Connecting Red Hat Single Sign-on on Openshift to an External Database
In this post, I demonstrate how I've implemented an instance of Red Hat Single Sign-on (RHSSO) with an external MySQL database on Openshift version 4.8.
Join the DZone community and get the full member experience.
Join For FreeThe Red Hat Single Sign-On or just RHSSO is an enterprise version of Keycloak, which is an open-source Identity and Access Management solution aimed at modern applications and services.
In the last few days, I needed to install RHSSO on Openshift version 4.8, however, I needed to implement small customization in the database connection. By default a non-ephemeral RHSSO installation uses an embedded installation of PostgreSQL database, however, I would change the type of database from PostgreSQL to MySQL, and even change the location of this one to the outside of Openshift.
For non-Openshift installations it is common, however, for RHSSO 7.5 on Openshift 4.8, there are some details:
- First point: The "Operator component" for RHSSO is not prepared until this date for managing a non-Postgres database.
- Second Point: There isn't an official RHSSO template for other databases either in version 7.5.
- Third Point: We are talking about an environment Openshift 4.8.
The Solution
Forget the Operator Component. Until this date, it is in the Tech Preview version and does not support this implementation.
Basically, we need to create a custom image of RHSSO and change the data source to MySQL type. Remember RHSSO is software that is performing inside of JBoss Enterprise Application Platform 7 (EAP7), and because of that, we can customize it using a CLI (Command Line Interface).
For that, follow these below steps:
- Download the MySQL JDBC Driver. I used MySQL 8 (mysql-connector-java-8.0.27.jar).
- Create a file called sso-extensions.cli and put the below content. Basically, it is a property file with the params of MySQL Database and the commands for removing the PostgreSQL configuration. Notice that we remove a data source called KeycloakDS and after that, recreate it with the new definitions.
Shell
batch set DB_DRIVER_NAME=mysql set DB_USERNAME=root set DB_PASSWORD=jujuba set DB_DRIVER=com.mysql.jdbc.Driver set DB_XA_DRIVER=com.mysql.cj.jdbc.MysqlXADataSource set DB_JDBC_URL=jdbc:mysql://mysql.database-poc:3306/sampledb set DB_EAP_MODULE=com.mysql set FILE=/opt/eap/extensions/mysql-connector-java-8.0.27.jar module add --name=$DB_EAP_MODULE --resources=$FILE --dependencies=javax.api,javax.resource.api /subsystem=datasources/jdbc-driver=$DB_DRIVER_NAME:add( \ driver-name=$DB_DRIVER_NAME, \ driver-module-name=$DB_EAP_MODULE, \ driver-class-name=$DB_DRIVER, \ driver-xa-datasource-class-name=$DB_XA_DRIVER \ ) /subsystem=datasources/data-source=KeycloakDS:remove() /subsystem=datasources/data-source=KeycloakDS:add( \ jndi-name=java:jboss/datasources/KeycloakDS, \ enabled=true, \ use-java-context=true, \ connection-url=$DB_JDBC_URL, \ driver-name=$DB_DRIVER_NAME, \ user-name=$DB_USERNAME, \ password=$DB_PASSWORD \ ) run-batch
- Create an image using the official RHSSO Image. (sso75-openshift-rhel8:latest). Below is the Dockerfile to create an image.
Dockerfile
FROM registry.redhat.io/rh-sso-7/sso75-openshift-rhel8:latest COPY sso-extensions.cli /opt/eap/extensions/ COPY mysql-connector-java-8.0.27.jar /opt/eap/extensions/mysql-connector-java-8.0.27.jar
Notice that it is mandatory to copy the sso-extensions.cli file and mysql-connector-java-8.0.27.jar to folder called /opt/eap/extensions/
- Build and push the image for some service registry accessible from Openshift. I used the docker hub service.
Shell
$docker build -t iamrogerio2/rhsso75-mysql:1.0 . $docker push iamrogerio2/rhsso75-mysql:1.0
The published image is something like this: docker.io/iamrogerio2/rhsso75-mysql.
- Deploy this image in an Openshift namespace. If the MySQL server is on and the parameters of sso-extensions.cli file are correct, the RHSSO will create a lot of tables in the database indicating that the connection is ok.
Below is the command to create a namespace and deploy the image.
Shell$ oc new-project rhsso75-example $ oc new-app --docker-image="iamrogerio2/rhsso75-mysql:1.0" $ oc create route edge --service=rhsso75-mysql
Notice that I need to create an HTTPS route using default certificates from Openshift.
- This is an optional step but is good practice. Create a configMap to store the file sso-extensions.cli, this way, you don't need to recreate the image if you need to change any database parameter. Basically, we import the sso-extensions.cli file into a configMap and set this configMap into deployConfig.
Shell
$ oc create configmap jboss-cli --from-file=sso-extensions.cli $ oc set volume dc/rhsso75-mysql --add --name=jboss-cli -m /opt/eap/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755' --overwrite
Final Consideration
Beyond PostgreSQL and MySQL, RHSSO works very well with the Oracle database. This example is valid for an Oracle implementation too as long as it inserted the right JDBC Driver.
I didn't work with other database integrations, however, the official documentation for version 7.5 describes these databases:
Database |
Version (JDBC driver version) |
MariaDB |
10.3.27 (MariaDB Connector/J 2.7.2) |
MySQL |
8.0 (MySQL Connector/J 8.0.23) |
Oracle DB[1] |
19c RAC 19.3 (Oracle JDBC Driver v19.10.0.0 (ojdbc8.jar)) |
Microsoft SQL Server |
2019 (Microsoft JDBC Drivers 9.2.0 (.jre8.jar)) |
Enterprise DB Postgres Plus Advanced Server |
13.2 (Postgres Plus Advanced Server Driver 42.2.12) |
PostgreSQL |
13.2 (JDBC4 Postgresql Driver, Version 42.2.18) |
Enjoy :-).
Opinions expressed by DZone contributors are their own.
Comments