diff --git a/infrastructure/templates/project.yaml b/infrastructure/templates/project.yaml
index 1caf341..41c64f1 100644
--- a/infrastructure/templates/project.yaml
+++ b/infrastructure/templates/project.yaml
@@ -29,5 +29,5 @@ metadata:
 namespace: {{ .Values.projectName | quote }}
 type: Opaque
 data:
- sso-admin-password: {{ derivePassword 1 "long" .Values.masterKey "sso" "sso-admin-password" | b64enc | quote }}
- sso-database-password: {{ derivePassword 1 "long" .Values.masterKey "sso" "sso-database-password" | b64enc | quote }}
+ sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }}
+ sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }}
diff --git a/infrastructure/templates/sso.yaml b/infrastructure/templates/sso.yaml
index 2af4c65..1e04c15 100644
--- a/infrastructure/templates/sso.yaml
+++ b/infrastructure/templates/sso.yaml
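Review bot: The two new `data:` values replace a memory-hard derivation (`derivePassword` is Sprig's Master Password implementation, built on scrypt) with a single unsalted, fast SHA-256 over `.Values.masterKey` joined to a fixed label, truncated to 16 hex characters. Because both Secret values are derived from the same masterKey, anyone who obtains one of them (for example the database password from the database side) can run an offline guessing attack against masterKey at plain SHA-256 speed and then compute the other; the previous construction made that attack far more expensive, and the commit does not say why it was dropped. If `derivePassword` has to go, state the resulting requirement on the input next to the values, e.g. `{{- /* masterKey must be a long random value (at least 32 random bytes): the derived passwords are plain SHA-256 of it and carry at most 64 bits each */ -}}`, and consider using the full digest rather than `trunc 16`, which also confines each password to a 16-symbol alphabet. The Secret's `kind`/`name` header sits above this hunk.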
@@ -1,31 +1,417 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription +kind: ImageStream +apiVersion: image.openshift.io/v1 metadata: + name: postgresql13-for-sso76-openshift-rhel8 + creationTimestamp: null annotations: - argocd.argoproj.io/sync-wave: "10" - name: rhsso-operator + openshift.io/display-name: PostgreSQL namespace: {{ .Values.projectName | quote }} spec: - channel: stable - name: rhsso-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + lookupPolicy: + local: false + tags: + - name: 13-el8 + annotations: + description: Provides a PostgreSQL 13 database on RHEL 8. For more information + about using this database image, including OpenShift considerations, see + https://github.com/sclorg/postgresql-container/blob/master/README.md. + iconClass: icon-postgresql + openshift.io/display-name: PostgreSQL 13 (RHEL 8) + openshift.io/provider-display-name: Red Hat, Inc. + tags: database,postgresql + version: '13' + from: + kind: DockerImage + name: registry.redhat.io/rhel8/postgresql-13:latest + generation: null + importPolicy: {} + referencePolicy: + type: Local --- -apiVersion: keycloak.org/v1alpha1 -kind: Keycloak +kind: ImageStream +apiVersion: image.openshift.io/v1 metadata: + name: sso76-openshift-rhel8 annotations: - argocd.argoproj.io/sync-wave: "10" + description: Red Hat Single Sign-On 7.6 on OpenJDK + openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK + openshift.io/provider-display-name: Red Hat, Inc. 
+ version: 7.6.0.GA + namespace: {{ .Values.projectName | quote }} +labels: + rhsso: 7.6.0.GA +spec: + tags: + - name: latest + from: + kind: ImageStreamTag + name: '7.6' + - name: '7.6' + annotations: + description: Red Hat Single Sign-On 7.6 on OpenJDK image + iconClass: icon-sso + tags: sso,keycloak,redhat,hidden + supports: sso:7.6 + version: '1.0' + openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK + referencePolicy: + type: Local + from: + kind: DockerImage + name: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + description: The web server's https port. + service.alpha.openshift.io/dependencies: '[{"name": "sso-postgresql", "kind": + "Service"}]' + service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent name: sso +spec: + ports: + - port: 8443 + targetPort: 8443 + selector: + deploymentConfig: sso +--- +apiVersion: image.openshift.io/v1 +kind: ImageStream +metadata: labels: - app: sso - namespace: {{ .Values.projectName | quote }} + application: sso-postgresql-ssl + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-postgresql-ssl +--- +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + annotations: + description: Build config to extend the vanilla PostgreSQL SQL database server + container image with SSL/TLS support. 
+ labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-postgresql-enable-ssl +spec: + output: + to: + kind: ImageStreamTag + name: sso-postgresql-ssl:latest + source: + contextDir: s2i/postgresql/enable-ssl + git: + ref: KEYCLOAK-15633 + uri: https://github.com/iankko/redhat-sso-7-openshift-image + type: Git + strategy: + sourceStrategy: + env: + - name: ARTIFACT_DIR + value: ${ARTIFACT_DIR} + - name: MAVEN_ARGS_APPEND + value: "" + forcePull: true + from: + kind: ImageStreamTag + name: postgresql13-for-sso76-openshift-rhel8:13-el8 + namespace: openshift + type: Source + triggers: + - imageChange: {} + type: ImageChange + - type: ConfigChange +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + description: The database server's port. + service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl-secret + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-postgresql +spec: + ports: + - port: 5432 + targetPort: 5432 + selector: + deploymentConfig: sso-postgresql +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + description: The JGroups ping port for clustering. + service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-ping +spec: + clusterIP: None + ports: + - name: ping + port: 8888 + publishNotReadyAddresses: true + selector: + deploymentConfig: sso +--- +apiVersion: route.openshift.io/v1 +id: sso-https +kind: Route +metadata: + annotations: + description: Route for application's https service. 
+ labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso +spec: + host: {{ .Values.sso.hostname | quote }} + tls: + termination: reencrypt + to: + name: sso +--- +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso +spec: + replicas: 1 + selector: + deploymentConfig: sso + strategy: + type: Recreate + template: + metadata: + labels: + application: sso + deploymentConfig: sso + name: sso + spec: + containers: + - env: + - name: SSO_HOSTNAME + value: {{ .Values.sso.hostname | quote }} + - name: DB_SERVICE_PREFIX_MAPPING + value: sso-postgresql=DB + - name: DB_JNDI + value: java:jboss/datasources/KeycloakDS + - name: DB_USERNAME + value: sso + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: demo-seed + key: sso-database-password + - name: DB_DATABASE + value: sso + - name: TX_DATABASE_PREFIX_MAPPING + value: sso-postgresql=DB + - name: DB_MIN_POOL_SIZE + value: "" + - name: DB_MAX_POOL_SIZE + value: "" + - name: DB_TX_ISOLATION + value: "" + - name: JGROUPS_PING_PROTOCOL + value: openshift.DNS_PING + - name: OPENSHIFT_DNS_PING_SERVICE_NAME + value: sso-ping + - name: OPENSHIFT_DNS_PING_SERVICE_PORT + value: "8888" + - name: X509_CA_BUNDLE + value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - name: JGROUPS_CLUSTER_PASSWORD + value: djqqleTNBaVqjl3nsA5Ku3LNCGYSAiB5 + - name: SSO_ADMIN_USERNAME + value: admin + - name: SSO_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: demo-seed + key: sso-admin-password + - name: SSO_REALM + value: "" + - name: SSO_SERVICE_USERNAME + value: "" + - name: SSO_SERVICE_PASSWORD + value: "" + image: sso + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/eap/bin/livenessProbe.sh + initialDelaySeconds: 60 + name: sso + ports: + - containerPort: 8778 + 
name: jolokia + protocol: TCP + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + - containerPort: 8888 + name: ping + protocol: TCP + readinessProbe: + exec: + command: + - /bin/bash + - -c + - /opt/eap/bin/readinessProbe.sh + resources: + limits: + memory: 1Gi + volumeMounts: + - mountPath: /etc/x509/https + name: sso-x509-https-volume + readOnly: true + - mountPath: /etc/x509/jgroups + name: sso-x509-jgroups-volume + readOnly: true + terminationGracePeriodSeconds: 75 + volumes: + - name: sso-x509-https-volume + secret: + secretName: sso-x509-https-secret + - name: sso-x509-jgroups-volume + secret: + secretName: sso-x509-jgroups-secret + triggers: + - imageChangeParams: + automatic: true + containerNames: + - sso + from: + kind: ImageStreamTag + name: sso76-openshift-rhel8:7.6 + namespace: openshift + type: ImageChange + - type: ConfigChange +--- +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-postgresql +spec: + replicas: 1 + selector: + deploymentConfig: sso-postgresql + strategy: + type: Recreate + template: + metadata: + labels: + application: sso + deploymentConfig: sso-postgresql + name: sso-postgresql + spec: + containers: + - env: + - name: POSTGRESQL_USER + value: sso + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: demo-seed + key: sso-database-password + - name: POSTGRESQL_DATABASE + value: sso + - name: POSTGRESQL_MAX_CONNECTIONS + value: "" + - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS + value: "" + - name: POSTGRESQL_SHARED_BUFFERS + value: "" + image: postgresql + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 90 + 'successThreshold:': 1 + tcpSocket: + port: 5432 + timeoutSeconds: 10 + name: sso-postgresql + ports: + - containerPort: 5432 + protocol: TCP + readinessProbe: + exec: + command: + - /bin/sh + - -i + - 
-c + - PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE + -c 'SELECT 1' + failureThreshold: 3 + initialDelaySeconds: 90 + 'successThreshold:': 1 + timeoutSeconds: 10 + volumeMounts: + - mountPath: /var/lib/pgsql/data + name: sso-postgresql-pvol + - mountPath: /etc/pki/postgresql + name: postgresql-ssl-volume + readOnly: true + terminationGracePeriodSeconds: 60 + volumes: + - name: sso-postgresql-pvol + persistentVolumeClaim: + claimName: sso-postgresql-claim + - name: postgresql-ssl-volume + secret: + secretName: postgresql-ssl-secret + triggers: + - imageChangeParams: + automatic: true + containerNames: + - sso-postgresql + from: + kind: ImageStreamTag + name: sso-postgresql-ssl:latest + type: ImageChange + - type: ConfigChange +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + application: sso + rhsso: 7.6.0.GA + template: sso76-x509-postgresql-persistent + name: sso-postgresql-claim spec: - externalAccess: - enabled: true - host: {{ .Values.sso.hostname | quote }} - keycloakDeploymentSpec: - imagePullPolicy: Always - postgresDeploymentSpec: - imagePullPolicy: Always - instances: 1 + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/openshift-gitops.yaml b/openshift-gitops.yaml index 7832770..e93a7c7 100644 --- a/openshift-gitops.yaml +++ b/openshift-gitops.yaml @@ -3,9 +3,15 @@ kind: ClusterRole metadata: name: demo-apimgmt-gitops rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["*"] - apiGroups: ["project.openshift.io"] resources: ["projects"] verbs: ["*"] +- apiGroups: ["keycloak.org"] + resources: ["keycloaks"] + verbs: ["*"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1
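Review bot: `JGROUPS_CLUSTER_PASSWORD` in the sso DeploymentConfig is a literal value committed into the chart, while the admin and database passwords beside it are read from the `demo-seed` Secret; it should come from the same Secret via `valueFrom: secretKeyRef: {name: demo-seed, key: <new key, e.g. sso-jgroups-password>}` (with that key added to the Secret rendered in project.yaml the same way as the other two), and the value now in history should be treated as exposed and rotated. In the sso-postgresql DeploymentConfig both probes spell the key `'successThreshold:': 1`, which is the unknown field `successThreshold:` rather than `successThreshold` and will be rejected or dropped by the API server. The sso76-openshift-rhel8 ImageStream places `labels:` at the top level next to `spec:` instead of under `metadata:`, where it is likewise not a valid field. The BuildConfig that produces the database image fetches its source from a personal fork at the moving branch `ref: KEYCLOAK-15633`; pin `ref:` to a commit SHA or mirror the repository into an organisation-controlled location so the image contents cannot change underneath the build. Less certain: the ImageChange triggers and the BuildConfig `from` reference `namespace: openshift`, whereas the ImageStreams this file creates live in `.Values.projectName`, so the triggers may never fire unless matching streams already exist in `openshift`.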
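Review bot: The new first rule grants `verbs: ["*"]` on core `secrets` in a ClusterRole, so if it is attached through the ClusterRoleBinding that follows, the GitOps identity can read, modify and delete every Secret in the cluster rather than only the Secrets the chart renders into `.Values.projectName`. Scope it down: manage those Secrets with a namespaced Role and RoleBinding in the project namespace, or at minimum enumerate the verbs the controller actually uses, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, so that any verb added to the API later is not granted implicitly. The same `["*"]` pattern is used for `keycloaks`, where the blast radius is smaller but the enumeration is equally cheap. The ClusterRoleBinding that consumes this role begins on the hunk's last lines and continues outside it.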