Chapter 8. Reference
8.1. Custom Resource configuration reference
A Custom Resource Definition (CRD) is a schema of configuration items for a custom OpenShift object deployed with an Operator. By deploying a corresponding Custom Resource (CR) instance, you specify values for configuration items shown in the CRD.
The following sub-sections detail the configuration items that you can set in Custom Resource instances based on the main broker CRD.
8.1.1. Broker Custom Resource configuration reference
A CR instance based on the main broker CRD enables you to configure brokers for deployment in an OpenShift project. The following table describes the items that you can configure in the CR instance.
Configuration items marked with an asterisk (*) are required in any corresponding Custom Resource (CR) that you deploy. If you do not explicitly specify a value for a non-required item, the configuration uses the default value.
Entry | Sub-entry | Description and usage |
---|---|---|
| Administrator user name required for connecting to the broker and management console.
If you do not specify a value, the value is automatically generated and stored in a secret. The default secret name has a format of Type: string Example: my-user Default value: Automatically-generated, random value | |
| Administrator password required for connecting to the broker and management console.
If you do not specify a value, the value is automatically generated and stored in a secret. The default secret name has a format of Type: string Example: my-password Default value: Automatically-generated, random value | |
| Append a custom domain to the host name in routes and ingresses that are created for acceptors, connectors and the management console. Type: string Example: mydomain.com | |
| Broker deployment configuration | |
| Full path of the broker container image used for each broker in the deployment.
You do not need to explicitly specify a value for To learn how the Operator chooses a broker container image to use, see Section 2.7, “How the Operator chooses container images”. Type: string Example: registry.redhat.io/amq7/amq-broker-rhel8@sha256:55ae4e28b100534d63c34ab86f69230d274c999d46d1493f26fe3e75ba7a0cec Default value: placeholder | |
| Number of broker Pods to create in the deployment.
If you specify a value of 2 or greater, your broker deployment is clustered by default. The cluster user name and password are automatically generated and stored in the same secret as Type: int Example: 1 Default value: 1 | |
| Specify whether login credentials are required to connect to the broker. Type: Boolean Example: false Default value: true | |
|
Specify whether to use journal storage for each broker Pod in the deployment. If set to Type: Boolean Example: false Default value: true | |
| Init Container image used to configure the broker.
You do not need to explicitly specify a value for To learn how the Operator chooses a built-in Init Container image to use, see Section 2.7, “How the Operator chooses container images”. To learn how to specify a custom Init Container image, see Section 4.11, “Specifying a custom Init Container image”. Type: string Example: registry.redhat.io/amq7/amq-broker-init-rhel8@sha256:442339c33549f2be9fe3b5c71184a753a3cf10b000b2ecc5bc9a062dd91c8def Default value: Not specified | |
| Specify whether to use asynchronous I/O (AIO) or non-blocking I/O (NIO). Type: string Example: aio Default value: nio | |
| When a broker Pod shuts down due to an intentional scaledown of the broker deployment, specify whether to migrate messages to another broker Pod that is still running in the broker cluster. Type: Boolean Example: false Default value: true | |
| Maximum amount of host-node CPU, in millicores, that each broker container running in a Pod in a deployment can consume. Type: string Example: "500m" Default value: Uses the same default value that your version of OpenShift Container Platform uses. Consult a cluster administrator. | |
| Maximum amount of host-node memory, in bytes, that each broker container running in a Pod in a deployment can consume. Supports byte notation (for example, K, M, G), or the binary equivalents (Ki, Mi, Gi). Type: string Example: "1024M" Default value: Uses the same default value that your version of OpenShift Container Platform uses. Consult a cluster administrator. | |
| Amount of host-node CPU, in millicores, that each broker container running in a Pod in a deployment explicitly requests. Type: string Example: "250m" Default value: Uses the same default value that your version of OpenShift Container Platform uses. Consult a cluster administrator. | |
| Amount of host-node memory, in bytes, that each broker container running in a Pod in a deployment explicitly requests. Supports byte notation (for example, K, M, G), or the binary equivalents (Ki, Mi, Gi). Type: string Example: "512M" Default value: Uses the same default value that your version of OpenShift Container Platform uses. Consult a cluster administrator. | |
|
Size, in bytes, of the Persistent Volume Claim (PVC) that each broker in a deployment requires for persistent storage. This property applies only when Type: string Example: 4Gi Default value: 2Gi | |
|
Specifies whether the Jolokia JVM Agent is enabled for the brokers in the deployment. If the value of this property is set to Type: Boolean Example: true Default value: false | |
|
Specifies whether role-based access control (RBAC) is enabled for the brokers in the deployment. To use Fuse Console, you must set the value to Type: Boolean Example: false Default value: true | |
| Specifies scheduling constraints for pods. For information about affinity properties, see the properties in the OpenShift Container Platform documentation. | |
| Specifies the pod’s tolerations. For information about tolerations properties, see the properties in the OpenShift Container Platform documentation. | |
| Specify a label that matches a node’s labels for the pod to be scheduled on that node. | |
| Specifies the name of the storage class to use for the Persistent Volume Claim (PVC). Storage classes provide a way for administrators to describe and classify the available storage. For example, a storage class might have specific quality-of-service levels, backup policies, or other administrative policies associated with it. Type: string Example: gp3 Default value: Not specified | |
| Configure a startup probe to check if the AMQ Broker application within the broker container has started. For information about startup probe properties, see the properties in the OpenShift Container Platform documentation. | |
| Configures a periodic health check on a running broker container to check that the broker is running. For information about liveness probe properties, see the properties in the OpenShift Container Platform documentation. | |
| Configures a periodic health check on a running broker container to check that the broker is accepting network traffic. For information about readiness probe properties, see the properties in the OpenShift Container Platform documentation. | |
| Mounts a secret or configMAP, that contains configuration information, as a file on a broker Pod. For example, you can mount a secret that contains customized logging configuration for AMQ Broker. Type: object Example See Section 4.18, “Configuring logging for brokers” Default value: Not specified | |
| Assign labels to a broker pod. Type: string Example: location: "production" Default value: Not specified | |
| Defines the security options used to run the broker pods. The following default security values allow the broker pods to run on a OpenShift Container Platform restricted security context constraint (SCC):
If you want the broker to run on a custom SCC, you can configure the following
For information on the | |
| Defines the security options used to run the broker containers in the pods. With the following default values, the containers run on a OpenShift Container Platform restricted security context constraint (SCC):
If you want the broker to run on a custom SCC, you can configure the following
For information on the | |
| Specify a service account name for the broker pod. Type: string Example: amq-broker-controller-manager Default value: default | |
| Configuration of broker management console. | |
| Specify whether to expose the management console to clients outside OpenShift Container Platform. Type: Boolean Example: true Default value: false | |
| Specify whether to expose the management console by using a route or an ingress. By default, the management console is exposed by using a route only. Type: String Example: ingress Default value: route
If you expose the console by using an ingress, you must specify an | |
| Specify a custom host value for routes and ingresses exposed for the management console. You can include any the following variables in the host value:
* $(CR_NAME) - The value of the * $(CR_NAMESPACE) - The namespace of the custom resource. * $(BROKER_ORDINAL) - The ordinal number assigned to the broker pod by the StatefulSet.
* $(ITEM_NAME) - The name of the console. The default name is
* $(RES_TYPE) - The resource type. A route has a resource type of
* $(INGRESS_DOMAIN) - The value of the Type: string Example: console-$(CR_NAME)-$(ITEM_NAME)-$(BROKER_ORDINAL).mydomain.com | |
| Specify whether to use SSL on the management console port. Type: Boolean Example: true Default value: false | |
|
Secret where broker key store, trust store, and their corresponding passwords (all Base64-encoded) are stored. If you do not specify a value for Type: string Example: my-broker-deployment-console-secret Default value: Not specified | |
| Specify whether the management console requires client authorization. Type: Boolean Example: true Default value: false | |
| A single acceptor configuration instance. | |
| Name of acceptor. Type: string Example: my-acceptor Default value: Not applicable | |
| Port number to use for the acceptor instance. Type: int Example: 5672 Default value: 61626 for the first acceptor that you define. The default value then increments by 10 for every subsequent acceptor that you define. | |
| Messaging protocols to be enabled on the acceptor instance. Type: string Example: amqp,core Default value: all | |
|
Specify whether SSL is enabled on the acceptor port. If set to Type: Boolean Example: true Default value: false | |
| Secret where broker key store, trust store, and their corresponding passwords (all Base64-encoded) are stored.
If you do not specify a custom secret name for You must always create this secret yourself, even when the acceptor assumes a default name. Type: string Example: my-broker-deployment-my-acceptor-secret Default value: <custom_resource_name>-<acceptor_name>-secret | |
| Comma-separated list of cipher suites to use for TLS communication.
Specify the most secure cipher suite(s) supported by your client application. If you specify a comma-separated list of cipher suites that are common to both the broker and the client, or you do not specify any cipher suites, the broker and client mutually negotiate a cipher suite to use. If you do not know which cipher suites to specify, you can first establish a broker-client connection with your client running in debug mode to verify the cipher suites that are common to both the broker and the client. Then, configure
The cipher suites available depend on the TLS protocol versions used by the broker and clients. If the default TLS protocol version changes after you upgrade the broker, you might need to select an earlier TLS protocol version to ensure that the broker and the clients can use a common cipher suite. For more information, see Type: string Default value: Not specified | |
| Comma-separated list of protocols to use for TLS communication. Type: string Example: TLSv1,TLSv1.1,TLSv1.2 Default value: Not specified
If you don’t specify a TLS protocol version, the broker uses the JVM’s default version. If the broker uses the JVM’s default TLS protocol version and that version changes after you upgrade the broker, the TLS protocol versions used by the broker and clients might be incompatible. While it is recommended that you use the later TLS protocol version, you can specify an earlier version in | |
| The name of the provider of the keystore that the broker uses. Type: string Example: SunJCE Default value: Not specified | |
| The name of the provider of the truststore that the broker uses. Type: string Example: SunJCE Default value: Not specified | |
| The type of truststore that the broker uses. Type: string Example: JCEKS Default value: JKS | |
|
Specify whether the broker informs clients that two-way TLS is required on the acceptor. This property overrides Type: Boolean Example: true Default value: Not specified | |
|
Specify whether the broker informs clients that two-way TLS is requested on the acceptor, but not required. This property is overridden by Type: Boolean Example: true Default value: Not specified | |
| Specify whether to compare the Common Name (CN) of a client’s certificate to its host name, to verify that they match. This option applies only when two-way TLS is used. Type: Boolean Example: true Default value: Not specified | |
| Specify whether the SSL provider is JDK or OPENSSL. Type: string Example: OPENSSL Default value: JDK | |
|
Regular expression to match against the Type: string Example: some_regular_expression Default value: Not specified | |
| Specify whether to expose the acceptor to clients outside OpenShift Container Platform. Type: Boolean Example: true Default value: false | |
| Specify whether to expose the acceptor by using a route or an ingress. By default, an acceptor is exposed using a route only. Type: String Example: ingress Default value: route
If you expose a connector by using an ingress, you must include the | |
| Specify a custom host value for routes and ingress exposed for the acceptor. You can include any of the following variables for the host:
* $(CR_NAME) - The value of the * $(CR_NAMESPACE) - The namespace of the custom resource. * $(BROKER_ORDINAL) - The ordinal number assigned to the broker pod by the StatefulSet. * $(ITEM_NAME) - The name of the acceptor.
* $(RES_TYPE) - The resource type. A route has a resource type of
* $(INGRESS_DOMAIN) - The value of the Type: string Example: my-acceptor-$(CR_NAME)-$(ITEM_NAME)-$(BROKER_ORDINAL).mydomain.com | |
|
Prefix used by a client to specify that the Type: string Example: jms.queue Default value: Not specified | |
|
Prefix used by a client to specify that the Type: string Example: /topic/ Default value: Not specified | |
| Number of connections allowed on the acceptor. When this limit is reached, a DEBUG message is issued to the log, and the connection is refused. The type of client in use determines what happens when the connection is refused. Type: integer Example: 2 Default value: 0 (unlimited connections) | |
|
Minimum message size, in bytes, required for the broker to handle an AMQP message as a large message. If the size of an AMQP message is equal or greater to this value, the broker stores the message in a large messages directory ( Type: integer Example: 204800 Default value: 102400 (100 KB) | |
| If set to true, configures the broker acceptors with a 0.0.0.0 IP address instead of the internal IP address of the pod. When the broker acceptors have a 0.0.0.0 IP address, they bind to all interfaces configured for the pod and clients can direct traffic to the broker by using OpenShift Container Platform port-forwarding. Normally, you use this configuration to debug a service. For more information about port-forwarding, see Using port-forwarding to access applications in a container in the OpenShift Container Platform documentation. Note If port-forwarding is used incorrectly, it can create a security risk for your environment. Where possible, do not use port-forwarding in a production environment. Type: Boolean Example: true Default value: false | |
| A single connector configuration instance. | |
| Name of connector. Type: string Example: my-connector Default value: Not applicable | |
|
The type of connector to create; Type: string Example: vm Default value: tcp | |
| Host name or IP address to connect to. Type: string Example: 192.168.0.58 Default value: Not specified | |
| Port number to be used for the connector instance. Type: int Example: 22222 Default value: Not specified | |
|
Specify whether SSL is enabled on the connector port. If set to Type: Boolean Example: true Default value: false | |
| Secret where broker key store, trust store, and their corresponding passwords (all Base64-encoded) are stored.
If you do not specify a custom secret name for You must always create this secret yourself, even when the connector assumes a default name. Type: string Example: my-broker-deployment-my-connector-secret Default value: <custom_resource_name>-<connector_name>-secret | |
| Comma-separated list of cipher suites to use for TLS communication. Type: string NOTE: For a connector, it is recommended that you do not specify a list of cipher suites. Default value: Not specified | |
| The name of the provider of the keystore that the broker uses. Type: string Example: SunJCE Default value: Not specified | |
| The name of the provider of the truststore that the broker uses. Type: string Example: SunJCE Default value: Not specified | |
| The type of truststore that the broker uses. Type: string Example: JCEKS Default value: JKS | |
| Comma-separated list of protocols to use for TLS communication. Type: string Example: TLSv1,TLSv1.1,TLSv1.2 Default value: Not specified | |
|
Specify whether the broker informs clients that two-way TLS is required on the connector. This property overrides Type: Boolean Example: true Default value: Not specified | |
|
Specify whether the broker informs clients that two-way TLS is requested on the connector, but not required. This property is overridden by Type: Boolean Example: true Default value: Not specified | |
| Specify whether to compare the Common Name (CN) of client’s certificate to its host name, to verify that they match. This option applies only when two-way TLS is used. Type: Boolean Example: true Default value: Not specified | |
|
Specify whether the SSL provider is Type: string Example: OPENSSL Default value: JDK | |
|
Regular expression to match against the Type: string Example: some_regular_expression Default value: Not specified | |
| Specify whether to expose the connector to clients outside OpenShift Container Platform. Type: Boolean Example: true Default value: false | |
| Specify whether to expose the connector by using a route or an ingress. By default, a connector is exposed using a route only. Type: string Example: ingress Default value: route
If you expose a connector by using an ingress, you must include the | |
| Specify a custom host value for routes and ingresses exposed for the connector. You can include any the following variables in the host value:
* $(CR_NAME) - The value of the * $(CR_NAMESPACE) - The namespace of the custom resource. * $(BROKER_ORDINAL) - The ordinal number assigned to the broker pod by the StatefulSet. * $(ITEM_NAME) - The name of the connector.
* $(RES_TYPE) - The resource type. A route has a resource type of
* $(INGRESS_DOMAIN) - The value of the Type: string Example: my-connector-$(CR_NAME)-$(ITEM_NAME)-$(BROKER_ORDINAL).$(INGRESS_DOMAIN).mydomain.com | |
| Specifies how the Operator applies the configuration that you add to the CR for each matching address or set of addresses. The values that you can specify are:
Type: string Example: replace_all Default value: merge_all | |
| Address settings for a matching address or set of addresses. | |
|
Specify what happens when an address configured with
Type: string Example: DROP Default value: PAGE | |
| Specify whether the broker automatically creates an address when a client sends a message to, or attempts to consume a message from, a queue that is bound to an address that does not exist. Type: Boolean Example: false Default value: true | |
| Specify whether the broker automatically creates a dead letter address and queue to receive undelivered messages.
If the parameter is set to Type: Boolean Example: true Default value: false | |
| Specify whether the broker automatically creates an address and queue to receive expired messages.
If the parameter is set to Type: Boolean Example: true Default value: false | |
|
This property is deprecated. Use | |
|
This property is deprecated. Use | |
| Specify whether the broker automatically creates a queue when a client sends a message to, or attempts to consume a message from, a queue that does not yet exist. Type: Boolean Example: false Default value: true | |
| Specify whether the broker automatically deletes automatically-created addresses when the broker no longer has any queues. Type: Boolean Example: false Default value: true | |
| Time, in milliseconds, that the broker waits before automatically deleting an automatically-created address when the address has no queues. Type: integer Example: 100 Default value: 0 | |
|
This property is deprecated. Use | |
|
This property is deprecated. Use | |
| Specify whether the broker automatically deletes an automatically-created queue when the queue has no consumers and no messages. Type: Boolean Example: false Default value: true | |
| Specify whether the broker automatically deletes a manually-created queue when the queue has no consumers and no messages. Type: Boolean Example: true Default value: false | |
| Time, in milliseconds, that the broker waits before automatically deleting an automatically-created queue when the queue has no consumers. Type: integer Example: 10 Default value: 0 | |
| Maximum number of messages that can be in a queue before the broker evaluates whether the queue can be automatically deleted. Type: integer Example: 5 Default value: 0 | |
| When the configuration file is reloaded, this parameter specifies how to handle an address (and its queues) that has been deleted from the configuration file. You can specify the following values:
Type: string Example: FORCE Default value: OFF | |
| When the configuration file is reloaded, this setting specifies how the broker handles queues that have been deleted from the configuration file. You can specify the following values:
Type: string Example: FORCE Default value: OFF | |
| The address to which the broker sends dead (that is, undelivered) messages. Type: string Example: DLA Default value: None | |
| Prefix that the broker applies to the name of an automatically-created dead letter queue. Type: string Example: myDLQ. Default value: DLQ. | |
| Suffix that the broker applies to an automatically-created dead letter queue. Type: string Example: .DLQ Default value: None | |
| Routing type used on automatically-created addresses. Type: string Example: ANYCAST Default value: MULTICAST | |
| Number of consumers needed before message dispatch can begin for queues on an address. Type: integer Example: 5 Default value: 0 | |
| Default window size, in bytes, for a consumer. Type: integer Example: 300000 Default value: 1048576 (1024*1024) | |
|
Default time, in milliseconds, that the broker waits before dispatching messages if the value specified for Type: integer Example: 5 Default value: -1 (no delay) | |
| Specifies whether all queues on an address are exclusive queues by default. Type: Boolean Example: true Default value: false | |
| Number of buckets to use for message grouping. Type: integer Example: 0 (message grouping disabled) Default value: -1 (no limit) | |
| Key used to indicate to a consumer which message in a group is first. Type: string Example: firstMessageKey Default value: None | |
| Specifies whether to rebalance groups when a new consumer connects to the broker. Type: Boolean Example: true Default value: false | |
| Specifies whether to pause message dispatch while the broker is rebalancing groups. Type: Boolean Example: true Default value: false | |
| Specifies whether all queues on an address are last value queues by default. Type: Boolean Example: true Default value: false | |
| Default key to use for a last value queue. Type: string Example: stock_ticker Default value: None | |
| Maximum number of consumers allowed on a queue at any time. Type: integer Example: 100 Default value: -1 (no limit) | |
| Specifies whether all queues on an address are non-destructive by default. Type: Boolean Example: true Default value: false | |
| Specifies whether the broker purges the contents of a queue once there are no consumers. Type: Boolean Example: true Default value: false | |
|
Routing type used on automatically-created queues. The default value is Type: string Example: ANYCAST Default value: MULTICAST | |
| Default ring size for a matching queue that does not have a ring size explicitly set. Type: integer Example: 3 Default value: -1 (no size limit) | |
| Specifies whether a configured metrics plugin such as the Prometheus plugin collects metrics for a matching address or set of addresses. Type: Boolean Example: false Default value: true | |
| Address that receives expired messages. Type: string Example: myExpiryAddress Default value: None | |
| Expiration time, in milliseconds, applied to messages that are using the default expiration time. Type: integer Example: 100 Default value: -1 (no expiration time applied) | |
| Prefix that the broker applies to the name of an automatically-created expiry queue. Type: string Example: myExp. Default value: EXP. | |
| Suffix that the broker applies to the name of an automatically-created expiry queue. Type: string Example: .EXP Default value: None | |
| Specify whether a queue uses only last values or not. Type: Boolean Example: true Default value: false | |
| Specify how many messages a management resource can browse. Type: integer Example: 100 Default value: 200 | |
| String that matches address settings to addresses configured on the broker. You can specify an exact address name or use a wildcard expression to match the address settings to a set of addresses.
If you use a wildcard expression as a value for the Type: string Example: 'myAddresses*' Default value: None | |
| Specifies how many times the broker attempts to deliver a message before sending the message to the configured dead letter address. Type: integer Example: 20 Default value: 10 | |
| Expiration time, in milliseconds, applied to messages that are using an expiration time greater than this value. Type: integer Example: 20 Default value: -1 (no maximum expiration time applied) | |
| Maximum value, in milliseconds, between message redelivery attempts made by the broker. Type: integer Example: 100
Default value: The default value is ten times the value of | |
|
Maximum memory size, in bytes, for an address. Used when Type: string Example: 10Mb Default value: -1 (no limit) | |
|
Maximum size, in bytes, that an address can reach before the broker begins to reject messages. Used when the Type: integer Example: 500 Default value: -1 (no maximum size) | |
| Number of days for which a broker keeps a message counter history for an address. Type: integer Example: 5 Default value: 0 | |
| Expiration time, in milliseconds, applied to messages that are using an expiration time lower than this value. Type: integer Example: 20 Default value: -1 (no minimum expiration time applied) | |
| Number of page files to keep in memory to optimize I/O during paging navigation. Type: integer Example: 10 Default value: 5 | |
|
Paging size in bytes. Also supports byte notation such as Type: string Example: 20971520 Default value: 10485760 (approximately 10.5 MB) | |
| Time, in milliseconds, that the broker waits before redelivering a cancelled message. Type: integer Example: 100 Default value: 0 | |
| Time, in milliseconds, that the broker waits after the last consumer is closed on a queue before redistributing any remaining messages. Type: integer Example: 100 Default value: -1 (not set) | |
| Number of messages to keep for future queues created on an address. Type: integer Example: 100 Default value: 0 | |
| Specify whether a message will be sent to the configured dead letter address if it cannot be routed to any queues. Type: Boolean Example: true Default value: false | |
| How often, in seconds, that the broker checks for slow consumers. Type: integer Example: 15 Default value: 5 | |
|
Specifies what happens when a slow consumer is identified. Valid options are Type: string Example: KILL Default value: NOTIFY | |
| Minimum rate of message consumption, in messages per second, before a consumer is considered slow. Type: integer Example: 100 Default value: -1 (not set) | |
|
| Set environment variables for the broker. Type: array Example:
name: TZ Default value: Not applicable |
| Configure broker properties that are not exposed in the broker’s Custom Resource Definitions (CRDs) and are, otherwise, not configurable in a Custom Resource(CR). | |
| A list of property names and values to configure for the broker. Type: string Example: globalMaxSize=512m Default value: Not applicable | |
|
Specify the version of the AMQ Broker container images that you want the Operator to deploy. For example, if you change the value of
You can omit the micro and minor digits from the version number to automatically upgrade to the broker images that are available for the latest micro or minor release. For example, if you specify a version of Type: string Example: 7.12.3 Default value: Current version of AMQ Broker |
8.1.2. Address Custom Resource configuration reference
A CR instance based on the address CRD enables you to define addresses and queues for the brokers in your deployment. The following table details the items that you can configure.
Configuration items marked with an asterisk (*) are required in any corresponding Custom Resource (CR) that you deploy. If you do not explicitly specify a value for a non-required item, the configuration uses the default value.
Entry | Description and usage |
---|---|
| Address name to be created on broker. Type: string Example: address0 Default value: Not specified |
|
Queue name to be created on broker. If Type: string Example: queue0 Default value: Not specified |
|
Specify whether the Operator removes existing addresses for all brokers in a deployment when you remove the address CR instance for that deployment. The default value is Type: Boolean Example: true Default value: false |
|
Routing type to be used; Type: string Example: anycast Default value: multicast |
8.1.3. Security Custom Resource configuration reference
A CR instance based on the security CRD enables you to define the security configuration for the brokers in your deployment, including:
- users and roles
-
login modules, including
propertiesLoginModule
,guestLoginModule
andkeycloakLoginModule
- role based access control
- console access control
Many of the options require you understand the broker security concepts described in Securing brokers
The following table details the items that you can configure.
Configuration items marked with an asterisk (*) are required in any corresponding Custom Resource (CR) that you deploy. If you do not explicitly specify a value for a non-required item, the configuration uses the default value.
Entry | Sub-entry | Description and usage |
---|---|---|
loginModules | One or more login module configurations. A login module can be one of the following types:
| |
propertiesLoginModule | name* | Name of login module. Type: string Example: my-login Default value: Not applicable |
users.name* | Name of user. Type: string Example: jdoe Default value: Not applicable | |
users.password* | password of user. Type: string Example: password Default value: Not applicable | |
users.roles | Names of roles. Type: string Example: viewer Default value: Not applicable | |
guestLoginModule | name* | Name of guest login module. Type: string Example: guest-login Default value: Not applicable |
guestUser | Name of guest user. Type: string Example: myguest Default value: Not applicable | |
guestRole | Name of role for guest user. Type: string Example: guest Default value: Not applicable | |
keycloakLoginModule | name | Name for KeycloakLoginModule Type: string Example: sso Default value: Not applicable |
moduleType | Type of KeycloakLoginModule (directAccess or bearerToken) Type: string Example: bearerToken Default value: Not applicable | |
configuration | The following configuration items are related to Red Hat Single Sign-On and detailed information is available from the OpenID Connect documentation. | |
configuration.realm* | Realm for KeycloakLoginModule Type: string Example: myrealm Default value: Not applicable | |
configuration.realmPublicKey | Public key for the realm Type: string Default value: Not applicable | |
configuration.authServerUrl* | URL of the keycloak authentication server Type: string Default value: Not applicable | |
configuration.sslRequired | Specify whether SSL is required Type: string Valid values are 'all', 'external' and 'none'. | |
configuration.resource* | Resource Name The client-id of the application. Each application has a client-id that is used to identify the application. | |
configuration.publicClient | Specify whether it is public client. Type: Boolean Default value: false Example: false | |
configuration.credentials.key | Specify the credentials key. Type: string Default value: Not applicable Type: string Default value: Not applicable | |
configuration.credentials.value | Specify the credentials value Type: string Default value: Not applicable | |
configuration.useResourceRoleMappings | Specify whether to use resource role mappings Type: Boolean Example: false | |
configuration.enableCors | Specify whether to enable Cross-Origin Resource Sharing (CORS) It will handle CORS preflight requests. It will also look into the access token to determine valid origins. Type: Boolean Default value: false | |
configuration.corsMaxAge | CORS max age If CORS is enabled, this sets the value of the Access-Control-Max-Age header. | |
configuration.corsAllowedMethods | CORS allowed methods If CORS is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. | |
configuration.corsAllowedHeaders | CORS allowed headers If CORS is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. | |
configuration.corsExposedHeaders | CORS exposed headers If CORS is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. | |
configuration.exposeToken | Specify whether to expose access token Type: Boolean Default value: false | |
configuration.bearerOnly | Specify whether to verify bearer token Type: Boolean Default value: false | |
configuration.autoDetectBearerOnly | Specify whether to only auto-detect bearer token Type: Boolean Default value: false | |
configuration.connectionPoolSize | Size of the connection pool Type: Integer Default value: 20 | |
configuration.allowAnyHostName | Specify whether to allow any host name Type: Boolean Default value: false | |
configuration.disableTrustManager | Specify whether to disable trust manager Type: Boolean Default value: false | |
configuration.trustStore* | Path of a trust store This is REQUIRED unless ssl-required is none or disable-trust-manager is true. | |
configuration.trustStorePassword* | Truststore password This is REQUIRED if truststore is set and the truststore requires a password. | |
configuration.clientKeyStore | Path of a client keystore Type: string Default value: Not applicable | |
configuration.clientKeyStorePassword | Client keystore password Type: string Default value: Not applicable | |
configuration.clientKeyPassword | Client key password Type: string Default value: Not applicable | |
configuration.alwaysRefreshToken | Specify whether to always refresh token Type: Boolean Example: false | |
configuration.registerNodeAtStartup | Specify whether to register node at startup Type: Boolean Example: false | |
configuration.registerNodePeriod | Period for re-registering node Type: string Default value: Not applicable | |
configuration.tokenStore | Type of token store (session or cookie) Type: string Default value: Not applicable | |
configuration.tokenCookiePath | Cookie path for a cookie store Type: string Default value: Not applicable | |
configuration.principalAttribute | OpenID Connect ID Token attribute to populate the UserPrincipal name with OpenID Connect ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name. | |
configuration.proxyUrl | The proxy URL | |
configuration.turnOffChangeSessionIdOnLogin | Specify whether to change session id on a successful login Type: Boolean Example: false | |
configuration.tokenMinimumTimeToLive | Minimum time to refresh an active access token Type: Integer Default value: 0 | |
configuration.minTimeBetweenJwksRequests | Minimum interval between two requests to Keycloak to retrieve new public keys Type: Integer Default value: 10 | |
configuration.publicKeyCacheTtl | Maximum interval between two requests to Keycloak to retrieve new public keys Type: Integer Default value: 86400 | |
configuration.ignoreOauthQueryParameter | Whether to turn off processing of the access_token query parameter for bearer token processing Type: Boolean Example: false | |
configuration.verifyTokenAudience | Verify whether the token contains this client name (resource) as an audience Type: Boolean Example: false | |
configuration.enableBasicAuth | Whether to support basic authentication Type: Boolean Default value: false | |
configuration.confidentialPort | The confidential port used by the Keycloak server for secure connections over SSL/TLS Type: Integer Example: 8443 | |
configuration.redirectRewriteRules.key | The regular expression used to match the Redirect URI. Type: string Default value: Not applicable | |
configuration.redirectRewriteRules.value | The replacement String Type: string Default value: Not applicable | |
configuration.scope | The OAuth2 scope parameter for DirectAccessGrantsLoginModule Type: string Default value: Not applicable | |
securityDomains | Broker security domains | |
brokerDomain.name | Broker domain name Type: string Example: activemq Default value: Not applicable | |
brokerDomain.loginModules |
One or more login modules. Each entry must be previously defined in the | |
brokerDomain.loginModules.name | Name of login module Type: string Example: prop-module Default value: Not applicable | |
brokerDomain.loginModules.flag |
Same as propertiesLoginModule, Type: string Example: sufficient Default value: Not applicable | |
brokerDomain.loginModules.debug | Debug | |
brokerDomain.loginModules.reload | Reload | |
consoleDomain.name | Broker domain name Type: string Example: activemq Default value: Not applicable | |
consoleDomain.loginModules | A single login module configuration. | |
consoleDomain.loginModules.name | Name of login module Type: string Example: prop-module Default value: Not applicable | |
consoleDomain.loginModules.flag |
Same as propertiesLoginModule, Type: string Example: sufficient Default value: Not applicable | |
consoleDomain.loginModules.debug | Debug Type: Boolean Example: false | |
consoleDomain.loginModules.reload | Reload Type: Boolean Example: true Default: false | |
securitySettings |
Additional security settings to add to | |
broker.match | The address match pattern for a security setting section. See AMQ Broker wildcard syntax for details about the match pattern syntax. | |
broker.permissions.operationType | The operation type of a security setting, as described in Setting permissions. Type: string Example: createAddress Default value: Not applicable | |
broker.permissions.roles | The security settings are applied to these roles, as described in Setting permissions. Type: string Example: root Default value: Not applicable | |
securitySettings.management |
Options to configure | |
hawtioRoles | The roles allowed to log into the Broker console. Type: string Example: root Default value: Not applicable | |
connector.host | The connector host for connecting to the management API. Type: string Example: myhost Default value: localhost | |
connector.port | The connector port for connecting to the management API. Type: integer Example: 1099 Default value: 1099 | |
connector.jmxRealm | The JMX realm of the management API. Type: string Example: activemq Default value: activemq | |
connector.objectName | The JMX object name of the management API. Type: String Example: connector:name=rmi Default: connector:name=rmi | |
connector.authenticatorType | The management API authentication type. Type: String Example: password Default: password | |
connector.secured | Whether the management API connection is secured. Type: Boolean Example: true Default value: false | |
connector.keyStoreProvider | The keystore provider for the management connector. Required if you have set connector.secured="true". The default value is JKS. | |
connector.keyStorePath | Location of the keystore. Required if you have set connector.secured="true". | |
connector.keyStorePassword | The keystore password for the management connector. Required if you have set connector.secured="true". | |
connector.trustStoreProvider | The truststore provider for the management connector Required if you have set connector.secured="true". Type: String Example: JKS Default: JKS | |
connector.trustStorePath | Location of the truststore for the management connector. Required if you have set connector.secured="true". Type: string Default value: Not applicable | |
connector.trustStorePassword | The truststore password for the management connector. Required if you have set connector.secured="true". Type: string Default value: Not applicable | |
connector.passwordCodec | The password codec for management connector The fully qualified class name of the password codec to use as described in Encrypting a password in a configuration file. | |
authorisation.allowedList.domain | The domain of allowedList Type: string Default value: Not applicable | |
authorisation.allowedList.key | The key of allowedList Type: string Default value: Not applicable | |
authorisation.defaultAccess.method | The method of defaultAccess List Type: string Default value: Not applicable | |
authorisation.defaultAccess.roles | The roles of defaultAccess List Type: string Default value: Not applicable | |
authorisation.roleAccess.domain | The domain of roleAccess List Type: string Default value: Not applicable | |
authorisation.roleAccess.key | The key of roleAccess List Type: string Default value: Not applicable | |
authorisation.roleAccess.accessList.method | The method of roleAccess List Type: string Default value: Not applicable | |
authorisation.roleAccess.accessList.roles | The roles of roleAccess List Type: string Default value: Not applicable | |
applyToCrNames | Apply this security config to the brokers defined by the named CRs in the current namespace. A value of * or empty string means applying to all brokers. Type: string Example: my-broker Default value: All brokers defined by CRs in the current namespace. |
8.2. Example JAAS login module configurations
The following example shows a JAAS login module configuration that has both a properties login module and an LDAP login module configured. The properties login module references the default login module that contains the credentials used by the Operator to authenticate with the broker.
activemq { org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required debug=true initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connectionURL="LDAP://localhost:389" connectionUsername="CN=Administrator,CN=Users,OU=System,DC=example,DC=com" connectionPassword=redhat.123 connectionProtocol=s connectionTimeout="5000" authentication=simple userBase="dc=example,dc=com" userSearchMatching="(CN={0})" userSearchSubtree=true readTimeout="5000" roleBase="dc=example,dc=com" roleName=cn roleSearchMatching="(member={0})" roleSearchSubtree=true; org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule reload=true org.apache.activemq.jaas.properties.user="artemis-users.properties" org.apache.activemq.jaas.properties.role="artemis-roles.properties" baseDir="/home/jboss/amq-broker/etc"; };
The following example shows a JAAS login module configuration that has two properties login modules in separate realms.
-
The default properties login module is in a realm named
console
and has the properties files that are used by the Operator and AMQ Management Console to authenticate with the broker. -
The login module in the
activemq
realm has new properties files, which, for example, could contain the credentials to authenticate users for messaging.
You might want to create separate realms to, for example, apply specific security controls to the realm that contains the login module used by the Operator to authenticate with the broker.
activemq { org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule reload=true org.apache.activemq.jaas.properties.user="new-users.properties" org.apache.activemq.jaas.properties.role="new-roles.properties" }; console { org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule reload=true org.apache.activemq.jaas.properties.user="artemis-users.properties" org.apache.activemq.jaas.properties.role="artemis-roles.properties" baseDir="/home/jboss/amq-broker/etc"; };
By default, AMQ Management Console uses the default properties login module in the activemq
realm for authentication. If the default properties login module is configured in another realm, as in the example, you must set an environment variable in the broker CR to configure AMQ Management Console to use that realm. For example:
spec: ... env: - name: JAVA_ARGS_APPEND value: --Hawtio.realm=console ...
For more information about setting environment variables in a CR, see Section 4.9, “Setting environment variables for the broker containers”.
8.3. Example: configuring AMQ Broker to use Red Hat Single Sign-On
This example shows how to configure AMQ Broker to use Red Hat Single Sign-On for authentication and authorization by using JAAS login modules.
Prerequisites
A Red Hat Single Sign-On instance integrated with an LDAP directory.
- The LDAP directory is populated with users and role information for AMQ Broker.
- Red Hat Single Sign-On is configured to federate users from the LDAP server.
- Red Hat Single Sign-On is configured to use the role-ldap-mapper to map role information from LDAP to Red Hat Single Sign-On.
A Red Hat Single Sign-On realm that has:
A client configured with the following settings for applications, such as AMQ Management Console, that can use the oAuth protocol to obtain a token:
Authentication flow: Standard flow
Valid Redirect URIs: An OpenShift Container Platform route for AMQ Management Console. For example, http://artemis-wconsj-0-svc-rte-kc-ldap-tests-0eae49.apps.redhat-412t.broker.app-services-dev.net/console/*
A separate client configured with the following settings if you have messaging client applications that cannot use the oAuth protocol to obtain a token:
Authentication flow: Direct Access Grants
Valid Redirect URIs: *
Each realm in Red Hat Single Sign-On includes a client named Broker
. This client is not related to AMQ Broker.
Procedure
Create a text file named
login.config
and add the JAAS login module configuration to connect AMQ Broker with Red Hat Single Sign-On. For example:console { // ensure the operator can connect to the broker by referencing the existing properties config org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient org.apache.activemq.jaas.properties.user="artemis-users.properties" org.apache.activemq.jaas.properties.role="artemis-roles.properties" baseDir="/home/jboss/amq-broker/etc"; org.keycloak.adapters.jaas.BearerTokenLoginModule sufficient keycloak-config-file="/amq/extra/secrets/sso-jaas-config/_keycloak-bearer-token.json" role-principal-class=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal; }; activemq { org.keycloak.adapters.jaas.BearerTokenLoginModule sufficient keycloak-config-file="/amq/extra/secrets/sso-jaas-config/_keycloak-bearer-token.json" role-principal-class=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal; org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule sufficient keycloak-config-file="/amq/extra/secrets/sso-jaas-config/_keycloak-direct-access.json" role-principal-class=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal; org.apache.activemq.artemis.spi.core.security.jaas.PrincipalConversionLoginModule required principalClassList=org.keycloak.KeycloakPrincipal; };
Note-
The path to the
.json
configuration files must be in the format/amq/extra/secrets/name-jaas-config
. For name, specify a string value. You must use the same string value and a-jaas-config
suffix to name the secret that you create later in this procedure. -
In the example
login.config
file, a realm namedconsole
is used to authenticate AMQ Management Console users and a realm namedactivemq
to authenticate messaging clients.
-
The path to the
The following login modules are configured in the example login.config
file.
Login module | Description and usage |
---|---|
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule |
This is the default login module and contains the |
org.keycloak.adapters.jaas.BearerTokenLoginModule | This login module is for applications, for example, AMQ Management Console, that can use the oAuth protocol to obtain a token. When a user opens AMQ Management Console in a browser window, they are redirected to the Red Hat Single Sign-On console to log in to obtain a bearer token. |
org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule | This login module is required for non-HTTP applications, such as messaging clients, which cannot use the oAuth protocol. Using this login module, the broker first authenticates the client using a secret that is configured in Red Hat Single Sign-On and then obtains a token on behalf of the client. |
org.apache.activemq.artemis.spi.core.security.jaas.PrincipalConversionLoginModule | This login module is required to convert the Keycloak principal received into a JAAS principal that can be used by AMQ Broker. |
In the login.config
file example, each .json
properties file name has an underscore prefix. The Operator ignores files prefixed with an underscore when it reports the status of the JaasPropertiesApplied
condition. If the file names do not have an underscore prefix, the status of the JaasPropertiesApplied
condition shows OutofSync
permanently because the broker does not recognize properties files used by third party login modules. For more information about status reporting, see Section 4.3.2.1, “Configuring the default JAAS login module using the Security Custom Resource (CR)”.
Create text files for each of the
.json
properties files that are referenced in the login modules and configure the details required to connect AMQ Broker to Red Hat Single Sign-On. For example:_keycloak-bearer-token.json
{ "realm": "amq-broker-ldap", "resource": "amq-console", "auth-server-url": "https://keycloak-svc-rte-kc-ldap-tests-0eae49.apps.412t.broker.app-services-dev.net", "principal-attribute": "preferred_username", "use-resource-role-mappings": false, "ssl-required": "external", "confidential-port": 0 }
_keycloak-direct-access.json
{ "realm": "amq-broker-ldap", "resource": "amq-broker", "auth-server-url": "https://keycloak-svc-rte-kc-ldap-tests-0eae49.apps.412t.broker.app-services-dev.net", "principal-attribute": "preferred_username", "use-resource-role-mappings": false, "ssl-required": "external", "credentials": { "secret": "Lfk6g1ZKlGzNT6eRkz0d1scM4M29Ohmn" } }
- realm
- The realm configured to authenticate the AMQ Broker applications and services in Red Hat Single Sign-On.
- resource
- The client ID of a client that is configured in Red Red Hat Single Sign-On.
- auth-server-url
- The base URL of the Red Hat Single Sign-On server.
- principal-attribute
- The token attribute with which to populate the UserPrincipal name.
- use-resource-role-mappings
- If set to true, Red Hat Single Sign-On looks inside the token for application level role mappings for the user. If false, it looks at the realm level for user role mappings. The default value is false.
- ssl-required
-
Ensures that all communication to and from the Red Hat Single Sign-On server is over HTTPS. The default value is
external
, which means that HTTPS is required by default for external requests. - credentials
- A secret configured in Red Hat Single Sign-On which the broker uses to log in to Red Hat Single Sign-On and obtain a token on behalf of the client.
Create a text file named
_keycloak-js-client.json
and add the configuration required for AMQ Management Console to redirect users to the URL of the Red Hat Single Sign-On Admin Console, where they enter their credentials. For example:{ "realm": "amq-broker-ldap", "clientId": "amq-console", "url": "https://keycloak-svc-rte-kc-ldap-tests-0eae49.apps.412t.broker.app-services-dev.net" }
Use the
oc create secret
command to create a secret that contains the files that are referenced in the login module configuration. For example:oc create secret generic sso-jaas-config --from-file=login.config --from-file=artemis-users.properties --from-file=artemis-roles.properties --from-file=_keycloak-bearer-token.json --from-file=_keycloak-direct-access.json --from-file=_keycloak-js-client.json
Note-
The secret name must have a suffix of
-jaas-config
so the Operator can recognize that the secret contains login module configuration and propagate any updates to each broker Pod. -
The secret name must match the last directory name in the path to the
.json
configuration files, which you specified in thelogin.config
file. For example, if the path to the configuration files is/amq/extra/secrets/sso-jaas-config
, you must specify a secret name ofsso-jaas-config
.
For more information about how to create secrets, see Secrets in the Kubernetes documentation.
-
The secret name must have a suffix of
Add the secret you created to the ActiveMQArtemis Custom Resource (CR) instance for your broker deployment.
Using the OpenShift command-line interface:
- Log in to OpenShift as a user that has privileges to deploy CRs in the project for the broker deployment.
Edit the CR for your deployment.
oc edit ActiveMQArtemis <CR instance name> -n <namespace>
Using the OpenShift Container Platform web console:
- Log in to the console as a user that has privileges to deploy CRs in the project for the broker deployment.
-
In the left pane, click
. - Click the Red Hat Integration - AMQ Broker for RHEL 8 (Multiarch) operator.
- Click the AMQ Broker tab.
- Click the name of the ActiveMQArtemis instance name.
Click the YAML tab.
Within the console, a YAML editor opens, enabling you to configure a CR instance.
Create an
extraMounts
attribute and asecrets
attribute and add the name of the secret. The following example adds a secret namedcustom-jaas-config
to the CR.deploymentPlan: ... extraMounts: secrets: - "sso-jaas-config" ...
In the
ActiveMQArtemis
CR, create an environment variable that contains the hawtio settings required by AMQ Management Console to use Red Hat Single Sign-On for authentication. The contents of the environment variable are passed as arguments to the Java application launcher when the JVM that hosts a broker is started. For example:env: - name: JAVA_ARGS_APPEND value: -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dhawtio.keycloakEnabled=true -Dhawtio.keycloakClientConfig=/amq/extra/secrets/sso-jaas-config/_keycloak-js-client.json -Dhawtio.authenticationEnabled=true -Dhawtio.realm=console
For more information on hawtio settings, see the hawtio documentation.
In the
spec
section of theActiveMQArtemis
CR, add abrokerProperties
attribute and add permissions for the roles configured in the LDAP directory. You can grant a role permissions to a single address. Or, you can specify a wildcard match using the#
sign to grant a role permissions to all addresses. For example:spec: ... brokerProperties: - securityRoles.#.producers.send=true - securityRoles.#.consumers.consume=true ...
Save the CR.
The Operator mounts the files in the secret in a
/amq/extra/secrets/secret name
directory on each Pod and configures the broker JVM to read the mountedlogin.config
file, which contains the SSO configuration, instead of the defaultlogin.config
file.
8.4. Logging
In addition to viewing the OpenShift logs, you can troubleshoot a running AMQ Broker on OpenShift Container Platform image by viewing the AMQ logs that are output to the container’s console.
Procedure
- At the command line, run the following command:
$ oc logs -f <pass:quotes[<pod-name>]> <pass:quotes[<container-name>]>
Revised on 2024-11-07 15:46:24 UTC