Chapter 2. Preparing to deploy AMQ Interconnect on OpenShift Container Platform
Before deploying AMQ Interconnect on OpenShift Container Platform, you must complete several preparatory tasks.
2.1. Verifying the availability of AMQ Interconnect templates
You must verify that the AMQ Interconnect application templates are available in the OpenShift Container Platform Catalog. Some versions of OpenShift Container Platform include the templates, so you must check to verify that they are available in your environment. If they are not available, you must install them.
Procedure
Log in to OpenShift as a cluster administrator:
$ oc login -u system:admin
Switch to the
openshift
project.$ oc project openshift
Verify that the latest version of the AMQ Interconnect image stream is available:
$ oc get imagestreamtag -n openshift | grep amq-interconnect:latest
If the latest version of the image stream is available in your environment, you should see
amq-interconnect:latest
in the command output.Is the latest version of AMQ Interconnect image stream available?
- If yes, proceed to the next step.
If no, install the latest version of the image stream.
This command imports the latest AMQ Interconnect image stream into the
openshift
namespace:$ oc import-image amq-interconnect:latest -n openshift --from=registry.access.redhat.com/amq7/amq-interconnect --confirm
Install the AMQ Interconnect application templates:
$ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-basic.yaml | oc create -f - $ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-tls-auth.yaml | oc create -f - $ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-sasldb-auth.yaml | oc create -f -
This creates three AMQ Interconnect application templates, which you can use to deploy AMQ Interconnect on OpenShift Container Platform:
amq-interconnect-1-basic.yaml
- Deploys a router with a basic, default configuration and no security.
amq-interconnect-1-tls-auth.yaml
- Deploys a router with both inter-router and client traffic secured by TLS authentication.
amq-interconnect-1-sasldb-auth.yaml
- Deploys a router with inter-router traffic secured by TLS authentication and client traffic secured by SASL user name and password authentication.
2.2. Creating secrets for SSL/TLS authentication
OpenShift uses objects called Secrets
to hold sensitive information such as SSL/TLS certificates. If you want to secure inter-router traffic, client traffic, or both, then you must create the SSL/TLS certificates and private keys and provide them to OpenShift as secrets.
Procedure
If you do not have an existing certificate authority (CA) certificate for inter-router connections, create one.
These commands create a self-signed CA certificate for inter-router connections:
# Create a new directory for the inter-router certificates. $ mkdir internal-certs # Create a private key for the CA. $ openssl genrsa -out internal-certs/ca-key.pem 2048 # Create a certificate for the CA. $ openssl req -new -batch -key internal-certs/ca-key.pem -out internal-certs/ca-csr.pem # Self sign the certificate. $ openssl x509 -req -in internal-certs/ca-csr.pem -signkey internal-certs/ca-key.pem -out internal-certs/ca.crt
Create a certificate for the router signed by the CA.
These commands create a private key and a certificate, and sign the certificate using the CA created in the previous step:
# Create a private key. $ openssl genrsa -out internal-certs/tls.key 2048 # Create a certificate for the router. $ openssl req -new -batch -subj "/CN=amq-interconnect.myproject.svc.cluster.local" -key internal-certs/tls.key -out internal-certs/server-csr.pem # Sign the certificate using the CA. $ openssl x509 -req -in internal-certs/server-csr.pem -CA internal-certs/ca.crt -CAkey internal-certs/ca-key.pem -out internal-certs/tls.crt -CAcreateserial
Create a secret containing the private key, router certificate, and CA certificate.
This command creates the secret using the key and certificates that were created in the previous steps:
$ oc create secret generic inter-router-certs --from-file=tls.crt=internal-certs/tls.crt --from-file=tls.key=internal-certs/tls.key --from-file=ca.crt=internal-certs/ca.crt
If you want to use SSL/TLS to authenticate client connections (as opposed to authenticating clients using SASL), create a CA certificate for client connections.
These commands create a self-signed CA certificate for client connections:
# Create a new directory for the client certificates. $ mkdir client-certs # Create a private key for the CA. $ openssl genrsa -out client-certs/ca-key.pem 2048 # Create a certificate for the CA. $ openssl req -new -batch -key client-certs/ca-key.pem -out client-certs/ca-csr.pem # Self sign the certificate. $ openssl x509 -req -in client-certs/ca-csr.pem -signkey client-certs/ca-key.pem -out client-certs/ca.crt
Create a certificate for client connections signed by the CA.
These commands create a private key and a certificate, and then sign the certificate using the CA created in the previous step:
# Create a private key. $ openssl genrsa -out client-certs/tls.key 2048 # Create a certificate for the client connections. $ openssl req -new -batch -subj "/CN=myclient" -key client-certs/tls.key -out client-certs/client-csr.pem # Sign the certificate using the CA. $ openssl x509 -req -in client-certs/client-csr.pem -CA client-certs/ca.crt -CAkey client-certs/ca-key.pem -out client-certs/tls.crt -CAcreateserial
Create a secret containing the CA certificate used to sign client certificates.
This command creates the secret using the certificate that was created in the previous steps:
$ oc create secret generic client-ca --from-file=ca.crt=client-certs/ca.crt
2.3. Creating secrets for SASL authentication
To authenticate clients against user name and password pairs stored in a SASL database, you must create a list containing the user names and passwords, and provide it to OpenShift as a secret.
When using SASL user name and password authentication to connect to a router, you must provide the user name qualified with the domain. For a router running in OpenShift, the domain is the application name (amq-interconnect
by default).
Procedure
Create a text file containing the client user names and passwords.
Use the following syntax: <username>=<password>.
In this example, the user names and passwords are defined for three users:
users.txt
guest=guest admin=admin123 dev=dev123
Create a secret containing the user names and passwords.
This command creates a secret (
users
) containing theusers.txt
file created in the previous step.$ oc create secret generic users --from-env-file=./users.txt --dry-run=true -o yaml | oc apply -f -