From 537c8a92aaccb2aac94c59d51b3334cedcb20e8a Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Mon, 4 Jan 2021 09:48:11 +0200 Subject: [PATCH] Allow to use internal cluster service hostnames (#18707) * Allow to use internal cluster service hostnames Signed-off-by: Anatolii Bazko --- .../che-keycloak/templates/deployment.yaml | 8 ++++++++ .../helm/che/templates/configmap.yaml | 20 +++++++++++++++++++ deploy/kubernetes/helm/che/values.yaml | 4 +++- dockerfiles/keycloak/kc_realm_user.sh | 20 ++++++++++++++----- 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml index 1052b1d830..d62d758a72 100644 --- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml +++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml @@ -73,6 +73,10 @@ spec: {{- end }} - name: CHE_HOST value: {{ template "cheHost" . }} +{{- if .Values.global.useInternalClusterSVCNames }} + - name: KEYCLOAK_HOSTNAME + value: {{ template "keycloakHost" . }} +{{- end }} - name: ROUTING_SUFFIX value: {{ .Values.global.ingressDomain }} - name: NAMESPACE @@ -82,10 +86,14 @@ spec: - name: PROTOCOL {{- if .Values.global.tls.enabled }} value: "https" + - name: KEYCLOAK_HTTPS_PORT + value: "443" - name: PROXY_ADDRESS_FORWARDING value: "true" {{- else }} value: "http" + - name: KEYCLOAK_HTTP_PORT + value: "80" {{- end }} image: {{ .Values.image }} diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml index ad66e154ef..f422d9cee5 100644 --- a/deploy/kubernetes/helm/che/templates/configmap.yaml +++ b/deploy/kubernetes/helm/che/templates/configmap.yaml 
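Review bot: KEYCLOAK_HTTPS_PORT and KEYCLOAK_HTTP_PORT are hard-coded to "443"/"80" and added unconditionally in the second hunk, while the KEYCLOAK_HOSTNAME they presumably pair with is only set under useInternalClusterSVCNames in the first hunk, so an ingress exposed on a non-standard port will get a fixed public hostname whose port does not match the real URL, and nothing explains why the three variables belong together. From the configmap change in this commit the fixed hostname appears to exist so that tokens obtained via the in-cluster Keycloak URL still carry the public issuer (worth confirming against the Keycloak hostname provider in use); I would state that above the new block: `# Pin Keycloak's public hostname/port so tokens issued to in-cluster callers carry the same issuer as the ingress URL; the port literals assume the ingress listens on 443/80.` If the chart already knows the ingress port, derive these values from it instead of literals. The container spec continues outside the hunk.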
@@ -19,12 +19,20 @@ data: CHE_PORT: "8080" {{- if and .Values.global.tls .Values.global.tls.enabled }} CHE_API: https://{{ template "cheHost" . }}/api + {{- if .Values.global.useInternalClusterSVCNames }} + CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api + {{- else }} CHE_API_INTERNAL: https://{{ template "cheHost" . }}/api + {{- end }} CHE_WEBSOCKET_ENDPOINT: wss://{{ template "cheHost" . }}/api/websocket CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: https://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper {{ else }} CHE_API: http://{{ template "cheHost" . }}/api + {{- if .Values.global.useInternalClusterSVCNames }} + CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api + {{- else }} CHE_API_INTERNAL: http://{{ template "cheHost" . }}/api + {{- end }} CHE_WEBSOCKET_ENDPOINT: ws://{{ template "cheHost" . }}/api/websocket CHE_WEBSOCKET_ENDPOINT__MINOR: ws://{{ template "cheHost" . }}/api/websocket-minor CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: http://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper @@ -44,7 +52,11 @@ data: {{- if .Values.global.multiuser }} CHE_KEYCLOAK_CLIENT__ID: {{ .Values.cheKeycloakClientId | quote}} CHE_KEYCLOAK_AUTH__SERVER__URL: {{ template "keycloakAuthUrl" . }} + {{- if .Values.global.useInternalClusterSVCNames }} + CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: http://keycloak.{{ .Release.Namespace }}.svc:5050/auth + {{- else }} CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL: {{ template "keycloakAuthUrl" . }} + {{- end }} CHE_KEYCLOAK_REALM: {{ .Values.cheKeycloakRealm }} {{- end }} {{- if (and .Values.global.multiuser .Values.customOidcProvider) }} 
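Review bot: With useInternalClusterSVCNames on, CHE_API_INTERNAL and CHE_KEYCLOAK_AUTH__INTERNAL__SERVER__URL become plain `http://` service URLs even inside the `tls.enabled` branch, so the server-to-Keycloak traffic (which presumably carries tokens and client credentials) now crosses the cluster network in cleartext while only the user-facing endpoints stay https; that trade-off should be written down next to the values rather than left implicit. The service names `che-host`/`keycloak` and ports `8080`/`5050` are literals that must match the Service objects defined elsewhere in the chart, which I cannot see here. Suggested comment above the first new conditional: `# Internal URLs are plain HTTP inside the cluster by design (rely on network policy/mesh for confidentiality); service names and ports must stay in sync with the che-host and keycloak Services.` Separately, the TLS and non-TLS branches now emit an identical `CHE_API_INTERNAL: http://che-host.{{ .Release.Namespace }}.svc:8080/api` line when the flag is set, so that assignment could be hoisted above the tls conditional to avoid the duplication.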
@@ -112,14 +124,22 @@ data: CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.devfileRegistryUrl | quote }} {{- else if .Values.cheDevfileRegistry.deploy }} CHE_WORKSPACE_DEVFILE__REGISTRY__URL: {{ template "devfileRegistryUrl" . }} + {{- if .Values.global.useInternalClusterSVCNames }} + CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: http://devfile-registry.{{ .Release.Namespace }}.svc:8080 + {{- else }} CHE_WORKSPACE_DEVFILE__REGISTRY__INTERNAL__URL: {{ template "devfileRegistryUrl" . }} + {{- end }} {{- end }} {{- if .Values.che.workspace.pluginRegistryUrl }} CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }} CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ .Values.che.workspace.pluginRegistryUrl | quote }} {{- else if .Values.chePluginRegistry.deploy }} CHE_WORKSPACE_PLUGIN__REGISTRY__URL: {{ template "pluginRegistryUrl" . }} + {{- if .Values.global.useInternalClusterSVCNames }} + CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: http://plugin-registry.{{ .Release.Namespace }}.svc:8080/v3 + {{- else }} CHE_WORKSPACE_PLUGIN__REGISTRY__INTERNAL__URL: {{ template "pluginRegistryUrl" . }} + {{- end }} {{- end }} {{- if .Values.che.workspace.pluginBroker }} {{- if .Values.che.workspace.pluginBroker.waitTimeoutMin }} diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml index 6bacad2a9c..1f2d5bdeb0 100644 --- a/deploy/kubernetes/helm/che/values.yaml +++ b/deploy/kubernetes/helm/che/values.yaml @@ -47,6 +47,8 @@ global: # Image used by endpoint watchers endpointWatcher: image: quay.io/eclipse/che-endpoint-watcher:nightly + # Use internal cluster svc names to communicate between components + useInternalClusterSVCNames: true ## Allows to enable and configure TLS tls: 
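Review bot: The new `useInternalClusterSVCNames: true` default in values.yaml flips behaviour for every existing release on upgrade — the configmap hunks in this commit then point CHE_*_INTERNAL__URL at hard-coded `http://<svc>.<namespace>.svc:<port>` addresses (including the `/v3` path for the plugin registry) — yet the one-line comment does not say what the setting assumes or that it bypasses TLS for component-to-component calls. I would expand it: `# Use in-cluster service names (che-host, keycloak, devfile-registry, plugin-registry in the release namespace) for component-to-component traffic; these links are plain HTTP even when tls.enabled is true and the names/ports must match the chart's Service objects. Set to false if components are not reachable by those names.` Consider shipping the default as false for one release so operators opt in deliberately. The `global:` mapping continues outside the hunk.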
@@ -62,7 +64,7 @@ global: useSelfSignedCerts: true selfSignedCertSecretName: self-signed-certificate - ## Name of the config-map with public certificates to add to Java trust store + ## Name of the config-map with public certificates to add to Java trust store ## of the Che server, Keycloak and propagate into user workspaces. serverTrustStoreConfigMapName: "" diff --git a/dockerfiles/keycloak/kc_realm_user.sh b/dockerfiles/keycloak/kc_realm_user.sh index c5af8fbbcb..7d74f69886 100755 --- a/dockerfiles/keycloak/kc_realm_user.sh +++ b/dockerfiles/keycloak/kc_realm_user.sh @@ -96,14 +96,24 @@ if [ -f "$KEYSTORE_PATH" ]; then /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/cli/add_openshift_certificate.cli && rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history fi +# Patch configuration to allow to set 'keycloak.hostname.fixed.alwaysHttps' +sed -i 's|||g' /opt/jboss/keycloak/standalone/configuration/standalone.xml +sed -i 's|||g' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml + # POSTGRES_PORT is assigned by Kubernetes controller # and it isn't fit to docker-entrypoin.sh. unset POSTGRES_PORT echo "Starting Keycloak server..." -exec /opt/jboss/docker-entrypoint.sh -Dkeycloak.migration.action=import \ - -Dkeycloak.migration.provider=dir \ - -Dkeycloak.migration.strategy=IGNORE_EXISTING \ - -Dkeycloak.migration.dir=/scripts/ \ - -Djboss.bind.address=0.0.0.0 +SYS_PROPS="-Dkeycloak.migration.action=import \ + -Dkeycloak.migration.provider=dir \ + -Dkeycloak.migration.strategy=IGNORE_EXISTING \ + -Dkeycloak.migration.dir=/scripts/ \ + -Djboss.bind.address=0.0.0.0" + +if [ $KEYCLOAK_HOSTNAME ] && [ $PROTOCOL == "https" ]; then + SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=true" +fi + +exec /opt/jboss/docker-entrypoint.sh $SYS_PROPS
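Review bot: The new condition `if [ $KEYCLOAK_HOSTNAME ] && [ $PROTOCOL == "https" ]` expands both variables unquoted, so when PROTOCOL is unset `[` prints `unary operator expected` and silently evaluates false, and a hostname containing whitespace is split into several test arguments; write it as `if [ -n "${KEYCLOAK_HOSTNAME:-}" ] && [ "${PROTOCOL:-}" = "https" ]; then`. `SYS_PROPS` is assembled as one string and then word-split at `exec /opt/jboss/docker-entrypoint.sh $SYS_PROPS`, which only works because no property value contains spaces; since the script already relies on bash (`+=`), a bash array (`SYS_PROPS=( ... )`, `"${SYS_PROPS[@]}"`) would be the safer form. The two `sed -i 's|||g'` lines appear with empty patterns on this page, so I cannot judge what they change in standalone.xml; if they really wire in the fixed hostname provider, a comment naming the XML element being patched would help the next maintainer.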