From 95c442e5b578c8f9363b6588aad02bc4153e1fc1 Mon Sep 17 00:00:00 2001
From: Anatoliy Bazko
Date: Wed, 27 May 2020 18:04:14 +0300
Subject: [PATCH] Set sslRequired=NONE by updating DB
---
 pkg/controller/che/che_controller.go | 6 +++--
 pkg/controller/che/create.go | 6 ++---
 pkg/controller/che/exec.go | 37 ++++++++++++++++++++--------
 pkg/controller/che/update.go | 6 ++---
 pkg/deploy/exec_commands.go | 12 +++++++++
 templates/keycloak_provision | 3 +--
 6 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/pkg/controller/che/che_controller.go b/pkg/controller/che/che_controller.go
index e0bc46614..ee419c276 100644
--- a/pkg/controller/che/che_controller.go
+++ b/pkg/controller/che/che_controller.go
@@ -630,8 +630,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 if err != nil {
 return reconcile.Result{}, err
 }
- provisioned := ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
- if provisioned {
+ err = ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
+ if err == nil {
 for {
 instance.Status.DbProvisoned = true
 if err := r.UpdateCheCRStatus(instance, "status: provisioned with DB and user", "true"); err != nil &&
@@ -809,6 +809,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 keycloakRealmClientStatus := instance.Status.KeycloakProvisoned
 if !keycloakRealmClientStatus {
 if err := r.CreateKeycloakResources(instance, request, deploy.KeycloakDeploymentName); err != nil {
+ logrus.Error(err)
 return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
 }
 }
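Review bot: The added `logrus.Error(err)` in the @@ -809 hunk logs an error that the very next line returns, so the same failure is reported twice (ExecIntoPod already logs it, and controller-runtime logs every error returned from Reconcile); the @@ -820 hunk adds the same pairing. Wrapping with the step name is more useful than the bare log, e.g. `return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, fmt.Errorf("creating Keycloak resources: %w", err)` (needs Go 1.13+ for %w and a fmt import; otherwise keep logrus.Errorf with the same context). Note that controller-runtime ignores Requeue/RequeueAfter when a non-nil error is returned and applies its own backoff instead, so the 5 s delay on that pre-existing line is not what actually happens. Reconcile starts and ends outside both hunks.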
@@ -820,6 +821,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 openShiftIdentityProviderStatus := instance.Status.OpenShiftoAuthProvisioned
 if !openShiftIdentityProviderStatus {
 if err := r.CreateIdentityProviderItems(instance, request, cheFlavor, deploy.KeycloakDeploymentName, isOpenShift4); err != nil {
+ logrus.Error(err)
 return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
 }
 }
diff --git a/pkg/controller/che/create.go b/pkg/controller/che/create.go
index 8008e1118..bbae00868 100644
--- a/pkg/controller/che/create.go
+++ b/pkg/controller/che/create.go
@@ -106,8 +106,8 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
 return err
 }
- provisioned := ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
- if provisioned {
+ err = ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
+ if err == nil {
 for {
 instance.Status.OpenShiftoAuthProvisioned = true
 if err := r.UpdateCheCRStatus(instance, "status: provisioned with OpenShift identity provider", "true"); err != nil &&
@@ -118,7 +118,7 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 break
 }
 }
- return nil
+ return err
 }
 return nil
 }
diff --git a/pkg/controller/che/exec.go b/pkg/controller/che/exec.go
index 0f694a97d..7ff64d62f 100644
--- a/pkg/controller/che/exec.go
+++ b/pkg/controller/che/exec.go
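Review bot: `return err` inside the `if err == nil {` block in the @@ -118 hunk can only return nil: the block is entered when err is nil and the status-update loop above shadows err with `:=`, so unless the lines hidden between the two hunks assign to the outer err, the change from `return nil` is a no-op, while a failed ExecIntoPod still falls through to the trailing `return nil` and is swallowed. The likely intent is the reverse — `return nil` inside the block and `return err` after it — or simply `if err != nil { return err }` directly after the `err = ExecIntoPod(...)` call in the @@ -106 hunk. The same `err = ExecIntoPod(...); if err == nil {` shape is introduced in che_controller.go @@ -630 and update.go @@ -53, where the non-nil path lies outside the hunk and deserves the same check. CreateIdentityProviderItems starts before the @@ -106 hunk.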
@@ -19,8 +19,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-func ExecIntoPod(podName string, provisionCommand string, reason string, ns string) (provisioned bool) {
-
+func ExecIntoPod(podName string, provisionCommand string, reason string, ns string) error {
 command := []string{"/bin/bash", "-c", provisionCommand}
 logrus.Infof("Running exec to %s in pod %s", reason, podName)
 // print std if operator is run in debug mode (TODO)
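Review bot: ExecIntoPod is exported and gets a new error-returning signature here, yet it still has no doc comment, so callers must read the body to learn that provisionCommand is handed to `/bin/bash -c` and that reason is only a log label. Suggest `// ExecIntoPod runs provisionCommand through "/bin/bash -c" in pod podName (namespace ns) and returns the exec error, or nil once the command completed; reason only labels the log lines.` above the signature. The body continues in the next hunk and the exec call itself sits between the two hunks, so the role of ns is inferred from its name and should be confirmed against that call.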
@@ -28,21 +27,39 @@ func ExecIntoPod(podName string, provisionCommand string, reason string, ns stri
 if err != nil {
 logrus.Errorf("Error exec'ing into pod: %v: , command: %s", err, command)
 logrus.Errorf(stderr)
- return false
+ return err
 }
 logrus.Info("Exec successfully completed")
- return true
+ return nil
 }
 
 func (r *ReconcileChe) CreateKeycloakResources(instance *orgv1.CheCluster, request reconcile.Request, deploymentName string) (err error) {
- cheHost := instance.Spec.Server.CheHost
- keycloakProvisionCommand := deploy.GetKeycloakProvisionCommand(instance, cheHost)
- podToExec, err := k8sclient.GetDeploymentPod(deploymentName, instance.Namespace)
+ command := deploy.GetSwitchSslRequiredToNoneCommand()
+ podToExec, err := k8sclient.GetDeploymentPod(deploy.PostgresDeploymentName, instance.Namespace)
+ if err != nil {
+ return err
+ }
+
+ err = ExecIntoPod(podToExec, command, "Set sslRequired=none for master realm.", instance.Namespace)
 if err != nil {
- logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
+ return err
 }
- provisioned := ExecIntoPod(podToExec, keycloakProvisionCommand, "create realm, client and user", instance.Namespace)
- if provisioned {
+
+ podToExec, err = k8sclient.GetDeploymentPod(deploymentName, instance.Namespace)
+ if err != nil {
+ return err
+ }
+
+ command = deploy.GetKeycloakReloadCommand(instance)
+ err = ExecIntoPod(podToExec, command, "Reload keycloak", instance.Namespace)
+ if err != nil {
+ return err
+ }
+
+ cheHost := instance.Spec.Server.CheHost
+ keycloakProvisionCommand := deploy.GetKeycloakProvisionCommand(instance, cheHost)
+ err = ExecIntoPod(podToExec, keycloakProvisionCommand, "create realm, client and user", instance.Namespace)
+ if err == nil {
 instance, err := r.GetCR(request)
 if err != nil {
 if errors.IsNotFound(err) {
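Review bot: CreateKeycloakResources now lowers the master realm's TLS requirement by writing `ssl_required='NONE'` straight into the Keycloak database and then reloading the server, but nothing in the code says why that security setting is dropped or why the reload is needed; a why-comment above `command := deploy.GetSwitchSslRequiredToNoneCommand()` should capture both, e.g. `// Replaces the former kcadm "update realms/master -s sslRequired=none" step in templates/keycloak_provision: the value is written directly to the DB, so Keycloak is reloaded below before the realm/client provisioning runs.` If `jboss-cli.sh --connect command=:reload` returns as soon as the reload is triggered rather than when Keycloak's HTTP listener and deployments are back (which is how it appears to be used here), the provisioning exec that follows immediately may fail and only succeed on a later reconcile, so a readiness wait between the two execs is worth considering. The reason string `"Set sslRequired=none for master realm."` is interpolated into `Running exec to %s in pod %s`, so the trailing period lands mid-sentence in the log; drop it to match the other reason strings. On the pre-existing context line `logrus.Errorf(stderr)`, command output is used as the format string, so any `%` in stderr is misparsed; `logrus.Error(stderr)` avoids that. The function's body continues past the hunk.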
@@ -53,10 +53,10 @@ func (r *ReconcileChe) ReconcileIdentityProvider(instance *orgv1.CheCluster, isO
 deleteOpenShiftIdentityProviderProvisionCommand := deploy.GetDeleteOpenShiftIdentityProviderProvisionCommand(instance, isOpenShift4)
 podToExec, err := k8sclient.GetDeploymentPod(keycloakDeployment.Name, instance.Namespace)
 if err != nil {
- logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
+ return false, err
 }
- provisioned := ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
- if provisioned {
+ err = ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
+ if err == nil {
 oAuthClient := &oauth.OAuthClient{}
 oAuthClientName := instance.Spec.Auth.OAuthClientName
 if err := r.client.Get(context.TODO(), types.NamespacedName{Name: oAuthClientName, Namespace: ""}, oAuthClient); err != nil {
diff --git a/pkg/deploy/exec_commands.go b/pkg/deploy/exec_commands.go
index fc762644f..1bbe98968 100644
--- a/pkg/deploy/exec_commands.go
+++ b/pkg/deploy/exec_commands.go
@@ -33,6 +33,18 @@ func GetPostgresProvisionCommand(identityProviderPostgresSecret string) (command
 return command
 }
 
+func GetSwitchSslRequiredToNoneCommand() string {
+ return "psql keycloak -c \"update REALM set ssl_required='NONE' where id = 'master'\""
+}
+
+func GetKeycloakReloadCommand(cr *orgv1.CheCluster) string {
+ jbossCli := "/opt/jboss/keycloak/bin/jboss-cli.sh"
+ if DefaultCheFlavor(cr) == "codeready" {
+ jbossCli = "/opt/eap/bin/jboss-cli.sh"
+ }
+ return jbossCli + " --connect command=:reload"
+}
+
 func GetKeycloakProvisionCommand(cr *orgv1.CheCluster, cheHost string) (command string) {
 requiredActions := ""
 updateAdminPassword := cr.Spec.Auth.UpdateAdminPassword
diff --git a/templates/keycloak_provision b/templates/keycloak_provision
index e1ec81278..a8872a98d 100644
--- a/templates/keycloak_provision
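Review bot: Both exported functions added in the exec_commands.go @@ -33 hunk lack doc comments, and GetSwitchSslRequiredToNoneCommand needs one in particular because its SQL deliberately weakens a security setting (the master realm's TLS requirement) by writing to Keycloak's internal REALM table instead of going through the admin API. Suggest `// GetSwitchSslRequiredToNoneCommand returns the psql command that sets sslRequired=NONE on the master realm directly in the Keycloak database; Keycloak is reloaded afterwards so the change takes effect, and the statement depends on Keycloak's REALM table layout.` and `// GetKeycloakReloadCommand returns the jboss-cli invocation that reloads the Keycloak server inside its pod; the CLI path is the EAP one for the codeready flavor and the stock Keycloak one otherwise.` The database name `keycloak` and the implicit psql user/host are hard-coded in the string; if GetPostgresProvisionCommand (whose body lies outside the hunk) creates the database under a configurable name, the two should share one constant so the update cannot silently target the wrong database.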
+++ b/templates/keycloak_provision
@@ -2,7 +2,6 @@ $script config credentials --server http://0.0.0.0:8080/auth \
 --realm master \
 --user $keycloakAdminUserName \
 --password $keycloakAdminPassword \
-&& $script update realms/master -s sslRequired=none \
 && $script get realms/$keycloakRealm; \
 if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
 && $script create realms -s realm='$keycloakRealm' \
@@ -33,4 +32,4 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
 --cclientid broker \
 --rolename read-token \
 && CLIENT_ID=$($script get clients -r '$keycloakRealm' -q clientId=broker | sed -n 's/.*"id" *: *"\([^"]\+\).*/\1/p') \
-&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"
\ No newline at end of file
+&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"