Update README #237

Merged
merged 1 commit into from
Dec 18, 2024
@jmesnil jmesnil commented Dec 18, 2024

Improve the section to enable the management console by using a secret to create the admin user instead of hard-coding the password in the Dockerfile

hpehl commented Dec 18, 2024

Add some instructions from https://quay.io/repository/halconsole/wildfly / https://github.com/hal/console/blob/main/wildfly/src/main/docker/Dockerfile-standalone

  • Add management user
  • Add allowed origins for https://hal.github.io and others in a configurable, container-compliant way

I don't like the current approach using sed to modify the configuration. I thought about overriding an attribute value with an environment variable. But since allowed-origins is of type LIST that won't work here. So I'm open to other approaches.

@darranl darranl left a comment

It was decided early in the life of AS7 we would avoid both default passwords AND usernames for use of the management endpoint.

Improve the section to enable the management console by using a secret
to create the admin user instead of hard-coding the credentials in the Dockerfile

Signed-off-by: Jeff Mesnil <[email protected]>
@jmesnil jmesnil requested a review from darranl December 18, 2024 14:34
jmesnil commented Dec 18, 2024

I don't like the current approach using sed to modify the configuration. I thought about overriding an attribute value with an environment variable. But since allowed-origins is of type LIST that won't work here. So I'm open to other approaches.

I had a dig at it but it's not working atm:

$ cat server.cli
embed-server --admin-only --server-config=standalone.xml
/core-service=management/management-interface=http-interface:list-add(name=allowed-origins,value=https://${ROUTE_HOST:localhost})
exit

$ cat Dockerfile
FROM quay.io/wildfly/wildfly

RUN --mount=type=secret,id=ADMIN_USER,env=ADMIN_USER,required=true \
    --mount=type=secret,id=ADMIN_PASSWORD,env=ADMIN_PASSWORD,required=true \
    $JBOSS_HOME/bin/add-user.sh -u "${ADMIN_USER}" -p "${ADMIN_PASSWORD}" --silent
COPY . .
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=./server.cli
RUN rm -rf $JBOSS_HOME/standalone/configuration/standalone_xml_history

USER root
RUN chown -R jboss:0 ${JBOSS_HOME} \
   && chmod -R g+rw ${JBOSS_HOME}

USER jboss 

CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]

Build the image and push it to quay.io

ADMIN_USER=alice ADMIN_PASSWORD=Admin#70365 docker build --platform=linux/amd64 --tag=quay.io/jmesnil/wildfly-admin --secret id=ADMIN_USER --secret id=ADMIN_PASSWORD .
docker push quay.io/jmesnil/wildfly-admin

Create the route wildfly-admin that references a wildfly service (not existing yet but that's ok):

oc create route edge wildfly-admin --service wildfly --port 9990

Create the wildfly app and inject the route host with an env var:

oc new-app --name=wildfly quay.io/jmesnil/wildfly-admin -e ROUTE_HOST=$(oc get route wildfly-admin -o jsonpath='{.spec.host}')

At this point, it should work but somehow my route is giving me a 503.
When I look at the pod, the http-interface seems correct:

sh-5.1$ $JBOSS_HOME/bin/jboss-cli.sh -c
Authenticating against security realm: ManagementRealm
Username: alice
Password: 
[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:read-resource(resolve-expressions)
{
    "outcome" => "success",
    "result" => {
        "allowed-origins" => ["https://wildfly-admin-jmesnil1-dev.apps.sandbox-m4.g2pi.p1.openshiftapps.com"],
        "backlog" => 50,
        "connection-high-water" => 100,
        "connection-low-water" => 75,
        "console-enabled" => true,
        "constant-headers" => undefined,
        "http-authentication-factory" => "management-http-authentication",
        "http-upgrade" => {
            "enabled" => true,
            "sasl-authentication-factory" => "management-sasl-authentication"
        },
        "http-upgrade-enabled" => true,
        "no-request-timeout" => 60000,
        "sasl-protocol" => "remote",
        "secure-socket-binding" => undefined,
        "server-name" => undefined,
        "socket-binding" => "management-http",
        "ssl-context" => undefined
    }
}
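
A build-time check for the pattern this PR moves away from, as an added example that is not part of the PR or the project: it reads a Dockerfile on stdin and flags `add-user.sh` calls whose `-u`/`-p` values are literals, or variables on a `RUN` without `--mount=type=secret`. The names `lint_add_user`, `sample_hardcoded` and `sample_secret` and the hard-coded sample are constructed for illustration; a variable without a secret mount is assumed to come from `ARG` or `ENV`.

```shell
#!/bin/sh
# Added example: lint a Dockerfile (stdin) for add-user.sh credentials.
# Prints one finding per line; exit status is 1 if anything was found.
lint_add_user() {
  awk '
    function check(ins, at,    n, i, tok, val, secret) {
      if (ins !~ /^[ \t]*RUN[ \t]/ || ins !~ /add-user\.sh/) return
      secret = (ins ~ /--mount=type=secret/)
      n = split(ins, tok, /[ \t]+/)
      for (i = 1; i < n; i++) {
        if (tok[i] != "-u" && tok[i] != "-p") continue
        val = tok[i + 1]; gsub(/"/, "", val)
        if (val !~ /^\$/) {          # literal user name or password
          printf "line %d: %s is a literal baked into the image\n", at, tok[i]; bad++
        } else if (!secret) {        # variable, but fed by ARG/ENV (assumption)
          printf "line %d: %s variable has no secret mount\n", at, tok[i]; bad++
        }
      }
    }
    { sub(/[ \t\r]+$/, "") }                          # tolerate trailing blanks
    buf == "" { start = NR }                          # first line of an instruction
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continuation lines
    { check(buf $0, start); buf = "" }
    END { exit (bad > 0) }
  '
}

# Constructed input: user name and password written straight into the RUN line.
sample_hardcoded() {
  cat <<'EOF'
FROM quay.io/wildfly/wildfly
RUN $JBOSS_HOME/bin/add-user.sh -u admin -p example-password --silent
EOF
}

# The secret-mount RUN instruction from the Dockerfile in the comment above.
sample_secret() {
  cat <<'EOF'
FROM quay.io/wildfly/wildfly
RUN --mount=type=secret,id=ADMIN_USER,env=ADMIN_USER,required=true \
    --mount=type=secret,id=ADMIN_PASSWORD,env=ADMIN_PASSWORD,required=true \
    $JBOSS_HOME/bin/add-user.sh -u ${ADMIN_USER} -p ${ADMIN_PASSWORD} --silent
EOF
}

sample_hardcoded | lint_add_user || echo "hard-coded sample: rejected"
sample_secret | lint_add_user && echo "secret-mount sample: clean"
```

The findings name the flag and line only, so the check never echoes a credential into CI logs. It covers `add-user.sh` invocations alone; credentials passed through `ENV` or copied-in property files need their own checks.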

@jmesnil jmesnil merged commit 59b9d1a into jboss-dockerfiles:main Dec 18, 2024
3 checks passed