Resolve "Alfa version of the Helm chart for version 1.7.0"

.gitignore

 .vscode
-build.sh
+build.sh
\ No newline at end of file
+.idea/
\ No newline at end of file

.gitlab-ci.yml

@@ -19,6 +19,7 @@ version-bump-dev:
     - git checkout master
     - export MASTER_CHART_VERSION=$(yq e '.version' charts/$CHART_NAME/Chart.yaml)
     - git checkout $CI_COMMIT_REF_NAME
+    - git branch --set-upstream-to=origin/$CI_COMMIT_REF_NAME $CI_COMMIT_REF_NAME
     - git pull
     - export CURRENT_CHART_VERSION=$(yq e '.version' charts/$CHART_NAME/Chart.yaml)
     - export CURRENT_DOCKER_IMAGE_VERSION=$(yq e '.platform.image.tag' charts/$CHART_NAME/values.yaml)

README.md

 # nmaas
 
-![Version: 1.2.17](https://img.shields.io/badge/Version-1.2.17-informational?style=flat-square) ![AppVersion: 1.6.5](https://img.shields.io/badge/AppVersion-1.6.5-informational?style=flat-square)
+![Version: 2.0.0-1](https://img.shields.io/badge/Version-2.0.0--1-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square)
 
 GÉANT Network Management as a Service Helm chart for Kubernetes
 
@@ -14,7 +14,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror | postgresql | 10.16.2 |
+| https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror | postgresql | 16.6.0 |
 
 ## Values
 
@@ -34,6 +34,8 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | global.nmaasDomain | string | `"nmaas.example.com"` |  |
 | global.registrysecret | string | `"nmaas-registry"` | currently not needed, for future use |
 | global.wildcardCertificateName | string | `"wildcard-tls"` |  |
+| helm.clusterRoleBindingName | string | `"nmaas-helm-admin"` |  |
+| helm.clusterRoleName | string | `"cluster-admin"` |  |
 | helm.enabled | bool | `true` |  |
 | helm.image.pullPolicy | string | `"Always"` |  |
 | helm.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-helm-3"` |  |
@@ -49,10 +51,12 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | helm.serviceAccountName | string | `"nmaas-helm"` |  |
 | helm.targetPort | int | `22` |  |
 | helm.type | string | `"ClusterIP"` |  |
+| janitor.clusterRoleBindingName | string | `"nmaas-janitor"` |  |
+| janitor.clusterRoleName | string | `"janitor-role"` |  |
 | janitor.enabled | bool | `true` |  |
 | janitor.image.pullPolicy | string | `"IfNotPresent"` |  |
 | janitor.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-janitor"` |  |
-| janitor.image.tag | string | `"1.6.1"` |  |
+| janitor.image.tag | string | `"1.7.0"` |  |
 | janitor.name | string | `"nmaas-janitor"` |  |
 | janitor.port | int | `5000` |  |
 | janitor.serviceAccountName | string | `"nmaas-janitor"` |  |
@@ -64,15 +68,17 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | platform.apiSecret.literal | string | `""` | leave empty to use existing secret specified below |
 | platform.apiSecret.secret.key | string | `"secret"` |  |
 | platform.apiSecret.secret.name | string | `"nmaas-api-secret"` | must be created manually if literal is empty |
+| platform.clusterRoleBindingName | string | `"nmaas-platform"` |  |
+| platform.clusterRoleName | string | `"nmaas-shell-role"` |  |
 | platform.enabled | bool | `true` |  |
 | platform.image.pullPolicy | string | `"IfNotPresent"` |  |
 | platform.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-platform"` |  |
-| platform.image.tag | string | `"1.6.5"` |  |
+| platform.image.tag | string | `"1.7.0"` |  |
 | platform.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set |
 | platform.initscripts.enabled | bool | `true` |  |
 | platform.initscripts.image.pullPolicy | string | `"Always"` |  |
 | platform.initscripts.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-platform-populate"` |  |
-| platform.initscripts.image.tag | string | `"1.6.5"` |  |
+| platform.initscripts.image.tag | string | `"1.7.0"` |  |
 | platform.livenessProbe.failureThreshold | int | `10` |  |
 | platform.livenessProbe.httpGet.path | string | `"/actuator/health"` |  |
 | platform.livenessProbe.httpGet.port | int | `9001` |  |
@@ -93,6 +99,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | platform.properties.captchaSecret.secret.key | string | `"secret"` |  |
 | platform.properties.captchaSecret.secret.name | string | `"nmaas-captcha-secret-secret"` |  |
 | platform.properties.defaultLanguage | string | `"en"` |  |
+| platform.properties.environment | string | `"prod"` |  |
 | platform.properties.helm.address | string | `"nmaas-helm"` |  |
 | platform.properties.helm.asyncUpdateCron | string | `"0 0 * * * ?"` |  |
 | platform.properties.helm.asyncUpdateEnabled | bool | `true` |  |
@@ -103,6 +110,11 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | platform.properties.helm.useLocalCharts | bool | `false` |  |
 | platform.properties.helm.username | string | `"helm"` |  |
 | platform.properties.helm.version | string | `"v3"` |  |
+| platform.properties.jwt.resetKey.literal | string | `""` | leave empty to use existing secret, length at least 96 characters |
+| platform.properties.jwt.resetKey.secret.key | string | `"jwtResetKey"` |  |
+| platform.properties.jwt.secretName | string | `"nmaas-jwt"` |  |
+| platform.properties.jwt.signingKey.literal | string | `""` | leave empty to use existing secret, length at least 96 characters |
+| platform.properties.jwt.signingKey.secret.key | string | `"jwtSigningKey"` |  |
 | platform.properties.k8s.deployment.defaultNamespace | string | `"default"` | parameter used only if USE_DEFAULT_NAMESPACE option is set |
 | platform.properties.k8s.deployment.defaultStorageClass | string | `nil` | should be left blank if default storage class was defined defined at cluster should be used |
 | platform.properties.k8s.deployment.namespaceConfigOption | string | `"USE_DOMAIN_NAMESPACE"` | two options possible: USE_DOMAIN_NAMESPACE or USE_DEFAULT_NAMESPACE |
@@ -116,7 +128,15 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | platform.properties.k8s.ingress.controller.publicServiceDomain | string | `"public.nmaas.example.com"` | base FQDN for deployed user applications exposed publicly (e.g. public.nmaas.example.com) |
 | platform.properties.k8s.ingress.controller.tlsSupported | bool | `true` | flag indicating if ingress controller(s) support TLS |
 | platform.properties.maintenance | bool | `false` |  |
+| platform.properties.multiInstanceSupport | bool | `false` |  |
 | platform.properties.nmaasMetricsEnabled | bool | `true` | expose Prometheus metrics |
+| platform.properties.oidc.clientId | string | `""` |  |
+| platform.properties.oidc.clientSecret.literal | string | `""` | leave empty to use existing secret |
+| platform.properties.oidc.clientSecret.secret.key | string | `"oidcClientSecret"` |  |
+| platform.properties.oidc.enabled | bool | `false` |  |
+| platform.properties.oidc.issuerUri | string | `"https://auth.example.com/realms/master"` |  |
+| platform.properties.oidc.secretName | string | `"nmaas-oidc"` |  |
+| platform.properties.oidcUserLinking | bool | `true` |  |
 | platform.properties.postgresql | object | `{"database":"nmaas","hostname":"nmaas-postgresql","password":{"literal":"","secret":{"key":"secret","name":"nmaas-postgresql-secret"}},"port":5432,"username":"nmaas"}` | only required if an external postgresql instance is used (when postgresql.install is false) |
 | platform.properties.postgresql.password.literal | string | `""` | leave empty to use existing secret specified below |
 | platform.properties.sendAppInstanceFailureEmails | bool | `false` |  |
@@ -129,19 +149,13 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | platform.properties.smtp.defaultDomain | string | `"example.com"` | exposed as SMTP_FROM_DEFAULT_DOMAIN in global deployment parameters |
 | platform.properties.smtp.from | string | `""` | override default SMTP from value |
 | platform.properties.smtp.host | string | `"nmaas-postfix"` |  |
-| platform.properties.sso.enabled | bool | `false` |  |
-| platform.properties.sso.encryptionSecret.literal | string | `""` | leave empty to use existing secret specified below |
-| platform.properties.sso.encryptionSecret.secret.key | string | `"secret"` |  |
-| platform.properties.sso.encryptionSecret.secret.name | string | `"nmaas-sp-secret"` | must be created manually if literal is empty |
-| platform.properties.sso.timeout | int | `15` |  |
-| platform.properties.sso.urlLogin | string | `""` |  |
-| platform.properties.sso.urlLogout | string | `""` |  |
 | platform.properties.testInstance | bool | `false` |  |
 | platform.readinessProbe.failureThreshold | int | `10` |  |
 | platform.readinessProbe.httpGet.path | string | `"/actuator/health"` |  |
 | platform.readinessProbe.httpGet.port | int | `9001` |  |
 | platform.readinessProbe.periodSeconds | int | `15` |  |
 | platform.readinessProbe.timeoutSeconds | int | `10` |  |
+| platform.serviceAccountName | string | `"nmaas-platform"` |  |
 | platform.startupProbe.failureThreshold | int | `30` |  |
 | platform.startupProbe.httpGet.path | string | `"/actuator/health"` |  |
 | platform.startupProbe.httpGet.port | int | `9001` |  |
@@ -153,7 +167,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | portal.enabled | bool | `true` |  |
 | portal.image.pullPolicy | string | `"IfNotPresent"` |  |
 | portal.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-portal"` |  |
-| portal.image.tag | string | `"1.6.5"` |  |
+| portal.image.tag | string | `"1.7.0"` |  |
 | portal.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set |
 | portal.name | string | `"nmaas-portal"` |  |
 | portal.port | int | `9009` |  |
@@ -177,24 +191,8 @@ GÉANT Network Management as a Service Helm chart for Kubernetes
 | postfix.properties.smtp.password.literal | string | `""` | leave empty to use existing secret |
 | postfix.properties.smtp.username.literal | string | `""` | leave empty to use existing secret |
 | postfix.type | string | `"ClusterIP"` |  |
-| postgresql | object | `{"install":true,"persistence":{"enabled":true,"size":"8Gi"},"postgresqlDatabase":"nmaas","postgresqlPassword":"nmaas","postgresqlUsername":"nmaas"}` | settings for in-cluster postgresql |
+| postgresql | object | `{"auth":{"database":"nmaas","password":"nmaas","postgresPassword":"nmaas","username":"nmaas"},"install":true,"primary":{"networkPolicy":{"enabled":false},"persistence":{"enabled":true,"size":"8Gi"}}}` | settings for in-cluster postgresql |
 | replicaCount | int | `1` |  |
-| sp.enabled | bool | `false` |  |
-| sp.image.pullPolicy | string | `"Always"` |  |
-| sp.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-sp"` |  |
-| sp.image.tag | string | `"1.6.3"` |  |
-| sp.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set |
-| sp.name | string | `"nmaas-sp"` |  |
-| sp.port | int | `443` |  |
-| sp.properties.idp.entityId | string | `"https://keycloak.example.com/realms/master"` |  |
-| sp.properties.idp.metadataUrl | string | `"https://keycloak.example.com/realms/master/protocol/saml/descriptor"` |  |
-| sp.properties.idp.name | string | `"edugain"` |  |
-| sp.properties.idp.remoteUser | string | `"email"` |  |
-| sp.properties.idp.uri | string | `"https://login.terena.org/wayf/saml2/idp/metadata.php"` |  |
-| sp.properties.idp.userId | string | `"uid"` |  |
-| sp.targetPort | int | `80` |  |
-| sp.tls | bool | `true` |  |
-| sp.type | string | `"ClusterIP"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

charts/nmaas/Chart.lock

 dependencies:
 - name: postgresql
   repository: https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror
-  version: 10.16.2
-digest: sha256:94a23914d811a636356a9ee47d6910c3159225b69aef93bc4d9d56a1055b28a5
-generated: "2022-08-30T08:59:05.078630031+02:00"
+  version: 16.6.0
+digest: sha256:be748404e3b45e51a557c0406375f43a84aa32be35cf20c01cce266736bc2039
+generated: "2025-04-04T14:41:38.829381998+02:00"

charts/nmaas/Chart.yaml

 apiVersion: v2
 name: nmaas
 description: GÉANT Network Management as a Service Helm chart for Kubernetes
-version: 1.2.17
-appVersion: 1.6.5
+version: 2.0.0-1
+appVersion: 1.7.0
 keywords:
   - Network Management
   - Cloud Deployment
@@ -13,6 +13,6 @@ maintainers:
     url: https://docs.nmaas.eu
 dependencies:
   - name: postgresql
-    version: 10.16.2
+    version: 16.6.0
     repository: https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror
     condition: postgresql.install

charts/nmaas/templates/nmaas-helm-clusterRoleBinding.yaml

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nmaas-helm-admin
+  name: {{ .Values.helm.clusterRoleBindingName }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: {{ .Values.helm.clusterRoleName }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.helm.serviceAccountName }}

charts/nmaas/templates/nmaas-janitor-clusterRole.yaml

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: janitor-role
+  name: {{ .Values.janitor.clusterRoleName }}
 rules:
 - apiGroups: [""]
   resources: ["configmaps", "secrets", "namespaces"]

charts/nmaas/templates/nmaas-janitor-clusterRoleBinding.yaml

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nmaas-janitor
+  name: {{ .Values.janitor.clusterRoleBindingName }}
 subjects:
 - kind: ServiceAccount
-  name: nmaas-janitor
+  name: {{ .Values.janitor.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole 
-  name: janitor-role
+  name: {{ .Values.janitor.clusterRoleName }}
   apiGroup: rbac.authorization.k8s.io
\ No newline at end of file

charts/nmaas/templates/nmaas-janitor-serviceAccount.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: true
 metadata:
-  name: nmaas-janitor
+  name: {{ .Values.janitor.serviceAccountName }}
\ No newline at end of file

charts/nmaas/templates/nmaas-jwt-secret.yaml

+{{- if and .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+  name: {{ .Values.platform.properties.jwt.secretName | quote }}
+data:
+  {{ .Values.platform.properties.jwt.signingKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}
+  {{ .Values.platform.properties.jwt.resetKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.resetKey.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file

charts/nmaas/templates/nmaas-oidc-secret.yaml

+{{- if and .Values.platform.properties.oidc.enabled .Values.platform.properties.oidc.clientSecret.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+  name: {{ .Values.platform.properties.oidc.secretName | quote }}
+data:
+  {{ .Values.platform.properties.oidc.clientSecret.secret.key | quote }}: {{ .Values.platform.properties.oidc.clientSecret.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file

charts/nmaas/templates/nmaas-platform-clusterRole.yaml

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: nmaas-shell-role
+  name: {{ .Values.platform.clusterRoleName }}
 rules:
 - apiGroups: [""]
   resources: ["pods"]
@@ -9,4 +9,3 @@ rules:
 - apiGroups: [""]
   resources: ["pods/exec"]
   verbs: ["create", "get", "watch"]
-

charts/nmaas/templates/nmaas-platform-clusterRoleBinding.yaml

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nmaas-platform
+  name: {{ .Values.platform.clusterRoleBindingName }}
 subjects:
 - kind: ServiceAccount
-  name: nmaas-platform
+  name: {{ .Values.platform.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: nmaas-shell-role
+  name: {{ .Values.platform.clusterRoleName }}
   apiGroup: rbac.authorization.k8s.io
 

charts/nmaas/templates/nmaas-platform-deployment.yaml

@@ -21,7 +21,7 @@ spec:
       labels:
         app: {{ .Values.platform.name }}
     spec:
-      serviceAccount: nmaas-platform
+      serviceAccount: {{ .Values.platform.serviceAccountName }}
       volumes:
       - name: platform-data
       {{- if .Values.platform.persistence.enabled }}
@@ -56,15 +56,17 @@ spec:
         - name: helm-access-key
           mountPath: /nmaas/.ssh
         env:
+          - name: ENVIRONMENT
+            value: "{{ .Values.platform.properties.environment }}"
           {{- if .Values.postgresql.install }}
           - name: POSTGRESQL_HOST
-            value: {{ .Release.Name }}-postgresql
+            value: {{ .Release.Name }}-postgresql-hl
           - name: POSTGRESQL_DBNAME
-            value: {{ .Values.postgresql.postgresqlDatabase }}
+            value: {{ .Values.postgresql.auth.database }}
           - name: POSTGRESQL_USERNAME
-            value: {{ .Values.postgresql.postgresqlUsername }}
+            value: {{ .Values.postgresql.auth.username }}
           - name: POSTGRESQL_PASSWORD
-            value: {{ .Values.postgresql.postgresqlPassword }}
+            value: {{ .Values.postgresql.auth.password }}
           - name: POSTGRESQL_PORT
             value: "5432"
           {{- else }}
@@ -82,10 +84,6 @@ spec:
           - name: POSTGRESQL_PORT
             value: {{ .Values.platform.properties.postgresql.port | quote }}
           {{- end }}
-          - name: SSO_URL_LOGIN
-            value: {{ .Values.platform.properties.sso.urlLogin | default (printf "https://%s/sso" .Values.global.nmaasDomain) | quote }}
-          - name: SSO_URL_LOGOUT
-            value: {{ .Values.platform.properties.sso.urlLogout | default (printf "https://%s/Shibboleth.sso/Logout" .Values.global.nmaasDomain) | quote }}
           - name: ADMIN_EMAIL
             value: {{ .Values.platform.properties.adminEmail }}
           - name: ADMIN_PASSWORD
@@ -122,15 +120,6 @@ spec:
               secretKeyRef:
                 name: {{ .Values.platform.apiSecret.secret.name }}
                 key: {{ .Values.platform.apiSecret.secret.key }}
-          {{- if .Values.platform.properties.sso.enabled }}
-          - name: SSO_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
-                key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
-          - name: SSO_TIMEOUT
-            value: "{{ .Values.platform.properties.sso.timeout }}"
-          {{- end }}
           - name: SMTP_LOGIN
             value: {{ .Values.platform.properties.smtp.login }}
           - name: SMTP_PASSWORD
@@ -209,8 +198,6 @@ spec:
             value: {{ .Values.platform.properties.k8s.deployment.defaultStorageClass }}
           - name: PORTAL_MAINTENANCE_FLAG
             value: {{ .Values.platform.properties.maintenance | quote }}
-          - name: PORTAL_SSO_ALLOWED_FLAG
-            value: {{ .Values.platform.properties.sso.enabled | quote }}
           - name: PORTAL_TEST_INSTANCE_FLAG
             value: {{ .Values.platform.properties.testInstance | quote }}
           - name: PORTAL_SEND_FAILURE_NOTIF_FLAG
@@ -229,6 +216,31 @@ spec:
             value: {{ .Values.platform.properties.showDomainRegistrationSelector | quote }}
           - name: NAMESPACE_CREATION_ENABLED
             value: {{ .Values.platform.properties.autoNamespaceCreationForDomains | quote }}
+          - name: PORTAL_SSO_ALLOWED_FLAG
+            value: {{ .Values.platform.properties.oidc.enabled | quote }}
+          - name: OIDC_CLIENT_ID
+            value: {{ .Values.platform.properties.oidc.clientId | quote }}
+          - name: OIDC_ISSUER_URI
+            value: {{ .Values.platform.properties.oidc.issuerUri | quote }}
+          - name: MULTI_INSTANCE_DEPLOYMENT
+            value: {{ .Values.platform.properties.multiInstanceSupport | quote }}
+          - name: OIDC_USER_LINKING
+            value: {{ .Values.platform.properties.oidcUserLinking | quote }}
+          - name: OIDC_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.oidc.secretName }}
+                key: {{ .Values.platform.properties.oidc.clientSecret.secret.key }}
+          - name: JWT_SIGNING_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.jwt.secretName }}
+                key: {{ .Values.platform.properties.jwt.signingKey.secret.key }}
+          - name: JWT_RESET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.jwt.secretName }}
+                key: {{ .Values.platform.properties.jwt.resetKey.secret.key }}
       imagePullSecrets:
       - name: {{ .Values.global.registrysecret }}
 {{- end -}}

charts/nmaas/templates/nmaas-platform-serviceaccount.yaml

@@ -2,5 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: true
 metadata:
-  name: nmaas-platform
-
+  name: {{ .Values.platform.serviceAccountName }}

charts/nmaas/templates/nmaas-sp-deployment.yaml

-{{- if .Values.sp.enabled -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Values.sp.name }}
-  labels:
-    app: {{ .Values.sp.name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ .Values.sp.name }}
-  strategy: 
-    type: Recreate
-  replicas: {{ .Values.replicaCount }}
-  template:
-    metadata:
-      labels:
-        app: {{ .Values.sp.name }}
-    spec:
-      containers:
-      - name: {{ .Chart.Name }}
-        image: "{{ .Values.sp.image.repository }}:{{ .Values.sp.image.tag }}"
-        imagePullPolicy: {{ .Values.sp.image.pullPolicy }}
-        ports:
-        - containerPort: {{ .Values.sp.port }}
-          protocol: TCP
-        env:
-          - name: SP_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
-                key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
-          - name: SP_URL
-            {{- if .Values.sp.tls }}
-            value: {{ .Values.sp.host | default (printf "https://%s/" .Values.global.nmaasDomain) | quote}}
-            {{- else }}
-            value: {{ .Values.sp.host | default (printf "http://%s/" .Values.global.nmaasDomain) | quote}}
-            {{- end }}
-          - name: PORTAL_URL
-            value: {{ .Values.sp.properties.portalUrl | default .Values.global.nmaasDomain }}
-          - name: IDP_NAME
-            value: {{ .Values.sp.properties.idp.name }}
-          - name: IDP_URI
-            value: {{ .Values.sp.properties.idp.uri | quote}}
-          - name: SP_HOST
-            value: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-          - name: SP_USED_ID
-            value: {{ .Values.sp.properties.idp.userId | quote }}
-          - name: SP_REMOTE_USER
-            value: {{ .Values.sp.properties.idp.remoteUser | quote }}
-          - name: SP_SSO_ENTITY_ID
-            value: {{ .Values.sp.properties.idp.entityId | quote }}
-          - name: SP_METADATA_URL
-            value: {{ .Values.sp.properties.idp.metadataUrl | quote }}
-      imagePullSecrets:
-      - name: {{ .Values.global.registrysecret }}
-{{- end -}}

charts/nmaas/templates/nmaas-sp-ingress.yaml

-{{- if .Values.sp.enabled -}}
-{{- if .Values.global.createIngressResources -}}
-{{- $kubeVersion := .Capabilities.KubeVersion.GitVersion -}}
-{{- if semverCompare ">=1.19-0" $kubeVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ .Values.global.ingressName }}-sp
-  annotations:
-    {{- if not (semverCompare ">=1.19-0" $kubeVersion) }}
-    kubernetes.io/ingress.class: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
-    {{- end }}
-    nginx.org/mergeable-ingress-type: minion
-    {{- if and .Values.platform.tls .Values.global.acmeIssuer }}
-    kubernetes.io/tls-acme: "true"
-    certmanager.k8s.io/cluster-issuer: {{ .Values.global.issuerName }}
-    {{- end }}
-spec:
-  {{- if $.Values.sp.tls }}
-  tls:
-  - hosts:
-    - {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-    {{- if .Values.global.acmeIssuer }}
-    secretName: {{ .Values.sp.certName | default "nmaas-sp-tls" | quote }}
-    {{- else }}
-    secretName: {{ .Values.sp.certName | default .Values.global.wildcardCertificateName | quote }}
-    {{- end }}
-  {{- end }}
-  {{- if semverCompare ">=1.19-0" $kubeVersion }}
-  ingressClassName: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
-  {{- end }}
-  rules:
-  - host: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-    http:
-      paths:
-      - path: /sso
-        {{- if semverCompare ">=1.19-0" $kubeVersion }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.sp.name }}
-            port:
-              number: {{ .Values.sp.targetPort }}
-        {{- else }}      
-        backend:
-          serviceName: {{ .Values.sp.name }}
-          servicePort: {{ .Values.sp.targetPort }}
-        {{- end }}
-      - path: /Shibboleth.sso
-        {{- if semverCompare ">=1.19-0" $kubeVersion }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.sp.name }}
-            port:
-              number: {{ .Values.sp.targetPort }}
-        {{- else }}      
-        backend:
-          serviceName: {{ .Values.sp.name }}
-          servicePort: {{ .Values.sp.targetPort }}
-        {{- end }}
-{{- end -}}
-{{- end -}}

charts/nmaas/templates/nmaas-sp-secret.yaml

-{{- if .Values.platform.properties.sso.encryptionSecret.literal }}
-apiVersion: v1
-type: Opaque
-kind: Secret
-metadata:
-  name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name | quote }}
-data:
-  {{ .Values.platform.properties.sso.encryptionSecret.secret.key | quote }}: {{ .Values.platform.properties.sso.encryptionSecret.literal | b64enc | quote }}
-{{- end }}
\ No newline at end of file