
Commit eb93529

author
Jan Lieskovsky
committed
[KEYCLOAK-15633] Enable SSL/TLS by default for the PostgreSQL server
deployed by the "sso75-x509-postgresql-persistent.json" template Signed-off-by: Jan Lieskovsky <[email protected]>
1 parent 5472e76 commit eb93529


1 file changed

+117
-7
lines changed


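--- a/templates/sso75-x509-postgresql-persistent.json
+++ b/templates/sso75-x509-postgresql-persistent.json
@@ -6,10 +6,10 @@
 "iconClass" : "icon-sso",
 "tags" : "sso,keycloak,jboss",
 "version": "7.5.0.GA",
-"openshift.io/display-name": "Red Hat Single Sign-On 7.5 on OpenJDK + PostgreSQL (Persistent)",
+"openshift.io/display-name": "Red Hat Single Sign-On 7.5 on OpenJDK + PostgreSQL SSL/TLS (Persistent)",
 "openshift.io/provider-display-name": "Red Hat, Inc.",
 "description": "An example application based on RH-SSO 7.5 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-cpaas-dev/docs.",
-"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Single Sign-On 7.5 on OpenJDK server based deployment, deployment configuration for PostgreSQL using persistence, and securing RH-SSO communication using re-encrypt TLS.",
+"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Single Sign-On 7.5 on OpenJDK server based deployment, deployment configuration for PostgreSQL using persistence and encrypted database connection, and securing RH-SSO communication using re-encrypt TLS.",
 "template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-single-sign-on/",
 "template.openshift.io/support-url": "https://access.redhat.com"
 },
@@ -19,7 +19,7 @@
 "template": "sso75-x509-postgresql-persistent",
 "rhsso": "7.5.0.GA"
 },
-"message": "A new persistent RH-SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database \"${DB_DATABASE}\" is ${DB_USERNAME}/${DB_PASSWORD}. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing RH-SSO requests were automatically created via OpenShift's service serving x509 certificate secrets.",
+"message": "A new persistent RH-SSO service (using SSL/TLS secured PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database \"${DB_DATABASE}\" is ${DB_USERNAME}/${DB_PASSWORD}. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, the server truststore used for securing RH-SSO requests, and SSL/TLS certificate & private key used to run PostgreSQL server with SSL/TLS support were automatically created via OpenShift's service serving x509 certificate secrets.",
 "parameters": [
 {
 "displayName": "Application Name",
@@ -161,6 +161,24 @@
 "value": "10",
 "required": true
 },
+{
+"description": "Git source URI for the application extending PostgreSQL SQL server container image with SSL/TLS support.",
+"name": "POSTGRESQL_SOURCE_REPOSITORY_URL",
+"value": "https://github.com/iankko/redhat-sso-7-openshift-image",
+"required": true
+},
+{
+"description": "Git branch/tag reference for the application extending PostgreSQL SQL server container image with SSL/TLS support.",
+"name": "POSTGRESQL_SOURCE_REPOSITORY_REF",
+"value": "KEYCLOAK-15633",
+"required": true
+},
+{
+"description": "Path within the Git project to build the application extending PostgreSQL SQL server container image with SSL/TLS support.",
+"name": "POSTGRESQL_CONTEXT_DIR",
+"value": "s2i/postgresql/enable-ssl",
+"required": true
+},
 {
 "displayName": "Container Memory Limit",
 "description": "Container memory limit.",
@@ -196,6 +214,87 @@
 }
 }
 },
+{
+"kind": "ImageStream",
+"apiVersion": "image.openshift.io/v1",
+"metadata": {
+"name": "${APPLICATION_NAME}-postgresql-ssl",
+"labels": {
+"application": "${APPLICATION_NAME}-postgresql-ssl"
+}
+}
+},
+{
+"kind": "BuildConfig",
+"apiVersion": "build.openshift.io/v1",
+"metadata": {
+"name": "${APPLICATION_NAME}-postgresql-enable-ssl",
+"labels": {
+"application": "${APPLICATION_NAME}"
+},
+"annotations": {
+"description": "Build config to extend the vanilla PostgreSQL SQL database server container image with SSL/TLS support."
+}
+},
+"spec": {
+"source": {
+"type": "Git",
+"git": {
+"uri": "${POSTGRESQL_SOURCE_REPOSITORY_URL}",
+"ref": "${POSTGRESQL_SOURCE_REPOSITORY_REF}"
+},
+"contextDir": "${POSTGRESQL_CONTEXT_DIR}"
+},
+"strategy": {
+"type": "Source",
+"sourceStrategy": {
+"forcePull": true,
+"from": {
+"kind": "ImageStreamTag",
+"namespace": "${IMAGE_STREAM_NAMESPACE}",
+"name": "postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}"
+},
+"env": [
+{
+"name": "ARTIFACT_DIR",
+"value": "${ARTIFACT_DIR}"
+},
+{
+"name": "MAVEN_ARGS_APPEND",
+"value": ""
+}
+]
+}
+},
+"output": {
+"to": {
+"kind": "ImageStreamTag",
+"name": "${APPLICATION_NAME}-postgresql-ssl:latest"
+}
+},
+"triggers": [
+{
+"type": "GitHub",
+"github": {
+"secret": "${GITHUB_WEBHOOK_SECRET}"
+}
+},
+{
+"type": "Generic",
+"generic": {
+"secret": "${GENERIC_WEBHOOK_SECRET}"
+}
+},
+{
+"type": "ImageChange",
+"imageChange": {}
+},
+{
+"type": "ConfigChange"
+}
+]
+}
+},
 {
 "kind": "Service",
 "apiVersion": "v1",
@@ -216,7 +315,8 @@
 "application": "${APPLICATION_NAME}"
 },
 "annotations": {
-"description": "The database server's port."
+"description": "The database server's port.",
+"service.alpha.openshift.io/serving-cert-secret-name": "postgresql-ssl-secret"
 }
 }
 },
@@ -503,8 +603,7 @@
 ],
 "from": {
 "kind": "ImageStreamTag",
-"namespace": "${IMAGE_STREAM_NAMESPACE}",
-"name": "postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}"
+"name": "${APPLICATION_NAME}-postgresql-ssl:latest"
 }
 }
 },
@@ -543,7 +642,7 @@
 "successThreshold:": 1,
 "failureThreshold": 3,
 "exec": {
-"command": [ "/bin/sh", "-i", "-c", "psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'"]
+"command": [ "/bin/sh", "-i", "-c", "export PGSSLMODE=\"require\" && psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'"]
 }
 },
 "livenessProbe": {
@@ -559,6 +658,11 @@
 {
 "mountPath": "/var/lib/pgsql/data",
 "name": "${APPLICATION_NAME}-postgresql-pvol"
+},
+{
+"name": "postgresql-ssl-volume",
+"mountPath": "/etc/pki/postgresql",
+"readOnly": true
 }
 ],
 "env": [
@@ -595,6 +699,12 @@
 "persistentVolumeClaim": {
 "claimName": "${APPLICATION_NAME}-postgresql-claim"
 }
+},
+{
+"name": "postgresql-ssl-volume",
+"secret": {
+"secretName": "postgresql-ssl-secret"
+}
 }
 ]
 }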
