Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatically propagate ca-certs configmap content into server and identity provider #487

Merged
merged 15 commits into from
Oct 13, 2020
Merged

Automatically propagate ca-certs configmap content into server and identity provider #487

merged 15 commits into from
Oct 13, 2020

Conversation

tolusha
Copy link
Contributor

@tolusha tolusha commented Oct 8, 2020
edited
Loading

Signed-off-by: Anatolii Bazko abazko@redhat.com

Reference issue

eclipse-che/che#17918

What does this PR do

  • add owner to ca-certs configmap (if necessary)
  • update environment variables in keyckoak and server deployments to restart pods to take into account new certificates from the ca-certs configmap.

@tolusha
Automatically propagate serverTrustStoreConfigMap context to server a…
37c5dda 
…nd identity provider

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Add missed files
f249f08 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@openshift-ci-robot
Copy link

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tolusha tolusha mentioned this pull request Oct 8, 2020
Closed
50 tasks
@tolusha
Fixes
da574bb 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fixes
f269994 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fix
1e2d175 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fix
118ce6c 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fix
f3da3ab 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fixes
04efd68 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha tolusha marked this pull request as ready for review October 9, 2020 06:44
@tolusha tolusha changed the title Automatically propagate serverTrustStoreConfigMap context to server a… Automatically propagate ca-certs configmap content into server and identity provider Oct 9, 2020
mmorhun
mmorhun reviewed Oct 9, 2020
View reviewed changes
pkg/deploy/identity-provider/deployment_keycloak.go Outdated
@@ -221,6 +223,10 @@ func getSpecKeycloakDeployment(
}

keycloakEnv := []corev1.EnvVar{
{
Name: "CM_REVISIONS",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this in the Keycloak and Che containers env? If we need to mark something, isn't labels does the work?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved.

davidfestal
davidfestal reviewed Oct 9, 2020
View reviewed changes
Copy link
Contributor

@davidfestal davidfestal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we also restart the Che server when the content of this config map changes ?
Maybe it is already done and I missed it ?

pkg/controller/che/che_controller.go Outdated
if instance.Spec.Server.ServerTrustStoreConfigMapName != "" {
trustStoreConfigMap, _ := deploy.GetClusterConfigMap(instance.Spec.Server.ServerTrustStoreConfigMapName, instance.Namespace, clusterAPI.Client)
if trustStoreConfigMap != nil {
// trustStoreConfigMap might be created by user, to detect changes we have to add the owner
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why ? Isn't the main method run regularly anyway ?
Not sure what the requirement for an owner will mean when we select all the config maps that have a given label.

@tolusha
Copy link
Contributor Author

tolusha commented Oct 9, 2020
edited
Loading

@davidfestal
We ensure that Che server is updated as well.
https://github.com/eclipse/che-operator/pull/487/files#diff-d9445e614f0d728fd140771b0fd29c50R842

@davidfestal
Copy link
Contributor

@davidfestal
Here is we ensure that Che server is updated as well.
https://github.com/eclipse/che-operator/pull/487/files#diff-d9445e614f0d728fd140771b0fd29c50R842

Oh, I see. Sorry I missed it.

@tolusha
Fixes
3b73704 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Move resources version to annotations
36e3abe 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Fix
5206038 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Copy link
Contributor Author

tolusha commented Oct 9, 2020

It is turned out that changing annotations does not restart pods.
I've to return to env variables.

@tolusha
Fiex
f6db2a6 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Revert cr.yaml
9cf64d1 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Copy link
Contributor Author

tolusha commented Oct 9, 2020

@davidfestal
It is ready to review again

davidfestal
davidfestal reviewed Oct 12, 2020
View reviewed changes
pkg/deploy/identity-provider/identity_provider.go Show resolved Hide resolved
pkg/deploy/server/deployment_che.go Outdated Show resolved Hide resolved
pkg/deploy/identity-provider/deployment_keycloak.go Outdated Show resolved Hide resolved
pkg/controller/che/che_controller.go Outdated Show resolved Hide resolved
pkg/controller/che/che_controller.go Outdated Show resolved Hide resolved
pkg/deploy/identity-provider/deployment_keycloak.go Outdated Show resolved Hide resolved
@tolusha
Fix remarks
67e7e54 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Copy link
Contributor Author

tolusha commented Oct 12, 2020

@davidfestal
All comments are addressed.

@tolusha
revert go.mod go.sum
60be304 
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@openshift-ci-robot
Copy link

@tolusha: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/v5-che-operator-update 60be304 link /test v5-che-operator-update

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

davidfestal
davidfestal approved these changes Oct 13, 2020
View reviewed changes
Copy link
Contributor

@davidfestal davidfestal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great that now we won't have to rollout any POD manually after adding certificates.

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: davidfestal, tolusha
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tolusha
Copy link
Contributor Author

tolusha commented Oct 13, 2020

@davidfestal
I am going to port changes into 7.20.x branch to have this feature done for crw 2.5

@tolusha tolusha merged commit 47a01d7 into master Oct 13, 2020
@tolusha tolusha deleted the updatedeploymentswhencacertupdated branch October 13, 2020 11:04
tolusha added a commit that referenced this pull request Oct 13, 2020
@tolusha
Automatically propagate ca-certs configmap content into server and id…
78e0dea 
…entity provider (#487)

* Automatically propagate serverTrustStoreConfigMap context to server and identity provider

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
This was referenced Oct 13, 2020
Closed
Merged
tolusha added a commit that referenced this pull request Oct 13, 2020
@tolusha
Automatically propagate ca-certs configmap content into server and id…
4954aec 
…entity provider (#487) (#493)

* Automatically propagate serverTrustStoreConfigMap context to server and identity provider

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@l0rd l0rd mentioned this pull request Oct 15, 2020
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndrienkoAleksandr AndrienkoAleksandr AndrienkoAleksandr left review comments

@mmorhun mmorhun mmorhun left review comments

@davidfestal davidfestal davidfestal approved these changes

@nickboldt nickboldt Awaiting requested review from nickboldt

@vparfonov vparfonov Awaiting requested review from vparfonov

Assignees

@davidfestal davidfestal

Labels
lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@tolusha @openshift-ci-robot @davidfestal @AndrienkoAleksandr @mmorhun