[Keycloak] Fix bugs on the docker image.

[monaka]

What does this PR do?

Fix the container image for Keycloak to use Postgres instead of H2.

What issues does this PR fix or reference?

Release Notes

Docs PR

[riuvshin]

Can one of the admins verify this patch?

[riuvshin]

Can one of the admins verify this patch?

[riuvshin]

Can one of the admins verify this patch?

[monaka]

I've just tested on Helm. I guess there have the similar issue on another runtimes. But I didn't touch them as I'm not familiar with them.

[monaka]

I believe this patch itself is sane. But I encountered the another issue around authentication with Che.
I suspect there doesn't have json.erb files required by Che in the Keycloak image.
Which is better, a or b?

(a) I send the additional PR after closed this as they are separated issues.
(b) I push additional patches to his PR because the aim of this PR is to fix deployment failure.

[skabashnyuk]

@monaka can you explain how changes you've made related to the topic of this pr? Especially commented lines in kc_realm_user.sh

[monaka]

@skabashnyuk The current image doesn't contain /scripts/*.json.erb. So kc_realm_user.sh generates empty /scripts/*.json.erb. Empty JSONs cause Keycloak with Postgres crash. This is a reason why I commented out.

But actually, it should contain /scripts/*.json.erb. Che can't use Keycloak as the realm for Che will be set up by them.

This is a point I commented above. This PR itself is sane. But some additional patches will be required for complete works.

[monaka]

Let me change the title and the aim for this PR. As I tweeted, I managed to run Che on AKS (managed vanilla Kubernetes). I'm going to add some more patches to here.

[skabashnyuk]

@monaka can you please update the description of this pr with such information:

• What do you want to do?
• On wich environment? Docker, OpenShift, Kubernetes?
• Which version of infrastructure?
• Which version of Che?
• What issues do you have with current codebase? Traces, logs?

[monaka]

What do you want to do?

Enable to run Che on vanilla K8s clusters.

On wich environment? Docker, OpenShift, Kubernetes?

Kubernetes.
(Possibly Docker doesn't. Because it will use init container for bootstrapping.)

Which version of infrastructure?

Azure AKS 1.11.3.
But the issue will be reproduced all versions of K8s based infrastructure.

Which version of Che?

master branch, nightly builds.

What issues do you have with current codebase? Traces, logs?

• I can't see any tables in keycloak database on Postgres container.
• I can't see any tables in H2 for the che realm.

After fixing above,

• There is no content for the custom login page.

[monaka]

Currently, /opt/jboss/keycloak/bin/standalone.sh is called directly on bootstrapping.
But it is required to use /opt/jboss/docker-entrypoint.sh if we want to use external DB.

[ghost]

@monaka thanks for fixing it. However, I do not understand why you copied jsons? it's ok to use them from where they are

[monaka]

Indeed it's not good to put same files into different places. But I couldn't resolve how to access JSONs in init container from che-keycloak. I'm afraid my patches cause side effects to Openshift and Docker deployments, even though it might be resolved by some tricky patches to init.

[ghost]

@monaka it is ok to reuse jsons from init.

Just changing start script in the entrypoint should be enough, and you did that already

[monaka]

@eivantsov Who setups the realm for Che?

[ghost]

@monaka it happens in the entrypoint

[monaka]

Yes. In addition to patches here, we must add the patch to depoyment/keycloak like this.
I'm not sure I'm not familiar with Openshift. But I think this issue will be reproduced on it.

        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: DB_VENDOR
          value: POSTGRES

[musienko-maxim]

Can one of the admins verify this PR?

[monaka]

I close this as it have not been updated.