├── .DS_Store ├── .github └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.adoc ├── README.adoc.in ├── docs ├── README.adoc └── templates │ ├── passthrough │ ├── ocp-3.x │ │ ├── sso76-ocp3-https.adoc │ │ ├── sso76-ocp3-postgresql-persistent.adoc │ │ └── sso76-ocp3-postgresql.adoc │ ├── ocp-4.x │ │ ├── sso76-ocp4-https.adoc │ │ ├── sso76-ocp4-postgresql-persistent.adoc │ │ └── sso76-ocp4-postgresql.adoc │ ├── sso76-https.adoc │ ├── sso76-postgresql-persistent.adoc │ └── sso76-postgresql.adoc │ └── reencrypt │ ├── ocp-3.x │ ├── sso76-ocp3-x509-https.adoc │ └── sso76-ocp3-x509-postgresql-persistent.adoc │ └── ocp-4.x │ ├── sso76-ocp4-x509-https.adoc │ └── sso76-ocp4-x509-postgresql-persistent.adoc ├── release-notes.adoc.in ├── sso.adoc.in ├── template.adoc.in └── templates ├── passthrough ├── ocp-3.x │ ├── sso76-ocp3-https.json │ ├── sso76-ocp3-postgresql-persistent.json │ └── sso76-ocp3-postgresql.json └── ocp-4.x │ ├── sso76-ocp4-https.json │ ├── sso76-ocp4-postgresql-persistent.json │ └── sso76-ocp4-postgresql.json ├── reencrypt ├── ocp-3.x │ ├── sso76-ocp3-x509-https.json │ └── sso76-ocp3-x509-postgresql-persistent.json └── ocp-4.x │ ├── sso76-ocp4-x509-https.json │ └── sso76-ocp4-x509-postgresql-persistent.json ├── scripts ├── README.adoc ├── gen_template_docs.py └── requirements.txt └── sso76-image-stream.json /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/61499e06365be37ca51c01553ae3208c0fc7f1e7/.DS_Store -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Thanks for submitting your Pull Request! 
2 | 3 | Please make sure your PR meets the following requirements: 4 | 5 | - [ ] Pull Request title is properly formatted: `[CLOUD-XYA] Subject` 6 | - [ ] Pull Request contains link to the JIRA issue 7 | - [ ] Pull Request contains description of the issue 8 | - [ ] Pull Request does not include fixes for issues other than the main ticket 9 | - [ ] Attached commits represent units of work and are properly formatted 10 | - [ ] You have read and agreed to the Developer Certificate of Origin (DCO) (see `CONTRIBUTING.md`) 11 | - [ ] Every commit contains `Signed-off-by: Your Name ` - use `git commit -s` 12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.iml 2 | .idea 3 | target 4 | /.project 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | This project requires the Developer Certificate of Origin (DCO) process to be 2 | followed. The DCO is an attestation attached to every contribution made by every 3 | developer, signifying that the developer licenses their contribution under the 4 | open source license governing the file(s) being modified. In the commit message 5 | of the contribution, simply add a Signed-off-by statement, which signifies 6 | agreement to the text at http://developercertificate.org, reproduced below: 7 | 8 | Developer Certificate of Origin 9 | Version 1.1 10 | 11 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 12 | 1 Letterman Drive 13 | Suite D4700 14 | San Francisco, CA, 94129 15 | 16 | Everyone is permitted to copy and distribute verbatim copies of this 17 | license document, but changing it is not allowed. 
18 | 19 | Developer's Certificate of Origin 1.1 20 | 21 | By making a contribution to this project, I certify that: 22 | 23 | (a) The contribution was created in whole or in part by me and I 24 | have the right to submit it under the open source license 25 | indicated in the file; or 26 | 27 | (b) The contribution is based upon previous work that, to the best 28 | of my knowledge, is covered under an appropriate open source 29 | license and I have the right under that license to submit that 30 | work with modifications, whether created in whole or in part 31 | by me, under the same open source license (unless I am 32 | permitted to submit under a different license), as indicated 33 | in the file; or 34 | 35 | (c) The contribution was provided directly to me by some other 36 | person who certified (a), (b) or (c) and I have not modified 37 | it. 38 | 39 | (d) I understand and agree that this project and the contribution 40 | are public and that a record of the contribution (including all 41 | personal information I submit with it, including my sign-off) is 42 | maintained indefinitely and may be redistributed consistent with 43 | this project or the open source license(s) involved. 44 | 45 | The DCO requires a signoff message in the following format to appear on each 46 | commit: 47 | 48 | Signed-off-by: Your Name 49 | 50 | If you set your user.name and user.email git configs, you can sign your commit 51 | automatically with git commit -s. 52 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 
11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | # Red Hat Single Sign-On 7.6 for OpenJDK 2 | 3 | == License 4 | 5 | See link:LICENSE[LICENSE] file. 6 | 7 | 8 | -------------------------------------------------------------------------------- /README.adoc.in: -------------------------------------------------------------------------------- 1 | = Application Templates for Red Hat Single Sign-On 7.6 on OpenShift container images 2 | 3 | This project contains OpenShift v3 / v4 application templates which support applications based on JBoss Middleware products. 4 | Source can be found https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev[here]. 
5 | 6 | :icons: font 7 | :toc: macro 8 | 9 | toc::[levels=1] 10 | -------------------------------------------------------------------------------- /docs/README.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = Application Templates for Red Hat Single Sign-On 7.6 on OpenShift container images 8 | 9 | This project contains OpenShift v3 / v4 application templates which support applications based on JBoss Middleware products. 10 | Source can be found https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev[here]. 11 | 12 | :icons: font 13 | :toc: macro 14 | 15 | toc::[levels=1] 16 | 17 | == templates/passthrough/ocp-3.x 18 | 19 | * link:./templates/passthrough/ocp-3.x/sso76-ocp3-https.adoc[sso76-ocp3-https] 20 | * link:./templates/passthrough/ocp-3.x/sso76-ocp3-postgresql-persistent.adoc[sso76-ocp3-postgresql-persistent] 21 | * link:./templates/passthrough/ocp-3.x/sso76-ocp3-postgresql.adoc[sso76-ocp3-postgresql] 22 | 23 | == templates/passthrough/ocp-4.x 24 | 25 | * link:./templates/passthrough/ocp-4.x/sso76-ocp4-https.adoc[sso76-ocp4-https] 26 | * link:./templates/passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.adoc[sso76-ocp4-postgresql-persistent] 27 | * link:./templates/passthrough/ocp-4.x/sso76-ocp4-postgresql.adoc[sso76-ocp4-postgresql] 28 | 29 | == templates/reencrypt/ocp-3.x 30 | 31 | * link:./templates/reencrypt/ocp-3.x/sso76-ocp3-x509-https.adoc[sso76-ocp3-x509-https] 32 | * link:./templates/reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.adoc[sso76-ocp3-x509-postgresql-persistent] 33 | 34 | == templates/reencrypt/ocp-4.x 35 | 36 | * link:./templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.adoc[sso76-ocp4-x509-https] 37 | * 
link:./templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.adoc[sso76-ocp4-x509-postgresql-persistent] 38 | 39 | //// 40 | the source for the release notes part of this page is in the file 41 | ./release-notes.adoc.in 42 | //// 43 | 44 | == Release Notes 45 | 46 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-3.x/sso76-ocp3-https.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp3-https 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. 
| -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 31 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 32 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 33 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 34 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 35 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 36 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 37 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 38 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 39 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 40 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 41 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 42 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 43 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. 
These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 44 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 45 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 46 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 47 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 48 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 49 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 50 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 51 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 52 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 53 | |======================================================================= 54 | 55 | 56 | 57 | == Objects 58 | 59 | The CLI supports various object types. A list of these object types as well as their abbreviations 60 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 61 | 62 | 63 | === Services 64 | 65 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. 
Refer to the 66 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 67 | 68 | |============= 69 | |Service |Port |Name | Description 70 | 71 | .1+| `${APPLICATION_NAME}` 72 | |8080 | -- 73 | .1+| The web server's http port. 74 | .1+| `secure-${APPLICATION_NAME}` 75 | |8443 | -- 76 | .1+| The web server's https port. 77 | .1+| `${APPLICATION_NAME}-ping` 78 | |8888 | ping 79 | .1+| The JGroups ping port for clustering. 80 | |============= 81 | 82 | 83 | 84 | === Routes 85 | 86 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 87 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 88 | of a route name, service selector, and (optionally) security configuration. Refer to the 89 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 90 | 91 | |============= 92 | | Service | Security | Hostname 93 | 94 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 95 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 96 | |============= 97 | 98 | 99 | 100 | 101 | === Deployment Configurations 102 | 103 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 104 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 105 | 106 | 107 | ==== Triggers 108 | 109 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. 
Refer to the 110 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 111 | 112 | |============ 113 | |Deployment | Triggers 114 | 115 | |`${APPLICATION_NAME}` | ImageChange 116 | |============ 117 | 118 | 119 | 120 | ==== Replicas 121 | 122 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 123 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 124 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 125 | for more information. 126 | 127 | |============ 128 | |Deployment | Replicas 129 | 130 | |`${APPLICATION_NAME}` | 1 131 | |============ 132 | 133 | 134 | ==== Pod Template 135 | 136 | 137 | 138 | 139 | ===== Image 140 | 141 | |============ 142 | |Deployment | Image 143 | 144 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 145 | |============ 146 | 147 | 148 | 149 | ===== Readiness Probe 150 | 151 | 152 | .${APPLICATION_NAME} 153 | ---- 154 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 155 | ---- 156 | 157 | 158 | 159 | 160 | ===== Exposed Ports 161 | 162 | |============= 163 | |Deployments | Name | Port | Protocol 164 | 165 | .4+| `${APPLICATION_NAME}` 166 | |jolokia | 8778 | `TCP` 167 | |http | 8080 | `TCP` 168 | |https | 8443 | `TCP` 169 | |ping | 8888 | `TCP` 170 | |============= 171 | 172 | 173 | 174 | ===== Image Environment Variables 175 | 176 | |======================================================================= 177 | |Deployment |Variable name |Description |Example value 178 | 179 | .26+| `${APPLICATION_NAME}` 180 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 181 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 182 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. 
| `${DB_MAX_POOL_SIZE}` 183 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 184 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 185 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 186 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 187 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 188 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 189 | |`HTTPS_KEYSTORE_TYPE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE_TYPE}` 190 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 191 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 192 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 193 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 194 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 195 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` 196 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 197 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 198 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 199 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 200 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 201 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. 
| `${SSO_SERVICE_USERNAME}` 202 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 203 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 204 | |`SSO_TRUSTSTORE_DIR` | The name of the truststore file within the secret (e.g. truststore.jks) | `/etc/sso-secret-volume` 205 | |`SSO_TRUSTSTORE_PASSWORD` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE_PASSWORD}` 206 | |======================================================================= 207 | 208 | 209 | 210 | ===== Volumes 211 | 212 | |============= 213 | |Deployment |Name | mountPath | Purpose | readOnly 214 | 215 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 216 | |============= 217 | 218 | 219 | === External Dependencies 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | [[tls]] 229 | == TLS/SSL configuration 230 | 231 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 232 | 233 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains a example of such a configuration. 234 | 235 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them. 
A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 236 | 237 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 238 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-3.x/sso76-ocp3-postgresql-persistent.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp3-postgresql-persistent 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 
22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. 
This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`VOLUME_CAPACITY` | -- | Size of persistent storage for database volume. | 1Gi | True 45 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 46 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 47 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 48 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 49 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 50 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 51 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 52 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 53 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). 
| `${SSO_REALM}` | False 54 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 55 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 56 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 57 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 58 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 59 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 60 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 61 | |======================================================================= 62 | 63 | 64 | 65 | == Objects 66 | 67 | The CLI supports various object types. A list of these object types as well as their abbreviations 68 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 69 | 70 | 71 | === Services 72 | 73 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 74 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 75 | 76 | |============= 77 | |Service |Port |Name | Description 78 | 79 | .1+| `${APPLICATION_NAME}` 80 | |8080 | -- 81 | .1+| The web server's http port. 82 | .1+| `secure-${APPLICATION_NAME}` 83 | |8443 | -- 84 | .1+| The web server's https port. 
85 | .1+| `${APPLICATION_NAME}-postgresql` 86 | |5432 | -- 87 | .1+| The database server's port. 88 | .1+| `${APPLICATION_NAME}-ping` 89 | |8888 | ping 90 | .1+| The JGroups ping port for clustering. 91 | |============= 92 | 93 | 94 | 95 | === Routes 96 | 97 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 98 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 99 | of a route name, service selector, and (optionally) security configuration. Refer to the 100 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 101 | 102 | |============= 103 | | Service | Security | Hostname 104 | 105 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 106 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 107 | |============= 108 | 109 | 110 | 111 | 112 | === Deployment Configurations 113 | 114 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 115 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 116 | 117 | 118 | ==== Triggers 119 | 120 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 121 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
122 | 123 | |============ 124 | |Deployment | Triggers 125 | 126 | |`${APPLICATION_NAME}` | ImageChange 127 | |`${APPLICATION_NAME}-postgresql` | ImageChange 128 | |============ 129 | 130 | 131 | 132 | ==== Replicas 133 | 134 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 135 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 136 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 137 | for more information. 138 | 139 | |============ 140 | |Deployment | Replicas 141 | 142 | |`${APPLICATION_NAME}` | 1 143 | |`${APPLICATION_NAME}-postgresql` | 1 144 | |============ 145 | 146 | 147 | ==== Pod Template 148 | 149 | 150 | 151 | 152 | ===== Image 153 | 154 | |============ 155 | |Deployment | Image 156 | 157 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 158 | |`${APPLICATION_NAME}-postgresql` | postgresql 159 | |============ 160 | 161 | 162 | 163 | ===== Readiness Probe 164 | 165 | 166 | .${APPLICATION_NAME} 167 | ---- 168 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 169 | ---- 170 | 171 | .${APPLICATION_NAME}-postgresql 172 | ---- 173 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 174 | ---- 175 | 176 | 177 | 178 | 179 | ===== Exposed Ports 180 | 181 | |============= 182 | |Deployments | Name | Port | Protocol 183 | 184 | .4+| `${APPLICATION_NAME}` 185 | |jolokia | 8778 | `TCP` 186 | |http | 8080 | `TCP` 187 | |https | 8443 | `TCP` 188 | |ping | 8888 | `TCP` 189 | .1+| `${APPLICATION_NAME}-postgresql` 190 | |-- | 5432 | `TCP` 191 | |============= 192 | 193 | 194 | 195 | ===== Image Environment Variables 196 | 197 | |======================================================================= 198 | |Deployment |Variable name |Description |Example value 199 | 200 | .32+| `${APPLICATION_NAME}` 201 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 202 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 203 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 204 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 205 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 206 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 207 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 208 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 209 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 210 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 211 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 212 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 213 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 214 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 215 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 216 | |`HTTPS_KEYSTORE_TYPE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE_TYPE}` 217 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 218 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 219 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 220 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 221 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 222 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. 
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 223 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 224 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 225 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 226 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 227 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 228 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 229 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 230 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 231 | |`SSO_TRUSTSTORE_DIR` | The directory where the secret holding the truststore file is mounted | `/etc/sso-secret-volume` 232 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 233 | .6+| `${APPLICATION_NAME}-postgresql` 234 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 235 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 236 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 237 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 239 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. 
| `${POSTGRESQL_SHARED_BUFFERS}` 240 | |======================================================================= 241 | 242 | 243 | 244 | ===== Volumes 245 | 246 | |============= 247 | |Deployment |Name | mountPath | Purpose | readOnly 248 | 249 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 250 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-postgresql-pvol` | `/var/lib/pgsql/data` | postgresql | false 251 | |============= 252 | 253 | 254 | === External Dependencies 255 | 256 | 257 | ==== Volume Claims 258 | 259 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 260 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 261 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 262 | more information. 263 | 264 | |============= 265 | |Name | Access Mode 266 | 267 | |`${APPLICATION_NAME}-postgresql-claim` | ReadWriteOnce 268 | |============= 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | [[tls]] 278 | == TLS/SSL configuration 279 | 280 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 281 | 282 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] 
The `sso-*-x509-https.json` template contains an example of such a configuration. 283 | 284 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 285 | 286 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 287 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-3.x/sso76-ocp3-postgresql.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp3-postgresql 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. 
Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. 
| `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 45 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 46 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 47 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 48 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 49 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 50 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 51 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 52 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). 
| `${SSO_REALM}` | False 53 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 54 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 55 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 56 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 57 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 58 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 59 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 60 | |======================================================================= 61 | 62 | 63 | 64 | == Objects 65 | 66 | The CLI supports various object types. A list of these object types as well as their abbreviations 67 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 68 | 69 | 70 | === Services 71 | 72 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 73 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 74 | 75 | |============= 76 | |Service |Port |Name | Description 77 | 78 | .1+| `${APPLICATION_NAME}` 79 | |8080 | -- 80 | .1+| The web server's http port. 81 | .1+| `secure-${APPLICATION_NAME}` 82 | |8443 | -- 83 | .1+| The web server's https port. 
84 | .1+| `${APPLICATION_NAME}-postgresql` 85 | |5432 | -- 86 | .1+| The database server's port. 87 | .1+| `${APPLICATION_NAME}-ping` 88 | |8888 | ping 89 | .1+| The JGroups ping port for clustering. 90 | |============= 91 | 92 | 93 | 94 | === Routes 95 | 96 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 97 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 98 | of a route name, service selector, and (optionally) security configuration. Refer to the 99 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 100 | 101 | |============= 102 | | Service | Security | Hostname 103 | 104 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 105 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 106 | |============= 107 | 108 | 109 | 110 | 111 | === Deployment Configurations 112 | 113 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 114 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 115 | 116 | 117 | ==== Triggers 118 | 119 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 120 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
121 | 122 | |============ 123 | |Deployment | Triggers 124 | 125 | |`${APPLICATION_NAME}` | ImageChange 126 | |`${APPLICATION_NAME}-postgresql` | ImageChange 127 | |============ 128 | 129 | 130 | 131 | ==== Replicas 132 | 133 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 134 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 135 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 136 | for more information. 137 | 138 | |============ 139 | |Deployment | Replicas 140 | 141 | |`${APPLICATION_NAME}` | 1 142 | |`${APPLICATION_NAME}-postgresql` | 1 143 | |============ 144 | 145 | 146 | ==== Pod Template 147 | 148 | 149 | 150 | 151 | ===== Image 152 | 153 | |============ 154 | |Deployment | Image 155 | 156 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 157 | |`${APPLICATION_NAME}-postgresql` | postgresql 158 | |============ 159 | 160 | 161 | 162 | ===== Readiness Probe 163 | 164 | 165 | .${APPLICATION_NAME} 166 | ---- 167 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 168 | ---- 169 | 170 | .${APPLICATION_NAME}-postgresql 171 | ---- 172 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 173 | ---- 174 | 175 | 176 | 177 | 178 | ===== Exposed Ports 179 | 180 | |============= 181 | |Deployments | Name | Port | Protocol 182 | 183 | .4+| `${APPLICATION_NAME}` 184 | |jolokia | 8778 | `TCP` 185 | |http | 8080 | `TCP` 186 | |https | 8443 | `TCP` 187 | |ping | 8888 | `TCP` 188 | .1+| `${APPLICATION_NAME}-postgresql` 189 | |-- | 5432 | `TCP` 190 | |============= 191 | 192 | 193 | 194 | ===== Image Environment Variables 195 | 196 | |======================================================================= 197 | |Deployment |Variable name |Description |Example value 198 | 199 | .32+| `${APPLICATION_NAME}` 200 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 201 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 202 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 203 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 204 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 205 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 206 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 207 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 208 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 209 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 210 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 211 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 212 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 213 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 214 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 215 | |`HTTPS_KEYSTORE_TYPE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE_TYPE}` 216 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 217 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 218 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 219 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 220 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 221 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. 
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 222 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 223 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 224 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 225 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 226 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 227 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 228 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 229 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 230 | |`SSO_TRUSTSTORE_DIR` | The directory where the secret holding the truststore file is mounted | `/etc/sso-secret-volume` 231 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 232 | .6+| `${APPLICATION_NAME}-postgresql` 233 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 234 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 235 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 236 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 237 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. 
| `${POSTGRESQL_SHARED_BUFFERS}` 239 | |======================================================================= 240 | 241 | 242 | 243 | ===== Volumes 244 | 245 | |============= 246 | |Deployment |Name | mountPath | Purpose | readOnly 247 | 248 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 249 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-data` | `/var/lib/pgsql/data` | -- | false 250 | |============= 251 | 252 | 253 | === External Dependencies 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | [[tls]] 263 | == TLS/SSL configuration 264 | 265 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 266 | 267 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains a example of such a configuration. 268 | 269 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 
270 | 271 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 272 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-4.x/sso76-ocp4-https.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp4-https 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. 
| -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 31 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE` | The name of the keystore file within the secret | keystore.jks | False 32 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` | False 33 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 34 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 35 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 36 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 37 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 38 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 39 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | jgroups.jceks | False 40 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 41 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 42 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 43 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed.
These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 44 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 45 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 46 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 47 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 48 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 49 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 50 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` | False 51 | |`SSO_TRUSTSTORE_SECRET` | -- | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 52 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 53 | |======================================================================= 54 | 55 | 56 | 57 | == Objects 58 | 59 | The CLI supports various object types. A list of these object types as well as their abbreviations 60 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 61 | 62 | 63 | === Services 64 | 65 | A service is an abstraction which defines a logical set of pods and a policy by which to access them.
Refer to the 66 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 67 | 68 | |============= 69 | |Service |Port |Name | Description 70 | 71 | .1+| `${APPLICATION_NAME}` 72 | |8080 | -- 73 | .1+| The web server's http port. 74 | .1+| `secure-${APPLICATION_NAME}` 75 | |8443 | -- 76 | .1+| The web server's https port. 77 | .1+| `${APPLICATION_NAME}-ping` 78 | |8888 | ping 79 | .1+| The JGroups ping port for clustering. 80 | |============= 81 | 82 | 83 | 84 | === Routes 85 | 86 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 87 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 88 | of a route name, service selector, and (optionally) security configuration. Refer to the 89 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 90 | 91 | |============= 92 | | Service | Security | Hostname 93 | 94 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 95 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 96 | |============= 97 | 98 | 99 | 100 | 101 | === Deployment Configurations 102 | 103 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 104 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 105 | 106 | 107 | ==== Triggers 108 | 109 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. 
Refer to the 110 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 111 | 112 | |============ 113 | |Deployment | Triggers 114 | 115 | |`${APPLICATION_NAME}` | ImageChange 116 | |============ 117 | 118 | 119 | 120 | ==== Replicas 121 | 122 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 123 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 124 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 125 | for more information. 126 | 127 | |============ 128 | |Deployment | Replicas 129 | 130 | |`${APPLICATION_NAME}` | 1 131 | |============ 132 | 133 | 134 | ==== Pod Template 135 | 136 | 137 | 138 | 139 | ===== Image 140 | 141 | |============ 142 | |Deployment | Image 143 | 144 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 145 | |============ 146 | 147 | 148 | 149 | ===== Readiness Probe 150 | 151 | 152 | .${APPLICATION_NAME} 153 | ---- 154 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 155 | ---- 156 | 157 | 158 | 159 | 160 | ===== Exposed Ports 161 | 162 | |============= 163 | |Deployments | Name | Port | Protocol 164 | 165 | .4+| `${APPLICATION_NAME}` 166 | |jolokia | 8778 | `TCP` 167 | |http | 8080 | `TCP` 168 | |https | 8443 | `TCP` 169 | |ping | 8888 | `TCP` 170 | |============= 171 | 172 | 173 | 174 | ===== Image Environment Variables 175 | 176 | |======================================================================= 177 | |Deployment |Variable name |Description |Example value 178 | 179 | .26+| `${APPLICATION_NAME}` 180 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 181 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 182 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. 
| `${DB_MAX_POOL_SIZE}` 183 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 184 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 185 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 186 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 187 | |`HTTPS_KEYSTORE_DIR` | The directory inside the Pod where the keystore secret is mounted (see Volumes below) | `/etc/eap-secret-volume` 188 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 189 | |`HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` 190 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 191 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 192 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 193 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The directory inside the Pod from which the JGroups encryption keystore is read | `/etc/jgroups-encrypt-secret-volume` 194 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 195 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` 196 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 197 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 198 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 199 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 200 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 201 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm.
| `${SSO_SERVICE_USERNAME}` 202 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 203 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 204 | |`SSO_TRUSTSTORE_DIR` | The directory inside the Pod from which the truststore file is read | `/etc/sso-secret-volume` 205 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 206 | |======================================================================= 207 | 208 | 209 | 210 | ===== Volumes 211 | 212 | |============= 213 | |Deployment |Name | mountPath | Purpose | readOnly 214 | 215 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 216 | |============= 217 | 218 | 219 | === External Dependencies 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | [[tls]] 229 | == TLS/SSL configuration 230 | 231 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 232 | 233 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. Note that this (passthrough) template instead terminates TLS in the RH-SSO Pod using the JKS/JCEKS keystore supplied through `HTTPS_SECRET`/`HTTPS_KEYSTORE`, and that the `${APPLICATION_NAME}-http` route listed above is exposed without TLS: credentials and tokens sent through that route are not protected in transit, so it should be removed or redirected to HTTPS in any deployment that handles real users. 234 | 235 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them.
A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 236 | 237 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 238 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp4-postgresql-persistent 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 
22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. 
This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`VOLUME_CAPACITY` | -- | Size of persistent storage for database volume. | 1Gi | True 45 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 46 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 47 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 48 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 49 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 50 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 51 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 52 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 53 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). 
| `${SSO_REALM}` | False 54 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 55 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 56 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 57 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 58 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 59 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 60 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 61 | |======================================================================= 62 | 63 | 64 | 65 | == Objects 66 | 67 | The CLI supports various object types. A list of these object types as well as their abbreviations 68 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 69 | 70 | 71 | === Services 72 | 73 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 74 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 75 | 76 | |============= 77 | |Service |Port |Name | Description 78 | 79 | .1+| `${APPLICATION_NAME}` 80 | |8080 | -- 81 | .1+| The web server's http port. 82 | .1+| `secure-${APPLICATION_NAME}` 83 | |8443 | -- 84 | .1+| The web server's https port. 
85 | .1+| `${APPLICATION_NAME}-postgresql` 86 | |5432 | -- 87 | .1+| The database server's port. 88 | .1+| `${APPLICATION_NAME}-ping` 89 | |8888 | ping 90 | .1+| The JGroups ping port for clustering. 91 | |============= 92 | 93 | 94 | 95 | === Routes 96 | 97 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 98 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 99 | of a route name, service selector, and (optionally) security configuration. Refer to the 100 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 101 | 102 | |============= 103 | | Service | Security | Hostname 104 | 105 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 106 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 107 | |============= 108 | 109 | 110 | 111 | 112 | === Deployment Configurations 113 | 114 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 115 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 116 | 117 | 118 | ==== Triggers 119 | 120 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 121 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
122 | 123 | |============ 124 | |Deployment | Triggers 125 | 126 | |`${APPLICATION_NAME}` | ImageChange 127 | |`${APPLICATION_NAME}-postgresql` | ImageChange 128 | |============ 129 | 130 | 131 | 132 | ==== Replicas 133 | 134 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 135 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 136 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 137 | for more information. 138 | 139 | |============ 140 | |Deployment | Replicas 141 | 142 | |`${APPLICATION_NAME}` | 1 143 | |`${APPLICATION_NAME}-postgresql` | 1 144 | |============ 145 | 146 | 147 | ==== Pod Template 148 | 149 | 150 | 151 | 152 | ===== Image 153 | 154 | |============ 155 | |Deployment | Image 156 | 157 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 158 | |`${APPLICATION_NAME}-postgresql` | postgresql 159 | |============ 160 | 161 | 162 | 163 | ===== Readiness Probe 164 | 165 | 166 | .${APPLICATION_NAME} 167 | ---- 168 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 169 | ---- 170 | 171 | .${APPLICATION_NAME}-postgresql 172 | ---- 173 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 174 | ---- 175 | 176 | 177 | 178 | 179 | ===== Exposed Ports 180 | 181 | |============= 182 | |Deployments | Name | Port | Protocol 183 | 184 | .4+| `${APPLICATION_NAME}` 185 | |jolokia | 8778 | `TCP` 186 | |http | 8080 | `TCP` 187 | |https | 8443 | `TCP` 188 | |ping | 8888 | `TCP` 189 | .1+| `${APPLICATION_NAME}-postgresql` 190 | |-- | 5432 | `TCP` 191 | |============= 192 | 193 | 194 | 195 | ===== Image Environment Variables 196 | 197 | |======================================================================= 198 | |Deployment |Variable name |Description |Example value 199 | 200 | .32+| `${APPLICATION_NAME}` 201 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 202 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 203 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 204 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 205 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 206 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 207 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 208 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 209 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 210 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 211 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 212 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 213 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 214 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 215 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 216 | |`HTTPS_KEYSTORE_TYPE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE_TYPE}` 217 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 218 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 219 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 220 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 221 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 222 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. 
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 223 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 224 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 225 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 226 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 227 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 228 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 229 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 230 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 231 | |`SSO_TRUSTSTORE_DIR` | The name of the truststore file within the secret (e.g. truststore.jks) | `/etc/sso-secret-volume` 232 | |`SSO_TRUSTSTORE_PASSWORD` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE_PASSWORD}` 233 | .6+| `${APPLICATION_NAME}-postgresql` 234 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 235 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 236 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 237 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 239 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. 
| `${POSTGRESQL_SHARED_BUFFERS}` 240 | |======================================================================= 241 | 242 | 243 | 244 | ===== Volumes 245 | 246 | |============= 247 | |Deployment |Name | mountPath | Purpose | readOnly 248 | 249 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 250 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-postgresql-pvol` | `/var/lib/pgsql/data` | postgresql | false 251 | |============= 252 | 253 | 254 | === External Dependencies 255 | 256 | 257 | ==== Volume Claims 258 | 259 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 260 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 261 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 262 | more information. 263 | 264 | |============= 265 | |Name | Access Mode 266 | 267 | |`${APPLICATION_NAME}-postgresql-claim` | ReadWriteOnce 268 | |============= 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | [[tls]] 278 | == TLS/SSL configuration 279 | 280 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 281 | 282 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] 
The `sso-*-x509-https.json` template contains an example of such a configuration. 283 | 284 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 285 | 286 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 287 | -------------------------------------------------------------------------------- /docs/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp4-postgresql 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. 
Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. 
| `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 45 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 46 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 47 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 48 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 49 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 50 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 51 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 52 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). 
| `${SSO_REALM}` | False 53 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 54 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 55 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 56 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 57 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 58 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 59 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 60 | |======================================================================= 61 | 62 | 63 | 64 | == Objects 65 | 66 | The CLI supports various object types. A list of these object types as well as their abbreviations 67 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 68 | 69 | 70 | === Services 71 | 72 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 73 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 74 | 75 | |============= 76 | |Service |Port |Name | Description 77 | 78 | .1+| `${APPLICATION_NAME}` 79 | |8080 | -- 80 | .1+| The web server's http port. 81 | .1+| `secure-${APPLICATION_NAME}` 82 | |8443 | -- 83 | .1+| The web server's https port. 
84 | .1+| `${APPLICATION_NAME}-postgresql` 85 | |5432 | -- 86 | .1+| The database server's port. 87 | .1+| `${APPLICATION_NAME}-ping` 88 | |8888 | ping 89 | .1+| The JGroups ping port for clustering. 90 | |============= 91 | 92 | 93 | 94 | === Routes 95 | 96 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 97 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 98 | of a route name, service selector, and (optionally) security configuration. Refer to the 99 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 100 | 101 | |============= 102 | | Service | Security | Hostname 103 | 104 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 105 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 106 | |============= 107 | 108 | 109 | 110 | 111 | === Deployment Configurations 112 | 113 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 114 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 115 | 116 | 117 | ==== Triggers 118 | 119 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 120 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
121 | 122 | |============ 123 | |Deployment | Triggers 124 | 125 | |`${APPLICATION_NAME}` | ImageChange 126 | |`${APPLICATION_NAME}-postgresql` | ImageChange 127 | |============ 128 | 129 | 130 | 131 | ==== Replicas 132 | 133 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 134 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 135 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 136 | for more information. 137 | 138 | |============ 139 | |Deployment | Replicas 140 | 141 | |`${APPLICATION_NAME}` | 1 142 | |`${APPLICATION_NAME}-postgresql` | 1 143 | |============ 144 | 145 | 146 | ==== Pod Template 147 | 148 | 149 | 150 | 151 | ===== Image 152 | 153 | |============ 154 | |Deployment | Image 155 | 156 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 157 | |`${APPLICATION_NAME}-postgresql` | postgresql 158 | |============ 159 | 160 | 161 | 162 | ===== Readiness Probe 163 | 164 | 165 | .${APPLICATION_NAME} 166 | ---- 167 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 168 | ---- 169 | 170 | .${APPLICATION_NAME}-postgresql 171 | ---- 172 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 173 | ---- 174 | 175 | 176 | 177 | 178 | ===== Exposed Ports 179 | 180 | |============= 181 | |Deployments | Name | Port | Protocol 182 | 183 | .4+| `${APPLICATION_NAME}` 184 | |jolokia | 8778 | `TCP` 185 | |http | 8080 | `TCP` 186 | |https | 8443 | `TCP` 187 | |ping | 8888 | `TCP` 188 | .1+| `${APPLICATION_NAME}-postgresql` 189 | |-- | 5432 | `TCP` 190 | |============= 191 | 192 | 193 | 194 | ===== Image Environment Variables 195 | 196 | |======================================================================= 197 | |Deployment |Variable name |Description |Example value 198 | 199 | .32+| `${APPLICATION_NAME}` 200 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 201 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 202 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 203 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 204 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 205 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 206 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 207 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 208 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 209 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 210 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 211 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 212 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 213 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 214 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 215 | |`HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` 216 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 217 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 218 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 219 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 220 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 221 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. 
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 222 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 223 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 224 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 225 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 226 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 227 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 228 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 229 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 230 | |`SSO_TRUSTSTORE_DIR` | The name of the truststore file within the secret (e.g. truststore.jks) | `/etc/sso-secret-volume` 231 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 232 | .6+| `${APPLICATION_NAME}-postgresql` 233 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 234 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 235 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 236 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 237 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. 
| `${POSTGRESQL_SHARED_BUFFERS}` 239 | |======================================================================= 240 | 241 | 242 | 243 | ===== Volumes 244 | 245 | |============= 246 | |Deployment |Name | mountPath | Purpose | readOnly 247 | 248 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 249 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-data` | `/var/lib/pgsql/data` | -- | false 250 | |============= 251 | 252 | 253 | === External Dependencies 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | [[tls]] 263 | == TLS/SSL configuration 264 | 265 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 266 | 267 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. 268 | 269 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 
270 | 271 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 272 | -------------------------------------------------------------------------------- /docs/templates/passthrough/sso76-https.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-https 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: .. | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: .. 
| -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 31 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | keystore.jks | False 32 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE}` | False 33 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 34 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 35 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 36 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 37 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 38 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 39 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | jgroups.jceks | False 40 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 41 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 42 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 43 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. 
These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 44 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 45 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 46 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 47 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 48 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 49 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 50 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE}` | False 51 | |`SSO_TRUSTSTORE_SECRET` | `SSO_TRUSTSTORE` | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 52 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 53 | |======================================================================= 54 | 55 | 56 | 57 | == Objects 58 | 59 | The CLI supports various object types. A list of these object types as well as their abbreviations 60 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 61 | 62 | 63 | === Services 64 | 65 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. 
Refer to the 66 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 67 | 68 | |============= 69 | |Service |Port |Name | Description 70 | 71 | .1+| `${APPLICATION_NAME}` 72 | |8080 | -- 73 | .1+| The web server's http port. 74 | .1+| `secure-${APPLICATION_NAME}` 75 | |8443 | -- 76 | .1+| The web server's https port. 77 | .1+| `${APPLICATION_NAME}-ping` 78 | |8888 | ping 79 | .1+| The JGroups ping port for clustering. 80 | |============= 81 | 82 | 83 | 84 | === Routes 85 | 86 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 87 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 88 | of a route name, service selector, and (optionally) security configuration. Refer to the 89 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 90 | 91 | |============= 92 | | Service | Security | Hostname 93 | 94 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 95 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 96 | |============= 97 | 98 | 99 | 100 | 101 | === Deployment Configurations 102 | 103 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 104 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 105 | 106 | 107 | ==== Triggers 108 | 109 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. 
Refer to the 110 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 111 | 112 | |============ 113 | |Deployment | Triggers 114 | 115 | |`${APPLICATION_NAME}` | ImageChange 116 | |============ 117 | 118 | 119 | 120 | ==== Replicas 121 | 122 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 123 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 124 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 125 | for more information. 126 | 127 | |============ 128 | |Deployment | Replicas 129 | 130 | |`${APPLICATION_NAME}` | 1 131 | |============ 132 | 133 | 134 | ==== Pod Template 135 | 136 | 137 | 138 | 139 | ===== Image 140 | 141 | |============ 142 | |Deployment | Image 143 | 144 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 145 | |============ 146 | 147 | 148 | 149 | ===== Readiness Probe 150 | 151 | 152 | .${APPLICATION_NAME} 153 | ---- 154 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 155 | ---- 156 | 157 | 158 | 159 | 160 | ===== Exposed Ports 161 | 162 | |============= 163 | |Deployments | Name | Port | Protocol 164 | 165 | .4+| `${APPLICATION_NAME}` 166 | |jolokia | 8778 | `TCP` 167 | |http | 8080 | `TCP` 168 | |https | 8443 | `TCP` 169 | |ping | 8888 | `TCP` 170 | |============= 171 | 172 | 173 | 174 | ===== Image Environment Variables 175 | 176 | |======================================================================= 177 | |Deployment |Variable name |Description |Example value 178 | 179 | .26+| `${APPLICATION_NAME}` 180 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 181 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 182 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. 
| `${DB_MAX_POOL_SIZE}` 183 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 184 | |`JGROUPS_PING_PROTOCOL` | -- | openshift.DNS_PING 185 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 186 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 187 | |`HTTPS_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/eap-secret-volume` 188 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 189 | |`HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` 190 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 191 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 192 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 193 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The name of the keystore file within the secret | `/etc/jgroups-encrypt-secret-volume` 194 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 195 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` 196 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 197 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 198 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 199 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 200 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 201 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. 
This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 202 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 203 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 204 | |`SSO_TRUSTSTORE_DIR` | The name of the truststore file within the secret (e.g. truststore.jks) | `/etc/sso-secret-volume` 205 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 206 | |======================================================================= 207 | 208 | 209 | 210 | ===== Volumes 211 | 212 | |============= 213 | |Deployment |Name | mountPath | Purpose | readOnly 214 | 215 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 216 | |============= 217 | 218 | 219 | === External Dependencies 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | [[tls]] 229 | == TLS/SSL configuration 230 | 231 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 232 | 233 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. 234 | 235 | The Trust Store configuration uses certificates in PEM format. 
They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 236 | 237 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 238 | -------------------------------------------------------------------------------- /docs/templates/passthrough/sso76-postgresql-persistent.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-postgresql-persistent 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 
22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: `<application-name>-<project>.<default-domain-suffix>` | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: `<application-name>-<project>.<default-domain-suffix>` | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed.
This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`VOLUME_CAPACITY` | -- | Size of persistent storage for database volume. | 1Gi | True 45 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 46 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | jgroups.jceks | False 47 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 48 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 49 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 50 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 51 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 52 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 53 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm).
| `${SSO_REALM}` | False 54 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 55 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 56 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 57 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` | False 58 | |`SSO_TRUSTSTORE_SECRET` | -- | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 59 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 60 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 61 | |======================================================================= 62 | 63 | 64 | 65 | == Objects 66 | 67 | The CLI supports various object types. A list of these object types as well as their abbreviations 68 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 69 | 70 | 71 | === Services 72 | 73 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 74 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 75 | 76 | |============= 77 | |Service |Port |Name | Description 78 | 79 | .1+| `${APPLICATION_NAME}` 80 | |8080 | -- 81 | .1+| The web server's http port. 82 | .1+| `secure-${APPLICATION_NAME}` 83 | |8443 | -- 84 | .1+| The web server's https port.
85 | .1+| `${APPLICATION_NAME}-postgresql` 86 | |5432 | -- 87 | .1+| The database server's port. 88 | .1+| `${APPLICATION_NAME}-ping` 89 | |8888 | ping 90 | .1+| The JGroups ping port for clustering. 91 | |============= 92 | 93 | 94 | 95 | === Routes 96 | 97 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 98 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 99 | of a route name, service selector, and (optionally) security configuration. Refer to the 100 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 101 | 102 | |============= 103 | | Service | Security | Hostname 104 | 105 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 106 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 107 | |============= 108 | 109 | NOTE: The `${APPLICATION_NAME}-http` route has no TLS, so logins and tokens sent through it travel in clear text; with TLS passthrough, the `-https` route is terminated by the server's own keystore, not by the router. Prefer exposing only the `-https` route outside the cluster. 110 | 111 | 112 | === Deployment Configurations 113 | 114 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 115 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 116 | 117 | 118 | ==== Triggers 119 | 120 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 121 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information.
122 | 123 | |============ 124 | |Deployment | Triggers 125 | 126 | |`${APPLICATION_NAME}` | ImageChange 127 | |`${APPLICATION_NAME}-postgresql` | ImageChange 128 | |============ 129 | 130 | 131 | 132 | ==== Replicas 133 | 134 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 135 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 136 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 137 | for more information. 138 | 139 | |============ 140 | |Deployment | Replicas 141 | 142 | |`${APPLICATION_NAME}` | 1 143 | |`${APPLICATION_NAME}-postgresql` | 1 144 | |============ 145 | 146 | 147 | ==== Pod Template 148 | 149 | 150 | 151 | 152 | ===== Image 153 | 154 | |============ 155 | |Deployment | Image 156 | 157 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 158 | |`${APPLICATION_NAME}-postgresql` | postgresql 159 | |============ 160 | 161 | 162 | 163 | ===== Readiness Probe 164 | 165 | 166 | .${APPLICATION_NAME} 167 | ---- 168 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 169 | ---- 170 | 171 | .${APPLICATION_NAME}-postgresql 172 | ---- 173 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 174 | ---- 175 | 176 | 177 | 178 | 179 | ===== Exposed Ports 180 | 181 | |============= 182 | |Deployments | Name | Port | Protocol 183 | 184 | .4+| `${APPLICATION_NAME}` 185 | |jolokia | 8778 | `TCP` 186 | |http | 8080 | `TCP` 187 | |https | 8443 | `TCP` 188 | |ping | 8888 | `TCP` 189 | .1+| `${APPLICATION_NAME}-postgresql` 190 | |-- | 5432 | `TCP` 191 | |============= 192 | 193 | 194 | 195 | ===== Image Environment Variables 196 | 197 | |======================================================================= 198 | |Deployment |Variable name |Description |Example value 199 | 200 | .32+| `${APPLICATION_NAME}` 201 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 202 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 203 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 204 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 205 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 206 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 207 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 208 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 209 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 210 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 211 | |`JGROUPS_PING_PROTOCOL` | -- | openshift.DNS_PING 212 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 213 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 214 | |`HTTPS_KEYSTORE_DIR` | The directory inside the container where the keystore secret is mounted | `/etc/eap-secret-volume` 215 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 216 | |`HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` 217 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 218 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 219 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 220 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The directory inside the container where the JGroups encryption keystore secret is mounted | `/etc/jgroups-encrypt-secret-volume` 221 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 222 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g.
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 223 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 224 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 225 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 226 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 227 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 228 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 229 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 230 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 231 | |`SSO_TRUSTSTORE_DIR` | The directory inside the container where the truststore secret is mounted | `/etc/sso-secret-volume` 232 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 233 | .6+| `${APPLICATION_NAME}-postgresql` 234 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 235 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 236 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 237 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 239 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data.
| `${POSTGRESQL_SHARED_BUFFERS}` 240 | |======================================================================= 241 | 242 | 243 | 244 | ===== Volumes 245 | 246 | |============= 247 | |Deployment |Name | mountPath | Purpose | readOnly 248 | 249 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 250 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-postgresql-pvol` | `/var/lib/pgsql/data` | postgresql | false 251 | |============= 252 | 253 | 254 | === External Dependencies 255 | 256 | 257 | ==== Volume Claims 258 | 259 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 260 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 261 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 262 | more information. 263 | 264 | |============= 265 | |Name | Access Mode 266 | 267 | |`${APPLICATION_NAME}-postgresql-claim` | ReadWriteOnce 268 | |============= 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | [[tls]] 278 | == TLS/SSL configuration 279 | 280 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 281 | 282 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] 
Note that such a service serving certificate is issued by the cluster's service CA and is therefore trusted only by clients configured with that CA. The `sso-*-x509-https.json` template contains an example of such a configuration. 283 | 284 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. Every CA in the bundle can issue certificates that the server will accept on outgoing connections, so keep the bundle limited to the CAs those connections actually require. 285 | 286 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future, so when both are set, verify the effective trust configuration rather than assuming the two sources are merged. 287 | -------------------------------------------------------------------------------- /docs/templates/passthrough/sso76-postgresql.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-postgresql 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field.
Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`HOSTNAME_HTTP` | -- | Custom hostname for http service route. Leave blank for default hostname, e.g.: `<application-name>-<project>.<default-domain-suffix>` | -- | False 28 | |`HOSTNAME_HTTPS` | -- | Custom hostname for https service route. Leave blank for default hostname, e.g.: `<application-name>-<project>.<default-domain-suffix>` | -- | False 29 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 30 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 31 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 32 | |`HTTPS_SECRET` | -- | The name of the secret containing the keystore file | sso-app-secret | False 33 | |`HTTPS_KEYSTORE` | `HTTPS_KEYSTORE` | The name of the keystore file within the secret | keystore.jks | False 34 | |`HTTPS_KEYSTORE_TYPE` | `HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` | False 35 | |`HTTPS_NAME` | `HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` | False 36 | |`HTTPS_PASSWORD` | `HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` | False 37 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 38 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 39 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource.
| `${DB_TX_ISOLATION}` | False 40 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 41 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 42 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 43 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 44 | |`JGROUPS_ENCRYPT_SECRET` | `JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | sso-app-secret | False 45 | |`JGROUPS_ENCRYPT_KEYSTORE` | `JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | jgroups.jceks | False 46 | |`JGROUPS_ENCRYPT_NAME` | `JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g. secret-key) | `${JGROUPS_ENCRYPT_NAME}` | False 47 | |`JGROUPS_ENCRYPT_PASSWORD` | `JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` | False 48 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` | True 49 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 50 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 51 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 52 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm).
| `${SSO_REALM}` | False 53 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 54 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 55 | |`SSO_TRUSTSTORE` | `SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` | False 56 | |`SSO_TRUSTSTORE_PASSWORD` | `SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` | False 57 | |`SSO_TRUSTSTORE_SECRET` | -- | The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName | sso-app-secret | False 58 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 59 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 60 | |======================================================================= 61 | 62 | 63 | 64 | == Objects 65 | 66 | The CLI supports various object types. A list of these object types as well as their abbreviations 67 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 68 | 69 | 70 | === Services 71 | 72 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 73 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 74 | 75 | |============= 76 | |Service |Port |Name | Description 77 | 78 | .1+| `${APPLICATION_NAME}` 79 | |8080 | -- 80 | .1+| The web server's http port. 81 | .1+| `secure-${APPLICATION_NAME}` 82 | |8443 | -- 83 | .1+| The web server's https port.
84 | .1+| `${APPLICATION_NAME}-postgresql` 85 | |5432 | -- 86 | .1+| The database server's port. 87 | .1+| `${APPLICATION_NAME}-ping` 88 | |8888 | ping 89 | .1+| The JGroups ping port for clustering. 90 | |============= 91 | 92 | 93 | 94 | === Routes 95 | 96 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 97 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 98 | of a route name, service selector, and (optionally) security configuration. Refer to the 99 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 100 | 101 | |============= 102 | | Service | Security | Hostname 103 | 104 | |`${APPLICATION_NAME}-http` | none | `${HOSTNAME_HTTP}` 105 | |`${APPLICATION_NAME}-https` | TLS passthrough | `${HOSTNAME_HTTPS}` 106 | |============= 107 | 108 | NOTE: The `${APPLICATION_NAME}-http` route has no TLS, so logins and tokens sent through it travel in clear text; with TLS passthrough, the `-https` route is terminated by the server's own keystore, not by the router. Prefer exposing only the `-https` route outside the cluster. 109 | 110 | 111 | === Deployment Configurations 112 | 113 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 114 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 115 | 116 | 117 | ==== Triggers 118 | 119 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 120 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information.
121 | 122 | |============ 123 | |Deployment | Triggers 124 | 125 | |`${APPLICATION_NAME}` | ImageChange 126 | |`${APPLICATION_NAME}-postgresql` | ImageChange 127 | |============ 128 | 129 | 130 | 131 | ==== Replicas 132 | 133 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 134 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 135 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 136 | for more information. 137 | 138 | |============ 139 | |Deployment | Replicas 140 | 141 | |`${APPLICATION_NAME}` | 1 142 | |`${APPLICATION_NAME}-postgresql` | 1 143 | |============ 144 | 145 | 146 | ==== Pod Template 147 | 148 | 149 | 150 | 151 | ===== Image 152 | 153 | |============ 154 | |Deployment | Image 155 | 156 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 157 | |`${APPLICATION_NAME}-postgresql` | postgresql 158 | |============ 159 | 160 | 161 | 162 | ===== Readiness Probe 163 | 164 | 165 | .${APPLICATION_NAME} 166 | ---- 167 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 168 | ---- 169 | 170 | .${APPLICATION_NAME}-postgresql 171 | ---- 172 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 173 | ---- 174 | 175 | 176 | 177 | 178 | ===== Exposed Ports 179 | 180 | |============= 181 | |Deployments | Name | Port | Protocol 182 | 183 | .4+| `${APPLICATION_NAME}` 184 | |jolokia | 8778 | `TCP` 185 | |http | 8080 | `TCP` 186 | |https | 8443 | `TCP` 187 | |ping | 8888 | `TCP` 188 | .1+| `${APPLICATION_NAME}-postgresql` 189 | |-- | 5432 | `TCP` 190 | |============= 191 | 192 | 193 | 194 | ===== Image Environment Variables 195 | 196 | |======================================================================= 197 | |Deployment |Variable name |Description |Example value 198 | 199 | .32+| `${APPLICATION_NAME}` 200 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO 
server. | `${SSO_HOSTNAME}` 201 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 202 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 203 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 204 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 205 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 206 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 207 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 208 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 209 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 210 | |`JGROUPS_PING_PROTOCOL` | -- | openshift.DNS_PING 211 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 212 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 213 | |`HTTPS_KEYSTORE_DIR` | The directory inside the container where the keystore secret is mounted | `/etc/eap-secret-volume` 214 | |`HTTPS_KEYSTORE` | The name of the keystore file within the secret | `${HTTPS_KEYSTORE}` 215 | |`HTTPS_KEYSTORE_TYPE` | The type of the keystore file (JKS or JCEKS) | `${HTTPS_KEYSTORE_TYPE}` 216 | |`HTTPS_NAME` | The name associated with the server certificate (e.g. jboss) | `${HTTPS_NAME}` 217 | |`HTTPS_PASSWORD` | The password for the keystore and certificate (e.g. mykeystorepass) | `${HTTPS_PASSWORD}` 218 | |`JGROUPS_ENCRYPT_SECRET` | The name of the secret containing the keystore file | `${JGROUPS_ENCRYPT_SECRET}` 219 | |`JGROUPS_ENCRYPT_KEYSTORE_DIR` | The directory inside the container where the JGroups encryption keystore secret is mounted | `/etc/jgroups-encrypt-secret-volume` 220 | |`JGROUPS_ENCRYPT_KEYSTORE` | The name of the keystore file within the secret | `${JGROUPS_ENCRYPT_KEYSTORE}` 221 | |`JGROUPS_ENCRYPT_NAME` | The name associated with the server certificate (e.g.
secret-key) | `${JGROUPS_ENCRYPT_NAME}` 222 | |`JGROUPS_ENCRYPT_PASSWORD` | The password for the keystore and certificate (e.g. password) | `${JGROUPS_ENCRYPT_PASSWORD}` 223 | |`JGROUPS_CLUSTER_PASSWORD` | JGroups cluster password | `${JGROUPS_CLUSTER_PASSWORD}` 224 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 225 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 226 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 227 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 228 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 229 | |`SSO_TRUSTSTORE` | The name of the truststore file within the secret (e.g. truststore.jks) | `${SSO_TRUSTSTORE}` 230 | |`SSO_TRUSTSTORE_DIR` | The directory inside the container where the truststore secret is mounted | `/etc/sso-secret-volume` 231 | |`SSO_TRUSTSTORE_PASSWORD` | The password for the truststore and certificate (e.g. mykeystorepass) | `${SSO_TRUSTSTORE_PASSWORD}` 232 | .6+| `${APPLICATION_NAME}-postgresql` 233 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 234 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 235 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 236 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 237 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 238 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data.
| `${POSTGRESQL_SHARED_BUFFERS}` 239 | |======================================================================= 240 | 241 | 242 | 243 | ===== Volumes 244 | 245 | |============= 246 | |Deployment |Name | mountPath | Purpose | readOnly 247 | 248 | |`${APPLICATION_NAME}` | eap-keystore-volume | `/etc/eap-secret-volume` | ssl certs | True 249 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-data` | `/var/lib/pgsql/data` | -- | false 250 | |============= 251 | 252 | 253 | === External Dependencies 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | [[tls]] 263 | == TLS/SSL configuration 264 | 265 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (the server's Key Store, which holds its private key and certificate) and outgoing connections (the Trust Store, which holds the CA certificates the server accepts from remote peers). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 266 | 267 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] Note that such a service serving certificate is issued by the cluster's service CA and is therefore trusted only by clients configured with that CA. The `sso-*-x509-https.json` template contains an example of such a configuration. 268 | 269 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. Every CA in the bundle can issue certificates that the server will accept on outgoing connections, so keep the bundle limited to the CAs those connections actually require.
270 | 271 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 272 | -------------------------------------------------------------------------------- /docs/templates/reencrypt/ocp-3.x/sso76-ocp3-x509-https.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp3-x509-https 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 28 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. 
| `${JGROUPS_CLUSTER_PASSWORD}` | True 29 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 30 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 31 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 32 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 33 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 34 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server admininistrator password | `${SSO_ADMIN_PASSWORD}` | True 35 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 36 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 37 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 38 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 39 | |======================================================================= 40 | 41 | 42 | 43 | == Objects 44 | 45 | The CLI supports various object types. A list of these object types as well as their abbreviations 46 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 
47 | 48 | 49 | === Services 50 | 51 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 52 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 53 | 54 | |============= 55 | |Service |Port |Name | Description 56 | 57 | .1+| `${APPLICATION_NAME}` 58 | |8443 | -- 59 | .1+| The web server's https port. 60 | .1+| `${APPLICATION_NAME}-ping` 61 | |8888 | ping 62 | .1+| The JGroups ping port for clustering. 63 | |============= 64 | 65 | 66 | 67 | === Routes 68 | 69 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 70 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 71 | of a route name, service selector, and (optionally) security configuration. Refer to the 72 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 73 | 74 | |============= 75 | | Service | Security | Hostname 76 | 77 | |`${APPLICATION_NAME}-https` | TLS reencrypt | 78 | |============= 79 | 80 | 81 | 82 | 83 | === Deployment Configurations 84 | 85 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 86 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 87 | 88 | 89 | ==== Triggers 90 | 91 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 92 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
93 | 94 | |============ 95 | |Deployment | Triggers 96 | 97 | |`${APPLICATION_NAME}` | ImageChange 98 | |============ 99 | 100 | 101 | 102 | ==== Replicas 103 | 104 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 105 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 106 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 107 | for more information. 108 | 109 | |============ 110 | |Deployment | Replicas 111 | 112 | |`${APPLICATION_NAME}` | 1 113 | |============ 114 | 115 | 116 | ==== Pod Template 117 | 118 | 119 | 120 | 121 | ===== Image 122 | 123 | |============ 124 | |Deployment | Image 125 | 126 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 127 | |============ 128 | 129 | 130 | 131 | ===== Readiness Probe 132 | 133 | 134 | .${APPLICATION_NAME} 135 | ---- 136 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 137 | ---- 138 | 139 | 140 | 141 | 142 | ===== Exposed Ports 143 | 144 | |============= 145 | |Deployments | Name | Port | Protocol 146 | 147 | .4+| `${APPLICATION_NAME}` 148 | |jolokia | 8778 | `TCP` 149 | |http | 8080 | `TCP` 150 | |https | 8443 | `TCP` 151 | |ping | 8888 | `TCP` 152 | |============= 153 | 154 | 155 | 156 | ===== Image Environment Variables 157 | 158 | |======================================================================= 159 | |Deployment |Variable name |Description |Example value 160 | 161 | .14+| `${APPLICATION_NAME}` 162 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 163 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 164 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 165 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. 
| `${DB_TX_ISOLATION}` 166 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 167 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 168 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 169 | |X509_CA_BUNDLE | -- | `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 170 | |`JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` 171 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 172 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server admininistrator password | `${SSO_ADMIN_PASSWORD}` 173 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 174 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 175 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 176 | |======================================================================= 177 | 178 | 179 | 180 | ===== Volumes 181 | 182 | |============= 183 | |Deployment |Name | mountPath | Purpose | readOnly 184 | 185 | |`${APPLICATION_NAME}` | sso-x509-https-volume | `/etc/x509/https` | -- | True 186 | |============= 187 | 188 | 189 | === External Dependencies 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | [[tls]] 199 | == TLS/SSL configuration 200 | 201 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 202 | 203 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. 
The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains a example of such a configuration. 204 | 205 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 206 | 207 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 208 | -------------------------------------------------------------------------------- /docs/templates/reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp3-x509-postgresql-persistent 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 
13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 28 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` | True 29 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 30 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 31 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 32 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 33 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 34 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 35 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. 
| `${POSTGRESQL_SHARED_BUFFERS}` | False 36 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 37 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 38 | |`VOLUME_CAPACITY` | -- | Size of persistent storage for database volume. | 1Gi | True 39 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 40 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 41 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 42 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 43 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 44 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 45 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 46 | |`POSTGRESQL_SOURCE_REPOSITORY_URL` | -- | Git source URI for the application extending PostgreSQL SQL server container image with SSL/TLS support. | https://github.com/iankko/redhat-sso-7-openshift-image | True 47 | |`POSTGRESQL_SOURCE_REPOSITORY_REF` | -- | Git branch/tag reference for the application extending PostgreSQL SQL server container image with SSL/TLS support. 
| KEYCLOAK-15633 | True 48 | |`POSTGRESQL_CONTEXT_DIR` | -- | Path within the Git project to build the application extending PostgreSQL SQL server container image with SSL/TLS support. | s2i/postgresql/enable-ssl | True 49 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 50 | |======================================================================= 51 | 52 | 53 | 54 | == Objects 55 | 56 | The CLI supports various object types. A list of these object types as well as their abbreviations 57 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 58 | 59 | 60 | === Services 61 | 62 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 63 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 64 | 65 | |============= 66 | |Service |Port |Name | Description 67 | 68 | .1+| `${APPLICATION_NAME}` 69 | |8443 | -- 70 | .1+| The web server's https port. 71 | .1+| `${APPLICATION_NAME}-postgresql` 72 | |5432 | -- 73 | .1+| The database server's port. 74 | .1+| `${APPLICATION_NAME}-ping` 75 | |8888 | ping 76 | .1+| The JGroups ping port for clustering. 77 | |============= 78 | 79 | 80 | 81 | === Routes 82 | 83 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 84 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 85 | of a route name, service selector, and (optionally) security configuration. Refer to the 86 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 
87 | 88 | |============= 89 | | Service | Security | Hostname 90 | 91 | |`${APPLICATION_NAME}-https` | TLS reencrypt | 92 | |============= 93 | 94 | 95 | 96 | === Build Configurations 97 | 98 | A `buildConfig` describes a single build definition and a set of triggers for when a new build should be created. 99 | A `buildConfig` is a REST object, which can be used in a POST to the API server to create a new instance. Refer to 100 | the https://docs.openshift.com/enterprise/3.0/dev_guide/builds.html#defining-a-buildconfig[Openshift documentation] 101 | for more information. 102 | 103 | |============= 104 | | S2I image | link | Build output | BuildTriggers and Settings 105 | 106 | |`postgresql13-for-sso76-openshift-rhel8:${POSTGRESQL_IMAGE_STREAM_TAG}` | link:../../templates/postgresql13-for-sso76-openshift-rhel8{outfilesuffix}['rhel8/postgresql-13'] | `${APPLICATION_NAME}-postgresql-ssl:latest` | GitHub, Generic, ImageChange, ConfigChange 107 | |============= 108 | 109 | 110 | === Deployment Configurations 111 | 112 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 113 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 114 | 115 | 116 | ==== Triggers 117 | 118 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 119 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 
120 | 121 | |============ 122 | |Deployment | Triggers 123 | 124 | |`${APPLICATION_NAME}` | ImageChange 125 | |`${APPLICATION_NAME}-postgresql` | ImageChange 126 | |============ 127 | 128 | 129 | 130 | ==== Replicas 131 | 132 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 133 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 134 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 135 | for more information. 136 | 137 | |============ 138 | |Deployment | Replicas 139 | 140 | |`${APPLICATION_NAME}` | 1 141 | |`${APPLICATION_NAME}-postgresql` | 1 142 | |============ 143 | 144 | 145 | ==== Pod Template 146 | 147 | 148 | 149 | 150 | ===== Image 151 | 152 | |============ 153 | |Deployment | Image 154 | 155 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 156 | |`${APPLICATION_NAME}-postgresql` | postgresql 157 | |============ 158 | 159 | 160 | 161 | ===== Readiness Probe 162 | 163 | 164 | .${APPLICATION_NAME} 165 | ---- 166 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 167 | ---- 168 | 169 | .${APPLICATION_NAME}-postgresql 170 | ---- 171 | /bin/sh -i -c PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 172 | ---- 173 | 174 | 175 | 176 | 177 | ===== Exposed Ports 178 | 179 | |============= 180 | |Deployments | Name | Port | Protocol 181 | 182 | .4+| `${APPLICATION_NAME}` 183 | |jolokia | 8778 | `TCP` 184 | |http | 8080 | `TCP` 185 | |https | 8443 | `TCP` 186 | |ping | 8888 | `TCP` 187 | .1+| `${APPLICATION_NAME}-postgresql` 188 | |-- | 5432 | `TCP` 189 | |============= 190 | 191 | 192 | 193 | ===== Image Environment Variables 194 | 195 | |======================================================================= 196 | |Deployment |Variable name |Description |Example value 197 | 198 | .20+| `${APPLICATION_NAME}` 199 | |`SSO_HOSTNAME` | Custom hostname 
for the RH-SSO server. | `${SSO_HOSTNAME}` 200 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 201 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | `${DB_JNDI}` 202 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 203 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 204 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 205 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 206 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 207 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 208 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 209 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 210 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 211 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 212 | |X509_CA_BUNDLE | -- | `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 213 | |`JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` 214 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 215 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 216 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 217 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 218 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. 
| `${SSO_SERVICE_PASSWORD}` 219 | .6+| `${APPLICATION_NAME}-postgresql` 220 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 221 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 222 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 223 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` 224 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 225 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` 226 | |======================================================================= 227 | 228 | 229 | 230 | ===== Volumes 231 | 232 | |============= 233 | |Deployment |Name | mountPath | Purpose | readOnly 234 | 235 | |`${APPLICATION_NAME}` | sso-x509-https-volume | `/etc/x509/https` | -- | True 236 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-postgresql-pvol` | `/var/lib/pgsql/data` | postgresql | false 237 | |============= 238 | 239 | 240 | === External Dependencies 241 | 242 | 243 | ==== Volume Claims 244 | 245 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 246 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 247 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 248 | more information. 249 | 250 | |============= 251 | |Name | Access Mode 252 | 253 | |`${APPLICATION_NAME}-postgresql-claim` | ReadWriteOnce 254 | |============= 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | [[tls]] 264 | == TLS/SSL configuration 265 | 266 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). 
The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 267 | 268 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains a example of such a configuration. 269 | 270 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 271 | 272 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 273 | -------------------------------------------------------------------------------- /docs/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! 
Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp4-x509-https 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 28 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` | True 29 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 30 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 31 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 32 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. 
| openshift | True 33 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 34 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server admininistrator password | `${SSO_ADMIN_PASSWORD}` | True 35 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 36 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 37 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 38 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 39 | |======================================================================= 40 | 41 | 42 | 43 | == Objects 44 | 45 | The CLI supports various object types. A list of these object types as well as their abbreviations 46 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 47 | 48 | 49 | === Services 50 | 51 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 52 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 53 | 54 | |============= 55 | |Service |Port |Name | Description 56 | 57 | .1+| `${APPLICATION_NAME}` 58 | |8443 | -- 59 | .1+| The web server's https port. 60 | .1+| `${APPLICATION_NAME}-ping` 61 | |8888 | ping 62 | .1+| The JGroups ping port for clustering. 63 | |============= 64 | 65 | 66 | 67 | === Routes 68 | 69 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. 
A defined route and the endpoints 70 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 71 | of a route name, service selector, and (optionally) security configuration. Refer to the 72 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 73 | 74 | |============= 75 | | Service | Security | Hostname 76 | 77 | |`${APPLICATION_NAME}-https` | TLS reencrypt | 78 | |============= 79 | 80 | 81 | 82 | 83 | === Deployment Configurations 84 | 85 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 86 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 87 | 88 | 89 | ==== Triggers 90 | 91 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 92 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 93 | 94 | |============ 95 | |Deployment | Triggers 96 | 97 | |`${APPLICATION_NAME}` | ImageChange 98 | |============ 99 | 100 | 101 | 102 | ==== Replicas 103 | 104 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 105 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 106 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 107 | for more information. 
108 | 109 | |============ 110 | |Deployment | Replicas 111 | 112 | |`${APPLICATION_NAME}` | 1 113 | |============ 114 | 115 | 116 | ==== Pod Template 117 | 118 | 119 | 120 | 121 | ===== Image 122 | 123 | |============ 124 | |Deployment | Image 125 | 126 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 127 | |============ 128 | 129 | 130 | 131 | ===== Readiness Probe 132 | 133 | 134 | .${APPLICATION_NAME} 135 | ---- 136 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 137 | ---- 138 | 139 | 140 | 141 | 142 | ===== Exposed Ports 143 | 144 | |============= 145 | |Deployments | Name | Port | Protocol 146 | 147 | .4+| `${APPLICATION_NAME}` 148 | |jolokia | 8778 | `TCP` 149 | |http | 8080 | `TCP` 150 | |https | 8443 | `TCP` 151 | |ping | 8888 | `TCP` 152 | |============= 153 | 154 | 155 | 156 | ===== Image Environment Variables 157 | 158 | |======================================================================= 159 | |Deployment |Variable name |Description |Example value 160 | 161 | .14+| `${APPLICATION_NAME}` 162 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 163 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 164 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 165 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 166 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 167 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 168 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 169 | |X509_CA_BUNDLE | -- | `/var/run/configmaps/service-ca/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 170 | |`JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. 
| `${JGROUPS_CLUSTER_PASSWORD}` 171 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 172 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 173 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 174 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 175 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 176 | |======================================================================= 177 | 178 | 179 | 180 | ===== Volumes 181 | 182 | |============= 183 | |Deployment |Name | mountPath | Purpose | readOnly 184 | 185 | |`${APPLICATION_NAME}` | sso-x509-https-volume | `/etc/x509/https` | -- | True 186 | |============= 187 | 188 | 189 | === External Dependencies 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | [[tls]] 199 | == TLS/SSL configuration 200 | 201 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 202 | 203 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. 204 | 205 | The Trust Store configuration uses certificates in PEM format.
They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 206 | 207 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 208 | -------------------------------------------------------------------------------- /docs/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.adoc: -------------------------------------------------------------------------------- 1 | //// 2 | AUTOGENERATED FILE - this file was generated via ./gen_template_docs.py. 3 | Changes to .adoc or HTML files may be overwritten! Please change the 4 | generator or the input template (./*.in) 5 | //// 6 | 7 | = sso76-ocp4-x509-postgresql-persistent 8 | :toc: 9 | :toc-placement!: 10 | :toclevels: 5 11 | 12 | An example application based on RH-SSO 7.6 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso76-dev/docs. 13 | 14 | toc::[] 15 | 16 | 17 | == Parameters 18 | 19 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 20 | References can be defined in any text field in the objects list field. Refer to the 21 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information.
22 | 23 | |======================================================================= 24 | |Variable name |Image Environment Variable |Description |Example value |Required 25 | 26 | |`APPLICATION_NAME` | -- | The name for the application. | sso | True 27 | |`SSO_HOSTNAME` | `SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` | False 28 | |`JGROUPS_CLUSTER_PASSWORD` | `JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` | True 29 | |`DB_JNDI` | `DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql | java:jboss/datasources/KeycloakDS | False 30 | |`DB_DATABASE` | `DB_DATABASE` | Database name | root | True 31 | |`DB_MIN_POOL_SIZE` | `DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` | False 32 | |`DB_MAX_POOL_SIZE` | `DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` | False 33 | |`DB_TX_ISOLATION` | `DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` | False 34 | |`POSTGRESQL_MAX_CONNECTIONS` | `POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. | `${POSTGRESQL_MAX_CONNECTIONS}` | False 35 | |`POSTGRESQL_SHARED_BUFFERS` | `POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` | False 36 | |`DB_USERNAME` | `DB_USERNAME` | Database user name | `${DB_USERNAME}` | True 37 | |`DB_PASSWORD` | `DB_PASSWORD` | Database user password | `${DB_PASSWORD}` | True 38 | |`VOLUME_CAPACITY` | -- | Size of persistent storage for database volume. | 1Gi | True 39 | |`IMAGE_STREAM_NAMESPACE` | -- | Namespace in which the ImageStreams for Red Hat Middleware images are installed. 
These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. | openshift | True 40 | |`SSO_ADMIN_USERNAME` | `SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` | True 41 | |`SSO_ADMIN_PASSWORD` | `SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` | True 42 | |`SSO_REALM` | `SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` | False 43 | |`SSO_SERVICE_USERNAME` | `SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` | False 44 | |`SSO_SERVICE_PASSWORD` | `SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` | False 45 | |`POSTGRESQL_IMAGE_STREAM_TAG` | -- | The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. | 13-el8 | True 46 | |`MEMORY_LIMIT` | -- | Container memory limit. | 1Gi | False 47 | |======================================================================= 48 | 49 | 50 | 51 | == Objects 52 | 53 | The CLI supports various object types. A list of these object types as well as their abbreviations 54 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 55 | 56 | 57 | === Services 58 | 59 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 60 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 61 | 62 | |============= 63 | |Service |Port |Name | Description 64 | 65 | .1+| `${APPLICATION_NAME}` 66 | |8443 | -- 67 | .1+| The web server's https port.
68 | .1+| `${APPLICATION_NAME}-postgresql` 69 | |5432 | -- 70 | .1+| The database server's port. 71 | .1+| `${APPLICATION_NAME}-ping` 72 | |8888 | ping 73 | .1+| The JGroups ping port for clustering. 74 | |============= 75 | 76 | 77 | 78 | === Routes 79 | 80 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 81 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 82 | of a route name, service selector, and (optionally) security configuration. Refer to the 83 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 84 | 85 | |============= 86 | | Service | Security | Hostname 87 | 88 | |`${APPLICATION_NAME}-https` | TLS reencrypt | 89 | |============= 90 | 91 | 92 | 93 | 94 | === Deployment Configurations 95 | 96 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 97 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 98 | 99 | 100 | ==== Triggers 101 | 102 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. Refer to the 103 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 104 | 105 | |============ 106 | |Deployment | Triggers 107 | 108 | |`${APPLICATION_NAME}` | ImageChange 109 | |`${APPLICATION_NAME}-postgresql` | ImageChange 110 | |============ 111 | 112 | 113 | 114 | ==== Replicas 115 | 116 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 
117 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 118 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 119 | for more information. 120 | 121 | |============ 122 | |Deployment | Replicas 123 | 124 | |`${APPLICATION_NAME}` | 1 125 | |`${APPLICATION_NAME}-postgresql` | 1 126 | |============ 127 | 128 | 129 | ==== Pod Template 130 | 131 | 132 | 133 | 134 | ===== Image 135 | 136 | |============ 137 | |Deployment | Image 138 | 139 | |`${APPLICATION_NAME}` | `${APPLICATION_NAME}` 140 | |`${APPLICATION_NAME}-postgresql` | postgresql 141 | |============ 142 | 143 | 144 | 145 | ===== Readiness Probe 146 | 147 | 148 | .${APPLICATION_NAME} 149 | ---- 150 | /bin/bash -c /opt/eap/bin/readinessProbe.sh 151 | ---- 152 | 153 | .${APPLICATION_NAME}-postgresql 154 | ---- 155 | /bin/sh -i -c psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' 156 | ---- 157 | 158 | 159 | 160 | 161 | ===== Exposed Ports 162 | 163 | |============= 164 | |Deployments | Name | Port | Protocol 165 | 166 | .4+| `${APPLICATION_NAME}` 167 | |jolokia | 8778 | `TCP` 168 | |http | 8080 | `TCP` 169 | |https | 8443 | `TCP` 170 | |ping | 8888 | `TCP` 171 | .1+| `${APPLICATION_NAME}-postgresql` 172 | |-- | 5432 | `TCP` 173 | |============= 174 | 175 | 176 | 177 | ===== Image Environment Variables 178 | 179 | |======================================================================= 180 | |Deployment |Variable name |Description |Example value 181 | 182 | .20+| `${APPLICATION_NAME}` 183 | |`SSO_HOSTNAME` | Custom hostname for the RH-SSO server. | `${SSO_HOSTNAME}` 184 | |`DB_SERVICE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 185 | |`DB_JNDI` | Database JNDI name used by application to resolve the datasource, e.g. 
java:/jboss/datasources/postgresql | `${DB_JNDI}` 186 | |`DB_USERNAME` | Database user name | `${DB_USERNAME}` 187 | |`DB_PASSWORD` | Database user password | `${DB_PASSWORD}` 188 | |`DB_DATABASE` | Database name | `${DB_DATABASE}` 189 | |`TX_DATABASE_PREFIX_MAPPING` | -- | `${APPLICATION_NAME}-postgresql=DB` 190 | |`DB_MIN_POOL_SIZE` | Sets xa-pool/min-pool-size for the configured datasource. | `${DB_MIN_POOL_SIZE}` 191 | |`DB_MAX_POOL_SIZE` | Sets xa-pool/max-pool-size for the configured datasource. | `${DB_MAX_POOL_SIZE}` 192 | |`DB_TX_ISOLATION` | Sets transaction-isolation for the configured datasource. | `${DB_TX_ISOLATION}` 193 | |`JGROUPS_PING_PROTOCOL` | -- | dns.DNS_PING 194 | |`OPENSHIFT_DNS_PING_SERVICE_NAME` | -- | `${APPLICATION_NAME}-ping` 195 | |`OPENSHIFT_DNS_PING_SERVICE_PORT` | -- | 8888 196 | |X509_CA_BUNDLE | -- | `/var/run/configmaps/service-ca/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 197 | |`JGROUPS_CLUSTER_PASSWORD` | The password for the JGroups cluster. | `${JGROUPS_CLUSTER_PASSWORD}` 198 | |`SSO_ADMIN_USERNAME` | RH-SSO Server administrator username | `${SSO_ADMIN_USERNAME}` 199 | |`SSO_ADMIN_PASSWORD` | RH-SSO Server administrator password | `${SSO_ADMIN_PASSWORD}` 200 | |`SSO_REALM` | Realm to be created in the RH-SSO server (e.g. demorealm). | `${SSO_REALM}` 201 | |`SSO_SERVICE_USERNAME` | The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm. | `${SSO_SERVICE_USERNAME}` 202 | |`SSO_SERVICE_PASSWORD` | The password for the RH-SSO service user. | `${SSO_SERVICE_PASSWORD}` 203 | .6+| `${APPLICATION_NAME}-postgresql` 204 | |`POSTGRESQL_USER` | -- | `${DB_USERNAME}` 205 | |`POSTGRESQL_PASSWORD` | -- | `${DB_PASSWORD}` 206 | |`POSTGRESQL_DATABASE` | -- | `${DB_DATABASE}` 207 | |`POSTGRESQL_MAX_CONNECTIONS` | The maximum number of client connections allowed. This also sets the maximum number of prepared transactions.
| `${POSTGRESQL_MAX_CONNECTIONS}` 208 | |`POSTGRESQL_MAX_PREPARED_TRANSACTIONS` | -- | `${POSTGRESQL_MAX_CONNECTIONS}` 209 | |`POSTGRESQL_SHARED_BUFFERS` | Configures how much memory is dedicated to PostgreSQL for caching data. | `${POSTGRESQL_SHARED_BUFFERS}` 210 | |======================================================================= 211 | 212 | 213 | 214 | ===== Volumes 215 | 216 | |============= 217 | |Deployment |Name | mountPath | Purpose | readOnly 218 | 219 | |`${APPLICATION_NAME}` | sso-x509-https-volume | `/etc/x509/https` | -- | True 220 | |`${APPLICATION_NAME}-postgresql` | `${APPLICATION_NAME}-postgresql-pvol` | `/var/lib/pgsql/data` | postgresql | false 221 | |============= 222 | 223 | 224 | === External Dependencies 225 | 226 | 227 | ==== Volume Claims 228 | 229 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 230 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 231 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 232 | more information. 233 | 234 | |============= 235 | |Name | Access Mode 236 | 237 | |`${APPLICATION_NAME}-postgresql-claim` | ReadWriteOnce 238 | |============= 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | [[tls]] 248 | == TLS/SSL configuration 249 | 250 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On. 251 | 252 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. 
Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. 253 | 254 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 255 | 256 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 257 | -------------------------------------------------------------------------------- /release-notes.adoc.in: -------------------------------------------------------------------------------- 1 | 2 | //// 3 | the source for the release notes part of this page is in the file 4 | ./release-notes.adoc.in 5 | //// 6 | 7 | == Release Notes 8 | 9 | -------------------------------------------------------------------------------- /sso.adoc.in: -------------------------------------------------------------------------------- 1 | When deploying RH-SSO application template, *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* parameters denote the user name and password of the Red Hat Single Sign-On server’s administrator account to be created for the _master_ realm.
2 | 3 | *Both of these parameters are required.* If not specified, they are auto generated and displayed as an OpenShift Instructional message when the template is instantiated. 4 | -------------------------------------------------------------------------------- /template.adoc.in: -------------------------------------------------------------------------------- 1 | = {template} 2 | :toc: 3 | :toc-placement!: 4 | :toclevels: 5 5 | 6 | {description} 7 | 8 | toc::[] 9 | 10 | {#parameters} 11 | == Parameters 12 | 13 | Templates allow you to define parameters which take on a value. That value is then substituted wherever the parameter is referenced. 14 | References can be defined in any text field in the objects list field. Refer to the 15 | https://docs.openshift.org/latest/architecture/core_concepts/templates.html#parameters[Openshift documentation] for more information. 16 | 17 | |======================================================================= 18 | |Variable name |Image Environment Variable |Description |Example value |Required 19 | {parametertable} 20 | |======================================================================= 21 | {/parameters} 22 | 23 | {#objects} 24 | == Objects 25 | 26 | The CLI supports various object types. A list of these object types as well as their abbreviations 27 | can be found in the https://docs.openshift.org/latest/cli_reference/basic_cli_operations.html#object-types[Openshift documentation]. 28 | 29 | {#Service} 30 | === Services 31 | 32 | A service is an abstraction which defines a logical set of pods and a policy by which to access them. Refer to the 33 | https://cloud.google.com/container-engine/docs/services/[container-engine documentation] for more information. 
34 | 35 | |============= 36 | |Service |Port |Name | Description 37 | {table} 38 | |============= 39 | {/Service} 40 | 41 | {#Route} 42 | === Routes 43 | 44 | A route is a way to expose a service by giving it an externally-reachable hostname such as `www.example.com`. A defined route and the endpoints 45 | identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists 46 | of a route name, service selector, and (optionally) security configuration. Refer to the 47 | https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html[Openshift documentation] for more information. 48 | 49 | |============= 50 | | Service | Security | Hostname 51 | {table} 52 | |============= 53 | {/Route} 54 | 55 | {#BuildConfig} 56 | === Build Configurations 57 | 58 | A `buildConfig` describes a single build definition and a set of triggers for when a new build should be created. 59 | A `buildConfig` is a REST object, which can be used in a POST to the API server to create a new instance. Refer to 60 | the https://docs.openshift.com/enterprise/3.0/dev_guide/builds.html#defining-a-buildconfig[Openshift documentation] 61 | for more information. 62 | 63 | |============= 64 | | S2I image | link | Build output | BuildTriggers and Settings 65 | {table} 66 | |============= 67 | {/BuildConfig} 68 | 69 | === Deployment Configurations 70 | 71 | A deployment in OpenShift is a replication controller based on a user defined template called a deployment configuration. Deployments are created manually or in response to triggered events. 72 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/deployments.html#creating-a-deployment-configuration[Openshift documentation] for more information. 73 | 74 | {#triggers} 75 | ==== Triggers 76 | 77 | A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. 
Refer to the 78 | https://access.redhat.com/beta/documentation/en/openshift-enterprise-30-developer-guide#triggers[Openshift documentation] for more information. 79 | 80 | |============ 81 | |Deployment | Triggers 82 | {table} 83 | |============ 84 | {/triggers} 85 | 86 | {#replicas} 87 | ==== Replicas 88 | 89 | A replication controller ensures that a specified number of pod "replicas" are running at any one time. 90 | If there are too many, the replication controller kills some pods. If there are too few, it starts more. 91 | Refer to the https://cloud.google.com/container-engine/docs/replicationcontrollers/[container-engine documentation] 92 | for more information. 93 | 94 | |============ 95 | |Deployment | Replicas 96 | {table} 97 | |============ 98 | {/replicas} 99 | 100 | ==== Pod Template 101 | 102 | {#serviceAccountName} 103 | ===== Service Accounts 104 | 105 | Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. Refer to the 106 | https://docs.openshift.com/enterprise/3.0/dev_guide/service_accounts.html#managing-service-accounts[Openshift documentation] for more 107 | information. 
108 | 109 | |============ 110 | |Deployment | Service Account 111 | {table} 112 | |============ 113 | {/serviceAccountName} 114 | 115 | {#image} 116 | ===== Image 117 | 118 | |============ 119 | |Deployment | Image 120 | {table} 121 | |============ 122 | {/image} 123 | 124 | {#readinessProbe} 125 | ===== Readiness Probe 126 | 127 | {table} 128 | {/readinessProbe} 129 | 130 | {#ports} 131 | ===== Exposed Ports 132 | 133 | |============= 134 | |Deployments | Name | Port | Protocol 135 | {table} 136 | |============= 137 | {/ports} 138 | 139 | {#env} 140 | ===== Image Environment Variables 141 | 142 | |======================================================================= 143 | |Deployment |Variable name |Description |Example value 144 | {table} 145 | |======================================================================= 146 | {/env} 147 | 148 | {#volumes} 149 | ===== Volumes 150 | 151 | |============= 152 | |Deployment |Name | mountPath | Purpose | readOnly 153 | {table} 154 | |============= 155 | {/volumes} 156 | 157 | === External Dependencies 158 | 159 | {#PersistentVolumeClaim} 160 | ==== Volume Claims 161 | 162 | A `PersistentVolume` object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator 163 | by creating `PersistentVolume` objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. 164 | Refer to the https://docs.openshift.com/enterprise/3.0/dev_guide/persistent_volumes.html#overview[Openshift documentation] for 165 | more information. 166 | 167 | |============= 168 | |Name | Access Mode 169 | {table} 170 | |============= 171 | 172 | {/PersistentVolumeClaim} 173 | 174 | {#secrets} 175 | ==== Secrets 176 | 177 | This template requires link:../secrets/{secretName}.adoc[{secretFile}] 178 | to be installed for the application to run. 
179 | {/secrets} 180 | 181 | {#clustering} 182 | [[clustering]] 183 | ==== Clustering 184 | 185 | Clustering in OpenShift is achieved through one of two discovery mechanisms: 186 | Kubernetes or DNS. This is done by configuring the JGroups protocol stack in 187 | standalone-openshift.xml with either the `KUBE_PING` or the `DNS_PING` 188 | element. The templates are configured to use `DNS_PING`; however, `KUBE_PING` is 189 | the default used by the image. 190 | 191 | The discovery mechanism used is specified by the `JGROUPS_PING_PROTOCOL` environment 192 | variable which can be set to either `dns.DNS_PING` or `kubernetes.KUBE_PING`. 193 | `kubernetes.KUBE_PING` is the default used by the image if no value is specified 194 | for `JGROUPS_PING_PROTOCOL`. 195 | 196 | For `DNS_PING` to work on an IPv4 or IPv6 single-stack cluster, the following steps must be taken: 197 | 198 | . The `OPENSHIFT_DNS_PING_SERVICE_NAME` environment variable must be set to the 199 | name of the ping service for the cluster (see table above). If not set, the 200 | server will act as if it is a single-node cluster (a "cluster of one"). 201 | . The `OPENSHIFT_DNS_PING_SERVICE_PORT` environment variable should be set to 202 | the port number on which the ping service is exposed (see table above). The 203 | `DNS_PING` protocol will attempt to discern the port from the SRV records, if 204 | it can, otherwise it will default to 8888. 205 | . A ping service which exposes the ping port must be defined. This service 206 | should be "headless" (ClusterIP=None) and must have the following: 207 | .. The port must be named for port discovery to work. 208 | .. The `spec.publishNotReadyAddresses` field of this service must be set to 209 | `"true"`. Omitting this boolean will result in each node 210 | forming its own "cluster of one" during startup, then merging its 211 | cluster into the other nodes' clusters after startup (as the other nodes are 212 | not detected until after they have started).
213 | 214 | .Example definition of a ping service for use with DNS_PING on a single-stack (IPv4 or IPv6) cluster 215 | [source,yaml] 216 | ---- 217 | kind: Service 218 | apiVersion: v1 219 | spec: 220 | clusterIP: None 221 | ipFamilyPolicy: SingleStack 222 | ports: 223 | - name: ping 224 | port: 8888 225 | publishNotReadyAddresses: true 226 | selector: 227 | deploymentConfig: sso 228 | metadata: 229 | name: sso-ping 230 | annotations: 231 | description: "The JGroups ping port for clustering." 232 | ---- 233 | 234 | *Moreover, for `DNS_PING` to also work on dual-stack clusters* that support both IPv4 and IPv6 235 | address families, the `spec.ipFamilyPolicy` field of the ping service for the cluster (see table 236 | above) must be set to `PreferDualStack` or `RequireDualStack`. This ensures the control plane 237 | assigns both IPv4 and IPv6 cluster IP addresses for the ping service on clusters that have dual-stack 238 | configured, enabling reverse DNS lookups for both IPv4 and IPv6 IP addresses to work properly, 239 | and creating corresponding DNS SRV records for the ping headless service: 240 | 241 | .Example of ping service DNS SRV records on a dual-stack configured cluster with `spec.ipFamilyPolicy` matching `PreferDualStack` 242 | [source,bash] 243 | ---- 244 | $ host -t SRV "${OPENSHIFT_DNS_PING_SERVICE_NAME}" 245 | sso-ping.dual-stack-demo.svc.cluster.local has SRV record 0 50 8888 10-128-0-239.sso-ping.dual-stack-demo.svc.cluster.local. 246 | sso-ping.dual-stack-demo.svc.cluster.local has SRV record 0 50 8888 fd01-0-0-1--b8.sso-ping.dual-stack-demo.svc.cluster.local.
247 | ---- 248 | 249 | .Example definition of a ping service for use with DNS_PING on dual-stack (IPv4 and IPv6) cluster 250 | [source,yaml] 251 | ---- 252 | kind: Service 253 | apiVersion: v1 254 | spec: 255 | clusterIP: None 256 | ipFamilyPolicy: PreferDualStack 257 | ports: 258 | - name: ping 259 | port: 8888 260 | publishNotReadyAddresses: true 261 | selector: 262 | deploymentConfig: sso 263 | metadata: 264 | name: sso-ping 265 | annotations: 266 | description: "The JGroups ping port for clustering." 267 | ---- 268 | 269 | For `KUBE_PING` to work, the following steps must be taken: 270 | 271 | . The `KUBERNETES_NAMESPACE` environment variable must be set (see table above). 272 | If not set, the server will act as if it is a single-node cluster (a "cluster of one"). 273 | . The `KUBERNETES_LABELS` environment variable should be set (see table above). 274 | If not set, pods outside of your application (albeit in your namespace) will try to join. 275 | . Authorization must be granted to the service account the pod is running under to be 276 | allowed to access the Kubernetes REST API. This is done on the command line. 277 | 278 | .Policy commands 279 | ==== 280 | Using the default service account in the myproject namespace: 281 | .... 282 | oc policy add-role-to-user view system:serviceaccount:myproject:default -n myproject 283 | .... 284 | Using the sso-service-account in the myproject namespace: 285 | .... 286 | oc policy add-role-to-user view system:serviceaccount:myproject:sso-service-account -n myproject 287 | .... 288 | ==== 289 | {/clustering} 290 | {/objects} 291 | 292 | [[tls]] 293 | == TLS/SSL configuration 294 | 295 | Red Hat Single Sign-On server can be configured to use TLS for handling incoming connections (also known as Key Store) and outgoing connections (also known as Trust Store). The configuration uses an automated script to convert a key or a certificate from PEM format into JKS, which is then consumed by Red Hat Single Sign-On.
296 | 297 | The Key Store configuration requires a secret (or a volume), containing the key in PEM format, mounted at `/etc/x509/https`. The name of the file that holds the key is `tls.key` by default. Typically, a key is link:https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets[created by OpenShift and mounted as a secret.] The `sso-*-x509-https.json` template contains an example of such a configuration. 298 | 299 | The Trust Store configuration uses certificates in PEM format. They should be mounted somewhere in the Pod and the `X509_CA_BUNDLE` variable should point to them. A typical example is using the CA bundle provided by OpenShift - `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The `X509_CA_BUNDLE` variable might be configured to point to a custom file system path within the Pod, containing the set of CA certificates to use. The space (` `) character is used as a separator for specifying multiple CA bundles. 300 | 301 | TIP: With the current implementation it is possible to use `X509_CA_BUNDLE` along with `SSO_TRUSTSTORE_*`. However, the current implementation favors the `X509_CA_BUNDLE` variable and in some cases, `SSO_TRUSTSTORE_*` might be ignored. This behavior is implementation dependent and may change in the future. 302 | -------------------------------------------------------------------------------- /templates/scripts/README.adoc: -------------------------------------------------------------------------------- 1 | # gen_template_doc.py 2 | 3 | Original Authors: Kyle Liberti , Jonathan Dowland 4 | Description: Generates application-template documentation by cloning the application-template 5 | repository, then translating information from template JSON files into 6 | template asciidoctor files, and stores them in a directory (specified by the 7 | TEMPLATE_DOCS variable).
8 | 9 | # Recreating the templates documentation 10 | 11 | ## Python 2.X required 12 | Requires: Python 2.X for now. Python 3.X isn't supported yet (patches welcome). 13 | 14 | ## Install the required modules 15 | [source, bash] 16 | ---- 17 | $ pip2 install -r requirements.txt 18 | ---- 19 | 20 | ## To recreate the templates documentation run the script 21 | [source, bash] 22 | ---- 23 | $ ./gen_template_docs.py 24 | ---- 25 | 26 | A successful run of the script should produce output similar to the following: 27 | [source,bash] 28 | ---- 29 | $ ./gen_template_docs.py 30 | Generating docs/templates/passthrough/sso76-https.adoc... 31 | Generating docs/templates/passthrough/sso76-postgresql-persistent.adoc... 32 | Generating docs/templates/passthrough/sso76-postgresql.adoc... 33 | Generating docs/templates/reencrypt/ocp-3.x/sso76-ocp3-x509-https.adoc... 34 | Generating docs/templates/reencrypt/ocp-3.x/sso76-ocp3-x509-postgresql-persistent.adoc... 35 | Generating docs/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.adoc... 36 | Generating docs/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.adoc... 37 | ---- 38 | 39 | ## Then add the produced docs/templates/*.adoc files to the git index and commit the change 40 | -------------------------------------------------------------------------------- /templates/scripts/requirements.txt: -------------------------------------------------------------------------------- 1 | ptemplate==0.1.2 2 | -------------------------------------------------------------------------------- /templates/sso76-image-stream.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "List", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "sso76-image-streams", 6 | "annotations": { 7 | "description": "ImageStream definitions for Red Hat Single Sign-On 7.6 on OpenJDK.", 8 | "openshift.io/provider-display-name": "Red Hat, Inc." 
9 | } 10 | }, 11 | "items": [ 12 | { 13 | "kind": "ImageStream", 14 | "apiVersion": "image.openshift.io/v1", 15 | "metadata": { 16 | "name": "postgresql13-for-sso76-openshift-rhel8", 17 | "creationTimestamp": null, 18 | "annotations": { 19 | "openshift.io/display-name": "PostgreSQL" 20 | } 21 | }, 22 | "spec": { 23 | "lookupPolicy": { 24 | "local": false 25 | }, 26 | "tags": [ 27 | { 28 | "name": "13-el8", 29 | "annotations": { 30 | "description": "Provides a PostgreSQL 13 database on RHEL 8. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/blob/master/README.md.", 31 | "iconClass": "icon-postgresql", 32 | "openshift.io/display-name": "PostgreSQL 13 (RHEL 8)", 33 | "openshift.io/provider-display-name": "Red Hat, Inc.", 34 | "tags": "database,postgresql", 35 | "version": "13" 36 | }, 37 | "from": { 38 | "kind": "DockerImage", 39 | "name": "registry.redhat.io/rhel8/postgresql-13:latest" 40 | }, 41 | "generation": null, 42 | "importPolicy": {}, 43 | "referencePolicy": { 44 | "type": "Local" 45 | } 46 | } 47 | ] 48 | } 49 | }, 50 | { 51 | "kind": "ImageStream", 52 | "apiVersion": "image.openshift.io/v1", 53 | "metadata": { 54 | "name": "sso76-openshift-rhel8", 55 | "annotations": { 56 | "description": "Red Hat Single Sign-On 7.6 on OpenJDK", 57 | "openshift.io/display-name": "Red Hat Single Sign-On 7.6 on OpenJDK", 58 | "openshift.io/provider-display-name": "Red Hat, Inc.", 59 | "version": "7.6.7.GA" 60 | } 61 | }, 62 | "labels": { 63 | "rhsso": "7.6.7.GA" 64 | }, 65 | "spec": { 66 | "tags": [ 67 | { 68 | "name": "latest", 69 | "from": { 70 | "kind": "ImageStreamTag", 71 | "name": "7.6" 72 | } 73 | }, 74 | { 75 | "name": "7.6", 76 | "annotations": { 77 | "description": "Red Hat Single Sign-On 7.6 on OpenJDK image", 78 | "iconClass": "icon-sso", 79 | "tags": "sso,keycloak,redhat,hidden", 80 | "supports": "sso:7.6", 81 | "version": "1.0", 82 | "openshift.io/display-name": "Red Hat 
Single Sign-On 7.6 on OpenJDK" 83 | }, 84 | "referencePolicy": { 85 | "type": "Local" 86 | }, 87 | "from": { 88 | "kind": "DockerImage", 89 | "name": "registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6" 90 | } 91 | } 92 | ] 93 | } 94 | } 95 | ] 96 | } 97 | --------------------------------------------------------------------------------