--- apiVersion: template.openshift.io/v1 kind: Template labels: rhsso: 7.5.3.GA template: sso75-postgresql message: 'A new RH-SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database "${DB_DATABASE}" is ${DB_USERNAME}/${DB_PASSWORD}. Please be sure to create the following secrets: "${HTTPS_SECRET}" containing the ${HTTPS_KEYSTORE} file used for serving secure content; "${JGROUPS_ENCRYPT_SECRET}" containing the ${JGROUPS_ENCRYPT_KEYSTORE} file used for securing JGroups communications; "${SSO_TRUSTSTORE_SECRET}" containing the ${SSO_TRUSTSTORE} file used for securing RH-SSO requests.' metadata: annotations: description: An example application based on RH-SSO 7.5 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/docs. iconClass: icon-sso openshift.io/display-name: Red Hat Single Sign-On 7.5 on OpenJDK + PostgreSQL (Ephemeral with passthrough TLS) openshift.io/provider-display-name: Red Hat, Inc. samples.operator.openshift.io/version: 4.18.25 tags: sso,keycloak,jboss,hidden template.openshift.io/documentation-url: https://access.redhat.com/documentation/en/red-hat-single-sign-on/ template.openshift.io/long-description: This template defines resources needed to develop Red Hat Single Sign-On 7.5 on OpenJDK server based deployment, deployment configuration for PostgreSQL using ephemeral (temporary) storage, and securing RH-SSO communication using passthrough TLS. template.openshift.io/support-url: https://access.redhat.com version: 7.5.3.GA creationTimestamp: "2025-10-11T10:37:43Z" labels: samples.operator.openshift.io/managed: "true" managedFields: - apiVersion: template.openshift.io/v1 fieldsType: FieldsV1 fieldsV1: f:labels: .: {} f:rhsso: {} f:template: {} f:message: {} f:metadata: f:annotations: .: {} f:description: {} f:iconClass: {} f:openshift.io/display-name: {} f:openshift.io/provider-display-name: {} f:samples.operator.openshift.io/version: {} f:tags: {} f:template.openshift.io/documentation-url: {} f:template.openshift.io/long-description: {} f:template.openshift.io/support-url: {} f:version: {} f:labels: .: {} f:samples.operator.openshift.io/managed: {} f:objects: {} f:parameters: {} manager: cluster-samples-operator operation: Update time: "2025-10-11T10:37:43Z" name: sso75-postgresql namespace: openshift resourceVersion: "17356" uid: 4b14eaf3-9d7a-4104-aff8-df8c4bb1070c objects: - apiVersion: v1 kind: Service metadata: annotations: description: The web server's http port. service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]' labels: application: ${APPLICATION_NAME} component: server name: ${APPLICATION_NAME} spec: ports: - port: 8080 targetPort: 8080 selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: v1 kind: Service metadata: annotations: description: The web server's https port. service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]' labels: application: ${APPLICATION_NAME} component: server name: secure-${APPLICATION_NAME} spec: ports: - port: 8443 targetPort: 8443 selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: v1 kind: Service metadata: annotations: description: The database server's port. labels: application: ${APPLICATION_NAME} component: database name: ${APPLICATION_NAME}-postgresql spec: ports: - port: 5432 targetPort: 5432 selector: deploymentConfig: ${APPLICATION_NAME}-postgresql - apiVersion: v1 kind: Service metadata: annotations: description: The JGroups ping port for clustering. labels: application: ${APPLICATION_NAME} name: ${APPLICATION_NAME}-ping spec: clusterIP: None ports: - name: ping port: 8888 publishNotReadyAddresses: true selector: deploymentConfig: ${APPLICATION_NAME} - apiVersion: route.openshift.io/v1 id: ${APPLICATION_NAME}-http kind: Route metadata: annotations: description: Route for application's http service. labels: application: ${APPLICATION_NAME} component: server name: ${APPLICATION_NAME} spec: host: ${HOSTNAME_HTTP} to: name: ${APPLICATION_NAME} - apiVersion: route.openshift.io/v1 id: ${APPLICATION_NAME}-https kind: Route metadata: annotations: description: Route for application's https service. labels: application: ${APPLICATION_NAME} component: server name: secure-${APPLICATION_NAME} spec: host: ${HOSTNAME_HTTPS} tls: termination: passthrough to: name: secure-${APPLICATION_NAME} - apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: labels: application: ${APPLICATION_NAME} component: server name: ${APPLICATION_NAME} spec: replicas: 1 selector: deploymentConfig: ${APPLICATION_NAME} strategy: type: Recreate template: metadata: labels: application: ${APPLICATION_NAME} component: server deploymentConfig: ${APPLICATION_NAME} name: ${APPLICATION_NAME} spec: containers: - env: - name: SSO_HOSTNAME value: ${SSO_HOSTNAME} - name: DB_SERVICE_PREFIX_MAPPING value: ${APPLICATION_NAME}-postgresql=DB - name: DB_JNDI value: ${DB_JNDI} - name: DB_USERNAME value: ${DB_USERNAME} - name: DB_PASSWORD value: ${DB_PASSWORD} - name: DB_DATABASE value: ${DB_DATABASE} - name: TX_DATABASE_PREFIX_MAPPING value: ${APPLICATION_NAME}-postgresql=DB - name: DB_MIN_POOL_SIZE value: ${DB_MIN_POOL_SIZE} - name: DB_MAX_POOL_SIZE value: ${DB_MAX_POOL_SIZE} - name: DB_TX_ISOLATION value: ${DB_TX_ISOLATION} - name: JGROUPS_PING_PROTOCOL value: openshift.DNS_PING - name: OPENSHIFT_DNS_PING_SERVICE_NAME value: ${APPLICATION_NAME}-ping - name: OPENSHIFT_DNS_PING_SERVICE_PORT value: "8888" - name: HTTPS_KEYSTORE_DIR value: /etc/eap-secret-volume - name: HTTPS_KEYSTORE value: ${HTTPS_KEYSTORE} - name: HTTPS_KEYSTORE_TYPE value: ${HTTPS_KEYSTORE_TYPE} - name: HTTPS_NAME value: ${HTTPS_NAME} - name: HTTPS_PASSWORD value: ${HTTPS_PASSWORD} - name: JGROUPS_ENCRYPT_SECRET value: ${JGROUPS_ENCRYPT_SECRET} - name: JGROUPS_ENCRYPT_KEYSTORE_DIR value: /etc/jgroups-encrypt-secret-volume - name: JGROUPS_ENCRYPT_KEYSTORE value: ${JGROUPS_ENCRYPT_KEYSTORE} - name: JGROUPS_ENCRYPT_NAME value: ${JGROUPS_ENCRYPT_NAME} - name: JGROUPS_ENCRYPT_PASSWORD value: ${JGROUPS_ENCRYPT_PASSWORD} - name: JGROUPS_CLUSTER_PASSWORD value: ${JGROUPS_CLUSTER_PASSWORD} - name: SSO_ADMIN_USERNAME value: ${SSO_ADMIN_USERNAME} - name: SSO_ADMIN_PASSWORD value: ${SSO_ADMIN_PASSWORD} - name: SSO_REALM value: ${SSO_REALM} - name: SSO_SERVICE_USERNAME value: ${SSO_SERVICE_USERNAME} - name: SSO_SERVICE_PASSWORD value: ${SSO_SERVICE_PASSWORD} - name: SSO_TRUSTSTORE value: ${SSO_TRUSTSTORE} - name: SSO_TRUSTSTORE_DIR value: /etc/sso-secret-volume - name: SSO_TRUSTSTORE_PASSWORD value: ${SSO_TRUSTSTORE_PASSWORD} image: ${APPLICATION_NAME} imagePullPolicy: Always livenessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/livenessProbe.sh initialDelaySeconds: 60 name: ${APPLICATION_NAME} ports: - containerPort: 8778 name: jolokia protocol: TCP - containerPort: 8080 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 8888 name: ping protocol: TCP readinessProbe: exec: command: - /bin/bash - -c - /opt/eap/bin/readinessProbe.sh resources: limits: memory: ${MEMORY_LIMIT} volumeMounts: - mountPath: /etc/eap-secret-volume name: eap-keystore-volume readOnly: true - mountPath: /etc/jgroups-encrypt-secret-volume name: eap-jgroups-keystore-volume readOnly: true - mountPath: /etc/sso-secret-volume name: sso-truststore-volume readOnly: true terminationGracePeriodSeconds: 75 volumes: - name: eap-keystore-volume secret: secretName: ${HTTPS_SECRET} - name: eap-jgroups-keystore-volume secret: secretName: ${JGROUPS_ENCRYPT_SECRET} - name: sso-truststore-volume secret: secretName: ${SSO_TRUSTSTORE_SECRET} triggers: - imageChangeParams: automatic: true containerNames: - ${APPLICATION_NAME} from: kind: ImageStreamTag name: sso75-openshift-rhel8:7.5 namespace: ${IMAGE_STREAM_NAMESPACE} type: ImageChange - type: ConfigChange - apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: labels: application: ${APPLICATION_NAME} component: database name: ${APPLICATION_NAME}-postgresql spec: replicas: 1 selector: deploymentConfig: ${APPLICATION_NAME}-postgresql strategy: type: Recreate template: metadata: labels: application: ${APPLICATION_NAME} component: database deploymentConfig: ${APPLICATION_NAME}-postgresql name: ${APPLICATION_NAME}-postgresql spec: containers: - env: - name: POSTGRESQL_USER value: ${DB_USERNAME} - name: POSTGRESQL_PASSWORD value: ${DB_PASSWORD} - name: POSTGRESQL_DATABASE value: ${DB_DATABASE} - name: POSTGRESQL_MAX_CONNECTIONS value: ${POSTGRESQL_MAX_CONNECTIONS} - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS value: ${POSTGRESQL_MAX_CONNECTIONS} - name: POSTGRESQL_SHARED_BUFFERS value: ${POSTGRESQL_SHARED_BUFFERS} image: postgresql imagePullPolicy: Always livenessProbe: initialDelaySeconds: 30 tcpSocket: port: 5432 timeoutSeconds: 1 name: ${APPLICATION_NAME}-postgresql ports: - containerPort: 5432 protocol: TCP readinessProbe: exec: command: - /bin/sh - -i - -c - psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1' initialDelaySeconds: 5 timeoutSeconds: 1 volumeMounts: - mountPath: /var/lib/pgsql/data name: ${APPLICATION_NAME}-data terminationGracePeriodSeconds: 60 volumes: - emptyDir: medium: "" name: ${APPLICATION_NAME}-data triggers: - imageChangeParams: automatic: true containerNames: - ${APPLICATION_NAME}-postgresql from: kind: ImageStreamTag name: postgresql13-for-sso75-openshift-rhel8:${POSTGRESQL_IMAGE_STREAM_TAG} namespace: ${IMAGE_STREAM_NAMESPACE} type: ImageChange - type: ConfigChange parameters: - description: The name for the application. displayName: Application Name name: APPLICATION_NAME required: true value: sso - description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: ..' displayName: Custom http Route Hostname name: HOSTNAME_HTTP - description: 'Custom hostname for https service route. Leave blank for default hostname, e.g.: ..' displayName: Custom https Route Hostname name: HOSTNAME_HTTPS - description: Custom hostname for the RH-SSO server. displayName: Custom RH-SSO Server Hostname name: SSO_HOSTNAME - description: Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql displayName: Database JNDI Name name: DB_JNDI value: java:jboss/datasources/KeycloakDS - description: Database name displayName: Database Name name: DB_DATABASE required: true value: root - description: The name of the secret containing the keystore file displayName: Server Keystore Secret Name name: HTTPS_SECRET value: sso-app-secret - description: The name of the keystore file within the secret displayName: Server Keystore Filename name: HTTPS_KEYSTORE value: keystore.jks - description: The type of the keystore file (JKS or JCEKS) displayName: Server Keystore Type name: HTTPS_KEYSTORE_TYPE - description: The name associated with the server certificate (e.g. jboss) displayName: Server Certificate Name name: HTTPS_NAME - description: The password for the keystore and certificate (e.g. mykeystorepass) displayName: Server Keystore Password name: HTTPS_PASSWORD - description: Sets xa-pool/min-pool-size for the configured datasource. displayName: Datasource Minimum Pool Size name: DB_MIN_POOL_SIZE - description: Sets xa-pool/max-pool-size for the configured datasource. displayName: Datasource Maximum Pool Size name: DB_MAX_POOL_SIZE - description: Sets transaction-isolation for the configured datasource. displayName: Datasource Transaction Isolation name: DB_TX_ISOLATION - description: The maximum number of client connections allowed. This also sets the maximum number of prepared transactions. displayName: PostgreSQL Maximum number of connections name: POSTGRESQL_MAX_CONNECTIONS - description: Configures how much memory is dedicated to PostgreSQL for caching data. displayName: PostgreSQL Shared Buffers name: POSTGRESQL_SHARED_BUFFERS - description: Database user name displayName: Database Username from: user[a-zA-Z0-9]{3} generate: expression name: DB_USERNAME required: true - description: Database user password displayName: Database Password from: '[a-zA-Z0-9]{8}' generate: expression name: DB_PASSWORD required: true - description: The name of the secret containing the keystore file displayName: JGroups Secret Name name: JGROUPS_ENCRYPT_SECRET value: sso-app-secret - description: The name of the keystore file within the secret displayName: JGroups Keystore Filename name: JGROUPS_ENCRYPT_KEYSTORE value: jgroups.jceks - description: The name associated with the server certificate (e.g. secret-key) displayName: JGroups Certificate Name name: JGROUPS_ENCRYPT_NAME - description: The password for the keystore and certificate (e.g. password) displayName: JGroups Keystore Password name: JGROUPS_ENCRYPT_PASSWORD - description: JGroups cluster password displayName: JGroups Cluster Password from: '[a-zA-Z0-9]{8}' generate: expression name: JGROUPS_CLUSTER_PASSWORD required: true - description: Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project. displayName: ImageStream Namespace name: IMAGE_STREAM_NAMESPACE required: true value: openshift - description: RH-SSO Server administrator username displayName: RH-SSO Administrator Username from: '[a-zA-Z0-9]{8}' generate: expression name: SSO_ADMIN_USERNAME required: true - description: RH-SSO Server administrator password displayName: RH-SSO Administrator Password from: '[a-zA-Z0-9]{8}' generate: expression name: SSO_ADMIN_PASSWORD required: true - description: Realm to be created in the RH-SSO server (e.g. demorealm). displayName: RH-SSO Realm name: SSO_REALM - description: The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm. displayName: RH-SSO Service Username name: SSO_SERVICE_USERNAME - description: The password for the RH-SSO service user. displayName: RH-SSO Service Password name: SSO_SERVICE_PASSWORD - description: The name of the truststore file within the secret (e.g. truststore.jks) displayName: RH-SSO Trust Store name: SSO_TRUSTSTORE - description: The password for the truststore and certificate (e.g. mykeystorepass) displayName: RH-SSO Trust Store Password name: SSO_TRUSTSTORE_PASSWORD - description: The name of the secret containing the truststore file (e.g. truststore-secret). Used for volume secretName displayName: RH-SSO Trust Store Secret name: SSO_TRUSTSTORE_SECRET value: sso-app-secret - description: The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL. displayName: PostgreSQL Image Stream Tag name: POSTGRESQL_IMAGE_STREAM_TAG required: true value: 13-el8 - description: Container memory limit. displayName: Container Memory Limit name: MEMORY_LIMIT value: 1Gi