diff --git a/charts/nmaas/Chart.yaml b/charts/nmaas/Chart.yaml
index c48d9296b9b0757b16d206ad8b48ccd528cad8b4..02d2fc44ccc9e55a2652c53c5a49b5d3d4221467 100644
--- a/charts/nmaas/Chart.yaml
+++ b/charts/nmaas/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: nmaas
 description: GÉANT Network Management as a Service Helm chart for Kubernetes
-version: 1.3.0-alpha.1
+version: 1.3.0-alpha.2
 appVersion: 1.7.0-alfa
 keywords:
 - Network Management
diff --git a/charts/nmaas/templates/nmaas-jwt-secret.yaml b/charts/nmaas/templates/nmaas-jwt-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8f273c7b2913172dec72cb45f77e87f21c8ed2f3
--- /dev/null
+++ b/charts/nmaas/templates/nmaas-jwt-secret.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+ name: {{ .Values.platform.properties.jwt.secretName | quote }}
+data:
+ {{ .Values.platform.properties.jwt.signingKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}
+ {{ .Values.platform.properties.jwt.resetKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.resetKey.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/nmaas/templates/nmaas-oidc-secret.yaml b/charts/nmaas/templates/nmaas-oidc-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e42b885a23e552d2beb1275fe9ae8ad989f689e0
--- /dev/null
+++ b/charts/nmaas/templates/nmaas-oidc-secret.yaml
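Review bot: The guard on the first line of nmaas-jwt-secret.yaml renders the Secret only when both `jwt.signingKey.literal` and `jwt.resetKey.literal` are set, so an operator who supplies just one of them gets no Secret and no error, while nmaas-platform-deployment.yaml references both keys of `jwt.secretName` unconditionally and the platform container then cannot be created for a reason that is hard to trace back to values.yaml. Render on `or` and make each key `required` so the mistake surfaces at template time: `{{- if or .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }}`, and in the data lines `{{ required "jwt.signingKey.literal and jwt.resetKey.literal must both be set" .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}` with the same treatment for resetKey. Since these are long-lived token-signing secrets, a header comment such as `# literal keys end up in the Helm release record; pre-create the Secret in production` would also help operators choose the right path.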
@@ -0,0 +1,9 @@
+{{- if and .Values.platform.properties.oidc.enabled .Values.platform.properties.oidc.clientSecret.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+ name: {{ .Values.platform.properties.oidc.secretName | quote }}
+data:
+ {{ .Values.platform.properties.oidc.clientSecret.secret.key | quote }}: {{ .Values.platform.properties.oidc.clientSecret.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/nmaas/templates/nmaas-platform-deployment.yaml b/charts/nmaas/templates/nmaas-platform-deployment.yaml
index dbbc702aec70272a849cce86e3aad43c30cc0ac0..46a6d347c5d26311bec97795674419d380d5a355 100644
--- a/charts/nmaas/templates/nmaas-platform-deployment.yaml
+++ b/charts/nmaas/templates/nmaas-platform-deployment.yaml
@@ -82,10 +82,6 @@ spec:
 - name: POSTGRESQL_PORT
 value: {{ .Values.platform.properties.postgresql.port | quote }}
 {{- end }}
- - name: SSO_URL_LOGIN
- value: {{ .Values.platform.properties.sso.urlLogin | default (printf "https://%s/sso" .Values.global.nmaasDomain) | quote }}
- - name: SSO_URL_LOGOUT
- value: {{ .Values.platform.properties.sso.urlLogout | default (printf "https://%s/Shibboleth.sso/Logout" .Values.global.nmaasDomain) | quote }}
 - name: ADMIN_EMAIL
 value: {{ .Values.platform.properties.adminEmail }}
 - name: ADMIN_PASSWORD
@@ -122,15 +118,6 @@ spec:
 secretKeyRef:
 name: {{ .Values.platform.apiSecret.secret.name }}
 key: {{ .Values.platform.apiSecret.secret.key }}
- {{- if .Values.platform.properties.sso.enabled }}
- - name: SSO_KEY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
- key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
- - name: SSO_TIMEOUT
- value: "{{ .Values.platform.properties.sso.timeout }}"
- {{- end }}
 - name: SMTP_LOGIN
 value: {{ .Values.platform.properties.smtp.login }}
 - name: SMTP_PASSWORD
@@ -209,8 +196,6 @@ spec:
 value: {{ .Values.platform.properties.k8s.deployment.defaultStorageClass }}
 - name: PORTAL_MAINTENANCE_FLAG
 value: {{ .Values.platform.properties.maintenance | quote }}
- - name: PORTAL_SSO_ALLOWED_FLAG
- value: {{ .Values.platform.properties.sso.enabled | quote }}
 - name: PORTAL_TEST_INSTANCE_FLAG
 value: {{ .Values.platform.properties.testInstance | quote }}
 - name: PORTAL_SEND_FAILURE_NOTIF_FLAG
@@ -229,6 +214,27 @@ spec:
 value: {{ .Values.platform.properties.showDomainRegistrationSelector | quote }}
 - name: NAMESPACE_CREATION_ENABLED
 value: {{ .Values.platform.properties.autoNamespaceCreationForDomains | quote }}
+ - name: PORTAL_SSO_ALLOWED_FLAG
+ value: {{ .Values.platform.properties.oidc.enabled | quote }}
+ - name: OIDC_CLIENT_ID
+ value: {{ .Values.platform.properties.oidc.clientId | quote }}
+ - name: OIDC_ISSUER_URI
+ value: {{ .Values.platform.properties.oidc.issuerUri | quote }}
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.platform.properties.oidc.secretName }}
+ key: {{ .Values.platform.properties.oidc.clientSecret.secret.key }}
+ - name: JWT_SIGNING_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.platform.properties.jwt.secretName }}
+ key: {{ .Values.platform.properties.jwt.signingKey.secret.key }}
+ - name: JWT_RESET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.platform.properties.jwt.secretName }}
+ key: {{ .Values.platform.properties.jwt.resetKey.secret.key }}
 imagePullSecrets:
 - name: {{ .Values.global.registrysecret }}
 {{- end -}}
diff --git a/charts/nmaas/templates/nmaas-sp-deployment.yaml b/charts/nmaas/templates/nmaas-sp-deployment.yaml
deleted file mode 100644
index 674b3ce73e1a9fdd50468f9d50cf361997b19b09..0000000000000000000000000000000000000000
--- a/charts/nmaas/templates/nmaas-sp-deployment.yaml
+++ /dev/null
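Review bot: The new `OIDC_CLIENT_SECRET` entry references Secret `.Values.platform.properties.oidc.secretName` unconditionally, but nmaas-oidc-secret.yaml renders that Secret only when `oidc.enabled` is true (and a literal is given), so with the chart default `oidc.enabled: false` the `secretKeyRef` dangles and the platform container cannot be created unless the operator pre-creates a Secret the application will never use. Gate the OIDC entries the way the removed `SSO_KEY` block was gated on `sso.enabled`: put `{{- if .Values.platform.properties.oidc.enabled }}` before `- name: OIDC_CLIENT_ID` and `{{- end }}` after the `key:` line of `OIDC_CLIENT_SECRET`, leaving `PORTAL_SSO_ALLOWED_FLAG` outside the guard so the portal still receives an explicit false. Marking the reference `optional: true` would also unblock the pod, but it would hide a missing client secret when OIDC is actually enabled, so the template guard is the safer choice. The `secretName` values here are emitted without `| quote`, unlike the neighbouring `value:` lines; harmless for the defaults but worth aligning. The container's env list and the enclosing `{{- if` begin outside this hunk; only the closing `{{- end -}}` is visible.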
@@ -1,60 +0,0 @@ -{{- if .Values.sp.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.sp.name }} - labels: - app: {{ .Values.sp.name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ .Values.sp.name }} - strategy: - type: Recreate - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ .Values.sp.name }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.sp.image.repository }}:{{ .Values.sp.image.tag }}" - imagePullPolicy: {{ .Values.sp.image.pullPolicy }} - ports: - - containerPort: {{ .Values.sp.port }} - protocol: TCP - env: - - name: SP_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }} - key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }} - - name: SP_URL - {{- if .Values.sp.tls }} - value: {{ .Values.sp.host | default (printf "https://%s/" .Values.global.nmaasDomain) | quote}} - {{- else }} - value: {{ .Values.sp.host | default (printf "http://%s/" .Values.global.nmaasDomain) | quote}} - {{- end }} - - name: PORTAL_URL - value: {{ .Values.sp.properties.portalUrl | default .Values.global.nmaasDomain }} - - name: IDP_NAME - value: {{ .Values.sp.properties.idp.name }} - - name: IDP_URI - value: {{ .Values.sp.properties.idp.uri | quote}} - - name: SP_HOST - value: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - - name: SP_USED_ID - value: {{ .Values.sp.properties.idp.userId | quote }} - - name: SP_REMOTE_USER - value: {{ .Values.sp.properties.idp.remoteUser | quote }} - - name: SP_SSO_ENTITY_ID - value: {{ .Values.sp.properties.idp.entityId | quote }} - - name: SP_METADATA_URL - value: {{ .Values.sp.properties.idp.metadataUrl | quote }} - imagePullSecrets: - - name: {{ .Values.global.registrysecret }} -{{- end -}} 
diff --git a/charts/nmaas/templates/nmaas-sp-ingress.yaml b/charts/nmaas/templates/nmaas-sp-ingress.yaml deleted file mode 100644 index 0994cd2be84fe04608d02e6faa6a2075833d977a..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-ingress.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if .Values.sp.enabled -}} -{{- if .Values.global.createIngressResources -}} -{{- $kubeVersion := .Capabilities.KubeVersion.GitVersion -}} -{{- if semverCompare ">=1.19-0" $kubeVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else -}} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ .Values.global.ingressName }}-sp - annotations: - {{- if not (semverCompare ">=1.19-0" $kubeVersion) }} - kubernetes.io/ingress.class: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }} - {{- end }} - nginx.org/mergeable-ingress-type: minion - {{- if and .Values.platform.tls .Values.global.acmeIssuer }} - kubernetes.io/tls-acme: "true" - certmanager.k8s.io/cluster-issuer: {{ .Values.global.issuerName }} - {{- end }} -spec: - {{- if $.Values.sp.tls }} - tls: - - hosts: - - {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - {{- if .Values.global.acmeIssuer }} - secretName: {{ .Values.sp.certName | default "nmaas-sp-tls" | quote }} - {{- else }} - secretName: {{ .Values.sp.certName | default .Values.global.wildcardCertificateName | quote }} - {{- end }} - {{- end }} - {{- if semverCompare ">=1.19-0" $kubeVersion }} - ingressClassName: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }} - {{- end }} - rules: - - host: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - http: - paths: - - path: /sso - {{- if semverCompare ">=1.19-0" $kubeVersion }} - pathType: Prefix - backend: - service: - name: {{ .Values.sp.name }} - port: - number: {{ .Values.sp.targetPort }} - {{- else }} - backend: - serviceName: {{ .Values.sp.name }} - servicePort: {{ .Values.sp.targetPort }} - {{- end }} - - path: /Shibboleth.sso - {{- if semverCompare ">=1.19-0" $kubeVersion }} - pathType: Prefix - backend: - service: - name: {{ .Values.sp.name }} - port: - number: {{ .Values.sp.targetPort }} - {{- else }} - 
backend: - serviceName: {{ .Values.sp.name }} - servicePort: {{ .Values.sp.targetPort }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/nmaas/templates/nmaas-sp-secret.yaml b/charts/nmaas/templates/nmaas-sp-secret.yaml deleted file mode 100644 index 66528a5de33cc50c7116b15d41db9d12536cc03b..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.platform.properties.sso.encryptionSecret.literal }} -apiVersion: v1 -type: Opaque -kind: Secret -metadata: - name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name | quote }} -data: - {{ .Values.platform.properties.sso.encryptionSecret.secret.key | quote }}: {{ .Values.platform.properties.sso.encryptionSecret.literal | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/charts/nmaas/templates/nmaas-sp-service.yaml b/charts/nmaas/templates/nmaas-sp-service.yaml deleted file mode 100644 index c5de651a6e3ddaeb7db7ad8ae9bdfeed4a07c3c4..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.sp.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.sp.name }} - labels: - app: {{ .Values.sp.name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.sp.type }} - ports: - - port: {{ .Values.sp.port }} - targetPort: {{ .Values.sp.targetPort }} - protocol: TCP - selector: - app: {{ .Values.sp.name }} -{{- end -}} diff --git a/charts/nmaas/values.yaml b/charts/nmaas/values.yaml index e4e5106e40efbf0dcb5aeb76e05fcc45c4b7822a..76f493cadb88ae6d3fcb0ad5fb94c7e1fd5d4605 100644 --- a/charts/nmaas/values.yaml +++ b/charts/nmaas/values.yaml 
@@ -101,18 +101,6 @@ platform: showDomainRegistrationSelector: true # -- if true nmaas will automatically create the corresponding Kubernetes namespace for each new domain autoNamespaceCreationForDomains: false - sso: - enabled: false - urlLogin: "" - urlLogout: "" - encryptionSecret: - # -- leave empty to use existing secret specified below - literal: "" - secret: - # -- must be created manually if literal is empty - name: nmaas-sp-secret - key: secret - timeout: 15 adminEmail: admin@example.com # -- only required if an external postgresql instance is used (when postgresql.install is false) postgresql: @@ -126,7 +114,6 @@ platform: secret: name: nmaas-postgresql-secret key: secret - helm: address: nmaas-helm username: helm @@ -180,6 +167,28 @@ platform: key: secret # -- expose Prometheus metrics nmaasMetricsEnabled: true + jwt: + secretName: nmaas-jwt + signingKey: + secret: + key: + # -- leave empty to use existing secret + literal: "" + resetKey: + secret: + key: + # -- leave empty to use existing secret + literal: "" + oidc: + enabled: false + secretName: nmaas-oidc + clientId: "" + issuerUri: "https://auth.example.com/realms/master" + clientSecret: + secret: + key: oidcClientSecret + # -- leave empty to use existing secret + literal: "" portal: enabled: true @@ -240,29 +249,6 @@ postfix: secret: key: smtpPassword -sp: - enabled: false - name: nmaas-sp - image: - repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-sp - tag: "1.6.3" - pullPolicy: Always - ingress: - # -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set - className: '' - port: 443 - targetPort: 80 - type: ClusterIP - tls: true - properties: - idp: - name: edugain - uri: https://login.terena.org/wayf/saml2/idp/metadata.php - userId: uid - remoteUser: email - entityId: https://keycloak.example.com/realms/master - metadataUrl: https://keycloak.example.com/realms/master/protocol/saml/descriptor - helm: enabled: true name: nmaas-helm
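Review bot: `jwt.signingKey.secret.key` and `jwt.resetKey.secret.key` are added as bare `key:` entries (null), yet nmaas-jwt-secret.yaml uses them as the Secret's data keys and nmaas-platform-deployment.yaml as `secretKeyRef.key`; with the defaults and only the literals filled in, the rendered Secret gets an empty data key and the deployment an empty `key:`, which the API server should reject, so the release breaks for the most obvious way of using the new values. Give them distinct defaults in the style of `oidc.clientSecret.secret.key`: `key: jwtSigningKey` and `key: jwtResetKey`. The comments `# -- leave empty to use existing secret` should also name what has to exist, e.g. `# -- leave empty to use an existing Secret named by jwt.secretName that carries both keys`, since the chart no longer documents that requirement anywhere else after the `sso` block was removed.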