diff --git a/infrastructure/templates/apicurio.yaml b/infrastructure/templates/apicurio.yaml
index 759a92b..8780b80 100644
--- a/infrastructure/templates/apicurio.yaml
+++ b/infrastructure/templates/apicurio.yaml
@@ -1,180 +1,16 @@ apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - labels: - app: apicurio - name: apicurio-postgresql-data - namespace: {{ .Values.projectName | quote }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - labels: - app: apicurio - name: apicurio-postgresql - namespace: {{ .Values.projectName | quote }} -spec: - ports: - - name: postgresql - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - name: apicurio-postgresql - sessionAffinity: None - type: ClusterIP ---- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - labels: - app: apicurio - name: apicurio-postgresql - namespace: {{ .Values.projectName | quote }} -spec: - replicas: 1 - selector: - name: apicurio-postgresql - strategy: - activeDeadlineSeconds: 21600 - recreateParams: - timeoutSeconds: 600 - resources: {} - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - name: apicurio-postgresql - spec: - containers: - - env: - - name: POSTGRESQL_USER - value: apicurio - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: demo-seed - key: apicurio-database-password - - name: POSTGRESQL_DATABASE - value: apicurio - image: centos/postgresql-95-centos7 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: 5432 - timeoutSeconds: 1 - name: postgresql - ports: - - containerPort: 5432 - protocol: TCP - readinessProbe: - exec: - command: - - /bin/sh - - -i - - -c - - psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c - 'SELECT 1' - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - memory: 512Mi - 
securityContext: - capabilities: {} - privileged: false - terminationMessagePath: /dev/termination-log - volumeMounts: - - mountPath: /var/lib/pgsql/data - name: postgresql-data - dnsPolicy: ClusterFirst - restartPolicy: Always - securityContext: {} - terminationGracePeriodSeconds: 30 - volumes: - - name: postgresql-data - persistentVolumeClaim: - claimName: apicurio-postgresql-data - test: false ---- -apiVersion: image.openshift.io/v1 -kind: ImageStream metadata: annotations: argocd.argoproj.io/sync-wave: "10" - name: apicurio-api - namespace: {{ .Values.projectName | quote }} -spec: - tags: - - from: - kind: DockerImage - name: apicurio/apicurio-studio-api:latest-release - importPolicy: - scheduled: true - name: latest-release ---- -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - name: apicurio-ws - namespace: {{ .Values.projectName | quote }} -spec: - tags: - - from: - kind: DockerImage - name: apicurio/apicurio-studio-ws:latest-release - importPolicy: - scheduled: true - name: latest-release ---- -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - name: apicurio-ui - namespace: {{ .Values.projectName | quote }} -spec: - tags: - - from: - kind: DockerImage - name: apicurio/apicurio-studio-ui:latest-release - importPolicy: - scheduled: true - name: latest-release ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" annotations: prometheus.io/path: /system/metrics prometheus.io/scrape: "true" labels: - app: apicurio-studio-api + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-api + app.kubernetes.io/instance: apicurio-studio-api name: apicurio-studio-api namespace: {{ .Values.projectName | quote }} spec: 
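Review bot: Removing the `apicurio-postgresql-data` PersistentVolumeClaim together with its DeploymentConfig means an Argo CD sync with pruning enabled deletes the volume that holds the existing Apicurio data, while the api/ws pods are re-pointed (later hunks) at the new shared `postgresql-server`, whose start hook only creates an empty `apicurio` database; nothing in the commit migrates or backs up that data. If the data matters, either keep the old claim out of pruning with `argocd.argoproj.io/sync-options: Prune=false` on the PVC until a migration has run, or state in the commit message that a fresh database is intended. The same applies to `sso-postgresql-claim`, removed in the last sso.yaml hunk. Separately, the new side of this hunk appears to have `annotations:` twice under the Service's `metadata` (once with the sync-wave, once with the prometheus keys); the indentation is lost in this view, but if both sit at the same level most YAML loaders keep only the last mapping, silently dropping the sync-wave annotation.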
@@ -191,12 +27,15 @@ apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" annotations: prometheus.io/path: /metrics prometheus.io/scrape: "true" labels: - app: apicurio-studio-ws + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ws + app.kubernetes.io/instance: apicurio-studio-ws name: apicurio-studio-ws namespace: {{ .Values.projectName | quote }} spec: @@ -213,9 +52,12 @@ apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-ui + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ui + app.kubernetes.io/instance: apicurio-studio-ui name: apicurio-studio-ui namespace: {{ .Values.projectName | quote }} spec: 
@@ -228,31 +70,31 @@ spec: sessionAffinity: None type: ClusterIP --- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig +apiVersion: apps/v1 +kind: Deployment metadata: annotations: argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-api + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-api + app.kubernetes.io/instance: apicurio-studio-api name: apicurio-studio-api namespace: {{ .Values.projectName | quote }} spec: replicas: 1 selector: - app: apicurio-studio-api - deploymentconfig: apicurio-studio-api - strategy: - activeDeadlineSeconds: 21600 - recreateParams: - timeoutSeconds: 600 - resources: {} - type: Recreate + matchLabels: + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-api + app.kubernetes.io/instance: apicurio-studio-api template: metadata: labels: - app: apicurio-studio-api - deploymentconfig: apicurio-studio-api + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-api + app.kubernetes.io/instance: apicurio-studio-api spec: containers: - env: @@ -263,7 +105,7 @@ spec: - name: APICURIO_DB_DRIVER_NAME value: postgresql - name: APICURIO_DB_CONNECTION_URL - value: jdbc:postgresql://apicurio-postgresql:5432/apicurio + value: jdbc:postgresql://postgresql-server:5432/apicurio - name: APICURIO_DB_TYPE value: postgresql9 - name: APICURIO_DB_USER_NAME @@ -277,7 +119,7 @@ spec: value: 512m - name: APICURIO_MAX_HEAP value: 1400m - image: api:latest-release + image: apicurio/apicurio-studio-api:latest-release imagePullPolicy: Always livenessProbe: failureThreshold: 3 
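Review bot: The pod template labels on the new side drop `app: apicurio-studio-api` and `deploymentconfig: apicurio-studio-api` in favour of `app.kubernetes.io/*`, but the `apicurio-studio-api` Service's `spec.selector` is not touched by this commit (the Service hunk in the first file section ends at `spec:`, so the selector lines are unchanged context). Since the old pods carried only those two labels, the unchanged selector must reference one of them and will no longer match anything, leaving the Service and its Route without endpoints; please confirm against the full file. The fix is to update each Service selector to the new label set, e.g. `selector:` / `app.kubernetes.io/component: apicurio-studio-api` / `app.kubernetes.io/instance: apicurio-studio-api`. The ws and ui Deployment hunks that follow have the same issue.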
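Review bot: The new JDBC URL `jdbc:postgresql://postgresql-server:5432/apicurio` carries no `sslmode` parameter, so whether the api container's connection to the database is encrypted is left to the driver default; the new server in postgresql.yaml enables `ssl = on` but nothing there restricts clients to `hostssl`, so a plaintext connection would be accepted. Consider appending `?sslmode=require` to the URL (the readiness probe in postgresql.yaml already uses `PGSSLMODE=require` for the same reason); `verify-full` would additionally need the service-serving CA on the client side. The ws URL in the next file hunk has the same gap.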
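Review bot: `image: apicurio/apicurio-studio-api:latest-release` with `imagePullPolicy: Always` means every pod restart may pull a different, unreviewed build from Docker Hub, and the deleted ImageStream at least recorded which import was running; the `app.kubernetes.io/version: latest` label then says nothing about what is deployed. Pinning by digest (`apicurio/apicurio-studio-api@sha256:<digest placeholder>`) or at least by a release tag, and setting the version label to match, makes rollbacks and incident investigation possible. The same applies to the ws and ui images, to `registry.redhat.io/rhel8/postgresql-13:latest` in postgresql.yaml and to the `:7.6` SSO image in sso.yaml.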
@@ -311,52 +153,40 @@ spec: cpu: 100m memory: 800Mi terminationMessagePath: /dev/termination-log - dnsPolicy: ClusterFirst - restartPolicy: Always terminationGracePeriodSeconds: 30 - triggers: - - imageChangeParams: - automatic: true - containerNames: - - apicurio-studio-api - from: - kind: ImageStreamTag - name: apicurio-api:latest-release - type: ImageChange - - type: ConfigChange --- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig +apiVersion: apps/v1 +kind: Deployment metadata: annotations: argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-ws + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ws + app.kubernetes.io/instance: apicurio-studio-ws name: apicurio-studio-ws namespace: {{ .Values.projectName | quote }} spec: replicas: 1 selector: - app: apicurio-studio-ws - deploymentconfig: apicurio-studio-ws - strategy: - activeDeadlineSeconds: 21600 - recreateParams: - timeoutSeconds: 600 - resources: {} - type: Recreate + matchLabels: + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-ws + app.kubernetes.io/instance: apicurio-studio-ws template: metadata: labels: - app: apicurio-studio-ws - deploymentconfig: apicurio-studio-ws + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-ws + app.kubernetes.io/instance: apicurio-studio-ws spec: containers: - env: - name: APICURIO_DB_DRIVER_NAME value: postgresql - name: APICURIO_DB_CONNECTION_URL - value: jdbc:postgresql://apicurio-postgresql:5432/apicurio + value: jdbc:postgresql://postgresql-server:5432/apicurio - name: APICURIO_DB_TYPE value: postgresql9 - name: APICURIO_DB_USER_NAME @@ -370,7 +200,7 @@ spec: value: 512m - name: APICURIO_MAX_HEAP value: 1400m - image: ws:latest-release + image: apicurio/apicurio-studio-ws:latest-release imagePullPolicy: Always livenessProbe: failureThreshold: 3 
@@ -404,45 +234,33 @@ spec: cpu: 100m memory: 900Mi terminationMessagePath: /dev/termination-log - dnsPolicy: ClusterFirst - restartPolicy: Always terminationGracePeriodSeconds: 30 - triggers: - - imageChangeParams: - automatic: true - containerNames: - - apicurio-studio-ws - from: - kind: ImageStreamTag - name: apicurio-ws:latest-release - type: ImageChange - - type: ConfigChange --- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig +apiVersion: apps/v1 +kind: Deployment metadata: annotations: argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-ui + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ui + app.kubernetes.io/instance: apicurio-studio-ui name: apicurio-studio-ui namespace: {{ .Values.projectName | quote }} spec: replicas: 1 selector: - app: apicurio-studio-ui - deploymentconfig: apicurio-studio-ui - strategy: - activeDeadlineSeconds: 21600 - recreateParams: - timeoutSeconds: 600 - resources: {} - type: Recreate + matchLabels: + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-ui + app.kubernetes.io/instance: apicurio-studio-ui template: metadata: labels: - app: apicurio-studio-ui - deploymentconfig: apicurio-studio-ui + app.kubernetes.io/name: apicurio + app.kubernetes.io/component: apicurio-studio-ui + app.kubernetes.io/instance: apicurio-studio-ui spec: containers: - env: @@ -460,7 +278,7 @@ spec: value: 512m - name: APICURIO_MAX_HEAP value: 1200m - image: ui:latest-release + image: apicurio/apicurio-studio-ui:latest-release imagePullPolicy: Always livenessProbe: failureThreshold: 3 
@@ -494,27 +312,18 @@ spec: cpu: 100m memory: 700Mi terminationMessagePath: /dev/termination-log - dnsPolicy: ClusterFirst - restartPolicy: Always terminationGracePeriodSeconds: 30 - triggers: - - imageChangeParams: - automatic: true - containerNames: - - apicurio-studio-ui - from: - kind: ImageStreamTag - name: apicurio-ui:latest-release - type: ImageChange - - type: ConfigChange --- apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-api + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-api + app.kubernetes.io/instance: apicurio-studio-api name: apicurio-studio-api namespace: {{ .Values.projectName | quote }} spec: @@ -532,9 +341,13 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-ws + labels: + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ws + app.kubernetes.io/instance: apicurio-studio-ws name: apicurio-studio-ws namespace: {{ .Values.projectName | quote }} spec: @@ -552,9 +365,12 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" labels: - app: apicurio-studio-ui + app.kubernetes.io/name: apicurio + app.kubernetes.io/version: latest + app.kubernetes.io/component: apicurio-studio-ui + app.kubernetes.io/instance: apicurio-studio-ui name: apicurio-studio-ui namespace: {{ .Values.projectName | quote }} spec: diff --git a/infrastructure/templates/postgresql.yaml b/infrastructure/templates/postgresql.yaml new file mode 100644 index 0000000..7f5f4c2 --- /dev/null +++ b/infrastructure/templates/postgresql.yaml 
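Review bot: In the `apicurio-studio-ws` Route hunk (`@@ -532,9 +341,13 @@`) the existing `labels:` context line is kept and a second `+ labels:` line is added above the new label keys; depending on the indentation this either duplicates the `labels` key under `metadata` (most loaders keep only the last one) or nests a `labels` map inside `labels`, which the API server rejects since label values must be strings. The api and ui Route hunks do not add this line, so it looks like a paste slip; drop the added `labels:` line so the four `app.kubernetes.io/*` keys sit directly under the existing one.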
@@ -0,0 +1,267 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql-config + namespace: {{ .Values.projectName | quote }} +data: + ssl.conf: | + ssl = on + # The TLS certificate & key are generated using the OpenShift's service serving + # certificate secrets via corresponding annotation of the PostgreSQL service + # and stored into a read-only persistent volume, corresponding to the OpenShift + # secret. + # + # Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this + # repository, copies the generated TLS certificate & key to by current UID + # writable "/var/run/postgresql/pki" directory, so it's possible to correct + # the permissions of the TLS private key to mode required by PostgreSQL server + ssl_cert_file = '/var/run/postgresql/pki/tls.crt' # PostgreSQL server certificate + ssl_key_file = '/var/run/postgresql/pki/tls.key' # PostgreSQL server private key + ssl_ca_file = '/run/secrets/kubernetes.io/serviceaccount/ca.crt' # OpenShift CA +--- +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql-prestart-hook + namespace: {{ .Values.projectName | quote }} +data: + enable_ssl.sh: | + #!/usr/bin/env bash + + set -eu + + # Copy the TLS certificate & key generated by the OpenShift's service serving + # certificate secrets from "/etc/pki/postgresql" (which is mounted read-only, + # since coming from secret) to "/var/run/postgresql/pki", so it's possible to + # correct the permissions of the TLS private key as required below + SOURCE_DIR="/etc/pki/postgresql" + 
DESTINATION_DIR="/var/run/postgresql/pki" + if [ ! -d "${DESTINATION_DIR}" ]; then + mkdir -p "${DESTINATION_DIR}" + fi + cp "${SOURCE_DIR}"/tls.{crt,key} "${DESTINATION_DIR}" + + # PostgreSQL will fail to start and throw an error like: + # + # FATAL: private key file "/path/to/key" has group or world access + # File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root. + # + # if the permissions of the TLS private key are incorrect. + # + # Thus correct the permissions so PostgreSQL server can start successfully + chmod 0600 "${DESTINATION_DIR}/tls.key" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql-start-hook + namespace: {{ .Values.projectName | quote }} +data: + create_db_user.sh: | + #!/usr/bin/env bash + + for file in /var/run/demo-seed/*-database-password; do + filename="$(basename $file)" + user="${filename%-database-password}" + echo "Creating user $user..." + psql -q -c "CREATE USER \"$user\" WITH ENCRYPTED PASSWORD '$(cat $file)';" || true + echo "Creating database $user..." 
+ psql -q -c "CREATE DATABASE \"$user\" OWNER \"$user\";" || true + done +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql-server + namespace: {{ .Values.projectName | quote }} +spec: + ports: + - port: 5432 + targetPort: 5432 + selector: + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql + namespace: {{ .Values.projectName | quote }} +spec: + clusterIP: None # Headless service + ports: + - port: 5432 + targetPort: 5432 + selector: + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql + namespace: {{ .Values.projectName | quote }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + serviceName: "postgresql" + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: 
postgresql-server + spec: + terminationGracePeriodSeconds: 10 + containers: + - env: + - name: POSTGRESQL_USER + value: admin + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: demo-seed + key: postgresql-admin-password + - name: POSTGRESQL_DATABASE + value: admin + - name: POSTGRESQL_MAX_CONNECTIONS + - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS + - name: POSTGRESQL_SHARED_BUFFERS + image: registry.redhat.io/rhel8/postgresql-13:latest + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 90 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 5432 + timeoutSeconds: 10 + name: postgresql-server + ports: + - containerPort: 5432 + protocol: TCP + readinessProbe: + exec: + command: + - /bin/sh + - -i + - -c + - PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE + -c 'SELECT 1' + failureThreshold: 3 + periodSeconds: 10 + initialDelaySeconds: 90 + successThreshold: 1 + timeoutSeconds: 10 + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/lib/pgsql/data + name: postgresql-data + - mountPath: /etc/pki/postgresql + name: postgresql-ssl + readOnly: true + - mountPath: /opt/app-root/src/postgresql-cfg + name: postgresql-config + readOnly: true + - mountPath: /opt/app-root/src/postgresql-pre-start + name: postgresql-prestart-hook + readOnly: true + - mountPath: /opt/app-root/src/postgresql-start + name: postgresql-start-hook + readOnly: true + - mountPath: /var/run/demo-seed + name: demo-seed + readOnly: true + volumes: + - name: postgresql-data + persistentVolumeClaim: + claimName: postgresql-data + - name: postgresql-ssl + secret: + secretName: postgresql-ssl + - name: postgresql-config + configMap: + name: postgresql-config + - name: postgresql-prestart-hook + configMap: + name: postgresql-prestart-hook + defaultMode: 0755 + - name: postgresql-start-hook + configMap: + name: postgresql-start-hook + 
defaultMode: 0755 + - name: demo-seed + secret: + secretName: demo-seed +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: '13' + app.kubernetes.io/component: postgresql-server + app.kubernetes.io/instance: postgresql-server + name: postgresql-data + namespace: {{ .Values.projectName | quote }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/infrastructure/templates/project.yaml b/infrastructure/templates/project.yaml index 34866fc..633b12a 100644 --- a/infrastructure/templates/project.yaml +++ b/infrastructure/templates/project.yaml @@ -29,6 +29,7 @@ metadata: namespace: {{ .Values.projectName | quote }} type: Opaque data: + postgresql-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) | b64enc | quote }} sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }} sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }} apicurio-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-apicurio-password")) | b64enc | quote }} diff --git a/infrastructure/templates/sso.yaml b/infrastructure/templates/sso.yaml index e102bca..710a2cc 100644 --- a/infrastructure/templates/sso.yaml +++ b/infrastructure/templates/sso.yaml 
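Review bot: In `create_db_user.sh` the password is spliced into the SQL text with `$(cat $file)` and the whole statement is passed as a psql argument, so any `'` in a password breaks or alters the statement, and the secret is visible in the container's process list for as long as psql runs; it works today only because the derived passwords are hex, which the script should not rely on. `$file`/`$filename` are also unquoted, and the unconditional `|| true` hides a "server not ready" or permission failure as well as the intended "user already exists" case, unlike `enable_ssl.sh` which runs under `set -eu`. The rewrite below lets psql read the password itself and interpolates it as a quoted psql variable (`:'pw'`), with the role name as a quoted identifier (`:"dbuser"`). Whether `psql` here connects with a role allowed to `CREATE USER` depends on the image's start-hook environment, which is not visible in this file.
```yaml
  create_db_user.sh: |
    #!/usr/bin/env bash
    set -eu

    for file in /var/run/demo-seed/*-database-password; do
      filename="$(basename "$file")"
      user="${filename%-database-password}"
      echo "Creating user $user..."
      # psql reads the password itself (\set runs cat in a subshell) and splices
      # it in as a quoted variable, so it is never part of psql's argv and
      # cannot terminate the SQL string literal.  The heredoc delimiter is
      # quoted so bash leaves the backticks to psql; "SQL" must stay at the
      # block's base indentation to end the heredoc.
      PWFILE="$file" psql -q -v ON_ERROR_STOP=1 -v "dbuser=$user" <<'SQL' || true
      \set pw `cat "$PWFILE"`
      CREATE USER :"dbuser" WITH ENCRYPTED PASSWORD :'pw';
    SQL
      echo "Creating database $user..."
      psql -q -v ON_ERROR_STOP=1 -v "dbuser=$user" -c 'CREATE DATABASE :"dbuser" OWNER :"dbuser";' || true
    done
```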
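Review bot: The added `postgresql-admin-password` is `trunc 16` of a sha256 hex digest, i.e. 16 hex characters or 64 bits, and like every other key in this Secret it is fully derivable from `.Values.masterKey`; for the account that owns the shared database server that is a thinner margin than for the per-application users. Since the digest has 64 hex characters the truncation can be widened for free, e.g. `postgresql-admin-password: {{ trunc 32 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) | b64enc | quote }}`, without changing the deterministic-rendering property Argo CD relies on. The other keys keep their existing width; only the new line is in scope here.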
@@ -1,85 +1,14 @@ -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: postgresql13-for-sso76-openshift-rhel8 - creationTimestamp: null - annotations: - argocd.argoproj.io/sync-wave: "5" - openshift.io/display-name: PostgreSQL - namespace: {{ .Values.projectName | quote }} -spec: - lookupPolicy: - local: false - tags: - - name: 13-el8 - annotations: - description: Provides a PostgreSQL 13 database on RHEL 8. For more information - about using this database image, including OpenShift considerations, see - https://github.com/sclorg/postgresql-container/blob/master/README.md. - iconClass: icon-postgresql - openshift.io/display-name: PostgreSQL 13 (RHEL 8) - openshift.io/provider-display-name: Red Hat, Inc. - tags: database,postgresql - version: '13' - from: - kind: DockerImage - name: registry.redhat.io/rhel8/postgresql-13:latest - generation: null - importPolicy: {} - referencePolicy: - type: Local ---- -kind: ImageStream -apiVersion: image.openshift.io/v1 -metadata: - name: sso76-openshift-rhel8 - annotations: - argocd.argoproj.io/sync-wave: "5" - description: Red Hat Single Sign-On 7.6 on OpenJDK - openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK - openshift.io/provider-display-name: Red Hat, Inc. 
- version: 7.6.0.GA - namespace: {{ .Values.projectName | quote }} - labels: - rhsso: 7.6.0.GA -spec: - tags: - - name: '7.6' - annotations: - description: Red Hat Single Sign-On 7.6 on OpenJDK image - iconClass: icon-sso - tags: sso,keycloak,redhat,hidden - supports: sso:7.6 - version: '1.0' - openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK - referencePolicy: - type: Local - from: - kind: DockerImage - name: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 - importPolicy: {} - - annotations: null - importPolicy: {} - name: latest - from: - kind: ImageStreamTag - name: '7.6' - referencePolicy: - type: Source ---- apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: "5" - description: The web server's https port. - service.alpha.openshift.io/dependencies: '[{"name": "sso-postgresql", "kind": - "Service"}]' + argocd.argoproj.io/sync-wave: "10" service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent + app.kubernetes.io/name: sso + app.kubernetes.io/version: '7.6.0.GA' + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak name: sso namespace: {{ .Values.projectName | quote }} spec: 
@@ -89,89 +18,17 @@ spec: selector: deploymentConfig: sso --- -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: sso-postgresql-ssl - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent - name: sso-postgresql-ssl - namespace: {{ .Values.projectName | quote }} - annotations: - argocd.argoproj.io/sync-wave: "5" ---- -apiVersion: build.openshift.io/v1 -kind: BuildConfig -metadata: - annotations: - description: Build config to extend the vanilla PostgreSQL SQL database server - container image with SSL/TLS support. - argocd.argoproj.io/sync-wave: "5" - labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent - name: sso-postgresql-enable-ssl - namespace: {{ .Values.projectName | quote }} -spec: - output: - to: - kind: ImageStreamTag - name: sso-postgresql-ssl:latest - source: - contextDir: s2i/postgresql/enable-ssl - git: - ref: KEYCLOAK-15633 - uri: https://github.com/iankko/redhat-sso-7-openshift-image - type: Git - strategy: - sourceStrategy: - env: - - name: ARTIFACT_DIR - value: ${ARTIFACT_DIR} - - name: MAVEN_ARGS_APPEND - forcePull: true - from: - kind: ImageStreamTag - name: postgresql13-for-sso76-openshift-rhel8:13-el8 - type: Source - triggers: - - imageChange: {} - type: ImageChange - - type: ConfigChange ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - description: The database server's port. - service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl-secret - labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent - name: sso-postgresql - namespace: {{ .Values.projectName | quote }} -spec: - ports: - - port: 5432 - targetPort: 5432 - selector: - deploymentConfig: sso-postgresql ---- apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: "5" - description: The JGroups ping port for clustering. 
+ argocd.argoproj.io/sync-wave: "10" service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent + app.kubernetes.io/name: sso + app.kubernetes.io/version: '7.6.0.GA' + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak name: sso-ping namespace: {{ .Values.projectName | quote }} spec: @@ -187,12 +44,12 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: - argocd.argoproj.io/sync-wave: "5" - description: Route for application's https service. + argocd.argoproj.io/sync-wave: "10" labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent + app.kubernetes.io/name: sso + app.kubernetes.io/version: '7.6.0.GA' + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak name: sso namespace: {{ .Values.projectName | quote }} spec: @@ -203,29 +60,31 @@ spec: kind: Service name: sso --- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig +apiVersion: apps/v1 +kind: Deployment metadata: annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "10" labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent + app.kubernetes.io/name: sso + app.kubernetes.io/version: '7.6.0.GA' + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak name: sso namespace: {{ .Values.projectName | quote }} spec: replicas: 1 selector: - deploymentConfig: sso - strategy: - type: Recreate + matchLabels: + app.kubernetes.io/name: sso + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak template: metadata: labels: - application: sso - deploymentConfig: sso - name: sso + app.kubernetes.io/name: sso + app.kubernetes.io/component: keycloak + app.kubernetes.io/instance: keycloak spec: containers: - env: 
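Review bot: The new `sso` Deployment's pod template keeps only the `app.kubernetes.io/*` labels and drops `deploymentConfig: sso`, yet the `sso` Service still selects `deploymentConfig: sso` — visible as unchanged context at the top of the `@@ -89,89 +18,17 @@` hunk (`selector:` / `deploymentConfig: sso`) — so after this commit the Service and the `sso` Route have no endpoints. The `sso-ping` Service's selector is outside the hunks but is likely the same and would also break JGroups discovery. Either add the line `deploymentConfig: sso` back under `template.metadata.labels` (one added line, harmless alongside the new labels) or change both Service selectors to the `app.kubernetes.io/*` keys.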
@@ -233,6 +92,10 @@ spec: value: {{ .Values.sso.hostname | quote }} - name: DB_SERVICE_PREFIX_MAPPING value: sso-postgresql=DB + - name: SSO_POSTGRESQL_SERVICE_HOST + value: postgresql-server + - name: SSO_POSTGRESQL_SERVICE_PORT + value: "5432" - name: DB_JNDI value: java:jboss/datasources/KeycloakDS - name: DB_USERNAME @@ -269,7 +132,7 @@ spec: - name: SSO_REALM - name: SSO_SERVICE_USERNAME - name: SSO_SERVICE_PASSWORD - image: sso + image: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 imagePullPolicy: Always livenessProbe: failureThreshold: 3 @@ -318,7 +181,7 @@ spec: - mountPath: /etc/x509/jgroups name: sso-x509-jgroups-volume readOnly: true - terminationGracePeriodSeconds: 75 + terminationGracePeriodSeconds: 30 volumes: - name: sso-x509-https-volume secret: 
@@ -326,124 +189,3 @@ spec: - name: sso-x509-jgroups-volume secret: secretName: sso-x509-jgroups-secret - triggers: - - imageChangeParams: - automatic: true - containerNames: - - sso - from: - kind: ImageStreamTag - name: sso76-openshift-rhel8:7.6 - type: ImageChange - - type: ConfigChange ---- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent - name: sso-postgresql - namespace: {{ .Values.projectName | quote }} -spec: - replicas: 1 - selector: - deploymentConfig: sso-postgresql - strategy: - type: Recreate - template: - metadata: - labels: - application: sso - deploymentConfig: sso-postgresql - name: sso-postgresql - spec: - containers: - - env: - - name: POSTGRESQL_USER - value: sso - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: demo-seed - key: sso-database-password - - name: POSTGRESQL_DATABASE - value: sso - - name: POSTGRESQL_MAX_CONNECTIONS - - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS - - name: POSTGRESQL_SHARED_BUFFERS - image: postgresql - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 90 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: 5432 - timeoutSeconds: 10 - name: sso-postgresql - ports: - - containerPort: 5432 - protocol: TCP - readinessProbe: - exec: - command: - - /bin/sh - - -i - - -c - - PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE - -c 'SELECT 1' - failureThreshold: 3 - periodSeconds: 10 - initialDelaySeconds: 90 - successThreshold: 1 - timeoutSeconds: 10 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/pgsql/data - name: sso-postgresql-pvol - - mountPath: /etc/pki/postgresql - name: postgresql-ssl-volume - readOnly: true - terminationGracePeriodSeconds: 60 - volumes: - - name: 
sso-postgresql-pvol - persistentVolumeClaim: - claimName: sso-postgresql-claim - - name: postgresql-ssl-volume - secret: - secretName: postgresql-ssl-secret - triggers: - - imageChangeParams: - automatic: true - containerNames: - - sso-postgresql - from: - kind: ImageStreamTag - name: sso-postgresql-ssl:latest - type: ImageChange - - type: ConfigChange ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - annotations: - argocd.argoproj.io/sync-wave: "5" - labels: - application: sso - rhsso: 7.6.0.GA - template: sso76-x509-postgresql-persistent - name: sso-postgresql-claim - namespace: {{ .Values.projectName | quote }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi