红帽全球峰会第 4 章 教程
本章中的教程假定您通过执行 OpenShift Container Platform 集群安装,与创建的 OpenShift 实例类似。
4.1. 为 OpenShift 镜像版本更新新红帽单点登录的数据库
请注意,以下与更新相关的点:
- 不支持从之前版本的 Red Hat Single Sign-On for OpenShift 迁移到 7.6.11 版本,因为数据库和缓存不向后兼容。
- 用于 Red Hat Single Sign-On for OpenShift 7.6.11 的模板需要 PostgreSQL 服务器版本 13。如果您有一个过时的 PostgreSQL 版本,请在更新数据库前更新 PostgreSQL 版本。
- 升级前,OpenShift 的 Red Hat Single Sign-On 版本中的实例无法运行。它们不能针对同一数据库同时运行。
- 生成的脚本不可用。它们根据数据库动态生成。
您有三种更新数据库的选择:
- 如果您有一个过时的 PostgreSQL 服务器版本,升级 PostgreSQL 服务器,然后迁移数据库。
- 允许 Red Hat Single Sign-On 7.6.11 自动迁移数据库模式
- 手动更新数据库
注意
默认情况下,当您首次启动 Red Hat Single Sign-On 7.6.11 时,数据库会被自动迁移。
4.1.1. PostgreSQL 版本升级和数据库迁移
Red Hat Single Sign-On 7.6.11 模板中存在的 PostgreSQL 服务器可能与之前使用的版本不同。例如,请考虑这种情况:
- 您使用 PostgreSQL 服务器的版本 10,运行带有 PostgreSQL 容器集的 Red Hat Single Sign-On for OpenShift 容器镜像。
- Red Hat Single Sign-On 7.6.11 容器镜像需要 PostgreSQL pod 使用 PostgreSQL 服务器的版本 13。
以下流程描述了如何将 PostgreSQL 版本升级到 13,然后迁移数据库。
流程
首先执行数据库级别备份。
oc rsh <POSTGRE-SQL-POD> pg_dump -C <DATABASE> rhsso_db.bak
$ oc rsh <POSTGRE-SQL-POD> pg_dump -C <DATABASE> rhsso_db.bakCopy to Clipboard Copied! 缩减
sso容器集。oc scale dc/sso --replicas=0
$ oc scale dc/sso --replicas=0Copy to Clipboard Copied! 编辑
dc/sso-postgresql.oc edit dc/sso-postgresql
$ oc edit dc/sso-postgresqlCopy to Clipboard Copied! 将
ImageStreamTag切换到:postgresql:13-el8。- imageChangeParams: automatic: true containerNames: - sso-postgresql from: kind: ImageStreamTag name: postgresql:13-el8 namespace: openshift- imageChangeParams: automatic: true containerNames: - sso-postgresql from: kind: ImageStreamTag name: postgresql:13-el8 namespace: openshiftCopy to Clipboard Copied! -
等待
sso-postgresqlpod 正在运行并稳定。 确保 pod
sso-postgresql具有正确的版本。oc rsh dc/sso-postgresql /bin/bash -c "psql --version"
$ oc rsh dc/sso-postgresql /bin/bash -c "psql --version" psql (PostgreSQL) 13.5Copy to Clipboard Copied! 取消设置变量
POSTGRESQL_UPGRADE,并再次部署sso-postgresqlpod。oc set env dc/sso-postgresql POSTGRESQL_UPGRADE-
$ oc set env dc/sso-postgresql POSTGRESQL_UPGRADE-Copy to Clipboard Copied! -
再次等待
sso-posgresqlpod 正在运行并稳定。 运行以下命令,为
openshift项目中的 OpenShift 更新 Red Hat Single Sign-On 7.6.11 资源的核心集合:如果使用 OpenShift 3.x 集群,请使用以下命令:
for resource in sso76-image-stream.json \ passthrough/ocp-3.x/sso76-ocp3-https.json \ passthrough/ocp-3.x/sso76-ocp3-postgresql.json \ passthrough/ocp-3.x/sso76-ocp3-postgresql-persistent.json \ reencrypt/ocp-3.x/sso76-ocp3-x509-https.json \ reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.json
$ for resource in sso76-image-stream.json \ passthrough/ocp-3.x/sso76-ocp3-https.json \ passthrough/ocp-3.x/sso76-ocp3-postgresql.json \ passthrough/ocp-3.x/sso76-ocp3-postgresql-persistent.json \ reencrypt/ocp-3.x/sso76-ocp3-x509-https.json \ reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.json do oc replace -n openshift --force -f \ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/${resource} doneCopy to Clipboard Copied! 如果使用 OpenShift 4.x 集群,请使用下列命令:
for resource in sso76-image-stream.json \ passthrough/ocp-4.x/sso76-ocp4-https.json \ passthrough/ocp-4.x/sso76-ocp4-postgresql.json \ passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json \ reencrypt/ocp-4.x/sso76-ocp4-x509-https.json \ reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json
$ for resource in sso76-image-stream.json \ passthrough/ocp-4.x/sso76-ocp4-https.json \ passthrough/ocp-4.x/sso76-ocp4-postgresql.json \ passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json \ reencrypt/ocp-4.x/sso76-ocp4-x509-https.json \ reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json do oc replace -n openshift --force -f \ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/${resource} doneCopy to Clipboard Copied!
运行以下命令,以在
openshift项目中安装 Red Hat Single Sign-On 7.6.11 OpenShift 镜像流:oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
$ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirmCopy to Clipboard Copied! 更新现有部署配置中的镜像更改触发器,以引用 Red Hat Single Sign-On 7.6.11 镜像。
oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]' "sso" patchedCopy to Clipboard Copied! 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。
oc rollout latest dc/sso
$ oc rollout latest dc/ssoCopy to Clipboard Copied! 将
ssopod 扩展至一个副本。注意您可能希望从
dc/sso中暂时增加存活和就绪度探测阈值和值(以秒为单位)。此步骤在第一次引导时执行数据库升级,这可能需要一些时间。oc scale --replicas=1 dc/sso
$ oc scale --replicas=1 dc/ssoCopy to Clipboard Copied! 注意如果您有多个副本,请考虑扩展至一个副本。在 Red Hat Single Sign-On 启动后,您可以将 缩减回原始副本数。
4.1.2. 自动数据库迁移
此过程假设您运行早期版本的 OpenShift 镜像,由运行在独立 pod 中的 PostgreSQL 数据库(以临时或永久模式部署)为 OpenShift 镜像提供支持。
先决条件
- 执行 为 OpenShift 部署准备红帽单点登录身份验证 中介绍的步骤。
流程
使用以下步骤自动迁移数据库模式:
识别用于部署容器的部署配置,这些配置在 OpenShift 镜像的红帽单点登录之前版本上运行。
oc get dc -o name --selector=application=sso
$ oc get dc -o name --selector=application=sso deploymentconfig/sso deploymentconfig/sso-postgresqlCopy to Clipboard Copied! 在当前命名空间中停止运行之前版本的红帽单点登录的所有 Pod。它们不能针对同一数据库同时运行。
oc scale --replicas=0 dc/sso
$ oc scale --replicas=0 dc/sso deploymentconfig "sso" scaledCopy to Clipboard Copied! 更新现有部署配置中的镜像更改触发器,以引用 Red Hat Single Sign-On 7.6.11 镜像。
oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]' "sso" patchedCopy to Clipboard Copied! 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。
oc rollout latest dc/sso
$ oc rollout latest dc/sso deploymentconfig "sso" rolled outCopy to Clipboard Copied! 使用修改后的部署配置部署 Red Hat Single Sign-On 7.6.11 容器。
oc scale --replicas=1 dc/sso
$ oc scale --replicas=1 dc/sso deploymentconfig "sso" scaledCopy to Clipboard Copied! (可选)验证数据库是否已成功更新。
oc get pods --selector=application=sso
$ oc get pods --selector=application=sso NAME READY STATUS RESTARTS AGE sso-4-vg21r 1/1 Running 0 1h sso-postgresql-1-t871r 1/1 Running 0 2hCopy to Clipboard Copied! oc logs sso-4-vg21r | grep 'Updating'
$ oc logs sso-4-vg21r | grep 'Updating' 11:23:45,160 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xmlCopy to Clipboard Copied!
4.1.3. 手动数据库迁移
数据库迁移过程更新了数据架构,并执行数据的操作。此过程还会停止所有运行之前为 OpenShift 镜像的 Red Hat Single Sign-On 版本的所有 Pod,然后再动态生成 SQL 迁移文件。
注意
此过程假设您正在为由 PostgreSQL 数据库(以临时或永久模式部署)支持的 OpenShift 镜像运行早期版本,并在单独的 pod 上运行。
流程
为脚本生成准备环境。
- 使用正确的数据源配置 Red Hat Single Sign-On 7.6.11,
在
standalone-openshift.xml文件中设置以下配置选项:-
initializeEmpty=false, -
migrationStrategy=manual,以及 -
migrationExport到 pod 的文件系统的位置,输出 SQL 迁移文件应存储在这里(例如migrationExport="${jboss.home.dir}/keycloak-database-update.sql")。
-
流程
执行以下步骤为数据库生成 SQL 迁移文件:
准备 OpenShift 数据库迁移作业模板,以生成 SQL 文件。
$ cat job-to-migrate-db-to-sso76.yaml.orig apiVersion: batch/v1 kind: Job metadata: name: job-to-migrate-db-to-sso76 spec: autoSelector: true parallelism: 0 completions: 1 template: metadata: name: job-to-migrate-db-to-sso76 spec: containers: - env: - name: DB_SERVICE_PREFIX_MAPPING value: <<DB_SERVICE_PREFIX_MAPPING_VALUE>> - name: <<PREFIX>>_JNDI value: <<PREFIX_JNDI_VALUE>> - name: <<PREFIX>>_USERNAME value: <<PREFIX_USERNAME_VALUE>> - name: <<PREFIX>>_PASSWORD value: <<PREFIX_PASSWORD_VALUE>> - name: <<PREFIX>>_DATABASE value: <<PREFIX_DATABASE_VALUE>> - name: TX_DATABASE_PREFIX_MAPPING value: <<TX_DATABASE_PREFIX_MAPPING_VALUE>> - name: <<SERVICE_HOST>> value: <<SERVICE_HOST_VALUE>> - name: <<SERVICE_PORT>> value: <<SERVICE_PORT_VALUE>> image: <<SSO_IMAGE_VALUE>> imagePullPolicy: Always name: job-to-migrate-db-to-sso76 # Keep the pod running after the SQL migration # file was generated, so we can retrieve it command: - "/bin/bash" - "-c" - "/opt/eap/bin/openshift-launch.sh || sleep 600" restartPolicy: Never$ cat job-to-migrate-db-to-sso76.yaml.orig apiVersion: batch/v1 kind: Job metadata: name: job-to-migrate-db-to-sso76 spec: autoSelector: true parallelism: 0 completions: 1 template: metadata: name: job-to-migrate-db-to-sso76 spec: containers: - env: - name: DB_SERVICE_PREFIX_MAPPING value: <<DB_SERVICE_PREFIX_MAPPING_VALUE>> - name: <<PREFIX>>_JNDI value: <<PREFIX_JNDI_VALUE>> - name: <<PREFIX>>_USERNAME value: <<PREFIX_USERNAME_VALUE>> - name: <<PREFIX>>_PASSWORD value: <<PREFIX_PASSWORD_VALUE>> - name: <<PREFIX>>_DATABASE value: <<PREFIX_DATABASE_VALUE>> - name: TX_DATABASE_PREFIX_MAPPING value: <<TX_DATABASE_PREFIX_MAPPING_VALUE>> - name: <<SERVICE_HOST>> value: <<SERVICE_HOST_VALUE>> - name: <<SERVICE_PORT>> value: <<SERVICE_PORT_VALUE>> image: <<SSO_IMAGE_VALUE>> imagePullPolicy: Always name: job-to-migrate-db-to-sso76 # Keep the pod running after the SQL migration # file was generated, so we can retrieve it command: - "/bin/bash" - "-c" - "/opt/eap/bin/openshift-launch.sh || sleep 600" restartPolicy: NeverCopy to Clipboard Copied! cp job-to-migrate-db-to-sso76.yaml.orig \ job-to-migrate-db-to-sso76.yaml$ cp job-to-migrate-db-to-sso76.yaml.orig \ job-to-migrate-db-to-sso76.yamlCopy to Clipboard Copied! 从用于运行 OpenShift 镜像的 Red Hat Single Sign-On 的早期版本的部署配置,将数据源定义和数据库访问凭证复制到适合数据库迁移作业模板的位置。
使用以下脚本,将
DB_SERVICE_PREFIX_MAPPING和TX_DATABASE_PREFIX_MAPPING变量值,以及特定于特定数据源(<PREFIX>_JNDI,<PREFIX>_USERNAME,<PREFIX>_PASSWORD, 和<PREFIX>_DATABASE) 的环境变量从名为sso的部署配置复制到名为job-to-migrate-db-to-sso76.yaml的数据库作业迁移模板。注意虽然
DB_SERVICE_PREFIX_MAPPING环境变量允许 用逗号分开 < name>-<database_type>=<PREFIX > triplets 列表,但本例脚本只接受一个用于演示目的的数据源 triplet 定义。您可以修改用于处理多个数据源定义脚本。cat mirror_sso_dc_db_vars.sh #!/bin/bash IMPORTANT: # If the name of the SSO deployment config differs from 'sso' or if the file name of the YAML definition of the migration job is different, update the following two variables SSO_DC_NAME="sso" JOB_MIGRATION_YAML="job-to-migrate-db-to-sso76.yaml" Get existing variables of the $SSO_DC_NAME deployment config in an array declare -a SSO_DC_VARS=( \ $(oc set env dc/${SSO_DC_NAME} --list \ $(oc set env dc/${SSO_DC_NAME} --list \ | sed '/^#/d') \ | sed '/^#/d') \ ) ) Get the PREFIX used in the names of environment variables PREFIX=$( \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \ <<< "${SSO_DC_VARS[@]}" \ <<< "${SSO_DC_VARS[@]}" \ ) ) PREFIX=${PREFIX##*=} Substitute: * <<PREFIX>> with actual $PREFIX value and * <<PREFIX with "<<$PREFIX" value The order in which these replacements are made is important! sed -i "s#<<PREFIX>>#${PREFIX}#g" ${JOB_MIGRATION_YAML} sed -i "s#<<PREFIX#<<${PREFIX}#g" ${JOB_MIGRATION_YAML} Construct the array of environment variables specific to the datasource declare -a DB_VARS=(JNDI USERNAME PASSWORD DATABASE) Prepend $PREFIX to each item of the datasource array DB_VARS=( "${DB_VARS[@]/#/${PREFIX}_}" ) Add DB_SERVICE_PREFIX_MAPPING and TX_DATABASE_PREFIX_MAPPING variables to datasource array DB_VARS=( \ "${DB_VARS[@]}" \ "${DB_VARS[@]}" \ DB_SERVICE_PREFIX_MAPPING \ DB_SERVICE_PREFIX_MAPPING \ TX_DATABASE_PREFIX_MAPPING \ TX_DATABASE_PREFIX_MAPPING \ ) ) Construct the SERVICE from DB_SERVICE_PREFIX_MAPPING SERVICE=$( \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]' \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]' \ <<< "${SSO_DC_VARS[@]}" \ <<< "${SSO_DC_VARS[@]}" \ ) ) SERVICE=${SERVICE#*=} SERVICE=${SERVICE%=*} SERVICE=${SERVICE^^} SERVICE=${SERVICE//-/_} If the deployment config contains <<SERVICE>>_SERVICE_HOST and <<SERVICE>>_SERVICE_PORT variables, add them to the datasource array. Their values also need to be propagated into yaml definition of the migration job. HOST_PATTERN="${SERVICE}_SERVICE_HOST=[^ ]" PORT_PATTERN="${SERVICE}_SERVICE_PORT=[^ ]" if grep -Pq "${HOST_PATTERN}" <<< "${SSO_DC_VARS[@]}" && grep -Pq "${PORT_PATTERN}" <<< "${SSO_DC_VARS[@]}" then DB_VARS=( \ "${DB_VARS[@]}" \ "${DB_VARS[@]}" \ "${SERVICE}_SERVICE_HOST" \ "${SERVICE}_SERVICE_HOST" \ "${SERVICE}_SERVICE_PORT" \ "${SERVICE}_SERVICE_PORT" \ ) ) If they are not defined, delete their placeholder rows in yaml definition file (since if not defined they are not expanded which make the yaml definition invalid). else for KEY in "HOST" "PORT" do sed -i "/SERVICE_${KEY}/d" ${JOB_MIGRATION_YAML} done fi Substitute: * <<SERVICE_HOST>> with ${SERVICE}_SERVICE_HOST and * <<SERVICE_HOST_VALUE>> with <<${SERVICE}_SERVICE_HOST_VALUE>> The order in which replacements are made is important! Do this for both "HOST" and "PORT" for KEY in "HOST" "PORT" do PATTERN_1="<<SERVICE_${KEY}>>" REPL_1="${SERVICE}_SERVICE_${KEY}" sed -i "s#${PATTERN_1}#${REPL_1}#g" ${JOB_MIGRATION_YAML} PATTERN_2="<<SERVICE_${KEY}_VALUE>>" REPL_2="<<${SERVICE}_SERVICE_${KEY}_VALUE>>" sed -i "s#${PATTERN_2}#${REPL_2}#g" ${JOB_MIGRATION_YAML} done Propagate the values of the datasource array items into yaml definition of the migration job for VAR in "${SSO_DC_VARS[@]}" do IFS=$'=' read KEY VALUE <<< $VAR if grep -q $KEY <<< ${DB_VARS[@]} then KEY+="_VALUE" # Enwrap integer port value with double quotes if [[ ${KEY} =~ ${SERVICE}_SERVICE_PORT_VALUE ]] then sed -i "s#<<${KEY}>>#\"${VALUE}\"#g" ${JOB_MIGRATION_YAML} # Character values do not need quotes else sed -i "s#<<${KEY}>>#${VALUE}#g" ${JOB_MIGRATION_YAML} fi # Verify that the value has been successfully propagated. if grep -q '(JNDI|USERNAME|PASSWORD|DATABASE)' <<< "${KEY}" && grep -q "<<PREFIX${KEY#${PREFIX}}" ${JOB_MIGRATION_YAML} || grep -q "<<${KEY}>>" ${JOB_MIGRATION_YAML} then echo "Failed to update value of ${KEY%_VALUE}! Aborting." exit 1 else printf '%-60s%-40s\n' \ "Successfully updated ${KEY%_VALUE} to:" \ "Successfully updated ${KEY%_VALUE} to:" \ "$VALUE" "$VALUE" fi fi done$ cat mirror_sso_dc_db_vars.sh #!/bin/bash # IMPORTANT: # # If the name of the SSO deployment config differs from 'sso' # or if the file name of the YAML definition of the migration # job is different, update the following two variables SSO_DC_NAME="sso" JOB_MIGRATION_YAML="job-to-migrate-db-to-sso76.yaml" # Get existing variables of the $SSO_DC_NAME deployment config # in an array declare -a SSO_DC_VARS=( \ $(oc set env dc/${SSO_DC_NAME} --list \ | sed '/^#/d') \ ) # Get the PREFIX used in the names of environment variables PREFIX=$( \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \ <<< "${SSO_DC_VARS[@]}" \ ) PREFIX=${PREFIX##*=} # Substitute: # * <<PREFIX>> with actual $PREFIX value and # * <<PREFIX with "<<$PREFIX" value # The order in which these replacements are made is important! sed -i "s#<<PREFIX>>#${PREFIX}#g" ${JOB_MIGRATION_YAML} sed -i "s#<<PREFIX#<<${PREFIX}#g" ${JOB_MIGRATION_YAML} # Construct the array of environment variables # specific to the datasource declare -a DB_VARS=(JNDI USERNAME PASSWORD DATABASE) # Prepend $PREFIX to each item of the datasource array DB_VARS=( "${DB_VARS[@]/#/${PREFIX}_}" ) # Add DB_SERVICE_PREFIX_MAPPING and TX_DATABASE_PREFIX_MAPPING # variables to datasource array DB_VARS=( \ "${DB_VARS[@]}" \ DB_SERVICE_PREFIX_MAPPING \ TX_DATABASE_PREFIX_MAPPING \ ) # Construct the SERVICE from DB_SERVICE_PREFIX_MAPPING SERVICE=$( \ grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]' \ <<< "${SSO_DC_VARS[@]}" \ ) SERVICE=${SERVICE#*=} SERVICE=${SERVICE%=*} SERVICE=${SERVICE^^} SERVICE=${SERVICE//-/_} # If the deployment config contains <<SERVICE>>_SERVICE_HOST # and <<SERVICE>>_SERVICE_PORT variables, add them to the # datasource array. Their values also need to be propagated into # yaml definition of the migration job. HOST_PATTERN="${SERVICE}_SERVICE_HOST=[^ ]" PORT_PATTERN="${SERVICE}_SERVICE_PORT=[^ ]" if grep -Pq "${HOST_PATTERN}" <<< "${SSO_DC_VARS[@]}" && grep -Pq "${PORT_PATTERN}" <<< "${SSO_DC_VARS[@]}" then DB_VARS=( \ "${DB_VARS[@]}" \ "${SERVICE}_SERVICE_HOST" \ "${SERVICE}_SERVICE_PORT" \ ) # If they are not defined, delete their placeholder rows in # yaml definition file (since if not defined they are not # expanded which make the yaml definition invalid). else for KEY in "HOST" "PORT" do sed -i "/SERVICE_${KEY}/d" ${JOB_MIGRATION_YAML} done fi # Substitute: # * <<SERVICE_HOST>> with ${SERVICE}_SERVICE_HOST and # * <<SERVICE_HOST_VALUE>> with <<${SERVICE}_SERVICE_HOST_VALUE>> # The order in which replacements are made is important! # Do this for both "HOST" and "PORT" for KEY in "HOST" "PORT" do PATTERN_1="<<SERVICE_${KEY}>>" REPL_1="${SERVICE}_SERVICE_${KEY}" sed -i "s#${PATTERN_1}#${REPL_1}#g" ${JOB_MIGRATION_YAML} PATTERN_2="<<SERVICE_${KEY}_VALUE>>" REPL_2="<<${SERVICE}_SERVICE_${KEY}_VALUE>>" sed -i "s#${PATTERN_2}#${REPL_2}#g" ${JOB_MIGRATION_YAML} done # Propagate the values of the datasource array items into # yaml definition of the migration job for VAR in "${SSO_DC_VARS[@]}" do IFS=$'=' read KEY VALUE <<< $VAR if grep -q $KEY <<< ${DB_VARS[@]} then KEY+="_VALUE" # Enwrap integer port value with double quotes if [[ ${KEY} =~ ${SERVICE}_SERVICE_PORT_VALUE ]] then sed -i "s#<<${KEY}>>#\"${VALUE}\"#g" ${JOB_MIGRATION_YAML} # Character values do not need quotes else sed -i "s#<<${KEY}>>#${VALUE}#g" ${JOB_MIGRATION_YAML} fi # Verify that the value has been successfully propagated. if grep -q '(JNDI|USERNAME|PASSWORD|DATABASE)' <<< "${KEY}" && grep -q "<<PREFIX${KEY#${PREFIX}}" ${JOB_MIGRATION_YAML} || grep -q "<<${KEY}>>" ${JOB_MIGRATION_YAML} then echo "Failed to update value of ${KEY%_VALUE}! Aborting." exit 1 else printf '%-60s%-40s\n' \ "Successfully updated ${KEY%_VALUE} to:" \ "$VALUE" fi fi doneCopy to Clipboard Copied! 运行脚本。
chmod +x ./mirror_sso_dc_db_vars.sh ./mirror_sso_dc_db_vars.sh
$ chmod +x ./mirror_sso_dc_db_vars.sh $ ./mirror_sso_dc_db_vars.sh Successfully updated DB_SERVICE_PREFIX_MAPPING to: sso-postgresql=DB Successfully updated DB_JNDI to: java:jboss/datasources/KeycloakDS Successfully updated DB_USERNAME to: userxOp Successfully updated DB_PASSWORD to: tsWNhQHK Successfully updated DB_DATABASE to: root Successfully updated TX_DATABASE_PREFIX_MAPPING to: sso-postgresql=DBCopy to Clipboard Copied! 使用 预先配置的源构建 Red Hat Single Sign-On 7.6.11 数据库迁移镜像,并等待构建完成。
oc get is -n openshift | grep sso76 | cut -d ' ' -f1
$ oc get is -n openshift | grep sso76 | cut -d ' ' -f1 sso76-openshift-rhel8Copy to Clipboard Copied! oc new-build sso76-openshift-rhel8:7.6~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \ --context-dir=sso-manual-db-migration \ --name=sso76-db-migration-image
$ oc new-build sso76-openshift-rhel8:7.6~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \ --context-dir=sso-manual-db-migration \ --name=sso76-db-migration-image --> Found image bf45ac2 (7 days old) in image stream "openshift/sso76-openshift-rhel8" under tag "7.6" for "sso76-openshift-rhel8:7.6" Red Hat SSO 7.6.11 --------------- Platform for running Red Hat SSO Tags: sso, sso7, keycloak * A source build using source code from https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 will be created * The resulting image will be pushed to image stream "sso76-db-migration-image:latest" * Use 'start-build' to trigger a new build --> Creating resources with label build=sso76-db-migration-image ... imagestream "sso76-db-migration-image" created buildconfig "sso76-db-migration-image" created --> Success Build configuration "sso76-db-migration-image" created and build triggered. Run 'oc logs -f bc/sso76-db-migration-image' to stream the build progress.Copy to Clipboard Copied! oc logs -f bc/sso76-db-migration-image --follow
$ oc logs -f bc/sso76-db-migration-image --follow Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ... ... Push successfulCopy to Clipboard Copied! 更新数据库迁移作业(
job-to-migrate-db-to-sso76.yaml)的模板并引用构建的sso76-db-migration-image镜像。获取镜像的 docker pull 参考。
PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep sso76-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)
$ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep sso76-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)Copy to Clipboard Copied! 将作业模板中的 <<SSO_IMAGE_VALUE> 字段替换为 pull 规格。
sed -i "s#<<SSO_IMAGE_VALUE>>#$PULL_REF#g" job-to-migrate-db-to-sso76.yaml
$ sed -i "s#<<SSO_IMAGE_VALUE>>#$PULL_REF#g" job-to-migrate-db-to-sso76.yamlCopy to Clipboard Copied! - 验证该字段是否已更新。
从作业模板实例化数据库迁移作业。
oc create -f job-to-migrate-db-to-sso76.yaml
$ oc create -f job-to-migrate-db-to-sso76.yaml job "job-to-migrate-db-to-sso76" createdCopy to Clipboard Copied! 重要数据库迁移过程处理数据架构更新并执行数据操作,因此停止为 OpenShift 镜像运行之前版本的 Red Hat Single Sign-On 的所有 pod,然后再动态生成 SQL 迁移文件。
识别用于部署容器的部署配置,这些配置在 OpenShift 镜像的红帽单点登录之前版本上运行。
oc get dc -o name --selector=application=sso
$ oc get dc -o name --selector=application=sso deploymentconfig/sso deploymentconfig/sso-postgresqlCopy to Clipboard Copied! 在当前命名空间中停止运行之前版本的红帽单点登录的所有 Pod。
oc scale --replicas=0 dc/sso
$ oc scale --replicas=0 dc/sso deploymentconfig "sso" scaledCopy to Clipboard Copied! 运行数据库迁移作业并等待 pod 正确运行。
oc get jobs
$ oc get jobs NAME DESIRED SUCCESSFUL AGE job-to-migrate-db-to-sso76 1 0 3mCopy to Clipboard Copied! oc scale --replicas=1 job/job-to-migrate-db-to-sso76
$ oc scale --replicas=1 job/job-to-migrate-db-to-sso76 job "job-to-migrate-db-to-sso76" scaledCopy to Clipboard Copied! oc get pods
$ oc get pods NAME READY STATUS RESTARTS AGE sso-postgresql-1-n5p16 1/1 Running 1 19h job-to-migrate-db-to-sso76-b87bb 1/1 Running 0 1m sso76-db-migration-image-1-build 0/1 Completed 0 27mCopy to Clipboard Copied! 注意默认情况下,在生成迁移文件后数据库迁移作业会在
600 秒后自动终止。您可以调整这个时间。从 pod 获取动态生成的 SQL 数据库迁移文件。
mkdir -p ./db-update oc rsync job-to-migrate-db-to-sso76-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
$ mkdir -p ./db-update $ oc rsync job-to-migrate-db-to-sso76-b87bb:/opt/eap/keycloak-database-update.sql ./db-update receiving incremental file list keycloak-database-update.sql sent 30 bytes received 29,726 bytes 59,512.00 bytes/sec total size is 29,621 speedup is 1.00Copy to Clipboard Copied! -
检查
keycloak-database-update.sql文件,以便在手动数据库更新到 Red Hat Single Sign-On 7.6.11 版本中执行更改。 手动应用数据库更新。
运行以下命令,如果为 OpenShift 镜像运行一些早期版本的 Red Hat Single Sign-On,则由以临时或持久模式部署的 PostgreSQL 数据库提供支持,并在单独的 pod 上运行:
将生成的 SQL 迁移文件复制到 PostgreSQL pod。
oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
$ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp sending incremental file list sent 77 bytes received 11 bytes 176.00 bytes/sec total size is 26,333 speedup is 299.24Copy to Clipboard Copied! 启动与 PostgreSQL pod 的 shell 会话。
oc rsh sso-postgresql-1-n5p16
$ oc rsh sso-postgresql-1-n5p16 sh-4.2$Copy to Clipboard Copied! 使用
psql工具手动应用数据库更新。alias psql="/opt/rh/rh-postgresql95/root/bin/psql" psql --version psql -U <PREFIX>_USERNAME -d <PREFIX>_DATABASE -W -f /tmp/keycloak-database-update.sql
sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql" sh-4.2$ psql --version psql (PostgreSQL) 9.5.4 sh-4.2$ psql -U <PREFIX>_USERNAME -d <PREFIX>_DATABASE -W -f /tmp/keycloak-database-update.sql Password for user <PREFIX>_USERNAME: INSERT 0 1 INSERT 0 1 ...Copy to Clipboard Copied! 重要将
<PREFIX>_USERNAME和<PREFIX>_DATABASE替换为 上一节中 检索的实际数据库凭证。在提示时,使用<PREFIX>_PASSWORD作为数据库的密码。- 关闭与 PostgreSQL pod 的 shell 会话。继续 更新镜像更改触发器步骤。
更新现有部署配置中的镜像更改触发器,以引用 Red Hat Single Sign-On 7.6.11 镜像。
oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]' "sso" patchedCopy to Clipboard Copied! 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。
oc rollout latest dc/sso
$ oc rollout latest dc/sso deploymentconfig "sso" rolled outCopy to Clipboard Copied! 使用修改后的部署配置部署 Red Hat Single Sign-On 7.6.11 容器。
oc scale --replicas=1 dc/sso
$ oc scale --replicas=1 dc/sso deploymentconfig "sso" scaledCopy to Clipboard Copied!
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}