath='{.metadata.uid}')
 IDP_USER="admin"
+ # Get Eclipse Che IDP secrets and decode to use to connect to IDP
 IDP_PASSWORD=$(oc get secret che-identity-secret -n eclipse-che -o=jsonpath='{.data.password}' | base64 --decode)
+ # Get Auth Route
 if [[ "${CHE_EXPOSURE_STRATEGY}" == "single-host" ]]; then
 IDP_HOST="https://"$(oc get route che -n eclipse-che -o=jsonpath='{.spec.host}')
 fi
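Review bot: `OCP_USER_UID` and `IDP_PASSWORD` are assigned from `oc get ... -o=jsonpath` without any check that the result is non-empty; `set -u` and `set -o pipefail` are visible at the top of the hunk, but an empty jsonpath result is a successful command, so a missing User object or an empty secret field would be carried silently into the rest of the function (which continues past this hunk). Asserting right after the assignments, `: "${OCP_USER_UID:?OpenShift user 'user' not found}"` and `: "${IDP_PASSWORD:?che-identity-secret has no password}"`, fails at the point of the problem instead of somewhere in the later API calls. The literal user name `user` is also duplicated from `oc adm policy add-cluster-role-to-user cluster-admin user` in common.sh; a shared `OCP_OAUTH_USER` variable would keep the two from drifting.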
@@ -30,24 +32,28 @@ function oauthProvisioned() {
 IDP_HOST="https://"$(oc get route keycloak -n eclipse-che -o=jsonpath='{.spec.host}')
 fi
+ # Get the oauth client from Eclipse Che Custom Resource
 OAUTH_CLIENT_NAME=$(oc get checluster eclipse-che -n eclipse-che -o=jsonpath='{.spec.auth.oAuthClientName}')
- TOKEN_RESULT=$(curl -k --location --request POST ''$IDP_HOST'/auth/realms/master/protocol/openid-connect/token' \
+ # Obtain from Keycloak the token to make api request authentication
+ IDP_TOKEN=$(curl -k --location --request POST ''$IDP_HOST'/auth/realms/master/protocol/openid-connect/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'username=admin' \
 --data-urlencode 'password='$IDP_PASSWORD'' \
 --data-urlencode 'grant_type=password' \
 --data-urlencode 'client_id=admin-cli' | jq -r .access_token)
- echo -e "[INFO] Token: $TOKEN_RESULT"
+ echo -e "[INFO] IDP Token: $IDP_TOKEN"
- USER_ID=$(curl --location -k --request GET ''$IDP_HOST'/auth/admin/realms/che/users' \
- --header 'Authorization: Bearer '$TOKEN_RESULT'' | jq -r '.[] | select(.username == "admin").id' )
+ # Get admin user id from IDP
+ CHE_USER_ID=$(curl --location -k --request GET ''$IDP_HOST'/auth/admin/realms/che/users' \
+ --header 'Authorization: Bearer '$IDP_TOKEN'' | jq -r '.[] | select(.username == "admin").id' )
- echo -e "[INFO] user id: $USER_ID"
+ echo -e "[INFO] Eclipse CHE user ID: $CHE_USER_ID"
- curl --location -k --request POST ''$IDP_HOST'/auth/admin/realms/che/users/'$USER_ID'/federated-identity/openshift-v4' \
- --header 'Authorization: Bearer '$TOKEN_RESULT'' \
+ # Request to link Openshift user with Identity Provider user. In this case we are linked an existed user in IDP
+ curl --location -k --request POST ''$IDP_HOST'/auth/admin/realms/che/users/'$CHE_USER_ID'/federated-identity/openshift-v4' \
+ --header 'Authorization: Bearer '$IDP_TOKEN'' \
 --header 'Content-Type: application/json' \
 --data '{
 "identityProvider": "openshift-v4",
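Review bot: `echo -e "[INFO] IDP Token: $IDP_TOKEN"` still prints the Keycloak master-realm admin bearer token into the job log; the commit renames the variable but keeps the leak, and anyone who can read CI output can replay that token against the admin API for as long as it is valid. The line is also the natural place for the check that is missing: `jq -r .access_token` yields the literal string `null` when the password grant fails, so the two later `Authorization: Bearer` headers would be sent with "null" and fail much less clearly. I would replace the echo with `[[ -n "${IDP_TOKEN}" && "${IDP_TOKEN}" != "null" ]] || { echo "[ERROR] failed to obtain Keycloak admin token from ${IDP_HOST}" >&2; exit 1; }`. Separately, `'password='$IDP_PASSWORD''` is an unquoted expansion that word-splits on whitespace and exposes the secret in the curl argument list; `--data-urlencode "password=${IDP_PASSWORD}"` fixes the quoting, and passing the form body via stdin (`--data-urlencode @-`) would keep it off the command line.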
@@ -55,6 +61,7 @@ function oauthProvisioned() { "userName": "admin" }' +# Create OAuthClientAuthorization object for Eclipse Che in Cluster. OAUTHCLIENTAuthorization=$( oc create -f - -o jsonpath='{.metadata.name}' < path.sql UPDATE federated_identity SET token ='{"access_token":"INSERT_TOKEN_HERE","expires_in":86400,"scope":"user:full","token_type":"Bearer"}' WHERE federated_username = 'admin' @@ -83,8 +86,8 @@ EOF TOKEN=$(oc whoami -t) sed -i "s|INSERT_TOKEN_HERE|$TOKEN|g" path.sql + # Insert sql script inside of postgres and execute it. POSTGRES_POD=$(oc get pods -o json -n eclipse-che | jq -r '.items[] | select(.metadata.name | test("postgres-")).metadata.name') - oc cp path.sql "${POSTGRES_POD}":/tmp/ -n eclipse-che oc exec -it "${POSTGRES_POD}" -n eclipse-che -- bash -c "psql -U postgres -d keycloak -d keycloak -f /tmp/path.sql"