[RHSSO-1874] Fix the one-off JBoss CLI patch application mechanism

Split the actions currently performed by the 'eap' module, namely:

* Provision (setup) of the base EAP layer, and
* Possibility to apply EAP one-off patches

in two subsequent modules. This will allow:

1) To apply traditional one-off patches via jboss-cli.sh:

The patches won't need to follow the new Galleon patch format,
intended to be used at the moment of EAP slim server provisioning
via Galleon Maven distribution build.

2) To apply patches against both the EAP & RH-SSO layers:

The patches being applied only later (once the 'keycloak' layer
already is defined in the container image) enables to apply
not only one-offs for the JBoss EAP server, but also for the
RH-SSO server

Signed-off-by: Jan Lieskovsky <[email protected]>

Author: Jan Lieskovsky

image.yaml

@@ -94,26 +94,29 @@ modules:
             path: modules
 
       install:
-          # Define RH-SSO global variables & functions required by subsequent image modules.
+
+          # First define RH-SSO global variables & functions required by subsequent modules
           #
-          # IMPORTANT: This module needs to be included (sourced) in each of the following
-          #            modules using "sed -e" or "sed -i" expressions, where the regex pattern
-          #            or the replacement value is dynamic (coming from env var supplied to the
-          #            container image at runtime). See CIAM-1394 JIRA for details
+          # IMPORTANT: Include this module in each of the subsequent modules using some variable
+          #            or function definition from it
           - name: sso.rcfile
             version: '1.0'
+
+          # Setup nss_wrapper
           - name: sso.security.cve-2020-10695
             version: '1.0'
+
           # Install JDK runtime
           - name: sso-jdk
             version: &jdk_version '11'
-           # Perform all actions required by Wildfly / JBoss EAP Galleon Maven build
-           # See 'used-eap-modules-list.txt' for overview of used JBoss EAP modules,
-           # and the order they need to be called in
+
+          # Perform all actions required by Wildfly / JBoss EAP Galleon Maven build
+          # See 'used-eap-modules-list.txt' for overview of used JBoss EAP modules,
+          # and the order they need to be called in
           - name: eap
             version: '1.0'
 
-          ## RH-SSO product specific modules from modules/ path in this repository
+          # RH-SSO product specific modules from modules/ path in this repository
           - name: keycloak.openshift.clients
             version: '1.0'
           - name: sso.config.launch.setup.75
@@ -124,6 +127,12 @@ modules:
           - name: openshift-layer
           - name: keycloak-layer
 
+          # Apply any possibly needed EAP / RH-SSO patches
+          # Note: In order to properly manage also RH-SSO patches, this module
+          #       can only be called once the 'keycloak' layer was added
+          - name: sso.apply.patches
+            version: '1.0'
+
           # The extensions module can be called only after all updates to standalone-openshift.xml have been done.
           # See eg. https://access.redhat.com/solutions/3402171 for details how to use
           - name: sso-cli-extensions

modules/eap/install-eap-one-offs.sh

@@ -1,8 +1,10 @@
 schema_version: 1
 name: eap
-description: "Installs base EAP to the image."
+version: '1.0'
+description: Module to install base EAP layer to the RH-SSO container image
 
 # NOTE:
+#
 #   The former listing of all specific EAP modules to be included into the RH-SSO
 #   images was replaced with a single 'setup.eap.modules' CEKit module (therefore
 #   one new layer in the resulting built container image).
@@ -20,6 +22,7 @@ description: "Installs base EAP to the image."
 #   failed as a whole.
 #
 # IMPORTANT:
+#
 #   Do not change this approach!
 #
 #   If you need to add / list additional EAP module, not present yet, append the
@@ -36,30 +39,7 @@ description: "Installs base EAP to the image."
 #   the starting and ending comments, so the order in which the modules need
 #   to be included, is preserved and respected.
 
-version: '1.0'
-
 modules:
       install:
           - name: setup.eap.modules
             version: "1.0"
-
-execute:
-    - script: install-eap-one-offs.sh
-
-# Important:
-# ----------
-#
-# All EAP one-offs artifacts must be prefixed with "eap-one-off-" prefix and suffixed with in ".zip".
-# Ensure that only one-offs for the INSTALLED version of EAP are present, and comment all of them
-# that are obsoleted.
-#
-# For an example of proper / intended usage, see the "jbeap-18807.zip" example below.
-#
-# artifacts:
-#
-#      KEYCLOAK-13487 "jbeap-18807.zip" is obsolete in EAP-7.3.1 / RH-SSO 7.5.1, deprecate it
-#
-#      - md5: 1b6036cfcde2cf1dc05c2eb6eca228ff
-#        name: jbeap-18807.zip
-#        target: eap-one-off-jbeap-18807.zip
-#        url: http://$DOWNLOAD_SERVER/devel/candidates/JBSSO/JBSSO-7.5.0.CR2/jbeap-18807.zip

modules/eap/module.yaml

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+readonly SOURCES_DIR="/tmp/artifacts/"
+export JAVA_OPTS="${JAVA_OPTS} -Dorg.wildfly.patching.jar.invalidation=true"
+
+# Do not use for cycle, it would faile if no such files are found
+find "${SOURCES_DIR}" \( -name 'eap-one-off-*.zip' -o -name 'rh-sso-*.zip' \) | while read -r I; do
+    echo "Applying patch: '$I' ..."
+    "${JBOSS_HOME}"/bin/jboss-cli.sh --command="patch apply $I"
+done

modules/sso/apply/patches/apply-eap-rh-sso-one-off-patches.sh

@@ -0,0 +1,25 @@
+schema_version: 1
+name: sso.apply.patches
+version: '1.0'
+description: Module to apply any possibly needed EAP / RH-SSO one-off patches via jboss-cli.sh
+execute:
+- script: apply-eap-rh-sso-one-off-patches.sh
+
+# Note:
+#
+# All EAP one-offs artifacts must be prefixed with "eap-one-off-" prefix and suffixed with ".zip".
+# All RH-SSO patches must be prefixed with "rh-sso-" prefix and suffixed with ".zip".
+#
+# Ensure that only one-offs for the INSTALLED version of EAP / RH-SSO are present, and comment all
+# of them that are obsoleted.
+#
+# For an example of proper / intended usage, see the "jbeap-18807.zip" example below.
+#
+# artifacts:
+#
+#      KEYCLOAK-13487 "jbeap-18807.zip" is obsolete in EAP-7.3.1 / RH-SSO 7.5.1, deprecate it
+#
+#      - md5: 1b6036cfcde2cf1dc05c2eb6eca228ff
+#        name: jbeap-18807.zip
+#        target: eap-one-off-jbeap-18807.zip
+#        url: http://$DOWNLOAD_SERVER/devel/candidates/JBSSO/JBSSO-7.5.0.CR2/jbeap-18807.zip