Connecting Red Hat Single Sign-on on Openshift to an External Database

The Red Hat Single Sign-On or just RHSSO is an enterprise version of Keycloak, which is an open-source Identity and Access Management solution aimed at modern applications and services. 

In the last few days, I needed to install RHSSO on Openshift version 4.8, however, I needed to implement small customization in the database connection.  By default a non-ephemeral RHSSO installation uses an embedded installation of PostgreSQL database, however, I would change the type of database from PostgreSQL to MySQL, and even change the location of this one to the outside of Openshift.

For non-Openshift installations it is common, however, for RHSSO 7.5 on Openshift 4.8, there are some details:

• First point: The "Operator component" for RHSSO is not prepared until this date for managing a non-Postgres database.
• Second Point: There isn't an official  RHSSO template for other databases either in version 7.5.
• Third Point: We are talking about an environment Openshift 4.8.

The Solution

Forget the Operator Component. Until this date, it is in the Tech Preview version and does not support this implementation.

Basically, we need to create a custom image of RHSSO and change the data source to MySQL type. Remember  RHSSO is software that is performing inside of JBoss Enterprise Application Platform 7 (EAP7),  and because of that, we can customize it using a CLI (Command Line Interface).

For that, follow these below steps:

1. Download the MySQL JDBC Driver. I used MySQL 8 (mysql-connector-java-8.0.27.jar).
2. Create a file called sso-extensions.cli and put the below content. Basically, it is a property file with the params of MySQL Database and the commands for removing the PostgreSQL configuration. Notice that we remove a data source called KeycloakDS and after that, recreate it with the new definitions.
   Shell

    

   batch
   
   set DB_DRIVER_NAME=mysql
   set DB_USERNAME=root
   set DB_PASSWORD=jujuba
   set DB_DRIVER=com.mysql.jdbc.Driver
   set DB_XA_DRIVER=com.mysql.cj.jdbc.MysqlXADataSource
   set DB_JDBC_URL=jdbc:mysql://mysql.database-poc:3306/sampledb
   set DB_EAP_MODULE=com.mysql
   
   set FILE=/opt/eap/extensions/mysql-connector-java-8.0.27.jar
   
   module add --name=$DB_EAP_MODULE --resources=$FILE --dependencies=javax.api,javax.resource.api
   /subsystem=datasources/jdbc-driver=$DB_DRIVER_NAME:add( \
     driver-name=$DB_DRIVER_NAME, \
     driver-module-name=$DB_EAP_MODULE, \
     driver-class-name=$DB_DRIVER, \
     driver-xa-datasource-class-name=$DB_XA_DRIVER \
   )
   
   /subsystem=datasources/data-source=KeycloakDS:remove()
   /subsystem=datasources/data-source=KeycloakDS:add( \
     jndi-name=java:jboss/datasources/KeycloakDS, \
     enabled=true, \
     use-java-context=true, \
     connection-url=$DB_JDBC_URL, \
     driver-name=$DB_DRIVER_NAME, \
     user-name=$DB_USERNAME, \
     password=$DB_PASSWORD \
   )
   
   run-batch
   

   
   

3. Create an image using the official RHSSO Image. (sso75-openshift-rhel8:latest). Below is the Dockerfile to create an image.
   Dockerfile

    

   FROM registry.redhat.io/rh-sso-7/sso75-openshift-rhel8:latest
   
   COPY sso-extensions.cli /opt/eap/extensions/
   COPY mysql-connector-java-8.0.27.jar /opt/eap/extensions/mysql-connector-java-8.0.27.jar
   

   
   

   Notice that it is mandatory to copy the sso-extensions.cli file and mysql-connector-java-8.0.27.jar to folder called /opt/eap/extensions/

4. Build and push the image for some service registry accessible from Openshift. I used the docker hub service.
   Shell

    

   $docker build -t iamrogerio2/rhsso75-mysql:1.0 .
   $docker push iamrogerio2/rhsso75-mysql:1.0
   

   
   

   The published image is something like this: docker.io/iamrogerio2/rhsso75-mysql.

5. Deploy this image in an Openshift namespace. If the MySQL server is on and the parameters of sso-extensions.cli file are correct, the RHSSO will create a lot of tables in the database indicating that the connection is ok.

   Below is the command to create a namespace and deploy the image.

   Shell

    

   $ oc new-project rhsso75-example
   $ oc new-app --docker-image="iamrogerio2/rhsso75-mysql:1.0"
   $ oc create route edge --service=rhsso75-mysql
   

   
   

   Notice that I need to create an HTTPS route using default certificates from Openshift.

6. This is an optional step but is good practice. Create a configMap to store the file sso-extensions.cli, this way, you don't need to recreate the image if you need to change any database parameter. Basically, we import the sso-extensions.cli file into a configMap and set this configMap into deployConfig.
   Shell

    

   $ oc create configmap jboss-cli --from-file=sso-extensions.cli
   $ oc set volume dc/rhsso75-mysql --add --name=jboss-cli -m /opt/eap/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755' --overwrite
   

Final Consideration

Beyond PostgreSQL and MySQL, RHSSO works very well with the Oracle database.  This example is valid for an Oracle implementation too as long as it inserted the right JDBC Driver.

I didn't work with other database integrations, however, the official documentation for version 7.5 describes these databases:

Enjoy :-).