Openshift Container Platform (OCP)
Openshift Container Platform
ZTrust can be deployed on the Openshift Container Platform. The prerequisites of deploying ZTrust on OCP are as follows.
Prerequisites
OCP Version 4.15 or higher:
We recommend deploying production-grade ZTrust SSO on OCP cluster as Kind deployment.
ZTrust SSO is not a stateless app. It maintains user sessions and cache and requires a database.
ZTrust SSO uses OCP's service discovery to discover similar ZTrust pods and create ZTrust clusters automatically for HA.
OCP can automatically restart pods, auto-rollout upgrades, and auto-scale pods with zero downtime.
Sticky sessions are more efficiently handled with OCP Routes and Service.
For production, multi-tenant, HA-enabled ZTrust → use OCP.
Minimum vCPU & RAM
ZTrust SSO requires a minimum of 800 millicore CPUs and 600 MB of RAM during startup.
With a standard load, ZTrust consumes around 300 millicores of CPU and 1200 MB of RAM per pod.
The usage may vary depending on the number of users, active user sessions, and features used.
Database
For a production-grade setup, ZTrust needs a database to persist the ZTrust configuration and user data. The following table shows a list of supported databases for ZTrust
DatabaseOptionTested versionMaria DB Server
mariadb
11.2
Micosoft SQL Server
mssql
2022
MySQL
mysql
8.4
Oracle Database
oracle
23.5
PostgreSQL
posgres
17
Amazon Aurora PostgreSQL
postgres
16.8
It is recommended to use 100 GB storage for the SQL DB for up to 100,000 users. The storage may increase if the number of users is increased.
Route: Use route for,
Session stickiness
ZTrust relies on session cookies during login and admin console use.
If requests bounce between different ZTrust pods, users may get logged out or see errors.
Route can enforce sticky sessions via cookie affinity, ensuring all user requests hit the same pod for the session.
TLS termination & hostname handling
ZTrust requires a fixed hostname in OCP Route (ZT_HOSTNAME); otherwise, redirects and OIDC flows fail.
Route handles:
TLS termination
Large Tokens in auth header.
Hostname routing. For multi-organisation setup, Route is helpful in setting up multiple hosts for the same ZTrust instance. Route hosts option can be leveraged for isolating organisation-specific traffic and routing to a shared ZTrust instance (Pod).
Load balancing & failover
If you run multiple ZTrust pod replicas, OCP Route and Service balances traffic automatically.
Route gives finer control: health checks, failover, and pod draining during rolling upgrades.
Compatibility with OIDC/SAML flows
OIDC & SAML redirect flows need absolute URLs and consistent session state.
OCP Route simplifies this by presenting a single, stable public endpoint even if backend pods move around.
Custom routing & path handling
Many setups run ZTrust under a path (e.g., /auth).
Route handles path rewrites, forwarding, and securing access with annotations.
RabbitMQ – Version 3.12.2 (recommended)
ZTrust SSO uses RabbitMQ-based interactions with the ZTrust Authenticator app via the MQTT protocol. You should ensure that your RabbitMQ has the following:
RabbitMQ version is 3.12.2
The TLS certificates are added to RabbitMQ, and MQTTS is configured.
A writable virtual host is configured with the right permissions of the topic exchanges for the RabbitMQ user.
For a production-grade RabbitMQ, it is recommended to go with 30 GB of disc space in the virtual host.
SSL/TLS certificates
Certificates are required during the runtime of ZTrust SSO on OCP to enable better encryption and production grade. Please ensure you have a valid CA signed certificate for the ZTrust deployment. Alternatively, you can use a
Let’s Encryptor Self-signed certificate in your non-prod environment.ZTrust SSO requires the SSL certificates' public and private keys during pod startup for a production-grade setup. Hence, OCP Route should be configured with 'Passthrough' or 'Edge' TLS Termination, maintaining both route termination and pod certificates as same.
Deploy on OCP
Once the prerequisites are satisfied, you are ready to deploy the ZTrust SSO on your OCP Cluster. Let’s consider the OCP deployment kind with service and route for this installation. The following environment variables are required to be added to ZTrust SSO deployment.
ZT_DB
Database type (e.g., postgres, mysql, mariadb).
mariadbmssqlmysqloraclepostgres
ZT_DB_URL
Full JDBC URL string including host, port, and database name.
jdbc:postgresql://url:port/db-name
ZT_DB_USERNAME
Database username with privileges to access the DB.
<string>
ZT_DB_PASSWORD
Database password.
<string>
ZTRUST_ADMIN
Default Admin username for ZTrust Admin Console.
<string>
ZTRUST_ADMIN_PASSWORD
Default password for Admin user.
<string>
ZT_HOSTNAME
Defines the external hostname (base URL) that ZTrust uses to generate redirects, tokens, and OIDC/SAML endpoints.
auth.example.com
ZT_PROXY
This variable tells ZTrust how to handle proxy headers (like X-Forwarded-For, X-Forwarded-Proto) when running behind reverse proxies or ingress controllers (NGINX, HAProxy, ALB, etc.). If ZTrust is behind a reverse proxy use “edge”. If the proxy terminates TLS and then re-encrypts traffic back to ZTrust then use “reencrypt”If the proxy is not terminating TLS, but just passing it through to ZTrust then use “passthrough”
edge reencrypt passthrough
PROXY_ADDRESS_FORWARDING
Same as ZT_PROXY but useful in older ZTrust versions
true false
ZT_HTTPS_CERTIFICATE_FILE
Path to the TLS/SSL certificate file (.crt or .pem) that ZTrust should use for HTTPS. The certificates can be mounted via configmap to the ZTrust deployment.
/tmp/ztrust/tls.crt
ZT_HTTPS_CERTIFICATE_KEY_FILE
Path to the certificate private key file (.key or .pem) that ZTrust should use for HTTPS. The private key can be mounted via configmap to the ZTrust deployment.
/tmp/ztrust/tls.key
Create a namespace in your OCP cluster, "ztrust-sso", using the oc command.
oc new-project ztrust-ssoOr,
Log into the web-console of the OCP cluster.
In the Sidebar, click Home ⇒ Projects.
Click the Create Project button. Give it a name, "ztrust-sso", and description.
Click Create.
Create a OCP TLS secret in the same namespace using the following command.
oc create secret tls ztrust-tls-secret --key path/to/key-file --cert path/to/cert-fileIn the web-console, click Workloads ⇒ Secrets
Click on
ztrust-tls-secret.
Click on Add Secret to Workload button
Now, we will create a Image Pull secret. Go to Workloads ⇒ Secrets. Click on Create Secret button and select Image Pull secret.
Fill in the details and click Create.
In the web-console, click Workloads ⇒ Deployment.
Click on Create Deployment button.
Fill the following YAML file. You can change the name of the deployment, labels, secrets and volumes as per your convenience.
apiVersion: v1 items: - apiVersion: apps/v1 kind: Deployment metadata: name: ztrust-sso namespace: ztrust-sso spec: replicas: 1 selector: matchLabels: app: ztrust-sso template: metadata: labels: app: ztrust-sso spec: containers: - command: - /opt/ZTrust/bin/zt.sh - start env: - name: ZTRUST_ADMIN value: <admin-username> - name: ZTRUST_ADMIN_PASSWORD value: <admin-paddword> - name: PROXY_ADDRESS_FORWARDING value: "true" - name: ZT_PROXY value: edge - name: ZT_DB value: postgres - name: ZT_DB_URL value: jdbc:postgresql://<url:port>/<db-name> - name: ZT_DB_USERNAME value: <db-username> - name: ZT_DB_PASSWORD value: <db-password> - name: ZT_HOSTNAME value: <auth.example.com> - name: ZT_HTTPS_CERTIFICATE_FILE value: /tmp/ztrust/tls.crt - name: ZT_HTTPS_CERTIFICATE_KEY_FILE value: /tmp/ztrust/tls.key image: registry.prodevans.com/ztrust-sso/ztrust-sso: imagePullPolicy: IfNotPresent name: ztrust-container ports: - containerPort: 8443 protocol: TCP resources: {} volumeMounts: - mountPath: /tmp/ztrust name: ztrust-cert readOnly: true dnsPolicy: ClusterFirst imagePullSecrets: - name: <image-pull-secret-name> securityContext: {}Note the TLS secret attached as the volume mount in this deployment. The TLS secret should be mounted to ZTrust deployment to a readable path. Openshift will create the read-only mount point directory in the pod which is only readable. Then the TLS certificates will be available as certificate files. Please don't attach the TLS secret to "/tmp/" directory since it will block that directory and will not allow the "ZTrust-SSO" container to create cache files there
Click Save and you should be seeing the pods rolling up and changing to running state in the OCP.
Then we need to create a service for this deployment. In the web-console, click Networking ⇒ Services.
Click on Create Service button.
Fill in with the following YAML file.
apiVersion: v1 kind: Service metadata: name: ztrust-service namespace: ztrust-sso spec: selector: app: ztrust-sso ports: - protocol: TCP port: 8443 targetPort: 8443Note the port number and selector, which should be matching with your deployment you created in the previous step.
Click Save and you should be able to see the new service created in your OCP cluster.
Now the service has to be exposed to outside networks using a Route. To create a Route in the same namespace, click Networking ⇒ Routes.
Click on the Create Route button.
Give a Name, "ztrust", to the route and remove the '/' from the Path.
Select the Service you just created and select the Target port.
Check the Secure Route checkbox and select the TLS Termination as Passthrough.
Click Create.
Now, copy the URL and paste into the deployment YAML as the value of ZT_HOSTNAME.
Click Save.
Now, your ZTrust service should be acessible, and you should be able to navigate to the ZTrust Admin Console.
Last updated