[KEYCLOAK-8234] Address multiple issues:
* Whitelist .../templates/${resource} link for both RH-SSO 7.3 TP CD & RH-SSO 7.3 products, * Replace '[subs="verbatim,macros,attributes"]' with '[source,bash,subs="attributes+,macros+"]' The 'macros+' field is needed in order also constructs like 'pass:quotes[_user-name_]' got expanded correctly, * Replace deprecated 'oc env' command with its new "oc set env" equivalent, * Replace deprecated 'oadm' command with its new "oc adm" equivalent, * Escape selected https:// links, so they wouldn't end up rendered as <link xlink=...> Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
This commit is contained in:
parent
fa081f55fb
commit
dd445d5c2a
5 changed files with 166 additions and 158 deletions
|
@ -9,13 +9,13 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
|
|||
|
||||
. Create a new project:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-project sso-app-demo
|
||||
----
|
||||
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
||||
----
|
||||
|
@ -51,19 +51,19 @@ See the https://access.redhat.com/documentation/en-us/jboss_enterprise_applicati
|
|||
[[generate-ca-certificate]]
|
||||
.. Generate a CA certificate. Pick and remember the password. Provide identical password, when xref:signing-csr-with-ca-certificate[signing the certificate sign request with the CA certificate] below:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca"
|
||||
----
|
||||
.. Generate a CA certificate for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks
|
||||
----
|
||||
.. Generate a certificate sign request for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
|
||||
----
|
||||
|
@ -72,19 +72,19 @@ $ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
|
|||
[start=4]
|
||||
.. Sign the certificate sign request with the CA certificate. Provide the same password that was used to xref:generate-ca-certificate[generate the CA certificate]:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ openssl x509 -req -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial
|
||||
----
|
||||
.. Import the CA certificate into the HTTPS keystore. Provide `mykeystorepass` as the keystore password. Reply `yes` to `Trust this certificate? [no]:` question:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore keystore.jks
|
||||
----
|
||||
.. Import the signed certificate sign request into the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
|
||||
----
|
||||
|
@ -94,7 +94,7 @@ $ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
|
|||
|
||||
Provide `password` as the keystore password:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
|
||||
----
|
||||
|
@ -104,7 +104,7 @@ $ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
|
|||
|
||||
Provide `mykeystorepass` as the truststore password. Reply `yes` to `Trust this certificate? [no]:` question:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore truststore.jks
|
||||
----
|
||||
|
@ -116,13 +116,13 @@ OpenShift uses objects called link:https://docs.openshift.com/container-platform
|
|||
|
||||
. Create the secrets for the HTTPS and JGroups keystores, and {project_name} server truststore, generated in the xref:Configuring-Keystores[previous section].
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new sso-app-secret keystore.jks jgroups.jceks truststore.jks
|
||||
----
|
||||
. Link these secrets to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[default] service account, which is used to run {project_name} pods.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secrets link default sso-app-secret
|
||||
----
|
||||
|
@ -144,7 +144,7 @@ Be aware that *the passwords provided when provisioning the template need to mat
|
|||
====
|
||||
The following commands using the *_keytool_*, a package *included with the Java Development Kit*, can be used to determine the names associated with the certificate:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -v -list -keystore keystore.jks | grep Alias
|
||||
Enter keystore password: mykeystorepass
|
||||
|
@ -152,7 +152,7 @@ Alias name: xpaas.ca
|
|||
Alias name: jboss
|
||||
----
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -v -list -keystore jgroups.jceks -storetype jceks | grep Alias
|
||||
Enter keystore password: password
|
||||
|
@ -163,7 +163,7 @@ Finally, the *_SSO_ADMIN_USERNAME_*, *_SSO_ADMIN_PASSWORD_*, and the *_SSO_REALM
|
|||
====
|
||||
|
||||
[[advanced-topics-deploy-{project_templates_version}-https-template]]
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-app --template={project_templates_version}-https \
|
||||
-p HTTPS_SECRET="sso-app-secret" \
|
||||
|
@ -184,7 +184,7 @@ $ oc new-app --template={project_templates_version}-https \
|
|||
|
||||
{project_name} {project_version} (Ephemeral with passthrough TLS)
|
||||
---------
|
||||
An example {project_name} 7 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.
|
||||
An example {project_name} 7 application. For more information about using this template, see \https://github.com/jboss-openshift/application-templates.
|
||||
|
||||
A new {project_name} service has been created in your project. The admin username/password for accessing the master realm via the {project_name} console is admin/redhat. Please be sure to create the following secrets: "sso-app-secret" containing the keystore.jks file used for serving secure content; "sso-app-secret" containing the jgroups.jceks file used for securing JGroups communications; "sso-app-secret" containing the truststore.jks file used for securing {project_name} requests.
|
||||
|
||||
|
@ -231,7 +231,7 @@ $ oc new-app --template={project_templates_version}-https \
|
|||
|
||||
After the template got deployed, identify the available routes:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get routes
|
||||
----
|
||||
|
@ -365,7 +365,7 @@ Run the following commands to prepare the previously created deployment config o
|
|||
|
||||
. Identify the deployment config of the {project_name} application.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name
|
||||
deploymentconfig/sso
|
||||
|
@ -373,9 +373,11 @@ deploymentconfig/sso-mysql
|
|||
----
|
||||
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD=""
|
||||
$ oc set env dc/sso \
|
||||
-e SSO_ADMIN_USERNAME="" \
|
||||
-e SSO_ADMIN_PASSWORD=""
|
||||
----
|
||||
====
|
||||
|
||||
|
@ -386,7 +388,7 @@ Run following commands to create an administrator account for the `master` realm
|
|||
|
||||
. Identify the {project_name} application pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -395,14 +397,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
|
|||
----
|
||||
. Open a remote shell session to the {project_openshift_product_name} container.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsh sso-12-pt93n
|
||||
sh-4.2$
|
||||
----
|
||||
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ cd /opt/eap/bin/
|
||||
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
|
||||
|
@ -415,7 +417,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
|
|||
====
|
||||
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ ./jboss-cli.sh --connect ':reload'
|
||||
{
|
||||
|
@ -460,7 +462,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
|
|||
|
||||
The following is an example snippet for the application *web.xml* to configure an OIDC client:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
...
|
||||
<login-config>
|
||||
|
@ -552,10 +554,10 @@ There are two methods for passing the {project_name} adapter configuration to th
|
|||
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
|
||||
|
||||
=== Limitations
|
||||
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command.
|
||||
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
|
||||
|
||||
For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
|
||||
$ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
|
||||
----
|
||||
|
|
|
@ -24,13 +24,13 @@ To update to the latest {project_openshift_product_name} images, run the followi
|
|||
|
||||
. On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc login -u system:admin
|
||||
----
|
||||
. Run the following commands to update the core set of {project_name} {project_version} resources for OpenShift in the `openshift` project:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ for resource in {project_templates_version}-image-stream.json \
|
||||
{project_templates_version}-https.json \
|
||||
|
@ -43,12 +43,12 @@ $ for resource in {project_templates_version}-image-stream.json \
|
|||
{project_templates_version}-x509-postgresql-persistent.json
|
||||
do
|
||||
oc replace -n openshift --force -f \
|
||||
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource}
|
||||
\https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource}
|
||||
done
|
||||
----
|
||||
. Run the following command to install the {project_name} {project_version} OpenShift image streams in the `openshift` project:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc -n openshift import-image redhat-{project_templates_version}-openshift:{project_latest_image_tag}
|
||||
----
|
||||
|
@ -76,7 +76,7 @@ OpenShift uses objects called `Secrets` to hold sensitive information, such as p
|
|||
The {project_openshift_product_name} image requires one or more secrets that hold the two keystores described earlier. This provides the necessary authorization to applications in the project.
|
||||
|
||||
Use the SSL and JGroups keystore files to create secrets for the project:
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>
|
||||
$ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]>
|
||||
|
@ -91,19 +91,19 @@ The service account that you create must be configured with the correct permissi
|
|||
|
||||
. Create a service account to be used for the SSO deployment:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc create serviceaccount <pass:quotes[_service-account-name_]>
|
||||
----
|
||||
. Add the *view* role to the service account. This enables the service account to view all the resources in the application namespace in OpenShift, which is necessary for managing the cluster.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-name_]>:<pass:quotes[_service-account-name_]> -n <pass:quotes[_project-name_]>
|
||||
----
|
||||
. Link the secrets created for the project to the service account:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]>
|
||||
----
|
||||
|
@ -156,7 +156,7 @@ Run the following commands to prepare the previously created deployment config o
|
|||
|
||||
. Identify the deployment config of the {project_name} application.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name
|
||||
deploymentconfig/sso
|
||||
|
@ -164,9 +164,11 @@ deploymentconfig/sso-mysql
|
|||
----
|
||||
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD=""
|
||||
$ oc set env dc/sso \
|
||||
-e SSO_ADMIN_USERNAME="" \
|
||||
-e SSO_ADMIN_PASSWORD=""
|
||||
----
|
||||
====
|
||||
|
||||
|
@ -177,7 +179,7 @@ Run following commands to create administrator account for the `master` realm of
|
|||
|
||||
. Identify the {project_name} application pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -186,14 +188,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
|
|||
----
|
||||
. Open a remote shell session to {project_openshift_product_name} container.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsh sso-12-pt93n
|
||||
sh-4.2$
|
||||
----
|
||||
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ cd /opt/eap/bin/
|
||||
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
|
||||
|
@ -206,7 +208,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
|
|||
====
|
||||
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ ./jboss-cli.sh --connect ':reload'
|
||||
{
|
||||
|
@ -317,7 +319,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
|
|||
|
||||
The following is an example snippet for the application *web.xml* to configure an OIDC client:
|
||||
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
...
|
||||
<login-config>
|
||||
|
@ -409,12 +411,12 @@ There are two methods for passing the {project_name} adapter configuration to th
|
|||
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
|
||||
|
||||
==== Limitations
|
||||
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command.
|
||||
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
|
||||
|
||||
For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
|
||||
$ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
|
||||
----
|
||||
|
||||
=== Binary Builds
|
||||
|
@ -515,20 +517,20 @@ You can select multiple items at once by holding the *Ctrl* key and simultaneous
|
|||
|
||||
. Create a new project for the EAP 6.4 / 7.1 JSP application.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-project eap-app-demo
|
||||
----
|
||||
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
||||
----
|
||||
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
|
||||
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genkeypair \
|
||||
-dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \
|
||||
|
@ -538,7 +540,7 @@ $ keytool -genkeypair \
|
|||
----
|
||||
.. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore).
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genseckey \
|
||||
-alias jgroups \
|
||||
|
@ -547,18 +549,18 @@ $ keytool -genseckey \
|
|||
----
|
||||
.. Generate the EAP 6.4 / 7.1 for OpenShift secrets with the SSL and JGroup keystore files.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new eap-ssl-secret eapkeystore.jks
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new eap-jgroup-secret eapjgroups.jceks
|
||||
----
|
||||
.. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
|
||||
----
|
||||
|
@ -567,20 +569,20 @@ $ oc secrets link default eap-ssl-secret eap-jgroup-secret
|
|||
|
||||
. Clone the source code.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ git clone https://github.com/keycloak/keycloak-quickstarts.git
|
||||
$ git clone \https://github.com/keycloak/keycloak-quickstarts.git
|
||||
----
|
||||
. link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository].
|
||||
. Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications.
|
||||
.. Build the `service-jee-jaxrs` application.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ cd keycloak-quickstarts/service-jee-jaxrs/
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ mvn clean package -DskipTests
|
||||
[INFO] Scanning for projects...
|
||||
|
@ -599,22 +601,22 @@ $ mvn clean package -DskipTests
|
|||
----
|
||||
.. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
service-jee-jaxrs]$ cd ../app-jee-jsp/
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ mvn clean package -DskipTests
|
||||
[INFO] Scanning for projects...
|
||||
|
@ -646,28 +648,28 @@ Application archives in the *deployments/* subdirectory of the main binary build
|
|||
+
|
||||
Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ ls
|
||||
config pom.xml README.md src target
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ tree sso-eap7-bin-demo/
|
||||
sso-eap7-bin-demo/
|
||||
|
@ -699,7 +701,7 @@ Location of the standard deployments directory depends on the underlying base im
|
|||
====
|
||||
. Identify the image stream for EAP 6.4 / 7.1 image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get is -n openshift | grep eap | cut -d ' ' -f 1
|
||||
jboss-eap64-openshift
|
||||
|
@ -715,7 +717,7 @@ jboss-eap71-openshift
|
|||
Replace `--image-stream=jboss-eap71-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following oc command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image.
|
||||
====
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-build --binary=true \
|
||||
--image-stream=jboss-eap71-openshift \
|
||||
|
@ -739,7 +741,7 @@ $ oc new-build --binary=true \
|
|||
----
|
||||
. Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
app-jee-jsp]$ oc start-build eap-app \
|
||||
--from-dir=./sso-eap7-bin-demo/ \
|
||||
|
@ -764,7 +766,7 @@ Push successful
|
|||
----
|
||||
. Create a new OpenShift application based on the build.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-app eap-app
|
||||
--> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app"
|
||||
|
@ -787,13 +789,13 @@ $ oc new-app eap-app
|
|||
----
|
||||
. Stop all running containers of the EAP 6.4 / 7.1 JSP application in the current namespace.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name
|
||||
deploymentconfig/eap-app
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale dc/eap-app --replicas=0
|
||||
deploymentconfig "eap-app" scaled
|
||||
|
@ -807,7 +809,7 @@ deploymentconfig "eap-app" scaled
|
|||
Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied].
|
||||
====
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc set env dc/eap-app \
|
||||
-e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \
|
||||
|
@ -823,7 +825,7 @@ deploymentconfig "eap-app" updated
|
|||
----
|
||||
.. Configure the application with details about both the SSL and JGroups keystore.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc set env dc/eap-app \
|
||||
-e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \
|
||||
|
@ -837,7 +839,7 @@ deploymentconfig "eap-app" updated
|
|||
----
|
||||
.. Define OpenShift volumes for both the SSL and JGroups secrets created earlier.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc volume dc/eap-app --add \
|
||||
--name="eap-keystore-volume" \
|
||||
|
@ -847,7 +849,7 @@ $ oc volume dc/eap-app --add \
|
|||
deploymentconfig "eap-app" updated
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc volume dc/eap-app --add \
|
||||
--name="eap-jgroups-keystore-volume" \
|
||||
|
@ -858,7 +860,7 @@ deploymentconfig "eap-app" updated
|
|||
----
|
||||
.. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting).
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc patch dc/eap-app --type=json \
|
||||
-p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]'
|
||||
|
@ -866,32 +868,32 @@ $ oc patch dc/eap-app --type=json \
|
|||
----
|
||||
. Deploy container of the EAP 6.4 / 7.1 JSP application using the modified deployment config.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale dc/eap-app --replicas=1
|
||||
deploymentconfig "eap-app" scaled
|
||||
----
|
||||
. Expose the service as route.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get svc -o name
|
||||
service/eap-app
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get route
|
||||
No resources found.
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc expose svc/eap-app
|
||||
route "eap-app" exposed
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get route
|
||||
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
|
||||
|
|
|
@ -30,23 +30,24 @@ build configuration of the application as follows:
|
|||
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
|
||||
variable against:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get bc -o name
|
||||
buildconfig/sso
|
||||
----
|
||||
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
|
||||
$ oc set env bc/sso \
|
||||
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
|
||||
buildconfig "sso" updated
|
||||
----
|
||||
. Verify the setting
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env bc/sso --list
|
||||
$ oc set env bc/sso --list
|
||||
# buildconfigs sso
|
||||
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
|
||||
----
|
||||
|
@ -83,23 +84,24 @@ build configuration of the application as follows:
|
|||
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
|
||||
variable against:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get bc -o name
|
||||
buildconfig/sso
|
||||
----
|
||||
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
|
||||
$ oc set env bc/sso \
|
||||
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
|
||||
buildconfig "sso" updated
|
||||
----
|
||||
. Verify the setting
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc env bc/sso --list
|
||||
$ oc set env bc/sso --list
|
||||
# buildconfigs sso
|
||||
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
|
||||
----
|
||||
|
@ -110,10 +112,6 @@ pulled from the repository manager, instead of the default public repositories.
|
|||
Also, after the build is finished, you will see that the mirror is filled with
|
||||
all the dependencies that were retrieved and used during the build.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
[[env_vars]]
|
||||
=== Environment Variables
|
||||
|
||||
|
|
|
@ -74,7 +74,7 @@ Use the following steps to automatically migrate the database schema:
|
|||
|
||||
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name --selector=application=sso
|
||||
deploymentconfig/sso
|
||||
|
@ -82,35 +82,35 @@ deploymentconfig/sso-postgresql
|
|||
----
|
||||
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=0 dc/sso
|
||||
deploymentconfig "sso" scaled
|
||||
----
|
||||
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
|
||||
"sso" patched
|
||||
----
|
||||
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rollout latest dc/sso
|
||||
deploymentconfig "sso" rolled out
|
||||
----
|
||||
. Deploy {project_name} {project_version} containers using the modified deployment config.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=1 dc/sso
|
||||
deploymentconfig "sso" scaled
|
||||
----
|
||||
. (Optional) Verify the database has been successfully updated.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods --selector=application=sso
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -118,7 +118,7 @@ sso-4-vg21r 1/1 Running 0 1h
|
|||
sso-postgresql-1-t871r 1/1 Running 0 2h
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc logs sso-4-vg21r | grep 'Updating'
|
||||
11:23:45,160 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml
|
||||
|
@ -193,7 +193,7 @@ spec:
|
|||
restartPolicy: Never
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ cp job-to-migrate-db-to-{project_templates_version}.yaml.orig \
|
||||
job-to-migrate-db-to-{project_templates_version}.yaml
|
||||
|
@ -342,7 +342,7 @@ done
|
|||
[[get-db-credentials]]
|
||||
Run the script.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ chmod +x ./mirror_sso_dc_db_vars.sh
|
||||
$ ./mirror_sso_dc_db_vars.sh
|
||||
|
@ -355,13 +355,13 @@ Successfully updated TX_DATABASE_PREFIX_MAPPING to: sso-postgresql=DB
|
|||
----
|
||||
. Build the {project_name} {project_version} database migration image using the link:https://github.com/iankko/openshift-examples/tree/KEYCLOAK-8500/sso-manual-db-migration[pre-configured source] and wait for the build to finish.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get is -n openshift | grep {project_templates_version} | cut -d ' ' -f1
|
||||
redhat-{project_templates_version}-openshift
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-build redhat-{project_templates_version}-openshift:{project_latest_image_tag}~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \
|
||||
--context-dir=sso-manual-db-migration \
|
||||
|
@ -386,7 +386,7 @@ $ oc new-build redhat-{project_templates_version}-openshift:{project_latest_imag
|
|||
Run 'oc logs -f bc/{project_templates_version}-db-migration-image' to stream the build progress.
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc logs -f bc/{project_templates_version}-db-migration-image --follow
|
||||
Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ...
|
||||
|
@ -396,20 +396,20 @@ Push successful
|
|||
. Update the template of the database migration job (`job-to-migrate-db-to-{project_templates_version}.yaml`) with reference to the built `{project_templates_version}-db-migration-image` image.
|
||||
.. Get the docker pull reference for the image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep {project_templates_version}-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)
|
||||
----
|
||||
.. Replace the pass:[<<SSO_IMAGE_VALUE>>] field in the job template with the pull specification.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ sed -i "s#pass:[<<SSO_IMAGE_VALUE>>]#$PULL_REF#g" job-to-migrate-db-to-{project_templates_version}.yaml
|
||||
----
|
||||
.. Verify that the field is updated.
|
||||
. Instantiate database migration job from the job template.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc create -f job-to-migrate-db-to-{project_templates_version}.yaml
|
||||
job "job-to-migrate-db-to-{project_templates_version}" created
|
||||
|
@ -422,7 +422,7 @@ The database migration process handles the data schema update and performs manip
|
|||
+
|
||||
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name --selector=application=sso
|
||||
deploymentconfig/sso
|
||||
|
@ -430,27 +430,27 @@ deploymentconfig/sso-postgresql
|
|||
----
|
||||
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=0 dc/sso
|
||||
deploymentconfig "sso" scaled
|
||||
----
|
||||
. Run the database migration job and wait for the pod to be running correctly.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get jobs
|
||||
NAME DESIRED SUCCESSFUL AGE
|
||||
job-to-migrate-db-to-{project_templates_version} 1 0 3m
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version}
|
||||
job "job-to-migrate-db-to-{project_templates_version}" scaled
|
||||
----
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -465,7 +465,7 @@ By default, the database migration job terminates automatically after `600 secon
|
|||
====
|
||||
. Get the dynamically generated SQL database migration file from the pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ mkdir -p ./db-update
|
||||
$ oc rsync job-to-migrate-db-to-{project_templates_version}-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
|
||||
|
@ -480,7 +480,7 @@ total size is 29,621 speedup is 1.00
|
|||
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the PostgreSQL database deployed in ephemeral or persistent mode, running on a separate pod:
|
||||
... Copy the generated SQL migration file to the PostgreSQL pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
|
||||
sending incremental file list
|
||||
|
@ -490,14 +490,14 @@ total size is 26,333 speedup is 299.24
|
|||
----
|
||||
... Start a shell session to the PostgreSQL pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsh sso-postgresql-1-n5p16
|
||||
sh-4.2$
|
||||
----
|
||||
... Use the `psql` tool to apply database update manually.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql"
|
||||
sh-4.2$ psql --version
|
||||
|
@ -517,7 +517,7 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
|
|||
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the MySQL database deployed in ephemeral or persistent mode, running on a separate pod:
|
||||
... Given the pod situation similar to the following:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -527,7 +527,7 @@ job-to-migrate-db-to-{project_templates_version}-m202t 1/1 Running 0
|
|||
----
|
||||
... Copy the generated SQL migration file to the MySQL pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsync --no-perms=true ./db-update/ sso-mysql-1-zvhk3:/tmp
|
||||
sending incremental file list
|
||||
|
@ -538,14 +538,14 @@ total size is 24,594 speedup is 0.99
|
|||
----
|
||||
... Start a shell session to the MySQL pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rsh sso-mysql-1-zvhk3
|
||||
sh-4.2$
|
||||
----
|
||||
... Use the `mysql` tool to apply database update manually.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
sh-4.2$ alias mysql="/opt/rh/rh-mysql57/root/bin/mysql"
|
||||
sh-4.2$ mysql --version
|
||||
|
@ -566,21 +566,21 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
|
|||
[start=12]
|
||||
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
|
||||
"sso" patched
|
||||
----
|
||||
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc rollout latest dc/sso
|
||||
deploymentconfig "sso" rolled out
|
||||
----
|
||||
. Deploy the {project_name} {project_version} containers using the modified deployment config.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=1 dc/sso
|
||||
deploymentconfig "sso" scaled
|
||||
|
@ -630,7 +630,7 @@ Upon their creation xref:sso-export-the-database[the database can be exported.]
|
|||
|
||||
. Get the {project_name} deployment config and scale it down to zero.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get dc -o name
|
||||
deploymentconfig/sso
|
||||
|
@ -641,20 +641,24 @@ deploymentconfig "sso" scaled
|
|||
----
|
||||
. Instruct the {project_name} {project_version} server deployed on {project_openshift_product_name} image to perform database export at {project_name} server boot time.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
oc env dc/sso -e "JAVA_OPTS_APPEND=-Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/demorealm-export.json"
|
||||
$ oc set env dc/sso \
|
||||
-e "JAVA_OPTS_APPEND= \
|
||||
-Dkeycloak.migration.action=export \
|
||||
-Dkeycloak.migration.provider=singleFile \
|
||||
-Dkeycloak.migration.file=/tmp/demorealm-export.json"
|
||||
----
|
||||
. Scale the {project_name} deployment config back up. This will start the {project_name} server and export its database.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc scale --replicas=1 dc sso
|
||||
deploymentconfig "sso" scaled
|
||||
----
|
||||
. (Optional) Verify that the export was successful.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -670,7 +674,7 @@ $ oc logs sso-4-ejr0k | grep 'Export'
|
|||
|
||||
. Retrieve the JSON file of the {project_name} database from the pod.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
|
@ -768,7 +772,7 @@ Log in to the OpenShift master CLI. You must have the required permissions to ed
|
|||
|
||||
. Edit the */etc/origin/master/master-config.yaml* file and find the *identityProviders*. The OpenShift master, which was deployed using the OpenShift Primer, is configured with HTPassword and shows the following:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
identityProviders:
|
||||
- challenge: true
|
||||
|
@ -782,7 +786,7 @@ identityProviders:
|
|||
+
|
||||
Add {project_name} as a secondary identity provider with content similar to the following snippet:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
- name: rh_sso
|
||||
challenge: false
|
||||
|
@ -811,7 +815,7 @@ Add {project_name} as a secondary identity provider with content similar to the
|
|||
.. The {project_name} *Secret* hash for the *clientSecret* can be found in the {project_name} web console: *Clients* -> *_openshift-demo_* -> *Credentials*
|
||||
.. The endpoints for the *urls* can be found by making a request with the {project_name} application. For example:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
<pass:quotes[_curl -k https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool_]>
|
||||
----
|
||||
|
@ -821,7 +825,7 @@ The response includes the *authorization_endpoint*, *token_endpoint*, and *useri
|
|||
.. This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. For this reason, the *ca* is provided as <pass:quotes[_ca: xpaas.crt_]>. This CA certificate must also be copied into the */etc/origin/master* folder. This is not necessary if using a certificate purchased from a verified Certificate Authority.
|
||||
. Save the configuration and restart the OpenShift master:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ systemctl restart atomic-openshift-master
|
||||
----
|
||||
|
@ -833,9 +837,9 @@ Navigate to the OpenShift web console, which in this example is _https://openshi
|
|||
Select *rh-sso* and log in to OpenShift with the _testuser_ user created earlier in {project_name}. No projects are visible to _testuser_ until they are added in the OpenShift CLI. This is the only way to provide user privileges in OpenShift because it currently does not accept external role mapping.
|
||||
|
||||
To provide _testuser_ `view` privileges for the _sso-app-demo_, use the OpenShift CLI:
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oadm policy add-role-to-user view testuser -n sso-app-demo
|
||||
$ oc adm policy add-role-to-user view testuser -n sso-app-demo
|
||||
----
|
||||
|
||||
[[Example-EAP-Auto]]
|
||||
|
@ -852,19 +856,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
|
|||
|
||||
. Create a new project:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-project eap-app-demo
|
||||
----
|
||||
//. Create a service account to be used for the {project_name} deployment:
|
||||
//+
|
||||
//[subs="verbatim,macros,attributes"]
|
||||
//[source,bash,subs="attributes+,macros+"]
|
||||
//----
|
||||
//$ oc create serviceaccount eap-service-account
|
||||
//----
|
||||
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
||||
----
|
||||
|
@ -872,26 +876,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
|||
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
|
||||
.. Generate a secure key for the SSL keystore:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
|
||||
----
|
||||
.. Generate a secure key for the JGroups keystore:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
|
||||
----
|
||||
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new eap-ssl-secret eapkeystore.jks
|
||||
$ oc secret new eap-jgroup-secret eapjgroups.jceks
|
||||
----
|
||||
. Add the EAP secret to the `default` service account:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
|
||||
----
|
||||
|
@ -1100,19 +1104,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
|
|||
|
||||
. Create a new project:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc new-project eap-app-demo
|
||||
----
|
||||
//. Create a service account to be used for the SSO deployment:
|
||||
//+
|
||||
//[subs="verbatim,macros,attributes"]
|
||||
//[source,bash,subs="attributes+,macros+"]
|
||||
//----
|
||||
//$ oc create serviceaccount app-service-account
|
||||
//----
|
||||
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
||||
----
|
||||
|
@ -1121,26 +1125,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
|
|||
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
|
||||
.. Generate a secure key for the SSL keystore:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
|
||||
----
|
||||
.. Generate a secure key for the JGroups keystore:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
|
||||
----
|
||||
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secret new eap-ssl-secret eapkeystore.jks
|
||||
$ oc secret new eap-jgroup-secret eapjgroups.jceks
|
||||
----
|
||||
. Add the EAP application secret to the EAP service account created earlier:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
|
||||
----
|
||||
|
@ -1155,7 +1159,7 @@ The *keycloak-saml-subsystem.xml*, exported from the {project_name} client in a
|
|||
. Replace the *SPECIFY YOUR LOGOUT PAGE!* value of the *logout page* tag with the url to redirect users when they log out of the application. This example uses */index.jsp*.
|
||||
. Delete the *<PrivateKeyPem>* and *<CertificatePem>* tags and keys and replace it with keystore information:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
...
|
||||
<Keys>
|
||||
|
@ -1172,7 +1176,7 @@ The mount path of the *keystore-saml.jks* (in this example *_/etc/eap-secret-vol
|
|||
The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML Keys were exported from the {project_name} client.
|
||||
. Delete the second *<CertificatePem>* tag and key and replace it with the the realm certificate information:
|
||||
+
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
...
|
||||
<Keys>
|
||||
|
@ -1193,7 +1197,7 @@ The certificate alias and password were configured when the SAML Keys were expor
|
|||
The client type must also be specified by the *<auth-method>* key in the application *web.xml*. This file is read by the image at deployment.
|
||||
|
||||
Open the application *web.xml* file and ensure it includes the following:
|
||||
[subs="verbatim,macros,attributes"]
|
||||
[source,bash,subs="attributes+,macros+"]
|
||||
----
|
||||
...
|
||||
<login-config>
|
||||
|
|
|
@ -26,3 +26,5 @@ https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logo
|
|||
http://127.0.0.1:3000/oauth/callback
|
||||
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/*
|
||||
https://api.linkedin.com/v2/me
|
||||
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso-cd-dev/templates/${resource}
|
||||
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}
|
||||
|
|
Loading…
Reference in a new issue