diff --git a/.gitignore b/.gitignore index 27ab40446fa88c0286207e30a1cc94c988777c4c..1d5d7383f3d7c450b631339e9370168c9666ac47 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .vscode -build.sh \ No newline at end of file +build.sh +.idea/ \ No newline at end of file diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6dcdfdea0c6cac8d7f54f458c1a5d11b017a4339..07398cd12c823dbcad2932aca2185a210b24bd65 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,7 @@ version-bump-dev: - git checkout master - export MASTER_CHART_VERSION=$(yq e '.version' charts/$CHART_NAME/Chart.yaml) - git checkout $CI_COMMIT_REF_NAME + - git branch --set-upstream-to=origin/$CI_COMMIT_REF_NAME $CI_COMMIT_REF_NAME - git pull - export CURRENT_CHART_VERSION=$(yq e '.version' charts/$CHART_NAME/Chart.yaml) - export CURRENT_DOCKER_IMAGE_VERSION=$(yq e '.platform.image.tag' charts/$CHART_NAME/values.yaml) @@ -78,6 +79,7 @@ helm-lint: - helm repo add nmaas-helm-mirror https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror script: - git checkout $CI_COMMIT_REF_NAME + - git branch --set-upstream-to=origin/$CI_COMMIT_REF_NAME $CI_COMMIT_REF_NAME - git pull - ct lint --all --debug --target-branch master rules: diff --git a/README.md b/README.md index 32837841d833191eebc1d82e5a3f121dafa26d30..6ec1de40305981e77d0c04a0ff9425e7f7399682 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # nmaas -  +  GÉANT Network Management as a Service Helm chart for Kubernetes @@ -14,7 +14,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | Repository | Name | Version | |------------|------|---------| -| https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror | postgresql | 10.16.2 | +| https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror | postgresql | 16.6.0 | ## Values 
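Review bot: The `git pull` that follows the new `git branch --set-upstream-to=origin/$CI_COMMIT_REF_NAME $CI_COMMIT_REF_NAME` line in `version-bump-dev` is a merging pull, so if the runner's checkout has diverged from the remote branch (the preceding `git checkout master` / `git checkout $CI_COMMIT_REF_NAME` steps reuse whatever the job's clone already holds) it would silently create a merge commit in the tree the job then reads chart versions from. `git pull --ff-only` makes that case fail loudly instead of producing a surprise merge. The same pair of lines is duplicated in the `helm-lint` job; a shared `before_script` or a YAML anchor would keep the two from drifting apart. The rest of both scripts is outside this hunk.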
@@ -34,6 +34,8 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | global.nmaasDomain | string | `"nmaas.example.com"` | | | global.registrysecret | string | `"nmaas-registry"` | currently not needed, for future use | | global.wildcardCertificateName | string | `"wildcard-tls"` | | +| helm.clusterRoleBindingName | string | `"nmaas-helm-admin"` | | +| helm.clusterRoleName | string | `"cluster-admin"` | | | helm.enabled | bool | `true` | | | helm.image.pullPolicy | string | `"Always"` | | | helm.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-helm-3"` | | @@ -49,10 +51,12 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | helm.serviceAccountName | string | `"nmaas-helm"` | | | helm.targetPort | int | `22` | | | helm.type | string | `"ClusterIP"` | | +| janitor.clusterRoleBindingName | string | `"nmaas-janitor"` | | +| janitor.clusterRoleName | string | `"janitor-role"` | | | janitor.enabled | bool | `true` | | | janitor.image.pullPolicy | string | `"IfNotPresent"` | | | janitor.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-janitor"` | | -| janitor.image.tag | string | `"1.6.1"` | | +| janitor.image.tag | string | `"1.7.0"` | | | janitor.name | string | `"nmaas-janitor"` | | | janitor.port | int | `5000` | | | janitor.serviceAccountName | string | `"nmaas-janitor"` | | 
@@ -64,15 +68,17 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | platform.apiSecret.literal | string | `""` | leave empty to use existing secret specified below | | platform.apiSecret.secret.key | string | `"secret"` | | | platform.apiSecret.secret.name | string | `"nmaas-api-secret"` | must be created manually if literal is empty | +| platform.clusterRoleBindingName | string | `"nmaas-platform"` | | +| platform.clusterRoleName | string | `"nmaas-shell-role"` | | | platform.enabled | bool | `true` | | | platform.image.pullPolicy | string | `"IfNotPresent"` | | | platform.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-platform"` | | -| platform.image.tag | string | `"1.6.5"` | | +| platform.image.tag | string | `"1.7.0"` | | | platform.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set | | platform.initscripts.enabled | bool | `true` | | | platform.initscripts.image.pullPolicy | string | `"Always"` | | | platform.initscripts.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-platform-populate"` | | -| platform.initscripts.image.tag | string | `"1.6.5"` | | +| platform.initscripts.image.tag | string | `"1.7.0"` | | | platform.livenessProbe.failureThreshold | int | `10` | | | platform.livenessProbe.httpGet.path | string | `"/actuator/health"` | | | platform.livenessProbe.httpGet.port | int | `9001` | | 
@@ -93,6 +99,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | platform.properties.captchaSecret.secret.key | string | `"secret"` | | | platform.properties.captchaSecret.secret.name | string | `"nmaas-captcha-secret-secret"` | | | platform.properties.defaultLanguage | string | `"en"` | | +| platform.properties.environment | string | `"prod"` | | | platform.properties.helm.address | string | `"nmaas-helm"` | | | platform.properties.helm.asyncUpdateCron | string | `"0 0 * * * ?"` | | | platform.properties.helm.asyncUpdateEnabled | bool | `true` | | @@ -103,6 +110,11 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | platform.properties.helm.useLocalCharts | bool | `false` | | | platform.properties.helm.username | string | `"helm"` | | | platform.properties.helm.version | string | `"v3"` | | +| platform.properties.jwt.resetKey.literal | string | `""` | leave empty to use existing secret, length at least 96 characters | +| platform.properties.jwt.resetKey.secret.key | string | `"jwtResetKey"` | | +| platform.properties.jwt.secretName | string | `"nmaas-jwt"` | | +| platform.properties.jwt.signingKey.literal | string | `""` | leave empty to use existing secret, length at least 96 characters | +| platform.properties.jwt.signingKey.secret.key | string | `"jwtSigningKey"` | | | platform.properties.k8s.deployment.defaultNamespace | string | `"default"` | parameter used only if USE_DEFAULT_NAMESPACE option is set | | platform.properties.k8s.deployment.defaultStorageClass | string | `nil` | should be left blank if default storage class was defined defined at cluster should be used | | platform.properties.k8s.deployment.namespaceConfigOption | string | `"USE_DOMAIN_NAMESPACE"` | two options possible: USE_DOMAIN_NAMESPACE or USE_DEFAULT_NAMESPACE | 
@@ -116,7 +128,15 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | platform.properties.k8s.ingress.controller.publicServiceDomain | string | `"public.nmaas.example.com"` | base FQDN for deployed user applications exposed publicly (e.g. public.nmaas.example.com) | | platform.properties.k8s.ingress.controller.tlsSupported | bool | `true` | flag indicating if ingress controller(s) support TLS | | platform.properties.maintenance | bool | `false` | | +| platform.properties.multiInstanceSupport | bool | `false` | | | platform.properties.nmaasMetricsEnabled | bool | `true` | expose Prometheus metrics | +| platform.properties.oidc.clientId | string | `""` | | +| platform.properties.oidc.clientSecret.literal | string | `""` | leave empty to use existing secret | +| platform.properties.oidc.clientSecret.secret.key | string | `"oidcClientSecret"` | | +| platform.properties.oidc.enabled | bool | `false` | | +| platform.properties.oidc.issuerUri | string | `"https://auth.example.com/realms/master"` | | +| platform.properties.oidc.secretName | string | `"nmaas-oidc"` | | +| platform.properties.oidcUserLinking | bool | `true` | | | platform.properties.postgresql | object | `{"database":"nmaas","hostname":"nmaas-postgresql","password":{"literal":"","secret":{"key":"secret","name":"nmaas-postgresql-secret"}},"port":5432,"username":"nmaas"}` | only required if an external postgresql instance is used (when postgresql.install is false) | | platform.properties.postgresql.password.literal | string | `""` | leave empty to use existing secret specified below | | platform.properties.sendAppInstanceFailureEmails | bool | `false` | | 
@@ -129,19 +149,13 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | platform.properties.smtp.defaultDomain | string | `"example.com"` | exposed as SMTP_FROM_DEFAULT_DOMAIN in global deployment parameters | | platform.properties.smtp.from | string | `""` | override default SMTP from value | | platform.properties.smtp.host | string | `"nmaas-postfix"` | | -| platform.properties.sso.enabled | bool | `false` | | -| platform.properties.sso.encryptionSecret.literal | string | `""` | leave empty to use existing secret specified below | -| platform.properties.sso.encryptionSecret.secret.key | string | `"secret"` | | -| platform.properties.sso.encryptionSecret.secret.name | string | `"nmaas-sp-secret"` | must be created manually if literal is empty | -| platform.properties.sso.timeout | int | `15` | | -| platform.properties.sso.urlLogin | string | `""` | | -| platform.properties.sso.urlLogout | string | `""` | | | platform.properties.testInstance | bool | `false` | | | platform.readinessProbe.failureThreshold | int | `10` | | | platform.readinessProbe.httpGet.path | string | `"/actuator/health"` | | | platform.readinessProbe.httpGet.port | int | `9001` | | | platform.readinessProbe.periodSeconds | int | `15` | | | platform.readinessProbe.timeoutSeconds | int | `10` | | +| platform.serviceAccountName | string | `"nmaas-platform"` | | | platform.startupProbe.failureThreshold | int | `30` | | | platform.startupProbe.httpGet.path | string | `"/actuator/health"` | | | platform.startupProbe.httpGet.port | int | `9001` | | 
@@ -153,7 +167,7 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | portal.enabled | bool | `true` | | | portal.image.pullPolicy | string | `"IfNotPresent"` | | | portal.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-portal"` | | -| portal.image.tag | string | `"1.6.5"` | | +| portal.image.tag | string | `"1.7.0"` | | | portal.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set | | portal.name | string | `"nmaas-portal"` | | | portal.port | int | `9009` | | 
@@ -177,24 +191,8 @@ GÉANT Network Management as a Service Helm chart for Kubernetes | postfix.properties.smtp.password.literal | string | `""` | leave empty to use existing secret | | postfix.properties.smtp.username.literal | string | `""` | leave empty to use existing secret | | postfix.type | string | `"ClusterIP"` | | -| postgresql | object | `{"install":true,"persistence":{"enabled":true,"size":"8Gi"},"postgresqlDatabase":"nmaas","postgresqlPassword":"nmaas","postgresqlUsername":"nmaas"}` | settings for in-cluster postgresql | +| postgresql | object | `{"auth":{"database":"nmaas","password":"nmaas","postgresPassword":"nmaas","username":"nmaas"},"install":true,"primary":{"networkPolicy":{"enabled":false},"persistence":{"enabled":true,"size":"8Gi"}}}` | settings for in-cluster postgresql | | replicaCount | int | `1` | | -| sp.enabled | bool | `false` | | -| sp.image.pullPolicy | string | `"Always"` | | -| sp.image.repository | string | `"artifactory.software.geant.org/nmaas-docker-local/nmaas-sp"` | | -| sp.image.tag | string | `"1.6.3"` | | -| sp.ingress.className | string | `""` | defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set | -| sp.name | string | `"nmaas-sp"` | | -| sp.port | int | `443` | | -| sp.properties.idp.entityId | string | `"https://keycloak.example.com/realms/master"` | | -| sp.properties.idp.metadataUrl | string | `"https://keycloak.example.com/realms/master/protocol/saml/descriptor"` | | -| sp.properties.idp.name | string | `"edugain"` | | -| sp.properties.idp.remoteUser | string | `"email"` | | -| sp.properties.idp.uri | string | `"https://login.terena.org/wayf/saml2/idp/metadata.php"` | | -| sp.properties.idp.userId | string | `"uid"` | | -| sp.targetPort | int | `80` | | -| sp.tls | bool | `true` | | -| sp.type | string | `"ClusterIP"` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) 
diff --git a/charts/nmaas/Chart.lock b/charts/nmaas/Chart.lock index f72725165fa74a12bd71c4c918e911c92ed118b7..3e911db7de98ffe7446e9a3affd2ee5b299104c3 100644 --- a/charts/nmaas/Chart.lock +++ b/charts/nmaas/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql repository: https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror - version: 10.16.2 -digest: sha256:94a23914d811a636356a9ee47d6910c3159225b69aef93bc4d9d56a1055b28a5 -generated: "2022-08-30T08:59:05.078630031+02:00" + version: 16.6.0 +digest: sha256:be748404e3b45e51a557c0406375f43a84aa32be35cf20c01cce266736bc2039 +generated: "2025-04-04T14:41:38.829381998+02:00" diff --git a/charts/nmaas/Chart.yaml b/charts/nmaas/Chart.yaml index db8671a279eb4c9e8fe68b86a3995897e74311e2..69476e80045a4b6a36398368d35e441aaf067c41 100644 --- a/charts/nmaas/Chart.yaml +++ b/charts/nmaas/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: nmaas description: GÉANT Network Management as a Service Helm chart for Kubernetes -version: 1.2.17 -appVersion: 1.6.5 +version: 2.0.0-1 +appVersion: 1.7.0 keywords: - Network Management - Cloud Deployment @@ -13,6 +13,6 @@ maintainers: url: https://docs.nmaas.eu dependencies: - name: postgresql - version: 10.16.2 + version: 16.6.0 repository: https://artifactory.software.geant.org/artifactory/nmaas-helm-mirror condition: postgresql.install diff --git a/charts/nmaas/charts/bitnami-postgresql-10.16.2.tgz b/charts/nmaas/charts/bitnami-postgresql-10.16.2.tgz deleted file mode 100644 index d3a6d0f8f51e3f5ef0fdfa10b3205e922b5fcea8..0000000000000000000000000000000000000000 Binary files a/charts/nmaas/charts/bitnami-postgresql-10.16.2.tgz and /dev/null differ diff --git a/charts/nmaas/charts/postgresql-16.6.0.tgz b/charts/nmaas/charts/postgresql-16.6.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..865acadee30f59e1a872f84f12eaeae096f457aa Binary files /dev/null and b/charts/nmaas/charts/postgresql-16.6.0.tgz differ 
diff --git a/charts/nmaas/templates/nmaas-helm-clusterRoleBinding.yaml b/charts/nmaas/templates/nmaas-helm-clusterRoleBinding.yaml index adc274220ce84a18ea11e2df49537f23647c87a0..e92642b77159ab30d95f82a2ead20a2d9f0f915f 100644 --- a/charts/nmaas/templates/nmaas-helm-clusterRoleBinding.yaml +++ b/charts/nmaas/templates/nmaas-helm-clusterRoleBinding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: nmaas-helm-admin + name: {{ .Values.helm.clusterRoleBindingName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: {{ .Values.helm.clusterRoleName }} subjects: - kind: ServiceAccount name: {{ .Values.helm.serviceAccountName }} diff --git a/charts/nmaas/templates/nmaas-janitor-clusterRole.yaml b/charts/nmaas/templates/nmaas-janitor-clusterRole.yaml index 44632bc2eb26d488ae57f36abd52500024c6d78a..d91245ce8da25639e5948567728bf956465ddd75 100644 --- a/charts/nmaas/templates/nmaas-janitor-clusterRole.yaml +++ b/charts/nmaas/templates/nmaas-janitor-clusterRole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: janitor-role + name: {{ .Values.janitor.clusterRoleName }} rules: - apiGroups: [""] resources: ["configmaps", "secrets", "namespaces"] diff --git a/charts/nmaas/templates/nmaas-janitor-clusterRoleBinding.yaml b/charts/nmaas/templates/nmaas-janitor-clusterRoleBinding.yaml index d01e15e3e8370e43e17b0efbf50ab0aa896ca68f..682cfe11530b75f72117f5cf38144b196cf6da14 100644 --- a/charts/nmaas/templates/nmaas-janitor-clusterRoleBinding.yaml +++ b/charts/nmaas/templates/nmaas-janitor-clusterRoleBinding.yaml 
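Review bot: Parameterizing `roleRef.name` through `helm.clusterRoleName` keeps the shipped default at `cluster-admin`, so the `nmaas-helm` service account still receives unrestricted cluster-wide access out of the box; that should be stated next to the value so an operator knows to scope it down. `roleRef` on a ClusterRoleBinding is immutable in the Kubernetes API, so changing `helm.clusterRoleName` on an already-installed release makes `helm upgrade` fail until the old binding is deleted or `helm.clusterRoleBindingName` is changed as well. A values.yaml comment such as `# -- ClusterRole bound to the helm service account; cluster-admin by default, scope down where possible. roleRef is immutable, so changing this requires recreating the binding` would capture both points. The template also renders `name: null` if the value is set empty; `{{ required "helm.clusterRoleName must be set" .Values.helm.clusterRoleName }}` fails the render instead of producing an invalid binding.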
@@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: nmaas-janitor + name: {{ .Values.janitor.clusterRoleBindingName }} subjects: - kind: ServiceAccount - name: nmaas-janitor + name: {{ .Values.janitor.serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: janitor-role + name: {{ .Values.janitor.clusterRoleName }} apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/nmaas/templates/nmaas-janitor-serviceAccount.yaml b/charts/nmaas/templates/nmaas-janitor-serviceAccount.yaml index b6f4ddb777f90d213711f2cc44b4276b2db1cf29..ea512b66306b36decc2b52f0d2f72795cabac068 100644 --- a/charts/nmaas/templates/nmaas-janitor-serviceAccount.yaml +++ b/charts/nmaas/templates/nmaas-janitor-serviceAccount.yaml @@ -2,4 +2,4 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: true metadata: - name: nmaas-janitor \ No newline at end of file + name: {{ .Values.janitor.serviceAccountName }} \ No newline at end of file diff --git a/charts/nmaas/templates/nmaas-jwt-secret.yaml b/charts/nmaas/templates/nmaas-jwt-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8f273c7b2913172dec72cb45f77e87f21c8ed2f3 --- /dev/null +++ b/charts/nmaas/templates/nmaas-jwt-secret.yaml @@ -0,0 +1,10 @@ +{{- if and .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }} +apiVersion: v1 +type: Opaque +kind: Secret +metadata: + name: {{ .Values.platform.properties.jwt.secretName | quote }} +data: + {{ .Values.platform.properties.jwt.signingKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }} + {{ .Values.platform.properties.jwt.resetKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.resetKey.literal | b64enc | quote }} +{{- end }} \ No newline at end of file 
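Review bot: The new `nmaas-jwt-secret.yaml` guard `if and .signingKey.literal .resetKey.literal` silently renders nothing when only one of the two literals is set, so an operator who fills in `signingKey.literal` but leaves `resetKey.literal` empty gets no Secret at all and a platform pod that cannot start, with no hint from `helm install` about why. The "length at least 96 characters" requirement documented in values.yaml is also not enforced anywhere. Replacing the guard with an explicit validation that calls `fail` on a half-configured or too-short pair turns both mistakes into a render-time error; the Secret body itself stays as written.

```yaml
{{- $jwt := .Values.platform.properties.jwt }}
{{- if or $jwt.signingKey.literal $jwt.resetKey.literal }}
{{- if or (lt (len $jwt.signingKey.literal) 96) (lt (len $jwt.resetKey.literal) 96) }}
{{- fail "platform.properties.jwt: signingKey.literal and resetKey.literal must both be set and be at least 96 characters long" }}
{{- end }}
# … unchanged: Secret with the signingKey and resetKey data entries …
{{- end }}
```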
diff --git a/charts/nmaas/templates/nmaas-oidc-secret.yaml b/charts/nmaas/templates/nmaas-oidc-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e42b885a23e552d2beb1275fe9ae8ad989f689e0 --- /dev/null +++ b/charts/nmaas/templates/nmaas-oidc-secret.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.platform.properties.oidc.enabled .Values.platform.properties.oidc.clientSecret.literal }} +apiVersion: v1 +type: Opaque +kind: Secret +metadata: + name: {{ .Values.platform.properties.oidc.secretName | quote }} +data: + {{ .Values.platform.properties.oidc.clientSecret.secret.key | quote }}: {{ .Values.platform.properties.oidc.clientSecret.literal | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/nmaas/templates/nmaas-platform-clusterRole.yaml b/charts/nmaas/templates/nmaas-platform-clusterRole.yaml index 18fb6ed350a4924985812f709c326edfffd261e9..790a32e7458d03e659390543d2ca27668658ccc4 100644 --- a/charts/nmaas/templates/nmaas-platform-clusterRole.yaml +++ b/charts/nmaas/templates/nmaas-platform-clusterRole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: nmaas-shell-role + name: {{ .Values.platform.clusterRoleName }} rules: - apiGroups: [""] resources: ["pods"] @@ -9,4 +9,3 @@ rules: - apiGroups: [""] resources: ["pods/exec"] verbs: ["create", "get", "watch"] - diff --git a/charts/nmaas/templates/nmaas-platform-clusterRoleBinding.yaml b/charts/nmaas/templates/nmaas-platform-clusterRoleBinding.yaml index 094fb50bdbd75907c3830c674c19f4efc8467b5a..3f1eecf303b781102748a915c44f84b1e870e8fc 100644 --- a/charts/nmaas/templates/nmaas-platform-clusterRoleBinding.yaml +++ b/charts/nmaas/templates/nmaas-platform-clusterRoleBinding.yaml 
@@ -1,13 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: nmaas-platform + name: {{ .Values.platform.clusterRoleBindingName }} subjects: - kind: ServiceAccount - name: nmaas-platform + name: {{ .Values.platform.serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: nmaas-shell-role + name: {{ .Values.platform.clusterRoleName }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/nmaas/templates/nmaas-platform-deployment.yaml b/charts/nmaas/templates/nmaas-platform-deployment.yaml index dbbc702aec70272a849cce86e3aad43c30cc0ac0..59be106caabcb4c2ff9f62a59b6439a5170e3333 100644 --- a/charts/nmaas/templates/nmaas-platform-deployment.yaml +++ b/charts/nmaas/templates/nmaas-platform-deployment.yaml @@ -21,7 +21,7 @@ spec: labels: app: {{ .Values.platform.name }} spec: - serviceAccount: nmaas-platform + serviceAccount: {{ .Values.platform.serviceAccountName }} volumes: - name: platform-data {{- if .Values.platform.persistence.enabled }} @@ -56,15 +56,17 @@ spec: - name: helm-access-key mountPath: /nmaas/.ssh env: + - name: ENVIRONMENT + value: "{{ .Values.platform.properties.environment }}" {{- if .Values.postgresql.install }} - name: POSTGRESQL_HOST - value: {{ .Release.Name }}-postgresql + value: {{ .Release.Name }}-postgresql-hl - name: POSTGRESQL_DBNAME - value: {{ .Values.postgresql.postgresqlDatabase }} + value: {{ .Values.postgresql.auth.database }} - name: POSTGRESQL_USERNAME - value: {{ .Values.postgresql.postgresqlUsername }} + value: {{ .Values.postgresql.auth.username }} - name: POSTGRESQL_PASSWORD - value: {{ .Values.postgresql.postgresqlPassword }} + value: {{ .Values.postgresql.auth.password }} - name: POSTGRESQL_PORT value: "5432" {{- else }} 
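Review bot: In the in-cluster branch of the platform Deployment, `POSTGRESQL_PASSWORD` is still rendered as a plain `value: {{ .Values.postgresql.auth.password }}`, so the database credential lands in the Deployment spec (visible to anyone who can read deployments or pods in the namespace, and in `helm get values`) rather than only in a Secret. The bundled Bitnami chart already stores `auth.password` in a Secret — in the chart versions I know it is named `<release>-postgresql` with key `password`; verify against the vendored 16.6.0 chart — so the env var can read it with `valueFrom.secretKeyRef` instead. The neighbouring `value:` lines for database and username are unquoted and should get `| quote` so a numeric or boolean-looking override is not retyped by YAML. The change of `POSTGRESQL_HOST` to the `-hl` headless service also deserves a one-line comment on why the headless endpoint is preferred over the ClusterIP service.

```yaml
- name: POSTGRESQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Release.Name }}-postgresql
      key: password
# … unchanged: POSTGRESQL_HOST / POSTGRESQL_DBNAME / POSTGRESQL_USERNAME / POSTGRESQL_PORT …
```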
@@ -82,10 +84,6 @@ spec: - name: POSTGRESQL_PORT value: {{ .Values.platform.properties.postgresql.port | quote }} {{- end }} - - name: SSO_URL_LOGIN - value: {{ .Values.platform.properties.sso.urlLogin | default (printf "https://%s/sso" .Values.global.nmaasDomain) | quote }} - - name: SSO_URL_LOGOUT - value: {{ .Values.platform.properties.sso.urlLogout | default (printf "https://%s/Shibboleth.sso/Logout" .Values.global.nmaasDomain) | quote }} - name: ADMIN_EMAIL value: {{ .Values.platform.properties.adminEmail }} - name: ADMIN_PASSWORD @@ -122,15 +120,6 @@ spec: secretKeyRef: name: {{ .Values.platform.apiSecret.secret.name }} key: {{ .Values.platform.apiSecret.secret.key }} - {{- if .Values.platform.properties.sso.enabled }} - - name: SSO_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }} - key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }} - - name: SSO_TIMEOUT - value: "{{ .Values.platform.properties.sso.timeout }}" - {{- end }} - name: SMTP_LOGIN value: {{ .Values.platform.properties.smtp.login }} - name: SMTP_PASSWORD @@ -209,8 +198,6 @@ spec: value: {{ .Values.platform.properties.k8s.deployment.defaultStorageClass }} - name: PORTAL_MAINTENANCE_FLAG value: {{ .Values.platform.properties.maintenance | quote }} - - name: PORTAL_SSO_ALLOWED_FLAG - value: {{ .Values.platform.properties.sso.enabled | quote }} - name: PORTAL_TEST_INSTANCE_FLAG value: {{ .Values.platform.properties.testInstance | quote }} - name: PORTAL_SEND_FAILURE_NOTIF_FLAG 
@@ -229,6 +216,31 @@ spec: value: {{ .Values.platform.properties.showDomainRegistrationSelector | quote }} - name: NAMESPACE_CREATION_ENABLED value: {{ .Values.platform.properties.autoNamespaceCreationForDomains | quote }} + - name: PORTAL_SSO_ALLOWED_FLAG + value: {{ .Values.platform.properties.oidc.enabled | quote }} + - name: OIDC_CLIENT_ID + value: {{ .Values.platform.properties.oidc.clientId | quote }} + - name: OIDC_ISSUER_URI + value: {{ .Values.platform.properties.oidc.issuerUri | quote }} + - name: MULTI_INSTANCE_DEPLOYMENT + value: {{ .Values.platform.properties.multiInstanceSupport | quote }} + - name: OIDC_USER_LINKING + value: {{ .Values.platform.properties.oidcUserLinking | quote }} + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.platform.properties.oidc.secretName }} + key: {{ .Values.platform.properties.oidc.clientSecret.secret.key }} + - name: JWT_SIGNING_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.platform.properties.jwt.secretName }} + key: {{ .Values.platform.properties.jwt.signingKey.secret.key }} + - name: JWT_RESET_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.platform.properties.jwt.secretName }} + key: {{ .Values.platform.properties.jwt.resetKey.secret.key }} imagePullSecrets: - name: {{ .Values.global.registrysecret }} {{- end -}} diff --git a/charts/nmaas/templates/nmaas-platform-serviceaccount.yaml b/charts/nmaas/templates/nmaas-platform-serviceaccount.yaml index 8aa1d05d2c61d36894291dc110f3a0b9601f0297..d9a62337d72db22e55fb3fd3396282a177aec677 100644 --- a/charts/nmaas/templates/nmaas-platform-serviceaccount.yaml +++ b/charts/nmaas/templates/nmaas-platform-serviceaccount.yaml @@ -2,5 +2,4 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: true metadata: - name: nmaas-platform - + name: {{ .Values.platform.serviceAccountName }} 
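Review bot: `OIDC_CLIENT_SECRET` is read from the `nmaas-oidc` Secret unconditionally, but `nmaas-oidc-secret.yaml` only renders that Secret when `oidc.enabled` is true and a literal is given; with the shipped default `oidc.enabled: false` no such Secret exists, so a fresh install leaves the platform pod in CreateContainerConfigError unless the operator creates `nmaas-oidc` by hand. Either gate the entry on the same flag — `{{- if .Values.platform.properties.oidc.enabled }}` before `- name: OIDC_CLIENT_SECRET` and `{{- end }}` after its `key:` line — or add `optional: true` inside that `secretKeyRef`. The `JWT_SIGNING_KEY` / `JWT_RESET_KEY` references have the same shape: the `nmaas-jwt` Secret is only templated when both literals are set, so a comment next to `platform.properties.jwt.secretName` should say the Secret must otherwise be pre-created with both keys. The enclosing container spec starts before this hunk.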
diff --git a/charts/nmaas/templates/nmaas-sp-deployment.yaml b/charts/nmaas/templates/nmaas-sp-deployment.yaml deleted file mode 100644 index 674b3ce73e1a9fdd50468f9d50cf361997b19b09..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-deployment.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- if .Values.sp.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.sp.name }} - labels: - app: {{ .Values.sp.name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ .Values.sp.name }} - strategy: - type: Recreate - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ .Values.sp.name }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.sp.image.repository }}:{{ .Values.sp.image.tag }}" - imagePullPolicy: {{ .Values.sp.image.pullPolicy }} - ports: - - containerPort: {{ .Values.sp.port }} - protocol: TCP - env: - - name: SP_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }} - key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }} - - name: SP_URL - {{- if .Values.sp.tls }} - value: {{ .Values.sp.host | default (printf "https://%s/" .Values.global.nmaasDomain) | quote}} - {{- else }} - value: {{ .Values.sp.host | default (printf "http://%s/" .Values.global.nmaasDomain) | quote}} - {{- end }} - - name: PORTAL_URL - value: {{ .Values.sp.properties.portalUrl | default .Values.global.nmaasDomain }} - - name: IDP_NAME - value: {{ .Values.sp.properties.idp.name }} - - name: IDP_URI - value: {{ .Values.sp.properties.idp.uri | quote}} - - name: SP_HOST - value: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - - name: SP_USED_ID - value: {{ .Values.sp.properties.idp.userId | quote }} - - name: SP_REMOTE_USER - value: {{ .Values.sp.properties.idp.remoteUser | quote }} - - name: SP_SSO_ENTITY_ID - value: {{ .Values.sp.properties.idp.entityId | quote }} - - name: SP_METADATA_URL - value: {{ .Values.sp.properties.idp.metadataUrl | quote }} - imagePullSecrets: - - name: {{ .Values.global.registrysecret }} -{{- end -}} 
diff --git a/charts/nmaas/templates/nmaas-sp-ingress.yaml b/charts/nmaas/templates/nmaas-sp-ingress.yaml deleted file mode 100644 index 0994cd2be84fe04608d02e6faa6a2075833d977a..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-ingress.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if .Values.sp.enabled -}} -{{- if .Values.global.createIngressResources -}} -{{- $kubeVersion := .Capabilities.KubeVersion.GitVersion -}} -{{- if semverCompare ">=1.19-0" $kubeVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else -}} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ .Values.global.ingressName }}-sp - annotations: - {{- if not (semverCompare ">=1.19-0" $kubeVersion) }} - kubernetes.io/ingress.class: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }} - {{- end }} - nginx.org/mergeable-ingress-type: minion - {{- if and .Values.platform.tls .Values.global.acmeIssuer }} - kubernetes.io/tls-acme: "true" - certmanager.k8s.io/cluster-issuer: {{ .Values.global.issuerName }} - {{- end }} -spec: - {{- if $.Values.sp.tls }} - tls: - - hosts: - - {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - {{- if .Values.global.acmeIssuer }} - secretName: {{ .Values.sp.certName | default "nmaas-sp-tls" | quote }} - {{- else }} - secretName: {{ .Values.sp.certName | default .Values.global.wildcardCertificateName | quote }} - {{- end }} - {{- end }} - {{- if semverCompare ">=1.19-0" $kubeVersion }} - ingressClassName: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }} - {{- end }} - rules: - - host: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }} - http: - paths: - - path: /sso - {{- if semverCompare ">=1.19-0" $kubeVersion }} - pathType: Prefix - backend: - service: - name: {{ .Values.sp.name }} - port: - number: {{ .Values.sp.targetPort }} - {{- else }} - backend: - serviceName: {{ .Values.sp.name }} - servicePort: {{ .Values.sp.targetPort }} - {{- end }} - - path: /Shibboleth.sso - {{- if semverCompare ">=1.19-0" $kubeVersion }} - pathType: Prefix - backend: - service: - name: {{ .Values.sp.name }} - port: - number: {{ .Values.sp.targetPort }} - {{- else }} - 
backend: - serviceName: {{ .Values.sp.name }} - servicePort: {{ .Values.sp.targetPort }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/nmaas/templates/nmaas-sp-secret.yaml b/charts/nmaas/templates/nmaas-sp-secret.yaml deleted file mode 100644 index 66528a5de33cc50c7116b15d41db9d12536cc03b..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.platform.properties.sso.encryptionSecret.literal }} -apiVersion: v1 -type: Opaque -kind: Secret -metadata: - name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name | quote }} -data: - {{ .Values.platform.properties.sso.encryptionSecret.secret.key | quote }}: {{ .Values.platform.properties.sso.encryptionSecret.literal | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/charts/nmaas/templates/nmaas-sp-service.yaml b/charts/nmaas/templates/nmaas-sp-service.yaml deleted file mode 100644 index c5de651a6e3ddaeb7db7ad8ae9bdfeed4a07c3c4..0000000000000000000000000000000000000000 --- a/charts/nmaas/templates/nmaas-sp-service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.sp.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.sp.name }} - labels: - app: {{ .Values.sp.name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.sp.type }} - ports: - - port: {{ .Values.sp.port }} - targetPort: {{ .Values.sp.targetPort }} - protocol: TCP - selector: - app: {{ .Values.sp.name }} -{{- end -}} diff --git a/charts/nmaas/values.yaml b/charts/nmaas/values.yaml index c03e7ad7d150e6c2b8187daa472df95d6472db72..947a8ac8d1a36d69447d85b34664b4c757ef7a62 100644 --- a/charts/nmaas/values.yaml +++ b/charts/nmaas/values.yaml 
@@ -25,6 +25,9 @@ global: platform: enabled: true name: nmaas-platform + serviceAccountName: nmaas-platform + clusterRoleName: nmaas-shell-role + clusterRoleBindingName: nmaas-platform ingress: # -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set className: '' @@ -58,7 +61,7 @@ platform: timeoutSeconds: 10 image: repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-platform - tag: "1.6.5" + tag: "1.7.0" pullPolicy: IfNotPresent port: 9001 targetPort: 9001 @@ -82,11 +85,14 @@ platform: enabled: true image: repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-platform-populate - tag: "1.6.5" + tag: "1.7.0" pullPolicy: Always properties: + oidcUserLinking: true + multiInstanceSupport: false maintenance: false testInstance: false + environment: prod defaultLanguage: en serviceDeploymentCheckInterval: 10 serviceDeploymentCheckTimeout: 600 @@ -101,18 +107,6 @@ platform: showDomainRegistrationSelector: true # -- if true nmaas will automatically create the corresponding Kubernetes namespace for each new domain autoNamespaceCreationForDomains: false - sso: - enabled: false - urlLogin: "" - urlLogout: "" - encryptionSecret: - # -- leave empty to use existing secret specified below - literal: "" - secret: - # -- must be created manually if literal is empty - name: nmaas-sp-secret - key: secret - timeout: 15 adminEmail: admin@example.com # -- only required if an external postgresql instance is used (when postgresql.install is false) postgresql: @@ -126,7 +120,6 @@ platform: secret: name: nmaas-postgresql-secret key: secret - helm: address: nmaas-helm username: helm 
@@ -180,13 +173,35 @@ platform: key: secret # -- expose Prometheus metrics nmaasMetricsEnabled: true + jwt: + secretName: nmaas-jwt + signingKey: + secret: + key: jwtSigningKey + # -- leave empty to use existing secret, length at least 96 characters + literal: "" + resetKey: + secret: + key: jwtResetKey + # -- leave empty to use existing secret, length at least 96 characters + literal: "" + oidc: + enabled: false + secretName: nmaas-oidc + clientId: "" + issuerUri: "https://auth.example.com/realms/master" + clientSecret: + secret: + key: oidcClientSecret + # -- leave empty to use existing secret + literal: "" portal: enabled: true name: nmaas-portal image: repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-portal - tag: "1.6.5" + tag: "1.7.0" pullPolicy: IfNotPresent ingress: # -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set @@ -240,33 +255,12 @@ postfix: secret: key: smtpPassword -sp: - enabled: false - name: nmaas-sp - image: - repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-sp - tag: "1.6.3" - pullPolicy: Always - ingress: - # -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set - className: '' - port: 443 - targetPort: 80 - type: ClusterIP - tls: true - properties: - idp: - name: edugain - uri: https://login.terena.org/wayf/saml2/idp/metadata.php - userId: uid - remoteUser: email - entityId: https://keycloak.example.com/realms/master - metadataUrl: https://keycloak.example.com/realms/master/protocol/saml/descriptor - helm: enabled: true name: nmaas-helm serviceAccountName: nmaas-helm + clusterRoleBindingName: nmaas-helm-admin + clusterRoleName: cluster-admin image: repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-helm-3 tag: "3.9.3" 
@@ -289,19 +283,26 @@ janitor: name: nmaas-janitor image: repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-janitor - tag: "1.6.1" + tag: "1.7.0" pullPolicy: IfNotPresent port: 5000 targetPort: 5000 serviceAccountName: nmaas-janitor + clusterRoleName: janitor-role + clusterRoleBindingName: nmaas-janitor type: ClusterIP # -- settings for in-cluster postgresql postgresql: install: true - postgresqlUsername: nmaas - postgresqlPassword: nmaas - postgresqlDatabase: nmaas - persistence: - enabled: true - size: 8Gi + auth: + username: nmaas + password: nmaas + database: nmaas + postgresPassword: nmaas + primary: + networkPolicy: + enabled: false + persistence: + enabled: true + size: 8Gi
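Review bot: The new in-cluster PostgreSQL defaults carry `password: nmaas` and `postgresPassword: nmaas` (the superuser) and explicitly set `primary.networkPolicy.enabled: false`, which turns off the NetworkPolicy the Bitnami 16.x chart would otherwise create, so a default install has a well-known superuser password reachable from any namespace in the cluster wherever the CNI enforces policies. At minimum document this in values.yaml, e.g. `# -- weak placeholder, must be overridden for anything but a throwaway test install` above `password:` and `postgresPassword:`, and `# -- disables the chart's NetworkPolicy; prefer leaving it on and allowing only the platform pods` above `networkPolicy:`. Moving the dependency from chart 10.16.2 to 16.6.0 also changes the PostgreSQL major version in the bundled image (11 to 17, if I recall the Bitnami mapping correctly), so an existing 8Gi data volume will not be readable by the new server without a dump/restore or pg_upgrade — that belongs in the chart's upgrade notes for the 2.0.0 bump. The `auth` values are unquoted; quote them so an override that looks numeric or boolean is not retyped.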