How to Integrate Jenkins with Red Hat Single Sign-On – Part Two

How to Install Jenkins on Openshift

Hello everyone, this is the second part of our tutorial on integrating Red Hat Single Sign-On with Jenkins. This part covers the installation of Jenkins on Red Hat Openshift. Let’s go!

What is Jenkins?

Jenkins is an open-source automation tool written in Java, with plugins built for Continuous Integration. Jenkins is used to build and test your software projects continuously, making it easier for developers to integrate changes into the project and for users to obtain a fresh build. It also allows you to continuously deliver your software by integrating with a large number of testing and deployment technologies.

What is Continuous Integration?

Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is verified by an automated build, allowing teams to detect problems early.

With CI, you can detect errors more quickly, and solve them to improve the quality of software constantly.

What is Continuous Delivery?

Continuous Delivery is the ability to get changes of all types, including new features, configuration changes, bug fixes and experiments, into production, or into the hands of users, safely and quickly in a sustainable way. Continuous Delivery needs human interaction to accept the changes and apply them to the production environment.

What is Continuous Deployment?

Continuous Deployment is very similar to Continuous Delivery, but it eliminates the human interaction that guards against unproven code in live software. It should only be implemented when the development and IT teams rigorously adhere to production-ready development practices and thorough testing, and when they apply sophisticated, real-time monitoring in production to discover any issues with new releases.

Continuous Deployment is harder to apply because the company needs a sophisticated automated process for its software.

Why use Jenkins on Openshift?

With Jenkins, organizations can accelerate the software development process through automation. Jenkins integrates development life-cycle processes of all kinds, including build, document, test, package, stage, deploy and static analysis. In Openshift we have Jenkins Slaves for Java and DotNet Core applications. The Jenkins Slaves can scale up and scale down automatically, which improves the use of the cluster hardware.

For example, each pipeline started in the Jenkins Master starts a Jenkins Slave to execute the process, and when it finishes, the Jenkins Slave is shut down.

How to Install Jenkins On Openshift

Now that we know a little more about Jenkins, we can install it on Openshift.

1. Run the following command to create your project

$ oc new-project jenkins \
--description='This project provides the automated tool to build, test and deploy applications.'

2. A very important point in Openshift is to create Resource Quotas and Limits for your projects, so that the application does not consume more than desired. The following commands apply Quotas and Limits to the project:

The following command creates a Resource Quota for the project jenkins:

$ oc create quota jenkins-quota \
--hard=cpu=2,memory=3G,pods=10,services=5,replicationcontrollers=2,resourcequotas=1

The following command creates a LimitRange for the project jenkins. Note that the command sends the definition to oc through the shell command echo.

The limits apply rules to the containers and pods in the project jenkins.

$ echo 'apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "jenkins-limits"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "1"
        memory: "1Gi"
      min:
        cpu: "700m"
        memory: "512Mi"
    - type: "Container"
      max:
        cpu: "1"
        memory: "1Gi"
      min:
        cpu: "700m"
        memory: "512Mi"
      default:
        cpu: "700m"
        memory: "512Mi"
      defaultRequest:
        cpu: "700m"
        memory: "512Mi"' | oc -n jenkins create -f -

3. Run the following command to add the Jenkins template to Openshift:

$ oc -n openshift \
create -f https://raw.githubusercontent.com/lhsribas/openshift-templates/master/openshift3/jenkins/jenkins-persistent-template.yaml

4. If you have the official installation of Openshift, you can execute the following command:

This command installs the ImageStream definition for Jenkins into the project openshift.

$ oc -n openshift create -f \
https://raw.githubusercontent.com/lhsribas/openshift-templates/master/openshift3/jenkins/image-stream/v3.11/jenkins-image-stream.yaml

The previous command imports the ImageStream from the authenticated repository. If you are using OKD, you need the unauthenticated repository; execute the following command to get it:

$ oc -n openshift create -f \
https://raw.githubusercontent.com/lhsribas/openshift-templates/master/openshift3/jenkins/image-stream/v3.11/unauthenticated-jenkins-image-stream.yaml

5. To import the image into the project openshift, execute the following command:

$ oc -n openshift import-image jenkins-openshift:v3.11 --confirm

6. The next step is to install Jenkins into the project jenkins. Execute the following command:

$ oc -n jenkins new-app --template=jenkins-persistent

To access Jenkins you can use the same username and password as for Openshift, for example, user: admin, pwd: admin in OKD.

Below are the parameters that the template accepts when deploying Jenkins into the project jenkins.

Each parameter has a default value, so the template can be started without passing any parameter.

  • JENKINS_SERVICE_NAME: The name of the OpenShift Service exposed for the Jenkins container.
  • JNLP_SERVICE_NAME: The name of the service used for master/slave communication.
  • ENABLE_OAUTH: Whether to enable OAuth OpenShift integration. If false, the static account ‘admin’ will be initialized with the password ‘password’.
  • VOLUME_CAPACITY: Volume space available for data, e.g. 512Mi, 2Gi.
  • NAMESPACE: The OpenShift Namespace where the Jenkins ImageStream resides.
  • DISABLE_ADMINISTRATIVE_MONITORS: Whether to perform memory intensive, possibly slow, synchronization with the Jenkins Update Center on start. If true, the Jenkins core update monitor and site warnings monitor are disabled.
  • JENKINS_IMAGE_STREAM_TAG: Name of the ImageStreamTag to be used for the Jenkins image.
  • ENABLE_FATAL_ERROR_LOG_FILE: When a fatal error occurs, an error log is created with information and the state obtained at the time of the fatal error.
  • CPU_REQUEST: The amount of CPU to request.
  • MEMORY_REQUEST: The amount of memory required for the container to run.
  • CPU_LIMIT: The amount of CPU the container is limited to use.
  • MEMORY_LIMIT: Maximum amount of memory the container can use.
  • TZ: The time zone of the country.

7. The Jenkins pod running in Openshift.

8. Redirect Login Page with Openshift

When you click on the hostname of Jenkins, you are redirected to the page below.

9. Login Page Openshift.

After you click on the button Login with Openshift, you are sent to the login page of Openshift.

10. Authorization Page for Jenkins.

When you enter the correct username and password, you are sent to a page that requests authorization to access the Jenkins application.

11. Jenkins Home Page.

After all these steps you are redirected to the home page of Jenkins, and you can start to use the tool.

How to Integrate Jenkins with Red Hat Single Sign-On – Part One

How to Install Red Hat Single Sign-On on Openshift

This tutorial is divided into 3 parts for a better understanding of each tool and how to install it:

Part One: Installation of Red Hat Single Sign-On
Part Two: Installation of Jenkins
Part Three: Configuration of OpenID Connect to Access Jenkins

What is Red Hat Openshift?

Red Hat OpenShift is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud and multi-cloud deployments. Red Hat OpenShift is optimized to improve developer productivity and promote innovation.

If you want to know more and learn, access the Interactive Learning Portal Learn Openshift.

What is Red Hat Single Sign-On?

Red Hat Single Sign-On is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.

How to Install Red Hat Single Sign-On on Openshift

Now we will follow the steps to install Red Hat Single Sign-On on Openshift. You need basic knowledge of Openshift to start this tutorial.

1. Run the following command to create your project:

$ oc new-project authentication \
--description='This project provides the single point to authenticate applications and services using Red Hat Single Sign-On'

2. Run the following commands to update the core set of Red Hat Single Sign-On 7.3.2.GA resources for OpenShift:

$ for resource in sso73-image-stream.json \
  sso73-https.json \
  sso73-mysql.json \
  sso73-mysql-persistent.json \
  sso73-postgresql.json \
  sso73-postgresql-persistent.json \
  sso73-x509-https.json \
  sso73-x509-mysql-persistent.json \
  sso73-x509-postgresql-persistent.json
do
  oc replace -n openshift --force -f \
  https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/$resource
done

3. Run the following command to install the Red Hat Single Sign-On 7.3.2.GA OpenShift image streams in the openshift project:

The previous step downloaded imagestream.image.openshift.io/redhat-sso73-openshift.json. The reference to the SSO image is in this file. If you have the official installation of Openshift you do not need to change the file, but if you are using OKD you need to change it to point to the unauthenticated Red Hat image registry.

  • Unauthenticated Registry of SSO: registry.access.redhat.com/redhat-sso-7/sso73-openshift:1.0
  • Authenticated Registry of SSO: registry.redhat.io/redhat-sso-7/sso73-openshift:1.0

3.1. Execute the following command to edit the image stream and change the registry reference of the SSO image:

$ oc -n openshift edit imagestream redhat-sso73-openshift

3.2. Now we can import the image into the project openshift using the following command:

$ oc -n openshift import-image redhat-sso73-openshift:1.0

4. We need to import the Postgresql image to be able to execute the template sso73-x509-postgresql-persistent.json, so execute the following command to pull the image into the project openshift:

$ oc -n openshift import-image postgresql:9.5 \
 --from=registry.access.redhat.com/rhscl/postgresql-95-rhel7:9.5 \
 --confirm

5. Add the view role to the default service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.

$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default

6. If you want to see the templates, you can list the available Red Hat Single Sign-On application templates. In this tutorial, we will use the template sso73-x509-postgresql-persistent.

$ oc get templates -n openshift -o name | grep -o 'sso73.\+'

7. A very important point in Openshift is to create Resource Quotas and Limits for your projects, so that the application does not consume more than desired. The following commands apply Quotas and Limits to the project:

7.1. The following command creates a Resource Quota for the project authentication.

The resource quota applies the following limits to the project:

$ oc create quota sso-authentication-quota \
--hard=cpu=4,memory=4G,pods=4,services=10,replicationcontrollers=5,resourcequotas=1

7.2. The following command creates a LimitRange for the project authentication. Note that the command sends the definition to oc through the shell command echo.

The limits apply rules to the containers and pods that will exist inside the project authentication:

$ echo 'apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "sso-resource-limits"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "1"
        memory: "1Gi"
      min:
        cpu: "700m"
        memory: "500Mi"
    - type: "Container"
      max:
        cpu: "1"
        memory: "1Gi"
      min:
        cpu: "700m"
        memory: "500Mi"
      default:
        cpu: "700m"
        memory: "500Mi"
      defaultRequest:
        cpu: "700m"
        memory: "500Mi"' | oc create -f -
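The quota and LimitRange pairs created for the jenkins project in Part Two and for the authentication project in step 7 together cap how many pods can be scheduled. The following added example (not part of the original tutorial) computes that cap and the quota term that runs out first; the function names are made up here, and it assumes single-container pods that each request the LimitRange minimum.

```shell
#!/bin/sh
# Added example: which ResourceQuota term is exhausted first when every
# pod requests the LimitRange minimum (the smallest request a pod may make).

# CPU quantity ("2", "700m") -> millicores
cpu_milli() {
  case "$1" in
    *m) echo "${1%m}" ;;
    *)  echo $(( $1 * 1000 )) ;;
  esac
}

# Memory quantity -> bytes. M and G are powers of 1000, Mi and Gi powers of 1024.
mem_bytes() {
  case "$1" in
    *Mi) echo $(( ${1%Mi} * 1024 * 1024 )) ;;
    *Gi) echo $(( ${1%Gi} * 1024 * 1024 * 1024 )) ;;
    *M)  echo $(( ${1%M} * 1000000 )) ;;
    *G)  echo $(( ${1%G} * 1000000000 )) ;;
    *)   echo "$1" ;;
  esac
}

# max_pods QUOTA_CPU QUOTA_MEM QUOTA_PODS MIN_CPU MIN_MEM
# Prints "<pod count> <binding quota term>".
max_pods() {
  by_cpu=$(( $(cpu_milli "$1") / $(cpu_milli "$4") ))
  by_mem=$(( $(mem_bytes "$2") / $(mem_bytes "$5") ))
  n=$3; term=pods
  if [ "$by_mem" -lt "$n" ]; then n=$by_mem; term=memory; fi
  if [ "$by_cpu" -lt "$n" ]; then n=$by_cpu; term=cpu; fi
  echo "$n $term"
}

# Values taken from the quota and LimitRange commands on this page.
echo "jenkins:        $(max_pods 2 3G 10 700m 512Mi)"
echo "authentication: $(max_pods 4 4G 4 700m 500Mi)"
```

For the jenkins project the CPU quota is the binding term: two pods at 700m each fit under cpu=2, so the master plus one slave pod fill the project and a second slave pod is rejected by the quota.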

8. To see the parameters of the template and the basic values that each one has, we can execute the following command:

$ oc -n openshift describe template sso73-x509-postgresql-persistent

9. Now we can go to the last step: run the Red Hat Single Sign-On template, overriding the values of some parameters.

  • SSO_ADMIN_USERNAME: RH-SSO Server administrator username.
  • SSO_ADMIN_PASSWORD: RH-SSO Server administrator password.
  • DB_MIN_POOL_SIZE: Sets xa-pool/min-pool-size for the configured datasource.
  • DB_MAX_POOL_SIZE: Sets xa-pool/max-pool-size for the configured datasource.
  • DB_USERNAME: Database user name.
  • DB_PASSWORD: Database user password.
  • VOLUME_CAPACITY: Size of persistent storage for database volume.
  • SSO_REALM: Realm to be created in the RH-SSO server (e.g. demorealm).
  • MEMORY_LIMIT: Container memory limit.

$ oc new-app sso73-x509-postgresql-persistent \
-p SSO_ADMIN_USERNAME=redhat \
-p SSO_ADMIN_PASSWORD=redhat \
-p DB_MIN_POOL_SIZE=10 \
-p DB_MAX_POOL_SIZE=100 \
-p DB_USERNAME=redhat \
-p DB_PASSWORD=redhat \
-p VOLUME_CAPACITY=2Gi \
-p SSO_REALM=redhat \
-p MEMORY_LIMIT=1Gi

When the installation finishes, you can access Red Hat Single Sign-On at the URL created by the process.

Note: We will need the values of SSO_ADMIN_USERNAME and SSO_ADMIN_PASSWORD to access the SSO.
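Step 9 passes both passwords as the literal redhat on the command line, where they also end up in the shell history. The following added example (not part of the original tutorial) generates random passwords and hands the same parameters to the template through a file readable only by the current user; gen_secret, write_params and deploy_sso are names made up here, and all other values are the ones used in step 9.

```shell
#!/bin/sh
# Added example: random passwords for the step 9 template parameters,
# passed through a parameter file instead of -p flags.

# gen_secret N: N bytes from the kernel CSPRNG, printed as 2N hex characters.
gen_secret() {
  od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# write_params FILE: write the step 9 parameters, one KEY=VALUE per line,
# to FILE with owner-only permissions.
write_params() {
  ( umask 077
    cat > "$1" <<EOF
SSO_ADMIN_USERNAME=redhat
SSO_ADMIN_PASSWORD=$(gen_secret 16)
DB_MIN_POOL_SIZE=10
DB_MAX_POOL_SIZE=100
DB_USERNAME=redhat
DB_PASSWORD=$(gen_secret 16)
VOLUME_CAPACITY=2Gi
SSO_REALM=redhat
MEMORY_LIMIT=1Gi
EOF
  ) && chmod 600 "$1"
}

# deploy_sso FILE: run inside the authentication project on a logged-in
# cluster. FILE is kept afterwards because SSO_ADMIN_PASSWORD is needed
# for the first login.
deploy_sso() {
  write_params "$1" &&
    oc new-app sso73-x509-postgresql-persistent --param-file="$1"
}

# Only talks to the cluster when asked to: sh this-script --deploy FILE
if [ "${1:-}" = "--deploy" ]; then
  deploy_sso "$2"
fi
```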

Openshift Project Authentication

Welcome Page to Red Hat Single Sign-On

Login Page to Red Hat Single Sign-On

Home Page to Red Hat Single Sign-On