K8s multiuser helm

dockerfiles/init/modules/che-kubernetes-helm/Chart.yaml

@@ -1,3 +1,10 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
 apiVersion: v1
 description: A Helm chart for deploying Che to Kubernetes
 name: che-kubernetes-helm

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/Chart.yaml

@@ -0,0 +1,11 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+description: A Helm chart for Keycloak, used by Che
+name: che-keycloak
+version: 1.0.0

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/deployment.yaml

@@ -0,0 +1,90 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: keycloak
+  name: keycloak
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        io.kompose.service: keycloak
+    spec:
+      initContainers:
+      - name: wait-for-postgres
+        image: alpine:3.5
+        command: ["sh", "-c", "apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      containers:
+      - env:
+        - name: POSTGRES_PORT_5432_TCP_ADDR
+          value: postgres
+        - name: POSTGRES_PORT_5432_TCP_PORT
+          value: "5432"
+        - name: POSTGRES_DATABASE
+          value: keycloak
+        - name: POSTGRES_USER
+          value: keycloak
+        - name: POSTGRES_PASSWORD
+          value: keycloak
+        - name: KEYCLOAK_USER
+          value: admin
+        - name: KEYCLOAK_PASSWORD
+          value: admin
+        - name: CHE_HOST
+          value: {{ template "cheHost" . }}
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        name: keycloak
+        livenessProbe:
+          failureThreshold: 11
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          tcpSocket:
+            port: 8080
+          timeoutSeconds: 30
+        readinessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: auth/js/keycloak.js
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 3
+          successThreshold: 1
+          timeoutSeconds: 1
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            memory: 1536Mi
+          requests:
+            memory: 1024Mi
+        volumeMounts:
+        - mountPath: /opt/jboss/keycloak/standalone/data
+          name: keycloak-data
+        - mountPath: /opt/jboss/keycloak/standalone/log
+          name: keycloak-log
+      restartPolicy: Always
+      volumes:
+      - name: keycloak-data
+        persistentVolumeClaim:
+          claimName: keycloak-data
+      - name: keycloak-log
+        persistentVolumeClaim:
+          claimName: keycloak-log
+  test: false
+status: {}

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/ingress.yaml

@@ -0,0 +1,42 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: keycloak-ingress
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
+{{- if .Values.global.tlsEnabled }}
+    kubernetes.io/tls-acme: "true"
+{{- else }}
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+spec:
+{{- if .Values.global.tlsEnabled }}
+  tls:
+  - hosts:
+    - {{ template "keycloakHost" . }}
+    secretName: keycloak-tls
+{{- end }}
+  rules:
+{{- if .Values.global.isHostBased }}
+  - host: {{ template "keycloakHost" . }}
+    http:
+      paths:
+      - path: /
+{{- else }}
+  - http:
+      paths:
+      - path: /auth/
+{{- end }}
+        backend:
+          serviceName: keycloak
+          servicePort: 5050
+

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-configure-job.yaml

@@ -0,0 +1,42 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keycloak-configure-job
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: wait-for-keycloak
+        image: alpine:3.5
+        command: ["sh", "-c", "apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for keycloak to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/keycloak`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      containers:
+      - name: keycloak-configure-job
+        image: {{ .Values.image }}
+        command: ["/scripts/keycloak_config.sh"]
+        env:
+          - name: HTTP_PROTOCOL
+{{- if .Values.global.tlsEnabled }}
+            value: "https"
+{{- else }}
+            value: "http"
+{{- end }}
+          - name: KC_HOST
+            value:  {{ template "keycloakHost" . }}
+          - name: CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD
+            value: {{ .Values.requireAdminPasswordChange | quote }}
+          - name: CHE_HOST
+            value: {{ template "cheHost" . }}
+      restartPolicy: Never
+  backoffLimit: 4

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-data-claim.yaml

@@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: keycloak-data
+  name: keycloak-data
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+status: {}

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/keycloak-log-claim.yaml

@@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: keycloak-log
+  name: keycloak-log
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+status: {}

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/service.yaml

@@ -0,0 +1,20 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: "keycloak"
+spec:
+  ports:
+  - name: "5050"
+    port: 5050
+    targetPort: 8080
+  selector:
+    io.kompose.service: keycloak
+status:
+  loadBalancer: {}

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/values.yaml

@@ -0,0 +1,13 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+# Default values for postgres.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image: eclipse/che-keycloak:nightly
+requireAdminPasswordChange: true

dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/Chart.yaml

@@ -0,0 +1,11 @@
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+
+apiVersion: v1
+description: A Helm chart for postgresql, used by Che and Keycloak
+name: che-postgres
+version: 1.0.0