How to Install Red Hat Single Sign-On on OpenShift
This tutorial is divided into 3 parts, for a better understanding of each tool and of how to install it:
Part One: Installation of Red Hat Single Sign-On
Part Two: Installation of Jenkins
Part Three: Configuration of OpenID Connect to Access Jenkins
What is Red Hat OpenShift?
Red Hat OpenShift is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud and multi-cloud deployments. Red Hat OpenShift is optimized to improve developer productivity and promote innovation.
If you want to know more and learn, visit the Interactive Learning Portal, Learn OpenShift.
What is Red Hat Single Sign-On?
Red Hat Single Sign-On is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.
How to Install Red Hat Single Sign-On on OpenShift
Now we will follow the steps to install Red Hat Single Sign-On on OpenShift; you need basic knowledge of OpenShift to start this tutorial.
1. Run the following command to create your project:
$ oc new-project authentication \
    --description='This project provides a single point of authentication for applications and services using Red Hat Single Sign-On'
2. Run the following commands to update the core set of Red Hat Single Sign-On 7.3.2.GA resources for OpenShift:
$ for resource in sso73-image-stream.json \
    sso73-https.json \
    sso73-mysql.json \
    sso73-mysql-persistent.json \
    sso73-postgresql.json \
    sso73-postgresql-persistent.json \
    sso73-x509-https.json \
    sso73-x509-mysql-persistent.json \
    sso73-x509-postgresql-persistent.json
  do
    oc replace -n openshift --force -f \
      https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/$resource
  done
3. Install the Red Hat Single Sign-On 7.3.2.GA OpenShift image streams in the openshift project.
The previous step already applied sso73-image-stream.json, which creates imagestream.image.openshift.io/redhat-sso73-openshift. That image stream holds the registry reference of the SSO image: on an official OpenShift installation the file needs no change, but on OKD it must be edited to point at Red Hat's unauthenticated image registry.
- Unauthenticated Registry of SSO:
- Authenticated Registry of SSO:
3.1. Run the following command to edit the image stream and change the registry reference of the SSO image:
$ oc -n openshift edit imagestream redhat-sso73-openshift
3.2. Now import the image into the openshift project with the following command:
$ oc -n openshift import-image redhat-sso73-openshift:1.0
4. We also need to import the PostgreSQL image so that the template sso73-x509-postgresql-persistent.json can run. Execute the following command to pull the image into the openshift project:
$ oc -n openshift import-image postgresql:9.5 \
    --from=registry.access.redhat.com/rhscl/postgresql-95-rhel7:9.5 \
    --confirm
5. Add the view role to the default service account. This lets the service account view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
6. If you want to see the templates, the following command lists the available Red Hat Single Sign-On application templates (this tutorial uses sso73-x509-postgresql-persistent):
$ oc get templates -n openshift -o name | grep -o 'sso73.\+'
7. A very important point in OpenShift is to create resource quotas and limits for your projects, so that an application cannot consume more than intended. The following commands apply quotas and limits to the project:
7.1. The following command creates a ResourceQuota that applies these limits to the project:
$ oc create quota sso-authentication-quota \
    --hard=cpu=4,memory=4G,pods=4,services=10,replicationcontrollers=5,resourcequotas=1
7.2. The following command creates a LimitRange for the authentication project. Note that the manifest is piped into oc on standard input (here through a shell here-document). The limits apply to every container and every pod that exists in the authentication project:
$ oc create -f - <<EOF
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "sso-resource-limits"
spec:
  limits:
  - type: "Pod"
    max:
      cpu: "1"
      memory: "1Gi"
    min:
      cpu: "700m"
      memory: "500Mi"
  - type: "Container"
    max:
      cpu: "1"
      memory: "1Gi"
    min:
      cpu: "700m"
      memory: "500Mi"
    default:
      cpu: "700m"
      memory: "500Mi"
    defaultRequest:
      cpu: "700m"
      memory: "500Mi"
EOF
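The quota and LimitRange above are what keep one workload in this project from starving the node, so it pays to check the numbers before submitting them. The POSIX sh script below is an added example, not part of the original tutorial and not Red Hat's code: it converts Kubernetes quantities, checks the ordering the API server enforces for a LimitRange item (min <= defaultRequest <= default <= max), and compares the tutorial's quota (pods=4, cpu=4, memory=4G) with the tutorial's container defaults and maxima. The function names are this example's own; it does not need oc.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check the ResourceQuota
# and LimitRange values from steps 7.1 and 7.2 before sending them to the
# cluster. Pure POSIX sh; does not need oc. Function names are this example's.

# CPU quantity -> millicores: "1" -> 1000, "700m" -> 700.
to_millicores() {
  case "$1" in
    *m) printf '%s\n' "${1%m}" ;;
    *)  printf '%s\n' "$(( $1 * 1000 ))" ;;
  esac
}

# Memory quantity -> whole MiB. Decimal suffixes (G, M) are powers of ten,
# binary ones (Gi, Mi) powers of two, so "4G" is smaller than "4Gi".
to_mebibytes() {
  case "$1" in
    *Gi) printf '%s\n' "$(( ${1%Gi} * 1024 ))" ;;
    *Mi) printf '%s\n' "${1%Mi}" ;;
    *G)  printf '%s\n' "$(( ${1%G} * 1000000000 / 1048576 ))" ;;
    *M)  printf '%s\n' "$(( ${1%M} * 1000000 / 1048576 ))" ;;
    *)   printf '%s\n' "$(( $1 / 1048576 ))" ;;    # plain bytes
  esac
}

# True when min <= defaultRequest <= default <= max (values already converted).
ordered() {
  if [ "$1" -le "$2" ] && [ "$2" -le "$3" ] && [ "$3" -le "$4" ]; then
    return 0
  fi
  return 1
}

# Check one LimitRange item for both resources. Arguments:
#   cpu_min cpu_defreq cpu_def cpu_max mem_min mem_defreq mem_def mem_max
# The API server rejects the LimitRange if this ordering does not hold.
limitrange_consistent() {
  if ! ordered "$(to_millicores "$1")" "$(to_millicores "$2")" \
               "$(to_millicores "$3")" "$(to_millicores "$4")"; then
    return 1
  fi
  if ! ordered "$(to_mebibytes "$5")" "$(to_mebibytes "$6")" \
               "$(to_mebibytes "$7")" "$(to_mebibytes "$8")"; then
    return 1
  fi
  return 0
}

# Compare N pods against the quota. ResourceQuota's cpu/memory keys count
# *requests*, so the quota only decides whether N pods at the default
# request are admitted; the second comparison shows whether the quota would
# also cover those pods running flat out at their maximum.
# Arguments: pods cpu_defreq cpu_max mem_defreq mem_max quota_cpu quota_mem
# Prints: requests-exceed-quota | max-exceeds-quota | requests-ok
quota_fit() {
  pods=$1
  req_cpu=$(( pods * $(to_millicores "$2") ))
  max_cpu=$(( pods * $(to_millicores "$3") ))
  req_mem=$(( pods * $(to_mebibytes "$4") ))
  max_mem=$(( pods * $(to_mebibytes "$5") ))
  q_cpu=$(to_millicores "$6")
  q_mem=$(to_mebibytes "$7")
  if [ "$req_cpu" -gt "$q_cpu" ] || [ "$req_mem" -gt "$q_mem" ]; then
    echo requests-exceed-quota
  elif [ "$max_cpu" -gt "$q_cpu" ] || [ "$max_mem" -gt "$q_mem" ]; then
    echo max-exceeds-quota
  else
    echo requests-ok
  fi
}

# The tutorial's values: container min/defaultRequest/default/max and a
# quota of 4 pods, cpu=4, memory=4G.
if limitrange_consistent 700m 700m 700m 1 500Mi 500Mi 500Mi 1Gi; then
  echo "LimitRange ordering: ok"
else
  echo "LimitRange ordering: BROKEN"
fi
echo "Quota check: $(quota_fit 4 700m 1 500Mi 1Gi 4 4G)"
```

Run as `sh check-limits.sh`. With the tutorial's numbers the LimitRange ordering is fine, but the quota check reports max-exceeds-quota: memory=4G is about 3814 MiB, while four pods at their 1Gi maximum add up to 4096 MiB. Because the `memory` quota key counts requests (4 x 500Mi), the pods are still admitted; had the quota been written with `limits.memory=4G`, the fourth pod would have been refused. Writing the quota as 4Gi, or keeping the unit consistent with the LimitRange, avoids the surprise.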
8. To see the template's parameters and the default value of each one, run the following command:
$ oc -n openshift describe template sso73-x509-postgresql-persistent
9. Now the last step: run the Red Hat Single Sign-On template, overriding the values of some of its parameters.
- SSO_ADMIN_USERNAME: RH-SSO Server administrator username.
- SSO_ADMIN_PASSWORD: RH-SSO Server administrator password.
- DB_MIN_POOL_SIZE: Sets xa-pool/min-pool-size for the configured datasource.
- DB_MAX_POOL_SIZE: Sets xa-pool/max-pool-size for the configured datasource.
- DB_USERNAME: Database user name.
- DB_PASSWORD: Database user password.
- VOLUME_CAPACITY: Size of persistent storage for database volume.
- SSO_REALM: Realm to be created in the RH-SSO server (e.g. demorealm).
- MEMORY_LIMIT: Container memory limit.
$ oc new-app sso73-x509-postgresql-persistent \
    -p SSO_ADMIN_USERNAME=redhat \
    -p SSO_ADMIN_PASSWORD=redhat \
    -p DB_MIN_POOL_SIZE=10 \
    -p DB_MAX_POOL_SIZE=100 \
    -p DB_USERNAME=redhat \
    -p DB_PASSWORD=redhat \
    -p VOLUME_CAPACITY=2Gi \
    -p SSO_REALM=redhat \
    -p MEMORY_LIMIT=1Gi
When the installation finishes, Red Hat Single Sign-On can be accessed at the route URL created by the process.
Note: you will need the values of the SSO_ADMIN_USERNAME and SSO_ADMIN_PASSWORD parameters to log in to SSO.
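Step 9 passes SSO_ADMIN_PASSWORD and DB_PASSWORD as -p flags, so the values land in the shell history and are visible in the process list while oc runs. The script below is an added example, not part of the original tutorial and not one of Red Hat's templates: it generates random credentials, writes all of step 9's parameters to a file that only its owner can read, and applies the template with the standard `oc new-app --param-file` flag, so no secret appears on the command line. The template and parameter names are the tutorial's; the function names and the file name sso.params are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): deploy the step 9
# template with generated credentials supplied through a parameter file
# instead of -p flags, so the passwords stay out of shell history and
# process listings. Function names and the sso.params file name are this
# example's own; template and parameter names come from the tutorial.

# Print a random alphanumeric string of length $1 (reads /dev/urandom).
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
  echo
}

# Write the template parameters as NAME=value lines into file $1.
# The file is created under umask 077, i.e. mode 600, so only the owner
# can read the passwords it contains.
write_param_file() {
  out=$1
  rm -f "$out"
  (
    umask 077
    {
      echo "SSO_ADMIN_USERNAME=redhat"
      echo "SSO_ADMIN_PASSWORD=$(random_secret 24)"
      echo "DB_MIN_POOL_SIZE=10"
      echo "DB_MAX_POOL_SIZE=100"
      echo "DB_USERNAME=redhat"
      echo "DB_PASSWORD=$(random_secret 24)"
      echo "VOLUME_CAPACITY=2Gi"
      echo "SSO_REALM=redhat"
      echo "MEMORY_LIMIT=1Gi"
    } >"$out"
  )
}

# Read one parameter's value back out of the file ($1 file, $2 name),
# e.g. to look up the admin password for the first login.
param_value() {
  sed -n "s/^$2=//p" "$1"
}

# Apply the template; no secret appears on the oc command line.
deploy_sso() {
  oc new-app sso73-x509-postgresql-persistent --param-file="$1"
}

# Usage: sh sso-params.sh generate [file]   then   sh sso-params.sh deploy [file]
case "${1:-}" in
  generate) write_param_file "${2:-sso.params}" && echo "wrote ${2:-sso.params}" ;;
  deploy)   deploy_sso "${2:-sso.params}" ;;
esac
```

After `deploy` the parameter file still holds the live admin and database passwords; read what you need with `param_value sso.params SSO_ADMIN_PASSWORD`, then delete the file or move it into a proper secret store rather than leaving it in the working directory.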