description:"Open banking external signing jwks uri. Used in SSA Validation."
type:hostname
group:"OpenBanking Distribution"
label:Openbanking external signing JWKS URI
show_if:"global.distribution=openbanking"
subquestions:
- variable:global.cnObExtSigningJwksCrt
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
type:multiline
label:Open banking external signing jwks AS certificate authority string
- variable:global.cnObExtSigningJwksKey
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
type:multiline
label:Open banking external signing jwks AS key string
- variable:global.cnObExtSigningJwksKeyPassPhrase
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
type:password
label:Open banking external signing jwks AS key passphrase
min_length:6
- variable:global.cnObExtSigningAlias
default:"XkwIzWy44xWSlcWnMiEc8iq9s2G"
required:true
group:"OpenBanking Distribution"
description:"Open banking external signing AS alias. This is a kid value used in SSA Validation: the kid used while encoding the JWT sent to the token URL, e.g. XkwIzWy44xWSlcWnMiEc8iq9s2G"
type:string
label:Open banking external signing AS Alias
- variable:global.cnObStaticSigningKeyKid
default:"Wy44xWSlcWnMiEc8iq9s2G"
required:true
group:"OpenBanking Distribution"
description:"Open banking signing AS kid, used to force the AS to sign with a specific key, e.g. Wy44xWSlcWnMiEc8iq9s2G"
type:string
label:Open banking signing AS kid
show_if:"global.distribution=openbanking"
- variable:global.cnObTransportAlias
default:""
required:false
group:"OpenBanking Distribution"
description:"Open banking transport Alias used inside the JVM."
type:string
label:Open banking transport Alias used inside the JVM.
show_if:"global.distribution=openbanking"
subquestions:
- variable:global.cnObTransportCrt
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64."
type:multiline
label:Open banking AS transport crt
- variable:global.cnObTransportKey
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64."
type:multiline
label:Open banking AS transport key
- variable:global.cnObTransportKeyPassPhrase
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64."
type:password
label:Open banking AS transport key passphrase
min_length:6
- variable:global.cnObTransportTrustStore
default:""
required:true
group:"OpenBanking Distribution"
description:"Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64."
type:multiline
label:Open banking AS transport truststore crt
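Every certificate, key and passphrase under the OpenBanking group above must be supplied base64-encoded, and the chart decodes them as-is, so a wrapped base64 string or an encoded trailing newline in the passphrase is a common cause of the AS failing to unlock its key. The following is an added helper script, not part of the chart, that encodes PEM files as single-line base64, encodes the passphrase without a trailing newline, checks that the encoded material decodes back to the original bytes, and prints a `values.yaml` fragment for the `cnObExtSigningJwks*` keys. The same helpers apply to the `cnObTransport*` values. The PEM contents used in the test are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not chart code): prepare base64 values for the OpenBanking
# signing material and verify they round-trip before running helm install.

# b64_file FILE -> FILE as one base64 line with no wrapping or trailing newline,
# the form the cnOb*Crt / cnOb*Key / cnObTransportTrustStore values expect.
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# b64_secret STRING -> base64 of STRING without an encoded trailing newline.
# Using `echo "$pw" | base64` would encode the newline and the passphrase
# would no longer match the one protecting the key.
b64_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_roundtrip_ok FILE -> exit 0 if decoding b64_file(FILE) reproduces FILE byte for byte.
b64_roundtrip_ok() {
  tmp=$(mktemp)
  b64_file "$1" | base64 -d > "$tmp"
  if cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# render_ob_values CA_PEM KEY_PEM PASSPHRASE -> values.yaml fragment on stdout.
# Aborts if any file does not round-trip (e.g. unreadable or empty).
render_ob_values() {
  ca=$1; key=$2; pass=$3
  for f in "$ca" "$key"; do
    b64_roundtrip_ok "$f" || { echo "base64 round-trip failed for $f" >&2; return 1; }
  done
  cat <<EOF
global:
  cnObExtSigningJwksCrt: "$(b64_file "$ca")"
  cnObExtSigningJwksKey: "$(b64_file "$key")"
  cnObExtSigningJwksKeyPassPhrase: "$(b64_secret "$pass")"
EOF
}

# Usage: sh ob-values.sh ca.pem signing-key.pem 'passphrase' > ob-values.yaml
if [ $# -eq 3 ]; then
  render_ob_values "$1" "$2" "$3"
fi
```

Pass the resulting fragment with `helm install ... -f ob-values.yaml`; keep the file out of version control, since it contains the private key and its passphrase.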
description:"Auth server key rotation: lifetime of the signing keys, in hours."
type:int
label:Key life
- variable:global.fido2.enabled
default:false
type:boolean
group:"Optional Services"
required:true
show_if:"global.distribution=default"
label:Enable Fido2
description:"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments."
description:"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)."
description:"Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server."
description:"System for Cross-domain Identity Management (SCIM) version 2.0"
- variable:global.client-api.enabled
default:false
type:boolean
group:"Optional Services"
required:true
label:Enable ClientAPI
show_if:"global.distribution=default"
description:"Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting."
description:"Needed for SAML. Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications. https://jackrabbit.apache.org/jcr/index.html"
subquestions:
- variable:jackrabbit.storage.size
default:"4Gi"
description:"Size of Jackrabbit content repository volume storage."
description:"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; defaults to default). Note that this setting only takes effect when `global.cnPersistenceType` is set to `hybrid`."
options:
- "default"
- "user"
- "site"
- "cache"
- "token"
- "session"
show_if:"global.cnPersistenceType=hybrid"
# Multi cluster ldap replication
- variable:opendj.multiCluster.enabled
default:false
type:boolean
group:"Persistence"
required:true
label:Enable OpenDJ multiCluster mode
description:"Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster`"
description:"OpenDJ Serf advertise address suffix that will be added to each opendj replica, e.g. RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}"
label:OpenDJ Serf advertise address suffix
- variable:opendj.multiCluster.replicaCount
default:1
type:int
group:"Persistence"
required:true
description:"The number of opendj non-scalable statefulsets to create. Each pod created must be resolvable, as it follows the pattern RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}. If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org"
label:The number of opendj non scalable statefulsets to create.
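Because every regional OpenDJ pod must be resolvable by the other clusters before replication can form, it is worth generating the expected addresses from the release name, `opendj.multiCluster.replicaCount` and the Serf suffix and resolving them ahead of the install. The script below is an added pre-flight check, not part of the chart; it assumes the naming pattern stated above and uses `getent hosts`, which is present in most Linux images.

```shell
#!/bin/sh
# Added example (not chart code): pre-flight DNS check for OpenDJ multi-cluster mode.

# opendj_regional_addrs RELEASE COUNT SUFFIX -> one expected pod address per line,
# following RELEASE-opendj-regional-<n>-<serfAdvertiseAddrSuffix> for n in 0..COUNT-1.
opendj_regional_addrs() {
  release=$1; count=$2; suffix=$3
  i=0
  while [ "$i" -lt "$count" ]; do
    printf '%s-opendj-regional-%s-%s\n' "$release" "$i" "$suffix"
    i=$((i + 1))
  done
}

# opendj_addrs_resolvable RELEASE COUNT SUFFIX -> exit 0 only if every address
# resolves; each failure is reported on stderr so the DNS records can be fixed
# before helm install.
opendj_addrs_resolvable() {
  failed=0
  for addr in $(opendj_regional_addrs "$1" "$2" "$3"); do
    if ! getent hosts "$addr" > /dev/null 2>&1; then
      echo "unresolvable: $addr" >&2
      failed=1
    fi
  done
  return $failed
}

# Usage: sh opendj-preflight.sh gluu 1 regional.gluu.org
if [ $# -eq 3 ]; then
  opendj_addrs_resolvable "$1" "$2" "$3"
fi
```

Run it once per cluster with that cluster's own suffix; an address that resolves only from inside one cluster is still a problem for the peers.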
- variable:opendj.multiCluster.clusterId
default:"west"
type:string
group:"Persistence"
required:true
description:"This id needs to be unique to each kubernetes cluster in a multi cluster setup (west, east, south, north, region, etc.). If left empty it will be randomly generated."
description:"The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner."
type:multiline
label:Google Spanner Service Account json
show_if:"global.cnPersistenceType=spanner"
- variable:config.configmap.cnGoogleProjectId
default:""
group:"Persistence"
description:"The Google Project ID"
type:string
label:Google Project ID
show_if:"global.cnPersistenceType=spanner"
#Couchbase
- variable:config.configmap.cnCouchbaseCrt
default:""
group:"Persistence"
description:"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required."
description:"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster"
description:"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu."
description:"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot set the number of replicas higher than 1."
description:"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lowercase letter and one symbol."
description:"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lowercase letter and one symbol."
description:"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide a static ip for loadbalancers. On clouds that provide only a hostname for the LB, this flag enables a script that actively resolves config.configmap.lbAddr and updates the hosts file inside the pods automatically."
- variable:config.migration.enabled
default:false
required:true
type:boolean
group:"Configuration"
label:Migration from Gluu CE
description:"Boolean flag to enable migration from CE"
show_subquestion_if:true
subquestions:
- variable:config.migration.migrationDataFormat
default:"ldif"
type:enum
group:"Configuration"
required:false
label:Migration data-format
description:"Migration data-format depending on persistence backend."
options:
- "ldif"
- "couchbase+json"
- "spanner+avro"
- "postgresql+json"
- "mysql+json"
- variable:config.migration.migrationDir
default:"/ce-migration"
required:false
type:string
group:"Configuration"
label:Migration Directory
description:"Directory holding all migration files"
# ===========================
# Ingress group(Istio, NGINX)
# ===========================
# ===========
# Istio group
# ===========
- variable:global.istio.enabled
default:false
type:boolean
group:"Istio"
required:true
description:"Boolean flag that enables using istio side cars with Gluu services."
label:Use Istio side cars
show_subquestion_if:true
subquestions:
- variable:global.istio.ingress
default:false
type:boolean
group:"Istio"
required:true
description:"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available."
label:Use Istio Ingress
- variable:global.istio.namespace
default:"istio-system"
type:string
group:"Istio"
required:true
description:"Namespace in which Istio is installed. The Istio gateway resources for Gluu are created against this namespace."
label:Istio namespace
- variable:config.configmap.lbAddr
default:""
group:"Istio"
description:"Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)"