Set sslRequired=NONE by updating DB

pkg/controller/che/che_controller.go

@@ -630,8 +630,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 					if err != nil {
 						return reconcile.Result{}, err
 					}
-					provisioned := ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
-					if provisioned {
+					err = ExecIntoPod(podToExec, pgCommand, "create Keycloak DB, user, privileges", instance.Namespace)
+					if err == nil {
 						for {
 							instance.Status.DbProvisoned = true
 							if err := r.UpdateCheCRStatus(instance, "status: provisioned with DB and user", "true"); err != nil &&
@@ -809,6 +809,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 				keycloakRealmClientStatus := instance.Status.KeycloakProvisoned
 				if !keycloakRealmClientStatus {
 					if err := r.CreateKeycloakResources(instance, request, deploy.KeycloakDeploymentName); err != nil {
+						logrus.Error(err)
 						return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
 					}
 				}
@@ -820,6 +821,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 					openShiftIdentityProviderStatus := instance.Status.OpenShiftoAuthProvisioned
 					if !openShiftIdentityProviderStatus {
 						if err := r.CreateIdentityProviderItems(instance, request, cheFlavor, deploy.KeycloakDeploymentName, isOpenShift4); err != nil {
+							logrus.Error(err)
 							return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 5}, err
 						}
 					}

pkg/controller/che/create.go

@@ -106,8 +106,8 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 			logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
 			return err
 		}
-		provisioned := ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
-		if provisioned {
+		err = ExecIntoPod(podToExec, openShiftIdentityProviderCommand, "create OpenShift identity provider", instance.Namespace)
+		if err == nil {
 			for {
 				instance.Status.OpenShiftoAuthProvisioned = true
 				if err := r.UpdateCheCRStatus(instance, "status: provisioned with OpenShift identity provider", "true"); err != nil &&
@@ -118,7 +118,7 @@ func (r *ReconcileChe) CreateIdentityProviderItems(instance *orgv1.CheCluster, r
 				break
 			}
 		}
-		return nil
+		return err
 	}
 	return nil
 }

pkg/controller/che/exec.go

@@ -19,30 +19,47 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-func ExecIntoPod(podName string, provisionCommand string, reason string, ns string) (provisioned bool) {
-
+func ExecIntoPod(podName string, provisionCommand string, reason string, ns string) error {
 	command := []string{"/bin/bash", "-c", provisionCommand}
 	logrus.Infof("Running exec to %s in pod %s", reason, podName)
 	// print std if operator is run in debug mode (TODO)
 	_, stderr, err := k8sclient.RunExec(command, podName, ns)
 	if err != nil {
 		logrus.Errorf("Error exec'ing into pod: %v: , command: %s", err, command)
 		logrus.Errorf(stderr)
-		return false
+		return err
 	}
 	logrus.Info("Exec successfully completed")
-	return true
+	return nil
 }
 
 func (r *ReconcileChe) CreateKeycloakResources(instance *orgv1.CheCluster, request reconcile.Request, deploymentName string) (err error) {
-	cheHost := instance.Spec.Server.CheHost
-	keycloakProvisionCommand := deploy.GetKeycloakProvisionCommand(instance, cheHost)
-	podToExec, err := k8sclient.GetDeploymentPod(deploymentName, instance.Namespace)
+	command := deploy.GetSwitchSslRequiredToNoneCommand()
+	podToExec, err := k8sclient.GetDeploymentPod(deploy.PostgresDeploymentName, instance.Namespace)
+	if err != nil {
+		return err
+	}
+
+	err = ExecIntoPod(podToExec, command, "Set sslRequired=none for master realm.", instance.Namespace)
 	if err != nil {
-		logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
+		return err
 	}
-	provisioned := ExecIntoPod(podToExec, keycloakProvisionCommand, "create realm, client and user", instance.Namespace)
-	if provisioned {
+
+	podToExec, err = k8sclient.GetDeploymentPod(deploymentName, instance.Namespace)
+	if err != nil {
+		return err
+	}
+
+	command = deploy.GetKeycloakReloadCommand(instance)
+	err = ExecIntoPod(podToExec, command, "Reload keycloak", instance.Namespace)
+	if err != nil {
+		return err
+	}
+
+	cheHost := instance.Spec.Server.CheHost
+	keycloakProvisionCommand := deploy.GetKeycloakProvisionCommand(instance, cheHost)
+	err = ExecIntoPod(podToExec, keycloakProvisionCommand, "create realm, client and user", instance.Namespace)
+	if err == nil {
 		instance, err := r.GetCR(request)
 		if err != nil {
 			if errors.IsNotFound(err) {

pkg/controller/che/update.go

@@ -53,10 +53,10 @@ func (r *ReconcileChe) ReconcileIdentityProvider(instance *orgv1.CheCluster, isO
 		deleteOpenShiftIdentityProviderProvisionCommand := deploy.GetDeleteOpenShiftIdentityProviderProvisionCommand(instance, isOpenShift4)
 		podToExec, err := k8sclient.GetDeploymentPod(keycloakDeployment.Name, instance.Namespace)
 		if err != nil {
-			logrus.Errorf("Failed to retrieve pod name. Further exec will fail")
+			return false, err
 		}
-		provisioned := ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
-		if provisioned {
+		err = ExecIntoPod(podToExec, deleteOpenShiftIdentityProviderProvisionCommand, "delete OpenShift identity provider", instance.Namespace)
+		if err == nil {
 			oAuthClient := &oauth.OAuthClient{}
 			oAuthClientName := instance.Spec.Auth.OAuthClientName
 			if err := r.client.Get(context.TODO(), types.NamespacedName{Name: oAuthClientName, Namespace: ""}, oAuthClient); err != nil {

pkg/deploy/exec_commands.go

@@ -33,6 +33,18 @@ func GetPostgresProvisionCommand(identityProviderPostgresSecret string) (command
 	return command
 }
 
+func GetSwitchSslRequiredToNoneCommand() string {
+	return "psql keycloak -c \"update REALM set ssl_required='NONE' where id = 'master'\""
+}
+
+func GetKeycloakReloadCommand(cr *orgv1.CheCluster) string {
+	jbossCli := "/opt/jboss/keycloak/bin/jboss-cli.sh"
+	if DefaultCheFlavor(cr) == "codeready" {
+		jbossCli = "/opt/eap/bin/jboss-cli.sh"
+	}
+	return jbossCli + " --connect command=:reload"
+}
+
 func GetKeycloakProvisionCommand(cr *orgv1.CheCluster, cheHost string) (command string) {
 	requiredActions := ""
 	updateAdminPassword := cr.Spec.Auth.UpdateAdminPassword

templates/keycloak_provision

@@ -2,7 +2,6 @@ $script config credentials --server http://0.0.0.0:8080/auth \
                                         --realm master \
                                         --user $keycloakAdminUserName \
                                         --password $keycloakAdminPassword \
-&& $script update realms/master -s sslRequired=none \
 && $script get realms/$keycloakRealm; \
 if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
 && $script create realms  -s realm='$keycloakRealm' \
@@ -33,4 +32,4 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
                                         --cclientid broker \
                                         --rolename read-token \
 && CLIENT_ID=$($script get clients -r '$keycloakRealm' -q clientId=broker | sed -n 's/.*"id" *: *"\([^"]\+\).*/\1/p') \
-&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"
+&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"