
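---
# OpenShift Template "sso71-allinone": Red Hat Single Sign-On 7.1 (development
# mode) plus a persistent PostgreSQL database, derived from the upstream
# jboss-openshift application-templates.
#
# Indentation was restored from a flattened copy. Two content fixes besides
# that:
#   * the SSO container set the env var JGROUPS_ENCRYPT_KEYSTORE twice (file
#     name, then the keystore password); the second entry is now
#     JGROUPS_ENCRYPT_PASSWORD, which is what the image reads for the JGroups
#     ENCRYPT keystore password — with the duplicate, the keystore name was
#     overwritten by the password and no password was ever supplied;
#   * a stray bare `port:` key in the Route spec (null value; either a
#     duplicate of spec.port that would have overridden targetPort, or an
#     unknown field under `to`) was dropped.
kind: Template
apiVersion: v1
metadata:
  annotations:
    iconClass: icon-sso
    tags: 'sso,keycloak,jboss'
    version: '1.4.7'
    openshift.io/display-name: 'Single Sign-On 7.1 (development mode)'
    openshift.io/provider-display-name: 'Red Hat, Inc.'
    description: 'A self-containing Red Hat SSO application with a PostgreSQL database. For more information about using this template, see https://github.com/jboss-openshift/application-templates.'
    template.openshift.io/long-description: 'This template defines resources needed to develop Red Hat Single Sign-On 7.1 server based deployment and deployment configuration for PostgreSQL using persistence.'
    template.openshift.io/documentation-url: 'https://access.redhat.com/documentation/en/red-hat-single-sign-on/'
    template.openshift.io/support-url: 'https://access.redhat.com'
  name: sso71-allinone
# Labels applied to every object created from this template.
labels:
  template: sso71-allinone
  xpaas: '1.4.7'
# Shown to the user after processing; it echoes the generated credentials,
# so the template output should be treated as sensitive.
message: 'A new persistent SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database "${DB_DATABASE}" is ${DB_USERNAME}/${DB_PASSWORD}.'

# Template parameters. Every password below is auto-generated as 8 alphanumeric
# characters ([a-zA-Z0-9]{8}), which is the upstream default for a development
# template; raise the length before reusing this outside development.
parameters:
  - displayName: 'Application Name'
    description: 'The name for the application.'
    name: APPLICATION_NAME
    value: sso
    required: true
  - displayName: 'Custom http Route Hostname'
    description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>.<project>.<default-domain-suffix>'
    name: SSO_HOSTNAME
    value: ""
    required: false
  # One password protects the HTTPS keystore, the JGroups keystore and the
  # truststore (see the HTTPS_PASSWORD / JGROUPS_ENCRYPT_* / SSO_TRUSTSTORE_*
  # env vars on the SSO container).
  - displayName: 'The password that protects the Keystores'
    description: 'The password for the keystores and certificates (auto-generated)'
    name: SSO_KEYSTORE_PASSWORD
    generate: expression
    from: '[a-zA-Z0-9]{8}'
    required: true
  - displayName: 'Database JNDI Name'
    description: 'Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql'
    name: DB_JNDI
    value: 'java:jboss/datasources/KeycloakDS'
    required: false
  - displayName: 'Database Name'
    description: 'Database name'
    name: DB_DATABASE
    value: sso
    required: true
  - displayName: 'Datasource Minimum Pool Size'
    description: 'Sets xa-pool/min-pool-size for the configured datasource.'
    name: DB_MIN_POOL_SIZE
    required: false
  - displayName: 'Datasource Maximum Pool Size'
    description: 'Sets xa-pool/max-pool-size for the configured datasource.'
    name: DB_MAX_POOL_SIZE
    required: false
  - displayName: 'Datasource Transaction Isolation'
    description: 'Sets transaction-isolation for the configured datasource.'
    name: DB_TX_ISOLATION
    required: false
  - displayName: 'PostgreSQL Maximum number of connections'
    description: 'The maximum number of client connections allowed. This also sets the maximum number of prepared transactions.'
    name: POSTGRESQL_MAX_CONNECTIONS
    required: false
  - displayName: 'PostgreSQL Shared Buffers'
    description: 'Configures how much memory is dedicated to PostgreSQL for caching data.'
    name: POSTGRESQL_SHARED_BUFFERS
    required: false
  - displayName: 'Database Username'
    description: 'Database user name'
    name: DB_USERNAME
    value: sso
    required: true
  - displayName: 'Database Password'
    description: 'Database user password'
    name: DB_PASSWORD
    from: '[a-zA-Z0-9]{8}'
    generate: expression
    required: true
  - displayName: 'Database Volume Capacity'
    description: 'Size of persistent storage for database volume.'
    name: VOLUME_CAPACITY
    value: 1Gi
    required: true
  - displayName: 'JGroups Cluster Password'
    description: 'JGroups cluster password'
    name: JGROUPS_CLUSTER_PASSWORD
    from: '[a-zA-Z0-9]{8}'
    generate: expression
    required: true
  - displayName: 'ImageStream Namespace'
    description: 'Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you''ve installed the ImageStreams in a different namespace/project.'
    name: IMAGE_STREAM_NAMESPACE
    value: openshift
    required: true
  - displayName: 'SSO Admin Username'
    description: 'SSO Server admin username'
    name: SSO_ADMIN_USERNAME
    value: 'admin'
    required: true
  - displayName: 'SSO Admin Password'
    description: 'SSO Server admin password'
    name: SSO_ADMIN_PASSWORD
    from: '[a-zA-Z0-9]{8}'
    generate: expression
    required: true
  - displayName: 'SSO Realm'
    description: 'Realm to be created in the SSO server (e.g. demo).'
    name: SSO_REALM
    value: ""
    required: false
  - displayName: 'SSO Service Username'
    description: 'The username used to access the SSO service. This is used by clients to create the appliction client(s) within the specified SSO realm.'
    name: SSO_SERVICE_USERNAME
    value: ""
    required: false
  - displayName: 'SSO Service Password'
    description: 'The password for the SSO service user.'
    name: SSO_SERVICE_PASSWORD
    value: ""
    required: false
  - displayName: 'PostgreSQL Image Stream Tag'
    description: 'The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL.'
    name: POSTGRESQL_IMAGE_STREAM_TAG
    value: '9.5'
    required: true
  - description: 'Container memory limit'
    name: MEMORY_LIMIT
    value: 1Gi
    required: false

objects:
  ##
  ## Route and Services
  ##
  # SSO service. The serving-cert-secret-name annotation asks OpenShift to
  # issue a service-signed TLS certificate into the named secret; the init
  # container below turns that secret into the HTTPS keystore.
  - kind: Service
    apiVersion: v1
    spec:
      ports:
        - name: http
          port: 8080
          targetPort: 8080
        - name: https
          port: 8443
          targetPort: 8443
      selector:
        deploymentConfig: '${APPLICATION_NAME}'
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
      annotations:
        description: 'The web server''s http/https ports.'
        service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]'
        service.alpha.openshift.io/serving-cert-secret-name: '${APPLICATION_NAME}-https-secret'
  # Database service, reachable only inside the cluster (no Route).
  - kind: Service
    apiVersion: v1
    spec:
      ports:
        - name: postgresql
          port: 5432
          targetPort: 5432
      selector:
        deploymentConfig: '${APPLICATION_NAME}-postgresql'
    metadata:
      name: '${APPLICATION_NAME}-postgresql'
      labels:
        application: '${APPLICATION_NAME}'
      annotations:
        description: 'The database server''s port.'
  # External route: TLS is terminated at the router and re-encrypted to the
  # pod's https port; plain-http requests are redirected to https.
  - kind: Route
    apiVersion: v1
    id: '${APPLICATION_NAME}'
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
      annotations:
        description: 'Route for application''s https service.'
    spec:
      host: '${SSO_HOSTNAME}'
      port:
        targetPort: https
      to:
        kind: Service
        name: '${APPLICATION_NAME}'
      tls:
        termination: reencrypt
        insecureEdgeTerminationPolicy: Redirect
  ##
  ## Persistence
  ##
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: '${APPLICATION_NAME}-database'
      labels:
        application: '${APPLICATION_NAME}'
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: '${VOLUME_CAPACITY}'
  ##
  ## Service Accounts, Secrets and Role Bindings
  ##
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
    secrets:
      - name: '${APPLICATION_NAME}-https-secret'
  # The SSO pod's service account gets the project-scoped `view` role, which
  # OPENSHIFT_KUBE_PING_* (pod discovery for JGroups clustering) needs.
  - apiVersion: v1
    kind: RoleBinding
    metadata:
      name: '${APPLICATION_NAME}-can-read-project'
      labels:
        application: '${APPLICATION_NAME}'
    roleRef:
      name: view
    subjects:
      - kind: ServiceAccount
        name: '${APPLICATION_NAME}'
  ##
  ## Deploy RH-SSO
  ##
  - kind: DeploymentConfig
    apiVersion: v1
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
    spec:
      strategy:
        type: Recreate
        recreateParams:
          # Pre-deployment hook: generate the JGroups ENCRYPT keystore with
          # keytool. The 56-bit Blowfish key is the upstream template default
          # and is weak by current standards.
          # NOTE(review): execNewPod runs in its own pod, and the target volume
          # is an emptyDir (per-pod) below — the generated jgroups.jceks is
          # probably not visible to the application pod; verify on a running
          # deployment.
          pre:
            failurePolicy: Abort
            execNewPod:
              containerName: '${APPLICATION_NAME}'
              command:
                - /usr/bin/keytool
                - -genseckey
                - -alias
                - jgroups
                - -keystore
                - /etc/eap-secret-volume/jgroups.jceks
                - -keyalg
                - Blowfish
                - -keysize
                - "56"
                - -storetype
                - JCEKS
                - -keypass
                - '${SSO_KEYSTORE_PASSWORD}'
                - -storepass
                - '${SSO_KEYSTORE_PASSWORD}'
              volumes:
                - '${APPLICATION_NAME}-eap-secrets'
      triggers:
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - '${APPLICATION_NAME}'
            from:
              kind: ImageStreamTag
              namespace: '${IMAGE_STREAM_NAMESPACE}'
              name: 'redhat-sso71-openshift:1.2'
        - type: ConfigChange
      replicas: 1
      selector:
        deploymentConfig: '${APPLICATION_NAME}'
      template:
        metadata:
          name: '${APPLICATION_NAME}'
          labels:
            deploymentConfig: '${APPLICATION_NAME}'
            application: '${APPLICATION_NAME}'
        spec:
          serviceAccountName: '${APPLICATION_NAME}'
          terminationGracePeriodSeconds: 75
          initContainers:
            # Builds keystore.jks from the service-signed cert/key and the
            # cluster CA bundles. The image is referenced by mutable tag from
            # a public registry, not by digest; pin it by digest if this
            # template is promoted past development.
            - name: openshift-ca-pemtokeystore
              image: syndesis/pemtokeystore:v0.2.1
              imagePullPolicy: IfNotPresent
              args:
                - -keystore
                - /etc/eap-secret-volume/keystore.jks
                - -ca-file
                - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                - -ca-file
                - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
                - -cert-file
                - tls=/etc/openshift-secret-volume/tls.crt
                - -key-file
                - tls=/etc/openshift-secret-volume/tls.key
                - -keystore-password
                - '${SSO_KEYSTORE_PASSWORD}'
              volumeMounts:
                - name: '${APPLICATION_NAME}-openshift-secret'
                  mountPath: '/etc/openshift-secret-volume'
                - name: '${APPLICATION_NAME}-eap-secrets'
                  mountPath: '/etc/eap-secret-volume'
              resources:
                limits:
                  memory: 255Mi
                requests:
                  memory: 20Mi
          containers:
            - name: '${APPLICATION_NAME}'
              # Single-space placeholder: the ImageChange trigger above fills
              # in the resolved image reference.
              image: ' '
              imagePullPolicy: Always
              resources:
                limits:
                  memory: '${MEMORY_LIMIT}'
              volumeMounts:
                - name: '${APPLICATION_NAME}-eap-secrets'
                  mountPath: /etc/eap-secret-volume
                # Workaround for a bug on overlayfs2
                # See https://github.com/openshift/openshift-ansible/issues/2823
                - name: '${APPLICATION_NAME}-eap-configuration'
                  mountPath: /opt/eap/standalone/configuration/standalone_xml_history/
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /opt/eap/bin/jboss-cli.sh
                      - '-c'
                      - ':shutdown(timeout=60)'
              livenessProbe:
                exec:
                  command:
                    - /bin/bash
                    - '-c'
                    - /opt/eap/bin/livenessProbe.sh
                initialDelaySeconds: 60
              readinessProbe:
                exec:
                  command:
                    - /bin/bash
                    - '-c'
                    - /opt/eap/bin/readinessProbe.sh
              ports:
                - name: jolokia
                  containerPort: 8778
                  protocol: TCP
                - name: http
                  containerPort: 8080
                  protocol: TCP
                - name: https
                  containerPort: 8443
                  protocol: TCP
                - name: ping
                  containerPort: 8888
                  protocol: TCP
              # Credentials are injected as plain env values from template
              # parameters (upstream behaviour), so anyone who can read the
              # DeploymentConfig or pod spec can read them; referencing a
              # Secret via valueFrom would narrow that.
              env:
                - name: DB_SERVICE_PREFIX_MAPPING
                  value: '${APPLICATION_NAME}-postgresql=DB'
                - name: DB_JNDI
                  value: '${DB_JNDI}'
                - name: DB_USERNAME
                  value: '${DB_USERNAME}'
                - name: DB_PASSWORD
                  value: '${DB_PASSWORD}'
                - name: DB_DATABASE
                  value: '${DB_DATABASE}'
                - name: TX_DATABASE_PREFIX_MAPPING
                  value: '${APPLICATION_NAME}-postgresql=DB'
                - name: DB_MIN_POOL_SIZE
                  value: '${DB_MIN_POOL_SIZE}'
                - name: DB_MAX_POOL_SIZE
                  value: '${DB_MAX_POOL_SIZE}'
                - name: DB_TX_ISOLATION
                  value: '${DB_TX_ISOLATION}'
                - name: OPENSHIFT_KUBE_PING_LABELS
                  value: 'application=${APPLICATION_NAME}'
                - name: OPENSHIFT_KUBE_PING_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: HTTPS_KEYSTORE_DIR
                  value: /etc/eap-secret-volume
                - name: HTTPS_KEYSTORE
                  value: 'keystore.jks'
                - name: HTTPS_KEYSTORE_TYPE
                  value: 'JKS'
                - name: HTTPS_NAME
                  value: 'tls'
                - name: HTTPS_PASSWORD
                  value: '${SSO_KEYSTORE_PASSWORD}'
                - name: JGROUPS_ENCRYPT_SECRET
                  value: '${SSO_KEYSTORE_PASSWORD}'
                - name: JGROUPS_ENCRYPT_KEYSTORE_DIR
                  value: /etc/eap-secret-volume
                - name: JGROUPS_ENCRYPT_KEYSTORE
                  value: jgroups.jceks
                - name: JGROUPS_ENCRYPT_NAME
                  value: jgroups
                # Was a second JGROUPS_ENCRYPT_KEYSTORE entry; the password
                # belongs in JGROUPS_ENCRYPT_PASSWORD.
                - name: JGROUPS_ENCRYPT_PASSWORD
                  value: '${SSO_KEYSTORE_PASSWORD}'
                - name: JGROUPS_CLUSTER_PASSWORD
                  value: '${JGROUPS_CLUSTER_PASSWORD}'
                - name: SSO_ADMIN_USERNAME
                  value: '${SSO_ADMIN_USERNAME}'
                - name: SSO_ADMIN_PASSWORD
                  value: '${SSO_ADMIN_PASSWORD}'
                - name: SSO_REALM
                  value: '${SSO_REALM}'
                - name: SSO_SERVICE_USERNAME
                  value: '${SSO_SERVICE_USERNAME}'
                - name: SSO_SERVICE_PASSWORD
                  value: '${SSO_SERVICE_PASSWORD}'
                # The truststore is the same keystore.jks the init container
                # built (it carries the cluster CA bundles).
                - name: SSO_TRUSTSTORE
                  value: 'keystore.jks'
                - name: SSO_TRUSTSTORE_DIR
                  value: /etc/eap-secret-volume
                - name: SSO_TRUSTSTORE_PASSWORD
                  value: '${SSO_KEYSTORE_PASSWORD}'
          volumes:
            # Service-signed TLS certificate issued via the Service annotation.
            - name: '${APPLICATION_NAME}-openshift-secret'
              secret:
                secretName: '${APPLICATION_NAME}-https-secret'
            # Scratch volume for the generated keystores; per-pod and never
            # persisted.
            - name: '${APPLICATION_NAME}-eap-secrets'
              emptyDir: {}
            # Workaround for a bug on overlayfs2
            # See https://github.com/openshift/openshift-ansible/issues/2823
            - name: '${APPLICATION_NAME}-eap-configuration'
              emptyDir: {}
  ##
  ## Deploy PostgreSQL
  ##
  - kind: DeploymentConfig
    apiVersion: v1
    metadata:
      name: '${APPLICATION_NAME}-postgresql'
      labels:
        application: '${APPLICATION_NAME}'
    spec:
      strategy:
        type: Recreate
      triggers:
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - '${APPLICATION_NAME}-postgresql'
            from:
              kind: ImageStreamTag
              namespace: '${IMAGE_STREAM_NAMESPACE}'
              name: 'postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}'
        - type: ConfigChange
      replicas: 1
      selector:
        deploymentConfig: '${APPLICATION_NAME}-postgresql'
      template:
        metadata:
          name: '${APPLICATION_NAME}-postgresql'
          labels:
            deploymentConfig: '${APPLICATION_NAME}-postgresql'
            application: '${APPLICATION_NAME}'
        spec:
          terminationGracePeriodSeconds: 60
          containers:
            - name: '${APPLICATION_NAME}-postgresql'
              # Placeholder image name, replaced by the ImageChange trigger.
              image: postgresql
              imagePullPolicy: Always
              ports:
                - name: postgresql
                  containerPort: 5432
                  protocol: TCP
              volumeMounts:
                - mountPath: /var/lib/pgsql/data
                  name: '${APPLICATION_NAME}-postgresql-pvol'
              env:
                - name: POSTGRESQL_USER
                  value: '${DB_USERNAME}'
                - name: POSTGRESQL_PASSWORD
                  value: '${DB_PASSWORD}'
                - name: POSTGRESQL_DATABASE
                  value: '${DB_DATABASE}'
                - name: POSTGRESQL_MAX_CONNECTIONS
                  value: '${POSTGRESQL_MAX_CONNECTIONS}'
                # Deliberately tied to max connections, as the parameter
                # description states.
                - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
                  value: '${POSTGRESQL_MAX_CONNECTIONS}'
                - name: POSTGRESQL_SHARED_BUFFERS
                  value: '${POSTGRESQL_SHARED_BUFFERS}'
          volumes:
            - name: '${APPLICATION_NAME}-postgresql-pvol'
              persistentVolumeClaim:
                claimName: '${APPLICATION_NAME}-database'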