Change rhsso from script to kubernetes job

base/rhsso/deploy-rhsso-job.yaml

@@ -0,0 +1,51 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: deploy-rhsso-operator
+spec:
+  template:
+    spec:
+      serviceAccountName: deploy-rhsso-operator
+      containers:
+        - name: deploy-rhsso-operator
+          image: docker.io/bitnami/kubectl:latest
+          command: ["/bin/bash", "-cx"]
+          args: ["./deploy-rhsso.sh"]
+          volumeMounts:
+            - name: rhsso-operator-resources
+              mountPath: deploy-rhsso.sh
+              subPath: deploy-rhsso.sh
+            - name: rhsso-operator-resources
+              mountPath: resources/sso-keycloak.yaml
+              subPath: sso-keycloak.yaml
+            - name: rhsso-operator-resources
+              mountPath: resources/keycloak-subscription.yaml
+              subPath: keycloak-subscription.yaml
+            - name: rhsso-operator-resources
+              mountPath: resources/no-ssl-sso-service.yaml
+              subPath: no-ssl-sso-service.yaml
+            - name: rhsso-operator-resources
+              mountPath: resources/no-ssl-sso-route.yaml
+              subPath: no-ssl-sso-route.yaml
+            - name: rhsso-operator-resources
+              mountPath: resources/operator-group.yaml.tpl
+              subPath: operator-group.yaml.tpl
+      volumes:
+        - name: rhsso-operator-resources
+          configMap:
+            name: rhsso-operator-resources
+            items:
+              - key: deploy-rhsso.sh
+                mode: 0750
+                path: deploy-rhsso.sh
+              - key: sso-keycloak.yaml
+                path: sso-keycloak.yaml
+              - key: keycloak-subscription.yaml
+                path: keycloak-subscription.yaml
+              - key: no-ssl-sso-service.yaml
+                path: no-ssl-sso-service.yaml
+              - key: no-ssl-sso-route.yaml
+                path: no-ssl-sso-route.yaml
+              - key: operator-group.yaml.tpl
+                path: operator-group.yaml.tpl
+      restartPolicy: Never

base/rhsso/deploy-rhsso.sh

@@ -4,29 +4,42 @@ set -exuo pipefail
 command -v envsubst
 
 TIMEOUT_TIME="${TIMEOUT_TIME:=125}"
-FILE_ROOT="${BASH_SOURCE%/*}"
+CTL="${CTL:=kubectl}"
+RESOURCES="${BASH_SOURCE%/*}"/resources
 
 NAMESPACE="${NAMESPACE:=tools}"
 ADMIN_USERNAME="${ADMIN_USERNAME:="admin"}"
-ADMIN_PASSWORD="${ADMIN_PASSWORD:="admin"}"
 
-export NAMESPACE ADMIN_PASSWORD ADMIN_USERNAME
+export NAMESPACE ADMIN_USERNAME
 
-function deployRHSSO {
-  <"${FILE_ROOT}"/operator-group.yaml.tpl envsubst | oc apply -n "${NAMESPACE}" -f -
-  oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/keycloak-subscription.yaml
-  oc wait -n "${NAMESPACE}" --for=jsonpath=status.installPlanRef.name subscription rhsso-operator --timeout="$TIMEOUT_TIME"s
-  oc wait -n "${NAMESPACE}" --for=condition=Installed installplan --all --timeout="$TIMEOUT_TIME"s
+function set_kubectl_context {
+  $CTL config set-cluster ctx --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  $CTL config set-credentials user --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+  $CTL config set-context ctx --user=user --cluster=ctx
+  $CTL config use-context ctx
+}
+
+function deploy_rhsso {
+  <"${RESOURCES}"/operator-group.yaml.tpl envsubst | $CTL apply -n "${NAMESPACE}" -f -
+  $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/keycloak-subscription.yaml
+  $CTL wait -n "${NAMESPACE}" --for=jsonpath=status.installPlanRef.name subscription rhsso-operator --timeout="$TIMEOUT_TIME"s
+  $CTL wait -n "${NAMESPACE}" installplan "$($CTL get -n "${NAMESPACE}" subscription rhsso-operator -o=jsonpath='{.status.installPlanRef.name}')" --for=condition=Installed --timeout="$TIMEOUT_TIME"s
 
-  <"${FILE_ROOT}"/credential-sso-secret.yaml.tpl envsubst | oc apply -n "${NAMESPACE}" -f -
-  oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/sso-keycloak.yaml
-  oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/no-ssl-sso-service.yaml
-  oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/no-ssl-sso-route.yaml
+#   <"${RESOURCES}"/credential-sso-secret.yaml.tpl envsubst | $CTL apply -n "${NAMESPACE}" -f -
+  $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/sso-keycloak.yaml
+  $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/no-ssl-sso-service.yaml
+  $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/no-ssl-sso-route.yaml
 
-  timeout "$TIMEOUT_TIME" bash -c "oc get statefulset -w -n ${NAMESPACE} -o name | grep -qm1 '^statefulset.apps/keycloak$'"
-  oc rollout -n "${NAMESPACE}" status statefulset/keycloak --timeout="$TIMEOUT_TIME"s
+  timeout "$TIMEOUT_TIME" grep -qm1 '^statefulset.apps/keycloak$' <($CTL get statefulset -w -n "${NAMESPACE}" -o name)
+  $CTL rollout -n "${NAMESPACE}" status statefulset/keycloak --timeout="$TIMEOUT_TIME"s
 
-  oc rsh -n "${NAMESPACE}" statefulset/keycloak bash -c "/opt/eap/bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user ${ADMIN_USERNAME} --password ${ADMIN_PASSWORD} --no-config"
+  ADMIN_PASSWORD="$($CTL get secret credential-sso -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d)"
+  $CTL exec --stdin --tty statefulset/keycloak -n "${NAMESPACE}" -- /bin/bash -c "/opt/eap/bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user ${ADMIN_USERNAME} --password ${ADMIN_PASSWORD} --no-config"
 }
 
-deployRHSSO
+if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+    NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
+    set_kubectl_context  # if running inside kubernetes pod
+fi
+
+deploy_rhsso

base/rhsso/kustomization.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  app: rhsso-operator-deployment
+
+resources:
+  - rbac.yaml
+  - deploy-rhsso-job.yaml
+
+configMapGenerator:
+  - name: keycloak-operator-resources
+    files:
+      - deploy-rhsso.sh
+      - resources/sso-keycloak.yaml
+      - resources/keycloak-subscription.yaml
+      - resources/no-ssl-sso-route.yaml
+      - resources/no-ssl-sso-service.yaml
+      - resources/operator-group.yaml.tpl

base/rhsso/rbac.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: deploy-rhsso-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: deploy-rhsso-operator-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: deploy-rhsso-operator

base/rhsso/sso-keycloak.yaml → base/rhsso/resources/sso-keycloak.yaml

@@ -6,6 +6,8 @@ metadata:
   labels:
     app: sso
 spec:
+  DisableDefaultServiceMonitor: true
   externalAccess:
     enabled: true
   instances: 1
+