kind: Template apiVersion: v1 metadata: annotations: iconClass: icon-sso tags: 'sso,keycloak,jboss' version: 1.4.7 openshift.io/display-name: 'Single Sign-On 7.1 (development mode)' openshift.io/provider-display-name: 'Red Hat, Inc.' description: 'A self-containing Red Hat SSO application with a PostgreSQL database. For more information about using this template, see https://github.com/jboss-openshift/application-templates.' template.openshift.io/long-description: 'This template defines resources needed to develop Red Hat Single Sign-On 7.1 server based deployment and deployment configuration for PostgreSQL using persistence.' template.openshift.io/documentation-url: 'https://access.redhat.com/documentation/en/red-hat-single-sign-on/' template.openshift.io/support-url: 'https://access.redhat.com' name: sso71-allinone labels: template: sso71-allinone xpaas: 1.4.7 message: 'A new persistent SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database "${DB_DATABASE}" is ${DB_USERNAME}/${DB_PASSWORD}.' parameters: - displayName: 'Application Name' description: 'The name for the application.' name: APPLICATION_NAME value: sso required: true - displayName: 'Custom http Route Hostname' description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: ..' name: SSO_HOSTNAME value: "" required: false - displayName: 'The password that protects the Keystores' description: 'The password for the keystores and certificates (auto-generated)' name: SSO_KEYSTORE_PASSWORD generate: expression from: '[a-zA-Z0-9]{8}' required: true - displayName: 'Database JNDI Name' description: 'Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql' name: DB_JNDI value: 'java:jboss/datasources/KeycloakDS' required: false - displayName: 'Database Name' description: 'Database name' name: DB_DATABASE value: sso required: true - displayName: 'Datasource Minimum Pool Size' description: 'Sets xa-pool/min-pool-size for the configured datasource.' name: DB_MIN_POOL_SIZE required: false - displayName: 'Datasource Maximum Pool Size' description: 'Sets xa-pool/max-pool-size for the configured datasource.' name: DB_MAX_POOL_SIZE required: false - displayName: 'Datasource Transaction Isolation' description: 'Sets transaction-isolation for the configured datasource.' name: DB_TX_ISOLATION required: false - displayName: 'PostgreSQL Maximum number of connections' description: 'The maximum number of client connections allowed. This also sets the maximum number of prepared transactions.' name: POSTGRESQL_MAX_CONNECTIONS required: false - displayName: 'PostgreSQL Shared Buffers' description: 'Configures how much memory is dedicated to PostgreSQL for caching data.' name: POSTGRESQL_SHARED_BUFFERS required: false - displayName: 'Database Username' description: 'Database user name' name: DB_USERNAME value: sso required: true - displayName: 'Database Password' description: 'Database user password' name: DB_PASSWORD from: '[a-zA-Z0-9]{8}' generate: expression required: true - displayName: 'Database Volume Capacity' description: 'Size of persistent storage for database volume.' name: VOLUME_CAPACITY value: 1Gi required: true - displayName: 'JGroups Cluster Password' description: 'JGroups cluster password' name: JGROUPS_CLUSTER_PASSWORD from: '[a-zA-Z0-9]{8}' generate: expression required: true - displayName: 'ImageStream Namespace' description: 'Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you''ve installed the ImageStreams in a different namespace/project.' name: IMAGE_STREAM_NAMESPACE value: openshift required: true - displayName: 'SSO Admin Username' description: 'SSO Server admin username' name: SSO_ADMIN_USERNAME value: 'admin' required: true - displayName: 'SSO Admin Password' description: 'SSO Server admin password' name: SSO_ADMIN_PASSWORD from: '[a-zA-Z0-9]{8}' generate: expression required: true - displayName: 'SSO Realm' description: 'Realm to be created in the SSO server (e.g. demo).' name: SSO_REALM value: "" required: false - displayName: 'SSO Service Username' description: 'The username used to access the SSO service. This is used by clients to create the appliction client(s) within the specified SSO realm.' name: SSO_SERVICE_USERNAME value: "" required: false - displayName: 'SSO Service Password' description: 'The password for the SSO service user.' name: SSO_SERVICE_PASSWORD value: "" required: false - displayName: 'PostgreSQL Image Stream Tag' description: 'The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL.' name: POSTGRESQL_IMAGE_STREAM_TAG value: '9.5' required: true - description: 'Container memory limit' name: MEMORY_LIMIT value: 1Gi required: false objects: ## ## Route and Services ## - kind: Service apiVersion: v1 spec: ports: - name: http port: 8080 targetPort: 8080 - name: https port: 8443 targetPort: 8443 selector: deploymentConfig: '${APPLICATION_NAME}' metadata: name: '${APPLICATION_NAME}' labels: application: '${APPLICATION_NAME}' annotations: description: 'The web server''s http/https ports.' service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]' service.alpha.openshift.io/serving-cert-secret-name: '${APPLICATION_NAME}-https-secret' - kind: Service apiVersion: v1 spec: ports: - name: postgresql port: 5432 targetPort: 5432 selector: deploymentConfig: '${APPLICATION_NAME}-postgresql' metadata: name: '${APPLICATION_NAME}-postgresql' labels: application: '${APPLICATION_NAME}' annotations: description: 'The database server''s port.' - kind: Route apiVersion: v1 id: '${APPLICATION_NAME}' metadata: name: '${APPLICATION_NAME}' labels: application: '${APPLICATION_NAME}' annotations: description: 'Route for application''s https service.' spec: host: '${SSO_HOSTNAME}' port: targetPort: https to: kind: Service name: '${APPLICATION_NAME}' port: tls: termination: reencrypt insecureEdgeTerminationPolicy: Redirect ## ## Persistence ## - apiVersion: v1 kind: PersistentVolumeClaim metadata: name: '${APPLICATION_NAME}-database' labels: application: '${APPLICATION_NAME}' spec: accessModes: - ReadWriteOnce resources: requests: storage: '${VOLUME_CAPACITY}' ## ## Service Accounts, Secrets and Role Bindings ## - apiVersion: v1 kind: ServiceAccount metadata: name: '${APPLICATION_NAME}' labels: application: '${APPLICATION_NAME}' secrets: - name: '${APPLICATION_NAME}-https-secret' - apiVersion: v1 kind: RoleBinding metadata: name: '${APPLICATION_NAME}-can-read-project' labels: application: '${APPLICATION_NAME}' roleRef: name: view subjects: - kind: ServiceAccount name: '${APPLICATION_NAME}' ## ## Deploy RH-SSO ## - kind: DeploymentConfig apiVersion: v1 metadata: name: '${APPLICATION_NAME}' labels: application: '${APPLICATION_NAME}' spec: strategy: type: Recreate recreateParams: pre: failurePolicy: Abort execNewPod: containerName: '${APPLICATION_NAME}' command: - /usr/bin/keytool - -genseckey - -alias - jgroups - -keystore - /etc/eap-secret-volume/jgroups.jceks - -keyalg - Blowfish - -keysize - "56" - -storetype - JCEKS - -keypass - '${SSO_KEYSTORE_PASSWORD}' - -storepass - '${SSO_KEYSTORE_PASSWORD}' volumes: - '${APPLICATION_NAME}-eap-secrets' triggers: - type: ImageChange imageChangeParams: automatic: true containerNames: - '${APPLICATION_NAME}' from: kind: ImageStreamTag namespace: '${IMAGE_STREAM_NAMESPACE}' name: 'redhat-sso71-openshift:1.2' - type: ConfigChange replicas: 1 selector: deploymentConfig: '${APPLICATION_NAME}' template: metadata: name: '${APPLICATION_NAME}' labels: deploymentConfig: '${APPLICATION_NAME}' application: '${APPLICATION_NAME}' spec: serviceAccountName: '${APPLICATION_NAME}' terminationGracePeriodSeconds: 75 initContainers: - name: openshift-ca-pemtokeystore image: syndesis/pemtokeystore:v0.2.1 imagePullPolicy: IfNotPresent args: - -keystore - /etc/eap-secret-volume/keystore.jks - -ca-file - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - -ca-file - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - -cert-file - tls=/etc/openshift-secret-volume/tls.crt - -key-file - tls=/etc/openshift-secret-volume/tls.key - -keystore-password - '${SSO_KEYSTORE_PASSWORD}' volumeMounts: - name: "${APPLICATION_NAME}-openshift-secret" mountPath: "/etc/openshift-secret-volume" - name: '${APPLICATION_NAME}-eap-secrets' mountPath: "/etc/eap-secret-volume" resources: limits: memory: 255Mi requests: memory: 20Mi containers: - name: '${APPLICATION_NAME}' image: ' ' imagePullPolicy: Always resources: limits: memory: '${MEMORY_LIMIT}' volumeMounts: - name: '${APPLICATION_NAME}-eap-secrets' mountPath: /etc/eap-secret-volume # Workaround for a bug on overlayfs2 # See https://github.com/openshift/openshift-ansible/issues/2823 - name: '${APPLICATION_NAME}-eap-configuration' mountPath: /opt/eap/standalone/configuration/standalone_xml_history/ lifecycle: preStop: exec: command: - /opt/eap/bin/jboss-cli.sh - '-c' - ':shutdown(timeout=60)' livenessProbe: exec: command: - /bin/bash - '-c' - /opt/eap/bin/livenessProbe.sh initialDelaySeconds: 60 readinessProbe: exec: command: - /bin/bash - '-c' - /opt/eap/bin/readinessProbe.sh ports: - name: jolokia containerPort: 8778 protocol: TCP - name: http containerPort: 8080 protocol: TCP - name: https containerPort: 8443 protocol: TCP - name: ping containerPort: 8888 protocol: TCP env: - name: DB_SERVICE_PREFIX_MAPPING value: '${APPLICATION_NAME}-postgresql=DB' - name: DB_JNDI value: '${DB_JNDI}' - name: DB_USERNAME value: '${DB_USERNAME}' - name: DB_PASSWORD value: '${DB_PASSWORD}' - name: DB_DATABASE value: '${DB_DATABASE}' - name: TX_DATABASE_PREFIX_MAPPING value: '${APPLICATION_NAME}-postgresql=DB' - name: DB_MIN_POOL_SIZE value: '${DB_MIN_POOL_SIZE}' - name: DB_MAX_POOL_SIZE value: '${DB_MAX_POOL_SIZE}' - name: DB_TX_ISOLATION value: '${DB_TX_ISOLATION}' - name: OPENSHIFT_KUBE_PING_LABELS value: 'application=${APPLICATION_NAME}' - name: OPENSHIFT_KUBE_PING_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: HTTPS_KEYSTORE_DIR value: /etc/eap-secret-volume - name: HTTPS_KEYSTORE value: 'keystore.jks' - name: HTTPS_KEYSTORE_TYPE value: 'JKS' - name: HTTPS_NAME value: 'tls' - name: HTTPS_PASSWORD value: '${SSO_KEYSTORE_PASSWORD}' - name: JGROUPS_ENCRYPT_SECRET value: '${SSO_KEYSTORE_PASSWORD}' - name: JGROUPS_ENCRYPT_KEYSTORE_DIR value: /etc/eap-secret-volume - name: JGROUPS_ENCRYPT_KEYSTORE value: jgroups.jceks - name: JGROUPS_ENCRYPT_NAME value: jgroups - name: JGROUPS_ENCRYPT_KEYSTORE value: '${SSO_KEYSTORE_PASSWORD}' - name: JGROUPS_CLUSTER_PASSWORD value: '${JGROUPS_CLUSTER_PASSWORD}' - name: SSO_ADMIN_USERNAME value: '${SSO_ADMIN_USERNAME}' - name: SSO_ADMIN_PASSWORD value: '${SSO_ADMIN_PASSWORD}' - name: SSO_REALM value: '${SSO_REALM}' - name: SSO_SERVICE_USERNAME value: '${SSO_SERVICE_USERNAME}' - name: SSO_SERVICE_PASSWORD value: '${SSO_SERVICE_PASSWORD}' - name: SSO_TRUSTSTORE value: 'keystore.jks' - name: SSO_TRUSTSTORE_DIR value: /etc/eap-secret-volume - name: SSO_TRUSTSTORE_PASSWORD value: '${SSO_KEYSTORE_PASSWORD}' volumes: - name: '${APPLICATION_NAME}-openshift-secret' secret: secretName: '${APPLICATION_NAME}-https-secret' - name: '${APPLICATION_NAME}-eap-secrets' emptyDir: {} # Workaround for a bug on overlayfs2 # See https://github.com/openshift/openshift-ansible/issues/2823 - name: '${APPLICATION_NAME}-eap-configuration' emptyDir: {} ## ## Deploy PostgreSQL ## - kind: DeploymentConfig apiVersion: v1 metadata: name: '${APPLICATION_NAME}-postgresql' labels: application: '${APPLICATION_NAME}' spec: strategy: type: Recreate triggers: - type: ImageChange imageChangeParams: automatic: true containerNames: - '${APPLICATION_NAME}-postgresql' from: kind: ImageStreamTag namespace: '${IMAGE_STREAM_NAMESPACE}' name: 'postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}' - type: ConfigChange replicas: 1 selector: deploymentConfig: '${APPLICATION_NAME}-postgresql' template: metadata: name: '${APPLICATION_NAME}-postgresql' labels: deploymentConfig: '${APPLICATION_NAME}-postgresql' application: '${APPLICATION_NAME}' spec: terminationGracePeriodSeconds: 60 containers: - name: '${APPLICATION_NAME}-postgresql' image: postgresql imagePullPolicy: Always ports: - name: postgresql containerPort: 5432 protocol: TCP volumeMounts: - mountPath: /var/lib/pgsql/data name: '${APPLICATION_NAME}-postgresql-pvol' env: - name: POSTGRESQL_USER value: '${DB_USERNAME}' - name: POSTGRESQL_PASSWORD value: '${DB_PASSWORD}' - name: POSTGRESQL_DATABASE value: '${DB_DATABASE}' - name: POSTGRESQL_MAX_CONNECTIONS value: '${POSTGRESQL_MAX_CONNECTIONS}' - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS value: '${POSTGRESQL_MAX_CONNECTIONS}' - name: POSTGRESQL_SHARED_BUFFERS value: '${POSTGRESQL_SHARED_BUFFERS}' volumes: - name: '${APPLICATION_NAME}-postgresql-pvol' persistentVolumeClaim: claimName: '${APPLICATION_NAME}-database'