第 4 章 教程

流程

1. 首先执行数据库级别备份。

   $ oc rsh <POSTGRE-SQL-POD> pg_dump -C <DATABASE> rhsso_db.bak

2. 缩减 sso 容器集。

   $ oc scale dc/sso --replicas=0

3. 编辑 dc/sso-postgresql.

   $ oc edit dc/sso-postgresql

   将 ImageStreamTag 切换到 :postgresql:13-el8。

   - imageChangeParams:
         automatic: true
         containerNames:
         - sso-postgresql
         from:
           kind: ImageStreamTag
           name: postgresql:13-el8
           namespace: openshift

4. 等待 sso-postgresql pod 正在运行并稳定。

5. 确保 pod sso-postgresql 具有正确的版本。

   $ oc rsh dc/sso-postgresql /bin/bash -c "psql --version"
   psql (PostgreSQL) 13.5

6. 取消设置变量 POSTGRESQL_UPGRADE，并再次部署 sso-postgresql pod。

   $ oc set env dc/sso-postgresql POSTGRESQL_UPGRADE-

7. 再次等待 sso-posgresql pod 正在运行并稳定。

8. 运行以下命令，为 openshift 项目中的 OpenShift 更新 Red Hat Single Sign-On 7.6.11 资源的核心集合：

   如果使用 OpenShift 3.x 集群，请使用以下命令：

   $ for resource in sso76-image-stream.json \
     passthrough/ocp-3.x/sso76-ocp3-https.json \
     passthrough/ocp-3.x/sso76-ocp3-postgresql.json \
     passthrough/ocp-3.x/sso76-ocp3-postgresql-persistent.json \
     reencrypt/ocp-3.x/sso76-ocp3-x509-https.json \
     reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.json
   do
     oc replace -n openshift --force -f \
     https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/${resource}
   done

   如果使用 OpenShift 4.x 集群，请使用下列命令：

   $ for resource in sso76-image-stream.json \
     passthrough/ocp-4.x/sso76-ocp4-https.json \
     passthrough/ocp-4.x/sso76-ocp4-postgresql.json \
     passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json \
     reencrypt/ocp-4.x/sso76-ocp4-x509-https.json \
     reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json
   do
     oc replace -n openshift --force -f \
     https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/${resource}
   done

9. 运行以下命令，以在 openshift 项目中安装 Red Hat Single Sign-On 7.6.11 OpenShift 镜像流：

   $ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm

10. 更新现有部署配置中的镜像更改触发器，以引用 Red Hat Single Sign-On 7.6.11 镜像。

    $ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'
    "sso" patched

11. 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。

    $ oc rollout latest dc/sso

12. 将 sso pod 扩展至一个副本。

    注意

    您可能希望从 dc/sso 中暂时增加存活和就绪度探测阈值和值（以秒为单位）。此步骤在第一次引导时执行数据库升级，这可能需要一些时间。

    $ oc scale --replicas=1 dc/sso

    注意

    如果您有多个副本，请考虑扩展至一个副本。在 Red Hat Single Sign-On 启动后，您可以将 缩减回原始副本数。

1. 识别用于部署容器的部署配置，这些配置在 OpenShift 镜像的红帽单点登录之前版本上运行。

   $ oc get dc -o name --selector=application=sso
   deploymentconfig/sso
   deploymentconfig/sso-postgresql

2. 在当前命名空间中停止运行之前版本的红帽单点登录的所有 Pod。它们不能针对同一数据库同时运行。

   $ oc scale --replicas=0 dc/sso
   deploymentconfig "sso" scaled

3. 更新现有部署配置中的镜像更改触发器，以引用 Red Hat Single Sign-On 7.6.11 镜像。

   $ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'
   "sso" patched

4. 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。

   $ oc rollout latest dc/sso
   deploymentconfig "sso" rolled out

5. 使用修改后的部署配置部署 Red Hat Single Sign-On 7.6.11 容器。

   $ oc scale --replicas=1 dc/sso
   deploymentconfig "sso" scaled

6. （可选）验证数据库是否已成功更新。

   $ oc get pods --selector=application=sso
   NAME                     READY     STATUS    RESTARTS   AGE
   sso-4-vg21r              1/1       Running   0          1h
   sso-postgresql-1-t871r   1/1       Running   0          2h

   $ oc logs sso-4-vg21r | grep 'Updating'
   11:23:45,160 INFO  [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml

1. 使用正确的数据源配置 Red Hat Single Sign-On 7.6.11，

2. 在 standalone-openshift.xml 文件中设置以下配置选项：

   1. initializeEmpty=false,
   2. migrationStrategy=manual，以及
   3. migrationExport 到 pod 的文件系统的位置，输出 SQL 迁移文件应存储在这里（例如 migrationExport="${jboss.home.dir}/keycloak-database-update.sql"）。

1. 准备 OpenShift 数据库迁移作业模板，以生成 SQL 文件。

   $ cat job-to-migrate-db-to-sso76.yaml.orig
   apiVersion: batch/v1
   kind: Job
   metadata:
     name: job-to-migrate-db-to-sso76
   spec:
     autoSelector: true
     parallelism: 0
     completions: 1
     template:
       metadata:
         name: job-to-migrate-db-to-sso76
       spec:
         containers:
         - env:
           - name: DB_SERVICE_PREFIX_MAPPING
             value: <<DB_SERVICE_PREFIX_MAPPING_VALUE>>
           - name: <<PREFIX>>_JNDI
             value: <<PREFIX_JNDI_VALUE>>
           - name: <<PREFIX>>_USERNAME
             value: <<PREFIX_USERNAME_VALUE>>
           - name: <<PREFIX>>_PASSWORD
             value: <<PREFIX_PASSWORD_VALUE>>
           - name: <<PREFIX>>_DATABASE
             value: <<PREFIX_DATABASE_VALUE>>
           - name: TX_DATABASE_PREFIX_MAPPING
             value: <<TX_DATABASE_PREFIX_MAPPING_VALUE>>
           - name: <<SERVICE_HOST>>
             value: <<SERVICE_HOST_VALUE>>
           - name: <<SERVICE_PORT>>
             value: <<SERVICE_PORT_VALUE>>
           image: <<SSO_IMAGE_VALUE>>
           imagePullPolicy: Always
           name: job-to-migrate-db-to-sso76
           # Keep the pod running after the SQL migration
           # file was generated, so we can retrieve it
           command:
             - "/bin/bash"
             - "-c"
             - "/opt/eap/bin/openshift-launch.sh || sleep 600"
         restartPolicy: Never

   $ cp job-to-migrate-db-to-sso76.yaml.orig \
        job-to-migrate-db-to-sso76.yaml

2. 从用于运行 OpenShift 镜像的 Red Hat Single Sign-On 的早期版本的部署配置，将数据源定义和数据库访问凭证复制到适合数据库迁移作业模板的位置。

   使用以下脚本，将 DB_SERVICE_PREFIX_MAPPING 和 TX_DATABASE_PREFIX_MAPPING 变量值，以及特定于特定数据源（<PREFIX>_JNDI, <PREFIX>_USERNAME, <PREFIX>_PASSWORD, 和 <PREFIX>_DATABASE) 的环境变量从名为 sso 的部署配置复制到名为 job-to-migrate-db-to-sso76.yaml 的数据库作业迁移模板。

   注意

   虽然 DB_SERVICE_PREFIX_MAPPING 环境变量允许 用逗号分开 < name>-<database_type>=<PREFIX > triplets 列表，但本例脚本只接受一个用于演示目的的数据源 triplet 定义。您可以修改用于处理多个数据源定义脚本。

   $ cat mirror_sso_dc_db_vars.sh
   #!/bin/bash
   
   # IMPORTANT:
   #
   # If the name of the SSO deployment config differs from 'sso'
   # or if the file name of the YAML definition of the migration
   # job is different, update the following two variables
   SSO_DC_NAME="sso"
   JOB_MIGRATION_YAML="job-to-migrate-db-to-sso76.yaml"
   
   # Get existing variables of the $SSO_DC_NAME deployment config
   # in an array
   declare -a SSO_DC_VARS=( \
     $(oc set env dc/${SSO_DC_NAME} --list \
     | sed '/^#/d') \
   )
   
   # Get the PREFIX used in the names of environment variables
   PREFIX=$( \
     grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \
     <<< "${SSO_DC_VARS[@]}" \
   )
   PREFIX=${PREFIX##*=}
   
   # Substitute:
   # * <<PREFIX>> with actual $PREFIX value and
   # * <<PREFIX with "<<$PREFIX" value
   # The order in which these replacements are made is important!
   sed -i "s#<<PREFIX>>#${PREFIX}#g" ${JOB_MIGRATION_YAML}
   sed -i "s#<<PREFIX#<<${PREFIX}#g" ${JOB_MIGRATION_YAML}
   
   # Construct the array of environment variables
   # specific to the datasource
   declare -a DB_VARS=(JNDI USERNAME PASSWORD DATABASE)
   
   # Prepend $PREFIX to each item of the datasource array
   DB_VARS=( "${DB_VARS[@]/#/${PREFIX}_}" )
   
   # Add DB_SERVICE_PREFIX_MAPPING and TX_DATABASE_PREFIX_MAPPING
   # variables to datasource array
   DB_VARS=( \
     "${DB_VARS[@]}" \
     DB_SERVICE_PREFIX_MAPPING \
     TX_DATABASE_PREFIX_MAPPING \
   )
   
   # Construct the SERVICE from DB_SERVICE_PREFIX_MAPPING
   SERVICE=$( \
     grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]' \
     <<< "${SSO_DC_VARS[@]}" \
   )
   SERVICE=${SERVICE#*=}
   SERVICE=${SERVICE%=*}
   SERVICE=${SERVICE^^}
   SERVICE=${SERVICE//-/_}
   
   # If the deployment config contains <<SERVICE>>_SERVICE_HOST
   # and <<SERVICE>>_SERVICE_PORT variables, add them to the
   # datasource array. Their values also need to be propagated into
   # yaml definition of the migration job.
   HOST_PATTERN="${SERVICE}_SERVICE_HOST=[^ ]"
   PORT_PATTERN="${SERVICE}_SERVICE_PORT=[^ ]"
   if
     grep -Pq "${HOST_PATTERN}" <<< "${SSO_DC_VARS[@]}" &&
     grep -Pq "${PORT_PATTERN}" <<< "${SSO_DC_VARS[@]}"
   then
     DB_VARS=( \
       "${DB_VARS[@]}" \
       "${SERVICE}_SERVICE_HOST" \
       "${SERVICE}_SERVICE_PORT" \
     )
   # If they are not defined, delete their placeholder rows in
   # yaml definition file (since if not defined they are not
   # expanded which make the yaml definition invalid).
   else
     for KEY in "HOST" "PORT"
     do
       sed -i "/SERVICE_${KEY}/d" ${JOB_MIGRATION_YAML}
     done
   fi
   
   # Substitute:
   # * <<SERVICE_HOST>> with ${SERVICE}_SERVICE_HOST and
   # * <<SERVICE_HOST_VALUE>> with <<${SERVICE}_SERVICE_HOST_VALUE>>
   # The order in which replacements are made is important!
   # Do this for both "HOST" and "PORT"
   for KEY in "HOST" "PORT"
   do
     PATTERN_1="<<SERVICE_${KEY}>>"
     REPL_1="${SERVICE}_SERVICE_${KEY}"
     sed -i "s#${PATTERN_1}#${REPL_1}#g" ${JOB_MIGRATION_YAML}
     PATTERN_2="<<SERVICE_${KEY}_VALUE>>"
     REPL_2="<<${SERVICE}_SERVICE_${KEY}_VALUE>>"
     sed -i "s#${PATTERN_2}#${REPL_2}#g" ${JOB_MIGRATION_YAML}
   done
   
   # Propagate the values of the datasource array items into
   # yaml definition of the migration job
   for VAR in "${SSO_DC_VARS[@]}"
   do
     IFS=$'=' read KEY VALUE <<< $VAR
     if grep -q $KEY <<< ${DB_VARS[@]}
     then
       KEY+="_VALUE"
       # Enwrap integer port value with double quotes
       if [[ ${KEY} =~ ${SERVICE}_SERVICE_PORT_VALUE ]]
       then
         sed -i "s#<<${KEY}>>#\"${VALUE}\"#g" ${JOB_MIGRATION_YAML}
       # Character values do not need quotes
       else
         sed -i "s#<<${KEY}>>#${VALUE}#g" ${JOB_MIGRATION_YAML}
       fi
       # Verify that the value has been successfully propagated.
       if
         grep -q '(JNDI|USERNAME|PASSWORD|DATABASE)' <<< "${KEY}" &&
         grep -q "<<PREFIX${KEY#${PREFIX}}" ${JOB_MIGRATION_YAML} ||
         grep -q "<<${KEY}>>" ${JOB_MIGRATION_YAML}
       then
         echo "Failed to update value of ${KEY%_VALUE}! Aborting."
         exit 1
       else
         printf '%-60s%-40s\n' \
                "Successfully updated ${KEY%_VALUE} to:" \
                "$VALUE"
       fi
     fi
   done

   运行脚本。

   $ chmod +x ./mirror_sso_dc_db_vars.sh
   $ ./mirror_sso_dc_db_vars.sh
   Successfully updated DB_SERVICE_PREFIX_MAPPING to:          sso-postgresql=DB
   Successfully updated DB_JNDI to:                            java:jboss/datasources/KeycloakDS
   Successfully updated DB_USERNAME to:                        userxOp
   Successfully updated DB_PASSWORD to:                        tsWNhQHK
   Successfully updated DB_DATABASE to:                        root
   Successfully updated TX_DATABASE_PREFIX_MAPPING to:         sso-postgresql=DB

3. 使用 预先配置的源构建 Red Hat Single Sign-On 7.6.11 数据库迁移镜像，并等待构建完成。

   $ oc get is -n openshift | grep sso76 | cut -d ' ' -f1
   sso76-openshift-rhel8

   $ oc new-build sso76-openshift-rhel8:7.6~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \
     --context-dir=sso-manual-db-migration \
     --name=sso76-db-migration-image
   --> Found image bf45ac2 (7 days old) in image stream "openshift/sso76-openshift-rhel8" under tag "7.6" for "sso76-openshift-rhel8:7.6"
   
       Red Hat SSO 7.6.11
       ---------------
       Platform for running Red Hat SSO
   
       Tags: sso, sso7, keycloak
   
       * A source build using source code from https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 will be created
         * The resulting image will be pushed to image stream "sso76-db-migration-image:latest"
         * Use 'start-build' to trigger a new build
   
   --> Creating resources with label build=sso76-db-migration-image ...
       imagestream "sso76-db-migration-image" created
       buildconfig "sso76-db-migration-image" created
   --> Success
       Build configuration "sso76-db-migration-image" created and build triggered.
       Run 'oc logs -f bc/sso76-db-migration-image' to stream the build progress.

   $ oc logs -f bc/sso76-db-migration-image --follow
   Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ...
   ...
   Push successful

4. 更新数据库迁移作业(job-to-migrate-db-to-sso76.yaml)的模板并引用构建的 sso76-db-migration-image 镜像。

   1. 获取镜像的 docker pull 参考。

      $ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep sso76-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)

   2. 将作业模板中的 <<SSO_IMAGE_VALUE> 字段替换为 pull 规格。

      $ sed -i "s#<<SSO_IMAGE_VALUE>>#$PULL_REF#g" job-to-migrate-db-to-sso76.yaml

   3. 验证该字段是否已更新。

5. 从作业模板实例化数据库迁移作业。

   $ oc create -f job-to-migrate-db-to-sso76.yaml
   job "job-to-migrate-db-to-sso76" created

   重要

   数据库迁移过程处理数据架构更新并执行数据操作，因此停止为 OpenShift 镜像运行之前版本的 Red Hat Single Sign-On 的所有 pod，然后再动态生成 SQL 迁移文件。

6. 识别用于部署容器的部署配置，这些配置在 OpenShift 镜像的红帽单点登录之前版本上运行。

   $ oc get dc -o name --selector=application=sso
   deploymentconfig/sso
   deploymentconfig/sso-postgresql

7. 在当前命名空间中停止运行之前版本的红帽单点登录的所有 Pod。

   $ oc scale --replicas=0 dc/sso
   deploymentconfig "sso" scaled

8. 运行数据库迁移作业并等待 pod 正确运行。

   $ oc get jobs
   NAME                            DESIRED   SUCCESSFUL   AGE
   job-to-migrate-db-to-sso76   1         0            3m

   $ oc scale --replicas=1 job/job-to-migrate-db-to-sso76
   job "job-to-migrate-db-to-sso76" scaled

   $ oc get pods
   NAME                                  READY     STATUS      RESTARTS   AGE
   sso-postgresql-1-n5p16                1/1       Running     1          19h
   job-to-migrate-db-to-sso76-b87bb   1/1       Running     0          1m
   sso76-db-migration-image-1-build      0/1       Completed   0          27m

   注意

   默认情况下，在生成迁移文件后数据库迁移作业会在 600 秒后自动 终止。您可以调整这个时间。

9. 从 pod 获取动态生成的 SQL 数据库迁移文件。

   $ mkdir -p ./db-update
   $ oc rsync job-to-migrate-db-to-sso76-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
   receiving incremental file list
   keycloak-database-update.sql
   
   sent 30 bytes  received 29,726 bytes  59,512.00 bytes/sec
   total size is 29,621  speedup is 1.00

10. 检查 keycloak-database-update.sql 文件，以便在手动数据库更新到 Red Hat Single Sign-On 7.6.11 版本中执行更改。

11. 手动应用数据库更新。

    • 运行以下命令，如果为 OpenShift 镜像运行一些早期版本的 Red Hat Single Sign-On，则由以临时或持久模式部署的 PostgreSQL 数据库提供支持，并在单独的 pod 上运行：

      1. 将生成的 SQL 迁移文件复制到 PostgreSQL pod。

         $ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
         sending incremental file list
         
         sent 77 bytes  received 11 bytes  176.00 bytes/sec
         total size is 26,333  speedup is 299.24

      2. 启动与 PostgreSQL pod 的 shell 会话。

         $ oc rsh sso-postgresql-1-n5p16
         sh-4.2$

      3. 使用 psql 工具手动应用数据库更新。

         sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql"
         sh-4.2$ psql --version
         psql (PostgreSQL) 9.5.4
         sh-4.2$ psql -U <PREFIX>_USERNAME -d <PREFIX>_DATABASE -W -f /tmp/keycloak-database-update.sql
         Password for user <PREFIX>_USERNAME:
         INSERT 0 1
         INSERT 0 1
         ...

         重要

         将 <PREFIX>_USERNAME 和 <PREFIX>_DATABASE 替换为 上一节中 检索的实际数据库凭证。在提示时，使用 <PREFIX>_PASSWORD 作为数据库的密码。

      4. 关闭与 PostgreSQL pod 的 shell 会话。继续 更新镜像更改触发器步骤。

12. 更新现有部署配置中的镜像更改触发器，以引用 Red Hat Single Sign-On 7.6.11 镜像。

    $ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "sso76-openshift-rhel8:7.6"}]'
    "sso" patched

13. 根据镜像更改触发器中定义的最新镜像开始推出新的 Red Hat Single Sign-On 7.6.11 镜像。

    $ oc rollout latest dc/sso
    deploymentconfig "sso" rolled out

14. 使用修改后的部署配置部署 Red Hat Single Sign-On 7.6.11 容器。

    $ oc scale --replicas=1 dc/sso
    deploymentconfig "sso" scaled