---
apiVersion: template.openshift.io/v1
kind: Template
labels:
  rhsso: 7.5.3.GA
  template: sso75-ocp4-x509-postgresql-persistent
message: A new persistent RH-SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database "${DB_DATABASE}" is ${DB_USERNAME}/${DB_PASSWORD}. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and the server truststore used for securing RH-SSO requests were automatically created via OpenShift's service serving x509 certificate secrets.
metadata:
  annotations:
    description: An example application based on the RH-SSO 7.5 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/docs.
    iconClass: icon-sso
    openshift.io/display-name: Red Hat Single Sign-On 7.5 on OpenJDK + PostgreSQL (Persistent)
    openshift.io/provider-display-name: Red Hat, Inc.
    samples.operator.openshift.io/version: 4.18.25
    tags: sso,keycloak,jboss
    template.openshift.io/documentation-url: https://access.redhat.com/documentation/en/red-hat-single-sign-on/
    template.openshift.io/long-description: This template defines the resources needed for a Red Hat Single Sign-On 7.5 on OpenJDK server-based deployment, a deployment configuration for PostgreSQL using persistent storage, and securing RH-SSO communication using re-encrypt TLS.
    template.openshift.io/support-url: https://access.redhat.com
    version: 7.5.3.GA
  creationTimestamp: "2025-10-11T10:37:44Z"
  labels:
    samples.operator.openshift.io/managed: "true"
  managedFields:
  - apiVersion: template.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:labels:
        .: {}
        f:rhsso: {}
        f:template: {}
      f:message: {}
      f:metadata:
        f:annotations:
          .: {}
          f:description: {}
          f:iconClass: {}
          f:openshift.io/display-name: {}
          f:openshift.io/provider-display-name: {}
          f:samples.operator.openshift.io/version: {}
          f:tags: {}
          f:template.openshift.io/documentation-url: {}
          f:template.openshift.io/long-description: {}
          f:template.openshift.io/support-url: {}
          f:version: {}
        f:labels:
          .: {}
          f:samples.operator.openshift.io/managed: {}
      f:objects: {}
      f:parameters: {}
    manager: cluster-samples-operator
    operation: Update
    time: "2025-10-11T10:37:44Z"
  name: sso75-ocp4-x509-postgresql-persistent
  namespace: openshift
  resourceVersion: "17422"
  uid: cd5490d6-93ef-437b-8d26-24a5187b8a23
objects:
- apiVersion: v1
  kind: ConfigMap
  metadata:
    annotations:
      description: ConfigMap providing the service CA bundle.
      service.beta.openshift.io/inject-cabundle: "true"
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}-service-ca
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      description: The web server's https port.
      service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]'
      service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}
  spec:
    ports:
    - port: 8443
      targetPort: 8443
    selector:
      deploymentConfig: ${APPLICATION_NAME}
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      description: The database server's port.
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}-postgresql
  spec:
    ports:
    - port: 5432
      targetPort: 5432
    selector:
      deploymentConfig: ${APPLICATION_NAME}-postgresql
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      description: The JGroups ping port for clustering.
      service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}-ping
  spec:
    clusterIP: None
    ports:
    - name: ping
      port: 8888
    publishNotReadyAddresses: true
    selector:
      deploymentConfig: ${APPLICATION_NAME}
- apiVersion: route.openshift.io/v1
  id: ${APPLICATION_NAME}-https
  kind: Route
  metadata:
    annotations:
      description: Route for the application's https service.
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}
  spec:
    tls:
      termination: reencrypt
    to:
      name: ${APPLICATION_NAME}
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}
  spec:
    replicas: 1
    selector:
      deploymentConfig: ${APPLICATION_NAME}
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          application: ${APPLICATION_NAME}
          deploymentConfig: ${APPLICATION_NAME}
        name: ${APPLICATION_NAME}
      spec:
        containers:
        - env:
          - name: SSO_HOSTNAME
            value: ${SSO_HOSTNAME}
          - name: DB_SERVICE_PREFIX_MAPPING
            value: ${APPLICATION_NAME}-postgresql=DB
          - name: DB_JNDI
            value: ${DB_JNDI}
          - name: DB_USERNAME
            value: ${DB_USERNAME}
          - name: DB_PASSWORD
            value: ${DB_PASSWORD}
          - name: DB_DATABASE
            value: ${DB_DATABASE}
          - name: TX_DATABASE_PREFIX_MAPPING
            value: ${APPLICATION_NAME}-postgresql=DB
          - name: DB_MIN_POOL_SIZE
            value: ${DB_MIN_POOL_SIZE}
          - name: DB_MAX_POOL_SIZE
            value: ${DB_MAX_POOL_SIZE}
          - name: DB_TX_ISOLATION
            value: ${DB_TX_ISOLATION}
          - name: JGROUPS_PING_PROTOCOL
            value: openshift.DNS_PING
          - name: OPENSHIFT_DNS_PING_SERVICE_NAME
            value: ${APPLICATION_NAME}-ping
          - name: OPENSHIFT_DNS_PING_SERVICE_PORT
            value: "8888"
          - name: X509_CA_BUNDLE
            value: /var/run/configmaps/service-ca/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          - name: JGROUPS_CLUSTER_PASSWORD
            value: ${JGROUPS_CLUSTER_PASSWORD}
          - name: SSO_ADMIN_USERNAME
            value: ${SSO_ADMIN_USERNAME}
          - name: SSO_ADMIN_PASSWORD
            value: ${SSO_ADMIN_PASSWORD}
          - name: SSO_REALM
            value: ${SSO_REALM}
          - name: SSO_SERVICE_USERNAME
            value: ${SSO_SERVICE_USERNAME}
          - name: SSO_SERVICE_PASSWORD
            value: ${SSO_SERVICE_PASSWORD}
          image: ${APPLICATION_NAME}
          imagePullPolicy: Always
          livenessProbe:
            exec:
              command:
              - /bin/bash
              - -c
              - /opt/eap/bin/livenessProbe.sh
            initialDelaySeconds: 60
          name: ${APPLICATION_NAME}
          ports:
          - containerPort: 8778
            name: jolokia
            protocol: TCP
          - containerPort: 8080
            name: http
            protocol: TCP
          - containerPort: 8443
            name: https
            protocol: TCP
          - containerPort: 8888
            name: ping
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - /bin/bash
              - -c
              - /opt/eap/bin/readinessProbe.sh
          resources:
            limits:
              memory: ${MEMORY_LIMIT}
          volumeMounts:
          - mountPath: /etc/x509/https
            name: sso-x509-https-volume
            readOnly: true
          - mountPath: /etc/x509/jgroups
            name: sso-x509-jgroups-volume
            readOnly: true
          - mountPath: /var/run/configmaps/service-ca
            name: service-ca
            readOnly: true
        terminationGracePeriodSeconds: 75
        volumes:
        - name: sso-x509-https-volume
          secret:
            secretName: sso-x509-https-secret
        - name: sso-x509-jgroups-volume
          secret:
            secretName: sso-x509-jgroups-secret
        - configMap:
            name: ${APPLICATION_NAME}-service-ca
          name: service-ca
    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - ${APPLICATION_NAME}
        from:
          kind: ImageStreamTag
          name: sso75-openshift-rhel8:7.5
          namespace: ${IMAGE_STREAM_NAMESPACE}
      type: ImageChange
    - type: ConfigChange
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}-postgresql
  spec:
    replicas: 1
    selector:
      deploymentConfig: ${APPLICATION_NAME}-postgresql
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          application: ${APPLICATION_NAME}
          deploymentConfig: ${APPLICATION_NAME}-postgresql
        name: ${APPLICATION_NAME}-postgresql
      spec:
        containers:
        - env:
          - name: POSTGRESQL_USER
            value: ${DB_USERNAME}
          - name: POSTGRESQL_PASSWORD
            value: ${DB_PASSWORD}
          - name: POSTGRESQL_DATABASE
            value: ${DB_DATABASE}
          - name: POSTGRESQL_MAX_CONNECTIONS
            value: ${POSTGRESQL_MAX_CONNECTIONS}
          - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
            value: ${POSTGRESQL_MAX_CONNECTIONS}
          - name: POSTGRESQL_SHARED_BUFFERS
            value: ${POSTGRESQL_SHARED_BUFFERS}
          image: postgresql
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 90
            successThreshold: 1
            tcpSocket:
              port: 5432
            timeoutSeconds: 10
          name: ${APPLICATION_NAME}-postgresql
          ports:
          - containerPort: 5432
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - /bin/sh
              - -i
              - -c
              - psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'
            failureThreshold: 3
            initialDelaySeconds: 90
            successThreshold: 1
            timeoutSeconds: 10
          volumeMounts:
          - mountPath: /var/lib/pgsql/data
            name: ${APPLICATION_NAME}-postgresql-pvol
        terminationGracePeriodSeconds: 60
        volumes:
        - name: ${APPLICATION_NAME}-postgresql-pvol
          persistentVolumeClaim:
            claimName: ${APPLICATION_NAME}-postgresql-claim
    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - ${APPLICATION_NAME}-postgresql
        from:
          kind: ImageStreamTag
          name: postgresql13-for-sso75-openshift-rhel8:${POSTGRESQL_IMAGE_STREAM_TAG}
          namespace: ${IMAGE_STREAM_NAMESPACE}
      type: ImageChange
    - type: ConfigChange
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    labels:
      application: ${APPLICATION_NAME}
    name: ${APPLICATION_NAME}-postgresql-claim
  spec:
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: ${VOLUME_CAPACITY}
parameters:
- description: The name for the application.
  displayName: Application Name
  name: APPLICATION_NAME
  required: true
  value: sso
- description: Custom hostname for the RH-SSO server.
  displayName: Custom RH-SSO Server Hostname
  name: SSO_HOSTNAME
- description: The password for the JGroups cluster.
  displayName: JGroups Cluster Password
  from: '[a-zA-Z0-9]{32}'
  generate: expression
  name: JGROUPS_CLUSTER_PASSWORD
  required: true
- description: Database JNDI name used by the application to resolve the datasource, e.g. java:/jboss/datasources/postgresql
  displayName: Database JNDI Name
  name: DB_JNDI
  value: java:jboss/datasources/KeycloakDS
- description: Database name
  displayName: Database Name
  name: DB_DATABASE
  required: true
  value: root
- description: Sets xa-pool/min-pool-size for the configured datasource.
  displayName: Datasource Minimum Pool Size
  name: DB_MIN_POOL_SIZE
- description: Sets xa-pool/max-pool-size for the configured datasource.
  displayName: Datasource Maximum Pool Size
  name: DB_MAX_POOL_SIZE
- description: Sets transaction-isolation for the configured datasource.
  displayName: Datasource Transaction Isolation
  name: DB_TX_ISOLATION
- description: The maximum number of client connections allowed. This also sets the maximum number of prepared transactions.
  displayName: PostgreSQL Maximum number of connections
  name: POSTGRESQL_MAX_CONNECTIONS
- description: Configures how much memory is dedicated to PostgreSQL for caching data.
  displayName: PostgreSQL Shared Buffers
  name: POSTGRESQL_SHARED_BUFFERS
- description: Database user name
  displayName: Database Username
  from: user[a-zA-Z0-9]{3}
  generate: expression
  name: DB_USERNAME
  required: true
- description: Database user password
  displayName: Database Password
  from: '[a-zA-Z0-9]{32}'
  generate: expression
  name: DB_PASSWORD
  required: true
- description: Size of persistent storage for the database volume.
  displayName: Database Volume Capacity
  name: VOLUME_CAPACITY
  required: true
  value: 1Gi
- description: Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project.
  displayName: ImageStream Namespace
  name: IMAGE_STREAM_NAMESPACE
  required: true
  value: openshift
- description: RH-SSO Server administrator username
  displayName: RH-SSO Administrator Username
  from: '[a-zA-Z0-9]{8}'
  generate: expression
  name: SSO_ADMIN_USERNAME
  required: true
- description: RH-SSO Server administrator password
  displayName: RH-SSO Administrator Password
  from: '[a-zA-Z0-9]{32}'
  generate: expression
  name: SSO_ADMIN_PASSWORD
  required: true
- description: Realm to be created in the RH-SSO server (e.g. demorealm).
  displayName: RH-SSO Realm
  name: SSO_REALM
- description: The username used to access the RH-SSO service. This is used by clients to create the application client(s) within the specified RH-SSO realm.
  displayName: RH-SSO Service Username
  name: SSO_SERVICE_USERNAME
- description: The password for the RH-SSO service user.
  displayName: RH-SSO Service Password
  name: SSO_SERVICE_PASSWORD
- description: The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL.
  displayName: PostgreSQL Image Stream Tag
  name: POSTGRESQL_IMAGE_STREAM_TAG
  required: true
  value: 13-el8
- description: Container memory limit.
  displayName: Container Memory Limit
  name: MEMORY_LIMIT
  value: 1Gi
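As an added example (not part of this template or of the redhat-sso-7-openshift-image project), the following Python performs the review a practitioner would do before processing the template: it measures the entropy of every `generate: expression` password parameter and flags any that ship a static default or are left for the caller (here `SSO_SERVICE_PASSWORD`, which has neither a generator nor a value), confirms that the Route terminates with `reencrypt` and that the serving-cert secret its Service requests is actually mounted by a DeploymentConfig, and lists the credentials the template injects as plain `env` values (`DB_PASSWORD`, `SSO_ADMIN_PASSWORD`, `POSTGRESQL_PASSWORD`, ...), which anyone able to read the DeploymentConfig can see, just as the `message` above echoes the generated admin and database passwords into `oc process` output. It consumes the JSON form that `oc get template sso75-ocp4-x509-postgresql-persistent -n openshift -o json` prints; `SAMPLE_TEMPLATE` is a constructed subset of the template above, the function names are my own, and the `_ESCAPES` table covers the generator's `\w`, `\d` and `\a` classes but not `\A`.

```python
"""Lint an OpenShift Template for the credential and TLS wiring used above.
Added example (not from the template or the redhat-sso-7-openshift-image project);
input is what `oc get template <name> -o json` prints.  SAMPLE_TEMPLATE below is a
constructed subset of this page's template, not its full object list."""
import math
import re

SERVING_CERT = "service.alpha.openshift.io/serving-cert-secret-name"
SAMPLE_TEMPLATE = {
    "parameters": [
        {"name": "SSO_ADMIN_PASSWORD", "generate": "expression", "from": "[a-zA-Z0-9]{32}"},
        {"name": "DB_PASSWORD", "generate": "expression", "from": "[a-zA-Z0-9]{32}"},
        {"name": "JGROUPS_CLUSTER_PASSWORD", "generate": "expression", "from": "[a-zA-Z0-9]{32}"},
        {"name": "SSO_SERVICE_PASSWORD"},  # neither generated nor defaulted
        {"name": "DB_DATABASE", "required": True, "value": "root"},
    ],
    "objects": [
        {"kind": "Service", "metadata": {"name": "sso",
         "annotations": {SERVING_CERT: "sso-x509-https-secret"}}},
        {"kind": "Route", "metadata": {"name": "sso"},
         "spec": {"tls": {"termination": "reencrypt"}, "to": {"name": "sso"}}},
        {"kind": "DeploymentConfig", "metadata": {"name": "sso"}, "spec": {"template": {"spec": {
            "containers": [{"name": "sso", "env": [
                {"name": "DB_PASSWORD", "value": "${DB_PASSWORD}"},
                {"name": "SSO_ADMIN_PASSWORD", "value": "${SSO_ADMIN_PASSWORD}"}]}],
            "volumes": [{"name": "sso-x509-https-volume",
                         "secret": {"secretName": "sso-x509-https-secret"}}]}}}},
    ],
}
# Escapes the expression generator accepts inside a bracket class; \A (punctuation)
# is left out because that class itself contains ']'.
_ESCAPES = {"w": "a-zA-Z0-9_", "d": "0-9", "a": "a-zA-Z0-9"}
_TOKEN = re.compile(r"\[([^\]]+)\]\{(\d+)\}")

def _class_chars(body):
    """Expand the inside of a bracket class ('a-zA-Z0-9', '\\w', ...) to a set."""
    chars, i = set(), 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in _ESCAPES:
            chars |= _class_chars(_ESCAPES[body[i + 1]])
            i += 2
        elif i + 2 < len(body) and body[i + 1] == "-":
            chars.update(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.add(body[i])
            i += 1
    return chars

def expression_entropy_bits(expr):
    """Bits of entropy a `generate: expression` pattern yields; literal text adds none."""
    return sum(int(n) * math.log2(len(_class_chars(body))) for body, n in _TOKEN.findall(expr))

def check_credential_parameters(template, min_bits=128.0):
    """*PASSWORD parameters: flag static defaults, weak generators and unset values."""
    findings = []
    for p in template.get("parameters", []):
        name = p["name"]
        if not name.endswith("PASSWORD"):
            continue
        if "value" in p:
            findings.append((name, "static default: the same credential on every deployment"))
        elif p.get("generate") == "expression":
            bits = expression_entropy_bits(p.get("from", ""))
            if bits < min_bits:
                findings.append((name, "generated value has only %.0f bits of entropy" % bits))
        else:
            findings.append((name, "no generator and no default; must be passed with -p"))
    return findings

def check_tls_wiring(template):
    """Route must be reencrypt/passthrough, its Service must request a serving
    certificate, and a DeploymentConfig must mount the resulting secret."""
    objs = template.get("objects", [])
    kind = lambda k: [o for o in objs if o.get("kind") == k]
    findings = []
    for route in kind("Route"):
        spec = route.get("spec", {})
        term = spec.get("tls", {}).get("termination")
        if term not in ("reencrypt", "passthrough"):
            findings.append((route["metadata"]["name"], "termination %r leaves the router-to-pod hop without TLS" % term))
        backend = spec.get("to", {}).get("name")
        svc = next((s for s in kind("Service") if s["metadata"]["name"] == backend), {})
        secret = svc.get("metadata", {}).get("annotations", {}).get(SERVING_CERT)
        if not secret:
            findings.append((backend, "backing Service requests no serving certificate"))
        elif not any(v.get("secret", {}).get("secretName") == secret
                     for dc in kind("DeploymentConfig")
                     for v in dc["spec"]["template"]["spec"].get("volumes", [])):
            findings.append((secret, "serving-cert secret is never mounted by a DeploymentConfig"))
    return findings

def check_env_secrets(template):
    """Passwords injected as plain env `value:` are readable by anyone who can get the
    DeploymentConfig; valueFrom.secretKeyRef would keep them inside a Secret."""
    return [(dc["metadata"]["name"], e["name"])
            for dc in template.get("objects", []) if dc.get("kind") == "DeploymentConfig"
            for c in dc["spec"]["template"]["spec"]["containers"]
            for e in c.get("env", []) if "PASSWORD" in e["name"] and "value" in e]
```

Run the three checks over `json.load(open("template.json"))` for the real object. On the template above, the `[a-zA-Z0-9]{32}` generators yield about 190 bits each, the `[a-zA-Z0-9]{8}` admin username about 48, `SSO_SERVICE_PASSWORD` is the one credential left for the caller to supply with `-p`, the TLS wiring check is clean, and every password the two DeploymentConfigs consume is a plain `value:` entry.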