CLOUD-2249 secure routes for basic EAP, JWS and Java templates using …
…TLS edge

           replace passthrough TLS with edge TLS for ephemeral templates
           remove HTTP/S_NAME parameters from basic and ephemeral templates

Signed-off-by: rcernich <[email protected]>
rcernich committed Jun 26, 2018
1 parent 225f292 commit fa5d00a
Showing 40 changed files with 128 additions and 2,436 deletions.
4 changes: 2 additions & 2 deletions eap/eap64-amq-persistent-s2i.json
@@ -6,10 +6,10 @@
"iconClass": "icon-eap",
"tags": "eap,javaee,java,jboss",
"version": "1.4.14",
"openshift.io/display-name": "JBoss EAP 6.4 + A-MQ (with https)",
"openshift.io/display-name": "JBoss EAP 6.4 + A-MQ (Persistent)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "An example EAP 6 A-MQ application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration, using Red Hat JBoss A-MQ with persistence and secure communication using https.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration, using Red Hat JBoss A-MQ with persistence and secure communication using passthrough TLS.",
"template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/",
"template.openshift.io/support-url": "https://access.redhat.com"
},
200 changes: 3 additions & 197 deletions eap/eap64-amq-s2i.json
@@ -6,7 +6,7 @@
"iconClass": "icon-eap",
"tags": "eap,javaee,java,jboss,hidden",
"version": "1.4.14",
"openshift.io/display-name": "JBoss EAP 6.4 + A-MQ (Ephemeral with https)",
"openshift.io/display-name": "JBoss EAP 6.4 + A-MQ (Ephemeral)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "An example EAP 6 A-MQ application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration, using Red Hat JBoss A-MQ and secure communication using https.",
@@ -19,7 +19,7 @@
"template": "eap64-amq-s2i",
"xpaas": "1.4.14"
},
"message": "A new EAP 6 and A-MQ based application with SSL support has been created in your project. The username/password for accessing the A-MQ service is ${MQ_USERNAME}/${MQ_PASSWORD}. Please be sure to create the following secrets: \"${HTTPS_SECRET}\" containing the ${HTTPS_KEYSTORE} file used for serving secure content; \"${JGROUPS_ENCRYPT_SECRET}\" containing the ${JGROUPS_ENCRYPT_KEYSTORE} file used for securing JGroups communications.",
"message": "A new EAP 6 and A-MQ based application has been created in your project. The username/password for accessing the A-MQ service is ${MQ_USERNAME}/${MQ_PASSWORD}.",
"parameters": [
{
"displayName": "Application Name",
@@ -28,20 +28,6 @@
"value": "eap-app",
"required": true
},
{
"displayName": "Custom http Route Hostname",
"description": "Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-<project>.<default-domain-suffix>",
"name": "HOSTNAME_HTTP",
"value": "",
"required": false
},
{
"displayName": "Custom https Route Hostname",
"description": "Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-<project>.<default-domain-suffix>",
"name": "HOSTNAME_HTTPS",
"value": "",
"required": false
},
{
"displayName": "Git Repository URL",
"description": "Git source URI for application",
@@ -98,41 +84,6 @@
"value": "",
"required": false
},
{
"displayName": "Server Keystore Secret Name",
"description": "The name of the secret containing the keystore file",
"name": "HTTPS_SECRET",
"value": "eap-app-secret",
"required": false
},
{
"displayName": "Server Keystore Filename",
"description": "The name of the keystore file within the secret",
"name": "HTTPS_KEYSTORE",
"value": "keystore.jks",
"required": false
},
{
"displayName": "Server Keystore Type",
"description": "The type of the keystore file (JKS or JCEKS)",
"name": "HTTPS_KEYSTORE_TYPE",
"value": "",
"required": false
},
{
"displayName": "Server Certificate Name",
"description": "The name associated with the server certificate",
"name": "HTTPS_NAME",
"value": "",
"required": false
},
{
"displayName": "Server Keystore Password",
"description": "The password for the keystore and certificate",
"name": "HTTPS_PASSWORD",
"value": "",
"required": false
},
{
"displayName": "A-MQ Username",
"description": "User name for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.",
@@ -186,34 +137,6 @@
"value": "openshift",
"required": true
},
{
"displayName": "JGroups Secret Name",
"description": "The name of the secret containing the keystore file",
"name": "JGROUPS_ENCRYPT_SECRET",
"value": "eap-app-secret",
"required": false
},
{
"displayName": "JGroups Keystore Filename",
"description": "The name of the keystore file within the secret",
"name": "JGROUPS_ENCRYPT_KEYSTORE",
"value": "jgroups.jceks",
"required": false
},
{
"displayName": "JGroups Certificate Name",
"description": "The name associated with the server certificate",
"name": "JGROUPS_ENCRYPT_NAME",
"value": "",
"required": false
},
{
"displayName": "JGroups Keystore Password",
"description": "The password for the keystore and certificate",
"name": "JGROUPS_ENCRYPT_PASSWORD",
"value": "",
"required": false
},
{
"displayName": "JGroups Cluster Password",
"description": "JGroups cluster password",
@@ -275,31 +198,6 @@
}
}
},
{
"kind": "Service",
"apiVersion": "v1",
"spec": {
"ports": [
{
"port": 8443,
"targetPort": 8443
}
],
"selector": {
"deploymentConfig": "${APPLICATION_NAME}"
}
},
"metadata": {
"name": "secure-${APPLICATION_NAME}",
"labels": {
"application": "${APPLICATION_NAME}"
},
"annotations": {
"description": "The web server's HTTPS port.",
"service.alpha.openshift.io/dependencies": "[{\"name\": \"${APPLICATION_NAME}-amq-tcp\", \"kind\": \"Service\"}]"
}
}
},
{
"kind": "Service",
"apiVersion": "v1",
@@ -390,32 +288,11 @@
}
},
"spec": {
"host": "${HOSTNAME_HTTP}",
"to": {
"name": "${APPLICATION_NAME}"
}
}
},
{
"kind": "Route",
"apiVersion": "v1",
"id": "${APPLICATION_NAME}-https",
"metadata": {
"name": "secure-${APPLICATION_NAME}",
"labels": {
"application": "${APPLICATION_NAME}"
},
"annotations": {
"description": "Route for application's HTTPS service."
}
},
"spec": {
"host": "${HOSTNAME_HTTPS}",
"to": {
"name": "secure-${APPLICATION_NAME}"
},
"tls": {
"termination": "passthrough"
"termination": "edge"
}
}
},
@@ -552,18 +429,6 @@
"memory": "${MEMORY_LIMIT}"
}
},
"volumeMounts": [
{
"name": "eap-keystore-volume",
"mountPath": "/etc/eap-secret-volume",
"readOnly": true
},
{
"name": "eap-jgroups-keystore-volume",
"mountPath": "/etc/jgroups-encrypt-secret-volume",
"readOnly": true
}
],
"livenessProbe": {
"exec": {
"command": [
@@ -594,11 +459,6 @@
"containerPort": 8080,
"protocol": "TCP"
},
{
"name": "https",
"containerPort": 8443,
"protocol": "TCP"
},
{
"name": "ping",
"containerPort": 8888,
@@ -650,46 +510,6 @@
"name": "OPENSHIFT_DNS_PING_SERVICE_PORT",
"value": "8888"
},
{
"name": "HTTPS_KEYSTORE_DIR",
"value": "/etc/eap-secret-volume"
},
{
"name": "HTTPS_KEYSTORE",
"value": "${HTTPS_KEYSTORE}"
},
{
"name": "HTTPS_KEYSTORE_TYPE",
"value": "${HTTPS_KEYSTORE_TYPE}"
},
{
"name": "HTTPS_NAME",
"value": "${HTTPS_NAME}"
},
{
"name": "HTTPS_PASSWORD",
"value": "${HTTPS_PASSWORD}"
},
{
"name": "JGROUPS_ENCRYPT_SECRET",
"value": "${JGROUPS_ENCRYPT_SECRET}"
},
{
"name": "JGROUPS_ENCRYPT_KEYSTORE_DIR",
"value": "/etc/jgroups-encrypt-secret-volume"
},
{
"name": "JGROUPS_ENCRYPT_KEYSTORE",
"value": "${JGROUPS_ENCRYPT_KEYSTORE}"
},
{
"name": "JGROUPS_ENCRYPT_NAME",
"value": "${JGROUPS_ENCRYPT_NAME}"
},
{
"name": "JGROUPS_ENCRYPT_PASSWORD",
"value": "${JGROUPS_ENCRYPT_PASSWORD}"
},
{
"name": "JGROUPS_CLUSTER_PASSWORD",
"value": "${JGROUPS_CLUSTER_PASSWORD}"
@@ -700,20 +520,6 @@
}
]
}
],
"volumes": [
{
"name": "eap-keystore-volume",
"secret": {
"secretName": "${HTTPS_SECRET}"
}
},
{
"name": "eap-jgroups-keystore-volume",
"secret": {
"secretName": "${JGROUPS_ENCRYPT_SECRET}"
}
}
]
}
}
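Review bot: The Route hunk that replaces `"termination": "passthrough"` with `"termination": "edge"` leaves `insecureEdgeTerminationPolicy` unset, so what happens to a plain-HTTP request to the route host is decided by the router default rather than by the template; the `tls` block added in eap/eap64-basic-s2i.json has the same gap. I would state the intent next to the termination, `"insecureEdgeTerminationPolicy": "Redirect"`, so a client still using the old http URL is moved to TLS rather than refused or served in clear. With the 8443 Service, the https container port and the keystore volume removed in this file, the router-to-pod hop is presumably plain HTTP on 8080. The same section also drops the `JGROUPS_ENCRYPT_*` parameters, environment entries and keystore mount, which appears to leave cluster traffic guarded only by `JGROUPS_CLUSTER_PASSWORD`; please confirm that is intended for the ephemeral template. The Route object begins above the hunk, so its metadata is not visible here.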
15 changes: 5 additions & 10 deletions eap/eap64-basic-s2i.json
@@ -6,10 +6,10 @@
"iconClass": "icon-eap",
"tags": "eap,javaee,java,jboss",
"version": "1.4.14",
"openshift.io/display-name": "JBoss EAP 6.4 (no https)",
"openshift.io/display-name": "JBoss EAP 6.4",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "An example EAP 6 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration and insecure communication using http.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration and secure communication using https.",
"template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/",
"template.openshift.io/support-url": "https://access.redhat.com"
},
@@ -28,13 +28,6 @@
"value": "eap-app",
"required": true
},
{
"displayName": "Custom http Route Hostname",
"description": "Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-<project>.<default-domain-suffix>",
"name": "HOSTNAME_HTTP",
"value": "",
"required": false
},
{
"displayName": "Git Repository URL",
"description": "Git source URI for application",
@@ -201,9 +194,11 @@
}
},
"spec": {
"host": "${HOSTNAME_HTTP}",
"to": {
"name": "${APPLICATION_NAME}"
},
"tls": {
"termination": "edge"
}
}
},
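Review bot: The long-description in this section now promises "secure communication using https", but with the `tls` block set to `"termination": "edge"` TLS ends at the router and the request is then forwarded to the plain `${APPLICATION_NAME}` service. Users who need encryption up to the container should be steered to the passthrough template, so I would end the description with something like `... and a route secured with edge-terminated TLS (traffic between the router and the pod is not encrypted).` Removing `HOSTNAME_HTTP` also means the route host can no longer be chosen at instantiation, and existing automation that passes the parameter will presumably fail on an unknown parameter. The Route object and the parameter list both extend beyond the visible hunks.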
4 changes: 2 additions & 2 deletions eap/eap64-https-s2i.json
@@ -6,10 +6,10 @@
"iconClass": "icon-eap",
"tags": "eap,javaee,java,jboss,hidden",
"version": "1.4.14",
"openshift.io/display-name": "JBoss EAP 6.4 (with https)",
"openshift.io/display-name": "JBoss EAP 6.4 (Passthrough TLS)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "An example EAP 6 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration and secure communication using https.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration and secure communication using passthrough TLS.",
"template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/",
"template.openshift.io/support-url": "https://access.redhat.com"
},
4 changes: 2 additions & 2 deletions eap/eap64-mongodb-persistent-s2i.json
@@ -6,10 +6,10 @@
"iconClass": "icon-eap",
"tags": "eap,javaee,java,jboss,hidden",
"version": "1.4.14",
"openshift.io/display-name": "JBoss EAP 6.4 + MongoDB (with https)",
"openshift.io/display-name": "JBoss EAP 6.4 + MongoDB (Persistent)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "An example EAP 6 application with a MongoDB database. For more information about using this template, see https://github.com/jboss-openshift/application-templates.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration, database deployment configuration for MongoDB using persistence and secure communication using https.",
"template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Enterprise Application Server 6.4 based application, including a build configuration, application deployment configuration, database deployment configuration for MongoDB using persistence and secure communication using passthrough TLS.",
"template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/",
"template.openshift.io/support-url": "https://access.redhat.com"
},