keycloak image init containers shouldn't do post-install stuff #13870

Closed
benoitf opened this issue Jul 16, 2019 · 17 comments
Labels
kind/bug Outline of a bug - must adhere to the bug report template. severity/blocker Causes system to crash and be non-recoverable or prevents Che developers from working on Che code.
benoitf (Contributor) commented Jul 16, 2019

Describe the bug

che-keycloak wait-for-postgres init container is doing

apk --no-update add curl jq

and with a limited set of permissions it is not working, but in any case the image should already contain the binaries, not download them.

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

Init Containers:
  wait-for-postgres:
    Container ID:  docker://2aa46976f8727946c607aeae0445dd3b32b4a9a1a8da9137d2f4812518361c3f
    Image:         alpine:3.5
    Image ID:      docker-pullable://alpine@sha256:66952b313e51c3bd1987d7c4ddf5dba9bc0fb6e524eed2448fa660246b3e76ec
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -c
      apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r ".subsets[]?.addresses // [] | length"`; done;
    State:          Running
      Started:      Tue, 16 Jul 2019 16:32:39 +0200
    Ready:          False
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  che (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from che-keycloak-token-7cwz9 (ro)

$ docker run --user "1000:0" --entrypoint sh -it alpine:3.5
/ $ apk --no-cache add curl jq
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
/ $ id
uid=1000 gid=0(root)

reported through
#13838

Expected behavior

No error, but I'm expecting that jq and curl are already in the Docker image (no post-install of these dependencies), so there is no permission issue.

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Installation method

  • chectl
  • che-operator
  • minishift-addon
  • I don't know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • other: please specify
@benoitf benoitf added the kind/bug Outline of a bug - must adhere to the bug report template. label Jul 16, 2019
@l0rd l0rd added this to the 7.0.0 milestone Jul 16, 2019
@l0rd l0rd added severity/blocker Causes system to crash and be non-recoverable or prevents Che developers from working on Che code. team/platform labels Jul 16, 2019
benoitf (Contributor, Author) commented Jul 16, 2019

Using this in helm/che/custom-charts/che-keycloak/templates/deployment.yaml:

    spec:
      initContainers:
      - name: wait-for-postgres
        image: everpeace/curl-jq
        command: ["sh", "-c", "adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]

che-postgres has the same commands, so the init container there probably needs to be updated as well, even if permissions are OK.

It was OK (no apk install command and use of another image than alpine),
but well, it's not exactly an official image :-)
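The readiness poll from the init container command above, as an added example (not code from the Che project or from this thread) rewritten in Python so it can be tested without curl, jq, or a cluster: the HTTP fetch is passed in as a callable and the API responses are constructed samples. It also generalises the jq filter by summing addresses across all subsets rather than emitting one number per subset.

```python
import json
import time
from typing import Callable, Optional


def ready_address_count(endpoints_obj: dict) -> int:
    """Count ready addresses in a Kubernetes Endpoints object.

    Mirrors `.subsets[]?.addresses // [] | length`: missing/null `subsets` or a
    subset without `addresses` counts as zero and `notReadyAddresses` are
    ignored. Unlike jq (one number per subset), this sums across all subsets.
    """
    subsets = endpoints_obj.get("subsets") or []
    return sum(len(subset.get("addresses") or []) for subset in subsets)


def wait_for_endpoint(fetch: Callable[[], str], max_attempts: int,
                      sleep: Callable[[float], None] = time.sleep,
                      interval: float = 2.0) -> Optional[int]:
    """Poll fetch() (Endpoints JSON body) until an address is ready; return the
    poll count, or None if max_attempts ran out. Invalid JSON (e.g. an API
    error page) counts as "not ready yet" instead of crashing the container."""
    for attempt in range(1, max_attempts + 1):
        try:
            body = json.loads(fetch())
        except ValueError:
            body = {}
        if isinstance(body, dict) and ready_address_count(body) > 0:
            return attempt
        sleep(interval)
    return None


# Constructed sample API responses (not captured from a real cluster).
SAMPLE_RESPONSES = [
    '{"kind":"Status","status":"Failure","code":404}',  # Service not created yet
    '{"kind":"Endpoints","subsets":[]}',                 # Service exists, no pods
    '{"kind":"Endpoints","subsets":[{"notReadyAddresses":[{"ip":"10.0.0.5"}]}]}',
    '{"kind":"Endpoints","subsets":[{"addresses":[{"ip":"10.0.0.5"}]}]}',
]


def demo() -> Optional[int]:
    """Run the poll against the constructed responses without sleeping."""
    it = iter(SAMPLE_RESPONSES)
    return wait_for_endpoint(lambda: next(it), max_attempts=10, sleep=lambda s: None)
```

Because the poll needs nothing beyond an HTTP client and a JSON parser, an image that ships them at build time lets the init container run as an unprivileged user with no package manager writes at startup.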

l0rd (Contributor) commented Jul 17, 2019

This issue is a cleaned up version of #13838
cc @SDAdham

@skabashnyuk skabashnyuk added severity/P1 Has a major impact to usage or development of the system. and removed severity/P1 Has a major impact to usage or development of the system. labels Jul 18, 2019
SDAdham commented Jul 18, 2019

Thanks @l0rd

mshaposhnik (Contributor) commented

Any proposals for the image name? Besides the obvious che-init?

benoitf (Contributor, Author) commented Jul 18, 2019

che-wait-for-postgres

mshaposhnik (Contributor) commented

It is used for waiting for both KK and postgres, so a more universal name is needed.

benoitf (Contributor, Author) commented Jul 18, 2019

che-wait-endpoint ?

SDAdham commented Jul 18, 2019

Btw, you might want to also consider the wait-for-keycloak container; there are 3 containers in total that need the change.

2 of them are in yamls; the third one I don't know where it is, and I can only change it at run time. My best guess: it's not a yaml file.

I tried your suggested image @benoitf and it works like a charm on my side.

Here are the 2 yamls in total that I found need to be edited:

  • custom-charts/che-keycloak/templates/deployment.yaml
  • templates/deployment.yaml

Here, I just did another deployment to get the container whose image I can't find to update from the yamls:

HTH

l0rd (Contributor) commented Jul 18, 2019

@mshaposhnik @benoitf other naming ideas: che-bootstrap-watcher / che-endpoint-watcher?

mshaposhnik (Contributor) commented

CI job is set, image is built and seems to be working OK now.

SDAdham commented Jul 25, 2019

I'm not sure if this issue is completely fixed. I am getting "Error: found in requirements.yaml, but missing in charts/ directory: che-devfile-registry, che-plugin-registry, che-postgres, che-keycloak, che-jaeger, prometheus, grafana" after cloning the master branch.

skabashnyuk (Contributor) commented

@SDAdham that is strange. Could you please make sure you are using the latest version of chectl and try again? If the error still appears, it makes sense to create a separate issue.

SDAdham commented Jul 25, 2019

@skabashnyuk I am using helm upgrade --install che --namespace dev -f ./values/tls.yaml --set global.ingressDomain=che.domain.com,global.cheDomain=che.domain.com ./

SDAdham commented Jul 25, 2019

@skabashnyuk: chectl result:

  ❯ ✅  Post installation checklist
    ❯ PostgreSQL pod bootstrap
      ✔ scheduling...done.
      ✖ downloading images
        → ERR_TIMEOUT: Timeout set to pod wait timeout 300000
      starting
    Keycloak pod bootstrap
    Devfile registry pod bootstrap
    Plugin registry pod bootstrap
    Che pod bootstrap
    Retrieving Che Server URL
    Che status check
  Error: ERR_TIMEOUT: Timeout set to pod wait timeout 300000
    at KubeHelper.<anonymous> (/snapshot/chectl/lib/api/kube.js:0:0)
    at Generator.next (<anonymous>)
    at fulfilled (/snapshot/chectl/node_modules/tslib/tslib.js:107:62)


Here are the pods

che    che-5766bc4897-2xw97                0/1     Init:0/2    0    5m56s
che    devfile-registry-549b9bbd5b-42qjh   1/1     Running     0    5m57s
che    keycloak-8667f484c9-sf5qx           0/1     Pending     0    5m56s
che    plugin-registry-75478b67dd-tbzdw    1/1     Running     0    5m56s
che    postgres-644b749668-wvv2v           0/1     Pending     0    5m56s


SDAdham commented Jul 25, 2019

Actually, please ignore my previous comment. Is there any chance that we can have standardized PVs?

I just realized that I needed to create more PVs

skabashnyuk (Contributor) commented

@SDAdham could you please create a new issue. It would be much easier for me to organize work and help you.

SDAdham commented Jul 28, 2019

Sure, thanks @skabashnyuk. I created 1 improvement and 1 issue: #14051 and #14050.
