Demo of using Red Hat Single Sign-On 7.5 (Keycloak) as an authentication provider for Red Hat AMQ 7.9 on OpenShift.
Install the image stream and templates:

```shell
oc apply -f https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso75-cpaas-dev/templates/sso75-image-stream.json
oc apply -f https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso75-cpaas-dev/templates/sso75-x509-https.json
```
Create a new app, giving an explicit admin username and password, and telling OpenShift to look in the current project for the SSO image:

```shell
oc new-app sso75-x509-https \
    -p SSO_ADMIN_USERNAME=rhssotest -p SSO_ADMIN_PASSWORD=L00kAr0undY0u \
    -p IMAGE_STREAM_NAMESPACE=$(oc project -q)
```
If the default requests and limits in your shared OpenShift cluster are pitifully small, you might need to set these too, so that the pod gets enough resources and the liveness check is a little less severe and actually succeeds:

```shell
oc set resources dc/sso --requests=cpu=500m,memory=1Gi --limits=cpu=1,memory=1Gi
oc set probe dc/sso --liveness --initial-delay-seconds=180
```
Add the realm JSON definition to a ConfigMap, mount it in the SSO pod, and tell SSO to import it on startup:

```shell
oc create configmap keycloak-broker-realm --from-file=keycloak-broker-realm.json
oc set volume dc/sso --add --overwrite --name=realm-config --mount-path=/etc/realm/broker --type=configmap --configmap-name=keycloak-broker-realm
oc set env dc/sso SSO_IMPORT_FILE=/etc/realm/broker/keycloak-broker-realm.json
```
Now log on to the SSO admin console as the `rhssotest` user and add a user to the realm. Set a password, and ensure the user is granted an appropriate role from the list.
Update the Keycloak adapter JSON configuration files, setting the correct URL of your SSO deployment in the `auth-server-url` field. Then add the files to a ConfigMap, which will be mounted into the AMQ pod:

```shell
# Edit the 'auth-server-url' attribute in the JSON files first!
oc create configmap artemis-keycloak-config --from-file=artemis-keycloak-config
```
Pull the AMQ image from a private registry, if required:

```shell
REGISTRY_HOST=registry.mycompany.com
oc create secret docker-registry my-private-registry \
    --docker-username USER --docker-password PASSWORD --docker-server ${REGISTRY_HOST}
oc secrets link default my-private-registry --for=pull
```
Deploy AMQ using a slightly fudged AMQ 7.8 template (note that this method is deprecated and will be unsupported in future!):

```shell
oc process -f amq-broker-78-custom-modified.yaml \
    -p AMQ_REQUIRE_LOGIN="true" \
    -p AMQ_USER=admin -p AMQ_PASSWORD=cheesecake \
    -p IMAGE=${REGISTRY_HOST}/amq-broker-7/amq-broker-79-openshift-rhel8:7.9-10 \
    | oc apply -f -

oc set env dc/broker-amq JAVA_ARGS="-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dhawtio.keycloakEnabled=true -Dhawtio.keycloakClientConfig=/home/jboss/broker/etc/rhsso-js-client.json -Dhawtio.authenticationEnabled=true -Dhawtio.realm=console"

# Remove the readiness probe so that the Service and Route are active
# (Otherwise the Readiness probe fails due to the redirect to Keycloak - I think)
oc set probe dc/broker-amq --remove --readiness
```
Note that the role(s) required to access Hawtio are set using the `HAWTIO_ROLE` property in `artemis.profile`. This is then translated into the `hawtio.role` property in the Artemis startup script (`/home/jboss/broker/bin/artemis`). See the docs.
`fmtn/a` is a nice little command-line ActiveMQ testing utility.
Set up a Docker Hub secret if necessary:

```shell
oc create secret docker-registry docker-hub \
    --docker-server docker.io --docker-username USER --docker-password PASS
oc secrets link default docker-hub --for=pull
```
Then run the `a` image and try to put a message onto a queue:

```shell
oc run -i -t a --image=fmtn/a-util:1.5.0 --restart=Never -- sh
java -jar /a/a.jar --artemis-core --broker tcp://broker-amq-tcp:61616 --user bobby --pass password0 --put "my message" sandwiches.queue
```
If all is well, the test client should output something like this:

```
Message sent
Operation completed in 306ms (excluding connect)
```
...and you might also see a line like this in the Artemis logs, which is logged when the Keycloak adapter in Artemis makes a connection to Keycloak:

```
2021-09-29 07:39:31,095 INFO [org.keycloak.adapters.KeycloakDeployment] Loaded URLs from https://sso-toms-sso-demo.apps.shared.openshift.example.com/auth/realms/mycorp-amq-sso/.well-known/openid-configuration
```
Not sure what's going on at all? Use the included `util/logging.properties` file to see what's happening inside the broker:

```shell
oc create configmap artemis-logging-properties --from-file=LOGGING_PROPERTIES=util/logging.properties
oc set env --from=configmap/artemis-logging-properties dc/broker-amq
```
Some previously encountered issues and their solutions, in case they're useful to you.
Can't authenticate to Artemis, nothing in the Keycloak logs, and nothing in the Artemis logs except "Unable to validate user from":

- Have you set the `auth-server-url` correctly in `rhsso-direct-access.json`?
- If the URL is incorrect, you won't see a log line about Keycloak in Artemis.
"Error: Realm does not exist" in the Artemis logs:

- The realm wasn't imported into SSO properly. Make sure that the JSON file exists and that the `SSO_IMPORT_FILE` env var is set.
"invalid_grant" in the Artemis logs, and "User_not_found" in the Keycloak logs:
- This happens when the user does not exist in SSO/Keycloak.
- Create the user in the Realm using the Keycloak web UI.
How do I get the broker to pick up updated ConfigMap values?

- Scale the broker deployment down and then back up, e.g.:

```shell
oc scale dc/broker-amq --replicas=0 && oc scale dc/broker-amq --replicas=1
```
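Since a wrong `auth-server-url` or realm name fails silently in the broker, here is an added pre-flight check (not part of this demo; the sample realm export and adapter files are constructed, only the field names are Keycloak's own) that cross-checks the two adapter files against the realm SSO imports and derives the discovery URL that Artemis logs once the adapter reaches Keycloak:

```python
"""Added example: sanity-check the Keycloak adapter JSON files that go into the
artemis-keycloak-config ConfigMap against the realm export SSO imports."""

# Constructed subset of the realm export that SSO imports from SSO_IMPORT_FILE.
REALM_EXPORT = {"realm": "mycorp-amq-sso",
                "clients": [{"clientId": "amq-broker", "publicClient": False},
                            {"clientId": "amq-console", "publicClient": True}]}

# Constructed value; must point at the /auth context root of the SSO route.
SSO_URL = "https://sso-toms-sso-demo.apps.shared.openshift.example.com/auth/"

# Constructed adapter configs, in the shape the Keycloak Java adapter reads.
ADAPTER_CONFIGS = {
    "rhsso-direct-access.json": {          # used by the broker's JAAS login module
        "realm": "mycorp-amq-sso",
        "auth-server-url": SSO_URL,
        "resource": "amq-broker",
        "credentials": {"secret": "REPLACE-WITH-CLIENT-SECRET"},  # placeholder
    },
    "rhsso-js-client.json": {              # used by the Hawtio console
        "realm": "mycorp-amq-sso",
        "auth-server-url": SSO_URL,
        "resource": "amq-console",
        "public-client": True,
    },
}


def discovery_url(adapter):
    """URL the adapter fetches first; Artemis logs it as 'Loaded URLs from ...'.
    A trailing slash on auth-server-url is tolerated, as the adapter does."""
    base = adapter["auth-server-url"].rstrip("/")
    return f"{base}/realms/{adapter['realm']}/.well-known/openid-configuration"


def check_adapter(adapter, realm_export):
    """Return problems that would show up as 'Unable to validate user from'
    or 'Realm does not exist' once the broker is running."""
    problems = []
    if not adapter.get("auth-server-url", "").startswith("https://"):
        problems.append("auth-server-url is not an https URL")
    if adapter.get("realm") != realm_export["realm"]:
        problems.append("realm does not match the imported realm")
    if adapter.get("resource") not in {c["clientId"] for c in realm_export["clients"]}:
        problems.append("resource is not a client in the realm")
    if not adapter.get("public-client") and not adapter.get("credentials", {}).get("secret"):
        problems.append("confidential client has no credentials.secret")
    return problems
```

Run `check_adapter` over each file before `oc create configmap`; an empty list means the two files agree with the realm export.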
Banner created with Pattern Generator