From e5c3d094ed3393cb9aeb239d938d8fb3c3cd4f62 Mon Sep 17 00:00:00 2001 From: Roman Iuvshyn Date: Tue, 23 Jan 2018 18:09:08 +0200 Subject: [PATCH] Fix kc deploy on openshift (#8366) * Improve deploy CHE multi-user to openshift --- .../openshift/files/scripts/che-openshift.yml | 33 ------- .../openshift/files/scripts/deploy_che.sh | 50 ++++++++-- .../configure_and_start_keycloak.sh | 53 ----------- .../deploy_postgres_and_keycloak.sh | 95 +++++++++++++++++++ .../multi-user/keycloak/build-config.yaml | 50 ---------- .../wait_until_keycloak_is_available.sh | 38 ++++++++ .../modules/openshift/files/scripts/ocp.sh | 29 ------ 7 files changed, 177 insertions(+), 171 deletions(-) delete mode 100755 dockerfiles/init/modules/openshift/files/scripts/multi-user/configure_and_start_keycloak.sh delete mode 100644 dockerfiles/init/modules/openshift/files/scripts/multi-user/keycloak/build-config.yaml create mode 100755 dockerfiles/init/modules/openshift/files/scripts/multi-user/wait_until_keycloak_is_available.sh diff --git a/dockerfiles/init/modules/openshift/files/scripts/che-openshift.yml b/dockerfiles/init/modules/openshift/files/scripts/che-openshift.yml index 8046ec23ee..ce136c1d99 100644 --- a/dockerfiles/init/modules/openshift/files/scripts/che-openshift.yml +++ b/dockerfiles/init/modules/openshift/files/scripts/che-openshift.yml @@ -2,26 +2,6 @@ apiVersion: v1 kind: List items: -- apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app: che - name: che -- apiVersion: v1 - kind: Service - metadata: - labels: - app: che - name: che-host - spec: - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: che - apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -106,16 +86,3 @@ items: claimName: che-data-volume triggers: - type: ConfigChange -- apiVersion: v1 - kind: Route - metadata: - labels: - app: che - name: che - spec: - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - to: - kind: Service - name: che-host 
diff --git a/dockerfiles/init/modules/openshift/files/scripts/deploy_che.sh b/dockerfiles/init/modules/openshift/files/scripts/deploy_che.sh
index 7acc33e036..49ddae7c51 100755
--- a/dockerfiles/init/modules/openshift/files/scripts/deploy_che.sh
+++ b/dockerfiles/init/modules/openshift/files/scripts/deploy_che.sh
@@ -245,8 +245,7 @@ CHE_CONFIG_FILE_PATH=${CHE_CONFIG_FILE_PATH:-${DEFAULT_CHE_CONFIG_FILE_PATH}}
 cat "${CHE_DEPLOYMENT_FILE_PATH}" | \
 sed "s/ image:.*/ image: \"${CHE_IMAGE_SANITIZED}\"/" | \
 sed "s/ imagePullPolicy:.*/ imagePullPolicy: \"${IMAGE_PULL_POLICY}\"/" | \
- inject_che_config "#CHE_MASTER_CONFIG" "${CHE_CONFIG_FILE_PATH}" | \
- if [ "${ENABLE_SSL}" == "false" ]; then grep -v -e "tls:" -e "insecureEdgeTerminationPolicy: Redirect" -e "termination: edge" ; else cat -; fi #| \
+ inject_che_config "#CHE_MASTER_CONFIG" "${CHE_CONFIG_FILE_PATH}"
 }
 # ---------------------------------------
@@ -336,6 +335,49 @@ else
 exit 1
 fi
+# -------------------------------------------------------------
+# create CHE service and route
+# -------------------------------------------------------------
+echo "[CHE] Creating serviceaccount, service and route for CHE pod"
+ echo "apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app: che
+ name: che
+- apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: che
+ name: che-host
+ spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: che
+- apiVersion: v1
+ kind: Route
+ metadata:
+ labels:
+ app: che
+ name: che
+ spec:
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: che-host" | \
+if [ "${ENABLE_SSL}" == "false" ]; then grep -v -e "tls:" -e "insecureEdgeTerminationPolicy: Redirect" -e "termination: edge" ; else cat -; fi | \
+oc apply -f -
+
 # -------------------------------------------------------------
 # Deploying secondary servers
 # for postgres and optionally Keycloak
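Review bot: The route manifest in the second hunk is carried in a double-quoted `echo` string and then thinned out line-by-line with `grep -v`, so any future `"` inside the YAML silently breaks the shell string, and the TLS block is dropped only while those three literal lines match exactly; `deploy_postgres_and_keycloak.sh` already feeds `oc apply -f -` from a heredoc, so `cat <<EOF … EOF` here would be consistent and less brittle (the stray leading space on ` echo "apiVersion: v1` would go with it). The pipeline's status is also not checked: if deploy_che.sh does not run under `set -e` (not visible in this hunk), a failed `oc apply -f -` is followed by the Che deployment anyway, whereas the surrounding code exits explicitly — `oc apply -f - || { echo "[CHE] **ERROR**: Failed to create service and route"; exit 1; }` would match that style. Comparing only against `"false"` means any other `ENABLE_SSL` value keeps the `Redirect` TLS block, which is the right default; a one-line comment saying so would save the next reader a check.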
@@ -429,10 +471,6 @@ echo "[CHE] Deploying Che on ${OPENSHIFT_FLAVOR} (image ${CHE_IMAGE})"
 get_che_pod_config | oc apply --force=true -f -
 echo
-if [ "${CHE_DEDICATED_KEYCLOAK}" == "true" ]; then
- "${COMMAND_DIR}"/multi-user/configure_and_start_keycloak.sh
-fi
-
 # --------------------------------
 # Setup debugging routes if needed
 # --------------------------------
diff --git a/dockerfiles/init/modules/openshift/files/scripts/multi-user/configure_and_start_keycloak.sh b/dockerfiles/init/modules/openshift/files/scripts/multi-user/configure_and_start_keycloak.sh
deleted file mode 100755
index 17491aece5..0000000000
--- a/dockerfiles/init/modules/openshift/files/scripts/multi-user/configure_and_start_keycloak.sh
+++ /dev/null
@@ -1,53 +0,0 @@ -#!/bin/bash -# Copyright (c) 2012-2017 Red Hat, Inc -# All rights reserved. This program and the accompanying materials -# are made available under the terms of the Eclipse Public License v1.0 -# which accompanies this distribution, and is available at -# http://www.eclipse.org/legal/epl-v10.html -# - -set -e - -# append_before_match allows to append content before matching line -# this is needed to append content of yaml files -# first arg is mathing string, second string to insert before match -append_before_match() { - while IFS= read -r line - do - if [[ "$line" == *"$1"* ]];then - printf '%s\n' "$2" - fi - printf '%s\n' "$line" - done < /dev/stdin -} - -COMMAND_DIR=$(dirname "$0") - -TLS_SETTINGS=" tls: - termination: edge - insecureEdgeTerminationPolicy: Allow" - -CHE_SERVER_ROUTE_TLS=$(oc get route che -o jsonpath='{.spec.tls}' || echo "") -if [ "${CHE_SERVER_ROUTE_TLS}" != "" ]; then - oc get route/keycloak -o yaml | \ - append_before_match "wildcardPolicy:" "${TLS_SETTINGS}" | \ - oc replace -f - -fi - -if [ "${CHE_SERVER_URL}" == "" ]; then - CHE_SERVER_ROUTE_HOST=$(oc get route che -o jsonpath='{.spec.host}' || echo "") - if [ "${CHE_SERVER_ROUTE_HOST}" == "" ]; then - echo "[CHE] **ERROR**: The Che server route should exist before configuring the Keycloak web origins" - exit 1 - fi - if [ "${CHE_SERVER_ROUTE_TLS}" == "" ]; then - CHE_SERVER_URL="http://${CHE_SERVER_ROUTE_HOST}" - else - CHE_SERVER_URL="https://${CHE_SERVER_ROUTE_HOST}" - fi -fi -DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true -oc set env buildconfig/keycloak-for-che CHE_SERVER_URL=${CHE_SERVER_URL} CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=${CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD:-${DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD}} -# This waiting is needed because start-build fails without it -sleep 3s -oc start-build keycloak-for-che 
diff --git a/dockerfiles/init/modules/openshift/files/scripts/multi-user/deploy_postgres_and_keycloak.sh b/dockerfiles/init/modules/openshift/files/scripts/multi-user/deploy_postgres_and_keycloak.sh
index 30f258b558..d79e0f14d1 100755
--- a/dockerfiles/init/modules/openshift/files/scripts/multi-user/deploy_postgres_and_keycloak.sh
+++ b/dockerfiles/init/modules/openshift/files/scripts/multi-user/deploy_postgres_and_keycloak.sh
@@ -12,6 +12,88 @@ export CHE_EPHEMERAL=${CHE_EPHEMERAL:-false}
 "$COMMAND_DIR"/deploy_postgres_only.sh
+# append_before_match allows to append content before matching line
+# this is needed to append content of yaml files
+# first arg is mathing string, second string to insert before match
+append_before_match() {
+ while IFS= read -r line
+ do
+ if [[ "$line" == *"$1"* ]];then
+ printf '%s\n' "$2"
+ fi
+ printf '%s\n' "$line"
+ done < /dev/stdin
+}
+
+if [ "${CHE_SERVER_URL}" == "" ]; then
+ CHE_SERVER_ROUTE_HOST=$(oc get route che -o jsonpath='{.spec.host}' || echo "")
+ if [ "${CHE_SERVER_ROUTE_HOST}" == "" ]; then
+ echo "[CHE] **ERROR**: The Che server route should exist before configuring the Keycloak web origins"
+ exit 1
+ fi
+ if [ "${CHE_SERVER_ROUTE_TLS}" == "" ]; then
+ CHE_SERVER_URL="http://${CHE_SERVER_ROUTE_HOST}"
+ else
+ CHE_SERVER_URL="https://${CHE_SERVER_ROUTE_HOST}"
+ fi
+fi
+DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD=true
+
+# apply KC build config
+oc apply -f - <<-EOF
+
+apiVersion: v1
+kind: BuildConfig
+metadata:
+ name: keycloak-for-che
+spec:
+ nodeSelector: null
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'keycloak:latest'
+ postCommit: {}
+ resources: {}
+ runPolicy: Serial
+ source:
+ images:
+ - from:
+ kind: ImageStreamTag
+ name: 'che-init:latest'
+ paths:
+ - destinationDir: ./themes/
+ sourcePath: /etc/puppet/modules/keycloak/files/che/
+ - destinationDir: ./realms/
+ sourcePath: /etc/puppet/modules/keycloak/templates/.
+ - destinationDir: .s2i/bin/
+ sourcePath: /files/s2i/keycloak/assemble
+ - destinationDir: .s2i/bin/
+ sourcePath: /files/s2i/keycloak/run
+ type: Image
+ strategy:
+ sourceStrategy:
+ env:
+ - name: "CHE_SERVER_URL"
+ value: "${CHE_SERVER_URL}"
+ - name: "CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD"
+ value: "${CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD:-${DEFAULT_CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD}}"
+ from:
+ kind: ImageStreamTag
+ name: 'keycloak-source:latest'
+ type: Source
+ triggers:
+ - type: "ImageChange"
+ imageChange: {}
+ - type: "ImageChange"
+ imageChange:
+ from:
+ kind: "ImageStreamTag"
+ name: "che-init:latest"
+status:
+
+EOF
+
+# apply all yaml files from "$COMMAND_DIR"/keycloak/
 oc apply -f "$COMMAND_DIR"/keycloak/
 if [ "${CHE_EPHEMERAL}" == "true" ]; then
@@ -20,6 +102,17 @@ if [ "${CHE_EPHEMERAL}" == "true" ]; then
 oc delete pvc/keycloak-data
 fi
+TLS_SETTINGS=" tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Allow"
+
+CHE_SERVER_ROUTE_TLS=$(oc get route che -o jsonpath='{.spec.tls}' || echo "")
+if [ "${CHE_SERVER_ROUTE_TLS}" != "" ]; then
+ oc get route/keycloak -o yaml | \
+ append_before_match "wildcardPolicy:" "${TLS_SETTINGS}" | \
+ oc replace -f -
+fi
+
 IMAGE_KEYCLOACK=${IMAGE_KEYCLOACK:-"jboss/keycloak-openshift:3.3.0.CR2-3"}
 oc apply -f - <<-EOF
@@ -38,3 +131,5 @@ spec:
 scheduled: true
 EOF
+
+"$COMMAND_DIR"/wait_until_keycloak_is_available.sh
diff --git a/dockerfiles/init/modules/openshift/files/scripts/multi-user/keycloak/build-config.yaml b/dockerfiles/init/modules/openshift/files/scripts/multi-user/keycloak/build-config.yaml
deleted file mode 100644
index 921e6c50c3..0000000000
--- a/dockerfiles/init/modules/openshift/files/scripts/multi-user/keycloak/build-config.yaml
+++ /dev/null
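Review bot: `CHE_SERVER_ROUTE_TLS` is tested in `if [ "${CHE_SERVER_ROUTE_TLS}" == "" ]` to choose `http://` or `https://` for `CHE_SERVER_URL`, but within this file it is only assigned by the `oc get route che -o jsonpath='{.spec.tls}'` line in the next hunk, which runs after the BuildConfig below has already been applied with `CHE_SERVER_URL` in its env. Unless the caller exports it or it is set above line 12 (outside this hunk), the test always sees an empty string, so a TLS-enabled Che route is handed to the Keycloak build as plain `http://` — the deleted `configure_and_start_keycloak.sh` computed the TLS value first, presumably because it feeds the web origins its error message refers to. Moving `CHE_SERVER_ROUTE_TLS=$(oc get route che -o jsonpath='{.spec.tls}' || echo "")` in front of `if [ "${CHE_SERVER_URL}" == "" ]; then` restores that order, and the later hunk can then reuse the value instead of querying again. Note also that `|| echo ""` makes a failing `oc get` indistinguishable from a route without TLS, so the `https://` branch is skipped silently whenever the cluster cannot be reached.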
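Review bot: The Keycloak route is given `insecureEdgeTerminationPolicy: Allow`, which leaves the login endpoint reachable over plain HTTP, while the Che route this same commit creates in `deploy_che.sh` uses `Redirect`; if nothing depends on HTTP reaching Keycloak, `Redirect` here keeps credentials off the clear-text path, and either way the choice deserves a comment next to `TLS_SETTINGS` such as `# Allow rather than Redirect because: <reason — TODO>`. The `append_before_match "wildcardPolicy:"` splice also only works while `oc get route/keycloak -o yaml` happens to print a `wildcardPolicy:` line, and it re-submits the whole object through `oc replace`; `oc patch route/keycloak -p '{"spec":{"tls":{"termination":"edge","insecureEdgeTerminationPolicy":"Allow"}}}'` sets the same two fields without depending on the serialisation, which would also make `append_before_match` unnecessary.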
@@ -1,50 +0,0 @@ -# Copyright (c) 2012-2017 Red Hat, Inc -# All rights reserved. This program and the accompanying materials -# are made available under the terms of the Eclipse Public License v1.0 -# which accompanies this distribution, and is available at -# http://www.eclipse.org/legal/epl-v10.html -# - -apiVersion: v1 -kind: BuildConfig -metadata: - name: keycloak-for-che -spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'keycloak:latest' - postCommit: {} - resources: {} - runPolicy: Serial - source: - images: - - from: - kind: ImageStreamTag - name: 'che-init:latest' - paths: - - destinationDir: ./themes/ - sourcePath: /etc/puppet/modules/keycloak/files/che/ - - destinationDir: ./realms/ - sourcePath: /etc/puppet/modules/keycloak/templates/. - - destinationDir: .s2i/bin/ - sourcePath: /files/s2i/keycloak/assemble - - destinationDir: .s2i/bin/ - sourcePath: /files/s2i/keycloak/run - type: Image - strategy: - sourceStrategy: - from: - kind: ImageStreamTag - name: 'keycloak-source:latest' - type: Source - triggers: - - type: "ImageChange" - imageChange: {} - - type: "ImageChange" - imageChange: - from: - kind: "ImageStreamTag" - name: "che-init:latest" -status: diff --git a/dockerfiles/init/modules/openshift/files/scripts/multi-user/wait_until_keycloak_is_available.sh b/dockerfiles/init/modules/openshift/files/scripts/multi-user/wait_until_keycloak_is_available.sh new file mode 100755 index 0000000000..10e395ff66 --- /dev/null +++ b/dockerfiles/init/modules/openshift/files/scripts/multi-user/wait_until_keycloak_is_available.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+set -e
+
+echo "[CHE] This script is going to wait until Keycloak is deployed and available"
+
+command -v oc >/dev/null 2>&1 || { echo >&2 "[CHE] [ERROR] Command line tool oc (https://docs.openshift.org/latest/cli_reference/get_started_cli.html) is required but it's not installed. Aborting."; exit 1; }
+command -v jq >/dev/null 2>&1 || { echo >&2 "[CHE] [ERROR] Command line tool jq (https://stedolan.github.io/jq) is required but it's not installed. Aborting."; exit 1; }
+
+echo "[CHE] wait Keycloak pod booting..."
+available=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
+progressing=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
+
+DEPLOYMENT_TIMEOUT_SEC=1200
+POLLING_INTERVAL_SEC=5
+end=$((SECONDS+DEPLOYMENT_TIMEOUT_SEC))
+while [[ "${available}" != "\"True\"" || "${progressing}" != "\"True\"" ]] && [ ${SECONDS} -lt ${end} ]; do
+ available=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
+ progressing=$(oc get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
+ timeout_in=$((end-SECONDS))
+ echo "[CHE] Deployment is in progress...(Available.status=${available}, Progressing.status=${progressing}, Timeout in ${timeout_in}s)"
+ sleep ${POLLING_INTERVAL_SEC}
+done
+
+if [ "${progressing}" == "\"True\"" ]; then
+ echo "[CHE] Keycloak deployed successfully"
+elif [ "${progressing}" == "False" ]; then
+ echo "[CHE] [ERROR] Keycloak deployment failed. Aborting. Run command 'oc rollout status keycloak' to get more details."
+elif [ ${SECONDS} -ge ${end} ]; then
+ echo "[CHE] [ERROR] Deployment timeout. Aborting."
+ exit 1
+fi
diff --git a/dockerfiles/init/modules/openshift/files/scripts/ocp.sh b/dockerfiles/init/modules/openshift/files/scripts/ocp.sh
index c5d50091cf..a6980638ca 100755
--- a/dockerfiles/init/modules/openshift/files/scripts/ocp.sh
+++ b/dockerfiles/init/modules/openshift/files/scripts/ocp.sh
@@ -201,9 +201,6 @@ deploy_che_to_ocp() {
 bash deploy_che.sh ${DEPLOY_SCRIPT_ARGS}
 fi
 wait_until_server_is_booted
- if [ $CHE_MULTIUSER == true ]; then
- wait_until_kc_is_booted
- fi
 }
 server_is_booted() {
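Review bot: The branch `elif [ "${progressing}" == "False" ]` can never match: `jq` without `-r` prints the condition status with its JSON quotes, which is why the success branch compares against `"\"True\""`, so a rollout that reports `Progressing=False` is polled for the full 1200 s and then reported as a timeout; and even if it matched, that branch prints the error without `exit 1`, so the new call at the end of `deploy_postgres_and_keycloak.sh` would carry on as though Keycloak were up. Reading the status with `jq -r`, leaving the loop as soon as `Progressing` is `False`, and exiting non-zero on every failure path fixes both; the rewrite below also reports success only when `Available` is `True` as well, which is the condition the loop actually waits for. A failing `oc get` piped into `jq` under `set -e` without `pipefail` yields an empty status rather than an error, so the loop cannot tell "not ready" from "cluster unreachable" — worth a comment on the helper at least.
```shell
# … unchanged: license header, set -e, oc/jq presence checks …
echo "[CHE] wait Keycloak pod booting..."

# Print one DeploymentConfig condition status (True/False/Unknown) without JSON quotes.
# A failed `oc get` only yields an empty string here (no pipefail), which the loop treats as "not ready".
kc_condition() {
  oc get dc keycloak -o json | jq -r ".status.conditions[] | select(.type == \"$1\") | .status"
}

DEPLOYMENT_TIMEOUT_SEC=1200
POLLING_INTERVAL_SEC=5
end=$((SECONDS+DEPLOYMENT_TIMEOUT_SEC))
available=$(kc_condition Available)
progressing=$(kc_condition Progressing)
while [[ "${available}" != "True" || "${progressing}" != "True" ]] && [ ${SECONDS} -lt ${end} ]; do
  # A rollout that already failed never becomes Available; stop instead of running out the timeout.
  if [[ "${progressing}" == "False" ]]; then
    break
  fi
  timeout_in=$((end-SECONDS))
  echo "[CHE] Deployment is in progress...(Available.status=${available}, Progressing.status=${progressing}, Timeout in ${timeout_in}s)"
  sleep ${POLLING_INTERVAL_SEC}
  available=$(kc_condition Available)
  progressing=$(kc_condition Progressing)
done

if [[ "${available}" == "True" && "${progressing}" == "True" ]]; then
  echo "[CHE] Keycloak deployed successfully"
elif [[ "${progressing}" == "False" ]]; then
  echo "[CHE] [ERROR] Keycloak deployment failed. Aborting. Run command 'oc rollout status keycloak' to get more details."
  exit 1
else
  echo "[CHE] [ERROR] Deployment timeout. Aborting."
  exit 1
fi
```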
@@ -228,32 +225,6 @@ wait_until_server_is_booted() {
 echo "Done!"
 }
-wait_until_kc_is_booted() {
- echo "[CHE] wait Keycloak pod booting..."
- available=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
- progressing=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
-
- DEPLOYMENT_TIMEOUT_SEC=1200
- POLLING_INTERVAL_SEC=5
- end=$((SECONDS+DEPLOYMENT_TIMEOUT_SEC))
- while [[ "${available}" != "\"True\"" || "${progressing}" != "\"True\"" ]] && [ ${SECONDS} -lt ${end} ]; do
- available=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Available\") | .status")
- progressing=$($OC_BINARY get dc keycloak -o json | jq ".status.conditions[] | select(.type == \"Progressing\") | .status")
- timeout_in=$((end-SECONDS))
- echo "[CHE] Deployment is in progress...(Available.status=${available}, Progressing.status=${progressing}, Timeout in ${timeout_in}s)"
- sleep ${POLLING_INTERVAL_SEC}
- done
-
- if [ "${progressing}" == "\"True\"" ]; then
- echo "[CHE] Keycloak deployed successfully"
- elif [ "${progressing}" == "False" ]; then
- echo "[CHE] [ERROR] Keycloak deployment failed. Aborting. Run command 'oc rollout status keycloak' to get more details."
- elif [ ${SECONDS} -ge ${end} ]; then
- echo "[CHE] [ERROR] Deployment timeout. Aborting."
- exit 1
- fi
-}
-
 destroy_ocp() {
 $OC_BINARY login -u system:admin
 $OC_BINARY delete pvc --all