CZERTAINLY-Core creates all necessary schemas and tables automatically. Keycloak needs a single schema, and it needs to be present before Keycloak starts; if it is not available, Keycloak crashes.
I've analyzed two approaches to prepare the schema if it is not available. The first one is using an initContainer; it is implemented in my fork of CZERTAINLY-Helm-Charts in the branch keycloak-schema. The problem is that there is no small container image containing just the psql command, at least not a well-maintained one. For the proof of concept I've used the image docker.io/3keycompany/czertainly-keycloak-optimized:develop-latest, which has psql present. This approach works, but I think that creating a complete container requires more resources than the second approach.
The second approach also depends on the image docker.io/3keycompany/czertainly-keycloak-optimized:develop-latest but uses a lifecycle.postStart hook. I think this consumes fewer resources than executing a complete container. Kubernetes doesn't guarantee that the lifecycle.postStart hook is executed before the main process of the container. In my experiments it managed a number of times to create the schema before Java started Keycloak.
Environment variables PG* are needed for the psql command line tool. I decided to rename the variables dbUsername and dbPassword to database_user/password in keycloak-internal-secret to be more consistent with pyadcs-connector-secret.yaml.
PL/pgSQL code is needed to ensure that the lifecycle.postStart hook doesn't crash in case the database user doesn't have permissions to create the schema. A database error is thrown even when the schema exists; it looks like permissions are evaluated before the conditional IF NOT EXISTS.
Please note that I've been testing with the image docker.io/3keycompany/czertainly-keycloak-optimized:develop-latest:
helm upgrade --namespace czertainly -i --reset-values --values=.../czertainly-values.local.yaml --set keycloakInternal.image.tag=develop-latest --wait --timeout 30m czertainly-tlm czertainly-2.11.0.tgz
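The schema-creation guard described in the PR, written out as an added PL/pgSQL example (this is not the pull request's own code); the schema name keycloak is an assumption:

```sql
-- Added example, not from the PR: idempotent schema bootstrap intended to be
-- run by psql from the lifecycle.postStart hook. 'keycloak' is an assumed name.
DO $$
DECLARE
  schema_to_create text := 'keycloak';
BEGIN
  -- Check the catalog first: CREATE SCHEMA IF NOT EXISTS still checks the
  -- CREATE privilege on the database, so it errors for an unprivileged role
  -- even when the schema is already present.
  IF EXISTS (SELECT 1 FROM pg_namespace WHERE nspname = schema_to_create) THEN
    RAISE NOTICE 'schema % already exists, nothing to do', schema_to_create;
    RETURN;
  END IF;

  -- %I quotes the identifier, so the name cannot be misparsed as SQL.
  EXECUTE format('CREATE SCHEMA %I', schema_to_create);
  RAISE NOTICE 'schema % created', schema_to_create;
EXCEPTION
  WHEN insufficient_privilege THEN
    -- Do not fail the hook (and with it the container); report so the operator
    -- can create the schema out of band before Keycloak needs it.
    RAISE WARNING 'role % may not create schema %: %',
      current_user, schema_to_create, SQLERRM;
END
$$;
```

Only the privilege error is swallowed; running this with psql -v ON_ERROR_STOP=1 still lets unrelated failures (bad credentials, unreachable database) surface in the pod events.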