AMQ broker with TLS+SNI and custom credentials
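#!/bin/sh
# Deploy an AMQ 7.6 broker on OpenShift with TLS (passthrough route, SNI) and
# broker/keystore credentials supplied through secrets instead of template defaults.
#
# Requires: oc (logged in, allowed to create projects) and keytool on PATH.
# Optional environment variables (defaults reproduce the original demo values):
#   AMQ_USER_VALUE      broker username, stored under the amqUser secret key
#   AMQ_PASSWORD_VALUE  broker password, stored under the amqPassword secret key
#   STORE_PASSWORD      password used for broker.ks and client.ts, stored under the
#                       keyStorePassword and trustStorePassword secret keys
set -eu

AMQ_USER_VALUE="${AMQ_USER_VALUE:-amq}"
AMQ_PASSWORD_VALUE="${AMQ_PASSWORD_VALUE:-amq}"
STORE_PASSWORD="${STORE_PASSWORD:-pippo123}"
# keytool reads it through -storepass:env, so the value never appears on argv / in ps
export STORE_PASSWORD

# create the project
oc new-project amq-broker
# import the templates (this is done project-wise here); everything is pinned to the 76-7.6.0.GA tag
base_url=https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/76-7.6.0.GA
oc replace --force -f "${base_url}/amq-broker-7-image-streams.yaml"
for template in amq-broker-76-basic.yaml \
  amq-broker-76-ssl.yaml \
  amq-broker-76-custom.yaml \
  amq-broker-76-persistence.yaml \
  amq-broker-76-persistence-ssl.yaml \
  amq-broker-76-persistence-clustered.yaml \
  amq-broker-76-persistence-clustered-ssl.yaml; do
  oc replace --force -f "${base_url}/templates/${template}"
done
# create an SA with name: amq-service-account
echo '{"kind": "ServiceAccount", "apiVersion": "v1", "metadata": {"name": "amq-service-account"}}' | oc create -f -
# add the role
oc policy add-role-to-user view system:serviceaccount:amq-broker:amq-service-account
# create the certificates. keytool still prompts for the certificate DN (and for trust
# confirmation on import), but the store/key password is taken from STORE_PASSWORD so it is
# guaranteed to match the keyStorePassword / trustStorePassword secret values created below.
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks \
  -storepass:env STORE_PASSWORD -keypass:env STORE_PASSWORD
keytool -export -alias broker -keystore broker.ks -file broker_cert \
  -storepass:env STORE_PASSWORD
# client.ks is generated for symmetry with the original flow; the template below only consumes client.ts
keytool -genkey -alias client -keyalg RSA -keystore client.ks \
  -storepass:env STORE_PASSWORD -keypass:env STORE_PASSWORD
keytool -import -alias broker -keystore client.ts -file broker_cert \
  -storepass:env STORE_PASSWORD
# create the secret out of the certificates
oc create secret generic amq-ssl-certs --from-file=broker.ks --from-file=client.ts
# create the secret with AMQ credentials:
#   amqUser            is the key defining the AMQ username
#   amqPassword        is the key defining the AMQ password
#   trustStorePassword is the key containing the trust store password
#   keyStorePassword   is the key containing the key store password
# The values are written to a private temp dir and passed with --from-file so they do not
# show up in shell history or `ps` the way --from-literal=... would.
cred_dir=$(mktemp -d)
trap 'rm -rf -- "${cred_dir:?}"' EXIT
(
  umask 077
  printf '%s' "${AMQ_USER_VALUE}" > "${cred_dir}/amqUser"
  printf '%s' "${AMQ_PASSWORD_VALUE}" > "${cred_dir}/amqPassword"
  printf '%s' "${STORE_PASSWORD}" > "${cred_dir}/trustStorePassword"
  printf '%s' "${STORE_PASSWORD}" > "${cred_dir}/keyStorePassword"
)
oc create secret generic amq-credential-secrets \
  --from-file="${cred_dir}/amqUser" \
  --from-file="${cred_dir}/amqPassword" \
  --from-file="${cred_dir}/trustStorePassword" \
  --from-file="${cred_dir}/keyStorePassword"
# link the secrets to the SA
oc secrets link sa/amq-service-account secret/amq-ssl-certs
oc secrets link sa/amq-service-account secret/amq-credential-secrets
# deploy the app from the template. Note that AMQ_USER, AMQ_PASSWORD, AMQ_KEYSTORE_PASSWORD
# and AMQ_TRUSTSTORE_PASSWORD are the *key names* inside AMQ_CREDENTIAL_SECRET, not the values.
oc new-app --template=amq-broker-76-ssl \
  -p AMQ_PROTOCOL=core,openwire,amqp,stomp,mqtt,hornetq \
  -p AMQ_QUEUES=demoQueue \
  -p AMQ_ADDRESSES=demoTopic \
  -p AMQ_MULTICAST_PREFIX=jms.topic. \
  -p AMQ_ANYCAST_PREFIX=jms.queue. \
  -p AMQ_USER=amqUser \
  -p AMQ_PASSWORD=amqPassword \
  -p AMQ_KEYSTORE=broker.ks \
  -p AMQ_TRUSTSTORE=client.ts \
  -p AMQ_KEYSTORE_PASSWORD=keyStorePassword \
  -p AMQ_TRUSTSTORE_PASSWORD=trustStorePassword \
  -p AMQ_CREDENTIAL_SECRET=amq-credential-secrets \
  -p AMQ_SECRET=amq-ssl-certs
# check the service is created
oc describe svc/broker-amq-tcp-ssl
# create the route (passthrough: TLS terminates in the broker, the router only uses SNI to pick the backend)
oc create route passthrough --service broker-amq-tcp-ssl amq-tcp-ssl --port 61617
# you can test the route looking at the pod logs and sending a TLS/SNI request to it; the
# SNI server name must be the route host, which can be read back from the route object:
#   host=$(oc get route amq-tcp-ssl -o jsonpath='{.spec.host}')
#   openssl s_client -connect "${host}:443" -servername "${host}"
# original example:
# openssl s_client -connect amq-tcp-ssl-amqtest1.apps.amqtest.lab.upshift.rdu2.redhat.com:443 -servername amq-tcp-ssl-amqtest1.apps.amqtest.lab.upshift.rdu2.redhat.com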