--- apiVersion: template.openshift.io/v1 kind: Template labels: rhsso: 7.5.3.GA template: sso75-https message: 'A new RH-SSO service has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. Please be sure to create the following secrets: "${HTTPS_SECRET}" containing the ${HTTPS_KEYSTORE} file used for serving secure content; "${JGROUPS_ENCRYPT_SECRET}" containing the ${JGROUPS_ENCRYPT_KEYSTORE} file used for securing JGroups communications; "${SSO_TRUSTSTORE_SECRET}" containing the ${SSO_TRUSTSTORE} file used for securing RH-SSO requests.' metadata: annotations: description: An example application based on RH-SSO 7.5 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/docs. iconClass: icon-sso openshift.io/display-name: Red Hat Single Sign-On 7.5 on OpenJDK (Ephemeral with passthrough TLS) openshift.io/provider-display-name: Red Hat, Inc. samples.operator.openshift.io/version: 4.18.25 tags: sso,keycloak,jboss,hidden template.openshift.io/documentation-url: https://access.redhat.com/documentation/en/red-hat-single-sign-on/ template.openshift.io/long-description: This template defines resources needed to develop Red Hat Single Sign-On 7.5 on OpenJDK server based deployment, securing RH-SSO communication using passthrough TLS. template.openshift.io/support-url: https://access.redhat.com version: 7.5.3.GA creationTimestamp: "2025-10-11T10:37:44Z" labels: samples.operator.openshift.io/managed: "true" managedFields: - apiVersion: template.openshift.io/v1 fieldsType: FieldsV1 fieldsV1: f:labels: .: {} f:rhsso: {} f:template: {} f:message: {} f:metadata: f:annotations: .: {} f:description: {} f:iconClass: {} f:openshift.io/display-name: {} f:openshift.io/provider-display-name: {} f:samples.operator.openshift.io/version: {} f:tags: {} f:template.openshift.io/documentation-url: {} f:template.openshift.io/long-description: {} f:template.openshift.io/support-url: {} f:version: {} f:labels: .: {} f:samples.operator.openshift.io/managed: {} f:objects: {} f:parameters: {} manager: cluster-samples-operator operation: Update time: "2025-10-11T10:37:44Z" name: sso75-https namespace: openshift resourceVersion: "17402" uid: 13cc29c2-a016-4202-9ea2-720464863d5c objects: - apiVersion: v1 kind: Service metadata: annotations: description: The web server's http port. labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: ports: - port: 8080 targetPort: 8080 selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: v1 kind: Service metadata: annotations: description: The web server's https port. labels: application: ${APPLICATION_NAME} name: secure-${APPLICATION_NAME} spec: ports: - port: 8443 targetPort: 8443 selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: v1 kind: Service metadata: annotations: description: The JGroups ping port for clustering. labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME}-ping spec: clusterIP: None ports: - name: ping port: 8888 publishNotReadyAddresses: true selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: route.openshift.io/v1 id: ${APPLICATION_NAME}-http kind: Route metadata: annotations: description: Route for application's http service. labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: host: ${HOSTNAME_HTTP} to: name: ${APPLICATION_NAME} - apiVersion: route.openshift.io/v1 id: ${APPLICATION_NAME}-https kind: Route metadata: annotations: description: Route for application's https service. labels: application: ${APPLICATION_NAME} name: secure-${APPLICATION_NAME} spec: host: ${HOSTNAME_HTTPS} tls: termination: passthrough to: name: secure-${APPLICATION_NAME} - apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: replicas: 1 selector: deploymentConfig: ${APPLICATION_NAME} strategy: type: Recreate template: metadata: labels: application: ${APPLICATION_NAME} deploymentConfig: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: containers: - env: - name: SSO_HOSTNAME value: ${SSO_HOSTNAME} - name: DB_MIN_POOL_SIZE value: ${DB_MIN_POOL_SIZE} - name: DB_MAX_POOL_SIZE value: ${DB_MAX_POOL_SIZE} - name: DB_TX_ISOLATION value: ${DB_TX_ISOLATION} - name: JGROUPS_PING_PROTOCOL value: openshift.DNS_PING - name: OPENSHIFT_DNS_PING_SERVICE_NAME value: ${APPLICATION_NAME}-ping - name: OPENSHIFT_DNS_PING_SERVICE_PORT value: "8888" - name: HTTPS_KEYSTORE_DIR value: /etc/eap-secret-volume - name: HTTPS_KEYSTORE value: ${HTTPS_KEYSTORE} - name: HTTPS_KEYSTORE_TYPE value: ${HTTPS_KEYSTORE_TYPE} - name: HTTPS_NAME value: ${HTTPS_NAME} - name: HTTPS_PASSWORD value: ${HTTPS_PASSWORD} - name: JGROUPS_ENCRYPT_SECRET value: ${JGROUPS_ENCRYPT_SECRET} - name: JGROUPS_ENCRYPT_KEYSTORE_DIR value: /etc/jgroups-encrypt-secret-volume - name: JGROUPS_ENCRYPT_KEYSTORE value: ${JGROUPS_ENCRYPT_KEYSTORE} - name: JGROUPS_ENCRYPT_NAME value: ${JGROUPS_ENCRYPT_NAME} - name: JGROUPS_ENCRYPT_PASSWORD value: ${JGROUPS_ENCRYPT_PASSWORD} - name: JGROUPS_CLUSTER_PASSWORD value: ${JGROUPS_CLUSTER_PASSWORD} - name: SSO_ADMIN_USERNAME value: ${SSO_ADMIN_USERNAME} - name: SSO_ADMIN_PASSWORD value: ${SSO_ADMIN_PASSWORD} - name: SSO_REALM value: ${SSO_REALM} - name: SSO_SERVICE_USERNAME value: ${SSO_SERVICE_USERNAME} - name: SSO_SERVICE_PASSWORD value: ${SSO_SERVICE_PASSWORD} - name: SSO_TRUSTSTORE value: ${SSO_TRUSTSTORE} - name: SSO_TRUSTSTORE_DIR value: /etc/sso-secret-volume - name: SSO_TRUSTSTORE_PASSWORD value: ${SSO_TRUSTSTORE_PASSWORD} image: ${APPLICATION_NAME} imagePullPolicy: Always livenessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/livenessProbe.sh initialDelaySeconds: 60 name: ${APPLICATION_NAME} ports: - containerPort: 8778 name: jolokia protocol: TCP - containerPort: 8080 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 8888 name: ping protocol: TCP readinessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/readinessProbe.sh resources: limits: memory: ${MEMORY_LIMIT} volumeMounts: - mountPath: /etc/eap-secret-volume name: eap-keystore-volume readOnly: true - mountPath: /etc/jgroups-encrypt-secret-volume name: eap-jgroups-keystore-volume readOnly: true - mountPath: /etc/sso-secret-volume name: sso-truststore-volume readOnly: true terminationGracePeriodSeconds: 75 volumes: - name: eap-keystore-volume secret: secretName: ${HTTPS_SECRET} - name: eap-jgroups-keystore-volume secret: secretName: ${JGROUPS_ENCRYPT_SECRET} - name: sso-truststore-volume secret: secretName: ${SSO_TRUSTSTORE_SECRET} triggers: - imageChangeParams: automatic: true containerNames: - ${APPLICATION_NAME} from: kind: ImageStreamTag name: sso75-openshift-rhel8:7.5 namespace: ${IMAGE_STREAM_NAMESPACE} type: ImageChange - type: ConfigChange parameters: - description: The name for the application. displayName: Application Name name: APPLICATION_NAME required: true value: sso - description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: ..' displayName: Custom http Route Hostname name: HOSTNAME_HTTP - description: 'Custom hostname for https service route. Leave blank for default hostname, e.g.: ..' displayName: Custom https Route Hostname name: HOSTNAME_HTTPS - description: Custom hostname for the RH-SSO server. displayName: Custom RH-SSO Server Hostname name: SSO_HOSTNAME - description: The name of the secret containing the keystore file displayName: Server Keystore Secret Name name: HTTPS_SECRET value: sso-app-secret - description: The name of the keystore file within the secret displayName: Server Keystore Filename name: HTTPS_KEYSTORE value: keystore.jks - description: The type of the keystore file (JKS or JCEKS) displayName: Server Keystore Type name: HTTPS_KEYSTORE_TYPE - description: The name associated with the server certificate (e.g. jboss) displayName: Server Certificate Name name: HTTPS_NAME - description: The password for the keystore and certificate (e.g. mykeystorepass) displayName: Server Keystore Password name: HTTPS_PASSWORD - description: Sets xa-pool/min-pool-size for the configured datasource. displayName: Datasource Minimum Pool Size name: DB_MIN_POOL_SIZE - description: Sets xa-pool/max-pool-size for the configured datasource. displayName: Datasource Maximum Pool Size name: DB_MAX_POOL_SIZE - description: Sets transaction-isolation for the configured datasource. displayName: Datasource Transaction Isolation name: DB_TX_ISOLATION - description: The name of the secret containing the keystore file displayName: JGroups Secret Name name: JGROUPS_ENCRYPT_SECRET value: sso-app-secret - description: The name of the keystore file within the secret displayName: JGroups Keystore Filename name: JGROUPS_ENCRYPT_KEYSTORE value: jgroups.jceks - description: The name associated with the server certificate (e.g. secret-key) displayName: JGroups Certificate Name name: JGROUPS_ENCRYPT_NAME - description: The password for the keystore and certificate (e.g. password) displayName: JGroups Keystore Password name: JGROUPS_ENCRYPT_PASSWORD - description: JGroups cluster password displayName: JGroups Cluster Password from: '[a-zA-Z0-9]{8}' generate: expression name: JGROUPS_CLUSTER_PASSWORD required: true - description: Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. displayName: ImageStream Namespace name: IMAGE_STREAM_NAMESPACE required: true value: openshift - description: RH-SSO Server administrator username displayName: RH-SSO Administrator Username from: '[a-zA-Z0-9]{8}' generate: expression name: SSO_ADMIN_USERNAME required: true - description: RH-SSO Server administrator password displayName: RH-SSO Administrator Password from: '[a-zA-Z0-9]{8}' generate: expression name: SSO_ADMIN_PASSWORD required: true - description: Realm to be created in the RH-SSO server (e.g. demorealm). displayName: RH-SSO Realm name: SSO_REALM - description: The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. displayName: RH-SSO Service Username name: SSO_SERVICE_USERNAME - description: The password for the RH-SSO service user. displayName: RH-SSO Service Password name: SSO_SERVICE_PASSWORD - description: The name of the truststore file within the secret (e.g. truststore.jks) displayName: RH-SSO Trust Store name: SSO_TRUSTSTORE - description: The password for the truststore and certificate (e.g. mykeystorepass) displayName: RH-SSO Trust Store Password name: SSO_TRUSTSTORE_PASSWORD - description: The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName displayName: RH-SSO Trust Store Secret name: SSO_TRUSTSTORE_SECRET value: sso-app-secret - description: Container memory limit. displayName: Container Memory Limit name: MEMORY_LIMIT value: 1Gi