Nicolas Massé 3 years ago
parent
commit
e66d1aa3ce
  1. 4
      infrastructure/templates/project.yaml
  2. 422
      infrastructure/templates/sso.yaml
  3. 6
      openshift-gitops.yaml

4
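--- a/infrastructure/templates/project.yaml
+++ b/infrastructure/templates/project.yaml
@@ -29,5 +29,5 @@ metadata:
   namespace: {{ .Values.projectName | quote }}
 type: Opaque
 data:
-  sso-admin-password: {{ derivePassword 1 "long" .Values.masterKey "sso" "sso-admin-password" | b64enc | quote }}
-  sso-database-password: {{ derivePassword 1 "long" .Values.masterKey "sso" "sso-database-password" | b64enc | quote }}
+  sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }}
+  sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }}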
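Review bot: The new derivation on both `data:` lines keeps only 16 hex characters of a SHA-256 digest, so each password has at most 64 bits of strength from a 16-symbol alphabet, and unlike the `derivePassword` call it replaces there is no key stretching — the whole strength rests on `.Values.masterKey`, and a weak master key could be brute-forced offline from a single derived value. If the switch was made because `derivePassword "long"` emits characters the SSO or PostgreSQL images mishandle (the commit message does not say), keep more of the digest, e.g. `trunc 32 (sha256sum (cat .Values.masterKey "sso-admin-password"))`, and add a comment above `data:` recording why `derivePassword` was dropped and that `masterKey` must itself be high-entropy. Note that both secrets derive from the same `masterKey`, so leaking it reveals every password in this chart. The Secret's `metadata:` block starts outside the hunk.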

422
infrastructure/templates/sso.yaml

@ -1,31 +1,417 @@
apiVersion: operators.coreos.com/v1alpha1 kind: ImageStream
kind: Subscription apiVersion: image.openshift.io/v1
metadata: metadata:
name: postgresql13-for-sso76-openshift-rhel8
creationTimestamp: null
annotations: annotations:
argocd.argoproj.io/sync-wave: "10" openshift.io/display-name: PostgreSQL
name: rhsso-operator
namespace: {{ .Values.projectName | quote }} namespace: {{ .Values.projectName | quote }}
spec: spec:
channel: stable lookupPolicy:
name: rhsso-operator local: false
source: redhat-operators tags:
sourceNamespace: openshift-marketplace - name: 13-el8
annotations:
description: Provides a PostgreSQL 13 database on RHEL 8. For more information
about using this database image, including OpenShift considerations, see
https://github.com/sclorg/postgresql-container/blob/master/README.md.
iconClass: icon-postgresql
openshift.io/display-name: PostgreSQL 13 (RHEL 8)
openshift.io/provider-display-name: Red Hat, Inc.
tags: database,postgresql
version: '13'
from:
kind: DockerImage
name: registry.redhat.io/rhel8/postgresql-13:latest
generation: null
importPolicy: {}
referencePolicy:
type: Local
---
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
name: sso76-openshift-rhel8
annotations:
description: Red Hat Single Sign-On 7.6 on OpenJDK
openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK
openshift.io/provider-display-name: Red Hat, Inc.
version: 7.6.0.GA
namespace: {{ .Values.projectName | quote }}
labels:
rhsso: 7.6.0.GA
spec:
tags:
- name: latest
from:
kind: ImageStreamTag
name: '7.6'
- name: '7.6'
annotations:
description: Red Hat Single Sign-On 7.6 on OpenJDK image
iconClass: icon-sso
tags: sso,keycloak,redhat,hidden
supports: sso:7.6
version: '1.0'
openshift.io/display-name: Red Hat Single Sign-On 7.6 on OpenJDK
referencePolicy:
type: Local
from:
kind: DockerImage
name: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6
--- ---
apiVersion: keycloak.org/v1alpha1 apiVersion: v1
kind: Keycloak kind: Service
metadata: metadata:
annotations: annotations:
argocd.argoproj.io/sync-wave: "10" description: The web server's https port.
service.alpha.openshift.io/dependencies: '[{"name": "sso-postgresql", "kind":
"Service"}]'
service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso name: sso
spec:
ports:
- port: 8443
targetPort: 8443
selector:
deploymentConfig: sso
---
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
labels: labels:
app: sso application: sso-postgresql-ssl
namespace: {{ .Values.projectName | quote }} rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-postgresql-ssl
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
annotations:
description: Build config to extend the vanilla PostgreSQL SQL database server
container image with SSL/TLS support.
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-postgresql-enable-ssl
spec:
output:
to:
kind: ImageStreamTag
name: sso-postgresql-ssl:latest
source:
contextDir: s2i/postgresql/enable-ssl
git:
ref: KEYCLOAK-15633
uri: https://github.com/iankko/redhat-sso-7-openshift-image
type: Git
strategy:
sourceStrategy:
env:
- name: ARTIFACT_DIR
value: ${ARTIFACT_DIR}
- name: MAVEN_ARGS_APPEND
value: ""
forcePull: true
from:
kind: ImageStreamTag
name: postgresql13-for-sso76-openshift-rhel8:13-el8
namespace: openshift
type: Source
triggers:
- imageChange: {}
type: ImageChange
- type: ConfigChange
---
apiVersion: v1
kind: Service
metadata:
annotations:
description: The database server's port.
service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl-secret
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-postgresql
spec:
ports:
- port: 5432
targetPort: 5432
selector:
deploymentConfig: sso-postgresql
---
apiVersion: v1
kind: Service
metadata:
annotations:
description: The JGroups ping port for clustering.
service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-ping
spec:
clusterIP: None
ports:
- name: ping
port: 8888
publishNotReadyAddresses: true
selector:
deploymentConfig: sso
---
apiVersion: route.openshift.io/v1
id: sso-https
kind: Route
metadata:
annotations:
description: Route for application's https service.
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso
spec: spec:
externalAccess:
enabled: true
host: {{ .Values.sso.hostname | quote }} host: {{ .Values.sso.hostname | quote }}
keycloakDeploymentSpec: tls:
termination: reencrypt
to:
name: sso
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso
spec:
replicas: 1
selector:
deploymentConfig: sso
strategy:
type: Recreate
template:
metadata:
labels:
application: sso
deploymentConfig: sso
name: sso
spec:
containers:
- env:
- name: SSO_HOSTNAME
value: {{ .Values.sso.hostname | quote }}
- name: DB_SERVICE_PREFIX_MAPPING
value: sso-postgresql=DB
- name: DB_JNDI
value: java:jboss/datasources/KeycloakDS
- name: DB_USERNAME
value: sso
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: demo-seed
key: sso-database-password
- name: DB_DATABASE
value: sso
- name: TX_DATABASE_PREFIX_MAPPING
value: sso-postgresql=DB
- name: DB_MIN_POOL_SIZE
value: ""
- name: DB_MAX_POOL_SIZE
value: ""
- name: DB_TX_ISOLATION
value: ""
- name: JGROUPS_PING_PROTOCOL
value: openshift.DNS_PING
- name: OPENSHIFT_DNS_PING_SERVICE_NAME
value: sso-ping
- name: OPENSHIFT_DNS_PING_SERVICE_PORT
value: "8888"
- name: X509_CA_BUNDLE
value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: JGROUPS_CLUSTER_PASSWORD
value: djqqleTNBaVqjl3nsA5Ku3LNCGYSAiB5
- name: SSO_ADMIN_USERNAME
value: admin
- name: SSO_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: demo-seed
key: sso-admin-password
- name: SSO_REALM
value: ""
- name: SSO_SERVICE_USERNAME
value: ""
- name: SSO_SERVICE_PASSWORD
value: ""
image: sso
imagePullPolicy: Always imagePullPolicy: Always
postgresDeploymentSpec: livenessProbe:
exec:
command:
- /bin/bash
- -c
- /opt/eap/bin/livenessProbe.sh
initialDelaySeconds: 60
name: sso
ports:
- containerPort: 8778
name: jolokia
protocol: TCP
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
- containerPort: 8888
name: ping
protocol: TCP
readinessProbe:
exec:
command:
- /bin/bash
- -c
- /opt/eap/bin/readinessProbe.sh
resources:
limits:
memory: 1Gi
volumeMounts:
- mountPath: /etc/x509/https
name: sso-x509-https-volume
readOnly: true
- mountPath: /etc/x509/jgroups
name: sso-x509-jgroups-volume
readOnly: true
terminationGracePeriodSeconds: 75
volumes:
- name: sso-x509-https-volume
secret:
secretName: sso-x509-https-secret
- name: sso-x509-jgroups-volume
secret:
secretName: sso-x509-jgroups-secret
triggers:
- imageChangeParams:
automatic: true
containerNames:
- sso
from:
kind: ImageStreamTag
name: sso76-openshift-rhel8:7.6
namespace: openshift
type: ImageChange
- type: ConfigChange
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-postgresql
spec:
replicas: 1
selector:
deploymentConfig: sso-postgresql
strategy:
type: Recreate
template:
metadata:
labels:
application: sso
deploymentConfig: sso-postgresql
name: sso-postgresql
spec:
containers:
- env:
- name: POSTGRESQL_USER
value: sso
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: demo-seed
key: sso-database-password
- name: POSTGRESQL_DATABASE
value: sso
- name: POSTGRESQL_MAX_CONNECTIONS
value: ""
- name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
value: ""
- name: POSTGRESQL_SHARED_BUFFERS
value: ""
image: postgresql
imagePullPolicy: Always imagePullPolicy: Always
instances: 1 livenessProbe:
failureThreshold: 3
initialDelaySeconds: 90
'successThreshold:': 1
tcpSocket:
port: 5432
timeoutSeconds: 10
name: sso-postgresql
ports:
- containerPort: 5432
protocol: TCP
readinessProbe:
exec:
command:
- /bin/sh
- -i
- -c
- PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE
-c 'SELECT 1'
failureThreshold: 3
initialDelaySeconds: 90
'successThreshold:': 1
timeoutSeconds: 10
volumeMounts:
- mountPath: /var/lib/pgsql/data
name: sso-postgresql-pvol
- mountPath: /etc/pki/postgresql
name: postgresql-ssl-volume
readOnly: true
terminationGracePeriodSeconds: 60
volumes:
- name: sso-postgresql-pvol
persistentVolumeClaim:
claimName: sso-postgresql-claim
- name: postgresql-ssl-volume
secret:
secretName: postgresql-ssl-secret
triggers:
- imageChangeParams:
automatic: true
containerNames:
- sso-postgresql
from:
kind: ImageStreamTag
name: sso-postgresql-ssl:latest
type: ImageChange
- type: ConfigChange
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
application: sso
rhsso: 7.6.0.GA
template: sso76-x509-postgresql-persistent
name: sso-postgresql-claim
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
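Review bot: `JGROUPS_CLUSTER_PASSWORD` in the `sso` DeploymentConfig is a literal credential committed in the template, while `SSO_ADMIN_PASSWORD` and `DB_PASSWORD` are read from the `demo-seed` Secret via `secretKeyRef`; derive it from `.Values.masterKey` alongside those two and reference it as `valueFrom: {secretKeyRef: {name: demo-seed, key: sso-jgroups-password}}` so no credential lives in Git. Both probe blocks of the `sso-postgresql` DeploymentConfig use the key `'successThreshold:': 1` — the quoted key carries a stray colon, so it will not be treated as `successThreshold` and should read `successThreshold: 1`. The `sso-postgresql-enable-ssl` BuildConfig pulls its source from a personal fork at the moving ref `KEYCLOAK-15633` and rebuilds on every ImageChange/ConfigChange trigger, so the database image content can change with no change in this repository; pin `ref` to a commit SHA (or vendor the s2i directory) and treat it as a supply-chain input. `value: ${ARTIFACT_DIR}` looks like an unexpanded OpenShift-template parameter that survived the conversion to Helm, and the `from:` references to `namespace: openshift` (the PostgreSQL and SSO ImageStreamTags) bypass the two ImageStreams this file creates in `.Values.projectName` — presumably unintended, worth confirming.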

6
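--- a/openshift-gitops.yaml
+++ b/openshift-gitops.yaml
@@ -3,9 +3,15 @@ kind: ClusterRole
 metadata:
   name: demo-apimgmt-gitops
 rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
 - apiGroups: ["project.openshift.io"]
   resources: ["projects"]
   verbs: ["*"]
+- apiGroups: ["keycloak.org"]
+  resources: ["keycloaks"]
+  verbs: ["*"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1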
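Review bot: The new first rule grants `verbs: ["*"]` on `secrets` in every namespace through a ClusterRole, which lets the GitOps service account read and rewrite any Secret on the cluster, not just the ones this demo renders; if Argo CD only needs to manage the `demo-seed` Secret in `.Values.projectName`, a namespaced Role plus RoleBinding in that project, or at least narrowing the verbs to the ones Argo CD actually uses (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`), would keep this to least privilege. The `keycloak.org` `keycloaks` rule appears to land in the same commit that drops the `Keycloak` custom resource from `infrastructure/templates/sso.yaml`, so it may already be dead; worth confirming before merge. A short comment above each new rule naming which resource in this repo requires it, e.g. `# demo-seed Secret rendered by infrastructure/templates/project.yaml`, would make later pruning easier.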
