libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

[KEYCLOAK-9361] Multiple changes:

Browse source 
* Move 'Example Deploying SSO' back from Tutorials to Get Started section to:
  * Align with the form this section has in RH-SSO 7.2 image doc,
  * Bring the getting_started.adoc changes from this commit:
    f61cfad51e (diff-74a6baa8904aeee687e9db2c263b9b47)
    back to the get_started.adoc file, which is now used instead
    of the getting_started.adoc one

* Drop duplicate 'Accessing the Administrator Console' section
from Advanced Concepts

* Comment out the Keystores, Secrets sections in Get Started
since it's covered in Advanced Concepts now

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
This commit is contained in:
Jan Lieskovsky 2019-01-21 20:04:00 +01:00 committed by Hynek Mlnařík
parent ec4403ddfa
commit 0661424bd3
4 changed files with 133 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
openshift/topics/advanced_concepts.adoc
View file

@ -20,7 +20,7 @@ $ oc new-project sso-app-demo
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
[[advanced-concepts-Configuring-Keystores]]
[[Configuring-Keystores]]
==== Creating HTTPS and JGroups Keystores, and Truststore for the {project_name} Server
The {project_name} application templates using xref:../introduction/introduction.adoc#passthrough-templates[passthrough TLS termination] require:
@ -227,43 +227,6 @@ $ oc new-app --template={project_templates_version}-https \
Run 'oc status' to view your app.
----
==== Accessing the Administrator Console of the {project_name} Pod
After the template got deployed, identify the available routes:
[source,bash,subs="attributes+,macros+"]
----
$ oc get routes
----
[cols="7",options="header"]
|===
|NAME |HOST/PORT |PATH |SERVICES |PORT |TERMINATION |WILDCARD
|secure-sso
|secure-sso-sso-app-demo.openshift.example.com
|
|secure-sso
|<all>
|passthrough
|None
|sso
|sso-sso-app-demo.openshift.example.com
|
|sso
|<all>
|
|None
|===
and access the {project_name} administrator console at:
* *\https://secure-sso-sso-app-demo.openshift.example.com/auth/admin*
* *\http://sso-sso-app-demo.openshift.example.com/auth/admin*
using the xref:sso-administrator-setup[administrator account].
[[advanced-concepts-sso-hostname-spi-setup]]
=== Customizing Hostname for the {project_name} Server

2
openshift/topics/before_you_begin.adoc
View file

@ -22,5 +22,5 @@ The Tutorials in this guide follow on from and assume an OpenShift instance simi
[IMPORTANT]
====
For information related to updating the existing database when migrating {project_openshift_product_name} image from previous versions to version {project_version}, see the xref:../tutorials/tutorials.adoc#upgrading-sso-db-from-previous-to-{project_version}[Updating Existing Database when Migrating {project_openshift_product_name} Image to a new version] section.
For information related to updating the existing database when migrating {project_openshift_product_name} image from previous versions to version {project_version}, see the xref:upgrading-sso-db-from-previous-version[Updating Existing Database when Migrating {project_openshift_product_name} Image to a new version] section.
====

124
openshift/topics/get_started.adoc
View file

@ -53,6 +53,123 @@ done
$ oc -n openshift import-image redhat-{project_templates_version}-openshift:{project_latest_image_tag}
----
[[Example-Deploying-SSO]]
=== Deploying the {project_name} Image
[[Preparing-SSO-Authentication-for-OpenShift-Deployment]]
==== Preparing the Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project sso-app-demo
----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
==== Deploying the {project_name} Image using Application Template
===== Deploying the Template via OpenShift CLI
. List the available {project_name} application templates:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get templates -n openshift -o name | grep -o '{project_templates_version}.\+'
{project_templates_version}-https
{project_templates_version}-mysql
{project_templates_version}-mysql-persistent
{project_templates_version}-postgresql
{project_templates_version}-postgresql-persistent
{project_templates_version}-x509-https
{project_templates_version}-x509-mysql-persistent
{project_templates_version}-x509-postgresql-persistent
----
. Deploy the selected one:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc new-app --template={project_templates_version}-x509-https
--> Deploying template "openshift/{project_templates_version}-x509-https" to project sso-app-demo
{project_name} {project_versionDoc} (Ephemeral)
---------
An example {project_name} 7 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.
A new {project_name} service has been created in your project. The admin username/password for accessing the master realm via the {project_name} console is IACfQO8v/nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing {project_name} requests were automatically created via OpenShift's service serving x509 certificate secrets.
* With parameters:
* Application Name=sso
* JGroups Cluster Password=jg0Rssom0gmHBnooDF3Ww7V4Mu5RymmB # generated
* Datasource Minimum Pool Size=
* Datasource Maximum Pool Size=
* Datasource Transaction Isolation=
* ImageStream Namespace=openshift
* {project_name} Administrator Username=IACfQO8v # generated
* {project_name} Administrator Password=nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc # generated
* {project_name} Realm=
* {project_name} Service Username=
* {project_name} Service Password=
* Container Memory Limit=1Gi
--> Creating resources ...
service "sso" created
service "secure-sso" created
service "sso-ping" created
route "sso" created
route "secure-sso" created
deploymentconfig "sso" created
--> Success
Run 'oc status' to view your app.
----
===== Deploying the Template via OpenShift Web Console
Alternatively, perform the following steps to deploy the {project_name} template via OpenShift web console:
. Log in to the OpenShift web console and select the _sso-app-demo_ project space.
. Click *Add to Project*, then *Browse Catalog* to list the default image streams and templates.
. Use the *Filter by Keyword* search bar to limit the list to those that match _sso_. You may need to click *Middleware*, then *Integration* to show the desired application template.
. Select an {project_name} application template. This example uses *_{project_name} {project_versionDoc} (Ephemeral)_*.
. Click *Next* in the *Information* step.
. From the *Add to Project* drop-down menu, select the _sso-app-demo_ project space. Then click *Next*.
. Select *Do not bind at this time* radio button in the *Binding* step. Click *Create* to continue.
. In the *Results* step, click the *Continue to the project overview* link to verify the status of the deployment.
==== Accessing the Administrator Console of the {project_name} Pod
After the template got deployed, identify the available routes:
[source,bash,subs="attributes+,macros+"]
----
$ oc get routes
----
[cols="7",options="header"]
|===
|NAME |HOST/PORT |PATH |SERVICES |PORT |TERMINATION |WILDCARD
|sso
|sso-sso-app-demo.openshift.example.com
|
|sso
|<all>
|reencrypt
|None
|===
and access the {project_name} administrator console at:
* *\https://sso-sso-app-demo.openshift.example.com/auth/admin*
using the xref:sso-administrator-setup[administrator account].
////
=== Preparing and Deploying the {project_openshift_product_name} Application Templates
[[Configuring-Keystores]]
@ -81,6 +198,7 @@ Use the SSL and JGroups keystore files to create secrets for the project:
$ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>
$ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]>
----
////
////
==== Creating the Service Account
@ -107,7 +225,6 @@ $ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-na
----
$ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]>
----
////
==== Using the OpenShift Web Console
Log in to the OpenShift web console:
@ -175,6 +292,8 @@ The {project_openshift_product_name} templates use TLS passthrough termination f
For more information on OpenShift route types, see the link:https://docs.openshift.com/container-platform/3.7/architecture/networking/routes.html#route-types[Networking chapter] of the OpenShift Architecture Guide.
////
=== Binary Builds
To deploy existing applications on OpenShift, you can use the link:https://docs.openshift.com/container-platform/latest/dev_guide/builds/build_inputs.html#binary-source[binary source] capability.
@ -281,7 +400,8 @@ $ oc new-project eap-app-demo
+
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
$ oc policy add-role-to-user view \
system:serviceaccount:$(oc project -q):default
----
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).

23
openshift/topics/tutorials.adoc
View file

@ -1,14 +1,7 @@
////
[[{project_name}-Binary-Builds-Tutorial]]
=== Example Workflow: Creating OpenShift Application from Existing Maven Binaries and Securing it Using Red Hat Single Sing-On
== Tutorials
[[Example-Deploying-SSO]]
=== Example Workflow: Preparing and Deploying the {project_openshift_product_name} image
[[Preparing-SSO-Authentication-for-OpenShift-Deployment]]
==== Preparing {project_name} Authentication for OpenShift Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
To deploy existing applications on OpenShift, you can use the link:https://docs.openshift.com/container-platform/latest/dev_guide/builds/build_inputs.html#binary-source[binary source] capability.
==== Deploy Binary Build of EAP 6.4 / 7.1 JSP Service Invocation Application and Secure it Using Red Hat Single Sign-On
@ -43,9 +36,11 @@ Use the xref:sso-administrator-setup[credentials of the {project_name} administr
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses `demo`) and click *Create*.
////
== Tutorials
[[upgrading-sso-db-from-previous-to-{project_version}]]
[[upgrading-sso-db-from-previous-version]]
=== Example Workflow: Updating Existing Database when Migrating {project_openshift_product_name} Image to a new version
[IMPORTANT]
====
@ -586,10 +581,10 @@ $ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled
----
=== Example Workflow: Migrating Entire {project_name} Server Database Across The Environments
==== Migrating The Entire {project_name} Server Database Across The Environments
This tutorial focuses on migrating the Red Hat Single Sign-On server database from one environment to another or migrating to a different database. It assumes steps described in xref:Preparing-SSO-Authentication-for-OpenShift-Deployment[Preparing {project_name} Authentication for OpenShift Deployment] section have been performed already.
==== Deploying the {project_name} MySQL Application Template
===== Deploying the {project_name} MySQL Application Template
. Log in to the OpenShift web console and select the _sso-app-demo_ project space.
. Click *Add to project* to list the default image streams and templates.
@ -616,7 +611,7 @@ This example workflow uses a self-generated CA to provide an end-to-end workflow
For production environments, Red Hat recommends that you use an SSL certificate purchased from a verified Certificate Authority.
====
==== (Optional) Creating additional {project_name} link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#core_concepts_and_terms[realm and users] to be also exported
===== (Optional) Creating additional {project_name} link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#core_concepts_and_terms[realm and users] to be also exported
When performing link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#export_import[{project_name} {project_version} server database export] only {project_name} realms and users currently present in the database will be exported. If the exported JSON file should include also additional {project_name} realms and users, these need to be created first:
@ -626,7 +621,7 @@ When performing link:https://access.redhat.com/documentation/en-us/red_hat_singl
Upon their creation xref:sso-export-the-database[the database can be exported.]
[[sso-export-the-database]]
==== Export the {project_name} database as a JSON file on the OpenShift pod
===== Export the {project_name} database as a JSON file on the OpenShift pod
. Get the {project_name} deployment config and scale it down to zero.
+
@ -670,7 +665,7 @@ $ oc logs sso-4-ejr0k | grep 'Export'
09:24:59,998 INFO [org.keycloak.services] (ServerService Thread Pool -- 57) KC-SERVICES0035: Export finished successfully
----
==== Retrieve and import the exported JSON file
===== Retrieve and import the exported JSON file
. Retrieve the JSON file of the {project_name} database from the pod.
+