
How to enable mutual SSL verification mode in Redhat-SSO image for OpenShift

I am using the template sso72-x509-postgresql-persistent, which is based on Redhat-SSO and Keycloak, to create an application in OpenShift.

I am going to enable its mutual SSL mode, so that a user only has to provide his certificate instead of a user name and password in his request. The document ( https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/index#x509 ) told me to edit the standalone.xml file to add configuration sections. It worked fine.

But the template image sso72-x509-postgresql-persistent had a problem with this procedure, because after it was deployed on OpenShift, any changes to the files inside the docker were lost after the docker restarted.

Is there any way to enable the mutual SSL mode at another level, such as the command line or an API, instead of editing a configuration file, other than building my own docker image?

OK, I'm including this anyway. I wasn't able to get this working due to permissions issues (the mounted files didn't persist the same permissions as before, so the container continued to fail). But a lot of work went into this answer, so hopefully it points you in the right direction!


You can add a Persistent Volume (PV) to ensure your configuration changes survive a restart. You can add a PV to your deployment via:

DON'T DO THIS

oc set volume deploymentconfig sso --add -t pvc --name=sso-config --mount-path=/opt/eap/standalone/configuration --claim-mode=ReadWriteOnce --claim-size=1Gi

This will bring up your RH-SSO image with a blank configuration directory, causing the pod to get stuck in Back-off restarting failed container. What you should do instead is:

  1. Back up the existing configuration files

     oc rsync <rhsso_pod_name>:/opt/eap/standalone/configuration ~/
  2. Create a temporary busybox deployment that can act as an intermediary for uploading the configuration files. Wait for the deployment to complete

     oc run busybox --image=busybox --wait --command -- /bin/sh -c "while true; do sleep 10; done"
  3. Mount a new PV to the busybox deployment. Wait for the deployment to complete

     oc set volume deploymentconfig busybox --add -t pvc --name=sso-volume --claim-name=sso-config --mount-path=/configuration --claim-mode=ReadWriteOnce --claim-size=1Gi
  4. Edit your configuration files now

  5. Upload the configuration files to your new PV via the busybox pod

     oc rsync ~/configuration/ <busybox_pod_name>:/configuration/
  6. Destroy the busybox deployment

     oc delete all -l run=busybox --force --grace-period=0
  7. Finally, attach your already-created, ready-to-go persistent configuration to the RH-SSO deployment

     oc set volume deploymentconfig sso --add -t pvc --name=sso-volume --claim-name=sso-config --mount-path=/opt/eap/standalone/configuration

Once your new deployment is...still failing because of permission issues :/
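The seven steps above, scripted end to end, as an added example that is not part of the original answer or of the Red Hat template. It keeps the answer's names (the `sso` deploymentconfig, the `sso-config` claim, the `sso-volume` mount, the `run=busybox` label) and assumes an `oc` client already logged in to the right project. The one thing it adds is the check the answer's own failure calls for: before the PV is handed to RH-SSO, the owner, group and mode of every file in the original configuration directory are compared with the copy on the volume, so a mismatch is caught while the busybox helper still exists rather than as a crash-looping pod. The `perms_match` helper and the two sample `ls -ln` listings are constructed for this example; the uid 185 in the sample is only a placeholder for whatever user the RH-SSO image runs as.

```shell
#!/bin/sh
# Added example (not from the original answer or the RH-SSO template):
# scripts the PV-based procedure from the answer and adds an ownership/mode
# comparison before the volume is attached to RH-SSO.
# Assumes `oc` is logged in to the project that holds the `sso` deploymentconfig.
set -eu

SSO_DC="${SSO_DC:-sso}"                              # deploymentconfig created by the template
SSO_CONF_DIR="/opt/eap/standalone/configuration"     # where standalone.xml lives in the image
PVC_NAME="${PVC_NAME:-sso-config}"
VOLUME_NAME="${VOLUME_NAME:-sso-volume}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/configuration}"   # local copy of the config dir
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print the oc commands instead of running them

# run: execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# pod_name: first pod matching a label selector, e.g. "run=busybox".
pod_name() {
    oc get pods -l "$1" -o jsonpath='{.items[0].metadata.name}'
}

# Step 1: copy the live configuration directory out of the RH-SSO pod ($1).
backup_config() {
    run oc rsync "$1:$SSO_CONF_DIR" "$(dirname "$BACKUP_DIR")/"
}

# Step 2: throw-away busybox deployment that only exists to receive files.
start_helper() {
    run oc run busybox --image=busybox --wait --command -- /bin/sh -c "while true; do sleep 10; done"
}

# Step 3: create the PVC and mount it into the helper at /configuration.
mount_helper_volume() {
    run oc set volume deploymentconfig busybox --add -t pvc --name="$VOLUME_NAME" \
        --claim-name="$PVC_NAME" --mount-path=/configuration --claim-mode=ReadWriteOnce --claim-size=1Gi
}

# Step 5: push the edited files into the helper pod ($1).
upload_config() {
    run oc rsync "$BACKUP_DIR/" "$1:/configuration/"
}

# Step 6: remove the helper; the PVC survives because it is a separate object.
remove_helper() {
    run oc delete all -l run=busybox --force --grace-period=0
}

# Step 7: hand the populated PVC to RH-SSO.
attach_to_sso() {
    run oc set volume deploymentconfig "$SSO_DC" --add -t pvc --name="$VOLUME_NAME" \
        --claim-name="$PVC_NAME" --mount-path="$SSO_CONF_DIR"
}

# perms_match: given two `ls -ln` listings, succeed only if every file has the
# same mode, numeric uid, numeric gid and name in both. Size and timestamps are
# ignored; the "total N" line (fewer than 9 fields) is skipped.
perms_match() {
    _left=$(printf '%s\n' "$1" | awk 'NF >= 9 { print $1, $3, $4, $NF }' | sort)
    _right=$(printf '%s\n' "$2" | awk 'NF >= 9 { print $1, $3, $4, $NF }' | sort)
    [ "$_left" = "$_right" ]
}

# Constructed sample listings: what the image's own directory might show versus
# a copy that rsync wrote as a different uid/gid with a different umask.
SAMPLE_ORIGINAL='total 8
-rw-rw-r--    1 185      0           4096 Sep 10 12:00 standalone.xml
-rw-rw-r--    1 185      0            512 Sep 10 12:00 application-users.properties'
SAMPLE_UPLOADED='total 8
-rw-r--r--    1 1000     1000        4096 Sep 11 09:00 standalone.xml
-rw-r--r--    1 1000     1000         512 Sep 11 09:00 application-users.properties'

main() {
    sso_pod=$(pod_name "deploymentconfig=$SSO_DC")
    backup_config "$sso_pod"
    echo "Step 4: edit $BACKUP_DIR/standalone.xml now, then press Enter"
    read -r _
    start_helper
    mount_helper_volume
    oc rollout status "deploymentconfig/busybox"
    helper_pod=$(pod_name run=busybox)
    upload_config "$helper_pod"
    # Added check: stop before step 6 if the copy on the PV no longer has the
    # owner/group/mode the image's files had.
    if ! perms_match "$(oc rsh "$sso_pod" ls -ln "$SSO_CONF_DIR")" \
                     "$(oc rsh "$helper_pod" ls -ln /configuration)"; then
        echo "owner/group/mode differ between $SSO_CONF_DIR and the PV copy; fix them in the helper pod first" >&2
        exit 1
    fi
    remove_helper
    attach_to_sso
}

# Only run the full procedure when asked (RUN=1 sh script.sh); otherwise the
# file can be sourced to use the functions individually or in DRY_RUN mode.
if [ "${RUN:-0}" = 1 ]; then main; fi
```

Run with `DRY_RUN=1 RUN=1` first to see every `oc` command the script would issue. When `perms_match` fails, the listings it compared tell you which files came out with a different uid, gid or mode; what corrects that depends on your storage class and pod security context (for volume types that honour it, `securityContext.fsGroup` on the pod spec is the usual knob), which the thread above does not resolve.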
