--- apiVersion: template.openshift.io/v1 kind: Template labels: rhsso: 7.5.3.GA template: sso75-ocp4-x509-https message: A new RH-SSO service has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing RH-SSO requests were automatically created via OpenShift's service serving x509 certificate secrets. metadata: annotations: description: An example application based on RH-SSO 7.5 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/docs. iconClass: icon-sso openshift.io/display-name: Red Hat Single Sign-On 7.5 on OpenJDK (Ephemeral) openshift.io/provider-display-name: Red Hat, Inc. samples.operator.openshift.io/version: 4.18.25 tags: sso,keycloak,jboss template.openshift.io/documentation-url: https://access.redhat.com/documentation/en/red-hat-single-sign-on/ template.openshift.io/long-description: This template defines resources needed to develop Red Hat Single Sign-On 7.5 on OpenJDK server based deployment, securing RH-SSO communication using re-encrypt TLS. template.openshift.io/support-url: https://access.redhat.com version: 7.5.3.GA creationTimestamp: "2025-10-11T10:37:44Z" labels: samples.operator.openshift.io/managed: "true" managedFields: - apiVersion: template.openshift.io/v1 fieldsType: FieldsV1 fieldsV1: f:labels: .: {} f:rhsso: {} f:template: {} f:message: {} f:metadata: f:annotations: .: {} f:description: {} f:iconClass: {} f:openshift.io/display-name: {} f:openshift.io/provider-display-name: {} f:samples.operator.openshift.io/version: {} f:tags: {} f:template.openshift.io/documentation-url: {} f:template.openshift.io/long-description: {} f:template.openshift.io/support-url: {} f:version: {} f:labels: .: {} f:samples.operator.openshift.io/managed: {} f:objects: {} f:parameters: {} manager: cluster-samples-operator operation: Update time: "2025-10-11T10:37:44Z" name: sso75-ocp4-x509-https namespace: openshift resourceVersion: "17456" uid: ff5a3fbe-ee99-440c-8303-0982d9a950fd objects: - apiVersion: v1 kind: ConfigMap metadata: annotations: description: ConfigMap providing service ca bundle. service.beta.openshift.io/inject-cabundle: "true" labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME}-service-ca - apiVersion: v1 kind: Service metadata: annotations: description: The web server's https port. service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: ports: - port: 8443 targetPort: 8443 selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: v1 kind: Service metadata: annotations: description: The JGroups ping port for clustering. service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME}-ping spec: clusterIP: None ports: - name: ping port: 8888 publishNotReadyAddresses: true selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: route.openshift.io/v1 id: ${APPLICATION_NAME}-https kind: Route metadata: annotations: description: Route for application's https service. labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: tls: termination: reencrypt to: name: ${APPLICATION_NAME} - apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: replicas: 1 selector: deploymentConfig: ${APPLICATION_NAME} strategy: type: Recreate template: metadata: labels: application: ${APPLICATION_NAME} deploymentConfig: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: containers: - env: - name: SSO_HOSTNAME value: ${SSO_HOSTNAME} - name: DB_MIN_POOL_SIZE value: ${DB_MIN_POOL_SIZE} - name: DB_MAX_POOL_SIZE value: ${DB_MAX_POOL_SIZE} - name: DB_TX_ISOLATION value: ${DB_TX_ISOLATION} - name: JGROUPS_PING_PROTOCOL value: openshift.DNS_PING - name: OPENSHIFT_DNS_PING_SERVICE_NAME value: ${APPLICATION_NAME}-ping - name: OPENSHIFT_DNS_PING_SERVICE_PORT value: "8888" - name: X509_CA_BUNDLE value: /var/run/configmaps/service-ca/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - name: JGROUPS_CLUSTER_PASSWORD value: ${JGROUPS_CLUSTER_PASSWORD} - name: SSO_ADMIN_USERNAME value: ${SSO_ADMIN_USERNAME} - name: SSO_ADMIN_PASSWORD value: ${SSO_ADMIN_PASSWORD} - name: SSO_REALM value: ${SSO_REALM} - name: SSO_SERVICE_USERNAME value: ${SSO_SERVICE_USERNAME} - name: SSO_SERVICE_PASSWORD value: ${SSO_SERVICE_PASSWORD} image: ${APPLICATION_NAME} imagePullPolicy: Always livenessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/livenessProbe.sh initialDelaySeconds: 60 name: ${APPLICATION_NAME} ports: - containerPort: 8778 name: jolokia protocol: TCP - containerPort: 8080 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 8888 name: ping protocol: TCP readinessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/readinessProbe.sh resources: limits: memory: ${MEMORY_LIMIT} volumeMounts: - mountPath: /etc/x509/https name: sso-x509-https-volume readOnly: true - mountPath: /etc/x509/jgroups name: sso-x509-jgroups-volume readOnly: true - mountPath: /var/run/configmaps/service-ca name: service-ca readOnly: true terminationGracePeriodSeconds: 75 volumes: - name: sso-x509-https-volume secret: secretName: sso-x509-https-secret - name: sso-x509-jgroups-volume secret: secretName: sso-x509-jgroups-secret - configMap: name: ${APPLICATION_NAME}-service-ca name: service-ca triggers: - imageChangeParams: automatic: true containerNames: - ${APPLICATION_NAME} from: kind: ImageStreamTag name: sso75-openshift-rhel8:7.5 namespace: ${IMAGE_STREAM_NAMESPACE} type: ImageChange - type: ConfigChange parameters: - description: The name for the application. displayName: Application Name name: APPLICATION_NAME required: true value: sso - description: Custom hostname for the RH-SSO server. displayName: Custom RH-SSO Server Hostname name: SSO_HOSTNAME - description: The password for the JGroups cluster. displayName: JGroups Cluster Password from: '[a-zA-Z0-9]{32}' generate: expression name: JGROUPS_CLUSTER_PASSWORD required: true - description: Sets xa-pool/min-pool-size for the configured datasource. displayName: Datasource Minimum Pool Size name: DB_MIN_POOL_SIZE - description: Sets xa-pool/max-pool-size for the configured datasource. displayName: Datasource Maximum Pool Size name: DB_MAX_POOL_SIZE - description: Sets transaction-isolation for the configured datasource. displayName: Datasource Transaction Isolation name: DB_TX_ISOLATION - description: Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. displayName: ImageStream Namespace name: IMAGE_STREAM_NAMESPACE required: true value: openshift - description: RH-SSO Server administrator username displayName: RH-SSO Administrator Username from: '[a-zA-Z0-9]{8}' generate: expression name: SSO_ADMIN_USERNAME required: true - description: RH-SSO Server admininistrator password displayName: RH-SSO Administrator Password from: '[a-zA-Z0-9]{32}' generate: expression name: SSO_ADMIN_PASSWORD required: true - description: Realm to be created in the RH-SSO server (e.g. demorealm). displayName: RH-SSO Realm name: SSO_REALM - description: The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. displayName: RH-SSO Service Username name: SSO_SERVICE_USERNAME - description: The password for the RH-SSO service user. displayName: RH-SSO Service Password name: SSO_SERVICE_PASSWORD - description: Container memory limit. displayName: Container Memory Limit name: MEMORY_LIMIT value: 1Gi