红帽全球峰会此内容没有您所选择的语言版本。
Chapter 3. Get Started
3.1. Using the Red Hat Single Sign-On for OpenShift Image Streams and Application Templates
Red Hat JBoss Middleware for OpenShift images are pulled on demand from the secured Red Hat Registry: registry.redhat.io, which requires authentication. To retrieve content, you will need to log into the registry using the Red Hat account.
To consume container images from registry.redhat.io in shared environments such as OpenShift, it is recommended for an administrator to use a Registry Service Account, also referred to as authentication tokens, in place of an individual person’s Red Hat Customer Portal credentials.
To create a Registry Service Account, navigate to the Registry Service Account Management Application, and log in if necessary.
- From the Registry Service Accounts page, click Create Service Account.
Provide a name for the Service Account, for example registry.redhat.io-sa. It will be prepended with a fixed, random string.
- Enter a description for the Service Account, for example Service account to consume container images from registry.redhat.io..
- Click Create.
- After the Service Account was created, click the registry.redhat.io-sa link in the Account name column of the table presented on the Registry Service Accounts page.
- Finally, click the OpenShift Secret tab, and perform all steps listed on that page.
See the Red Hat Container Registry Authentication article for more information.
To update to the latest Red Hat Single Sign-On for OpenShift images, run the following commands:
On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global
openshiftproject.$ oc login -u system:admin
Run the following commands to update the core set of Red Hat Single Sign-On 7.3.8.GA resources for OpenShift in the
openshiftproject:$ for resource in sso73-image-stream.json \ sso73-https.json \ sso73-mysql.json \ sso73-mysql-persistent.json \ sso73-postgresql.json \ sso73-postgresql-persistent.json \ sso73-x509-https.json \ sso73-x509-mysql-persistent.json \ sso73-x509-postgresql-persistent.json do oc replace -n openshift --force -f \ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource} doneRun the following command to install the Red Hat Single Sign-On 7.3.8.GA OpenShift image streams in the
openshiftproject:$ oc -n openshift import-image redhat-sso73-openshift:1.0
3.2. Deploying the Red Hat Single Sign-On Image
3.2.1. Preparing the Deployment
Log in to the OpenShift CLI with a user that holds the cluster:admin role.
Create a new project:
$ oc new-project sso-app-demo
Add the
viewrole to thedefaultservice account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
3.2.2. Deploying the Red Hat Single Sign-On Image using the Application Template
3.2.2.1. Deploying the Template via OpenShift CLI
List the available Red Hat Single Sign-On application templates:
$ oc get templates -n openshift -o name | grep -o 'sso73.\+' sso73-https sso73-mysql sso73-mysql-persistent sso73-postgresql sso73-postgresql-persistent sso73-x509-https sso73-x509-mysql-persistent sso73-x509-postgresql-persistent
Deploy the selected one:
$ oc new-app --template=sso73-x509-https --> Deploying template "openshift/sso73-x509-https" to project sso-app-demo Red Hat Single Sign-On 7.3 (Ephemeral) --------- An example Red Hat Single Sign-On 7 application. For more information about using this template, see <link xlink:href="https://github.com/jboss-openshift/application-templates">https://github.com/jboss-openshift/application-templates</link>. A new Red Hat Single Sign-On service has been created in your project. The admin username/password for accessing the master realm via the Red Hat Single Sign-On console is IACfQO8v/nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing Red Hat Single Sign-On requests were automatically created via OpenShift's service serving x509 certificate secrets. * With parameters: * Application Name=sso * JGroups Cluster Password=jg0Rssom0gmHBnooDF3Ww7V4Mu5RymmB # generated * Datasource Minimum Pool Size= * Datasource Maximum Pool Size= * Datasource Transaction Isolation= * ImageStream Namespace=openshift * Red Hat Single Sign-On Administrator Username=IACfQO8v # generated * Red Hat Single Sign-On Administrator Password=nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc # generated * Red Hat Single Sign-On Realm= * Red Hat Single Sign-On Service Username= * Red Hat Single Sign-On Service Password= * Container Memory Limit=1Gi --> Creating resources ... service "sso" created service "secure-sso" created service "sso-ping" created route "sso" created route "secure-sso" created deploymentconfig "sso" created --> Success Run 'oc status' to view your app.
3.2.2.2. Deploying the Template via the OpenShift Web Console
Alternatively, perform the following steps to deploy the Red Hat Single Sign-On template via the OpenShift web console:
- Log in to the OpenShift web console and select the sso-app-demo project space.
- Click Add to Project, then Browse Catalog to list the default image streams and templates.
- Use the Filter by Keyword search bar to limit the list to those that match sso. You may need to click Middleware, then Integration to show the desired application template.
- Select an Red Hat Single Sign-On application template. This example uses Red Hat Single Sign-On 7.3 (Ephemeral).
- Click Next in the Information step.
- From the Add to Project drop-down menu, select the sso-app-demo project space. Then click Next.
- Select Do not bind at this time radio button in the Binding step. Click Create to continue.
- In the Results step, click the Continue to the project overview link to verify the status of the deployment.
3.2.3. Accessing the Administrator Console of the Red Hat Single Sign-On Pod
After the template got deployed, identify the available routes:
$ oc get routes
| NAME | HOST/PORT | PATH | SERVICES | PORT | TERMINATION | WILDCARD |
|---|---|---|---|---|---|---|
| sso | sso-sso-app-demo.openshift.example.com | sso | <all> | reencrypt | None |
and access the Red Hat Single Sign-On administrator console at:
- https://sso-sso-app-demo.openshift.example.com/auth/admin
using the administrator account.
