Use templates only to deploy Che to OpenShift

[ghost]

The purpose of this PR is to:

1. Eventually get rid of deployment scripts to avoid deployment complexity
2. Use OpenShift way of creating objects when user input is required

What is done

1. OpenShift templates and other objects are introduced
2. All env vars are parameterized and a user can provide own values
3. Readme answers some questions and covers deployment of all Che flavors in all possible configurations.

Why not a single template?

There's no universal template that will fit all use cases. It will be easier to use upstream che-server template for those who depend on it.

Is it tested?

Yes. MiniShift and OSO. Both single and multi user. http and https

Will existing scripts go away?

Eventually, yes. But not immediately. As soon as those who depend on current deployment scripts are ready to migrate, scripts will be deleted.

Does Che deployment have all envs as parameters?

No, only those that make sense at a first glance. Further PRs are welcome.

Will these changes break CI tests?

Even though there are changes in eclipse/che-keycloak Dockerfile, a different entrypoint script is used in Keycloak deployment. So, both deployment script and templates works well, even though they use the same images.

What about Keycloak configuration pod?

Master and Che realm, as well as admin user for Keycloak and Che are created in keycloak image entrypoint.

Will docs be provided?

There's README.md to start with, but eventually docs will be updated to reference template based deployment method.

How to test?

Follow instructions in README. Use eivantsov/keycloak as Keycloak image for Keycloak deployment:

oc process -f multi/keycloak-template.yaml -p ROUTING_SUFFIX=$(minishift ip).nip.io -p IMAGE_KEYCLOAK=eivantsov/keycloak | oc apply -f -

[sleshchenko]

Actually, PVC is used by Single-User Che to store H2 Database file. Please, add a note that without PVC Single-User Che will lose all data after Pod restarting.

[ghost]

Good point will do. For single user PVC is created by default - this is what I suggest in an example command.

But once again - good point.

[ghost]

Fixed

[sleshchenko]

Why doesn't this parameter have value? It makes sense to configure it for multi-cluster mode (When Che Server is started on one OS cluster while Workspace are created on another one)

[ghost]

Fixed

[sleshchenko]

Please add a variable here. It makes sense to configure it. On newest OpenShift instances it may be disabled, and workspace start may speed up.

[ghost]

Fixed

[sleshchenko]

Why OPENSHIFT_USERNAME, OPENSHIFT_PASSWORD but TOKEN? Maybe it would be better to name them in the same way.

[ghost]

Fixed

[sleshchenko]

It makes sense to place CHE_INFRA_KUBERNETES_PASSWORD and CHE_INFRA_KUBERNETES_USERNAME together.

[ghost]

Fixed

[sleshchenko]

How can it be configured if there is no specified value?

[ghost]

Fixed

[sleshchenko]

Are you sure that it makes sense to specify status here?

[ghost]

Removed

[sleshchenko]

Why do we need it?

[ghost]

Removed

[sleshchenko]

Where is it removed? I still see few creationTimestamp fields in this template. Do I have an issue with browser cache?

[riuvshin]

is that mandatory change? :)

[ghost]

New line?

[ghost]

Fixed

[benoitf]

maybe we could add which command will list parameters for a given template ?

$ oc process --parameters -f <filename>

[garagatyi]

+1

[ghost]

Added a note in readme

[benoitf]

FYI sometimes Che is written che sometimes Che

[benoitf]

is there any word expected after and set ?

[ghost]

Fixed

[benoitf]

like https here have spaces around

[ghost]

Fixed

[benoitf]

could WS_PROTOCOL/TLS be automatically computed based on the fact that it's https ?

[ghost]

I wish a template can handle some ifs. I failed to find a good universal solution. Any help is appreciated.

[l0rd]

Instead oc process -f <template> | oc apply -f - you could use a single command oc new-app -f <template> .... .

Besides the fact that it's a single command oc new-app has an option to add applications env vars even if these were not defined in the template: -e ENV_VAR_KEY=ENV_VAR_VALUE (c.f. oc new-app reference). That may be useful for our use cases.

[ghost]

Good point. Examples updated

[garagatyi]

It would be useful to have a command to get this value if there is a command for that.

[ghost]

I wish I knew such a command :)

[benoitf]

could we create a dummy service then we got the default routing suffix and then we can display/reuse it ?

[ghost]

Not sure I understand. Dummy service for what?

[benoitf]

@eivantsov If I create a dummy application on openshift like nginx app and I create a service nginx and expose port 80, openshift will provide me an URL. From this URL I can guess the "routing suffix" so user has a way to find it (through a command that can try to create app, create service and route and then display the url and delete project)

It's just to have a way to provide to users "hey we can give you some hints around this routing suffix"

[ghost]

A lame workaround may be updating Che dc after routes for Che and Keycloak are created. This will add complexity to commands, but this way, no input is required from a user

[benoitf]

in my approach, it was a way to see what the route could be.
in your approach, we create using defaults, grab values and update again.

in both case it would help "newcomers" so I'm fine.

[ghost]

Added a sub-section on How to get routing suffix.

[garagatyi]

Interestingly oc process supports golang templates with -t option and looks like they support if clauses https://golang.org/pkg/text/template/
With this approach, we would have something similar to helm I suppose.

[garagatyi]

I would suggest using set before applying template

[ghost]

We don't have dc/che at that point. I need to create Che deploymentConfig and then set volume for it.

The spec says oc set volumes RESOURCE/NAME --add|--remove|--list [options] so I need an object to modify, while process just produces output.

[garagatyi]

I would put this section somewhere in the end - more advanced stuff

[garagatyi]

Looks like step with creation of the project is missing here

[ghost]

Fixed

[garagatyi]

Looks like it is not.

[ghost]

I can see it

[garagatyi]

Looks like ports are declared twice

[ghost]

FIxed

[garagatyi]

Is it needed?

[garagatyi]

Is it needed?

[garagatyi]

Is it needed?

[garagatyi]

Is it needed?

[garagatyi]

Is it needed?

[garagatyi]

Is it needed?

[gorkem]

Do we want to retire the minishift add-on eventually as well? @l0rd @eivantsov

[ghost]

@gorkem good question. That's two sets of yamls to maintain. Though from user's perspective, applying an addon is somewhat easier.

I tried to craft a simple CLI that deploys to MiniShift and OCP https://github.com/eivantsov/che-cli, lame code but works well, and all a user needs to do is:

oc login
oc new-project che
./eclipse-che deploy

to deploy to MiniShift. Works with OSO Pro too. I know Florent has some rust cli too.

Maybe we should look in this direction and start with an OpenShift CLI that will make it easy to deploy to any OpenShift cluster?

[l0rd]

@gorkem that's a good point. A copy of these yaml files should be in rh-che repo too. So there will be 3 copies in 3 different repositories. Even if we retire the minishift addon we will still have the problem with rh-che. What about moving the yaml in a distinct github repository and referring to this repository? Then yaml could be versioned and published on maven central as part of the build. In this case the deployment scripts (and minishift addons) should download the yaml from the maven central as part of the deployment.

[ghost]

@l0rd can't rh use templates for upsteam repo?

[l0rd]

@l0rd can't rh use templates for upsteam repo?

How? I mean we could add instructions for rh-che developers to clone upstream repo and use these yaml but that's not ideal. And the second problem is that the openshift.io CI/CD is not so flexible. Currently that's how rh-che deployment config for osio is specified.

[ghost]

@l0rd yes, agree.. Even now, for multi user setup a user will have to git clone Che to get all yamls. Having them versioned and packaged as tar.gz is a very good idea.

[benoitf]

@l0rd could we just add a pom.xml on these upstream templates so that they could be published on m2 repository ?

[ghost]

@benoitf do you mean maven central or Che nexus?

[benoitf]

@eivantsov if #6444 is done it should be maven central as well :-)

[garagatyi]

@benoitf 👍 Yeah, we don't really need an additional repo to publish the artifact

[l0rd]

@eivantsov this PR looks like Penelope's shroud :-) What is missing to merge it? I am asking because I have opened a similar PR and I am waiting impatiently for this one to be merged.

[ghost]

@l0rd thanks for your patience and a wonderful metaphor. I have been waiting for all interested parties to have their say on templates themselves, cross platform cli that deploys to all infras and related stuff. Besides, I have introduced some changes to ocp.sh that QE uses to run daily tests, and while testing discovered a bug where PVCs were not deleted upon workspace deletion if workspace objects are created in a shared dedicated namespace (#9431) (default behavior in new templates).

Now that that QA tests show no regression , with a light heart, I merge this PR. Thanks for all suggestions and helpful remarks - they did help make templates and deployment docs better.

P.S. Old scripts and deployment yamls will stay here for a while and will be deleted in a separate PR.

Related docs PR: eclipse-che/che-docs#391