# template.yaml
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: sso74-oracle
message: >-
  A new RH-SSO service (using Oracle DB) has been created in your
  project. The admin username/password for accessing the master realm via the
  RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The
  username/password for accessing the Oracle database "${ORACLE_SERVICE_NAME}" is
  ${ORACLE_USERNAME}/${ORACLE_PASSWORD}. Please be sure to create the following secrets:
  "${HTTPS_SECRET}" containing the ${HTTPS_KEYSTORE} file used for serving
  secure content; "${JGROUPS_ENCRYPT_SECRET}" containing the
  ${JGROUPS_ENCRYPT_KEYSTORE} file used for securing JGroups communications;
  "${SSO_TRUSTSTORE_SECRET}" containing the ${SSO_TRUSTSTORE} file used for
  securing RH-SSO requests.
metadata:
  annotations:
    description: >-
      An example RH-SSO 7 application with an external Oracle database. For more
      information about using this template, see
      https://github.com/schen1/rh-sso-oracledb.
    iconClass: icon-sso
    openshift.io/display-name: Red Hat Single Sign-On 7.4 + Oracle DB (External)
    openshift.io/provider-display-name: 'Red Hat, Inc.'
    tags: 'sso,keycloak,jboss'
    template.openshift.io/documentation-url: 'https://access.redhat.com/documentation/en/red-hat-single-sign-on/'
    template.openshift.io/long-description: >-
      This template defines the resources for a Red Hat Single Sign-On 7.4 server
      deployment that uses an external Oracle database (the database itself is not
      deployed by this template), with client traffic to RH-SSO secured by edge TLS
      termination on the route.
    template.openshift.io/support-url: 'https://access.redhat.com'
  name: sso74-oracle
objects:
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      description: The web server's http port.
      # Refers to a Service this template does not create (the database is external).
      service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-oracle", "kind": "Service"}]'
    labels:
      application: '${APPLICATION_NAME}'
    name: '${APPLICATION_NAME}'
  spec:
    ports:
    - port: 8080
      targetPort: 8080
    selector:
      deploymentConfig: '${APPLICATION_NAME}'
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      description: The web server's https port.
      # Refers to a Service this template does not create (the database is external).
      service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-oracle", "kind": "Service"}]'
    labels:
      application: '${APPLICATION_NAME}'
    name: 'secure-${APPLICATION_NAME}'
  spec:
    ports:
    - port: 8443
      targetPort: 8443
    selector:
      deploymentConfig: '${APPLICATION_NAME}'
- apiVersion: v1
  id: '${APPLICATION_NAME}-http'
  kind: Route
  metadata:
    annotations:
      description: Route for application's http service.
    labels:
      application: '${APPLICATION_NAME}'
    name: '${APPLICATION_NAME}'
  spec:
    # No TLS on this route: anything reaching RH-SSO through it travels in plaintext.
    host: '${HOSTNAME_HTTP}'
    to:
      name: '${APPLICATION_NAME}'
- apiVersion: v1
  id: '${APPLICATION_NAME}-https'
  kind: Route
  metadata:
    annotations:
      description: Route for application's https service.
    labels:
      application: '${APPLICATION_NAME}'
    name: 'secure-${APPLICATION_NAME}'
  spec:
    host: '${HOSTNAME_HTTPS}'
    tls:
      # Edge termination: the router holds the certificate and forwards plaintext to
      # the 8080 service; the secure-${APPLICATION_NAME} service on 8443 is not used
      # by either route.
      termination: edge
    to:
      name: '${APPLICATION_NAME}'
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    labels:
      application: '${APPLICATION_NAME}'
    name: '${APPLICATION_NAME}'
  spec:
    replicas: 1
    selector:
      deploymentConfig: '${APPLICATION_NAME}'
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          application: '${APPLICATION_NAME}'
          deploymentConfig: '${APPLICATION_NAME}'
        name: '${APPLICATION_NAME}'
      spec:
        containers:
        # Passwords given below as a literal value: are stored in the DeploymentConfig
        # spec and are readable by anyone who can get the DC; only the admin and
        # Oracle credentials come from Secrets via secretKeyRef.
        - env:
          - name: DB_SERVICE_PREFIX_MAPPING
            value: ''
          - name: DB_JNDI
            value: '${DB_JNDI}'
          - name: TX_DATABASE_PREFIX_MAPPING
            value: ''
          - name: DB_MIN_POOL_SIZE
            value: '${DB_MIN_POOL_SIZE}'
          - name: DB_MAX_POOL_SIZE
            value: '${DB_MAX_POOL_SIZE}'
          - name: DB_TX_ISOLATION
            value: '${DB_TX_ISOLATION}'
          - name: JGROUPS_PING_PROTOCOL
            value: openshift.KUBE_PING
          - name: KUBERNETES_NAMESPACE
            value: '${KUBERNETES_NAMESPACE}'
          - name: KUBERNETES_LABELS
            value: '${KUBERNETES_LABELS}'
          - name: HTTPS_KEYSTORE_DIR
            value: /etc/eap-secret-volume
          - name: HTTPS_KEYSTORE
            value: '${HTTPS_KEYSTORE}'
          - name: HTTPS_KEYSTORE_TYPE
            value: '${HTTPS_KEYSTORE_TYPE}'
          - name: HTTPS_NAME
            value: '${HTTPS_NAME}'
          - name: HTTPS_PASSWORD
            value: '${HTTPS_PASSWORD}'
          - name: JGROUPS_ENCRYPT_SECRET
            value: '${JGROUPS_ENCRYPT_SECRET}'
          - name: JGROUPS_ENCRYPT_KEYSTORE_DIR
            value: /etc/jgroups-encrypt-secret-volume
          - name: JGROUPS_ENCRYPT_KEYSTORE
            value: '${JGROUPS_ENCRYPT_KEYSTORE}'
          - name: JGROUPS_ENCRYPT_NAME
            value: '${JGROUPS_ENCRYPT_NAME}'
          - name: JGROUPS_ENCRYPT_PASSWORD
            value: '${JGROUPS_ENCRYPT_PASSWORD}'
          - name: JGROUPS_CLUSTER_PASSWORD
            value: '${JGROUPS_CLUSTER_PASSWORD}'
          - name: SSO_ADMIN_USERNAME
            valueFrom:
              secretKeyRef:
                key: username
                name: '${APPLICATION_NAME}-admin-secret'
          - name: SSO_ADMIN_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: '${APPLICATION_NAME}-admin-secret'
          - name: SSO_REALM
            value: '${SSO_REALM}'
          - name: SSO_SERVICE_USERNAME
            value: '${SSO_SERVICE_USERNAME}'
          - name: SSO_SERVICE_PASSWORD
            value: '${SSO_SERVICE_PASSWORD}'
          - name: SSO_TRUSTSTORE
            value: '${SSO_TRUSTSTORE}'
          - name: SSO_TRUSTSTORE_DIR
            value: /etc/sso-secret-volume
          - name: SSO_TRUSTSTORE_PASSWORD
            value: '${SSO_TRUSTSTORE_PASSWORD}'
          - name: ORACLE_USERNAME
            valueFrom:
              secretKeyRef:
                key: username
                name: '${APPLICATION_NAME}-oracle-secret'
          - name: ORACLE_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: '${APPLICATION_NAME}-oracle-secret'
          - name: ORACLE_SERVICE_HOST
            value: '${ORACLE_SERVICE_HOST}'
          - name: ORACLE_SERVICE_PORT
            value: '${ORACLE_SERVICE_PORT}'
          - name: ORACLE_SERVICE_HOST_2
            value: '${ORACLE_SERVICE_HOST_2}'
          - name: ORACLE_SERVICE_PORT_2
            value: '${ORACLE_SERVICE_PORT_2}'
          - name: ORACLE_SERVICE_NAME
            value: '${ORACLE_SERVICE_NAME}'
          image: '${IMAGE}'
          imagePullPolicy: Always
          livenessProbe:
            exec:
              command:
              - /bin/bash
              - '-c'
              - /opt/eap/bin/livenessProbe.sh
            initialDelaySeconds: 60
          name: '${APPLICATION_NAME}'
          ports:
          - containerPort: 8778
            name: jolokia
            protocol: TCP
          - containerPort: 8080
            name: http
            protocol: TCP
          - containerPort: 8443
            name: https
            protocol: TCP
          - containerPort: 8888
            name: ping
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - /bin/bash
              - '-c'
              - /opt/eap/bin/readinessProbe.sh
          resources:
            limits:
              cpu: '${CPU_LIMIT}'
              memory: '${MEMORY_LIMIT}'
          volumeMounts:
          - mountPath: /etc/eap-secret-volume
            name: eap-keystore-volume
            readOnly: true
          - mountPath: /etc/jgroups-encrypt-secret-volume
            name: eap-jgroups-keystore-volume
            readOnly: true
          - mountPath: /etc/sso-secret-volume
            name: sso-truststore-volume
            readOnly: true
        terminationGracePeriodSeconds: 75
        volumes:
        - name: eap-keystore-volume
          secret:
            secretName: '${HTTPS_SECRET}'
        - name: eap-jgroups-keystore-volume
          secret:
            secretName: '${JGROUPS_ENCRYPT_SECRET}'
        - name: sso-truststore-volume
          secret:
            secretName: '${SSO_TRUSTSTORE_SECRET}'
    triggers:
    - type: ConfigChange
- apiVersion: v1
  kind: Secret
  metadata:
    annotations:
      template.openshift.io/base64-expose-password: '{.data[''password'']}'
    name: '${APPLICATION_NAME}-admin-secret'
  stringData:
    password: '${SSO_ADMIN_PASSWORD}'
    username: '${SSO_ADMIN_USERNAME}'
- apiVersion: v1
  kind: Secret
  metadata:
    annotations:
      template.openshift.io/base64-expose-password: '{.data[''password'']}'
    name: '${APPLICATION_NAME}-oracle-secret'
  stringData:
    password: '${ORACLE_PASSWORD}'
    username: '${ORACLE_USERNAME}'
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: view
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: view
  subjects:
  # Needed so openshift.KUBE_PING can list the pods in the project; note that the
  # binding applies to every pod in the project that runs as the default
  # ServiceAccount, not only to RH-SSO.
  - kind: ServiceAccount
    name: default
parameters:
- description: The name for the application.
  displayName: Application Name
  name: APPLICATION_NAME
  required: true
  value: sso
- description: The image
  displayName: 'The Image (e.g.: quay.io/abc/xyz:latest)'
  name: IMAGE
  required: true
- description: >-
    Custom hostname for http service route. Leave blank for default hostname,
    e.g.: <application-name>.<project>.<default-domain-suffix>
  displayName: Custom http Route Hostname
  name: HOSTNAME_HTTP
- description: >-
    Custom hostname for https service route. Leave blank for default hostname,
    e.g.: <application-name>.<project>.<default-domain-suffix>
  displayName: Custom https Route Hostname
  name: HOSTNAME_HTTPS
- description: >-
    Database JNDI name used by the application to resolve the datasource, e.g.
    java:jboss/datasources/KeycloakDS
  displayName: Database JNDI Name
  name: DB_JNDI
  value: 'java:jboss/datasources/KeycloakDS'
- description: Database username
  displayName: Database Username
  name: ORACLE_USERNAME
  required: true
- description: Database password
  displayName: Database Password
  name: ORACLE_PASSWORD
  required: true
- description: Database service host 1
  displayName: Database Service Host 1
  name: ORACLE_SERVICE_HOST
  required: true
- description: Database service port 1
  displayName: Database Service Port 1
  name: ORACLE_SERVICE_PORT
  required: true
  value: "1521"
- description: Database service host 2
  displayName: Database Service Host 2
  name: ORACLE_SERVICE_HOST_2
  required: true
- description: Database service port 2
  displayName: Database Service Port 2
  name: ORACLE_SERVICE_PORT_2
  required: true
  value: "1521"
- description: Database service name
  displayName: Database Service Name
  name: ORACLE_SERVICE_NAME
  required: true
  value: "XXX_PRIMARY.WORLD"
# HTTPS_SECRET, JGROUPS_ENCRYPT_SECRET and SSO_TRUSTSTORE_SECRET all default to
# the same secret (sso-truststore), so by default one secret must hold the
# keystore, the JGroups keystore and the truststore files.
- description: The name of the secret containing the keystore file
  displayName: Server Keystore Secret Name
  name: HTTPS_SECRET
  value: sso-truststore
- description: The name of the keystore file within the secret
  displayName: Server Keystore Filename
  name: HTTPS_KEYSTORE
  value: keystore.jks
- description: The type of the keystore file (JKS or JCEKS)
  displayName: Server Keystore Type
  name: HTTPS_KEYSTORE_TYPE
- description: The name associated with the server certificate (e.g. jboss)
  displayName: Server Certificate Name
  name: HTTPS_NAME
- description: The password for the keystore and certificate (e.g. mykeystorepass)
  displayName: Server Keystore Password
  name: HTTPS_PASSWORD
- description: Sets xa-pool/min-pool-size for the configured datasource.
  displayName: Datasource Minimum Pool Size
  name: DB_MIN_POOL_SIZE
- description: Sets xa-pool/max-pool-size for the configured datasource.
  displayName: Datasource Maximum Pool Size
  name: DB_MAX_POOL_SIZE
- description: Sets transaction-isolation for the configured datasource.
  displayName: Datasource Transaction Isolation
  name: DB_TX_ISOLATION
- description: The name of the secret containing the JGroups keystore file
  displayName: JGroups Secret Name
  name: JGROUPS_ENCRYPT_SECRET
  value: sso-truststore
- description: The name of the keystore file within the secret
  displayName: JGroups Keystore Filename
  name: JGROUPS_ENCRYPT_KEYSTORE
  value: jgroups.jceks
- description: The name associated with the server certificate (e.g. secret-key)
  displayName: JGroups Certificate Name
  name: JGROUPS_ENCRYPT_NAME
- description: The password for the keystore and certificate (e.g. password)
  displayName: JGroups Keystore Password
  name: JGROUPS_ENCRYPT_PASSWORD
# The three generated values below are 8 alphanumeric characters each (62^8
# possibilities, roughly 47.6 bits); pass longer values explicitly if policy
# requires more.
- description: JGroups cluster password
  displayName: JGroups Cluster Password
  from: '[a-zA-Z0-9]{8}'
  generate: expression
  name: JGROUPS_CLUSTER_PASSWORD
  required: true
- description: RH-SSO Server administrator username
  displayName: RH-SSO Administrator Username
  from: '[a-zA-Z0-9]{8}'
  generate: expression
  name: SSO_ADMIN_USERNAME
  required: true
- description: RH-SSO Server administrator password
  displayName: RH-SSO Administrator Password
  from: '[a-zA-Z0-9]{8}'
  generate: expression
  name: SSO_ADMIN_PASSWORD
  required: true
- description: Realm to be created in the RH-SSO server (e.g. demorealm).
  displayName: RH-SSO Realm
  name: SSO_REALM
- description: >-
    The username used to access the RH-SSO service. This is used by clients to
    create the application client(s) within the specified RH-SSO realm.
  displayName: RH-SSO Service Username
  name: SSO_SERVICE_USERNAME
- description: The password for the RH-SSO service user.
  displayName: RH-SSO Service Password
  name: SSO_SERVICE_PASSWORD
- description: The name of the truststore file within the secret (e.g. truststore.jks)
  displayName: RH-SSO Trust Store
  name: SSO_TRUSTSTORE
- description: The password for the truststore and certificate (e.g. mykeystorepass)
  displayName: RH-SSO Trust Store Password
  name: SSO_TRUSTSTORE_PASSWORD
- description: >-
    The name of the secret containing the truststore file (e.g.
    truststore-secret). Used for volume secretName
  displayName: RH-SSO Trust Store Secret
  name: SSO_TRUSTSTORE_SECRET
  value: sso-truststore
- description: Container memory limit.
  displayName: Container Memory Limit
  name: MEMORY_LIMIT
  value: 2Gi
- description: Container cpu limit.
  displayName: Container cpu Limit
  name: CPU_LIMIT
  value: '1'
- description: >-
    The SSO namespace to set up for clustering
  displayName: SSO namespace to set up for clustering
  name: KUBERNETES_NAMESPACE
- description: SSO pods labels (eg application=sso).
  displayName: SSO pods labels to set up for clustering
  name: KUBERNETES_LABELS
  value: application=sso
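Two checks a reviewer would want to run against a template like this one, written here as an added example (not part of the rh-sso-oracledb project and not Red Hat tooling): which `*PASSWORD*` environment variables the DeploymentConfig sets with an inline `value:` (and therefore stores in the DC spec) rather than a `secretKeyRef`, and how much entropy the `generate: expression` patterns such as `[a-zA-Z0-9]{8}` actually give the admin password. It uses only the Python standard library; `ENV_EXCERPT` is a constructed copy of part of the template's `env:` list, the line-oriented parser is specific to that `- name:` / `value:` / `valueFrom:` shape rather than a general YAML parser, and the expression generator handles only bracket classes, `{n}` repetition and literal characters (the backslash escapes OpenShift also accepts are not handled).

```python
import math
import re
import secrets
from typing import Iterator, List, Tuple

# Constructed excerpt of the container env list from the template above; the
# non-password entries are included so the filter is exercised.
ENV_EXCERPT = """
        - env:
          - name: DB_JNDI
            value: '${DB_JNDI}'
          - name: HTTPS_PASSWORD
            value: '${HTTPS_PASSWORD}'
          - name: JGROUPS_ENCRYPT_PASSWORD
            value: '${JGROUPS_ENCRYPT_PASSWORD}'
          - name: JGROUPS_CLUSTER_PASSWORD
            value: '${JGROUPS_CLUSTER_PASSWORD}'
          - name: SSO_ADMIN_USERNAME
            valueFrom:
              secretKeyRef:
                key: username
                name: '${APPLICATION_NAME}-admin-secret'
          - name: SSO_ADMIN_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: '${APPLICATION_NAME}-admin-secret'
          - name: SSO_SERVICE_PASSWORD
            value: '${SSO_SERVICE_PASSWORD}'
          - name: SSO_TRUSTSTORE_PASSWORD
            value: '${SSO_TRUSTSTORE_PASSWORD}'
          - name: ORACLE_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: '${APPLICATION_NAME}-oracle-secret'
"""

_NAME_RE = re.compile(r"^- name:\s*(\S+)\s*$")


def inline_password_envs(env_yaml: str) -> List[str]:
    """Names containing PASSWORD whose value is given inline (`value:`) rather
    than through `valueFrom:`. Inline values live in the DeploymentConfig spec
    and are visible to anyone allowed to read the DC."""
    lines = [ln.strip() for ln in env_yaml.splitlines() if ln.strip()]
    found = []
    for i, ln in enumerate(lines):
        m = _NAME_RE.match(ln)
        if not m or "PASSWORD" not in m.group(1):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("value:"):
            found.append(m.group(1))
    return found


# One unit of a `generate: expression` pattern: a bracket class with optional
# {n} repetition, or a single literal character with optional {n}.
_TOKEN_RE = re.compile(r"\[([^\]]+)\](?:\{(\d+)\})?|(.)(?:\{(\d+)\})?")


def _expand_class(body: str) -> str:
    """Expand a bracket class body such as 'a-zA-Z0-9' into its member characters."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(sorted(set(chars)))


def _tokens(expr: str) -> Iterator[Tuple[str, int]]:
    """Yield (alphabet, repeat count) for each unit of the pattern."""
    for m in _TOKEN_RE.finditer(expr):
        cls, n_cls, lit, n_lit = m.groups()
        if cls is not None:
            yield _expand_class(cls), int(n_cls or 1)
        else:
            yield lit, int(n_lit or 1)  # a literal contributes 0 bits


def expression_entropy_bits(expr: str) -> float:
    """Entropy in bits of a value drawn uniformly for the pattern."""
    return sum(n * math.log2(len(alpha)) for alpha, n in _tokens(expr))


def generate_from_expression(expr: str) -> str:
    """Draw one value for the pattern from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alpha) for alpha, n in _tokens(expr) for _ in range(n))


if __name__ == "__main__":
    print("password envs stored inline in the DC:", inline_password_envs(ENV_EXCERPT))
    for pattern in ("[a-zA-Z0-9]{8}", "[a-zA-Z0-9]{32}"):
        print(f"{pattern}: {expression_entropy_bits(pattern):.1f} bits, e.g. "
              f"{generate_from_expression(pattern)}")
```

Run against the excerpt, the first check reports the five keystore, JGroups, service-user and truststore passwords, which is exactly the set that is not routed through a Secret in the template, while the admin and Oracle passwords pass. The entropy figure for the default `[a-zA-Z0-9]{8}` comes out at about 47.6 bits; the same helper shows what a 32-character pattern would give if you override the parameter.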