feat: add an ability to add localhost to allows list for keycloak #937

Merged 2 commits on Jul 21, 2021

sleshchenko (Member) commented Jul 16, 2021

What does this PR do?

It's a draft since some of the corner cases are not tested yet.

The purpose of this PR is to add the ability to add localhost to the allow list for Keycloak,
but since this kind of data is not secret, it also adds a mechanism for mounting an additional configmap into the deployment.
It's just a copy/paste of the mechanism we have for secrets, sorry about that; I did not manage to prepare a better solution in my Hack&Hustle.

What issues does this PR fix or reference?

It solves eclipse-che/che#19158

How to test this PR?

I did the following two stories

⚠️ Known limitation: Che Operator should be rescaled after configmap is created/updated/removed, since update script is executed only on Keycloak host change:
https://github.com/eclipse-che/che-operator/blob/main/pkg/deploy/identity-provider/identity_provider.go#L134
@tolusha is aware of it and is OK to move it out of the scope. It probably needs one more field introduced into status.

Test provision/update scripts with missing custom settings, and then update script with custom settings

# deploy che with custom operator image built from this PR
chectl server:deploy --platform=minikube --installer=operator --che-operator-image=sleshchenko/che-operator:keycloak-localhost

# make sure that Che is deployed and working

# create a configmap that would whitelist localhost
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-custom-config
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: keycloak-configmap
  annotations:
    che.eclipse.org/mount-as: env
    che.eclipse.org/ADDITIONAL_REDIRECT_URIS_env-name: ADDITIONAL_REDIRECT_URIS
    che.eclipse.org/ADDITIONAL_WEBORIGINS_env-name: ADDITIONAL_WEBORIGINS
data:
  ADDITIONAL_WEBORIGINS: '"http://localhost:3000"'
  ADDITIONAL_REDIRECT_URIS: '"http://localhost:3000/*"'
EOF

oc rollout restart deployment/che-operator
# after keycloak is che operator did exec, check that keycloak has localhost in weborigin and redirect URLs for che-public client

Test provision/update scripts with custom settings

kubectl create namespace eclipse-che || true
# create a configmap that would whitelist localhost
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-custom-config
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: keycloak-configmap
  annotations:
    che.eclipse.org/mount-as: env
    che.eclipse.org/ADDITIONAL_REDIRECT_URIS_env-name: ADDITIONAL_REDIRECT_URIS
    che.eclipse.org/ADDITIONAL_WEBORIGINS_env-name: ADDITIONAL_WEBORIGINS
data:
  ADDITIONAL_WEBORIGINS: '"http://localhost:3000"'
  ADDITIONAL_REDIRECT_URIS: '"http://localhost:3000/*"'
EOF

# deploy che with custom operator image built from this PR
chectl server:deploy --platform=minikube --installer=operator --che-operator-image=sleshchenko/che-operator:keycloak-localhost

# After Che is ready, check that keycloak has localhost in weborigin and redirect URLs for che-public client

Reviewers

Reviewers, please comment how you tested the PR when approving it.
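
An added example (not part of this PR or of che-operator): a pre-apply check that the values placed in ADDITIONAL_REDIRECT_URIS and ADDITIONAL_WEBORIGINS stay limited to loopback hosts, so the ConfigMap mechanism described above widens the che-public client's allow list only as far as localhost. It assumes entries are double-quoted and comma-separated; the function names check_entry and audit_value are hypothetical.

```shell
# Added example. Assumption: entries are double-quoted and comma-separated,
# as in the ConfigMap above. check_entry/audit_value are hypothetical names.

# check_entry URL: prints a verdict; returns 0 only for a loopback entry.
check_entry() {
  url=$1
  case $url in
    http://*|https://*) rest=${url#*://} ;;
    *) echo "REJECT $url (scheme is not http/https)"; return 1 ;;
  esac
  host=${rest%%/*}      # authority, e.g. localhost:3000
  path=${rest#"$host"}  # remainder, e.g. /* (may be empty)
  case $host in
    *'*'*) echo "REJECT $url (wildcard in host)"; return 1 ;;
    *@*)   echo "REJECT $url (userinfo in authority)"; return 1 ;;
  esac
  case $host in
    localhost|localhost:*|127.0.0.1|127.0.0.1:*|'[::1]'|'[::1]:'*) ;;
    *) echo "REJECT $url (host is not loopback)"; return 1 ;;
  esac
  case ${path%'*'} in   # a wildcard is tolerated only as the last character
    *'*'*) echo "REJECT $url (wildcard inside path)"; return 1 ;;
  esac
  echo "OK $url"
}

# audit_value VALUE: checks every entry; returns the number rejected.
audit_value() {
  value=$1 bad=0 old_ifs=$IFS
  IFS=,; set -f          # split on commas without glob-expanding '*'
  set -- $value
  set +f; IFS=$old_ifs
  for entry in "$@"; do
    entry=${entry#"${entry%%[! ]*}"}      # trim leading spaces
    entry=${entry%"${entry##*[! ]}"}      # trim trailing spaces
    entry=${entry#\"}; entry=${entry%\"}  # drop surrounding quotes
    check_entry "$entry" || bad=$((bad + 1))
  done
  return "$bad"
}

# Constructed sample values; the first is the one used in the ConfigMap above.
audit_value '"http://localhost:3000/*"'
audit_value '"http://localhost:3000/*", "https://*.example.com/*"' ||
  echo "rejected entries: $?"
# Against a cluster (names from the steps above):
# audit_value "$(kubectl get configmap keycloak-custom-config -n eclipse-che \
#   -o jsonpath='{.data.ADDITIONAL_REDIRECT_URIS}')"
```
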

openshift-ci bot commented Jul 16, 2021

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

sleshchenko force-pushed the configureKeycloakRedirect branch from fd30de1 to 811ed12 on July 19, 2021 15:22

sleshchenko (Member, Author) commented:

Reworked after debug command is moved to Makefile.
@tolusha please test it on your end. Thx!

tolusha (Contributor) commented Jul 21, 2021

/retest

openshift-ci bot commented Jul 21, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sleshchenko, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
