Merge pull request #207 from iankko/KEYCLOAK-15633

[KEYCLOAK-15633] Add support for "${prefix}_CONNECTION_PROPERTY_*" for non-XA datasources too

Author: ASzc

modules/eap/setup/eap/modules/added/launch/datasource-common.sh

@@ -49,10 +49,16 @@ function clearDatasourceEnv() {
   unset ${prefix}_BACKGROUND_VALIDATION
   unset ${prefix}_BACKGROUND_VALIDATION_MILLIS
 
-  for xa_prop in $(compgen -v | grep -s "${prefix}_XA_CONNECTION_PROPERTY_"); do
-    unset ${xa_prop}
+### Start of RH-SSO add-on -- KEYCLOAK-15633:
+### -----------------------------------------
+### Remove / undefine also "${prefix}_CONNECTION_PROPERTY_*" env vars when
+### removing / undefining "${prefix}_XA_CONNECTION_PROPERTY_*" env vars
+  for property in $(compgen -v | grep -oPs "${prefix}(|_XA)_CONNECTION_PROPERTY_"); do
+    unset "${property}"
   done
 }
+### End of RH-SSO add-on
+### --------------------
 
 function clearDatasourcesEnv() {
   IFS=',' read -a db_backends <<< $DB_SERVICE_PREFIX_MAPPING
@@ -372,42 +378,99 @@ function generate_external_datasource() {
   fi
 }
 
+### Start of RH-SSO add-on -- KEYCLOAK-15633:
+### -----------------------------------------
+### Allow specification of datasource connection properties for:
+### 1) XA datasources via the DB_XA_CONNECTION_PROPERTY_<property_name> and
+### 2) Non-XA datasources via the DB_CONNECTION_PROPERTY_<property_name>
+###
+### environment variable(s) defined on the container image. The <property_name>
+### in the above expressions is the actual name of the connection property to
+### be set on the underlying datasource.
+###
+function inject_connection_properties_to_datasource_xml() {
+  local ds="${1}"
+
+  local failed="false"
+  local is_xa_ds="false"
+
+  if [[ "${ds}" =~ \<datasource[[:space:]].*$ ]]; then
+    local conn_prop_env_var="${prefix}_CONNECTION_PROPERTY_"
+    local conn_prop_xml_elem_name="connection-property"
+  elif [[ "${ds}" =~ \<xa-datasource[[:space:]].*$ ]]; then
+    local conn_prop_env_var="${prefix}_XA_CONNECTION_PROPERTY_"
+    local conn_prop_xml_elem_name="xa-datasource-property"
+    is_xa_ds="true"
+  else
+    log_warning "Unable to determine if '${ds}' datasource is a non-XA or XA one."
+    log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
+    failed="true"
+  fi
+
+  declare -ra conn_props=($(compgen -v | grep -s "${conn_prop_env_var}"))
+  if [ "${is_xa_ds}" == "true" ] && [ -z "${conn_props}" ]; then
+    log_warning "At least one ${prefix}_XA_CONNECTION_PROPERTY_property for datasource ${service_name} is required."
+    log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
+    failed="true"
+  fi
+
+  if [ "${failed}" != "true" ]; then
+    for property in "${conn_props[@]}"; do
+      prop_name=$(sed -e "s/${conn_prop_env_var}//g" <<< "${property}")
+      prop_value=$(find_env "${property}")
+      if [ ! -z "${prop_value}" ]; then
+          ds="${ds}
+               <${conn_prop_xml_elem_name} name=\"${prop_name}\">${prop_value}</${conn_prop_xml_elem_name}>"
+      fi
+    done
+  fi
+
+  # 'ds' value of empty string indicates an error occurred earlier
+  if [ "${failed}" == "true" ]; then
+    echo ""
+  else
+    echo "${ds}"
+  fi
+}
+### End of RH-SSO add-on
+### --------------------
+
 function generate_external_datasource_xml() {
+
+### Start of RH-SSO add-on -- KEYCLOAK-15633:
+### -----------------------------------------
+### Modify the 'generate_external_datasource_xml()' method to
+### allow specification of connection properties also for non-XA datasources
+
   local failed="false"
+  local ds_universal_attrs="jndi-name=\"${jndi_name}\" pool-name=\"${pool_name}\" enabled=\"true\" use-java-context=\"true\" statistics-enabled=\"\${wildfly.datasources.statistics-enabled:\${wildfly.statistics-enabled:false}}\""
 
   if [ -n "$NON_XA_DATASOURCE" ] && [ "$NON_XA_DATASOURCE" = "true" ]; then
-    ds="<datasource jta=\"${jta}\" jndi-name=\"${jndi_name}\" pool-name=\"${pool_name}\" enabled=\"true\" use-java-context=\"true\" statistics-enabled=\"\${wildfly.datasources.statistics-enabled:\${wildfly.statistics-enabled:false}}\">
-          <connection-url>${url}</connection-url>
-          <driver>$driver</driver>"
+    ds="<datasource jta=\"${jta}\" ${ds_universal_attrs}>
+          <connection-url>${url}</connection-url>"
   else
-    ds=" <xa-datasource jndi-name=\"${jndi_name}\" pool-name=\"${pool_name}\" enabled=\"true\" use-java-context=\"true\" statistics-enabled=\"\${wildfly.datasources.statistics-enabled:\${wildfly.statistics-enabled:false}}\">"
-    local xa_props=$(compgen -v | grep -s "${prefix}_XA_CONNECTION_PROPERTY_")
-    if [ -z "$xa_props" ]; then
-      log_warning "At least one ${prefix}_XA_CONNECTION_PROPERTY_property for datasource ${service_name} is required. Datasource will not be configured."
-      failed="true"
-    else
-
-      for xa_prop in $(echo $xa_props); do
-        prop_name=$(echo "${xa_prop}" | sed -e "s/${prefix}_XA_CONNECTION_PROPERTY_//g")
-        prop_val=$(find_env $xa_prop)
-        if [ ! -z ${prop_val} ]; then
-          ds="$ds <xa-datasource-property name=\"${prop_name}\">${prop_val}</xa-datasource-property>"
-        fi
-      done
+    ds="<xa-datasource ${ds_universal_attrs}>"
+  fi
 
-      ds="$ds
-             <driver>${driver}</driver>"
-    fi
+  ds=$(inject_connection_properties_to_datasource_xml "${ds}")
+  # 'ds' value of empty string indicates an error occurred earlier
+  if [ "${ds}" == "" ]; then
+    failed="true"
   fi
 
+  ds="$ds
+       <driver>${driver}</driver>"
+### End of RH-SSO add-on
+### --------------------
+
   if [ -n "$tx_isolation" ]; then
     ds="$ds
-             <transaction-isolation>$tx_isolation</transaction-isolation>"
+            <transaction-isolation>$tx_isolation</transaction-isolation>"
   fi
 
   if [ -n "$min_pool_size" ] || [ -n "$max_pool_size" ]; then
     if [ -n "$NON_XA_DATASOURCE" ] && [ "$NON_XA_DATASOURCE" = "true" ]; then
-       ds="$ds
+      ds="$ds
              <pool>"
     else
       ds="$ds
@@ -473,9 +536,19 @@ function generate_external_datasource_xml() {
   fi
 }
 
+### Start of RH-SSO add-on -- KEYCLOAK-15633:
+### -----------------------------------------
+### Allow specification of datasource connection properties for:
+### 1) XA datasources via the DB_XA_CONNECTION_PROPERTY_<property_name> and
+### 2) Non-XA datasources via the DB_CONNECTION_PROPERTY_<property_name>
+###
+### environment variable(s) defined on the container image. The <property_name>
+### in the above expressions is the actual name of the connection property to
+### be set on the underlying datasource.
+###
 function generate_external_datasource_cli() {
   local failed="false"
-
+  local is_xa_ds="false"
   local subsystem_addr="/subsystem=datasources"
   local ds_resource="${subsystem_addr}"
   local other_ds_resource
@@ -487,32 +560,41 @@ function generate_external_datasource_cli() {
   ds_tmp_key_values["statistics-enabled"]="\${wildfly.datasources.statistics-enabled:\${wildfly.statistics-enabled:false}}"
   ds_tmp_key_values["driver-name"]="${driver}"
 
-  local -A ds_tmp_xa_connection_properties
+  local -A ds_tmp_connection_properties
 
   if [ -n "$NON_XA_DATASOURCE" ] && [ "$NON_XA_DATASOURCE" = "true" ]; then
     ds_resource="${subsystem_addr}/data-source=${pool_name}"
     other_ds_resource="${subsystem_addr}/xa-data-source=${pool_name}"
 
+    local conn_prop_env_var="${prefix}_CONNECTION_PROPERTY_"
+    local conn_prop_cli_elem_name="connection-properties"
+
     ds_tmp_key_values["jta"]="${jta}"
     ds_tmp_key_values['connection-url']="${url}"
 
   else
     ds_resource="${subsystem_addr}/xa-data-source=${pool_name}"
     other_ds_resource="${subsystem_addr}/data-source=${pool_name}"
 
-    local xa_props=$(compgen -v | grep -s "${prefix}_XA_CONNECTION_PROPERTY_")
-    if [ -z "$xa_props" ] && [ "$driver" != "postgresql" ] && [ "$driver" != "mysql" ]; then
-      log_warning "At least one ${prefix}_XA_CONNECTION_PROPERTY_property for datasource ${service_name} is required. Datasource will not be configured."
+    local conn_prop_env_var="${prefix}_XA_CONNECTION_PROPERTY_"
+    local conn_prop_cli_elem_name="xa-datasource-properties"
+    is_xa_ds="true"
+
+    declare -ra conn_props=($(compgen -v | grep -s "${conn_prop_env_var}"))
+    if [ "${is_xa_ds}" == "true" ] && [ -z "${conn_props}" ]; then
+      log_warning "At least one ${prefix}_XA_CONNECTION_PROPERTY_property for datasource ${service_name} is required."
+      log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
       failed="true"
     else
-
-      for xa_prop in $(echo $xa_props); do
-        prop_name=$(echo "${xa_prop}" | sed -e "s/${prefix}_XA_CONNECTION_PROPERTY_//g")
-        prop_val=$(find_env $xa_prop)
-        if [ ! -z ${prop_val} ]; then
-          ds_tmp_xa_connection_properties["$prop_name"]="$prop_val"
-        fi
-      done
+      if [ "${failed}" != "true" ]; then
+        for property in "${conn_props[@]}"; do
+          prop_name=$(sed -e "s/${conn_prop_env_var}//g" <<< "${property}")
+          prop_value=$(find_env "${property}")
+          if [ ! -z "${prop_value}" ]; then
+            ds_tmp_connection_properties["${prop_name}"]="${prop_value}"
+          fi
+        done
+      fi
     fi
   fi
 
@@ -559,11 +641,11 @@ function generate_external_datasource_cli() {
   done
   ds_tmp_add="${ds_tmp_add})"
 
-  # Add the xa-ds properties
-  local ds_tmp_xa_properties
-  for key in "${!ds_tmp_xa_connection_properties[@]}"; do
-    ds_tmp_xa_properties="${ds_tmp_xa_properties}
-        $ds_resource/xa-datasource-properties=${key}:add(value=\"${ds_tmp_xa_connection_properties[$key]}\")
+  # Add the connection properties to both XA & non-XA datasource
+  local ds_tmp_conn_props_add
+  for key in "${!ds_tmp_connection_properties[@]}"; do
+    ds_tmp_conn_props_add="${ds_tmp_conn_props_add}
+        $ds_resource/${conn_prop_cli_elem_name}=${key}:add(value=\"${ds_tmp_connection_properties[$key]}\")
     "
   done
 
@@ -589,9 +671,12 @@ function generate_external_datasource_cli() {
 
     batch
     ${ds_tmp_add}
-    ${ds_tmp_xa_properties}
+    ${ds_tmp_conn_props_add}
     run-batch
   "
+### End of RH-SSO add-on
+### --------------------
+
   if [ "$failed" == "true" ]; then
     echo ""
   else
@@ -810,10 +895,12 @@ function map_properties() {
     if [ -z "$(eval echo \$${prefix}_XA_CONNECTION_PROPERTY_URL)" ]; then
       if [ -z "${!serverNameVar}" ] || [ -z "${!portVar}" ] || [ -z "${!databaseNameVar}" ]; then
         if [ "$prefix" != "$service" ]; then
-          log_warning "Missing configuration for datasource $prefix. ${service}_SERVICE_HOST, ${service}_SERVICE_PORT, and/or ${prefix}_DATABASE is missing. Datasource will not be configured."
+          log_warning "Missing configuration for datasource $prefix. ${service}_SERVICE_HOST, ${service}_SERVICE_PORT, and/or ${prefix}_DATABASE is missing."
+          log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
           eval ${invalidVar}="true"
         else
-          log_warning "Missing configuration for XA datasource $prefix. Either ${prefix}_XA_CONNECTION_PROPERTY_URL or $serverNameVar, and $portVar, and $databaseNameVar is required. Datasource will not be configured."
+          log_warning "Missing configuration for XA datasource $prefix. Either ${prefix}_XA_CONNECTION_PROPERTY_URL or $serverNameVar, and $portVar, and $databaseNameVar is required."
+          log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
           eval ${invalidVar}="true"
         fi
       else
@@ -823,7 +910,8 @@ function map_properties() {
       fi
     fi
   else
-    log_warning "Missing configuration for datasource $prefix. ${service}_SERVICE_HOST, ${service}_SERVICE_PORT, and/or ${prefix}_DATABASE is missing. Datasource will not be configured."
+    log_warning "Missing configuration for datasource $prefix. ${service}_SERVICE_HOST, ${service}_SERVICE_PORT, and/or ${prefix}_DATABASE is missing."
+    log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
     eval ${invalidVar}="true"
   fi
 
@@ -950,7 +1038,8 @@ function inject_datasource() {
   fi
 
   if [ -z "$driver" ]; then
-    log_warning "DRIVER not set for datasource ${service_name}. Datasource will not be configured."
+    log_warning "DRIVER not set for datasource ${service_name}."
+    log_warning "Datasource '$(basename ${jndi_name})' will not be configured."
   else
     datasource=$(generate_datasource "${service,,}-${prefix}" "$jndi" "$username" "$password" "$host" "$port" "$database" "$checker" "$sorter" "$driver" "$service_name" "$jta" "$validate" "$url")
 
@@ -1054,4 +1143,4 @@ function inject_job_repository() {
     echo "${cli}" >> "${DEFAULT_JOB_REPOSITORY_FILE}"
   fi
 
-}
+}

s2i/postgresql/README.md

@@ -0,0 +1,14 @@
+# SSL/TLS support for PostgreSQL SQL database server container image
+
+The [PostgreSQL 10 SQL database server](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+doesn't support SSL/TLS encryption by default. In order to enable the
+SSL/TLS encryption, the PostgreSQL server container image needs to be
+extended using the [source-to-image](https://github.com/openshift/source-to-image)
+method. Refer to [_*Extending image*_](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+and primarily to [the available example](https://github.com/sclorg/postgresql-container/tree/master/examples/enable-ssl)
+for additional details.
+
+This (sub)directory contains all the information needed to enable SSL/TLS
+support for the [PostgreSQL 10 SQL database server](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+used in the available PostgreSQL [templates](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/templates)
+for [Red Hat Single Sign-On 7.5 for OpenJDK / OpenJ9 on OpenShift container images](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev).

s2i/postgresql/enable-ssl/README.md

@@ -0,0 +1,10 @@
+# Example to enable SSL/TLS for the PostgreSQL SQL database server container image
+
+Inspired by the ["enable-ssl"](https://github.com/sclorg/postgresql-container/tree/master/examples/enable-ssl)
+example from the Red Hat Software Collections PostgreSQL container images repository.
+
+Compared to the original, this example does NOT store the TLS certificate & private
+key files directly in the repository. Instead of that, those files are generated
+on the fly by the PostgreSQL OpenShift service using the OpenShift's service serving
+certificate secrets mechanism based on the corresponding annotation applied to the
+definition of the PostgreSQL service.

s2i/postgresql/enable-ssl/postgresql-cfg/ssl.conf

@@ -0,0 +1,13 @@
+ssl = on
+# The TLS certificate & key are generated using the OpenShift's service serving
+# certificate secrets via corresponding annotation of the PostgreSQL service
+# and stored into a read-only persistent volume, corresponding to the OpenShift
+# secret.
+#
+# Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this
+# repository, copies the generated TLS certificate & key to by current UID
+# writable "/var/run/postgresql/pki" directory, so it's possible to correct
+# the permissions of the TLS private key to mode required by PostgreSQL server
+ssl_cert_file = '/var/run/postgresql/pki/tls.crt'                   # PostgreSQL server certificate
+ssl_key_file  = '/var/run/postgresql/pki/tls.key'                   # PostgreSQL server private key
+ssl_ca_file   = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'  # OpenShift CA

s2i/postgresql/enable-ssl/postgresql-pre-start/enable_ssl.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# Copy the TLS certificate & key generated by the OpenShift's service serving
+# certificate secrets from "/etc/pki/postgresql" (which is mounted read-only,
+# since coming from secret) to "/var/run/postgresql/pki", so it's possible to
+# correct the permissions of the TLS private key as required below
+SOURCE_DIR="/etc/pki/postgresql"
+DESTINATION_DIR="/var/run/postgresql/pki"
+if [ ! -d "${DESTINATION_DIR}" ]; then
+  mkdir -p "${DESTINATION_DIR}"
+fi
+cp "${SOURCE_DIR}"/tls.{crt,key} "${DESTINATION_DIR}"
+
+# PostgreSQL will fail to start and throw an error like:
+#
+#   FATAL:  private key file "/path/to/key" has group or world access
+#   File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
+#
+# if the permissions of the TLS private key are incorrect.
+#
+# Thus correct the permissions so PostgreSQL server can start successfully
+chmod 0600 "${DESTINATION_DIR}/tls.key"