rework

infrastructure/templates/apicurio.yaml

@@ -1,180 +1,16 @@
 apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    app: apicurio
-  name: apicurio-postgresql-data
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
----
-apiVersion: v1
 kind: Service
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    app: apicurio
-  name: apicurio-postgresql
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  ports:
-  - name: postgresql
-    port: 5432
-    protocol: TCP
-    targetPort: 5432
-  selector:
-    name: apicurio-postgresql
-  sessionAffinity: None
-  type: ClusterIP
----
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    app: apicurio
-  name: apicurio-postgresql
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  replicas: 1
-  selector:
-    name: apicurio-postgresql
-  strategy:
-    activeDeadlineSeconds: 21600
-    recreateParams:
-      timeoutSeconds: 600
-    resources: {}
-    type: Recreate
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        name: apicurio-postgresql
-    spec:
-      containers:
-      - env:
-        - name: POSTGRESQL_USER
-          value: apicurio
-        - name: POSTGRESQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: demo-seed
-              key: apicurio-database-password
-        - name: POSTGRESQL_DATABASE
-          value: apicurio
-        image: centos/postgresql-95-centos7
-        imagePullPolicy: Always
-        livenessProbe:
-          failureThreshold: 3
-          initialDelaySeconds: 30
-          periodSeconds: 10
-          successThreshold: 1
-          tcpSocket:
-            port: 5432
-          timeoutSeconds: 1
-        name: postgresql
-        ports:
-        - containerPort: 5432
-          protocol: TCP
-        readinessProbe:
-          exec:
-            command:
-            - /bin/sh
-            - -i
-            - -c
-            - psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c
-              'SELECT 1'
-          failureThreshold: 3
-          initialDelaySeconds: 5
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        resources:
-          limits:
-            memory: 512Mi
-        securityContext:
-          capabilities: {}
-          privileged: false
-        terminationMessagePath: /dev/termination-log
-        volumeMounts:
-        - mountPath: /var/lib/pgsql/data
-          name: postgresql-data
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
-      securityContext: {}
-      terminationGracePeriodSeconds: 30
-      volumes:
-      - name: postgresql-data
-        persistentVolumeClaim:
-          claimName: apicurio-postgresql-data
-  test: false
----
-apiVersion: image.openshift.io/v1
-kind: ImageStream
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "10"
-  name: apicurio-api
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  tags:
-  - from:
-      kind: DockerImage
-      name: apicurio/apicurio-studio-api:latest-release
-    importPolicy:
-      scheduled: true
-    name: latest-release
----
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  name: apicurio-ws
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  tags:
-  - from:
-      kind: DockerImage
-      name: apicurio/apicurio-studio-ws:latest-release
-    importPolicy:
-      scheduled: true
-    name: latest-release
----
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  name: apicurio-ui
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  tags:
-  - from:
-      kind: DockerImage
-      name: apicurio/apicurio-studio-ui:latest-release
-    importPolicy:
-      scheduled: true
-    name: latest-release
----
-apiVersion: v1
-kind: Service
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
   annotations:
     prometheus.io/path: /system/metrics
     prometheus.io/scrape: "true"
   labels:
-    app: apicurio-studio-api
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-api
+    app.kubernetes.io/instance: apicurio-studio-api
   name: apicurio-studio-api
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -191,12 +27,15 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   annotations:
     prometheus.io/path: /metrics
     prometheus.io/scrape: "true"
   labels:
-    app: apicurio-studio-ws
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ws
+    app.kubernetes.io/instance: apicurio-studio-ws
   name: apicurio-studio-ws
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -213,9 +52,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-ui
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ui
+    app.kubernetes.io/instance: apicurio-studio-ui
   name: apicurio-studio-ui
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -228,31 +70,31 @@ spec:
   sessionAffinity: None
   type: ClusterIP
 ---
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-api
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-api
+    app.kubernetes.io/instance: apicurio-studio-api
   name: apicurio-studio-api
   namespace: {{ .Values.projectName | quote }}
 spec:
   replicas: 1
   selector:
-    app: apicurio-studio-api
-    deploymentconfig: apicurio-studio-api
-  strategy:
-    activeDeadlineSeconds: 21600
-    recreateParams:
-      timeoutSeconds: 600
-    resources: {}
-    type: Recreate
+    matchLabels:
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-api
+      app.kubernetes.io/instance: apicurio-studio-api
   template:
     metadata:
       labels:
-        app: apicurio-studio-api
-        deploymentconfig: apicurio-studio-api
+        app.kubernetes.io/name: apicurio
+        app.kubernetes.io/component: apicurio-studio-api
+        app.kubernetes.io/instance: apicurio-studio-api
     spec:
       containers:
       - env:
@@ -263,7 +105,7 @@ spec:
         - name: APICURIO_DB_DRIVER_NAME
           value: postgresql
         - name: APICURIO_DB_CONNECTION_URL
-          value: jdbc:postgresql://apicurio-postgresql:5432/apicurio
+          value: jdbc:postgresql://postgresql-server:5432/apicurio
         - name: APICURIO_DB_TYPE
           value: postgresql9
         - name: APICURIO_DB_USER_NAME
@@ -277,7 +119,7 @@ spec:
           value: 512m
         - name: APICURIO_MAX_HEAP
           value: 1400m
-        image: api:latest-release
+        image: apicurio/apicurio-studio-api:latest-release
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -311,52 +153,40 @@ spec:
             cpu: 100m
             memory: 800Mi
         terminationMessagePath: /dev/termination-log
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
       terminationGracePeriodSeconds: 30
-  triggers:
-  - imageChangeParams:
-      automatic: true
-      containerNames:
-      - apicurio-studio-api
-      from:
-        kind: ImageStreamTag
-        name: apicurio-api:latest-release
-    type: ImageChange
-  - type: ConfigChange
 ---
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-ws
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ws
+    app.kubernetes.io/instance: apicurio-studio-ws
   name: apicurio-studio-ws
   namespace: {{ .Values.projectName | quote }}
 spec:
   replicas: 1
   selector:
-    app: apicurio-studio-ws
-    deploymentconfig: apicurio-studio-ws
-  strategy:
-    activeDeadlineSeconds: 21600
-    recreateParams:
-      timeoutSeconds: 600
-    resources: {}
-    type: Recreate
+    matchLabels:
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-ws
+      app.kubernetes.io/instance: apicurio-studio-ws
   template:
     metadata:
       labels:
-        app: apicurio-studio-ws
-        deploymentconfig: apicurio-studio-ws
+        app.kubernetes.io/name: apicurio
+        app.kubernetes.io/component: apicurio-studio-ws
+        app.kubernetes.io/instance: apicurio-studio-ws
     spec:
       containers:
       - env:
         - name: APICURIO_DB_DRIVER_NAME
           value: postgresql
         - name: APICURIO_DB_CONNECTION_URL
-          value: jdbc:postgresql://apicurio-postgresql:5432/apicurio
+          value: jdbc:postgresql://postgresql-server:5432/apicurio
         - name: APICURIO_DB_TYPE
           value: postgresql9
         - name: APICURIO_DB_USER_NAME
@@ -370,7 +200,7 @@ spec:
           value: 512m
         - name: APICURIO_MAX_HEAP
           value: 1400m
-        image: ws:latest-release
+        image: apicurio/apicurio-studio-ws:latest-release
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -404,45 +234,33 @@ spec:
             cpu: 100m
             memory: 900Mi
         terminationMessagePath: /dev/termination-log
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
       terminationGracePeriodSeconds: 30
-  triggers:
-  - imageChangeParams:
-      automatic: true
-      containerNames:
-      - apicurio-studio-ws
-      from:
-        kind: ImageStreamTag
-        name: apicurio-ws:latest-release
-    type: ImageChange
-  - type: ConfigChange
 ---
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-ui
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ui
+    app.kubernetes.io/instance: apicurio-studio-ui
   name: apicurio-studio-ui
   namespace: {{ .Values.projectName | quote }}
 spec:
   replicas: 1
   selector:
-    app: apicurio-studio-ui
-    deploymentconfig: apicurio-studio-ui
-  strategy:
-    activeDeadlineSeconds: 21600
-    recreateParams:
-      timeoutSeconds: 600
-    resources: {}
-    type: Recreate
+    matchLabels:
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-ui
+      app.kubernetes.io/instance: apicurio-studio-ui
   template:
     metadata:
       labels:
-        app: apicurio-studio-ui
-        deploymentconfig: apicurio-studio-ui
+        app.kubernetes.io/name: apicurio
+        app.kubernetes.io/component: apicurio-studio-ui
+        app.kubernetes.io/instance: apicurio-studio-ui
     spec:
       containers:
       - env:
@@ -460,7 +278,7 @@ spec:
           value: 512m
         - name: APICURIO_MAX_HEAP
           value: 1200m
-        image: ui:latest-release
+        image: apicurio/apicurio-studio-ui:latest-release
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -494,27 +312,18 @@ spec:
             cpu: 100m
             memory: 700Mi
         terminationMessagePath: /dev/termination-log
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
       terminationGracePeriodSeconds: 30
-  triggers:
-  - imageChangeParams:
-      automatic: true
-      containerNames:
-      - apicurio-studio-ui
-      from:
-        kind: ImageStreamTag
-        name: apicurio-ui:latest-release
-    type: ImageChange
-  - type: ConfigChange
 ---
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-api
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-api
+    app.kubernetes.io/instance: apicurio-studio-api
   name: apicurio-studio-api
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -532,9 +341,13 @@ apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-ws
+  labels:
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ws
+    app.kubernetes.io/instance: apicurio-studio-ws
   name: apicurio-studio-ws
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -552,9 +365,12 @@ apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    app: apicurio-studio-ui
+    app.kubernetes.io/name: apicurio
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/component: apicurio-studio-ui
+    app.kubernetes.io/instance: apicurio-studio-ui
   name: apicurio-studio-ui
   namespace: {{ .Values.projectName | quote }}
 spec:

infrastructure/templates/postgresql.yaml

@@ -0,0 +1,267 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql-config
+  namespace: {{ .Values.projectName | quote }}
+data:
+  ssl.conf: |
+    ssl = on
+    # The TLS certificate & key are generated using the OpenShift's service serving
+    # certificate secrets via corresponding annotation of the PostgreSQL service
+    # and stored into a read-only persistent volume, corresponding to the OpenShift
+    # secret.
+    #
+    # Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this
+    # repository, copies the generated TLS certificate & key to by current UID
+    # writable "/var/run/postgresql/pki" directory, so it's possible to correct
+    # the permissions of the TLS private key to mode required by PostgreSQL server
+    ssl_cert_file = '/var/run/postgresql/pki/tls.crt'                   # PostgreSQL server certificate
+    ssl_key_file  = '/var/run/postgresql/pki/tls.key'                   # PostgreSQL server private key
+    ssl_ca_file   = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'  # OpenShift CA
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql-prestart-hook
+  namespace: {{ .Values.projectName | quote }}
+data:
+  enable_ssl.sh: |
+    #!/usr/bin/env bash
+
+    set -eu
+
+    # Copy the TLS certificate & key generated by the OpenShift's service serving
+    # certificate secrets from "/etc/pki/postgresql" (which is mounted read-only,
+    # since coming from secret) to "/var/run/postgresql/pki", so it's possible to
+    # correct the permissions of the TLS private key as required below
+    SOURCE_DIR="/etc/pki/postgresql"
+    DESTINATION_DIR="/var/run/postgresql/pki"
+    if [ ! -d "${DESTINATION_DIR}" ]; then
+      mkdir -p "${DESTINATION_DIR}"
+    fi
+    cp "${SOURCE_DIR}"/tls.{crt,key} "${DESTINATION_DIR}"
+
+    # PostgreSQL will fail to start and throw an error like:
+    #
+    #   FATAL:  private key file "/path/to/key" has group or world access
+    #   File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
+    #
+    # if the permissions of the TLS private key are incorrect.
+    #
+    # Thus correct the permissions so PostgreSQL server can start successfully
+    chmod 0600 "${DESTINATION_DIR}/tls.key"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql-start-hook
+  namespace: {{ .Values.projectName | quote }}
+data:
+  create_db_user.sh: |
+    #!/usr/bin/env bash
+
+    for file in /var/run/demo-seed/*-database-password; do
+      filename="$(basename $file)"
+      user="${filename%-database-password}"
+      echo "Creating user $user..."
+      psql -q -c "CREATE USER \"$user\" WITH ENCRYPTED PASSWORD '$(cat $file)';" || true
+      echo "Creating database $user..."
+      psql -q -c "CREATE DATABASE \"$user\" OWNER \"$user\";" || true
+    done
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+    service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql-server
+  namespace: {{ .Values.projectName | quote }}
+spec:
+  ports:
+  - port: 5432
+    targetPort: 5432
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql
+  namespace: {{ .Values.projectName | quote }}
+spec:
+  clusterIP: None # Headless service
+  ports:
+  - port: 5432
+    targetPort: 5432
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql
+  namespace: {{ .Values.projectName | quote }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: postgresql-server
+      app.kubernetes.io/instance: postgresql-server
+  serviceName: "postgresql"
+  replicas: 1
+  minReadySeconds: 10
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/component: postgresql-server
+        app.kubernetes.io/instance: postgresql-server
+    spec:
+      terminationGracePeriodSeconds: 10
+      containers:
+      - env:
+        - name: POSTGRESQL_USER
+          value: admin
+        - name: POSTGRESQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: demo-seed
+              key: postgresql-admin-password
+        - name: POSTGRESQL_DATABASE
+          value: admin
+        - name: POSTGRESQL_MAX_CONNECTIONS
+        - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
+        - name: POSTGRESQL_SHARED_BUFFERS
+        image: registry.redhat.io/rhel8/postgresql-13:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          initialDelaySeconds: 90
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: 5432
+          timeoutSeconds: 10
+        name: postgresql-server
+        ports:
+        - containerPort: 5432
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -i
+            - -c
+            - PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE
+              -c 'SELECT 1'
+          failureThreshold: 3
+          periodSeconds: 10
+          initialDelaySeconds: 90
+          successThreshold: 1
+          timeoutSeconds: 10
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/lib/pgsql/data
+          name: postgresql-data
+        - mountPath: /etc/pki/postgresql
+          name: postgresql-ssl
+          readOnly: true
+        - mountPath: /opt/app-root/src/postgresql-cfg
+          name: postgresql-config
+          readOnly: true
+        - mountPath: /opt/app-root/src/postgresql-pre-start
+          name: postgresql-prestart-hook
+          readOnly: true
+        - mountPath: /opt/app-root/src/postgresql-start
+          name: postgresql-start-hook
+          readOnly: true
+        - mountPath: /var/run/demo-seed
+          name: demo-seed
+          readOnly: true
+      volumes:
+      - name: postgresql-data
+        persistentVolumeClaim:
+          claimName: postgresql-data
+      - name: postgresql-ssl
+        secret:
+          secretName: postgresql-ssl
+      - name: postgresql-config
+        configMap:
+          name: postgresql-config
+      - name: postgresql-prestart-hook
+        configMap:
+          name: postgresql-prestart-hook
+          defaultMode: 0755
+      - name: postgresql-start-hook
+        configMap:
+          name: postgresql-start-hook
+          defaultMode: 0755
+      - name: demo-seed
+        secret:
+          secretName: demo-seed
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/version: '13'
+    app.kubernetes.io/component: postgresql-server
+    app.kubernetes.io/instance: postgresql-server
+  name: postgresql-data
+  namespace: {{ .Values.projectName | quote }}
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/templates/project.yaml

@@ -29,6 +29,7 @@ metadata:
   namespace: {{ .Values.projectName | quote }}
 type: Opaque
 data:
+  postgresql-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) | b64enc | quote }}
   sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }}
   sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }}
   apicurio-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-apicurio-password")) | b64enc | quote }}

infrastructure/templates/sso.yaml

@@ -1,85 +1,14 @@
-kind: ImageStream
-apiVersion: image.openshift.io/v1
-metadata:
-  name: postgresql13-for-sso76-openshift-rhel8
-  creationTimestamp: null
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    openshift.io/display-name: PostgreSQL
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  lookupPolicy:
-    local: false
-  tags:
-  - name: 13-el8
-    annotations:
-      description: Provides a PostgreSQL 13 database on RHEL 8. For more information
-        about using this database image, including OpenShift considerations, see
-        https://github.com/sclorg/postgresql-container/blob/master/README.md.
-      iconClass: icon-postgresql
-      openshift.io/display-name: PostgreSQL 13 (RHEL 8)
-      openshift.io/provider-display-name: Red Hat, Inc.
-      tags: database,postgresql
-      version: '13'
-    from:
-      kind: DockerImage
-      name: registry.redhat.io/rhel8/postgresql-13:latest
-    generation: null
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-kind: ImageStream
-apiVersion: image.openshift.io/v1
-metadata:
-  name: sso76-openshift-rhel8
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    description: Red Hat Single Sign-On 7.6 on OpenJDK
-    openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK
-    openshift.io/provider-display-name: Red Hat, Inc.
-    version: 7.6.0.GA
-  namespace: {{ .Values.projectName | quote }}
-  labels:
-    rhsso: 7.6.0.GA
-spec:
-  tags:
-  - name: '7.6'
-    annotations:
-      description: Red Hat Single Sign-On 7.6 on OpenJDK image
-      iconClass: icon-sso
-      tags: sso,keycloak,redhat,hidden
-      supports: sso:7.6
-      version: '1.0'
-      openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK
-    referencePolicy:
-      type: Local
-    from:
-      kind: DockerImage
-      name: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6
-    importPolicy: {}
-  - annotations: null
-    importPolicy: {}	
-    name: latest
-    from:
-      kind: ImageStreamTag
-      name: '7.6'
-    referencePolicy:	
-      type: Source	
----
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    description: The web server's https port.
-    service.alpha.openshift.io/dependencies: '[{"name": "sso-postgresql", "kind":
-      "Service"}]'
+    argocd.argoproj.io/sync-wave: "10"
     service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret
   labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: keycloak
   name: sso
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -89,89 +18,17 @@ spec:
   selector:
     deploymentConfig: sso
 ---
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  labels:
-    application: sso-postgresql-ssl
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
-  name: sso-postgresql-ssl
-  namespace: {{ .Values.projectName | quote }}
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
----
-apiVersion: build.openshift.io/v1
-kind: BuildConfig
-metadata:
-  annotations:
-    description: Build config to extend the vanilla PostgreSQL SQL database server
-      container image with SSL/TLS support.
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
-  name: sso-postgresql-enable-ssl
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  output:
-    to:
-      kind: ImageStreamTag
-      name: sso-postgresql-ssl:latest
-  source:
-    contextDir: s2i/postgresql/enable-ssl
-    git:
-      ref: KEYCLOAK-15633
-      uri: https://github.com/iankko/redhat-sso-7-openshift-image
-    type: Git
-  strategy:
-    sourceStrategy:
-      env:
-      - name: ARTIFACT_DIR
-        value: ${ARTIFACT_DIR}
-      - name: MAVEN_ARGS_APPEND
-      forcePull: true
-      from:
-        kind: ImageStreamTag
-        name: postgresql13-for-sso76-openshift-rhel8:13-el8
-    type: Source
-  triggers:
-  - imageChange: {}
-    type: ImageChange
-  - type: ConfigChange
----
-apiVersion: v1
-kind: Service
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    description: The database server's port.
-    service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl-secret
-  labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
-  name: sso-postgresql
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  ports:
-  - port: 5432
-    targetPort: 5432
-  selector:
-    deploymentConfig: sso-postgresql
----
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    description: The JGroups ping port for clustering.
+    argocd.argoproj.io/sync-wave: "10"
     service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret
   labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: keycloak
   name: sso-ping
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -187,12 +44,12 @@ apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
-    description: Route for application's https service.
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: keycloak
   name: sso
   namespace: {{ .Values.projectName | quote }}
 spec:
@@ -203,29 +60,31 @@ spec:
     kind: Service
     name: sso
 ---
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "10"
   labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: keycloak
   name: sso
   namespace: {{ .Values.projectName | quote }}
 spec:
   replicas: 1
   selector:
-    deploymentConfig: sso
-  strategy:
-    type: Recreate
+    matchLabels:
+      app.kubernetes.io/name: sso
+      app.kubernetes.io/component: keycloak
+      app.kubernetes.io/instance: keycloak
   template:
     metadata:
       labels:
-        application: sso
-        deploymentConfig: sso
-      name: sso
+        app.kubernetes.io/name: sso
+        app.kubernetes.io/component: keycloak
+        app.kubernetes.io/instance: keycloak
     spec:
       containers:
       - env:
@@ -233,6 +92,10 @@ spec:
           value: {{ .Values.sso.hostname | quote }}
         - name: DB_SERVICE_PREFIX_MAPPING
           value: sso-postgresql=DB
+        - name: SSO_POSTGRESQL_SERVICE_HOST
+          value: postgresql-server
+        - name: SSO_POSTGRESQL_SERVICE_PORT
+          value: "5432"
         - name: DB_JNDI
           value: java:jboss/datasources/KeycloakDS
         - name: DB_USERNAME
@@ -269,7 +132,7 @@ spec:
         - name: SSO_REALM
         - name: SSO_SERVICE_USERNAME
         - name: SSO_SERVICE_PASSWORD
-        image: sso
+        image: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -318,7 +181,7 @@ spec:
         - mountPath: /etc/x509/jgroups
           name: sso-x509-jgroups-volume
           readOnly: true
-      terminationGracePeriodSeconds: 75
+      terminationGracePeriodSeconds: 30
       volumes:
       - name: sso-x509-https-volume
         secret:
@@ -326,124 +189,3 @@ spec:
       - name: sso-x509-jgroups-volume
         secret:
           secretName: sso-x509-jgroups-secret
-  triggers:
-  - imageChangeParams:
-      automatic: true
-      containerNames:
-      - sso
-      from:
-        kind: ImageStreamTag
-        name: sso76-openshift-rhel8:7.6
-    type: ImageChange
-  - type: ConfigChange
----
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
-  name: sso-postgresql
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  replicas: 1
-  selector:
-    deploymentConfig: sso-postgresql
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        application: sso
-        deploymentConfig: sso-postgresql
-      name: sso-postgresql
-    spec:
-      containers:
-      - env:
-        - name: POSTGRESQL_USER
-          value: sso
-        - name: POSTGRESQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: demo-seed
-              key: sso-database-password
-        - name: POSTGRESQL_DATABASE
-          value: sso
-        - name: POSTGRESQL_MAX_CONNECTIONS
-        - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
-        - name: POSTGRESQL_SHARED_BUFFERS
-        image: postgresql
-        imagePullPolicy: Always
-        livenessProbe:
-          failureThreshold: 3
-          initialDelaySeconds: 90
-          periodSeconds: 10
-          successThreshold: 1
-          tcpSocket:
-            port: 5432
-          timeoutSeconds: 10
-        name: sso-postgresql
-        ports:
-        - containerPort: 5432
-          protocol: TCP
-        readinessProbe:
-          exec:
-            command:
-            - /bin/sh
-            - -i
-            - -c
-            - PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE
-              -c 'SELECT 1'
-          failureThreshold: 3
-          periodSeconds: 10
-          initialDelaySeconds: 90
-          successThreshold: 1
-          timeoutSeconds: 10
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        volumeMounts:
-        - mountPath: /var/lib/pgsql/data
-          name: sso-postgresql-pvol
-        - mountPath: /etc/pki/postgresql
-          name: postgresql-ssl-volume
-          readOnly: true
-      terminationGracePeriodSeconds: 60
-      volumes:
-      - name: sso-postgresql-pvol
-        persistentVolumeClaim:
-          claimName: sso-postgresql-claim
-      - name: postgresql-ssl-volume
-        secret:
-          secretName: postgresql-ssl-secret
-  triggers:
-  - imageChangeParams:
-      automatic: true
-      containerNames:
-      - sso-postgresql
-      from:
-        kind: ImageStreamTag
-        name: sso-postgresql-ssl:latest
-    type: ImageChange
-  - type: ConfigChange
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-wave: "5"
-  labels:
-    application: sso
-    rhsso: 7.6.0.GA
-    template: sso76-x509-postgresql-persistent
-  name: sso-postgresql-claim
-  namespace: {{ .Values.projectName | quote }}
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi