Update ssl_requires to NONE

Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
eclipse-che · May 29, 2020 · 4ce1c47 · 4ce1c47
1 parent b7e108f
commit 4ce1c47
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 102 deletions.
diff --git a/pkg/controller/che/che_controller.go b/pkg/controller/che/che_controller.go
@@ -52,9 +52,6 @@ import (
 )
 
 var log = logf.Log.WithName("controller_che")
-var (
-	k8sclient = util.GetK8Client()
-)
 
 // Add creates a new CheCluster Controller and adds it to the Manager. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
@@ -552,13 +549,13 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			}
 		}
 
-		if k8sclient.IsPVCExists(deploy.DefaultPostgresVolumeClaimName, instance.Namespace) {
-			k8sclient.DeletePVC(deploy.DefaultPostgresVolumeClaimName, instance.Namespace)
+		if util.K8sclient.IsPVCExists(deploy.DefaultPostgresVolumeClaimName, instance.Namespace) {
+			util.K8sclient.DeletePVC(deploy.DefaultPostgresVolumeClaimName, instance.Namespace)
 		}
 	} else {
 		if !tests {
-			if k8sclient.IsPVCExists(deploy.DefaultCheVolumeClaimName, instance.Namespace) {
-				k8sclient.DeletePVC(deploy.DefaultCheVolumeClaimName, instance.Namespace)
+			if util.K8sclient.IsPVCExists(deploy.DefaultCheVolumeClaimName, instance.Namespace) {
+				util.K8sclient.DeletePVC(deploy.DefaultCheVolumeClaimName, instance.Namespace)
 			}
 		}
 	}
@@ -567,8 +564,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	externalDB := instance.Spec.Database.ExternalDb
 	if !externalDB {
 		if cheMultiUser == "false" {
-			if k8sclient.IsDeploymentExists(deploy.PostgresDeploymentName, instance.Namespace) {
-				k8sclient.DeleteDeployment(deploy.PostgresDeploymentName, instance.Namespace)
+			if util.K8sclient.IsDeploymentExists(deploy.PostgresDeploymentName, instance.Namespace) {
+				util.K8sclient.DeleteDeployment(deploy.PostgresDeploymentName, instance.Namespace)
 			}
 		} else {
 			postgresLabels := deploy.GetLabels(instance, deploy.PostgresDeploymentName)
@@ -615,7 +612,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			if !tests {
 				identityProviderPostgresSecret := instance.Spec.Auth.IdentityProviderPostgresSecret
 				if len(identityProviderPostgresSecret) > 0 {
-					_, password, err := k8sclient.ReadSecret(identityProviderPostgresSecret, instance.Namespace)
+					_, password, err := util.K8sclient.ReadSecret(identityProviderPostgresSecret, instance.Namespace)
 					if err != nil {
 						logrus.Errorf("Failed to read '%s' secret: %s", identityProviderPostgresSecret, err)
 						return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
@@ -626,12 +623,12 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 				dbStatus := instance.Status.DbProvisoned
 				// provision Db and users for Che and Keycloak servers
 				if !dbStatus {
-					podToExec, err := k8sclient.GetDeploymentPod(deploy.PostgresDeploymentName, instance.Namespace)
+					podToExec, err := util.K8sclient.GetDeploymentPod(deploy.PostgresDeploymentName, instance.Namespace)
 					if err != nil {
 						return reconcile.Result{}, err
 					}
-					provisioned := ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
-					if provisioned {
+					_, err = util.K8sclient.ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
+					if err == nil {
 						for {
 							instance.Status.DbProvisoned = true
 							if err := r.UpdateCheCRStatus(instance, "status: provisioned with DB and user", "true"); err != nil &&
@@ -721,8 +718,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 
 	if !ExternalKeycloak {
 		if cheMultiUser == "false" {
-			if k8sclient.IsDeploymentExists("keycloak", instance.Namespace) {
-				k8sclient.DeleteDeployment("keycloak", instance.Namespace)
+			if util.K8sclient.IsDeploymentExists("keycloak", instance.Namespace) {
+				util.K8sclient.DeleteDeployment("keycloak", instance.Namespace)
 			}
 		} else {
 			keycloakLabels := deploy.GetLabels(instance, "keycloak")
@@ -806,10 +803,20 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			}
 
 			if !tests {
-				keycloakRealmClientStatus := instance.Status.KeycloakProvisoned
-				if !keycloakRealmClientStatus {
-					if err := r.CreateKeycloakResources(instance, request, deploy.KeycloakDeploymentName); err != nil {
-						return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
+				if !instance.Status.KeycloakProvisoned {
+					if err := deploy.ProvisionKeycloakResources(instance, clusterAPI); err != nil {
+						logrus.Error(err)
+						return reconcile.Result{RequeueAfter: time.Second}, err
+					}
+
+					for {
+						instance.Status.KeycloakProvisoned = true
+						if err := r.UpdateCheCRStatus(instance, "status: provisioned with Keycloak", "true"); err != nil &&
+							errors.IsConflict(err) {
+							instance, _ = r.GetCR(request)
+							continue
+						}
+						break
 					}
 				}
 			}
@@ -1324,7 +1331,7 @@ func (r *ReconcileChe) configureProxy(instance *orgv1.CheCluster, transport *htt
 	proxyUser := instance.Spec.Server.ProxyUser
 	proxyPassword := instance.Spec.Server.ProxyPassword
 	proxySecret := instance.Spec.Server.ProxySecret
-	user, password, err := k8sclient.ReadSecret(proxySecret, instance.Namespace)
+	user, password, err := util.K8sclient.ReadSecret(proxySecret, instance.Namespace)
 	if err == nil {
 		proxyUser = user
 		proxyPassword = password

diff --git a/pkg/controller/che/create.go b/pkg/controller/che/create.go
@@ -101,13 +101,13 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 			logrus.Errorf("Failed to build identity provider provisioning command")
 			return err
 		}
-		podToExec, err := k8sclient.GetDeploymentPod(keycloakDeploymentName, instance.Namespace)
+		podToExec, err := util.K8sclient.GetDeploymentPod(keycloakDeploymentName, instance.Namespace)
 		if err != nil {
 			logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
 			return err
 		}
-		provisioned := ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
-		if provisioned {
+		_, err = util.K8sclient.ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
+		if err == nil {
 			for {
 				instance.Status.OpenShiftoAuthProvisioned = true
 				if err := r.UpdateCheCRStatus(instance, "status: provisioned with OpenShift identity provider", "true"); err != nil &&
@@ -118,7 +118,7 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 				break
 			}
 		}
-		return nil
+		return err
 	}
 	return nil
 }

diff --git a/pkg/controller/che/exec.go b/pkg/controller/che/exec.go
diff --git a/pkg/controller/che/tls-secrets.go b/pkg/controller/che/tls-secrets.go
@@ -15,6 +15,8 @@ import (
 	"context"
 	"time"
 
+	"github.com/eclipse/che-operator/pkg/util"
+
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse/che-operator/pkg/deploy"
 	"github.com/sirupsen/logrus"
@@ -244,7 +246,7 @@ func CheckAndUpdateTLSConfiguration(checluster *orgv1.CheCluster, clusterAPI dep
 }
 
 func deleteJob(job *batchv1.Job, checluster *orgv1.CheCluster, clusterAPI deploy.ClusterAPI) {
-	names := k8sclient.GetPodsByComponent(CheTlsJobComponentName, checluster.Namespace)
+	names := util.K8sclient.GetPodsByComponent(CheTlsJobComponentName, checluster.Namespace)
 	for _, podName := range names {
 		pod := &corev1.Pod{}
 		err := clusterAPI.Client.Get(context.TODO(), types.NamespacedName{Name: podName, Namespace: checluster.Namespace}, pod)

diff --git a/pkg/controller/che/update.go b/pkg/controller/che/update.go
@@ -16,6 +16,7 @@ import (
 
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse/che-operator/pkg/deploy"
+	"github.com/eclipse/che-operator/pkg/util"
 	oauth "github.com/openshift/api/oauth/v1"
 	"github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
@@ -51,12 +52,12 @@ func (r *ReconcileChe) ReconcileIdentityProvider(instance *orgv1.CheCluster, isO
 			logrus.Errorf("Deployment %s not found: %s", keycloakDeployment.Name, err)
 		}
 		deleteOpenShiftIdentityProviderProvisionCommand := deploy.GetDeleteOpenShiftIdentityProviderProvisionCommand(instance, isOpenShift4)
-		podToExec, err := k8sclient.GetDeploymentPod(keycloakDeployment.Name, instance.Namespace)
+		podToExec, err := util.K8sclient.GetDeploymentPod(keycloakDeployment.Name, instance.Namespace)
 		if err != nil {
 			logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
 		}
-		provisioned := ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
-		if provisioned {
+		_, err = util.K8sclient.ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
+		if err == nil {
 			oAuthClient := &oauth.OAuthClient{}
 			oAuthClientName := instance.Spec.Auth.OAuthClientName
 			if err := r.client.Get(context.TODO(), types.NamespacedName{Name: oAuthClientName, Namespace: ""}, oAuthClient); err != nil {

diff --git a/pkg/deploy/deployment_keycloak.go b/pkg/deploy/deployment_keycloak.go
@@ -14,6 +14,7 @@ package deploy
 import (
 	"context"
 	"regexp"
+	"strconv"
 	"strings"
 
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
@@ -31,21 +32,26 @@ import (
 )
 
 const (
-	KeycloakDeploymentName = "keycloak"
+	KeycloakDeploymentName   = "keycloak"
+	selectSslRequiredCommand = "OUT=$(psql keycloak -tAc \"SELECT 1 FROM REALM WHERE id = 'master'\"); " +
+		"if [ $OUT -eq 1 ]; then psql keycloak -tAc \"SELECT ssl_required FROM REALM WHERE id = 'master'\"; fi"
+	updateSslRequiredCommand = "psql keycloak -c \"update REALM set ssl_required='NONE' where id = 'master'\""
 )
 
 var (
 	trustpass              = util.GeneratePasswd(12)
 	keycloakCustomDiffOpts = cmp.Options{
 		cmp.Comparer(func(x, y appsv1.Deployment) bool {
 			return x.Annotations["che.self-signed-certificate.version"] == y.Annotations["che.self-signed-certificate.version"] &&
-				x.Annotations["che.openshift-api-crt.version"] == y.Annotations["che.openshift-api-crt.version"]
+				x.Annotations["che.openshift-api-crt.version"] == y.Annotations["che.openshift-api-crt.version"] &&
+				x.Annotations["che.keycloak-ssl-required-updated"] == y.Annotations["che.keycloak-ssl-required-updated"]
 		}),
 	}
 	keycloakAdditionalDeploymentMerge = func(specDeployment *appsv1.Deployment, clusterDeployment *appsv1.Deployment) *appsv1.Deployment {
 		clusterDeployment.Spec = specDeployment.Spec
 		clusterDeployment.Annotations["che.self-signed-certificate.version"] = specDeployment.Annotations["che.self-signed-certificate.version"]
 		clusterDeployment.Annotations["che.openshift-api-crt.version"] = specDeployment.Annotations["che.openshift-api-crt.version"]
+		clusterDeployment.Annotations["che.keycloak-ssl-required-updated"] = specDeployment.Annotations["che.keycloak-ssl-required-updated"]
 		return clusterDeployment
 	}
 )
@@ -93,6 +99,7 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 	terminationGracePeriodSeconds := int64(30)
 	cheCertSecretVersion := getSecretResourceVersion("self-signed-certificate", checluster.Namespace, clusterAPI)
 	openshiftApiCertSecretVersion := getSecretResourceVersion("openshift-api-crt", checluster.Namespace, clusterAPI)
+	sslRequiredUpdatedForMasterRealm := isSslRequiredUpdatedForMasterRealm(checluster, clusterAPI)
 
 	// add various certificates to Java trust store so that Keycloak can connect to OpenShift API
 	// certificate that OpenShift router uses (for 4.0 only)
@@ -425,6 +432,11 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 			" && echo \"feature.token_exchange=enabled\nfeature.admin_fine_grained_authz=enabled\" > /opt/eap/standalone/configuration/profile.properties  " +
 			" && sed -i 's/WILDCARD/ANY/g' /opt/eap/bin/launch/keycloak-spi.sh && /opt/eap/bin/openshift-launch.sh -b 0.0.0.0"
 	}
+
+	if sslRequiredUpdatedForMasterRealm {
+		// update command to restart pod
+		command = "echo \"ssl_required WAS UPDATED for master realm.\" && " + command
+	}
 	args := []string{"-c", command}
 
 	deployment := &appsv1.Deployment{
@@ -439,6 +451,7 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 			Annotations: map[string]string{
 				"che.self-signed-certificate.version": cheCertSecretVersion,
 				"che.openshift-api-crt.version":       openshiftApiCertSecretVersion,
+				"che.keycloak-ssl-required-updated":   strconv.FormatBool(sslRequiredUpdatedForMasterRealm),
 			},
 		},
 		Spec: appsv1.DeploymentSpec{
@@ -523,3 +536,65 @@ func getSecretResourceVersion(name string, namespace string, clusterAPI ClusterA
 	}
 	return secret.ResourceVersion
 }
+
+func isSslRequiredUpdatedForMasterRealm(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) bool {
+	if util.IsTestMode() {
+		return false
+	}
+
+	clusterDeployment, _ := getClusterDeployment(KeycloakDeploymentName, checluster.Namespace, clusterAPI.Client)
+	if clusterDeployment == nil {
+		return false
+	}
+
+	value, err := strconv.ParseBool(clusterDeployment.ObjectMeta.Annotations["che.keycloak-ssl-required-updated"])
+	if err == nil && value {
+		return true
+	}
+
+	dbValue, _ := getSslRequiredForMasterRealm(checluster)
+	return dbValue == "NONE"
+}
+
+func getSslRequiredForMasterRealm(checluster *orgv1.CheCluster) (string, error) {
+	podName, err := util.K8sclient.GetDeploymentPod(PostgresDeploymentName, checluster.Namespace)
+	if err != nil {
+		return "", err
+	}
+
+	stdout, err := util.K8sclient.ExecIntoPod(podName, selectSslRequiredCommand, "", checluster.Namespace)
+	return strings.TrimSpace(stdout), err
+}
+
+func updateSslRequiredForMasterRealm(checluster *orgv1.CheCluster) error {
+	podName, err := util.K8sclient.GetDeploymentPod(PostgresDeploymentName, checluster.Namespace)
+	if err != nil {
+		return err
+	}
+
+	_, err = util.K8sclient.ExecIntoPod(podName, updateSslRequiredCommand, "Update ssl_required to NONE", checluster.Namespace)
+	return err
+}
+
+func ProvisionKeycloakResources(checluster *orgv1.CheCluster, clusterAPI ClusterAPI) error {
+	value, err := getSslRequiredForMasterRealm(checluster)
+	if err != nil {
+		return err
+	}
+
+	if value != "NONE" {
+		err := updateSslRequiredForMasterRealm(checluster)
+		if err != nil {
+			return err
+		}
+	}
+
+	keycloakProvisionCommand := GetKeycloakProvisionCommand(checluster)
+	podToExec, err := util.K8sclient.GetDeploymentPod(KeycloakDeploymentName, checluster.Namespace)
+	if err != nil {
+		logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
+	}
+
+	_, err = util.K8sclient.ExecIntoPod(podToExec, keycloakProvisionCommand, "create realm, client and user", checluster.Namespace)
+	return err
+}
diff --git a/pkg/deploy/exec_commands.go b/pkg/deploy/exec_commands.go
@@ -33,7 +33,7 @@ func GetPostgresProvisionCommand(identityProviderPostgresSecret string) (command
 	return command
 }
 
-func GetKeycloakProvisionCommand(cr *orgv1.CheCluster, cheHost string) (command string) {
+func GetKeycloakProvisionCommand(cr *orgv1.CheCluster) (command string) {
 	requiredActions := ""
 	updateAdminPassword := cr.Spec.Auth.UpdateAdminPassword
 	cheFlavor := DefaultCheFlavor(cr)
@@ -67,7 +67,7 @@ func GetKeycloakProvisionCommand(cr *orgv1.CheCluster, cheHost string) (command
 		"$realmDisplayName", realmDisplayName,
 		"$keycloakClientId", keycloakClientId,
 		"$keycloakTheme", keycloakTheme,
-		"$cheHost", cheHost,
+		"$cheHost", cr.Spec.Server.CheHost,
 		"$requiredActions", requiredActions)
 	createRealmClientUserCommand := r.Replace(str)
 	command = createRealmClientUserCommand