libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

[KEYCLOAK-8234] Address multiple issues:

Browse source 
* Whitelist .../templates/${resource} link for both RH-SSO 7.3 TP CD & RH-SSO 7.3 products,
* Replace '[subs="verbatim,macros,attributes"]' with '[source,bash,subs="attributes+,macros+"]'

  The 'macros+' field is needed in order also constructs like 'pass:quotes[_user-name_]' got
  expanded correctly,

* Replace deprecated 'oc env' command with its new "oc set env" equivalent,
* Replace deprecated 'oadm' command with its new "oc adm" equivalent,
* Escape selected https:// links, so they wouldn't end up rendered as <link xlink=...>

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
This commit is contained in:
Jan Lieskovsky 2018-12-14 13:19:38 +01:00 committed by Stian Thorgersen
parent fa081f55fb
commit dd445d5c2a
5 changed files with 166 additions and 158 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
openshift/topics/advanced_concepts.adoc
View file

@ -9,13 +9,13 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project sso-app-demo
----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
@ -51,19 +51,19 @@ See the https://access.redhat.com/documentation/en-us/jboss_enterprise_applicati
[[generate-ca-certificate]]
.. Generate a CA certificate. Pick and remember the password. Provide identical password, when xref:signing-csr-with-ca-certificate[signing the certificate sign request with the CA certificate] below:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca"
----
.. Generate a CA certificate for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks
----
.. Generate a certificate sign request for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
----
@ -72,19 +72,19 @@ $ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
[start=4]
.. Sign the certificate sign request with the CA certificate. Provide the same password that was used to xref:generate-ca-certificate[generate the CA certificate]:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ openssl x509 -req -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial
----
.. Import the CA certificate into the HTTPS keystore. Provide `mykeystorepass` as the keystore password. Reply `yes` to `Trust this certificate? [no]:` question:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore keystore.jks
----
.. Import the signed certificate sign request into the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
----
@ -94,7 +94,7 @@ $ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
Provide `password` as the keystore password:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
----
@ -104,7 +104,7 @@ $ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
Provide `mykeystorepass` as the truststore password. Reply `yes` to `Trust this certificate? [no]:` question:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore truststore.jks
----
@ -116,13 +116,13 @@ OpenShift uses objects called link:https://docs.openshift.com/container-platform
. Create the secrets for the HTTPS and JGroups keystores, and {project_name} server truststore, generated in the xref:Configuring-Keystores[previous section].
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new sso-app-secret keystore.jks jgroups.jceks truststore.jks
----
. Link these secrets to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[default] service account, which is used to run {project_name} pods.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default sso-app-secret
----
@ -144,7 +144,7 @@ Be aware that *the passwords provided when provisioning the template need to mat
====
The following commands using the *_keytool_*, a package *included with the Java Development Kit*, can be used to determine the names associated with the certificate:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -v -list -keystore keystore.jks | grep Alias
Enter keystore password: mykeystorepass
@ -152,7 +152,7 @@ Alias name: xpaas.ca
Alias name: jboss
----
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -v -list -keystore jgroups.jceks -storetype jceks | grep Alias
Enter keystore password: password
@ -163,7 +163,7 @@ Finally, the *_SSO_ADMIN_USERNAME_*, *_SSO_ADMIN_PASSWORD_*, and the *_SSO_REALM
====
[[advanced-topics-deploy-{project_templates_version}-https-template]]
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-app --template={project_templates_version}-https \
-p HTTPS_SECRET="sso-app-secret" \
@ -184,7 +184,7 @@ $ oc new-app --template={project_templates_version}-https \
{project_name} {project_version} (Ephemeral with passthrough TLS)
---------
An example {project_name} 7 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.
An example {project_name} 7 application. For more information about using this template, see \https://github.com/jboss-openshift/application-templates.
A new {project_name} service has been created in your project. The admin username/password for accessing the master realm via the {project_name} console is admin/redhat. Please be sure to create the following secrets: "sso-app-secret" containing the keystore.jks file used for serving secure content; "sso-app-secret" containing the jgroups.jceks file used for securing JGroups communications; "sso-app-secret" containing the truststore.jks file used for securing {project_name} requests.
@ -231,7 +231,7 @@ $ oc new-app --template={project_templates_version}-https \
After the template got deployed, identify the available routes:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get routes
----
@ -365,7 +365,7 @@ Run the following commands to prepare the previously created deployment config o
. Identify the deployment config of the {project_name} application.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name
deploymentconfig/sso
@ -373,9 +373,11 @@ deploymentconfig/sso-mysql
----
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD=""
$ oc set env dc/sso \
-e SSO_ADMIN_USERNAME="" \
-e SSO_ADMIN_PASSWORD=""
----
====
@ -386,7 +388,7 @@ Run following commands to create an administrator account for the `master` realm
. Identify the {project_name} application pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -395,14 +397,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
----
. Open a remote shell session to the {project_openshift_product_name} container.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-12-pt93n
sh-4.2$
----
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ cd /opt/eap/bin/
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
@ -415,7 +417,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
====
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ ./jboss-cli.sh --connect ':reload'
{
@ -460,7 +462,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
The following is an example snippet for the application *web.xml* to configure an OIDC client:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
...
<login-config>
@ -552,10 +554,10 @@ There are two methods for passing the {project_name} adapter configuration to th
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
=== Limitations
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command.
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
$ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
----

112
openshift/topics/get_started.adoc
View file

@ -24,13 +24,13 @@ To update to the latest {project_openshift_product_name} images, run the followi
. On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc login -u system:admin
----
. Run the following commands to update the core set of {project_name} {project_version} resources for OpenShift in the `openshift` project:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ for resource in {project_templates_version}-image-stream.json \
{project_templates_version}-https.json \
@ -43,12 +43,12 @@ $ for resource in {project_templates_version}-image-stream.json \
{project_templates_version}-x509-postgresql-persistent.json
do
oc replace -n openshift --force -f \
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource}
\https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource}
done
----
. Run the following command to install the {project_name} {project_version} OpenShift image streams in the `openshift` project:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc -n openshift import-image redhat-{project_templates_version}-openshift:{project_latest_image_tag}
----
@ -76,7 +76,7 @@ OpenShift uses objects called `Secrets` to hold sensitive information, such as p
The {project_openshift_product_name} image requires one or more secrets that hold the two keystores described earlier. This provides the necessary authorization to applications in the project.
Use the SSL and JGroups keystore files to create secrets for the project:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>
$ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]>
@ -91,19 +91,19 @@ The service account that you create must be configured with the correct permissi
. Create a service account to be used for the SSO deployment:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc create serviceaccount <pass:quotes[_service-account-name_]>
----
. Add the *view* role to the service account. This enables the service account to view all the resources in the application namespace in OpenShift, which is necessary for managing the cluster.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-name_]>:<pass:quotes[_service-account-name_]> -n <pass:quotes[_project-name_]>
----
. Link the secrets created for the project to the service account:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]>
----
@ -156,7 +156,7 @@ Run the following commands to prepare the previously created deployment config o
. Identify the deployment config of the {project_name} application.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name
deploymentconfig/sso
@ -164,9 +164,11 @@ deploymentconfig/sso-mysql
----
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD=""
$ oc set env dc/sso \
-e SSO_ADMIN_USERNAME="" \
-e SSO_ADMIN_PASSWORD=""
----
====
@ -177,7 +179,7 @@ Run following commands to create administrator account for the `master` realm of
. Identify the {project_name} application pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -186,14 +188,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
----
. Open a remote shell session to {project_openshift_product_name} container.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-12-pt93n
sh-4.2$
----
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ cd /opt/eap/bin/
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
@ -206,7 +208,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
====
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ ./jboss-cli.sh --connect ':reload'
{
@ -317,7 +319,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
The following is an example snippet for the application *web.xml* to configure an OIDC client:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
...
<login-config>
@ -409,12 +411,12 @@ There are two methods for passing the {project_name} adapter configuration to th
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
==== Limitations
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command.
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
$ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
----
=== Binary Builds
@ -515,20 +517,20 @@ You can select multiple items at once by holding the *Ctrl* key and simultaneous
. Create a new project for the EAP 6.4 / 7.1 JSP application.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project eap-app-demo
----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair \
-dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \
@ -538,7 +540,7 @@ $ keytool -genkeypair \
----
.. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey \
-alias jgroups \
@ -547,18 +549,18 @@ $ keytool -genseckey \
----
.. Generate the EAP 6.4 / 7.1 for OpenShift secrets with the SSL and JGroup keystore files.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
.. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
@ -567,20 +569,20 @@ $ oc secrets link default eap-ssl-secret eap-jgroup-secret
. Clone the source code.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ git clone https://github.com/keycloak/keycloak-quickstarts.git
$ git clone \https://github.com/keycloak/keycloak-quickstarts.git
----
. link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository].
. Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications.
.. Build the `service-jee-jaxrs` application.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ cd keycloak-quickstarts/service-jee-jaxrs/
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ mvn clean package -DskipTests
[INFO] Scanning for projects...
@ -599,22 +601,22 @@ $ mvn clean package -DskipTests
----
.. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
service-jee-jaxrs]$ cd ../app-jee-jsp/
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ mvn clean package -DskipTests
[INFO] Scanning for projects...
@ -646,28 +648,28 @@ Application archives in the *deployments/* subdirectory of the main binary build
+
Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ ls
config pom.xml README.md src target
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ tree sso-eap7-bin-demo/
sso-eap7-bin-demo/
@ -699,7 +701,7 @@ Location of the standard deployments directory depends on the underlying base im
====
. Identify the image stream for EAP 6.4 / 7.1 image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get is -n openshift | grep eap | cut -d ' ' -f 1
jboss-eap64-openshift
@ -715,7 +717,7 @@ jboss-eap71-openshift
Replace `--image-stream=jboss-eap71-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following oc command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image.
====
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-build --binary=true \
--image-stream=jboss-eap71-openshift \
@ -739,7 +741,7 @@ $ oc new-build --binary=true \
----
. Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
app-jee-jsp]$ oc start-build eap-app \
--from-dir=./sso-eap7-bin-demo/ \
@ -764,7 +766,7 @@ Push successful
----
. Create a new OpenShift application based on the build.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-app eap-app
--> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app"
@ -787,13 +789,13 @@ $ oc new-app eap-app
----
. Stop all running containers of the EAP 6.4 / 7.1 JSP application in the current namespace.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name
deploymentconfig/eap-app
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale dc/eap-app --replicas=0
deploymentconfig "eap-app" scaled
@ -807,7 +809,7 @@ deploymentconfig "eap-app" scaled
Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied].
====
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc set env dc/eap-app \
-e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \
@ -823,7 +825,7 @@ deploymentconfig "eap-app" updated
----
.. Configure the application with details about both the SSL and JGroups keystore.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc set env dc/eap-app \
-e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \
@ -837,7 +839,7 @@ deploymentconfig "eap-app" updated
----
.. Define OpenShift volumes for both the SSL and JGroups secrets created earlier.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc volume dc/eap-app --add \
--name="eap-keystore-volume" \
@ -847,7 +849,7 @@ $ oc volume dc/eap-app --add \
deploymentconfig "eap-app" updated
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc volume dc/eap-app --add \
--name="eap-jgroups-keystore-volume" \
@ -858,7 +860,7 @@ deploymentconfig "eap-app" updated
----
.. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting).
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc patch dc/eap-app --type=json \
-p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]'
@ -866,32 +868,32 @@ $ oc patch dc/eap-app --type=json \
----
. Deploy container of the EAP 6.4 / 7.1 JSP application using the modified deployment config.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale dc/eap-app --replicas=1
deploymentconfig "eap-app" scaled
----
. Expose the service as route.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get svc -o name
service/eap-app
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get route
No resources found.
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc expose svc/eap-app
route "eap-app" exposed
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD

26
openshift/topics/reference.adoc
View file

@ -30,23 +30,24 @@ build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get bc -o name
buildconfig/sso
----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
$ oc set env bc/sso \
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated
----
. Verify the setting
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env bc/sso --list
$ oc set env bc/sso --list
# buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
----
@ -83,23 +84,24 @@ build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get bc -o name
buildconfig/sso
----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
$ oc set env bc/sso \
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated
----
. Verify the setting
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc env bc/sso --list
$ oc set env bc/sso --list
# buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
----
@ -110,10 +112,6 @@ pulled from the repository manager, instead of the default public repositories.
Also, after the build is finished, you will see that the mirror is filled with
all the dependencies that were retrieved and used during the build.
[[env_vars]]
=== Environment Variables

124
openshift/topics/tutorials.adoc
View file

@ -74,7 +74,7 @@ Use the following steps to automatically migrate the database schema:
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name --selector=application=sso
deploymentconfig/sso
@ -82,35 +82,35 @@ deploymentconfig/sso-postgresql
----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled
----
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched
----
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rollout latest dc/sso
deploymentconfig "sso" rolled out
----
. Deploy {project_name} {project_version} containers using the modified deployment config.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled
----
. (Optional) Verify the database has been successfully updated.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods --selector=application=sso
NAME READY STATUS RESTARTS AGE
@ -118,7 +118,7 @@ sso-4-vg21r 1/1 Running 0 1h
sso-postgresql-1-t871r 1/1 Running 0 2h
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc logs sso-4-vg21r | grep 'Updating'
11:23:45,160 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml
@ -193,7 +193,7 @@ spec:
restartPolicy: Never
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ cp job-to-migrate-db-to-{project_templates_version}.yaml.orig \
job-to-migrate-db-to-{project_templates_version}.yaml
@ -342,7 +342,7 @@ done
[[get-db-credentials]]
Run the script.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ chmod +x ./mirror_sso_dc_db_vars.sh
$ ./mirror_sso_dc_db_vars.sh
@ -355,13 +355,13 @@ Successfully updated TX_DATABASE_PREFIX_MAPPING to: sso-postgresql=DB
----
. Build the {project_name} {project_version} database migration image using the link:https://github.com/iankko/openshift-examples/tree/KEYCLOAK-8500/sso-manual-db-migration[pre-configured source] and wait for the build to finish.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get is -n openshift | grep {project_templates_version} | cut -d ' ' -f1
redhat-{project_templates_version}-openshift
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-build redhat-{project_templates_version}-openshift:{project_latest_image_tag}~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \
--context-dir=sso-manual-db-migration \
@ -386,7 +386,7 @@ $ oc new-build redhat-{project_templates_version}-openshift:{project_latest_imag
Run 'oc logs -f bc/{project_templates_version}-db-migration-image' to stream the build progress.
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc logs -f bc/{project_templates_version}-db-migration-image --follow
Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ...
@ -396,20 +396,20 @@ Push successful
. Update the template of the database migration job (`job-to-migrate-db-to-{project_templates_version}.yaml`) with reference to the built `{project_templates_version}-db-migration-image` image.
.. Get the docker pull reference for the image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep {project_templates_version}-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)
----
.. Replace the pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;] field in the job template with the pull specification.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ sed -i "s#pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;]#$PULL_REF#g" job-to-migrate-db-to-{project_templates_version}.yaml
----
.. Verify that the field is updated.
. Instantiate database migration job from the job template.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc create -f job-to-migrate-db-to-{project_templates_version}.yaml
job "job-to-migrate-db-to-{project_templates_version}" created
@ -422,7 +422,7 @@ The database migration process handles the data schema update and performs manip
+
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name --selector=application=sso
deploymentconfig/sso
@ -430,27 +430,27 @@ deploymentconfig/sso-postgresql
----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled
----
. Run the database migration job and wait for the pod to be running correctly.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get jobs
NAME DESIRED SUCCESSFUL AGE
job-to-migrate-db-to-{project_templates_version} 1 0 3m
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version}
job "job-to-migrate-db-to-{project_templates_version}" scaled
----
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -465,7 +465,7 @@ By default, the database migration job terminates automatically after `600 secon
====
. Get the dynamically generated SQL database migration file from the pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ mkdir -p ./db-update
$ oc rsync job-to-migrate-db-to-{project_templates_version}-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
@ -480,7 +480,7 @@ total size is 29,621 speedup is 1.00
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the PostgreSQL database deployed in ephemeral or persistent mode, running on a separate pod:
... Copy the generated SQL migration file to the PostgreSQL pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
sending incremental file list
@ -490,14 +490,14 @@ total size is 26,333 speedup is 299.24
----
... Start a shell session to the PostgreSQL pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-postgresql-1-n5p16
sh-4.2$
----
... Use the `psql` tool to apply database update manually.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql"
sh-4.2$ psql --version
@ -517,7 +517,7 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the MySQL database deployed in ephemeral or persistent mode, running on a separate pod:
... Given the pod situation similar to the following:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -527,7 +527,7 @@ job-to-migrate-db-to-{project_templates_version}-m202t 1/1 Running 0
----
... Copy the generated SQL migration file to the MySQL pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsync --no-perms=true ./db-update/ sso-mysql-1-zvhk3:/tmp
sending incremental file list
@ -538,14 +538,14 @@ total size is 24,594 speedup is 0.99
----
... Start a shell session to the MySQL pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-mysql-1-zvhk3
sh-4.2$
----
... Use the `mysql` tool to apply database update manually.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ alias mysql="/opt/rh/rh-mysql57/root/bin/mysql"
sh-4.2$ mysql --version
@ -566,21 +566,21 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
[start=12]
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched
----
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc rollout latest dc/sso
deploymentconfig "sso" rolled out
----
. Deploy the {project_name} {project_version} containers using the modified deployment config.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled
@ -630,7 +630,7 @@ Upon their creation xref:sso-export-the-database[the database can be exported.]
. Get the {project_name} deployment config and scale it down to zero.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name
deploymentconfig/sso
@ -641,20 +641,24 @@ deploymentconfig "sso" scaled
----
. Instruct the {project_name} {project_version} server deployed on {project_openshift_product_name} image to perform database export at {project_name} server boot time.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
oc env dc/sso -e "JAVA_OPTS_APPEND=-Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/demorealm-export.json"
$ oc set env dc/sso \
-e "JAVA_OPTS_APPEND= \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=/tmp/demorealm-export.json"
----
. Scale the {project_name} deployment config back up. This will start the {project_name} server and export its database.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc sso
deploymentconfig "sso" scaled
----
. (Optional) Verify that the export was successful.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -670,7 +674,7 @@ $ oc logs sso-4-ejr0k | grep 'Export'
. Retrieve the JSON file of the {project_name} database from the pod.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
@ -768,7 +772,7 @@ Log in to the OpenShift master CLI. You must have the required permissions to ed
. Edit the */etc/origin/master/master-config.yaml* file and find the *identityProviders*. The OpenShift master, which was deployed using the OpenShift Primer, is configured with HTPassword and shows the following:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
identityProviders:
- challenge: true
@ -782,7 +786,7 @@ identityProviders:
+
Add {project_name} as a secondary identity provider with content similar to the following snippet:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
- name: rh_sso
challenge: false
@ -811,7 +815,7 @@ Add {project_name} as a secondary identity provider with content similar to the
.. The {project_name} *Secret* hash for the *clientSecret* can be found in the {project_name} web console: *Clients* -> *_openshift-demo_* -> *Credentials*
.. The endpoints for the *urls* can be found by making a request with the {project_name} application. For example:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
<pass:quotes[_curl -k https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool_]>
----
@ -821,7 +825,7 @@ The response includes the *authorization_endpoint*, *token_endpoint*, and *useri
.. This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. For this reason, the *ca* is provided as <pass:quotes[_ca: xpaas.crt_]>. This CA certificate must also be copied into the */etc/origin/master* folder. This is not necessary if using a certificate purchased from a verified Certificate Authority.
. Save the configuration and restart the OpenShift master:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ systemctl restart atomic-openshift-master
----
@ -833,9 +837,9 @@ Navigate to the OpenShift web console, which in this example is _https://openshi
Select *rh-sso* and log in to OpenShift with the _testuser_ user created earlier in {project_name}. No projects are visible to _testuser_ until they are added in the OpenShift CLI. This is the only way to provide user privileges in OpenShift because it currently does not accept external role mapping.
To provide _testuser_ `view` privileges for the _sso-app-demo_, use the OpenShift CLI:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oadm policy add-role-to-user view testuser -n sso-app-demo
$ oc adm policy add-role-to-user view testuser -n sso-app-demo
----
[[Example-EAP-Auto]]
@ -852,19 +856,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project eap-app-demo
----
//. Create a service account to be used for the {project_name} deployment:
//+
//[subs="verbatim,macros,attributes"]
//[source,bash,subs="attributes+,macros+"]
//----
//$ oc create serviceaccount eap-service-account
//----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
@ -872,26 +876,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
----
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
. Add the EAP secret to the `default` service account:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
@ -1100,19 +1104,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project eap-app-demo
----
//. Create a service account to be used for the SSO deployment:
//+
//[subs="verbatim,macros,attributes"]
//[source,bash,subs="attributes+,macros+"]
//----
//$ oc create serviceaccount app-service-account
//----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
@ -1121,26 +1125,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
----
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
. Add the EAP application secret to the EAP service account created earlier:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
@ -1155,7 +1159,7 @@ The *keycloak-saml-subsystem.xml*, exported from the {project_name} client in a
. Replace the *SPECIFY YOUR LOGOUT PAGE!* value of the *logout page* tag with the url to redirect users when they log out of the application. This example uses */index.jsp*.
. Delete the *<PrivateKeyPem>* and *<CertificatePem>* tags and keys and replace it with keystore information:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
...
<Keys>
@ -1172,7 +1176,7 @@ The mount path of the *keystore-saml.jks* (in this example *_/etc/eap-secret-vol
The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML Keys were exported from the {project_name} client.
. Delete the second *<CertificatePem>* tag and key and replace it with the the realm certificate information:
+
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
...
<Keys>
@ -1193,7 +1197,7 @@ The certificate alias and password were configured when the SAML Keys were expor
The client type must also be specified by the *<auth-method>* key in the application *web.xml*. This file is read by the image at deployment.
Open the application *web.xml* file and ensure it includes the following:
[subs="verbatim,macros,attributes"]
[source,bash,subs="attributes+,macros+"]
----
...
<login-config>

4
tests/src/test/resources/ignored-links
View file

@ -25,4 +25,6 @@ https://accounts.google.com/o/oauth2/revoke
https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout
http://127.0.0.1:3000/oauth/callback
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/*
https://api.linkedin.com/v2/me
https://api.linkedin.com/v2/me
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso-cd-dev/templates/${resource}
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}