Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Deploy Red Hat’s single sign-on technology 7.4 with Red Hat OpenShift

March 25, 2021
Olivier Rivat
Related topics:
ContainersDevOpsLinuxKubernetes
Related products:
Red Hat OpenShift Container Platform

Share:

    In this article, you will learn how to deploy Red Hat’s single sign-on technology 7.4 with Red Hat OpenShift 4. For this integration, we'll use the PostgreSQL database. PostgreSQL requires a persistent storage database provided by an external Network File System (NFS) server partition.

    The PostgreSQL persistent storage database is not a hard requirement, but the advantage of using persistent storage for the PostgreSQL pod is that the data is preserved across (single sign-on or PostgreSQL) pod restarts. 

    Prerequisites

    To follow the instructions in this article, you will need the following components in your development environment:

    • An OpenShift 4 or higher cluster with leader and follower nodes.
    • Red Hat’s single sign-on template.
    • Red Hat OpenShift Data Foundation.

    Note: For the purposes of this article, I will refer to leader and follower nodes, although the code output uses the terminology of master and worker nodes.

    The OpenShift storage configuration described in this article is Persistent storage using NFS, as it corresponds to the OpenShift storage configuration used in our lab to test this setup.

    OpenShift also provides many other persistent storage configuration or block storage services. However, such considerations go beyond the scope of this article.

    Create persistent storage for an OpenShift 4.5 cluster

    In this section, we'll describe the different steps to set up persistent storage on OpenShift 4.5 with an NFS server.

    Set up the external NFS server

    NFS allows remote hosts to mount file systems over a network and interact with them as though they are mounted locally. This lets system administrators consolidate resources on centralized servers on the network. For an introduction to NFS concepts and fundamentals, see the introduction to NFS in the Red Hat Enterprise Linux 7 documentation.

    Map OpenShift persistent storage to NFS

    To access an NFS partition from an OpenShift cluster's follower (worker) nodes, you must manually map persistent storage to the NFS partition. In this section, you will do the following:

    • Get a list of nodes.
    • Access a follower node:
      • Ping the NFS server.
      • Mount the exported NFS server partition.
      • Verify that the file is present on the NFS server.

    Get a list of nodes

    To get a list of the nodes, enter:

    $ oc get nodes
    

    The list of requested nodes displays as follows:

    NAME STATUS ROLES AGE VERSION
    master-0.example.com Ready master 81m v1.18.3+2cf11e2
    worker-0.example.com Ready worker 72m v1.18.3+2cf11e2
    worker-1.example.com Ready worker 72m v1.18.3+2cf11e2
    

    Access the follower node

    To access the follower node, use the oc debug node command and type chroot /root, as shown here:

    $ oc debug node/worker-0.example.com
    
    Starting pod/worker-example.com-debug ...
    

    Run chroot /host before issuing further commands:

    sh-4.2# chroot /host
    Ping the NFS server

    Next, ping the NFS server from the follower node in debug mode:

    sh-4.2#ping node-0.nfserver1.example.com
    
    Mount the NFS partition

    Now, mount the NFS partition from the follower node (still in debug mode):

    sh-4.2#mount node-0.nfserver1.example.com:/persistent_volume1 /mnt
    
    Verify that the file is present on the NFS server

    Create a dummy file from the follower node in debug mode:

    sh-4.2#touch /mnt/test.txt
    

    Verify that the file is present on the NFS server:

    $ cd /persistent_volume1
    
    $ ls -al
    total 0
    drwxrwxrwx. 2  root root  22 Sep 23 09:31 .
    dr-xr-xr-x. 19 root root 276 Sep 23 08:37 ..
    -rw-r--r--. 1 nfsnobody nfsnobody 0 Sep 23 09:31 test.txt
    

    Note: You must issue the same command sequence for every follower node in the cluster.

    Persistent volume storage

    The previous section showed how to define and mount an NFS partition. Now, you'll use the NFS partition to define and map an OpenShift persistent volume. The steps are as follows:

    • Make the persistent volume writable on the NFS server.
    • Map the persistent volume to the NFS partition.
    • Create the persistent volume.

    Make the persistent volume writable

    Make the persistent volume writable on the NFS server:

    $ chmod 777 /persistent_volume1

    Map the persistent volume to the NFS partition

    Define a storage class and specify the default storage class. For example, the following YAML defines the StorageClass of slow:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: slow
    provisioner: kubernetes.io/no-provisioner
    reclaimPolicy: Delete
    

    Next, make the storage class the default class:

    $ oc create -f slow_sc.yaml 
    $ oc patch storageclass slow -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "true"}}}'
    

    Note: The StorageClass is common to all namespaces.

    Create the persistent volume

    You can create a persistent volume either from the OpenShift admin console or from a YAML file, as follows:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: example
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteOnce
      persistentVolumeReclaimPolicy: Retain
      storageClassName: slow
      nfs:
        path: /persistent_volume2
        server: node-0.nfserver1.example.com
    
    $ oc create -f pv.yaml
    persistentvolume/example created
    
    $ oc get pv
    NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
    example 5Gi RWO Retain Available slow 5s
    

    Deploy SSO on the OpenShift cluster

    Next, you'll deploy Red Hat’s single sign-on technology on the OpenShift cluster. The steps are as follows:

    • Create a new project.
    • Download the sso-74 templates.
    • Customize the sso74-ocp4-x509-postgresql-persistent template.

    Create a new project

    Create a new project using the oc new-project command:

    $ oc new-project sso-74

    Import the OpenShift image for Red Hat’s single sign-on technology 7.4:

    $ oc -n openshift import-image rh-sso-7/sso74-openshift-rhel8:7.4 --from=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4 --confirm
    

    Note: If you need to delete and re-create the SSO project, first delete the secrets, which are project-specific.

    Note: The command (oc -n openshift) needs to be run under a privileged cluster user (cluster administrator) or under a user with write access into the OpenShift namespace; otherwise, it won’t work.

    Download the sso-74 templates

    Here is the list of available templates:

    $ oc get templates -n openshift -o name | grep -o 'sso74.\+'
    
    sso74-https
    sso74-ocp4-x509-https
    sso74-ocp4-x509-postgresql-persistent
    sso74-postgresql
    sso74-postgresql-persistent
    

    Customize the sso74-ocp4-x509-postgresql-persistent template

    Next, you'll customize the sso74-ocp4-x509-postgresql-persistent template to allow a TLS connection to the persistent PostgreSQL database:

    $ oc process sso74-ocp4-x509-postgresql-persistent -n openshift SSO_ADMIN_USERNAME=admin SSO_ADMIN_PASSWORD=password -o yaml > my_sso74-x509-postgresql-persistent.yaml
    

    Control manually set pod replica scheduling

    To set the pod replica scheduling, change the setting of the replicas field in the definition of both the sso and
     sso-postgresql deployment configs. Within the updated template file, my_sso74-x509-postgresql-persistent.yaml, set both replicas for sso and sso-postgresql to zero (0).

    Setting the replicas to zero (0) within each deployment config lets you manually control the initial pod rollout. If that's not enough, you can also increase the initialDelaySeconds value for the liveness and readiness probes. Here is the updated deployment config of sso:

    kind: DeploymentConfig
      metadata:
        labels:
          application: sso
          rhsso: 7.4.2.GA
          template: sso74-x509-postgresql-persistent
        name: sso
      spec:
        replicas: 0
        selector:
          deploymentConfig: sso
    

    Here is the updated config for sso-postgresql:

    metadata:
        labels:
          application: sso
          rhsso: 7.4.2.GA
          template: sso74-x509-postgresql-persistent
        name: sso-postgresql
      spec:
        replicas: 0
        selector:my_sso74-ocp4-x509-postgresql-persistent.yaml
          deploymentConfig: sso-postgresql
    

    Process the YAML template

    Use the oc create command to process the YAML template:

    $ oc create -f my_sso74-x509-postgresql-persistent.yaml
    
    service/sso created
    service/sso-postgresql created
    service/sso-ping created
    route.route.openshift.io/sso created
    deploymentconfig.apps.openshift.io/sso created
    deploymentconfig.apps.openshift.io/sso-postgresql created
    persistentvolumeclaim/sso-postgresql-claim created
    

    Upscale the sso-postgresql pod

    Use the oc scale command to upscale the sso-postgresql pod:

    $ oc scale --replicas=1 dc/sso-postgresql
    

    Note: Wait until the PostgreSQL pod has reached a ready state of 1/1. This might take a couple of minutes.

    $ oc get pods
    NAME                      READY   STATUS      RESTARTS   AGE
    sso-1-deploy              0/1     Completed   0          10m
    sso-postgresql-1-deploy   0/1     Completed   0          10m
    sso-postgresql-1-fzgf7    1/1     Running     0          3m46s
    

    When the sso-postgresql pod starts correctly, it provides a log output similar to the following one:

    pg_ctl -D /var/lib/pgsql/data/userdata -l logfile start waiting for server to start....2020-09-25 15:13:01.579 UTC [37] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
    2020-09-25 15:13:01.588 UTC [37] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
    2020-09-25 15:13:01.631 UTC [37] LOG: redirecting log output to logging collector process
    2020-09-25 15:13:01.631 UTC [37] HINT: Future log output will appear in directory "log".
    done server started
    /var/run/postgresql:5432 - accepting connections
    => sourcing /usr/share/container-scripts/postgresql/start/set_passwords.sh ...
    ALTER ROLE
    waiting for server to shut down.... done
    server stopped
    Starting server...
    2020-09-25 15:13:06.147 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
    2020-09-25 15:13:06.147 UTC [1] LOG: listening on IPv6 address "::", port 5432
    2020-09-25 15:13:06.157 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
    2020-09-25 15:13:06.164 UTC [1] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
    2020-09-25 15:13:06.206 UTC [1] LOG: redirecting log output to logging collector process
    2020-09-25 15:13:06.206 UTC [1] HINT: Future log output will appear in directory "log".
    

    Upscale the sso pod

    Use the oc scale command to upscale the sso pod as follows:

    $ oc scale --replicas=1 dc/sso
    deploymentconfig.apps.openshift.io/sso
    

    Next, use the oc get pods command and get the SSO pod fully up and running. It reaches a ready state of 1/1 as shown:

    $oc get pods
    NAME                      READY   STATUS      RESTARTS   AGE
    sso-1-d45k2               1/1     Running     0          52m
    sso-1-deploy              0/1     Completed   0          63m
    sso-postgresql-1-deploy   0/1     Completed   0          63m
    sso-postgresql-1-fzgf7    1/1     Running     0          57m

    Testing

    The testing oc status command includes:

    $ oc status
    In project sso-74 on server https://api.example.com:6443
    svc/sso-ping (headless):8888
    https://sso-sso-74.apps.example.com (reencrypt) (svc/sso)
      dc/sso deploys openshift/sso74-openshift-rhel8:7.4
        deployment #1 deployed about an hour ago - 1 pod
    
    svc/sso-postgresql - 172.30.113.48:5432
      dc/sso-postgresql deploys openshift/postgresql:10
        deployment #1 deployed about an hour ago - 1 pod
    

    Visit the URL https://sso-sso-74.apps.example.com to access the administrator console of the Red Hat single sign-on technology 7.4, running on OpenShift 4.5. Provide the single sign-on administrator username and password when prompted.

    Conclusion

    This article highlighted the basic steps to be executed when deploying Red Hat's single sign-on technology 7.4 on OpenShift. Deploying single sign-on on OpenShift makes OpenShift's SSO features available out of the box. As one example, it is very easy to increase your workload capacity by adding new single sign-on pods to your OpenShift deployment during horizontal scaling.

    Last updated: October 7, 2022

    Recent Posts

    • How Trilio secures OpenShift virtual machines and containers

    • How to implement observability with Node.js and Llama Stack

    • How to encrypt RHEL images for Azure confidential VMs

    • How to manage RHEL virtual machines with Podman Desktop

    • Speech-to-text with Whisper and Red Hat AI Inference Server

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue