Fix kc deploy on openshift (#8366)

* Improve deploy CHE multi-user to openshift

dockerfiles/init/modules/openshift/files/scripts/che-openshift.yml

@@ -2,26 +2,6 @@
 apiVersion: v1
 kind: List
 items:
-- apiVersion: v1
-  kind: ServiceAccount
-  metadata:
-    labels:
-      app: che
-    name: che
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: che
-    name: che-host
-  spec:
-    ports:
-    - name: http
-      port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: che
 - apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
@@ -106,16 +86,3 @@ items:
             claimName: che-data-volume
     triggers:
     - type: ConfigChange
-- apiVersion: v1
-  kind: Route
-  metadata:
-    labels:
-      app: che
-    name: che
-  spec:
-    tls:
-      insecureEdgeTerminationPolicy: Redirect
-      termination: edge
-    to:
-      kind: Service
-      name: che-host

dockerfiles/init/modules/openshift/files/scripts/deploy_che.sh

@@ -245,8 +245,7 @@ CHE_CONFIG_FILE_PATH=${CHE_CONFIG_FILE_PATH:-${DEFAULT_CHE_CONFIG_FILE_PATH}}
 cat "${CHE_DEPLOYMENT_FILE_PATH}" | \
     sed "s/          image:.*/          image: \"${CHE_IMAGE_SANITIZED}\"/" | \
     sed "s/          imagePullPolicy:.*/          imagePullPolicy: \"${IMAGE_PULL_POLICY}\"/" | \
-    inject_che_config "#CHE_MASTER_CONFIG" "${CHE_CONFIG_FILE_PATH}" | \
-    if [ "${ENABLE_SSL}" == "false" ]; then grep -v -e "tls:" -e "insecureEdgeTerminationPolicy: Redirect" -e "termination: edge" ; else cat -; fi #| \
+    inject_che_config "#CHE_MASTER_CONFIG" "${CHE_CONFIG_FILE_PATH}"
 }
 
 # ---------------------------------------
@@ -336,6 +335,49 @@ else
     exit 1
 fi
 
+# -------------------------------------------------------------
+# create CHE service and route
+# -------------------------------------------------------------
+echo "[CHE] Creating serviceaccount, service and route for CHE pod"
+ echo "apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    labels:
+      app: che
+    name: che
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: che
+    name: che-host
+  spec:
+    ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: che
+- apiVersion: v1
+  kind: Route
+  metadata:
+    labels:
+      app: che
+    name: che
+  spec:
+    tls:
+      insecureEdgeTerminationPolicy: Redirect
+      termination: edge
+    to:
+      kind: Service
+      name: che-host" | \
+if [ "${ENABLE_SSL}" == "false" ]; then grep -v -e "tls:" -e "insecureEdgeTerminationPolicy: Redirect" -e "termination: edge" ; else cat -; fi | \
+oc apply -f -
+
 # -------------------------------------------------------------
 # Deploying secondary servers
 # for postgres and optionally Keycloak
@@ -429,10 +471,6 @@ echo "[CHE] Deploying Che on ${OPENSHIFT_FLAVOR} (image ${CHE_IMAGE})"
 get_che_pod_config | oc apply --force=true -f -
 echo
 
-if [ "${CHE_DEDICATED_KEYCLOAK}" == "true" ]; then
-  "${COMMAND_DIR}"/multi-user/configure_and_start_keycloak.sh
-fi
-
 # --------------------------------
 # Setup debugging routes if needed
 # --------------------------------

dockerfiles/init/modules/openshift/files/scripts/multi-user/configure_and_start_keycloak.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-# Copyright (c) 2012-2017 Red Hat, Inc
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Eclipse Public License v1.0
-# which accompanies this distribution, and is available at
-# http://www.eclipse.org/legal/epl-v10.html
-#
-
-set -e
-
-# append_before_match allows to append content before matching line
-# this is needed to append content of yaml files
-# first arg is mathing string, second string to insert before match
-append_before_match() {
-    while IFS= read -r line
-    do
-      if [[ "$line" == *"$1"* ]];then
-          printf '%s\n' "$2"
-      fi
-      printf '%s\n' "$line"
-    done < /dev/stdin
-}
-
-COMMAND_DIR=$(dirname "$0")
-
-TLS_SETTINGS="  tls:
-    termination: edge
-    insecureEdgeTerminationPolicy: Allow"
-
-CHE_SERVER_ROUTE_TLS=$(oc get route che -o jsonpath='{.spec.tls}' || echo "")
-if [ "${CHE_SERVER_ROUTE_TLS}" != "" ]; then
-  oc get route/keycloak -o yaml | \
-  append_before_match "wildcardPolicy:" "${TLS_SETTINGS}" | \
-  oc replace -f -
-fi
-
-if [ "${CHE_SERVER_URL}" == "" ]; then
-  CHE_SERVER_ROUTE_HOST=$(oc get route che -o jsonpath='{.spec.host}' || echo "")
-  if [ "${CHE_SERVER_ROUTE_HOST}" == "" ]; then
-    echo "[CHE] **ERROR**: The Che server route should exist before configuring the Keycloak web origins"
-    exit 1
-  fi
-  if [ "${CHE_SERVER_ROUTE_TLS}" == "" ]; then
-    CHE_SERVER_URL="http://${CHE_SERVER_ROUTE_HOST}"
-  else
-    CHE_SERVER_URL="https://${CHE_SERVER_ROUTE_HOST}"
-  fi
-fi
-DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true
-oc set env buildconfig/keycloak-for-che CHE_SERVER_URL=${CHE_SERVER_URL} CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=${CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD:-${DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD}}
-# This waiting is needed because start-build fails without it
-sleep 3s
-oc start-build keycloak-for-che

dockerfiles/init/modules/openshift/files/scripts/multi-user/deploy_postgres_and_keycloak.sh

@@ -12,6 +12,88 @@ export CHE_EPHEMERAL=${CHE_EPHEMERAL:-false}
 
 "$COMMAND_DIR"/deploy_postgres_only.sh
 
+# append_before_match allows to append content before matching line
+# this is needed to append content of yaml files
+# first arg is mathing string, second string to insert before match
+append_before_match() {
+    while IFS= read -r line
+    do
+      if [[ "$line" == *"$1"* ]];then
+          printf '%s\n' "$2"
+      fi
+      printf '%s\n' "$line"
+    done < /dev/stdin
+}
+
+if [ "${CHE_SERVER_URL}" == "" ]; then
+  CHE_SERVER_ROUTE_HOST=$(oc get route che -o jsonpath='{.spec.host}' || echo "")
+  if [ "${CHE_SERVER_ROUTE_HOST}" == "" ]; then
+    echo "[CHE] **ERROR**: The Che server route should exist before configuring the Keycloak web origins"
+    exit 1
+  fi
+  if [ "${CHE_SERVER_ROUTE_TLS}" == "" ]; then
+    CHE_SERVER_URL="http://${CHE_SERVER_ROUTE_HOST}"
+  else
+    CHE_SERVER_URL="https://${CHE_SERVER_ROUTE_HOST}"
+  fi
+fi
+DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true
+
+# apply KC build config
+oc apply -f - <<-EOF
+
+apiVersion: v1
+kind: BuildConfig
+metadata:
+  name: keycloak-for-che
+spec:
+  nodeSelector: null
+  output:
+    to:
+      kind: ImageStreamTag
+      name: 'keycloak:latest'
+  postCommit: {}
+  resources: {}
+  runPolicy: Serial
+  source:
+    images:
+      - from:
+          kind: ImageStreamTag
+          name: 'che-init:latest'
+        paths:
+          - destinationDir: ./themes/
+            sourcePath: /etc/puppet/modules/keycloak/files/che/
+          - destinationDir: ./realms/
+            sourcePath: /etc/puppet/modules/keycloak/templates/.
+          - destinationDir: .s2i/bin/
+            sourcePath: /files/s2i/keycloak/assemble
+          - destinationDir: .s2i/bin/
+            sourcePath: /files/s2i/keycloak/run
+    type: Image
+  strategy:
+    sourceStrategy:
+      env:
+          - name: "CHE_SERVER_URL"
+            value: "${CHE_SERVER_URL}"
+          - name: "CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD"
+            value: "${CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD:-${DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD}}"
+      from:
+        kind: ImageStreamTag
+        name: 'keycloak-source:latest'
+    type: Source
+  triggers:
+  - type: "ImageChange"
+    imageChange: {}
+  - type: "ImageChange"
+    imageChange:
+      from:
+        kind: "ImageStreamTag"
+        name: "che-init:latest"
+status:
+
+EOF
+
+# apply all yaml files from "$COMMAND_DIR"/keycloak/
 oc apply -f "$COMMAND_DIR"/keycloak/
 
 if [ "${CHE_EPHEMERAL}" == "true" ]; then
@@ -20,6 +102,17 @@ if [ "${CHE_EPHEMERAL}" == "true" ]; then
   oc delete pvc/keycloak-data
 fi
 
+TLS_SETTINGS="  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Allow"
+
+CHE_SERVER_ROUTE_TLS=$(oc get route che -o jsonpath='{.spec.tls}' || echo "")
+if [ "${CHE_SERVER_ROUTE_TLS}" != "" ]; then
+  oc get route/keycloak -o yaml | \
+  append_before_match "wildcardPolicy:" "${TLS_SETTINGS}" | \
+  oc replace -f -
+fi
+
 IMAGE_KEYCLOACK=${IMAGE_KEYCLOACK:-"jboss/keycloak-openshift:3.3.0.CR2-3"}
 
 oc apply -f - <<-EOF
@@ -38,3 +131,5 @@ spec:
       scheduled: true
 
 EOF
+
+"$COMMAND_DIR"/wait_until_keycloak_is_available.sh

dockerfiles/init/modules/openshift/files/scripts/multi-user/keycloak/build-config.yaml

@@ -1,50 +0,0 @@
-# Copyright (c) 2012-2017 Red Hat, Inc
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Eclipse Public License v1.0
-# which accompanies this distribution, and is available at
-# http://www.eclipse.org/legal/epl-v10.html
-#
-
-apiVersion: v1
-kind: BuildConfig
-metadata:
-  name: keycloak-for-che
-spec:
-  nodeSelector: null
-  output:
-    to:
-      kind: ImageStreamTag
-      name: 'keycloak:latest'
-  postCommit: {}
-  resources: {}
-  runPolicy: Serial
-  source:
-    images:
-      - from:
-          kind: ImageStreamTag
-          name: 'che-init:latest'
-        paths:
-          - destinationDir: ./themes/
-            sourcePath: /etc/puppet/modules/keycloak/files/che/
-          - destinationDir: ./realms/
-            sourcePath: /etc/puppet/modules/keycloak/templates/.
-          - destinationDir: .s2i/bin/
-            sourcePath: /files/s2i/keycloak/assemble
-          - destinationDir: .s2i/bin/
-            sourcePath: /files/s2i/keycloak/run
-    type: Image
-  strategy:
-    sourceStrategy:
-      from:
-        kind: ImageStreamTag
-        name: 'keycloak-source:latest'
-    type: Source
-  triggers:
-  - type: "ImageChange" 
-    imageChange: {}
-  - type: "ImageChange" 
-    imageChange:
-      from:
-        kind: "ImageStreamTag"
-        name: "che-init:latest"
-status:

dockerfiles/init/modules/openshift/files/scripts/multi-user/wait_until_keycloak_is_available.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+set -e
+
+echo "[CHE] This script is going to wait until Keycloak is deployed and available"
+
+command -v oc >/dev/null 2>&1 || { echo >&2 "[CHE] [ERROR] Command line tool oc (https://docs.openshift.org/latest/cli_reference/get_started_cli.html) is required but it's not installed. Aborting."; exit 1; }
+command -v jq >/dev/null 2>&1 || { echo >&2 "[CHE] [ERROR] Command line tool jq (https://stedolan.github.io/jq) is required but it's not installed. Aborting."; exit 1; }
+
+echo "[CHE] wait Keycloak pod booting..."
+available=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
+progressing=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
+
+DEPLOYMENT_TIMEOUT_SEC=1200
+POLLING_INTERVAL_SEC=5
+end=$((SECONDS+DEPLOYMENT_TIMEOUT_SEC))
+while [[ "${available}" != "\"True\"" || "${progressing}" != "\"True\"" ]] && [ ${SECONDS} -lt ${end} ]; do
+    available=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
+    progressing=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
+    timeout_in=$((end-SECONDS))
+    echo "[CHE] Deployment is in progress...(Available.status=${available}, Progressing.status=${progressing}, Timeout in ${timeout_in}s)"
+    sleep ${POLLING_INTERVAL_SEC}
+done
+
+if [ "${progressing}" == "\"True\"" ]; then
+    echo "[CHE] Keycloak deployed successfully"
+elif [ "${progressing}" == "False" ]; then
+    echo "[CHE] [ERROR] Keycloak deployment failed. Aborting. Run command 'oc rollout status keycloak' to get more details."
+elif [ ${SECONDS} -ge ${end} ]; then
+    echo "[CHE] [ERROR] Deployment timeout. Aborting."
+    exit 1
+fi

dockerfiles/init/modules/openshift/files/scripts/ocp.sh

@@ -201,9 +201,6 @@ deploy_che_to_ocp() {
       bash deploy_che.sh ${DEPLOY_SCRIPT_ARGS}
     fi
     wait_until_server_is_booted
-    if [ $CHE_MULTIUSER == true ]; then
-        wait_until_kc_is_booted
-    fi
 }
 
 server_is_booted() {
@@ -228,32 +225,6 @@ wait_until_server_is_booted() {
   echo "Done!"
 }
 
-wait_until_kc_is_booted() {
-  echo "[CHE] wait Keycloak pod booting..."
-  available=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
-  progressing=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
-
-  DEPLOYMENT_TIMEOUT_SEC=1200
-  POLLING_INTERVAL_SEC=5
-  end=$((SECONDS+DEPLOYMENT_TIMEOUT_SEC))
-  while [[ "${available}" != "\"True\"" || "${progressing}" != "\"True\"" ]] && [ ${SECONDS} -lt ${end} ]; do
-    available=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
-    progressing=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
-    timeout_in=$((end-SECONDS))
-    echo "[CHE] Deployment is in progress...(Available.status=${available}, Progressing.status=${progressing}, Timeout in ${timeout_in}s)"
-    sleep ${POLLING_INTERVAL_SEC}
-  done
-
-  if [ "${progressing}" == "\"True\"" ]; then
-    echo "[CHE] Keycloak deployed successfully"
-  elif [ "${progressing}" == "False" ]; then
-    echo "[CHE] [ERROR] Keycloak deployment failed. Aborting. Run command 'oc rollout status keycloak' to get more details."
-  elif [ ${SECONDS} -ge ${end} ]; then
-    echo "[CHE] [ERROR] Deployment timeout. Aborting."
-    exit 1
-  fi
-}
-
 destroy_ocp() {
     $OC_BINARY login -u system:admin
     $OC_BINARY delete pvc --all