[CIAM-2881] Add a demo on how to rebuild the standard Red Hat Single Sign-On

7.5 container image to start using the latest version of IBM Semeru 11 Open
Edition JDK (OpenJ9 JVM) instead of the default Red Hat OpenJDK 11 one.

Also add a helper script to (re)generate the existing templates to start
using the newly built image stream

Signed-off-by: Jan Lieskovsky <[email protected]>

Author: Jan Lieskovsky

jdk/README.md

@@ -0,0 +1,162 @@
+## Using Red Hat Single Sign-On 7.5 container images with alternative JDK
+
+The Red Hat Single Sign-On 7.5 for OpenJDK container images use the [Red Hat OpenJDK 11](https://access.redhat.com/documentation/en-us/openjdk/11/html-single/getting_started_with_openjdk_11/index#openjdk-overview), a free and open source implementation of the Java Platform, Standard Edition (Java SE) by default.
+
+To provide an illustrative example on how to install an alternative JDK and instruct the Red Hat Single Sign-On 7.5 container images to use it, the 'ibm-semeru-open-11-jdk' subdirectory contains a definition of Red Hat Single Sign-On 7.5 container file switching the JDK runtime to the latest available release of [IBM Semeru Runtime Open Edition Java 11 (LTS)](https://github.com/ibmruntimes/semeru11-binaries/releases/latest).
+
+## Building the Red Hat Single Sign-On 7.5 container image with latest release of IBM Semeru 11 JDK Open Edition
+
+You can build this example by creating a new build using OpenShift CLI (oc) tool. Specify:
+* The vanilla `rh-sso-7/sso75-openshift-rhel8` image stream to use as the builder,
+* The Docker build strategy to use for build execution, and
+* The Git repository, branch name and particular context directory within the repository as the source of the build
+
+**Prerequisites**
+
+* Ensure you have [OpenShift CLI (oc) installed](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html#installing-openshift-cli)
+
+**Procedure**
+
+1. Ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project. Choose the following command based on your version of OpenShift Container Platform:
+
+   * If you are running an OpenShift Container Platform v3 based cluster instance on (some) of your master host(s), perform the following:
+
+      ```
+      $ oc login -u system:admin
+      ```
+
+   * If you are running an OpenShift Container Platform v4 based cluster instance, [log in to the CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html#cli-logging-in_cli-developer-commands) as the [kubeadmin](https://docs.openshift.com/container-platform/latest/authentication/remove-kubeadmin.html#understanding-kubeadmin_removing-kubeadmin) user:
+
+      ```
+      $ oc login -u kubeadmin -p password https://openshift.example.com:6443
+      ```
+
+2. Execute the following command:
+
+   ```
+   $ oc new-build \
+     --context-dir=jdk/ibm-semeru-open-11-jdk \
+     --image-stream=sso75-openshift-rhel8 \
+     --name=sso75-openshift-rhel8-ibm-semeru-11-jdk \
+     --namespace=openshift \
+     --strategy=docker \
+     https://github.com/jboss-container-images/redhat-sso-7-openshift-image.git#sso75-dev
+   ```
+
+When submitted, this command creates a new `sso75-openshift-rhel8-ibm-semeru-11-jdk` BuildConfig definition in the global `openshift` project and launches a build from it. Moreover, a new `sso75-openshift-rhel8-ibm-semeru-11-jdk` ImageStream is also created in the global `openshift` project.
+
+## Acquiring OpenShift templates for the new Red Hat Single Sign-On 7.5 container `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream
+
+You can obtain OpenShift templates for the newly produced `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream by performing the following modifications [to the standard templates available for the Red Hat Single Sign-On 7.5 container image](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/templates):
+
+   * Change the default image stream name and image tag from `"sso75-openshift-rhel8:7.5"` to `"sso75-openshift-rhel8-ibm-semeru-11-jdk"`,
+
+   * Optinally add a custom suffix to the name of the original template later better to distinguish the newly created templates for IBM Semeru 11 JDK Open Edition from the original one. Alternatively, if **you just want to modify** [**the default Red Hat Single Sign-On 7.5 container image OpenShift templates**](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html-single/red_hat_single_sign-on_for_openshift#sso-templates) to start using the new `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream, then **define the custom suffix to be empty string**.
+
+### Modifying the default Red Hat Single Sign-On 7.5 container image templates to use `"sso75-openshift-rhel8-ibm-semeru-11-jdk"` image stream
+
+Use this option if you want to continue using the [**the default Red Hat Single Sign-On 7.5 container image OpenShift templates**](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html-single/red_hat_single_sign-on_for_openshift#sso-templates) with the new `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream.
+
+**Prerequisites**
+
+* Ensure you have [the default OpenShift templates for Red Hat Single Sign-On 7.5 container image installed](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html-single/red_hat_single_sign-on_for_openshift/index#image-streams-applications-templates).
+
+**Procedure**
+
+1. Set TEMPLATE\_SUFFIX environment variable to empty string and run the `acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh` helper script as follows:
+
+   ```
+   $ TEMPLATE_SUFFIX="" ./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh
+   ```
+
+   In this case the `./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh` script will just change the image stream name from `"sso75-openshift-rhel8:7.5"` to `"sso75-openshift-rhel8-ibm-semeru-11-jdk"` for each of the default Red Hat Single Sign-On 7.5 container image templates.
+
+   As a result, the output of the script looks as follows:
+
+      ```
+      $ TEMPLATE_SUFFIX="" ./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh
+      template.template.openshift.io "sso75-https" deleted
+      template.template.openshift.io/sso75-https replaced
+      template.template.openshift.io "sso75-postgresql" deleted
+      template.template.openshift.io/sso75-postgresql replaced
+      template.template.openshift.io "sso75-postgresql-persistent" deleted
+      template.template.openshift.io/sso75-postgresql-persistent replaced
+      template.template.openshift.io "sso75-x509-https" deleted
+      template.template.openshift.io/sso75-x509-https replaced
+      template.template.openshift.io "sso75-x509-postgresql" deleted
+      template.template.openshift.io/sso75-x509-postgresql-persistent replaced
+      ```
+
+### Generating IBM Semeru 11 JDK Open Edition specific Red Hat Single Sign-On 7.5 container image templates
+
+Use this option if you want a new template with custom suffix in its name to be created for each of the default RH-SSO templates using the `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream.
+
+**Prerequisites**
+
+* Ensure you have [the default OpenShift templates for Red Hat Single Sign-On 7.5 container image installed](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html-single/red_hat_single_sign-on_for_openshift/index#image-streams-applications-templates).
+
+
+**Procedure**
+
+1. Set TEMPLATE\_SUFFIX environment variable to contain the desired suffix for newly generated templates, for example `"-ibm-semeru-11-jdk"`. Then run the `acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh` helper script as follows:
+
+
+   ```
+   $ TEMPLATE_SUFFIX="-ibm-semeru-11-jdk" ./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh
+   ```
+
+   In this case the `./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh` script:
+
+   1. First creates a Semeru JDK 11 counterpart copy of the particular default template with specified template suffix appended to the file name of the original template,
+   2. Updates the `.metadata.name` field of that template copy to match the new name of the template,
+   3. Replaces the name of the default image stream in the `sso` DeploymentConfig definition of the template with `sso75-openshift-rhel8-ibm-semeru-11-jdk` image stream,
+   4. Finally, recreates the template with the new name using the updated image stream in the global `openshift` project.
+
+   As a result, the output of the script looks as follows:
+
+      ```
+      $ TEMPLATE_SUFFIX="-ibm-semeru-11-jdk" ./ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh
+      template.template.openshift.io "sso75-https-ibm-semeru-11-jdk" deleted
+      template.template.openshift.io/sso75-https-ibm-semeru-11-jdk replaced
+      template.template.openshift.io "sso75-postgresql-ibm-semeru-11-jdk" deleted
+      template.template.openshift.io/sso75-postgresql-ibm-semeru-11-jdk replaced
+      template.template.openshift.io "sso75-postgresql-persistent-ibm-semeru-11-jdk" deleted
+      template.template.openshift.io/sso75-postgresql-persistent-ibm-semeru-11-jdk replaced
+      template.template.openshift.io "sso75-x509-https-ibm-semeru-11-jdk" deleted
+      template.template.openshift.io/sso75-x509-https-ibm-semeru-11-jdk replaced
+      template.template.openshift.io "sso75-x509-postgresql-persistent-ibm-semeru-11-jdk" deleted
+      template.template.openshift.io/sso75-x509-postgresql-persistent-ibm-semeru-11-jdk replaced
+      ```
+
+## Deploying Red Hat Single Sign-On 7.5 container image with latest release of IBM Semeru 11 JDK Open Edition
+
+You can deploy Red Hat Single Sign-On 7.5 container image using latest IBM Semeru 11 JDK Open Edition as usual. The only differing step is the name of the template to use depending if default templates were overwritten, or new ones were generated.
+
+**Procedure**
+
+1. Create a `semeru-demo` project:
+
+   ```
+   $ oc new-project semeru-demo
+   ```
+
+2. Create a new application, using the Red Hat Single Sign-On 7.5 container image with latest release of IBM Semeru 11 JDK Open Edition as usual. For example, run:
+
+   ```
+   $ oc new-app --template=sso75-x509-https
+   ```
+
+   if you previously modified the default `sso75-x509-https` template to start using the `sso75-openshift-rhel8-ibm-semeru-11-jdk`, or run
+
+   ```
+   $ oc new-app --template=sso75-x509-https-ibm-semeru-11-jdk
+   ```
+
+   if you previously generated IBM Semeru 11 JDK Open Edition templates using the `-ibm-semeru-11-jdk` suffix and want to deploy the IBM Semeru counterpart of `sso75-x509-https` template.
+
+## References
+
+* [IBM Semeru Runtimes Open Edition for Java 11 binaries GitHub repository](https://github.com/ibmruntimes/semeru11-binaries)
+* [IBM Semeru Runtimes main GitHub repository](https://github.com/ibmruntimes/Semeru-Runtimes)
+* [IBM Semeru Runtimes website](https://developer.ibm.com/languages/java/semeru-runtimes)
+* [IBM Semeru Runtimes support page](https://www.ibm.com/support/pages/semeru-runtimes-support/)

jdk/ibm-semeru-open-11-jdk/Dockerfile

@@ -0,0 +1,15 @@
+FROM registry.redhat.io/rh-sso-7/sso75-openshift-rhel8:latest
+# Define the (buildtime) user
+USER root
+# Copy the helper container image script
+COPY scripts/image /tmp/scripts
+# Make IBM Semeru 11 JDK the default JDK
+RUN [ "sh", "-x", "/tmp/scripts/make-ibm-semeru-open-11-jdk-the-default-jdk.sh" ]
+# Remove helper scripts
+RUN [ ! -d "/tmp/scripts" ] || rm -rf "/tmp/scripts"
+# Define the (runtime) user
+USER jboss
+# Define the (runtime) working directory
+WORKDIR /home/jboss
+# Define the default run cmd
+CMD ["/opt/eap/bin/openshift-launch.sh"]

jdk/ibm-semeru-open-11-jdk/scripts/image/make-ibm-semeru-open-11-jdk-the-default-jdk.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# Install the 'dejavu-sans-fonts' IBM Semeru 11 JDK RPM dependency first
+# Moreover, install also 'jq' later to parse the release info JSON file of
+# latest IBM Semeru 11 JDK GitHub tag (release)
+microdnf -y install dejavu-sans-fonts jq && microdnf clean all
+
+# Given the architecture
+# shellcheck disable=SC2155
+readonly ARCH=$(uname -i)
+
+# Get the release info JSON file for latest IBM Semeru 11 JDK tag from GitHub
+# shellcheck disable=SC2155
+readonly LATEST_SEMERU_11_JDK_RELEASE_JSON=$(
+  curl --header "Accept: application/vnd.github.v3+json" --show-error --silent \
+  "https://api.github.com/repos/ibmruntimes/semeru11-binaries/releases/latest"
+)
+
+# Out of all assets published for latest IBM Semeru 11 JDK release select just
+# the download URL of RPM package specific for this architecture
+# shellcheck disable=SC2155
+readonly LATEST_SEMERU_11_JDK_RPM=$(
+  # Return URL of that asset from release info, having 'content_type' set to
+  # 'application/x-rpm', ending with '${ARCH}.rpm}' and not being a JRE RPM
+  jq '.assets[]
+      | select(.content_type == "application/x-rpm")
+      | .browser_download_url
+      | select(endswith("'"${ARCH}"'.rpm") and (contains("jre") | not))' \
+  <<< "${LATEST_SEMERU_11_JDK_RELEASE_JSON[@]}" | tr -d '"'
+)
+
+# Import the IBM Semeru Runtimes public GPG key
+# URL below from https://www.ibm.com/support/pages/semeru-runtimes-verification/
+# section "RPM Package Manager packages (.rpm)"
+rpm --import "https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/certificates/ibm-semeru-public-GPGkey.pgp"
+
+# Download the latest IBM Semeru 11 JDK Open Edition RPM
+curl -OLJ --show-error --silent "${LATEST_SEMERU_11_JDK_RPM}"
+
+# Verify the signatures & digests of the downloaded RPM are correct
+rpmkeys -Kv "./$(basename "${LATEST_SEMERU_11_JDK_RPM}")"
+
+# If so, install the RPM
+rpm -i "./$(basename "${LATEST_SEMERU_11_JDK_RPM}")"
+
+# Make latest IBM Semeru 11 JDK the default JDK
+alternatives --set java /usr/lib/jvm/ibm-semeru-open-11-jdk/bin/java
+alternatives --set javac /usr/lib/jvm/ibm-semeru-open-11-jdk/bin/javac
+export JAVA_SECURITY_FILE=/usr/lib/jvm/ibm-semeru-open-11-jdk/conf/security/java.security
+export JAVA_HOME=/usr/lib/jvm/ibm-semeru-open-11-jdk
+
+# Remove the (formerly default) OpenJDK 11 RPM packages
+microdnf remove java-11-openjdk{,-devel,-headless}

jdk/ibm-semeru-open-11-jdk/scripts/templates/acquire-ibm-semeru-open-11-jdk-rh-sso-templates.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# About:
+#
+# Helper script to generate OpenShift templates for Red Hat Single Sign-On 7.5
+# container image using non-default IBM Semeru 11 Open Edition JDK. It can:
+#
+# * Either modify the default RH-SSO templates to start using the newly created
+#   "sso75-openshift-rhel8-ibm-semeru-11-jdk" image stream,
+#
+# * Or keep the default RH-SSO templates unchanged, and for each of them
+#   generate a counterpart IBM Semeru 11 Open Edition JDK specific template
+#   with custom name depending on specified TEMPLATE_SUFFIX environment
+#   variable
+#
+# Run the script without arguments for additional usage details
+
+
+# Define constants to hold the default (original) and the new image stream
+# name for the RH-SSO templates
+readonly ORIGINAL_RH_SSO_IMAGE_STREAM_AND_TAG="sso75-openshift-rhel8:7.5"
+readonly UPDATED_RH_SSO_IMAGE_STREAM_AND_TAG="sso75-openshift-rhel8-ibm-semeru-11-jdk:latest"
+
+# Describe the two possible ways of using template suffix
+# shellcheck disable=SC2155
+readonly TEMPLATE_SUFFIX_HEREDOC=$(cat << EOTSHD
+  TEMPLATE_SUFFIX variable is not set. Please set it to:
+
+  a) The empty string, if you want to start using the default RH-SSO templates
+     with the new "sso75-openshift-rhel8-ibm-semeru-11-jdk" image stream:
+
+     $ TEMPLATE_SUFFIX="" $0
+
+     In this case each of the installed default RH-SSO templates will be
+     modified to start using the new "sso75-openshift-rhel8-ibm-semeru-11-jdk"
+     image stream.
+
+  b) The desired string, if you want to derive new OpenShift templates for the
+     "sso75-openshift-rhel8-ibm-semeru-11-jdk" image stream from the default
+     RH-SSO templates. For example:
+
+     $ TEMPLATE_SUFFIX="-ibm-semeru-11-jdk" $0
+
+     In this case the default RH-SSO templates will remain unchanged. Instead
+     for each of the installed default RH-SSO templates, a new template with a
+     name of '<original-template><template-suffix>' will be created for the
+     "sso75-openshift-rhel8-ibm-semeru-11-jdk" image stream.
+
+     For example, for TEMPLATE_SUFFIX matching "-ibm-semeru-11-jdk" the
+     counterpart IBM Semeru 11 JDK template of the default "sso75-x509-https"
+     RH-SSO template will have the name of "sso75-x509-https-ibm-semeru-11-jdk"
+     etc.
+EOTSHD
+)
+
+# TEMPLATE_SUFFIX environment variable has to be set. If not, that's an error
+if [ -z "${TEMPLATE_SUFFIX+set}" ]
+then
+  echo -e "\n${TEMPLATE_SUFFIX_HEREDOC}\n"
+  exit 1
+fi
+
+# Ensure OpenShift CLI (oc) tool is installed. If not, that's en error
+if ! oc version --client >& /dev/null
+then
+  # shellcheck disable=SC2155
+  readonly ocErrorMessage=$(cat << EOOCEM
+  Please ensure you have the OpenShift CLI (oc) tool installed:
+  * https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html#installing-openshift-cli
+EOOCEM
+)
+  echo -e "\n${ocErrorMessage}\n"
+  exit 1
+fi
+
+# Ensure the user is logged in
+if ! oc whoami >& /dev/null
+then
+  # shellcheck disable=SC2155
+  readonly ocLoginRequiredMessage=$(cat << EOOCLRM
+  Please log in as a cluster administrator or a user with project administrator access to the global "openshift" project.
+EOOCLRM
+)
+  echo -e "\n${ocLoginRequiredMessage}\n"
+  exit 1
+fi
+
+# Array of all RH-SSO templates existing in the OpenShift cluster. It's a sum
+# of the default ones together with those generated by previous runs of this
+# script
+mapfile -t ALL_RH_SSO_TEMPLATES< <(
+  oc get templates -n openshift | grep sso75 | cut -d ' ' -f 1
+)
+# Such array has to be non-empty. If not, that's an error
+if [ "${#ALL_RH_SSO_TEMPLATES[@]}" -eq "0" ]
+then
+  echo "Please install the standard OpenShift RH-SSO image templates first."
+  exit 1
+fi
+
+# Array of various template suffixes specified by previous runs of the script
+#
+# Since there can be multiple existing template suffixes thanks to multiple
+# previous runs of the script using the different suffix, identify these
+# suffixes by filtering all the templates for one specific default template
+# name and subsequently removing this default template name from them
+# shellcheck disable=SC2207
+declare -a PREVIOUSLY_USED_TEMPLATE_SUFFIXES=(
+  $(
+    echo "${ALL_RH_SSO_TEMPLATES[*]}" | tr $' ' $'\n' |
+    grep -P '^sso75-x509-https' | grep -Pv '^$' |
+    sed -e 's/^sso75-x509-https//g'
+  )
+)
+
+# Array of default RH-SSO template names is a subset of all RH-SSO templates
+declare -a DEFAULT_RH_SSO_TEMPLATES=( "${ALL_RH_SSO_TEMPLATES[@]}" )
+# Except those containing some of previously used suffixes in their name
+for previousSuffix in "${PREVIOUSLY_USED_TEMPLATE_SUFFIXES[@]}"
+do
+  # Globbing is actually intentional in the following statement
+  # shellcheck disable=SC2206
+  DEFAULT_RH_SSO_TEMPLATES=(
+    ${DEFAULT_RH_SSO_TEMPLATES[@]/*${previousSuffix}/}
+  )
+done
+
+# Generate the RH-SSO templates for the latest release of IBM Semeru 11 JDK
+# Open Edition based on specified template suffix -- either overwrite the
+# default ones, or generate new ones with custom names
+for tmplName in "${DEFAULT_RH_SSO_TEMPLATES[@]}"
+do
+  SEMERU_TEMPLATE_PATH="/tmp/${tmplName}${TEMPLATE_SUFFIX}.json"
+  # Get the code of particular template in JSON format
+  oc get template "${tmplName}" -n openshift -o json > "${SEMERU_TEMPLATE_PATH}"
+  # Update template name within template code
+  sed -i "s/${tmplName}/${tmplName}${TEMPLATE_SUFFIX}/g" "${SEMERU_TEMPLATE_PATH}"
+  # Update image stream name and tag within template code
+  sed -i "s/${ORIGINAL_RH_SSO_IMAGE_STREAM_AND_TAG}/${UPDATED_RH_SSO_IMAGE_STREAM_AND_TAG}/g" "${SEMERU_TEMPLATE_PATH}"
+  # Recreate the updated template with template suffix in global 'openshift' project
+  oc replace --force -f "${SEMERU_TEMPLATE_PATH}"
+  # Remove the intermediary template file
+  rm -f "${SEMERU_TEMPLATE_PATH}"
+done