Adding support for Keycloak admin secret and endpoint-watcher image configuration #18506

Merged
merged 4 commits into from
Dec 3, 2020

@cccs-eric cccs-eric commented Dec 1, 2020

What does this PR do?

Currently the only supported ways of configuring the admin user of Keycloak are:

  1. Set its username and password via helm values
  2. Leave the default admin:admin and mark them as to be changed at first login.

This PR is introducing a new way to inject the username and password using a Kubernetes secret, which makes this more secure than passing values in the clear in helm values. It is adding this new way and keeping the other ones also. To create a secret recognized by the chart, you would do the following:

```bash
kubectl --namespace ${NAMESPACE} create secret generic keycloak-admin-secret \
    --from-literal=user=admin \
    --from-literal=password=XXXXXX
```

and then in your values.yaml:

```yaml
che-keycloak:
  keycloakCredentialsSecret: "keycloak-admin-secret"
  #requireAdminPasswordChange: true
  #keycloakAdminUserName: admin
  #keycloakAdminUserPassword: admin
```

The PR also adds a new global value to configure quay.io/eclipse/che-endpoint-watcher:nightly image to something else, which is useful if you are using Che's helm charts from the repository and not from chectl. Otherwise, you cannot change the image and you are stuck with the nightly build.

How to test this PR?

In order to test this, you can create a Che deployment using its helm chart. You could also modify chectl to create a Kubernetes secret with the random password it generates and then --set che-keycloak.keycloakCredentialsSecret=keycloak-admin-secret. In my opinion, modifying chectl in this regard would be a good idea.

Added support to change endpoint-watcher image

Signed-off-by: Eric Ladouceur <eric.ladouceur@cyber.gc.ca>
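
One way to follow the secret-based setup from the PR description without putting the password on a command line, together with a lint that a values file no longer carries the cleartext password. This is an added example, not code from the PR or the Che project: the function names are hypothetical, and the key names (`user`, `password`, `keycloakCredentialsSecret`, `keycloakAdminUserPassword`) are those in the description, some of which a reviewer later changed, so the merged chart may differ.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR. Function names are hypothetical.

# Random admin password: 24 bytes from the kernel CSPRNG, base64-encoded.
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
  echo
}

# Print a Secret manifest with the `user` and `password` keys the PR describes.
# The password comes from stdin, so it stays out of argv and shell history.
render_admin_secret() {
  local ns="$1" name="$2" user="$3" password=""
  IFS= read -r password || true
  [ -n "$password" ] || { echo "empty password on stdin" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  user: $(printf '%s' "$user" | base64 | tr -d '\n')
  password: $(printf '%s' "$password" | base64 | tr -d '\n')
EOF
}

# Lint a values file: 1 = cleartext password still active,
# 2 = no secret reference, 0 = secret referenced and no cleartext password.
check_values() {
  local file="$1"
  if grep -Eq '^[[:space:]]*keycloakAdminUserPassword:[[:space:]]*[^[:space:]#]' "$file"; then
    echo "cleartext keycloakAdminUserPassword in $file" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*keycloakCredentialsSecret:[[:space:]]*"?[A-Za-z0-9.-]+' "$file"; then
    echo "no keycloakCredentialsSecret reference in $file" >&2
    return 2
  fi
  return 0
}

# Usage (needs cluster access):
#   gen_password | render_admin_secret "$NAMESPACE" keycloak-admin-secret admin | kubectl apply -f -
#   check_values values.yaml
```
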

che-bot commented Dec 1, 2020

Can one of the admins verify this patch?

@che-bot che-bot added status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. kind/enhancement A feature request - must adhere to the feature request template. labels Dec 1, 2020
Signed-off-by: Eric Ladouceur <eric.ladouceur@cyber.gc.ca>

@tolusha tolusha left a comment

Thank you for the contribution.
I've changed some names to be consistent with the --installer operator approach.

@cccs-eric (Contributor Author)

> Thank you for the contribution.
> I've changed some names to be consistent with the --installer operator approach.

That's perfect and a good idea. I am not really familiar with the operator, so yes feel free to show the way 👍

Signed-off-by: Eric Ladouceur <eric.ladouceur@cyber.gc.ca>

Co-authored-by: Anatolii Bazko <abazko@redhat.com>

@tolusha tolusha left a comment

One small remark.

Signed-off-by: Eric Ladouceur <eric.ladouceur@cyber.gc.ca>

Co-authored-by: Anatolii Bazko <abazko@redhat.com>
@tolusha tolusha merged commit 17824f8 into eclipse-che:master Dec 3, 2020
@che-bot che-bot removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Dec 3, 2020