So, I was looking for a way to run keyclaok / Red Hat SSO in a container with a slightly modified configuration (so, changing the standalone-openshift.xml) without having to build a custom image. The solution I came up with, wasn’t really documented but works like charme. The trick is to use a post configuration script, which is executed before the JBoss EAP is started. Once you know this, it really is straight forward. All you need is a bash script which executes the CLI commands. Don’t forget to use the offline mode for CLI execution. You don’t want to start the entire app server just to. e.g. add a certificate via CLI. This also makes sure you keep the boot-time overhead as minimal as possible.

The bash script really juut is there to execute our CLI script, so the content is fairly easy:


${JBOSS_HOME}/bin/ --file=${JBOSS_HOME}/extensions/my-cli-script.cli

The content of the CLI script is whatever you need, let’s jsut do an echo for now:

embed-server -c standalone-openshift.xml

echo foobar


Don’t forget to use the standalone-openshift.xml as config. This is the one which is used by default on server startup.

So, first we create a config map where we store the contents of the CLI script and the bash script:

oc create configmap cli-script --from-file=my-cli-script.cli=extensions/my-cli-script.cli

After that, we need to add a volume mount to our deploymentconfig:

oc set volumes dc/my-eap --add --name=cli-script --mount-path=/opt/eap/extensions --type=configmap --configmap-name=cli-script --default-mode='0755' --overwrite