Commit e4a94d7a authored by Vojdan Kjorveziroski's avatar Vojdan Kjorveziroski
Add new OIDC properties and remove SP references

parent ade5ef77
1 merge request!12Resolve "Alfa version of the Helm chart for version 1.7.0"
apiVersion: v2
name: nmaas
description: GÉANT Network Management as a Service Helm chart for Kubernetes
version: 1.3.0-alpha.1
version: 1.3.0-alpha.2
appVersion: 1.7.0-alfa
keywords:
- Network Management
{{- if and .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }}
apiVersion: v1
type: Opaque
kind: Secret
metadata:
name: {{ .Values.platform.properties.jwt.secretName | quote }}
data:
{{ .Values.platform.properties.jwt.signingKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}
{{ .Values.platform.properties.jwt.resetKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.resetKey.literal | b64enc | quote }}
{{- end }}
\ No newline at end of file
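Review bot: The guard on the first line requires both `signingKey.literal` and `resetKey.literal`, so an operator who sets only one gets no Secret rendered at all and no error until the platform pod fails with a missing `nmaas-jwt` Secret at runtime. Changing `and` to `or` and wrapping each value in `required`, e.g. `{{ required "jwt.signingKey.literal and jwt.resetKey.literal must be set together" .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}`, turns that into a clear failure at `helm template`/`helm install` time. A header comment is also worth adding, since these presumably are token-signing keys: `# Literal key material is stored in the Helm release Secret and in any committed values file; for production, pre-create a Secret named .Values.platform.properties.jwt.secretName and leave both literals empty.`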
{{- if and .Values.platform.properties.oidc.enabled .Values.platform.properties.oidc.clientSecret.literal }}
apiVersion: v1
type: Opaque
kind: Secret
metadata:
name: {{ .Values.platform.properties.oidc.secretName | quote }}
data:
{{ .Values.platform.properties.oidc.clientSecret.secret.key | quote }}: {{ .Values.platform.properties.oidc.clientSecret.literal | b64enc | quote }}
{{- end }}
\ No newline at end of file
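Review bot: This Secret carries no `labels:` block, unlike the Deployment and Service templates in this chart (`app`/`chart`/`heritage`/`release`), so release-scoped queries such as `kubectl get secret -l release=<name>` will not find it and the generated JWT Secret has the same gap. Add under `metadata` the same `labels:` block, e.g. `chart: {{ .Chart.Name }}-{{ .Chart.Version }}` / `release: {{ .Release.Name }}` / `heritage: {{ .Release.Service }}`. Because the guard is tied to `oidc.enabled`, a comment is also useful: `# Rendered only while OIDC is enabled; disabling OIDC on upgrade removes this Secret, so keep the literal in values or re-create it before re-enabling.`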
......@@ -82,10 +82,6 @@ spec:
- name: POSTGRESQL_PORT
value: {{ .Values.platform.properties.postgresql.port | quote }}
{{- end }}
- name: SSO_URL_LOGIN
value: {{ .Values.platform.properties.sso.urlLogin | default (printf "https://%s/sso" .Values.global.nmaasDomain) | quote }}
- name: SSO_URL_LOGOUT
value: {{ .Values.platform.properties.sso.urlLogout | default (printf "https://%s/Shibboleth.sso/Logout" .Values.global.nmaasDomain) | quote }}
- name: ADMIN_EMAIL
value: {{ .Values.platform.properties.adminEmail }}
- name: ADMIN_PASSWORD
......@@ -122,15 +118,6 @@ spec:
secretKeyRef:
name: {{ .Values.platform.apiSecret.secret.name }}
key: {{ .Values.platform.apiSecret.secret.key }}
{{- if .Values.platform.properties.sso.enabled }}
- name: SSO_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
- name: SSO_TIMEOUT
value: "{{ .Values.platform.properties.sso.timeout }}"
{{- end }}
- name: SMTP_LOGIN
value: {{ .Values.platform.properties.smtp.login }}
- name: SMTP_PASSWORD
......@@ -209,8 +196,6 @@ spec:
value: {{ .Values.platform.properties.k8s.deployment.defaultStorageClass }}
- name: PORTAL_MAINTENANCE_FLAG
value: {{ .Values.platform.properties.maintenance | quote }}
- name: PORTAL_SSO_ALLOWED_FLAG
value: {{ .Values.platform.properties.sso.enabled | quote }}
- name: PORTAL_TEST_INSTANCE_FLAG
value: {{ .Values.platform.properties.testInstance | quote }}
- name: PORTAL_SEND_FAILURE_NOTIF_FLAG
......@@ -229,6 +214,27 @@ spec:
value: {{ .Values.platform.properties.showDomainRegistrationSelector | quote }}
- name: NAMESPACE_CREATION_ENABLED
value: {{ .Values.platform.properties.autoNamespaceCreationForDomains | quote }}
- name: PORTAL_SSO_ALLOWED_FLAG
value: {{ .Values.platform.properties.oidc.enabled | quote }}
- name: OIDC_CLIENT_ID
value: {{ .Values.platform.properties.oidc.clientId | quote }}
- name: OIDC_ISSUER_URI
value: {{ .Values.platform.properties.oidc.issuerUri | quote }}
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.platform.properties.oidc.secretName }}
key: {{ .Values.platform.properties.oidc.clientSecret.secret.key }}
- name: JWT_SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.platform.properties.jwt.secretName }}
key: {{ .Values.platform.properties.jwt.signingKey.secret.key }}
- name: JWT_RESET_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.platform.properties.jwt.secretName }}
key: {{ .Values.platform.properties.jwt.resetKey.secret.key }}
imagePullSecrets:
- name: {{ .Values.global.registrysecret }}
{{- end -}}
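Review bot: The `OIDC_CLIENT_SECRET` entry added after `OIDC_ISSUER_URI` references `.Values.platform.properties.oidc.secretName` unconditionally, but the companion Secret template only renders that Secret when `oidc.enabled` is true and a literal is supplied, and `oidc.enabled` defaults to false — so a default install references a Secret that does not exist and the platform container will sit in CreateContainerConfigError unless the operator pre-creates `nmaas-oidc`. Wrap `OIDC_CLIENT_ID`, `OIDC_ISSUER_URI` and `OIDC_CLIENT_SECRET` in `{{- if .Values.platform.properties.oidc.enabled }}` … `{{- end }}` as the removed `SSO_KEY` block was, leaving `PORTAL_SSO_ALLOWED_FLAG` outside the guard since the application presumably reads it either way; `optional: true` under `secretKeyRef` is a weaker alternative that still passes the placeholder `https://auth.example.com/...` issuer into a live container. Whichever is chosen, note in a comment that the JWT Secret is still required unconditionally: `# JWT_SIGNING_KEY/JWT_RESET_KEY are mandatory; jwt.secretName must exist (pre-created or rendered from literals).` The container's env list and the enclosing Deployment start before the first hunk and continue past the last one.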
{{- if .Values.sp.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.sp.name }}
labels:
app: {{ .Values.sp.name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ .Values.sp.name }}
strategy:
type: Recreate
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: {{ .Values.sp.name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.sp.image.repository }}:{{ .Values.sp.image.tag }}"
imagePullPolicy: {{ .Values.sp.image.pullPolicy }}
ports:
- containerPort: {{ .Values.sp.port }}
protocol: TCP
env:
- name: SP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
- name: SP_URL
{{- if .Values.sp.tls }}
value: {{ .Values.sp.host | default (printf "https://%s/" .Values.global.nmaasDomain) | quote}}
{{- else }}
value: {{ .Values.sp.host | default (printf "http://%s/" .Values.global.nmaasDomain) | quote}}
{{- end }}
- name: PORTAL_URL
value: {{ .Values.sp.properties.portalUrl | default .Values.global.nmaasDomain }}
- name: IDP_NAME
value: {{ .Values.sp.properties.idp.name }}
- name: IDP_URI
value: {{ .Values.sp.properties.idp.uri | quote}}
- name: SP_HOST
value: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
- name: SP_USED_ID
value: {{ .Values.sp.properties.idp.userId | quote }}
- name: SP_REMOTE_USER
value: {{ .Values.sp.properties.idp.remoteUser | quote }}
- name: SP_SSO_ENTITY_ID
value: {{ .Values.sp.properties.idp.entityId | quote }}
- name: SP_METADATA_URL
value: {{ .Values.sp.properties.idp.metadataUrl | quote }}
imagePullSecrets:
- name: {{ .Values.global.registrysecret }}
{{- end -}}
{{- if .Values.sp.enabled -}}
{{- if .Values.global.createIngressResources -}}
{{- $kubeVersion := .Capabilities.KubeVersion.GitVersion -}}
{{- if semverCompare ">=1.19-0" $kubeVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ .Values.global.ingressName }}-sp
annotations:
{{- if not (semverCompare ">=1.19-0" $kubeVersion) }}
kubernetes.io/ingress.class: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
{{- end }}
nginx.org/mergeable-ingress-type: minion
{{- if and .Values.platform.tls .Values.global.acmeIssuer }}
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/cluster-issuer: {{ .Values.global.issuerName }}
{{- end }}
spec:
{{- if $.Values.sp.tls }}
tls:
- hosts:
- {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
{{- if .Values.global.acmeIssuer }}
secretName: {{ .Values.sp.certName | default "nmaas-sp-tls" | quote }}
{{- else }}
secretName: {{ .Values.sp.certName | default .Values.global.wildcardCertificateName | quote }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" $kubeVersion }}
ingressClassName: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
{{- end }}
rules:
- host: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
http:
paths:
- path: /sso
{{- if semverCompare ">=1.19-0" $kubeVersion }}
pathType: Prefix
backend:
service:
name: {{ .Values.sp.name }}
port:
number: {{ .Values.sp.targetPort }}
{{- else }}
backend:
serviceName: {{ .Values.sp.name }}
servicePort: {{ .Values.sp.targetPort }}
{{- end }}
- path: /Shibboleth.sso
{{- if semverCompare ">=1.19-0" $kubeVersion }}
pathType: Prefix
backend:
service:
name: {{ .Values.sp.name }}
port:
number: {{ .Values.sp.targetPort }}
{{- else }}
backend:
serviceName: {{ .Values.sp.name }}
servicePort: {{ .Values.sp.targetPort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- if .Values.platform.properties.sso.encryptionSecret.literal }}
apiVersion: v1
type: Opaque
kind: Secret
metadata:
name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name | quote }}
data:
{{ .Values.platform.properties.sso.encryptionSecret.secret.key | quote }}: {{ .Values.platform.properties.sso.encryptionSecret.literal | b64enc | quote }}
{{- end }}
\ No newline at end of file
{{- if .Values.sp.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.sp.name }}
labels:
app: {{ .Values.sp.name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
type: {{ .Values.sp.type }}
ports:
- port: {{ .Values.sp.port }}
targetPort: {{ .Values.sp.targetPort }}
protocol: TCP
selector:
app: {{ .Values.sp.name }}
{{- end -}}
......@@ -101,18 +101,6 @@ platform:
showDomainRegistrationSelector: true
# -- if true nmaas will automatically create the corresponding Kubernetes namespace for each new domain
autoNamespaceCreationForDomains: false
sso:
enabled: false
urlLogin: ""
urlLogout: ""
encryptionSecret:
# -- leave empty to use existing secret specified below
literal: ""
secret:
# -- must be created manually if literal is empty
name: nmaas-sp-secret
key: secret
timeout: 15
adminEmail: admin@example.com
# -- only required if an external postgresql instance is used (when postgresql.install is false)
postgresql:
......@@ -126,7 +114,6 @@ platform:
secret:
name: nmaas-postgresql-secret
key: secret
helm:
address: nmaas-helm
username: helm
......@@ -180,6 +167,28 @@ platform:
key: secret
# -- expose Prometheus metrics
nmaasMetricsEnabled: true
jwt:
secretName: nmaas-jwt
signingKey:
secret:
key:
# -- leave empty to use existing secret
literal: ""
resetKey:
secret:
key:
# -- leave empty to use existing secret
literal: ""
oidc:
enabled: false
secretName: nmaas-oidc
clientId: ""
issuerUri: "https://auth.example.com/realms/master"
clientSecret:
secret:
key: oidcClientSecret
# -- leave empty to use existing secret
literal: ""
portal:
enabled: true
......@@ -240,29 +249,6 @@ postfix:
secret:
key: smtpPassword
sp:
enabled: false
name: nmaas-sp
image:
repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-sp
tag: "1.6.3"
pullPolicy: Always
ingress:
# -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set
className: ''
port: 443
targetPort: 80
type: ClusterIP
tls: true
properties:
idp:
name: edugain
uri: https://login.terena.org/wayf/saml2/idp/metadata.php
userId: uid
remoteUser: email
entityId: https://keycloak.example.com/realms/master
metadataUrl: https://keycloak.example.com/realms/master/protocol/saml/descriptor
helm:
enabled: true
name: nmaas-helm
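Review bot: In the new `jwt:` stanza, `signingKey.secret.key` and `resetKey.secret.key` are bare `key:` entries (YAML null), so with default values the Secret template renders a `""` data key and the Deployment's `secretKeyRef.key` becomes `""`, both of which the API server rejects; give them defaults consistent with `oidcClientSecret`, e.g. `key: jwtSigningKey` and `key: jwtResetKey`. The `# -- leave empty to use existing secret` comments should say what that Secret must contain, e.g. `# -- if both literals are empty, a Secret named secretName must already exist with entries for signingKey.secret.key and resetKey.secret.key`. Since these keys presumably sign session and password-reset tokens, a comment that a literal value ends up in the Helm release history and in any committed values file would help operators choose the pre-created-Secret path for production.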