diff --git a/pygluu/kubernetes/templates/helm/gluu/README.md b/pygluu/kubernetes/templates/helm/gluu/README.md index bb291276..fc651b39 100644 --- a/pygluu/kubernetes/templates/helm/gluu/README.md +++ b/pygluu/kubernetes/templates/helm/gluu/README.md 
@@ -77,7 +77,7 @@ Kubernetes: `>=v1.21.0-0` | casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPass":"P@ssw0rd","city":"Austin","configmap":{"cnConfigGoogleSecretNamePrefix":"gluu","cnConfigGoogleSecretVersionId":"latest","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerEmulatorHost":"","cnGoogleSpannerInstanceId":"","cnSecretGoogleSecretNamePrefix":"gluu","cnSecretGoogleSecretVersionId":"latest","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqlPasswordFile":"/etc/gluu/conf/sql_password","cnSqldbUserPassword":"Test1234#","containerMetadataName":"kubernetes","gluuCacheType":"NATIVE_PERSISTENCE","gluuCasaEnabled":false,"gluuCouchbaseBucketPrefix":"gluu","gluuCouchbaseCertFile":"/etc/certs/couchbase.crt","gluuCouchbaseCrt":"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","gluuCouchbaseIndexNumReplica":0,"gluuCouchbasePass":"P@ssw0rd","gluuCouchbasePassFile":"/etc/gluu/conf/couchbase_password","gluuCouchbaseSuperUser":"admin","gluuCouchbaseSuperUserPass":"P@ssw0rd","gluuCouchbaseSuperUserPassFile":"/etc/gluu/conf/couchbase_superuser_password","gluuCouchbaseUrl":"cbgluu.default.svc.cluster.local","gluuCouchbaseUser":"gluu","gluuDocumentStoreType":"JCA","gluuJackrabbitAdminId":"admin","gluuJackrabbitAdminIdFile":"/etc/gluu/conf/jackrabbit_admin_id","gluuJackrabbitAdminPassFile":"/etc/gluu/conf/jackrabbit_admin_passwor
d","gluuJackrabbitPostgresDatabaseName":"jackrabbit","gluuJackrabbitPostgresHost":"postgresql.postgres.svc.cluster.local","gluuJackrabbitPostgresPasswordFile":"/etc/gluu/conf/postgres_password","gluuJackrabbitPostgresPort":5432,"gluuJackrabbitPostgresUser":"jackrabbit","gluuJackrabbitSyncInterval":300,"gluuJackrabbitUrl":"http://jackrabbit:8080","gluuLdapUrl":"opendj:1636","gluuMaxRamPercent":"75.0","gluuOxauthBackend":"oxauth:8080","gluuOxdAdminCertCn":"oxd-server","gluuOxdApplicationCertCn":"oxd-server","gluuOxdBindIpAddresses":"*","gluuOxdServerUrl":"oxd-server:8443","gluuOxtrustApiEnabled":false,"gluuOxtrustApiTestMode":false,"gluuOxtrustBackend":"oxtrust:8080","gluuOxtrustConfigGeneration":true,"gluuPassportEnabled":false,"gluuPassportFailureRedirectUrl":"","gluuPersistenceLdapMapping":"default","gluuRedisSentinelGroup":"","gluuRedisSslTruststore":"","gluuRedisType":"STANDALONE","gluuRedisUrl":"redis:6379","gluuRedisUseSsl":"false","gluuSamlEnabled":false,"gluuScimProtectionMode":"OAUTH","gluuSyncCasaManifests":false,"gluuSyncShibManifests":false,"lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.com","image":{"pullSecrets":[],"repository":"gluufederation/config-init","tag":"4.5.0-1"},"ldapPass":"P@ssw0rd","migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPass":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
| +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPass":"P@ssw0rd","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnConfigGoogleSecretNamePrefix":"gluu","cnConfigGoogleSecretVersionId":"latest","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerEmulatorHost":"","cnGoogleSpannerInstanceId":"","cnSecretGoogleSecretNamePrefix":"gluu","cnSecretGoogleSecretVersionId":"latest","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqlPasswordFile":"/etc/gluu/conf/sql_password","cnSqldbUserPassword":"Test1234#","containerMetadataName":"kubernetes","gluuCacheType":"NATIVE_PERSISTENCE","gluuCasaEnabled":false,"gluuCouchbaseBucketPrefix":"gluu","gluuCouchbaseCertFile":"/etc/certs/couchbase.crt","gluuCouchbaseCrt":"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","gluuCouchbaseIndexNumReplica":0,"gluuCouchbasePass":"P@ssw0rd","gluuCouchbasePassFile":"/etc/gluu/conf/couchbase_password","gluuCouchbaseSuperUser":"admin","gluuCouchbaseSuperUserPass":"P@ssw0rd","gluuCouchbaseSuperUserPassFile":"/etc/gluu/conf/couchbase_superuser_password","gluuCouchbaseUrl":"cbgluu.default.svc.cluster.local","gluuCouchbaseUser":"gluu","gluuDocumentStoreType":"JCA","gluuJackrabbitAdminId":"admin","gluuJackrabbitAdminIdFile":"/etc/gluu/conf/jackrabbit_admin_id","gluuJackrabbitAdminPassFile":"/etc/gluu/conf/jackrabbit_admin_password","gluuJackrabbitPostgresDatabaseName":"jackrabbit","gluuJackrabbitPostgresHost":"postgresql.postgres.svc.cluster.local","gluuJackrabbitPostgresPasswordFile":"/etc/g
luu/conf/postgres_password","gluuJackrabbitPostgresPort":5432,"gluuJackrabbitPostgresUser":"jackrabbit","gluuJackrabbitSyncInterval":300,"gluuJackrabbitUrl":"http://jackrabbit:8080","gluuLdapUrl":"opendj:1636","gluuMaxRamPercent":"75.0","gluuOxauthBackend":"oxauth:8080","gluuOxdAdminCertCn":"oxd-server","gluuOxdApplicationCertCn":"oxd-server","gluuOxdBindIpAddresses":"*","gluuOxdServerUrl":"oxd-server:8443","gluuOxtrustApiEnabled":false,"gluuOxtrustApiTestMode":false,"gluuOxtrustBackend":"oxtrust:8080","gluuOxtrustConfigGeneration":true,"gluuPassportEnabled":false,"gluuPassportFailureRedirectUrl":"","gluuPersistenceLdapMapping":"default","gluuRedisSentinelGroup":"","gluuRedisSslTruststore":"","gluuRedisType":"STANDALONE","gluuRedisUrl":"redis:6379","gluuRedisUseSsl":"false","gluuSamlEnabled":false,"gluuScimProtectionMode":"OAUTH","gluuSyncCasaManifests":false,"gluuSyncShibManifests":false,"lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.com","image":{"pullSecrets":[],"repository":"gluufederation/config-init","tag":"4.5.0-1"},"ldapPass":"P@ssw0rd","migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPass":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | | config.additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | config.additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | | config.adminPass | string | `"P@ssw0rd"` | Admin password to log in to the UI. | 
@@ -226,7 +226,7 @@ Kubernetes: `>=v1.21.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"alb":{"ingress":{"additionalAnnotations":{"alb.ingress.kubernetes.io/auth-session-cookie":"custom-cookie","alb.ingress.kubernetes.io/certificate-arn":"arn:aws:acm:us-west-2:xxxx:certificate/xxxxxx","alb.ingress.kubernetes.io/scheme":"internet-facing","kubernetes.io/ingress.class":"alb"},"additionalLabels":{},"adminUiEnabled":true,"authServerEnabled":true,"casaEnabled":false,"enabled":false,"fido2ConfigEnabled":false,"fido2Enabled":false,"openidConfigEnabled":true,"passportEnabled":false,"scimConfigEnabled":false,"scimEnabled":false,"shibEnabled":false,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","cloud":{"testEnviroment":false},"cnGoogleApplicationCredentials":"/etc/gluu/conf/google-credentials.json","config":{"enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","cr-rotate":{"enabled":false},"domain":"demoexample.gluu.org","fido2":{"appLoggers":{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"},"enabled":false},"gcePdStorageType":"pd-standard","gluuJackrabbitCluster":"true","gluuPersistenceType":"couchbase","isDomainRegistered":"false","istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"ingress":false,"namespace":"istio-system"},"jackrabbit":{"enabled":true},"jobTtlSecondsAfterFinished":300,"lbIp":"","ldapServiceName":"opendj","nginx-ingress":{"enabled":true},"opendj":{"enabled":true},"oxauth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditSta
tsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","cleanerLogLevel":"INFO","cleanerLogTarget":"FILE","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true},"oxauth-key-rotation":{"enabled":false},"oxd-server":{"appLoggers":{"oxdServerLogLevel":"INFO","oxdServerLogTarget":"STDOUT"},"enabled":false},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false},"oxtrust":{"appLoggers":{"apachehcLogLevel":"INFO","apachehcLogTarget":"FILE","auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","cacheRefreshLogLevel":"INFO","cacheRefreshLogTarget":"FILE","cacheRefreshPythonLogLevel":"INFO","cacheRefreshPythonLogTarget":"FILE","cleanerLogLevel":"INFO","cleanerLogTarget":"FILE","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","oxtrustLogLevel":"INFO","oxtrustLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE","velocityLogLevel":"INFO","velocityLogTarget":"FILE"},"enabled":true},"persistence":{"enabled":true},"scim":{"appLoggers":{"persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","sc
riptLogTarget":"FILE"},"enabled":false},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false,"image":{"repository":"gluufederation/upgrade","tag":"4.5.0-1"},"sourceVersion":"4.4","targetVersion":"4.4"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"alb":{"ingress":{"additionalAnnotations":{"alb.ingress.kubernetes.io/auth-session-cookie":"custom-cookie","alb.ingress.kubernetes.io/certificate-arn":"arn:aws:acm:us-west-2:xxxx:certificate/xxxxxx","alb.ingress.kubernetes.io/scheme":"internet-facing","kubernetes.io/ingress.class":"alb"},"additionalLabels":{},"adminUiEnabled":true,"authServerEnabled":true,"casaEnabled":false,"enabled":false,"fido2ConfigEnabled":false,"fido2Enabled":false,"openidConfigEnabled":true,"passportEnabled":false,"scimConfigEnabled":false,"scimEnabled":false,"shibEnabled":false,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/gluu/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/gluu/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/gluu/conf/aws_shared_credential_file","cnGoogleApplicationCredentials":"/etc/gluu/conf/google-credentials.json","config":{"enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","cr-rotate":{"enabled":false},"domain":"demoexample.gluu.org","fido2":{"appLoggers":{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"},"enabled":false},"gcePdStorageType":"pd-standard","gluuJackrabbitCluster":"true","gluuPersistenceType":"couchbase","isDomainRegistered":"false","istio":{"addit
ionalAnnotations":{},"additionalLabels":{},"enabled":false,"ingress":false,"namespace":"istio-system"},"jackrabbit":{"enabled":true},"jobTtlSecondsAfterFinished":300,"lbIp":"","ldapServiceName":"opendj","nginx-ingress":{"enabled":true},"opendj":{"enabled":true},"oxauth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","cleanerLogLevel":"INFO","cleanerLogTarget":"FILE","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true},"oxauth-key-rotation":{"enabled":false},"oxd-server":{"appLoggers":{"oxdServerLogLevel":"INFO","oxdServerLogTarget":"STDOUT"},"enabled":false},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false},"oxtrust":{"appLoggers":{"apachehcLogLevel":"INFO","apachehcLogTarget":"FILE","auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","cacheRefreshLogLevel":"INFO","cacheRefreshLogTarget":"FILE","cacheRefreshPythonLogLevel":"INFO","cacheRefreshPythonLogTarget":"FILE","cleanerLogLevel":"INFO","cleanerLogTarget":"FILE","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","oxtrustLogLevel":"INFO","oxtrustLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE","velocit
yLogLevel":"INFO","velocityLogTarget":"FILE"},"enabled":true},"persistence":{"enabled":true},"scim":{"appLoggers":{"persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false,"image":{"repository":"gluufederation/upgrade","tag":"4.5.0-1"},"sourceVersion":"4.4","targetVersion":"4.4"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.alb.ingress.additionalAnnotations | object | `{"alb.ingress.kubernetes.io/auth-session-cookie":"custom-cookie","alb.ingress.kubernetes.io/certificate-arn":"arn:aws:acm:us-west-2:xxxx:certificate/xxxxxx","alb.ingress.kubernetes.io/scheme":"internet-facing","kubernetes.io/ingress.class":"alb"}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | global.alb.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | global.alb.ingress.adminUiEnabled | bool | `true` | Enable Admin UI endpoints /identity | 
@@ -246,10 +246,10 @@ Kubernetes: `>=v1.21.0-0` | global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | | global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | | global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | -| global.cnGoogleApplicationCredentials | string | `"/etc/gluu/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. | +| global.cnGoogleApplicationCredentials | string | `"/etc/gluu/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | | global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | -| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. google|kubernetes | -| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. google|kubernetes | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes. OpenDJ as a persistence is restricted to kubernetes ONLY! | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes OpenDJ as a persistence is restricted to kubernetes ONLY! | | global.cr-rotate.enabled | bool | `false` | Boolean flag to enable/disable the cr-rotate chart. | | global.domain | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. 
| | global.fido2.appLoggers | object | `{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/casa/templates/deployment.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/casa/templates/deployment.yaml index 1f5358af..611d322d 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/casa/templates/deployment.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/casa/templates/deployment.yaml @@ -84,6 +84,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" 
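Review bot: The three AWS files are mounted with `subPath`, and a `subPath` projection of a Secret is never refreshed by the kubelet, so rotating `cnAwsAccessKeyId`/`cnAwsSecretAccessKey` in the `-aws-config-creds` Secret will not reach a running casa pod until it is restarted; the identical mount block is repeated in every other chart in this commit. If in-place key rotation is expected, mount the Secret once as a directory (no `subPath`) and point `cnAwsSharedCredentialsFile`/`cnAwsConfigFile`/`cnAwsSecretsReplicaRegionsFile` at files under that directory, or state in the chart docs that a rollout is required after changing the keys. The container spec these mounts belong to starts before this hunk.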
@@ -129,6 +140,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/load-init-config.yml b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/load-init-config.yml index 46ac4abb..7b126723 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/load-init-config.yml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/load-init-config.yml @@ -41,6 +41,26 @@ spec: volumes: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions {{- end }} - name: {{ include "config.fullname" . }}-mount-gen-file secret: 
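Review bot: The three `secret:` volumes added here all project the same `{{ .Release.Name }}-aws-config-creds` Secret and none sets a `defaultMode`, so the AWS credential file is created with the Secret-volume default of 0644 and is readable by every user in the container; adding `defaultMode: 0400` (or `0440` if the process does not run as the file owner) under each `secret:` block, or collapsing the three into one volume, would be tighter. That Secret is rendered by the config subchart, so a release with `global.config.enabled=false` and an `aws` adapter references a Secret that does not exist and the pod never leaves ContainerCreating — worth guarding or documenting. The same volume block is duplicated in the other charts in this commit.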
@@ -63,6 +83,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} - mountPath: /opt/config-init/db/generate.json name: {{ include "config.fullname" . }}-mount-gen-file subPath: generate.json diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/secrets.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/secrets.yaml index 5732aefa..7065856b 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/secrets.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/secrets.yaml 
@@ -108,6 +108,33 @@ type: Opaque data: couchbase_superuser_password: {{ .Values.configmap.gluuCouchbaseSuperUserPass | b64enc }} {{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile | quote }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile | quote }}] + region = {{ .Values.configmap.cnAwsDefaultRegion | quote }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.gluuPersistenceType "spanner") }} --- apiVersion: v1 diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate/templates/daemonset.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate/templates/daemonset.yaml index 81e851b3..844eb3ea 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate/templates/daemonset.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate/templates/daemonset.yaml 
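Review bot: `aws_shared_credential_file` is rendered unconditionally, so with the chart defaults (`cnAwsAccessKeyId` and `cnAwsSecretAccessKey` both `""`) every pod receives a profile whose `aws_access_key_id =` and `aws_secret_access_key =` lines are empty; depending on how the consumer loads the file this may be taken as a (broken) static credential rather than letting the SDK fall through to IRSA/instance-role credentials, which is the option that avoids placing long-lived IAM user keys into a Kubernetes Secret (and into `helm get values` and the release record) at all. Rendering the two key lines only when both values are set keeps the `aws_shared_credential_file` item present for the existing volume mounts while leaving the default credential chain untouched otherwise. Separately, `| quote` writes literal double quotes into the INI section header (`["gluu"]`), and `aws_config_file` uses the bare name where the AWS config-file convention for a non-default profile is `[profile gluu]`; unless the Gluu image normalises the profile name itself, the `region` may not be associated with the `cnAwsProfile` profile, so this deserves a test against the actual consumer. Because this Secret carries a long-lived credential, the minimum IAM policy it needs (Secrets Manager access scoped to `cnAwsSecretsNamePrefix`) should also be documented rather than left implicit.
```yaml
stringData:
  aws_shared_credential_file: |-
    [{{ .Values.configmap.cnAwsProfile }}]
    {{- if and .Values.configmap.cnAwsAccessKeyId .Values.configmap.cnAwsSecretAccessKey }}
    aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }}
    aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }}
    {{- end }}
  aws_config_file: |-
    [profile {{ .Values.configmap.cnAwsProfile }}]
    region = {{ .Values.configmap.cnAwsDefaultRegion }}
  # … unchanged: aws_secrets_replica_regions …
```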
@@ -58,6 +58,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -90,6 +101,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/fido2/templates/deployment.yml b/pygluu/kubernetes/templates/helm/gluu/charts/fido2/templates/deployment.yml index c3765dfa..7ff7a2d4 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/fido2/templates/deployment.yml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/fido2/templates/deployment.yml 
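Review bot: The new conditional is written `{{ if or … }}` while every neighbouring conditional in this template (for example the `{{- if eq .Values.global.gluuPersistenceType "sql" }}` immediately after it) uses the left-trimming form, so the rendered manifest gains a stray blank line at the mount position and the style differs from the rest of the file; `{{- if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}` matches the file. The same form is repeated in this chart's volumes block and in the other charts in this commit. Since cr-rotate is a DaemonSet, these mounts also place the static AWS key on every node of the cluster, which is worth confirming is intended rather than relying on the node/pod identity there.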
@@ -76,6 +76,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -122,6 +133,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxauth-key-rotation/templates/cronjobs.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/oxauth-key-rotation/templates/cronjobs.yaml index 60ac8cac..0e152fe0 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxauth-key-rotation/templates/cronjobs.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxauth-key-rotation/templates/cronjobs.yaml 
@@ -39,6 +39,17 @@ spec: {{- include "oxauth-key-rotation.usr-secret-envs" . | indent 16 }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.gluuPersistenceType "spanner") }} - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} name: google-sa @@ -98,6 +109,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxauth/templates/deployment.yml b/pygluu/kubernetes/templates/helm/gluu/charts/oxauth/templates/deployment.yml index 9e9d9ff9..8e047e60 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxauth/templates/deployment.yml 
+++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxauth/templates/deployment.yml @@ -76,6 +76,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -127,6 +138,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxd-server/templates/deployment.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/oxd-server/templates/deployment.yaml index 75a89d61..430ae77a 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxd-server/templates/deployment.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxd-server/templates/deployment.yaml 
@@ -80,6 +80,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -116,6 +127,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport/templates/deployment.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport/templates/deployment.yaml index 5bd1f5e8..17b6679d 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport/templates/deployment.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport/templates/deployment.yaml 
@@ -79,6 +79,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.gluuPersistenceType "spanner") }} - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} name: google-sa @@ -110,6 +121,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.gluuPersistenceType "spanner") }} - name: google-sa secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth/templates/statefulset.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth/templates/statefulset.yaml index 608a2185..c71bb879 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth/templates/statefulset.yaml 
+++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth/templates/statefulset.yaml @@ -82,6 +82,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -133,6 +144,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/oxtrust/templates/statefulset.yml b/pygluu/kubernetes/templates/helm/gluu/charts/oxtrust/templates/statefulset.yml index d37651a7..7671e556 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/oxtrust/templates/statefulset.yml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/oxtrust/templates/statefulset.yml 
@@ -87,6 +87,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -124,6 +135,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/persistence/templates/jobs.yml b/pygluu/kubernetes/templates/helm/gluu/charts/persistence/templates/jobs.yml index d1bfb252..9e78f4d2 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/persistence/templates/jobs.yml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/persistence/templates/jobs.yml 
@@ -64,6 +64,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if .Values.global.jackrabbit.enabled }} - name: gluu-jackrabbit-admin-pass mountPath: /etc/gluu/conf/jackrabbit_admin_password @@ -98,6 +109,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if .Values.global.jackrabbit.enabled }} - name: gluu-jackrabbit-admin-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/scim/templates/deployment.yml b/pygluu/kubernetes/templates/helm/gluu/charts/scim/templates/deployment.yml index 9d79b8ce..d46da1b4 100644 --- a/pygluu/kubernetes/templates/helm/gluu/charts/scim/templates/deployment.yml +++ b/pygluu/kubernetes/templates/helm/gluu/charts/scim/templates/deployment.yml 
@@ -84,6 +84,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass mountPath: "/etc/gluu/conf/sql_password" @@ -122,6 +133,26 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} {{- if eq .Values.global.gluuPersistenceType "sql" }} - name: sql-pass secret: diff --git a/pygluu/kubernetes/templates/helm/gluu/values.yaml b/pygluu/kubernetes/templates/helm/gluu/values.yaml index 7336d254..05fe80e4 100644 --- a/pygluu/kubernetes/templates/helm/gluu/values.yaml +++ b/pygluu/kubernetes/templates/helm/gluu/values.yaml 
@@ -111,12 +111,18 @@ global: gluuPersistenceType: couchbase # -- Boolean flag if enabled will enable jackrabbit in cluster mode with Postgres. gluuJackrabbitCluster: "true" - # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes. OpenDJ as a persistence is restricted to kubernetes ONLY! configAdapterName: kubernetes - # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes OpenDJ as a persistence is restricted to kubernetes ONLY! configSecretAdapter: kubernetes - # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. cnGoogleApplicationCredentials: /etc/gluu/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/gluu/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/gluu/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. 
+ cnAwsSecretsReplicaRegionsFile: /etc/gluu/conf/aws_secrets_replica_regions oxauth: # -- Boolean flag to enable/disable oxauth chart. You should never set this to false. enabled: true @@ -467,6 +473,24 @@ config: cnConfigGoogleSecretNamePrefix: gluu # [google_secret_manager_envs] END # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + # The URL of AWS secretsmanager service (if omitted, will use the one in specified region). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The default profile to use. + cnAwsProfile: "gluu" + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END # -- Loadbalancer address for AWS if the FQDN is not registered. lbAddr: "" # -- Enable oxTrust API
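Review bot: The comments on the three new `cnAws*File` keys are plain `#` lines, while the adjacent `cnGoogleApplicationCredentials` and every other documented value in this file use the helm-docs `# --` marker, so these keys will be absent from the generated README value table; the same applies to the eight `cnAws*` keys in the `config:` hunk that follows. Suggested form for the first one: `# -- The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default.` (the hunk's version also lacks the space before "Leave"). The `cnAwsSecretsReplicaRegionsFile` comment says the file is used only when `global.configAdapterName` and `global.configSecretAdapter` are both `aws`, but the deployment templates mount it when either one is `aws`; either the comment should say "or", or the template condition should require both.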
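Review bot: `cnAwsAccessKeyId` and `cnAwsSecretAccessKey` are long-lived static credentials, and the comment on each points users at the AWS-managed `SecretsManagerReadWrite` policy, which grants read and write on every secret in the account rather than only those under `cnAwsSecretsNamePrefix`. The comment is the place to steer users to least privilege, e.g. `# AWS access key id of an IAM principal whose policy is scoped to secrets named <cnAwsSecretsNamePrefix>*; avoid the account-wide SecretsManagerReadWrite policy`, with matching wording on `cnAwsSecretAccessKey`. Since these values presumably feed the `{{ .Release.Name }}-aws-config-creds` Secret that every service pod mounts, it is also worth stating next to both keys that they should be supplied at install time rather than committed in a values file.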