Allow to use internal cluster service hostnames (#18707)

* Allow to use internal cluster service hostnames Signed-off-by: Anatolii Bazko <abazko@redhat.com>
2021-01-04 09:48:11 +02:00 · 2021-01-04 09:48:11 +02:00 · 537c8a92aa
parent c3da007d01
commit 537c8a92aa
4 changed files with 46 additions and 6 deletions
--- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
@ -73,6 +73,10 @@ spec:
 {{- end }}
        - name: CHE_HOST
          value: {{ template "cheHost" . }}
+{{- if .Values.global.useInternalClusterSVCNames }}
+        - name: KEYCLOAK_HOSTNAME
+          value: {{ template "keycloakHost" . }}
+{{- end }}
        - name: ROUTING_SUFFIX
          value: {{ .Values.global.ingressDomain }}
        - name: NAMESPACE
@ -82,10 +86,14 @@ spec:
        - name: PROTOCOL
 {{- if .Values.global.tls.enabled }}
          value: "https"
+        - name: KEYCLOAK_HTTPS_PORT
+          value: "443"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
 {{- else }}
          value: "http"
+        - name: KEYCLOAK_HTTP_PORT
+          value: "80"
 {{- end }}

        image: {{ .Values.image }}
--- a/deploy/kubernetes/helm/che/templates/configmap.yaml
+++ b/deploy/kubernetes/helm/che/templates/configmap.yaml
@ -19,12 +19,20 @@ data:
  CHE_PORT: "8080"
 {{- if and .Values.global.tls .Values.global.tls.enabled }}
  CHE_API: https://{{ template "cheHost" . }}/api
+  {{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api
+  {{- else }}
  CHE_API_INTERNAL: https://{{ template "cheHost" . }}/api
+  {{- end }}
  CHE_WEBSOCKET_ENDPOINT:  wss://{{ template "cheHost" . }}/api/websocket
  CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: https://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
 {{ else }}
  CHE_API: http://{{ template "cheHost" . }}/api
+  {{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api
+  {{- else }}
  CHE_API_INTERNAL: http://{{ template "cheHost" . }}/api
+  {{- end }}
  CHE_WEBSOCKET_ENDPOINT:  ws://{{ template "cheHost" . }}/api/websocket
  CHE_WEBSOCKET_ENDPOINT__MINOR:  ws://{{ template "cheHost" . }}/api/websocket-minor
  CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: http://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
@ -44,7 +52,11 @@ data:
 {{- if .Values.global.multiuser }}
  CHE_KEYCLOAK_CLIENT__ID: {{ .Values.cheKeycloakClientId | quote}}
  CHE_KEYCLOAK_AUTH__SERVER__URL: {{ template "keycloakAuthUrl" . }}
+  {{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: http://keycloak.{{ .Release.Namespace }}.svc:5050/auth
+  {{- else }}
  CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: {{ template "keycloakAuthUrl" . }}
+  {{- end }}
  CHE_KEYCLOAK_REALM: {{ .Values.cheKeycloakRealm }}
 {{- end }}
 {{- if (and .Values.global.multiuser .Values.customOidcProvider) }}
@ -112,14 +124,22 @@ data:
  CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.devfileRegistryUrl | quote }}
 {{- else if .Values.cheDevfileRegistry.deploy }}
  CHE_WORKSPACE_DEVFILE__REGISTRY__URL: {{ template "devfileRegistryUrl" . }}
+  {{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: http://devfile-registry.{{ .Release.Namespace }}.svc:8080
+  {{- else }}
  CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ template "devfileRegistryUrl" . }}
+  {{- end }}
 {{- end }}
 {{- if .Values.che.workspace.pluginRegistryUrl }}
  CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }}
  CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }}
 {{- else if .Values.chePluginRegistry.deploy }}
  CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ template "pluginRegistryUrl" . }}
+  {{- if .Values.global.useInternalClusterSVCNames }}
+  CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: http://plugin-registry.{{ .Release.Namespace }}.svc:8080/v3
+  {{- else }}
  CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ template "pluginRegistryUrl" . }}
+  {{- end }}
 {{- end }}
 {{- if .Values.che.workspace.pluginBroker }}
  {{- if .Values.che.workspace.pluginBroker.waitTimeoutMin }}
--- a/deploy/kubernetes/helm/che/values.yaml
+++ b/deploy/kubernetes/helm/che/values.yaml
@ -47,6 +47,8 @@ global:
  # Image used by endpoint watchers
  endpointWatcher:
    image: quay.io/eclipse/che-endpoint-watcher:nightly
+  # Use internal cluster svc names to communicate between components
+  useInternalClusterSVCNames: true

  ## Allows to enable and configure TLS
  tls:
@ -62,7 +64,7 @@ global:
    useSelfSignedCerts: true
    selfSignedCertSecretName: self-signed-certificate

-    ## Name of the config-map with public certificates to add to Java trust store 
+    ## Name of the config-map with public certificates to add to Java trust store
    ## of the Che server, Keycloak and propagate into user workspaces.
    serverTrustStoreConfigMapName: ""

--- a/dockerfiles/keycloak/kc_realm_user.sh
+++ b/dockerfiles/keycloak/kc_realm_user.sh
@ -96,14 +96,24 @@ if [ -f "$KEYSTORE_PATH" ]; then
    /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/cli/add_openshift_certificate.cli && rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
 fi

+# Patch configuration to allow to set 'keycloak.hostname.fixed.alwaysHttps'
+sed -i 's|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/>|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/><property name="alwaysHttps" value="${keycloak.hostname.fixed.alwaysHttps:false}"/>|g' /opt/jboss/keycloak/standalone/configuration/standalone.xml
+sed -i 's|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/>|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/><property name="alwaysHttps" value="${keycloak.hostname.fixed.alwaysHttps:false}"/>|g' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
+
 # POSTGRES_PORT is assigned by Kubernetes controller
 # and it isn't fit to docker-entrypoin.sh.
 unset POSTGRES_PORT

 echo "Starting Keycloak server..."

-exec /opt/jboss/docker-entrypoint.sh -Dkeycloak.migration.action=import \
-                                     -Dkeycloak.migration.provider=dir \
-                                     -Dkeycloak.migration.strategy=IGNORE_EXISTING \
-                                     -Dkeycloak.migration.dir=/scripts/ \
-                                     -Djboss.bind.address=0.0.0.0
+SYS_PROPS="-Dkeycloak.migration.action=import \
+    -Dkeycloak.migration.provider=dir \
+    -Dkeycloak.migration.strategy=IGNORE_EXISTING \
+    -Dkeycloak.migration.dir=/scripts/ \
+    -Djboss.bind.address=0.0.0.0"
+
+if [ $KEYCLOAK_HOSTNAME ] && [ $PROTOCOL == "https" ]; then
+  SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=true"
+fi
+
+exec /opt/jboss/docker-entrypoint.sh $SYS_PROPS