Merge pull request #245 from moabu/add-gluu-chart

feat(gluu): add Gluu partner chart
pull/247/head
alex-isv 2021-11-17 09:04:23 -07:00 committed by GitHub
commit ef6330dfb3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
177 changed files with 20426 additions and 0 deletions

BIN
assets/gluu/gluu-5.0.0.tgz Normal file



@ -0,0 +1,109 @@
annotations:
artifacthub.io/changes: |
- Gluu 5.0 Openbanking Distribution. Auth-server and config-api.
- Updated new images
- https://gluu.org/docs/openbanking
artifacthub.io/containsSecurityUpdates: "true"
artifacthub.io/images: |
- name: auth-server
image: janssenproject/auth-server:1.0.0_b12
- name: auth-server-key-rotation
image: janssenproject/certmanager:1.0.0_b12
- name: client-api
image: janssenproject/client-api:1.0.0_b12
- name: configuration-manager
image: janssenproject/configurator:1.0.0_b12
- name: config-api
image: janssenproject/config-api:1.0.0_b12
- name: fido2
image: janssenproject/fido2:1.0.0_b12
- name: opendj
image: gluufederation/opendj:5.0.0_dev
- name: persistence
image: janssenproject/persistence-loader:1.0.0_b12
- name: scim
image: janssenproject/scim:1.0.0_b12
artifacthub.io/license: Apache-2.0
artifacthub.io/prerelease: "true"
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management
catalog.cattle.io/release-name: gluu
apiVersion: v2
appVersion: 5.0.0
dependencies:
- condition: global.config.enabled
name: config
repository: ""
version: 5.0.0
- condition: global.config-api.enabled
name: config-api
repository: ""
version: 5.0.0
- condition: global.opendj.enabled
name: opendj
repository: ""
version: 5.0.0
- condition: global.jackrabbit.enabled
name: jackrabbit
repository: ""
version: 5.0.0
- condition: global.auth-server.enabled
name: auth-server
repository: ""
version: 5.0.0
- condition: global.fido2.enabled
name: fido2
repository: ""
version: 5.0.0
- condition: global.scim.enabled
name: scim
repository: ""
version: 5.0.0
- condition: global.nginx-ingress.enabled
name: nginx-ingress
repository: ""
version: 5.0.0
- condition: global.oxshibboleth.enabled
name: oxshibboleth
repository: ""
version: 5.0.0
- condition: config.configmap.cnPassportEnabled
name: oxpassport
repository: ""
version: 5.0.0
- condition: config.configmap.cnCasaEnabled
name: casa
repository: ""
version: 5.0.0
- condition: global.auth-server-key-rotation.enabled
name: auth-server-key-rotation
repository: ""
version: 5.0.0
- condition: global.cr-rotate.enabled
name: cr-rotate
repository: ""
version: 5.0.0
- condition: global.client-api.enabled
name: client-api
repository: ""
version: 5.0.0
- condition: global.persistence.enabled
name: persistence
repository: ""
version: 5.0.0
- condition: global.istio.ingress
name: cn-istio-ingress
repository: ""
version: 5.0.0
description: Gluu Access and Identity Management OpenBanking distribution
home: https://www.gluu.org
icon: https://gluu.org/docs/gluu-server/favicon.ico
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: moabu
name: gluu
sources:
- https://gluu.org/docs/gluu-server
- https://github.com/GluuFederation/cloud-native-edition
version: 5.0.0
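Review bot: The `artifacthub.io/containsSecurityUpdates: "true"` annotation near the top of this Chart.yaml (the file path is not shown in the rendered section, but `apiVersion: v2` plus `dependencies` marks it as one) is not backed by anything in `artifacthub.io/changes`, whose three entries name a distribution, "Updated new images" and a docs link but no advisory, CVE or fixed component, so a consumer who sees the Artifact Hub security badge cannot tell what was fixed. Either add a changes entry that names the actual fix, or drop the annotation until there is one to name. Separately, every image in `artifacthub.io/images` is referenced by a mutable tag rather than a digest, and `gluufederation/opendj:5.0.0_dev` is a development tag that is also out of step with the `1.0.0_b12` set in a chart that carries both `artifacthub.io/prerelease: "true"` and `catalog.cattle.io/certified: partner`; for a partner-certified listing I would pin each reference as `image@sha256:…` so the listing and the rendered manifests are reproducible, and confirm the opendj tag is the intended release image. The `repository: ""` entries presumably mean the subcharts are bundled in the packaged `.tgz`, which is fine, but it means the image pins above are the only supply-chain anchor a downstream consumer gets.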


@ -0,0 +1,566 @@
# gluu
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Gluu Access and Identity Management OpenBanking distribution
**Homepage:** <https://www.gluu.org>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| moabu | support@gluu.org | |
## Source Code
* <https://gluu.org/docs/gluu-server>
* <https://github.com/GluuFederation/cloud-native-edition>
## Requirements
Kubernetes: `>=v1.19.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | auth-server | 5.0.0 |
| | auth-server-key-rotation | 5.0.0 |
| | casa | 5.0.0 |
| | client-api | 5.0.0 |
| | cn-istio-ingress | 5.0.0 |
| | config | 5.0.0 |
| | config-api | 5.0.0 |
| | cr-rotate | 5.0.0 |
| | fido2 | 5.0.0 |
| | jackrabbit | 5.0.0 |
| | nginx-ingress | 5.0.0 |
| | opendj | 5.0.0 |
| | oxpassport | 5.0.0 |
| | oxshibboleth | 5.0.0 |
| | persistence | 5.0.0 |
| | scim | 5.0.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| auth-server | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/auth-server","tag":"1.0.0_b12"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. |
| auth-server-key-rotation | object | `{"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/certmanager","tag":"1.0.0_b12"},"keysLife":48,"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours |
| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config |
| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy |
| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets |
| auth-server-key-rotation.image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. |
| auth-server-key-rotation.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours |
| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. |
| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. |
| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. |
| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. |
| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| auth-server.dnsConfig | object | `{}` | Add custom dns config |
| auth-server.dnsPolicy | string | `""` | Add custom dns policy |
| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| auth-server.hpa.behavior | object | `{}` | Scaling Policies |
| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets |
| auth-server.image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. |
| auth-server.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py |
| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py |
| auth-server.replicas | int | `1` | Service replica number. |
| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. |
| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. |
| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. |
| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. |
| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. |
| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| casa | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/casa","tag":"5.0.0_dev"},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. |
| casa.dnsConfig | object | `{}` | Add custom dns config |
| casa.dnsPolicy | string | `""` | Add custom dns policy |
| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| casa.hpa.behavior | object | `{}` | Scaling Policies |
| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| casa.image.pullSecrets | list | `[]` | Image Pull Secrets |
| casa.image.repository | string | `"gluufederation/casa"` | Image to use for deploying. |
| casa.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. |
| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint |
| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. |
| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint |
| casa.replicas | int | `1` | Service replica number. |
| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. |
| casa.resources.limits.cpu | string | `"500m"` | CPU limit. |
| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. |
| casa.resources.requests.cpu | string | `"500m"` | CPU request. |
| casa.resources.requests.memory | string | `"500Mi"` | Memory request. |
| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| client-api | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/client-api","tag":"1.0.0_b12"},"livenessProbe":{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. |
| client-api.dnsConfig | object | `{}` | Add custom dns config |
| client-api.dnsPolicy | string | `""` | Add custom dns policy |
| client-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| client-api.hpa.behavior | object | `{}` | Scaling Policies |
| client-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| client-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| client-api.image.pullSecrets | list | `[]` | Image Pull Secrets |
| client-api.image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. |
| client-api.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| client-api.livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| client-api.livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. |
| client-api.readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. |
| client-api.replicas | int | `1` | Service replica number. |
| client-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. |
| client-api.resources.limits.cpu | string | `"1000m"` | CPU limit. |
| client-api.resources.limits.memory | string | `"400Mi"` | Memory limit. |
| client-api.resources.requests.cpu | string | `"1000m"` | CPU request. |
| client-api.resources.requests.memory | string | `"400Mi"` | Memory request. |
| client-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| client-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| client-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| client-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| client-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| config | object | `{"adminPassword":"Test1234#","city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnCasaEnabled":false,"cnClientApiAdminCertCn":"client-api","cnClientApiApplicationCertCn":"client-api","cnClientApiBindIpAddresses":"*","cnConfigGoogleSecretNamePrefix":"gluu","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCertFile":"/etc/certs/couchbase.crt","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbasePasswordFile":"/etc/gluu/conf/couchbase_password","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseSuperUserPasswordFile":"/etc/gluu/conf/couchbase_superuser_password","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnDocumentStoreType":"JCA","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJackrabbitAdminId":"admin","cnJackrabbitAdminIdFile":"/etc/gluu/conf/jackrabbit_admin_id","cnJackrabbitAdminPasswordFile":"/etc/gluu/conf/jackrabbit_admin_password","cnJackrabbitPostgresDatabaseName":"jackrabbit","cnJackrabbitPostgresHost":"postgresql.postgres.svc.cluster.local","cnJackrabbitPostgresPasswordFile":"/etc/gluu/conf/postgres_password","cnJackrabbitPostgresPort":5432,"cnJackrabbitPostgresUser":"jackrabbit","cnJackrabbitSyncInterval":300,"cnJackrabbitUrl":"http://jackrabbit:8080","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPassportEnabled":false,"cnPersistenceLdapMapping":"default","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnSamlEnabled":false,"cnScimProtecti
onMode":"OAUTH","cnSecretGoogleSecretNamePrefix":"gluu","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqlPasswordFile":"/etc/jans/conf/sql_password","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"janssenproject/configurator","tag":"1.0.0_b12"},"ldapPassword":"P@ssw0rds","migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. |
| config-api | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/config-api","tag":"1.0.0_b12"},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). |
| config-api.dnsConfig | object | `{}` | Add custom dns config |
| config-api.dnsPolicy | string | `""` | Add custom dns policy |
| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| config-api.hpa.behavior | object | `{}` | Scaling Policies |
| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets |
| config-api.image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. |
| config-api.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint |
| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint |
| config-api.replicas | int | `1` | Service replica number. |
| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. |
| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. |
| config-api.resources.limits.memory | string | `"400Mi"` | Memory limit. |
| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. |
| config-api.resources.requests.memory | string | `"400Mi"` | Memory request. |
| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. |
| config.city | string | `"Austin"` | City. Used for certificate creation. |
| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . |
| config.configmap.cnCasaEnabled | bool | `false` | Enable Casa flag . |
| config.configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . |
| config.configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. |
| config.configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy |
| config.configmap.cnConfigGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| config.configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer |
| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. |
| config.configmap.cnCouchbaseCertFile | string | `"/etc/certs/couchbase.crt"` | Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. |
| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. |
| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. |
| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . |
| config.configmap.cnCouchbasePasswordFile | string | `"/etc/gluu/conf/couchbase_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password |
| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. |
| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol |
| config.configmap.cnCouchbaseSuperUserPasswordFile | string | `"/etc/gluu/conf/couchbase_superuser_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. |
| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster |
| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. |
| config.configmap.cnDocumentStoreType | string | `"JCA"` | Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. |
| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| config.configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. |
| config.configmap.cnJackrabbitAdminId | string | `"admin"` | Jackrabbit admin uid. |
| config.configmap.cnJackrabbitAdminIdFile | string | `"/etc/gluu/conf/jackrabbit_admin_id"` | The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id. |
| config.configmap.cnJackrabbitAdminPasswordFile | string | `"/etc/gluu/conf/jackrabbit_admin_password"` | The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password. |
| config.configmap.cnJackrabbitPostgresDatabaseName | string | `"jackrabbit"` | Jackrabbit postgres database name. |
| config.configmap.cnJackrabbitPostgresHost | string | `"postgresql.postgres.svc.cluster.local"` | Postgres url |
| config.configmap.cnJackrabbitPostgresPasswordFile | string | `"/etc/gluu/conf/postgres_password"` | The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password. |
| config.configmap.cnJackrabbitPostgresPort | int | `5432` | Jackrabbit Postgres port |
| config.configmap.cnJackrabbitPostgresUser | string | `"jackrabbit"` | Jackrabbit Postgres uid |
| config.configmap.cnJackrabbitSyncInterval | int | `300` | Interval between files sync (default to 300 seconds). |
| config.configmap.cnJackrabbitUrl | string | `"http://jackrabbit:8080"` | Jackrabbit internal url. Normally left as default. |
| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server |
| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage |
| config.configmap.cnPassportEnabled | bool | `false` | Boolean flag to enable/disable passport chart |
| config.configmap.cnPersistenceLdapMapping | string | `"default"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. |
| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number <url>:<port>. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| config.configmap.cnSamlEnabled | bool | `false` | Enable SAML-related features; UI menu, etc. |
| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA |
| config.configmap.cnSecretGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. |
| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` |
| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. |
| config.configmap.cnSqlDbName | string | `"jans"` | SQL database name. |
| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. |
| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. |
| config.configmap.cnSqlDbUser | string | `"jans"` | SQL database username. |
| config.configmap.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | SQL password file holding password from config.configmap.cnSqldbUserPassword . |
| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected as config.configmap.cnSqlPasswordFile . |
| config.configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. |
| config.countryCode | string | `"US"` | Country code. Used for certificate creation. |
| config.dnsConfig | object | `{}` | Add custom dns config |
| config.dnsPolicy | string | `""` | Add custom dns policy |
| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. |
| config.image.pullSecrets | list | `[]` | Image Pull Secrets |
| config.image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. |
| config.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. |
| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section |
| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE |
| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. |
| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files |
| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. |
| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. |
| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| config.resources.limits.cpu | string | `"300m"` | CPU limit. |
| config.resources.limits.memory | string | `"300Mi"` | Memory limit. |
| config.resources.requests.cpu | string | `"300m"` | CPU request. |
| config.resources.requests.memory | string | `"300Mi"` | Memory request. |
| config.state | string | `"TX"` | State code. Used for certificate creation. |
| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. |
| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 |
| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 |
| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| cr-rotate | object | `{"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/cr-rotate","tag":"5.0.0_dev"},"resources":{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}},"service":{"crRotateServiceName":"cr-rotate"},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | CacheRefreshRotation is a special container to monitor cache refresh on oxTrust containers. This may be depreciated. |
| cr-rotate.dnsConfig | object | `{}` | Add custom dns config |
| cr-rotate.dnsPolicy | string | `""` | Add custom dns policy |
| cr-rotate.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| cr-rotate.image.pullSecrets | list | `[]` | Image Pull Secrets |
| cr-rotate.image.repository | string | `"gluufederation/cr-rotate"` | Image to use for deploying. |
| cr-rotate.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| cr-rotate.resources | object | `{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | Resource specs. |
| cr-rotate.resources.limits.cpu | string | `"200m"` | CPU limit. |
| cr-rotate.resources.limits.memory | string | `"200Mi"` | Memory limit. |
| cr-rotate.resources.requests.cpu | string | `"200m"` | CPU request. |
| cr-rotate.resources.requests.memory | string | `"200Mi"` | Memory request. |
| cr-rotate.service.crRotateServiceName | string | `"cr-rotate"` | Name of the cr-rotate service. Please keep it as default. |
| cr-rotate.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| cr-rotate.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| cr-rotate.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| cr-rotate.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| cr-rotate.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| fido2 | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/fido2","tag":"1.0.0_b12"},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. |
| fido2.dnsConfig | object | `{}` | Add custom dns config |
| fido2.dnsPolicy | string | `""` | Add custom dns policy |
| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| fido2.hpa.behavior | object | `{}` | Scaling Policies |
| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets |
| fido2.image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. |
| fido2.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. |
| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint |
| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. |
| fido2.replicas | int | `1` | Service replica number. |
| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. |
| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. |
| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. |
| fido2.resources.requests.cpu | string | `"500m"` | CPU request. |
| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. |
| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authServerServiceName":"auth-server","enabled":true},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"casaServiceName":"casa"},"client-api":{"appLoggers":{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"},"clientApiServerServiceName":"client-api","enabled":false},"cloud":{"testEnviroment":false},"cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnJackrabbitCluster":true,"cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"ldap","config":{"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT"},"configApiServerServiceName":"config-api","enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","cr-rotate":{"enabled":false},"distribution":"default","fido2":{"appLoggers":{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"},"enabled":false,"fido2ServiceName":"fido2"},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"enabled":false,"ingress":false,"namespace":"istio-system"},"jackrabbit":{"enabled":false,"jackRabbitServiceName":"jackrabbit"},"lbIp":"",
"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. |
| global.alb.ingress | bool | `false` | Activates ALB ingress |
| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. |
| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level |
| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target |
| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level |
| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target |
| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level |
| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target |
| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level |
| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target |
| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level |
| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target |
| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level |
| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target |
| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level |
| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target |
| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. |
| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. |
| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. |
| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. |
| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks |
| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. |
| global.client-api.appLoggers | object | `{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
| global.client-api.appLoggers.clientApiLogLevel | string | `"INFO"` | client-api.log level |
| global.client-api.appLoggers.clientApiLogTarget | string | `"STDOUT"` | client-api.log target |
| global.client-api.clientApiServerServiceName | string | `"client-api"` | Name of the client-api service. Please keep it as default. |
| global.client-api.enabled | bool | `false` | Boolean flag to enable/disable the client-api chart. |
| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. |
| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. |
| global.cnJackrabbitCluster | bool | `true` | Boolean flag if enabled will enable jackrabbit in cluster mode with Postgres. |
| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G |
| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. |
| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. |
| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. |
| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. |
| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G |
| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. |
| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. |
| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. |
| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key pas`sphrase to unlock AS transport key. This must be encoded using base64. |
| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. |
| global.cnPersistenceType | string | `"ldap"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. |
| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level |
| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target |
| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. |
| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. |
| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false |
| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. google|kubernetes |
| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. google|kubernetes |
| global.cr-rotate.enabled | bool | `false` | Boolean flag to enable/disable the cr-rotate chart. |
| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. |
| global.fido2.appLoggers | object | `{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level |
| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target |
| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level |
| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target |
| global.fido2.enabled | bool | `false` | Boolean flag to enable/disable the fido2 chart. |
| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. |
| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. |
| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks |
| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. |
| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side cars with Gluu services. |
| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. |
| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. |
| global.jackrabbit.enabled | bool | `false` | Boolean flag to enable/disable the jackrabbit chart. For more information on how it is used inside Gluu https://gluu.org/docs/gluu-server/4.2/installation-guide/install-kubernetes/#working-with-jackrabbit. If disabled oxShibboleth cannot be run. |
| global.jackrabbit.jackRabbitServiceName | string | `"jackrabbit"` | Name of the Jackrabbit service. Please keep it as default. |
| global.lbIp | string | `""` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. |
| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. |
| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. |
| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. |
| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. |
| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. |
| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. |
| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. |
| global.scim.appLoggers | object | `{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level |
| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target |
| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level |
| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target |
| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level |
| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target |
| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level |
| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target |
| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level |
| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target |
| global.scim.enabled | bool | `false` | Boolean flag to enable/disable the SCIM chart. |
| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. |
| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for Jackrabbit and OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. |
| global.storageClass.parameters | object | `{}` | parameters: |
| global.upgrade.enabled | bool | `false` | Boolean flag used when running helm upgrade command. This allows upgrading the chart without immutable objects errors. |
| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services |
| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 |
| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 |
| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"jackrabbit":{"clusterMode":""},"ldap":{"backup":{"fullSchedule":""},"multiClusterIds":[],"subsequentCluster":""},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"upgrade":{"image":{"repository":"","tag":""},"targetVersion":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart |
| jackrabbit | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/jackrabbit","tag":"5.0.0_dev"},"livenessProbe":{"initialDelaySeconds":25,"periodSeconds":25,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":30,"periodSeconds":30,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"1000Mi"},"requests":{"cpu":"1500m","memory":"1000Mi"}},"secrets":{"cnJackrabbitAdminPassword":"Test1234#","cnJackrabbitPostgresPassword":"P@ssw0rd"},"storage":{"size":"5Gi"},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications https://jackrabbit.apache.org/jcr/index.html |
| jackrabbit.dnsConfig | object | `{}` | Add custom dns config |
| jackrabbit.dnsPolicy | string | `""` | Add custom dns policy |
| jackrabbit.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| jackrabbit.hpa.behavior | object | `{}` | Scaling Policies |
| jackrabbit.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| jackrabbit.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| jackrabbit.image.pullSecrets | list | `[]` | Image Pull Secrets |
| jackrabbit.image.repository | string | `"gluufederation/jackrabbit"` | Image to use for deploying. |
| jackrabbit.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| jackrabbit.livenessProbe | object | `{"initialDelaySeconds":25,"periodSeconds":25,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5}` | Configure the liveness healthcheck for the Jackrabbit if needed. |
| jackrabbit.livenessProbe.tcpSocket | object | `{"port":"http-jackrabbit"}` | Executes tcp healthcheck. |
| jackrabbit.readinessProbe | object | `{"initialDelaySeconds":30,"periodSeconds":30,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5}` | Configure the readiness healthcheck for the Jackrabbit if needed. |
| jackrabbit.readinessProbe.tcpSocket | object | `{"port":"http-jackrabbit"}` | Executes tcp healthcheck. |
| jackrabbit.replicas | int | `1` | Service replica number. |
| jackrabbit.resources | object | `{"limits":{"cpu":"1500m","memory":"1000Mi"},"requests":{"cpu":"1500m","memory":"1000Mi"}}` | Resource specs. |
| jackrabbit.resources.limits.cpu | string | `"1500m"` | CPU limit. |
| jackrabbit.resources.limits.memory | string | `"1000Mi"` | Memory limit. |
| jackrabbit.resources.requests.cpu | string | `"1500m"` | CPU request. |
| jackrabbit.resources.requests.memory | string | `"1000Mi"` | Memory request. |
| jackrabbit.secrets.cnJackrabbitAdminPassword | string | `"Test1234#"` | Jackrabbit admin uid password |
| jackrabbit.secrets.cnJackrabbitPostgresPassword | string | `"P@ssw0rd"` | Jackrabbit Postgres uid password |
| jackrabbit.storage.size | string | `"5Gi"` | Jackrabbit volume size |
| jackrabbit.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| jackrabbit.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| jackrabbit.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| jackrabbit.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| jackrabbit.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| nginx-ingress | object | `{"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiEnabled":true,"adminUiLabels":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRedisterLabels":{},"authServerProtectedRegister":false,"authServerProtectedToken":false,"authServerProtectedTokenLabels":{},"configApiEnabled":true,"configApiLabels":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"hosts":["demoexample.gluu.org"],"openidConfigEnabled":true,"openidConfigLabels":{},"path":"/","scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerEnabled":true,"webfingerLabels":{}}}` | Nginx ingress definitions chart |
| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" |
| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} |
| nginx-ingress.ingress.adminUiEnabled | bool | `true` | Enable Admin UI endpoints. COMING SOON. |
| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. |
| nginx-ingress.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth |
| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken |
| nginx-ingress.ingress.authServerProtectedRedisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken |
| nginx-ingress.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register |
| nginx-ingress.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token |
| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken |
| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken |
| nginx-ingress.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration |
| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken |
| nginx-ingress.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration |
| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken |
| nginx-ingress.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration |
| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken |
| nginx-ingress.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim |
| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken |
| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. |
| nginx-ingress.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration |
| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken |
| nginx-ingress.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration |
| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken |
| nginx-ingress.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery |
| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken |
| nginx-ingress.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger |
| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken |
| opendj | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"multiCluster":{"clusterId":"","enabled":false,"namespaceIntId":0,"replicaCount":1,"serfAdvertiseAddrSuffix":"regional.gluu.org:30946","serfKey":"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=","serfPeers":["gluu-opendj-regional-0-regional.gluu.org:30946","gluu-opendj-regional-0-regional.gluu.org:31946"]},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. |
| opendj.dnsConfig | object | `{}` | Add custom dns config |
| opendj.dnsPolicy | string | `""` | Add custom dns policy |
| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| opendj.hpa.behavior | object | `{}` | Scaling Policies |
| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets |
| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. |
| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py |
| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. |
| opendj.multiCluster.clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. |
| opendj.multiCluster.enabled | bool | `false` | Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` |
| opendj.multiCluster.namespaceIntId | int | `0` | Namespace int id. This id needs to be a unique number 0-9 per gluu installation per namespace. Used when gluu is installed in the same kubernetes cluster more than once. |
| opendj.multiCluster.replicaCount | int | `1` | The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org |
| opendj.multiCluster.serfAdvertiseAddrSuffix | string | `"regional.gluu.org:30946"` | OpenDJ Serf advertise address suffix that will be added to each opendj replica. i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} |
| opendj.multiCluster.serfKey | string | `"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk="` | Serf key. This key will automatically sync across clusters. |
| opendj.multiCluster.serfPeers | list | `["gluu-opendj-regional-0-regional.gluu.org:30946","gluu-opendj-regional-0-regional.gluu.org:31946"]` | Serf peer addresses. One per cluster. |
| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size |
| opendj.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py |
| opendj.replicas | int | `1` | Service replica number. |
| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. |
| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. |
| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. |
| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. |
| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. |
| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| oxpassport | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0_dev"},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. |
| oxpassport.dnsConfig | object | `{}` | Add custom dns config |
| oxpassport.dnsPolicy | string | `""` | Add custom dns policy |
| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| oxpassport.hpa.behavior | object | `{}` | Scaling Policies |
| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets |
| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. |
| oxpassport.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. |
| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint |
| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. |
| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint |
| oxpassport.replicas | int | `1` | Service replica number |
| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. |
| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. |
| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. |
| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. |
| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. |
| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| oxshibboleth | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0_dev"},"livenessProbe":{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. |
| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config |
| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy |
| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies |
| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets |
| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. |
| oxshibboleth.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| oxshibboleth.livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. |
| oxshibboleth.livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint |
| oxshibboleth.readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. |
| oxshibboleth.readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint |
| oxshibboleth.replicas | int | `1` | Service replica number. |
| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. |
| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. |
| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. |
| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. |
| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. |
| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| persistence | object | `{"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/persistence-loader","tag":"1.0.0_b12"},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and intial config for Gluu Server persistence layer. |
| persistence.dnsConfig | object | `{}` | Add custom dns config |
| persistence.dnsPolicy | string | `""` | Add custom dns policy |
| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets |
| persistence.image.repository | string | `"janssenproject/persistence-loader"` | Image to use for deploying. |
| persistence.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| persistence.resources.limits.cpu | string | `"300m"` | CPU limit |
| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. |
| persistence.resources.requests.cpu | string | `"300m"` | CPU request. |
| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. |
| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| scim | object | `{"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/scim","tag":"1.0.0_b12"},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 |
| scim.dnsConfig | object | `{}` | Add custom dns config |
| scim.dnsPolicy | string | `""` | Add custom dns policy |
| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| scim.hpa.behavior | object | `{}` | Scaling Policies |
| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| scim.image.pullSecrets | list | `[]` | Image Pull Secrets |
| scim.image.repository | string | `"janssenproject/scim"` | Image to use for deploying. |
| scim.image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. |
| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint |
| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. |
| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint |
| scim.replicas | int | `1` | Service replica number. |
| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. |
| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. |
| scim.resources.requests.cpu | string | `"1000m"` | CPU request. |
| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. |
| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,35 @@
## Introduction
The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions.
Common use cases include:
- Single sign-on (SSO)
- Mobile authentication
- API access management
- Two-factor authentication (2FA)
- Customer identity and access management (CIAM)
- Identity federation
### Free Open Source Software
The Gluu Server is a FOSS platform for IAM.
### Open Web Standards
The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management:
- OAuth 2.0
- OpenID Connect
- User Managed Access 2.0 (UMA)
- SAML 2.0
- System for Cross-domain Identity Management (SCIM)
- FIDO Universal 2nd Factor (U2F)
- FIDO 2.0 / WebAuthn
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-In User Service (RADIUS)
### Important notes for installation:
- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image.
### Quick install on Rancher UI with Docker single node
- Install the nginx-ingress-controller chart.
- Install the OpenEBS chart.
- Install Gluu chart and specify your persistence as ldap.


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,18 @@
apiVersion: v2
appVersion: 5.0.0
description: Responsible for regenerating auth-keys per x hours
home: https://gluu.org/docs/gluu-server
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- Auth keys Rotation
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: auth-server-key-rotation
sources:
- https://github.com/JanssenProject/docker-jans-certmanager
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation
type: application
version: 5.0.0


@ -0,0 +1,45 @@
# auth-server-key-rotation
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Responsible for regenerating auth-keys per x hours
**Homepage:** <https://gluu.org/docs/gluu-server>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://github.com/JanssenProject/docker-jans-certmanager>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| keysLife | int | `48` | Auth server key rotation keys life in hours |
| nodeSelector | object | `{}` | |
| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| tolerations | list | `[]` | |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "auth-server-key-rotation.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "auth-server-key-rotation.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "auth-server-key-rotation.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "auth-server-key-rotation.labels" -}}
app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "auth-server-key-rotation.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "auth-server-key-rotation.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
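Review bot: The `usr-envs` helper renders `value: {{ $val }}` unquoted, so a user-supplied value such as `true`, `0644` or `1.10` comes out of YAML as a bool, int or float instead of a string, and the container `env` entry then fails API-server validation, which requires `value` to be a string. Quoting it, `value: {{ $val | quote }}`, keeps the rendered manifest type-stable regardless of what the user put in `usrEnvs.normal`. The `name: {{ $key }}` side is fine, since env names are plain identifiers, and the `usr-secret-envs` helper is unaffected because it goes through a `secretKeyRef`.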


@ -0,0 +1,114 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
kind: CronJob
apiVersion: batch/v1beta1
metadata:
name: {{ include "auth-server-key-rotation.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: auth-server-key-rotation
release: {{ .Release.Name }}
{{ include "auth-server-key-rotation.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
schedule: "0 */{{ .Values.keysLife }} * * *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 12 }}
{{- end }}
containers:
- name: {{ include "auth-server-key-rotation.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
env:
{{- include "auth-server-key-rotation.usr-envs" . | indent 16 }}
{{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 16 }}
{{- end }}
args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"]
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
restartPolicy: Never
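Review bot: `schedule: "0 */{{ .Values.keysLife }} * * *"` applies the step to the cron hour field, which only spans 0–23, so the documented default of 48 (README `keysLife | int | 48`) does not yield a 48-hourly trigger: `*/48` fires once a day at 00:00, and every keysLife above 23 collapses to that same daily schedule. If the certmanager image's `interval:` argument re-checks key age itself this is only an earlier-than-expected wake-up; if it rotates unconditionally on each run, keys with a documented 48h life are rotated every 24h — which of the two applies is not visible from this chart. A comment on the line, `# cron steps are bounded by the hour field; keysLife > 23 runs once daily at 00:00`, or a schedule derived from the value (daily when keysLife >= 24) would make the behaviour explicit. Separately, `apiVersion: batch/v1beta1` is the CronJob API that was removed in Kubernetes 1.25; with `kubeVersion: '>=v1.19.0-0'` it is the only choice for 1.19/1.20, so the floor and this apiVersion should be revisited together.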


@ -0,0 +1,25 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ include "auth-server-key-rotation.fullname" . }}
labels:
{{ include "auth-server-key-rotation.fullname" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
type: ClusterIP
{{- end }}
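Review bot: The `labels:` block of this Service is filled from `include "auth-server-key-rotation.fullname"`, which renders a bare string such as `gluu-auth-server-key-rotation` rather than key/value pairs, so the manifest is invalid YAML whenever `global.istio.enabled` is true and the whole release fails to render. The sibling Secret template in this chart uses the labels helper, so this line should be `{{ include "auth-server-key-rotation.labels" . | indent 4 }}`. The metadata also omits `namespace: {{ .Release.Namespace }}`, which the other Gluu templates set explicitly; adding it keeps the Service next to the pods its selector targets.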


@ -0,0 +1,22 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
{{ include "auth-server-key-rotation.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
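Review bot: `{{ $key }}: {{ $val | b64enc }}` assumes every value under `usrEnvs.secret` is a string; a value such as `123` or `true` is parsed by YAML as a number or boolean and `b64enc` then fails at render time. Coerce first, `{{ $key }}: {{ $val | toString | b64enc }}`, which also matches what the secret-env helper expects to read back. Worth a caveat in the values comment: anything placed under `usrEnvs.secret` is stored in the Helm release record as well as in this Secret, so operators should prefer a pre-created Secret or an external secrets operator for real credentials.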


@ -0,0 +1,49 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- Responsible for regenerating auth-keys per x hours
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: janssenproject/certmanager
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Auth server key rotation keys life in hours
keysLife: 48
# -- Resource specs.
resources:
limits:
cpu: 300m
memory: 300Mi
requests:
cpu: 300m
memory: 300Mi
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
nodeSelector: {}
tolerations: []
affinity: {}
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
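Review bot: The image is selected by a mutable build tag (`tag: 1.0.0_b12`) with `pullPolicy: IfNotPresent`, so a node that already has a cached layer set for that tag will keep running it after the tag is republished; since the chart advertises security updates, document that operators should pin a digest (`repository@sha256:…`) or use `Always` for this job. The first comment, `# -- Responsible for regenerating auth-keys per x hours`, is a chart-level description sitting directly above `usrEnvs` where helm-docs will attach it to the wrong key; move it to `description` in Chart.yaml. The `keysLife` comment says hours, but the value is passed through as `interval:{{ .Values.keysLife }}` to the certmanager image, so the unit is defined there — confirm and state it in the comment.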


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,22 @@
apiVersion: v2
appVersion: 5.0.0
description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization
Server--this is the main Internet facing component of Gluu. It's the service that
returns tokens, JWT's and identity assertions. This service must be Internet facing.
home: https://gluu.org/docs/gluu-server
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- Autherization
- OpenID
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: auth-server
sources:
- https://github.com/JanssenProject/jans-auth-server
- https://github.com/JanssenProject/docker-jans-auth-server
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/auth-server
type: application
version: 5.0.0
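Review bot: The first keyword is misspelled as `Autherization`, so Artifact Hub keyword searches for "Authorization" will not match this chart; change it to `- Authorization`. The description sentence "This service must be Internet facing." is repeated twice in the same paragraph and can be dropped once.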


@ -0,0 +1,59 @@
# auth-server
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
**Homepage:** <https://gluu.org/docs/gluu-server>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://github.com/JanssenProject/jans-auth-server>
* <https://github.com/JanssenProject/docker-jans-auth-server>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/auth-server>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.enabled | bool | `true` | |
| hpa.maxReplicas | int | `10` | |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| hpa.minReplicas | int | `1` | |
| hpa.targetCPUUtilizationPercentage | int | `50` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py |
| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"2500m"` | CPU limit. |
| resources.limits.memory | string | `"2500Mi"` | Memory limit. |
| resources.requests.cpu | string | `"2500m"` | CPU request. |
| resources.requests.memory | string | `"2500Mi"` | Memory request. |
| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. |
| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "auth-server.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "auth-server.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "auth-server.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "auth-server.labels" -}}
app: {{ .Release.Name }}-{{ include "auth-server.name" . }}
helm.sh/chart: {{ include "auth-server.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "auth-server.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "auth-server.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
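Review bot: In `auth-server.usr-envs` the line `value: {{ $val }}` emits the value unquoted, so a values entry like `FOO: true` or `PORT: 8080` renders as a YAML boolean/number and the API server rejects the Deployment because `env[].value` must be a string. Use `value: {{ $val | quote }}` so every custom env is rendered as a string regardless of how the operator typed it. The secret variant is not affected because it references a key, but its `name: {{ $key }}` would benefit from the same quoting for consistency.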


@ -0,0 +1,24 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-auth-server-mtls
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}


@ -0,0 +1,94 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ .Release.Name }}-istio-auth-server
namespace: {{.Release.Namespace}}
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
hosts:
- {{ .Values.global.fqdn }}
gateways:
- {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service.
http:
- name: "{{ .Release.Name }}-istio-openid-config"
match:
- uri:
prefix: "/.well-known/openid-configuration"
rewrite:
uri: "/auth-server/.well-known/openid-configuration"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
weight: 100
- name: "{{ .Release.Name }}-istio-uma2-config"
match:
- uri:
prefix: "/.well-known/uma2-configuration"
rewrite:
uri: "/auth-server/restv1/uma2-configuration"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
weight: 100
- name: "{{ .Release.Name }}-istio-webdiscovery"
match:
- uri:
prefix: "/.well-known/simple-web-discovery"
rewrite:
uri: "/auth-server/.well-known/simple-web-discovery"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
weight: 100
- name: "{{ .Release.Name }}-istio-cn"
match:
- uri:
prefix: "/auth-server"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
- name: "{{ .Release.Name }}-istio-webfinger"
match:
- uri:
prefix: "/.well-known/webfinger"
rewrite:
uri: "/auth-server/.well-known/webfinger"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
weight: 100
- name: "{{ .Release.Name }}-istio-u2f-config"
match:
- uri:
prefix: "/.well-known/fido-configuration"
rewrite:
uri: "/auth-server/restv1/fido-configuration"
route:
- destination:
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 8080
weight: 100
{{- end }}
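Review bot: The `-istio-cn` route publishes everything under the `/auth-server` prefix through the public gateway, while the discovery routes above it are also `prefix` matches although they each name one fixed document; `exact` matches for the `/.well-known/...` entries make the exposed surface explicit and keep the broad `/auth-server` route as the only catch-all. Whether that context path contains operator-only endpoints cannot be told from this chart; if it does, add match rules that exclude them here rather than relying on the application. Stylistically the `-istio-cn` route is the only one without `weight: 100`; either add it or drop the redundant weight from the single-destination routes.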


@ -0,0 +1,247 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "auth-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "auth-server.name" . }}
template:
metadata:
labels:
APP_NAME: auth-server
app: {{ .Release.Name }}-{{ include "auth-server.name" . }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: {{ include "auth-server.name" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
env:
{{- include "auth-server.usr-envs" . | indent 12 }}
{{- include "auth-server.usr-secret-envs" . | indent 12 }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
command:
- /bin/sh
- -c
- |
/usr/bin/python3 /scripts/updatelbip.py &
/app/scripts/entrypoint.sh
{{- end}}
ports:
- name: {{ .Values.service.name }}
containerPort: {{ .Values.service.port }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }}
- name: cn-ob-ext-signing-jwks-key-passphrase
mountPath: /etc/certs/ob-ext-signing.pin
subPath: ob-ext-signing.pin
{{- end }}
{{ if .Values.global.cnObExtSigningJwksKey }}
- name: cn-ob-ext-signing-jwks-key
mountPath: /etc/certs/ob-ext-signing.key
subPath: ob-ext-signing.key
{{- end }}
{{ if .Values.global.cnObExtSigningJwksCrt }}
- name: cn-ob-ext-signing-jwks-crt
mountPath: /etc/certs/ob-ext-signing.crt
subPath: ob-ext-signing.crt
{{- end }}
{{ if .Values.global.cnObTransportKeyPassPhrase }}
- name: cn-ob-transport-key-passphrase
mountPath: /etc/certs/ob-transport.pin
subPath: ob-transport.pin
{{- end }}
{{ if .Values.global.cnObTransportKey }}
- name: cn-ob-transport-key
mountPath: /etc/certs/ob-transport.key
subPath: ob-transport.key
{{- end }}
{{ if .Values.global.cnObTransportCrt }}
- name: cn-ob-transport-crt
mountPath: /etc/certs/ob-transport.crt
subPath: ob-transport.crt
{{- end }}
{{ if .Values.global.cnObTransportTrustStore }}
- name: cn-ob-transport-truststore
mountPath: /etc/certs/ob-transport-truststore.p12
subPath: ob-transport-truststore.p12
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
mountPath: /etc/gluu/conf/jackrabbit_admin_password
subPath: jackrabbit_admin_password
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "auth-server.fullname" .}}-updatelbip
mountPath: "/scripts"
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 10 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 10 }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if .Values.global.cnObExtSigningJwksCrt }}
- name: cn-ob-ext-signing-jwks-crt
secret:
secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin
items:
- key: ob-ext-signing.crt
path: ob-ext-signing.crt
{{- end }}
{{ if .Values.global.cnObExtSigningJwksKey }}
- name: cn-ob-ext-signing-jwks-key
secret:
secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin
items:
- key: ob-ext-signing.key
path: ob-ext-signing.key
{{- end }}
{{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }}
- name: cn-ob-ext-signing-jwks-key-passphrase
secret:
secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin
items:
- key: ob-ext-signing.pin
path: ob-ext-signing.pin
{{- end }}
{{ if .Values.global.cnObTransportCrt }}
- name: cn-ob-transport-crt
secret:
secretName: {{ .Release.Name }}-ob-transport-crt-key-pin
items:
- key: ob-transport.crt
path: ob-transport.crt
{{- end }}
{{ if .Values.global.cnObTransportKey }}
- name: cn-ob-transport-key
secret:
secretName: {{ .Release.Name }}-ob-transport-crt-key-pin
items:
- key: ob-transport.key
path: ob-transport.key
{{- end }}
{{ if .Values.global.cnObTransportKeyPassPhrase }}
- name: cn-ob-transport-key-passphrase
secret:
secretName: {{ .Release.Name }}-ob-transport-crt-key-pin
items:
- key: ob-transport.pin
path: ob-transport.pin
{{- end }}
{{ if .Values.global.cnObTransportTrustStore }}
- name: cn-ob-transport-truststore
secret:
secretName: {{ .Release.Name }}-ob-transport-truststore
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
secret:
secretName: cn-jackrabbit-admin-pass
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "auth-server.fullname" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
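Review bot: The container `securityContext` stops at `runAsUser: 1000` / `runAsNonRoot: true`; for the Internet-facing token issuer it should also set `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, and add `automountServiceAccountToken: false` on the pod unless the auth-server needs the Kubernetes API (nothing in this template suggests it does). Every key and certificate under `/etc/certs` is mounted with `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so rotated OB signing/transport keys only take effect after a rollout — worth a comment at the volumeMounts block. `secretName: cn-jackrabbit-admin-pass` is the one Secret reference without the `{{ .Release.Name }}-` prefix that all the others use; confirm that is the name the jackrabbit chart creates, otherwise two releases in a namespace would collide or the mount would fail.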


@ -0,0 +1,39 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "auth-server.fullname" . }}
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "auth-server.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
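Review bot: The HPA is declared as `autoscaling/v1`, whose spec carries only `targetCPUUtilizationPercentage`; the `metrics` and `behavior` branches render fields that do not exist in that version, so on most clusters they are silently dropped and `hpa.metrics` / `hpa.behavior` never take effect. Since the chart requires Kubernetes 1.19+, switch to `autoscaling/v2beta2` and express the CPU target as a Resource metric so both configuration paths work; `behavior` is then accepted as written.
```yaml
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  metrics:
    {{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
# … unchanged: behavior block …
```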


@ -0,0 +1,27 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ index .Values "global" "auth-server" "authServerServiceName" }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.global.alb.ingress }}
type: NodePort
{{- end }}
ports:
- port: {{ .Values.service.port }}
name: {{ .Values.service.name }}
selector:
app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server
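Review bot: When `global.alb.ingress` is set the Service becomes `type: NodePort`, which opens the auth-server port on every node's address in addition to the ALB path; this is only required for ALB instance-mode targets. If the ingress uses `alb.ingress.kubernetes.io/target-type: ip` (not visible in this chart), the Service can stay ClusterIP and the node-level exposure disappears — add a comment stating which mode the NodePort is there for. The port entry also lacks `targetPort`, which works only because the container port equals `service.port`; stating `targetPort: {{ .Values.service.port }}` makes that coupling explicit.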


@ -0,0 +1,23 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: auth-server
{{ include "auth-server.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
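Review bot: As in the key-rotation chart, `{{ $val | b64enc }}` breaks the render when a value under `usrEnvs.secret` is a YAML number or boolean, because `b64enc` only accepts strings; write `{{ $key }}: {{ $val | toString | b64enc }}`. This Secret is also the only per-chart resource here without `namespace: {{ .Release.Namespace }}`; the Deployment that reads it via `secretKeyRef` sets the namespace explicitly, so keep them in step.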


@ -0,0 +1,82 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: janssenproject/auth-server
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 2500m
# -- Memory limit.
memory: 2500Mi
requests:
# -- CPU request.
cpu: 2500m
# -- Memory request.
memory: 2500Mi
service:
# -- The name of the oxauth port within the oxauth service. Please keep it as default.
name: http-auth
# -- Port of the oxauth service. Please keep it as default.
port: 8080
# -- Configure the liveness healthcheck for the auth server if needed.
livenessProbe:
# -- Executes the python3 healthcheck.
# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
exec:
command:
- python3
- /app/scripts/healthcheck.py
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
# -- Configure the readiness healthcheck for the auth server if needed.
# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
readinessProbe:
exec:
command:
- python3
- /app/scripts/healthcheck.py
initialDelaySeconds: 25
periodSeconds: 25
timeoutSeconds: 5
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
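Review bot: The probe comments point at `docker-oxauth/blob/4.3/scripts/healthcheck.py`, the Gluu 4.x image, while this chart deploys `janssenproject/auth-server:1.0.0_b12`; the `service.name` / `service.port` comments likewise still say "oxauth". Update the links to the script that ships in the Janssen image (I cannot confirm its path from here) and replace "oxauth" with "auth-server" so operators are not debugging against the wrong source. Separately, a mutable build tag with `pullPolicy: IfNotPresent` means security rebuilds of `1.0.0_b12` are not picked up on nodes that cached it; document digest pinning as the recommended override.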


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,22 @@
apiVersion: v2
appVersion: 5.0.0
description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage
authentication and authorization preferences for their account in a Gluu Server.
home: https://gluu.org/docs/casa/
icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico
keywords:
- casa
- 2FA
- passwordless
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: casa
sources:
- https://gluu.org/docs/casa/
- https://github.com/GluuFederation/docker-casa
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/casa
type: application
version: 5.0.0


@ -0,0 +1,64 @@
# casa
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.
**Homepage:** <https://gluu.org/docs/casa/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/casa/>
* <https://github.com/GluuFederation/docker-casa>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/casa>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| fullnameOverride | string | `""` | |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.enabled | bool | `true` | |
| hpa.maxReplicas | int | `10` | |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| hpa.minReplicas | int | `1` | |
| hpa.targetCPUUtilizationPercentage | int | `50` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. |
| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. |
| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint |
| nameOverride | string | `""` | |
| podSecurityContext | object | `{}` | |
| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. |
| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"500m"` | CPU limit. |
| resources.limits.memory | string | `"500Mi"` | Memory limit. |
| resources.requests.cpu | string | `"500m"` | CPU request. |
| resources.requests.memory | string | `"500Mi"` | Memory request. |
| securityContext | object | `{}` | |
| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. |
| service.port | int | `8080` | Port of the casa service. Please keep it as default. |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,79 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "casa.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "casa.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "casa.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "casa.labels" -}}
app: {{ .Release.Name }}-{{ include "casa.name" . }}
helm.sh/chart: {{ include "casa.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "casa.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "casa.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "casa.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "casa.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
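Review bot: In the `casa.usr-envs` helper the env value is emitted unquoted (`value: {{ $val }}`), so a user value such as `true`, `123` or `NO` renders as a YAML boolean/number and the API server rejects it, because a container env `value` must be a string; the same applies to `name: {{ $key }}`. Change to `value: {{ $val | quote }}` and `name: {{ $key | quote }}`. Separately, `casa.serviceAccountName` dereferences `.Values.serviceAccount.create`, but this chart's values.yaml declares no `serviceAccount` key, so including that helper would fail with a nil-pointer evaluation; it appears unused in the templates shown, so either drop it or add a `serviceAccount: {create: false, name: ""}` default.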


@ -0,0 +1,24 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-casa-mtls
namespace: {{.Release.Namespace}}
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}


@ -0,0 +1,36 @@
{{- if .Values.global.istio.ingress }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
creationTimestamp: null
name: {{ .Release.Name }}-istio-casa
namespace: {{.Release.Namespace}}
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
gateways:
- {{ .Release.Name }}-global-gtw
hosts:
- {{ .Values.global.fqdn }}
http:
- name: {{ .Release.Name }}-istio-casa
match:
- uri:
exact: /casa
route:
- destination:
host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local
port:
number: 8080
weight: 100
{{- end }}
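Review bot: The VirtualService matches `uri: exact: /casa`, which routes only the literal path `/casa`; `/casa/` and every sub-path (the app clearly serves sub-paths, e.g. the `/casa/health-check` probe path in values.yaml) get no route through the gateway and fall back to whatever the gateway returns for unmatched hosts. If the intent is to expose the Casa UI this presumably wants `prefix: /casa`; if only the landing path is meant to be reachable, a comment saying so would prevent the next maintainer from "fixing" it.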


@ -0,0 +1,163 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "casa.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "casa.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
APP_NAME: casa
app: {{ .Release.Name }}-{{ include "casa.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ include "casa.name" . }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
env:
{{- include "casa.usr-envs" . | indent 12 }}
{{- include "casa.usr-secret-envs" . | indent 12 }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
command:
- /bin/sh
- -c
- |
/usr/bin/python3 /scripts/updatelbip.py &
/app/scripts/entrypoint.sh
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: {{ .Values.service.name }}
containerPort: {{ .Values.service.port}}
protocol: TCP
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
mountPath: /etc/gluu/conf/jackrabbit_admin_password
subPath: jackrabbit_admin_password
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "casa.fullname" .}}-updatelbip
mountPath: "/scripts"
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
secret:
secretName: cn-jackrabbit-admin-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "casa.fullname" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
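Review bot: The container's securityContext is taken entirely from `.Values.securityContext`, which defaults to `{}`, so casa runs with the image's default user and capability set unless the operator opts in; the sibling client-api deployment in this PR instead pins `runAsUser: 1000` and `runAsNonRoot: true` in the template, so the two charts have different baselines for what is arguably the more exposed end-user portal. Assuming the casa image supports an unprivileged user like the client-api image is configured for, I would ship `runAsNonRoot: true`, `runAsUser: 1000` and `allowPrivilegeEscalation: false` as the values.yaml default rather than as commented-out examples. Also note that `hostAliases` is rendered with `ip: {{ .Values.global.lbIp }}` unquoted whenever `isFqdnRegistered` is false; if `lbIp` is empty the field renders as null and the pod spec is invalid, so `{{ .Values.global.lbIp | quote }}` plus a `required` guard would fail earlier with a clearer message.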


@ -0,0 +1,39 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "casa.fullname" . }}
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "casa.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
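Review bot: The HPA is declared as `apiVersion: autoscaling/v1` but the spec also emits `metrics:` and `behavior:` when set; those fields exist only in `autoscaling/v2beta2` (and v2), so under v1 the API server drops them (or rejects the object under strict field validation) and custom metrics and scaling policies silently never take effect. Since the chart already requires Kubernetes >=1.19, use `apiVersion: autoscaling/v2beta2`; `targetCPUUtilizationPercentage` then has to be expressed as a `metrics` entry of type `Resource` with `target.type: Utilization` and `averageUtilization`, rather than as the top-level v1 field.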


@ -0,0 +1,27 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.global.casa.casaServiceName }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.global.alb.ingress }}
type: NodePort
{{- end }}
ports:
- port: {{ .Values.service.port }}
name: {{ .Values.service.name }}
selector:
app: {{ .Release.Name }}-{{ include "casa.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -0,0 +1,23 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: casa
{{ include "casa.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
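Review bot: `{{ $val | b64enc }}` requires a string, so a secret env value written as a number or boolean in values.yaml (for example a port or a flag) aborts rendering with a type error; `{{ $key }}: {{ $val | toString | b64enc }}` handles both. The Secret also omits `namespace: {{ .Release.Namespace }}` while every other object in the chart sets it; harmless with Helm, but inconsistent. Worth a comment above `data:` that these values are stored in plaintext in the Helm release record as well as in this Secret, so operators should prefer referencing a pre-existing Secret for anything sensitive.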


@ -0,0 +1,94 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: gluufederation/casa
# -- Image tag to use for deploying.
tag: 5.0.0_dev
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 500m
# -- Memory limit.
memory: 500Mi
requests:
# -- CPU request.
cpu: 500m
# -- Memory request.
memory: 500Mi
service:
# -- Port of the casa service. Please keep it as default.
port: 8080
# -- The name of the casa port within the casa service. Please keep it as default.
name: http-casa
# -- Configure the liveness healthcheck for casa if needed.
livenessProbe:
httpGet:
# -- http liveness probe endpoint
path: /casa/health-check
port: http-casa
initialDelaySeconds: 25
periodSeconds: 25
timeoutSeconds: 5
# -- Configure the readiness healthcheck for the casa if needed.
readinessProbe:
httpGet:
# -- http readiness probe endpoint
path: /casa/health-check
port: http-casa
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
nameOverride: ""
fullnameOverride: ""
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
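Review bot: `image.tag: 5.0.0_dev` is a moving development tag and it is combined with `pullPolicy: IfNotPresent`, so nodes keep whichever build they cached first and two replicas can run different code with no integrity guarantee on what was pulled. For a chart marked `containsSecurityUpdates`, the default should be an immutable tag (or a `@sha256:` digest) once a release build exists; until then `pullPolicy: Always` for `_dev` tags is the safer default. The commented `securityContext` block is the right hardening set; consider making `runAsNonRoot: true` and `allowPrivilegeEscalation: false` the active defaults rather than examples, and add a comment that `hpa.enabled: true` makes `replicas` effectively ignored after the first reconcile.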


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,23 @@
apiVersion: v2
appVersion: 5.0.0
description: Middleware API to help application developers call an OAuth, OpenID or
UMA server. You may wonder why this is necessary. It makes it easier for client
developers to use OpenID signing and encryption features, without becoming crypto
experts. This API provides some high level endpoints to do some of the heavy lifting.
home: https://gluu.org/docs/oxd
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- client
- API
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: client-api
sources:
- https://github.com/JanssenProject/jans-client-api
- https://github.com/JanssenProject/docker-jans-client-api
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/client-api
type: application
version: 5.0.0


@ -0,0 +1,60 @@
# client-api
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.
**Homepage:** <https://gluu.org/docs/oxd>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://github.com/JanssenProject/jans-client-api>
* <https://github.com/JanssenProject/docker-jans-client-api>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/client-api>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.enabled | bool | `true` | |
| hpa.maxReplicas | int | `10` | |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| hpa.minReplicas | int | `1` | |
| hpa.targetCPUUtilizationPercentage | int | `50` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. |
| nodeSelector | object | `{}` | |
| readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"1000m"` | CPU limit. |
| resources.limits.memory | string | `"400Mi"` | Memory limit. |
| resources.requests.cpu | string | `"1000m"` | CPU request. |
| resources.requests.memory | string | `"400Mi"` | Memory request. |
| tolerations | list | `[]` | |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "client-api.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "client-api.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "client-api.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "client-api.labels" -}}
app: {{ .Release.Name }}-{{ include "client-api.name" . }}
helm.sh/chart: {{ include "client-api.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "client-api.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "client-api.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
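Review bot: `client-api.usr-envs` emits `value: {{ $val }}` unquoted, so any value that YAML types as a boolean or number (`true`, `8443`, `NO`) renders as a non-string and the API server rejects the container env entry. Use `value: {{ $val | quote }}` (and `name: {{ $key | quote }}`) so user-supplied values are always strings, matching what the Kubernetes schema requires.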


@ -0,0 +1,24 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-client-api-mtls
namespace: {{.Release.Namespace}}
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ index .Values "global" "client-api" "clientApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}


@ -0,0 +1,151 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "client-api.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "client-api.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
APP_NAME: client-api
app: {{ .Release.Name }}-{{ include "client-api.name" . }}
release: {{ .Release.Name }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: {{ include "client-api.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
env:
{{- include "client-api.usr-envs" . | indent 12 }}
{{- include "client-api.usr-secret-envs" . | indent 12 }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
command:
- /bin/sh
- -c
- |
/usr/bin/python3 /scripts/updatelbip.py &
/app/scripts/entrypoint.sh
{{- end }}
ports:
- containerPort: 8444
- containerPort: 8443
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "client-api.name" . }}-updatelbip
mountPath: /scripts
{{- end }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "client-api.name" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
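Review bot: The container securityContext is hardcoded in the template (`runAsUser: 1000`, `runAsNonRoot: true`) with no `.Values.securityContext` knob, unlike the casa chart in this PR, so operators can neither add `allowPrivilegeEscalation: false` / `capabilities.drop: [ALL]` nor adjust the UID for a rebuilt image. Keep the two hardcoded lines as the baseline and add `allowPrivilegeEscalation: false`, then merge in `.Values.securityContext` via `toYaml` so the two charts share one convention. Note also that the sql password is mounted under `/etc/jans/conf/` while the couchbase password goes under `/etc/gluu/conf/`; that may be deliberate for a janssenproject image, but a comment saying which path the image actually reads would stop the next edit from "normalizing" the wrong one.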


@ -0,0 +1,39 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "client-api.fullname" . }}
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "client-api.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
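Review bot: Same issue as the casa HPA: `apiVersion: autoscaling/v1` does not carry `metrics` or `behavior`, so when `targetCPUUtilizationPercentage` is unset the `metrics` branch renders a field the v1 API drops and the HPA ends up with no target at all. Switch to `apiVersion: autoscaling/v2beta2` (supported by the declared `>=v1.19.0-0`) and express the CPU target as a `Resource` metric with `averageUtilization`.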


@ -0,0 +1,46 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: {{ .Release.Namespace }}
name: client-api-policy
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
policyTypes:
- Ingress
podSelector:
matchLabels:
app: client-api
ingress:
- from:
- podSelector:
matchLabels:
app: casa
ports:
- protocol: TCP
port: 8443
- from:
- podSelector:
matchLabels:
app: auth-server
ports:
- protocol: TCP
port: 8443
- from:
- namespaceSelector:
matchLabels:
app: ingress-kong
- podSelector:
matchLabels:
app: ingress-kong
ports:
- protocol: TCP
port: 8443
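Review bot: The policy's `podSelector` matches `app: client-api`, but the deployment in this PR labels its pods `app: {{ .Release.Name }}-client-api` (with `APP_NAME: client-api`), so the selector matches no pods and the policy is a no-op; ports 8443 and 8444 stay reachable from any pod in the cluster, which is the opposite of what the file implies. The `from` selectors have the same problem: casa pods carry `app: {release}-casa`, not `app: casa`, and presumably auth-server is labelled the same way. Select on the stable label instead: `APP_NAME: client-api` for the target and `APP_NAME: casa` / `APP_NAME: auth-server` for the peers. Also, the `namespaceSelector` and `podSelector` for ingress-kong are separate list items and are therefore OR'd (any pod in a namespace labelled `app: ingress-kong`, or any local pod with that label); if the intent is "kong pods in the kong namespace" they belong in one `from` element, and the unscoped name `client-api-policy` will collide on a second release in the same namespace.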


@ -0,0 +1,26 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
# the name must match the application
name: {{ index .Values "global" "client-api" "clientApiServerServiceName" }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
ports:
- port: 8444
name: tcp-{{ include "client-api.name" . }}-admin-gui
- port: 8443
name: tcp-{{ include "client-api.name" . }}-app-connector
selector:
app: {{ .Release.Name }}-{{ include "client-api.name" . }}


@ -0,0 +1,23 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: client-api
{{ include "client-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
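Review bot: As in the casa chart, `{{ $val | b64enc }}` fails to render when a secret env value in values.yaml is a number or boolean; use `{{ $key }}: {{ $val | toString | b64enc }}`. Adding `namespace: {{ .Release.Namespace }}` under `metadata` would make this object consistent with the rest of the chart, and a one-line comment that these values also land in plaintext in the Helm release Secret is worth having next to `data:`.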


@ -0,0 +1,81 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: janssenproject/client-api
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 1000m
# -- Memory limit.
memory: 400Mi
requests:
# -- CPU request.
cpu: 1000m
# -- Memory request.
memory: 400Mi
# -- Configure the liveness healthcheck for the auth server if needed.
livenessProbe:
# -- Executes the python3 healthcheck.
exec:
command:
- curl
- -k
- https://localhost:8443/health-check
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
# -- Configure the readiness healthcheck for the auth server if needed.
readinessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 60
timeoutSeconds: 5
periodSeconds: 25
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
nodeSelector: {}
tolerations: []
affinity: {}
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
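Review bot: The probe documentation is wrong on both counts: `livenessProbe` is described as executing "the python3 healthcheck" but the command is `curl -k https://localhost:8443/health-check`, and both probes are described as being "for the auth server" although this is the client-api chart. Since helm-docs copies these `# --` lines into the README, fix them at the source, e.g. `# -- curl against the local HTTPS port; -k skips certificate verification, acceptable only because the target is loopback`. That last clause matters: `-k` is fine for a loopback probe, but without the comment it is easy to copy the same command into something that crosses the network.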


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,19 @@
apiVersion: v2
appVersion: 5.0.0
description: Istio Gateway
home: https://gluu.org/docs/gluu-server/
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- istio
- gateway
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: cn-istio-ingress
sources:
- https://gluu.org/docs/gluu-server/
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress
type: application
version: 5.0.0


@ -0,0 +1,25 @@
# cn-istio-ingress
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Istio Gateway
**Homepage:** <https://gluu.org/docs/gluu-server/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/gluu-server/>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress>
## Requirements
Kubernetes: `>=v1.19.0-0`
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,63 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "istio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "istio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "istio.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "istio.labels" -}}
helm.sh/chart: {{ include "istio.chart" . }}
{{ include "istio.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "istio.selectorLabels" -}}
app.kubernetes.io/name: {{ include "istio.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "istio.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "istio.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
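Review bot: `istio.serviceAccountName` (L3142-3148) dereferences `.Values.serviceAccount.create`, but this chart's values.yaml (L3192-3194) defines no `serviceAccount` key and gateway.yaml does not include the helper, so it is dead code that would abort rendering with a nil-pointer error the moment someone does include it. Either delete the helper or make the lookup tolerate a missing map, e.g. `{{- if (.Values.serviceAccount | default dict).create -}}` on L3143 and `{{ default (include "istio.fullname" .) (.Values.serviceAccount | default dict).name }}` on L3144; the same guard applies to L3146.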


@ -0,0 +1,36 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: {{ .Release.Name }}-global-gtw
namespace: {{ .Release.Namespace }}
{{- if .Values.global.istio.additionalLabels }}
labels:
{{ toYaml .Values.global.istio.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.global.istio.additionalAnnotations }}
annotations:
{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }}
{{- end }}
spec:
selector:
istio: ingressgateway
servers:
# oxtrust
- port:
number: 80
name: http-admin-ui
protocol: HTTP
hosts:
- {{ .Values.global.fqdn }}
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- {{ .Values.global.fqdn }}
tls:
mode: SIMPLE # enable https on this port
credentialName: tls-certificate # fetch cert from k8s secret
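Review bot: The port-80 server at L3170-3178 is commented `# oxtrust` and named `http-admin-ui`, but it is just the HTTP-to-HTTPS redirect listener for `global.fqdn` (Gluu 5 ships no oxtrust), so the comment misleads and the name should be plain `http`. On the HTTPS server I would pin the TLS floor explicitly with `minProtocolVersion: TLSV1_2` under `tls:` (L3185) instead of inheriting whatever the mesh default happens to be. Also, Istio resolves `credentialName: tls-certificate` in the namespace where the ingress gateway pod runs (normally istio-system), not in `.Release.Namespace`, which is not obvious from a template that sets `namespace: {{ .Release.Namespace }}` on the Gateway itself; a comment such as `# this Secret must exist in the ingress gateway's namespace, not the release namespace` would save operators a failed-handshake debugging round.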


@ -0,0 +1,4 @@
# Default values for istio.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,22 @@
apiVersion: v2
appVersion: 5.0.0
description: Jans Config Api endpoints can be used to configure jans-auth-server,
which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server
(AS)
home: https://gluu.org/docs/gluu-server
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- configuration
- API
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: config-api
sources:
- https://github.com/JanssenProject/jans-config-api
- https://github.com/JanssenProject/docker-jans-config-api
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/config-api
type: application
version: 5.0.0


@ -0,0 +1,63 @@
# config-api
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)
**Homepage:** <https://gluu.org/docs/gluu-server>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://github.com/JanssenProject/jans-config-api>
* <https://github.com/JanssenProject/docker-jans-config-api>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/config-api>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| fullnameOverride | string | `""` | |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.enabled | bool | `true` | |
| hpa.maxReplicas | int | `10` | |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| hpa.minReplicas | int | `1` | |
| hpa.targetCPUUtilizationPercentage | int | `50` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. |
| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"2500m"` | CPU limit. |
| resources.limits.memory | string | `"2500Mi"` | Memory limit. |
| resources.requests.cpu | string | `"2500m"` | CPU request. |
| resources.requests.memory | string | `"2500Mi"` | Memory request. |
| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. |
| tolerations | list | `[]` | |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "config-api.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "config-api.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "config-api.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "config-api.labels" -}}
app: {{ .Release.Name }}-{{ include "config-api.name" . }}
helm.sh/chart: {{ include "config-api.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "oxauth.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "oxauth.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
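Review bot: `value: {{ $val }}` at L3353 emits user-supplied env values unquoted, so a value such as `true`, `1.10` or `NO` is re-typed by the YAML parser and the API server then rejects the EnvVar because `value` must be a string; use `value: {{ $val | quote }}`. The two helpers are also still named `oxauth.usr-envs` / `oxauth.usr-secret-envs` (L3350, L3359) in a chart whose other helpers are `config-api.*`; Helm named templates share one namespace across a whole release, so if another subchart defines the same name the last one parsed wins silently — rename them `config-api.usr-envs` / `config-api.usr-secret-envs`. As far as this section shows, deployment.yaml never includes either helper (its only env source is the `envFrom` ConfigMap at L3459-3461) and no template in the chart creates the `*-user-custom-envs` Secret, so the `usrEnvs` values advertised in values.yaml are currently inert.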


@ -0,0 +1,24 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-config-api-mtls
namespace: {{.Release.Namespace}}
labels:
APP_NAME: config-api
{{ include "config-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}
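Review bot: This rule only makes callers of the Config API originate Istio mTLS (`ISTIO_MUTUAL`, L3393-3394); nothing in this chart's templates requires it on the receiving side, so unless a mesh- or namespace-wide PeerAuthentication in STRICT mode already exists, the config-api pod keeps accepting plaintext on 8074/9444 under Istio's default PERMISSIVE policy, and the DestinationRule gives a false sense of enforcement. A workload-scoped PeerAuthentication gated on the same `global.istio.enabled` flag, selecting the Deployment's `app` label, closes that gap. Separately, the probe-rewrite annotation in deployment.yaml (L3427-3430) is gated on `global.istio.ingress` while this resource is gated on `global.istio.enabled`; if those are distinct switches (mesh vs. ingress), the annotation arguably belongs with the mesh one, since it matters whenever a sidecar is injected.
```yaml
{{- if .Values.global.istio.enabled }}
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .Release.Name }}-config-api-peer-auth
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-{{ include "config-api.name" . }}
  mtls:
    mode: STRICT
{{- end }}
```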


@ -0,0 +1,138 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "config-api.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: config-api
{{ include "config-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "config-api.name" . }}
template:
metadata:
labels:
app: {{ .Release.Name }}-{{ include "config-api.name" . }}
release: {{ .Release.Name }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: {{ include "config-api.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
securityContext:
runAsUser: 1000
runAsNonRoot: true
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
command:
- /bin/sh
- -c
- |
/usr/bin/python3 /scripts/updatelbip.py &
/app/scripts/entrypoint.sh
{{- end }}
ports:
- containerPort: 9444
- containerPort: 8074
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "config-api.name" . }}-updatelbip
mountPath: /scripts
{{- end }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "config-api.name" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
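Review bot: The container `securityContext` at L3444-3446 stops at `runAsUser`/`runAsNonRoot`; because the process already runs unprivileged as uid 1000, adding `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and a `RuntimeDefault` seccomp profile costs nothing functionally (a non-root process holds no effective capabilities anyway) and closes the setuid / file-capability escalation path, so it belongs in this first cut of the chart. Separately, the SQL and Couchbase password files are mounted with `subPath` (L3476-3487), and subPath mounts are not refreshed when the Secret changes, so a credential rotation silently keeps the old password until the pod restarts — worth a comment at the mount, e.g. `# subPath mount: restart pods after rotating the Secret`. Whether the image needs a writable root filesystem is not visible here, so I have not proposed `readOnlyRootFilesystem`.
```yaml
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
# … unchanged: imagePullPolicy, command, ports, envFrom, probes, volumeMounts …
```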


@ -0,0 +1,39 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "config-api.fullname" . }}
labels:
APP_NAME: config-api
{{ include "config-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "config-api.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
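Review bot: `apiVersion: autoscaling/v1` (L3544) does not define the `metrics` and `behavior` fields rendered at L3567-3578; those belong to `autoscaling/v2beta2` / `autoscaling/v2`, so when `hpa.targetCPUUtilizationPercentage` is unset the rendered HPA is either rejected under strict field validation or stored with no metric at all, and `hpa.behavior` is never honoured. Switching to `autoscaling/v2beta2` (available on the chart's 1.19 floor; superseded by `autoscaling/v2` from 1.23 and removed in 1.26) fixes that, but v2beta2 has no `targetCPUUtilizationPercentage`, so the CPU target must be expressed as a Resource metric as well. Unlike the other templates this one also omits `namespace: {{ .Release.Namespace }}`; harmless under `helm install`, but inconsistent.
```yaml
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  metrics:
    {{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
# … unchanged: behavior block …
```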


@ -0,0 +1,26 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
# the name must match the application
name: {{ index .Values "global" "config-api" "configApiServerServiceName" }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: config-api
{{ include "config-api.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
ports:
- port: 9444
name: tcp-{{ include "config-api.name" . }}-ssl
- port: 8074
name: tcp-{{ include "config-api.name" . }}-http
selector:
app: {{ .Release.Name }}-{{ include "config-api.name" . }}
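Review bot: `service.name` (`http-config-api`, which values.yaml says to keep at its default) is never read here; the port names at L3605-3607 are hard-coded as `tcp-<chart>-ssl` and `tcp-<chart>-http`. Under Istio the port-name prefix selects the protocol, so a `tcp-` prefix on 8074 makes the sidecar treat the Config API as opaque TCP and drops HTTP-level telemetry and path-based AuthorizationPolicy for it, which is presumably the opposite of what a port called `-http` intends. If that is deliberate (e.g. to keep the sidecar out of the HTTP path), say so in a comment; otherwise wire the value through, `name: {{ .Values.service.name }}` for the 8074 entry, so the declared default actually controls the protocol Istio sees.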


@ -0,0 +1,91 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- Gluu Admin UI. This shouldn't be internet facing.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
nameOverride: ""
fullnameOverride: ""
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: janssenproject/config-api
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 2500m
# -- Memory limit.
memory: 2500Mi
requests:
# -- CPU request.
cpu: 2500m
# -- Memory request.
memory: 2500Mi
service:
# -- The name of the config-api port within the config-api service. Please keep it as default.
name: http-config-api
# -- Configure the liveness healthcheck for the auth server if needed.
livenessProbe:
# -- Executes the python3 healthcheck.
# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
httpGet:
path: /jans-config-api/api/v1/health/live
port: 8074
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
# -- Configure the readiness healthcheck for the auth server if needed.
# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
readinessProbe:
httpGet:
path: /jans-config-api/api/v1/health/ready
port: 8074
initialDelaySeconds: 25
periodSeconds: 25
timeoutSeconds: 5
nodeSelector: {}
tolerations: []
affinity: {}
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
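Review bot: The header comment at L3616 calls this chart the `Gluu Admin UI`, and the probe comments at L3667-3670 and L3677-3678 talk about the auth server and a python3 healthcheck from docker-oxauth, while the values actually describe the Jans Config API with `httpGet` probes on `/jans-config-api/api/v1/health/*`; helm-docs copies these strings into the README (L3281-3285), so the published table repeats the errors. Suggested replacements: `# -- Jans Config API. Not meant to be internet facing; keep it reachable only from inside the cluster.` for L3616, `# -- Liveness probe against the Config API health endpoint.` for L3667-3670 and `# -- Readiness probe against the Config API ready endpoint.` for L3677-3678, dropping the docker-oxauth link in both. The "shouldn't be internet facing" advice is the one part worth carrying over verbatim.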


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
tls_generator.py


@ -0,0 +1,21 @@
apiVersion: v2
appVersion: 5.0.0
description: Configuration parameters for setup and initial configuration secret and
config layers used by Gluu services.
home: https://gluu.org/docs/gluu-server/reference/container-configs/
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- configuration
- secrets
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: config
sources:
- https://gluu.org/docs/gluu-server/reference/container-configs/
- https://github.com/JanssenProject/docker-jans-configuration-manager
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/config
type: application
version: 5.0.0


@ -0,0 +1,119 @@
# config
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
**Homepage:** <https://gluu.org/docs/gluu-server/reference/container-configs/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/gluu-server/reference/container-configs/>
* <https://github.com/JanssenProject/docker-jans-configuration-manager>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/config>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. |
| city | string | `"Austin"` | City. Used for certificate creation. |
| cnOxtrustConfigGeneration | bool | `true` | |
| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . |
| configmap.cnCasaEnabled | bool | `false` | Enable Casa flag . |
| configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . |
| configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. |
| configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy |
| configmap.cnConfigGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer |
| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. |
| configmap.cnCouchbaseCertFile | string | `"/etc/certs/couchbase.crt"` | Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. |
| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. |
| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. |
| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . |
| configmap.cnCouchbasePasswordFile | string | `"/etc/gluu/conf/couchbase_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password |
| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. |
| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol |
| configmap.cnCouchbaseSuperUserPasswordFile | string | `"/etc/gluu/conf/couchbase_superuser_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. |
| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster |
| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. |
| configmap.cnDocumentStoreType | string | `"JCA"` | Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. |
| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | |
| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. |
| configmap.cnGoogleSpannerInstanceId | string | `""` | |
| configmap.cnJackrabbitAdminId | string | `"admin"` | Jackrabbit admin uid. |
| configmap.cnJackrabbitAdminIdFile | string | `"/etc/gluu/conf/jackrabbit_admin_id"` | The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id. |
| configmap.cnJackrabbitAdminPasswordFile | string | `"/etc/gluu/conf/jackrabbit_admin_password"` | The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password. |
| configmap.cnJackrabbitPostgresDatabaseName | string | `"jackrabbit"` | Jackrabbit postgres database name. |
| configmap.cnJackrabbitPostgresHost | string | `"postgresql.postgres.svc.cluster.local"` | Postgres url |
| configmap.cnJackrabbitPostgresPasswordFile | string | `"/etc/gluu/conf/postgres_password"` | The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password. |
| configmap.cnJackrabbitPostgresPort | int | `5432` | Jackrabbit Postgres port |
| configmap.cnJackrabbitPostgresUser | string | `"jackrabbit"` | Jackrabbit Postgres uid |
| configmap.cnJackrabbitSyncInterval | int | `300` | Interval between files sync (default to 300 seconds). |
| configmap.cnJackrabbitUrl | string | `"http://jackrabbit:8080"` | Jackrabbit internal url. Normally left as default. |
| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server |
| configmap.cnLdapUrl | string | `"opendj:1636"` | |
| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage |
| configmap.cnPassportEnabled | bool | `false` | Boolean flag to enable/disable passport chart |
| configmap.cnPersistenceLdapMapping | string | `"default"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. |
| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number <url>:<port>. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
| configmap.cnSamlEnabled | bool | `false` | Enable SAML-related features; UI menu, etc. |
| configmap.cnSecretGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
| configmap.cnSecretGoogleSecretVersionId | string | `"latest"` | |
| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. |
| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` |
| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. |
| configmap.cnSqlDbName | string | `"jans"` | SQL database name. |
| configmap.cnSqlDbPort | int | `3306` | SQL database port. |
| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. |
| configmap.cnSqlDbUser | string | `"jans"` | SQL database username. |
| configmap.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | SQL password file holding password from config.configmap.cnSqldbUserPassword . |
| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected as config.configmap.cnSqlPasswordFile . |
| configmap.containerMetadataName | string | `"kubernetes"` | |
| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. |
| countryCode | string | `"US"` | Country code. Used for certificate creation. |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. |
| fullNameOverride | string | `""` | |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. |
| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section |
| migration.enabled | bool | `false` | Boolean flag to enable migration from CE |
| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. |
| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files |
| nameOverride | string | `""` | |
| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. |
| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. |
| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"300m"` | CPU limit. |
| resources.limits.memory | string | `"300Mi"` | Memory limit. |
| resources.requests.cpu | string | `"300m"` | CPU request. |
| resources.requests.memory | string | `"300Mi"` | Memory request. |
| state | string | `"TX"` | State code. Used for certificate creation. |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,94 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "config.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "config.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "config.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "config.labels" -}}
app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
helm.sh/chart: {{ include "config.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "config.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "config.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
{{/*
Create optional scopes list
*/}}
{{- define "config.optionalScopes"}}
{{ $newList := list }}
{{- if eq .Values.configmap.cnCacheType "REDIS" }}
{{ $newList = append $newList ("redis" | quote ) }}
{{- end}}
{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
{{ $newList = append $newList ("couchbase" | quote) }}
{{- end}}
{{- if .Values.global.opendj.enabled}}
{{ $newList = append $newList ("ldap" | quote) }}
{{- end}}
{{- if .Values.global.fido2.enabled}}
{{ $newList = append $newList ("fido2" | quote) }}
{{- end}}
{{- if .Values.global.scim.enabled}}
{{ $newList = append $newList ("scim" | quote) }}
{{- end}}
{{- if index .Values "global" "client-api" "enabled"}}
{{ $newList = append $newList ("client-api" |quote) }}
{{- end}}
{{ toJson $newList }}
{{- end }}
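Review bot: `config.usr-envs` writes each user-supplied env as `value: {{ $val }}` without quoting, so a value such as `true`, `1000` or `on` is rendered as a YAML boolean or integer and the API server rejects the manifest because `env[].value` must be a string. Piping through `quote`, `value: {{ $val | quote }}`, keeps arbitrary values as strings; `config.usr-secret-envs` is unaffected because it only emits a key reference. As a point of style, the lines in `config.optionalScopes` that open with `{{ $newList` rather than `{{- $newList` leave blank lines in the included output; `fromJsonArray` tolerates them, but trimming with `{{-` makes the rendered text clean.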


@ -0,0 +1,46 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: User
# change it to your actual account; the email can be fetched using
# the following command: `gcloud info | grep Account`
name: "ACCOUNT"
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ include "config.name" . }}-load
name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: edit
subjects:
- kind: ServiceAccount
name: default
namespace: {{ .Release.Namespace }}
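Review bot: The second document binds the `edit` ClusterRole to the namespace's `default` ServiceAccount through a ClusterRoleBinding, which grants edit rights in every namespace of the cluster to any pod in the release namespace that does not declare its own service account; the namespaced Role on configmaps/secrets elsewhere in this commit already covers what the visible job scripts do, so this binding looks redundant and over-scoped, and if it is needed at all it should be a `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` under `metadata`. The first document grants `cluster-admin` to a `User` named literally `ACCOUNT` with a comment asking the reader to edit it, but a packaged chart template is not edited by operators, so the subject should come from a chart value and the whole document should be gated behind a boolean value (or dropped). The second document also carries none of the `helm.sh/hook` annotations the first one has, so the two bindings follow different lifecycles; a comment stating that this is intended would help.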


@ -0,0 +1,404 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-config-cm
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
data:
# Jetty header size in bytes in the auth server
CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }}
# Distribution
CN_DISTRIBUTION: {{ .Values.global.distribution | quote }}
{{ if .Values.global.cnObExtSigningJwksUri }}
CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }}
CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }}
CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }}
# force the AS to use a specific signing key
CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
# [google_envs] Envs related to using Google
GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }}
GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }}
{{- end }}
{{ if eq .Values.global.cnPersistenceType "spanner" }}
# [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer
CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }}
CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }}
# [google_spanner_envs] END
{{- end }}
{{ if eq .Values.global.configSecretAdapter "google" }}
# [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer
CN_SECRET_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnSecretGoogleSecretVersionId | quote }}
CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE: {{ .Values.configmap.cnGoogleSecretManagerPassPhrase | quote }}
CN_SECRET_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnSecretGoogleSecretNamePrefix | quote }}
CN_CONFIG_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnConfigGoogleSecretVersionId | quote }}
CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnConfigGoogleSecretNamePrefix | quote }}
# [google_secret_manager_envs] END
{{- end }}
CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }}
CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }}
CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }}
CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }}
CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }}
CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }}
CN_SQL_PASSWORD_FILE: {{ .Values.configmap.cnSqlPasswordFile }}
CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }}
CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }}
CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }}
CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }}
CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }}
CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }}
CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }}
CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }}
CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }}
{{- if not .Values.global.jackrabbit.enabled }}
CN_DOCUMENT_STORE_TYPE: LOCAL
{{- else }}
CN_DOCUMENT_STORE_TYPE: {{ .Values.configmap.cnDocumentStoreType | quote }}
{{- end }}
CN_JACKRABBIT_SYNC_INTERVAL: {{ .Values.configmap.cnJackrabbitSyncInterval | quote }}
{{- if .Values.configmap.cnJackrabbitUrl }}
CN_JACKRABBIT_URL: {{ .Values.configmap.cnJackrabbitUrl | quote }}
{{- else }}
CN_JACKRABBIT_URL: {{ cat "http://" ( .Values.global.jackrabbit.jackRabbitServiceName ) ":8080" | quote | nospace }}
{{- end }}
DOMAIN: {{ .Values.global.fqdn | quote }}
CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }}
CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers"
| toJson
| replace "authLogTarget" "auth_log_target"
| replace "authLogLevel" "auth_log_level"
| replace "httpLogTarget" "http_log_target"
| replace "httpLogLevel" "http_log_level"
| replace "persistenceLogTarget" "persistence_log_target"
| replace "persistenceLogLevel" "persistence_log_level"
| replace "persistenceDurationLogTarget" "persistence_duration_log_target"
| replace "persistenceDurationLogLevel" "persistence_duration_log_level"
| replace "ldapStatsLogTarget" "ldap_stats_log_target"
| replace "ldapStatsLogLevel" "ldap_stats_log_level"
| replace "scriptLogTarget" "script_log_target"
| replace "scriptLogLevel" "script_log_level"
| replace "auditStatsLogTarget" "audit_log_target"
| replace "auditStatsLogLevel" "audit_log_level"
| squote
}}
{{- if index .Values "global" "client-api" "enabled" }}
CN_CLIENT_API_SERVER_URL: {{ cat ( index .Values "global" "client-api" "clientApiServerServiceName" ) ":8443" | quote | nospace }}
CN_CLIENT_API_BIND_IP_ADDRESSES: {{ .Values.configmap.cnClientApiBindIpAddresses | quote }}
CN_CLIENT_API_APP_LOGGERS: {{ index .Values "global" "client-api" "appLoggers"
| toJson
| replace "clientApiLogTarget" "client_api_log_target"
| replace "clientApiLogLevel" "client_api_log_level"
| squote
}}
{{- end }}
{{- if index .Values "global" "config-api" "enabled" }}
CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers"
| toJson
| replace "configApiLogTarget" "config_api_log_target"
| replace "configApiLogLevel" "config_api_log_level"
| squote
}}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
LB_ADDR: {{ .Values.configmap.lbAddr }}
{{- end }}
CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
# used only if CN_PERSISTENCE_TYPE is ldap or hybrid
{{- if .Values.configmap.cnLdapUrl }}
CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }}
{{- else }}
CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }}
{{- end }}
{{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
# used only if CN_PERSISTENCE_TYPE is couchbase or hybrid
CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }}
CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }}
CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }}
CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }}
CN_COUCHBASE_CERT_FILE: {{ .Values.configmap.cnCouchbaseCertFile | quote }}
CN_COUCHBASE_PASSWORD_FILE: {{ .Values.configmap.cnCouchbasePasswordFile | quote }}
CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }}
CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.configmap.cnCouchbaseSuperUserPasswordFile | quote }}
{{- end }}
CN_KEY_ROTATION_FORCE: "false"
CN_KEY_ROTATION_CHECK: "3600"
CN_KEY_ROTATION_INTERVAL: "48"
CN_SSL_CERT_FROM_SECRETS: "true"
CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server
# options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid
{{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }}
# must the same as the opendj service name
CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service
CN_PERSISTENCE_LDAP_MAPPING: {{ .Values.configmap.cnPersistenceLdapMapping | quote }}
{{- end }}
CN_OXTRUST_CONFIG_GENERATION: {{ .Values.cnOxtrustConfigGeneration | quote }}
{{ if .Values.global.cnJackrabbitCluster }}
CN_JACKRABBIT_ADMIN_ID: {{ .Values.configmap.cnJackrabbitAdminId | quote }}
CN_JACKRABBIT_ADMIN_PASSWORD_FILE: {{ .Values.configmap.cnJackrabbitAdminPasswordFile | quote }}
CN_JACKRABBIT_CLUSTER: {{ .Values.global.cnJackrabbitCluster | quote }}
CN_JACKRABBIT_POSTGRES_USER: {{ .Values.configmap.cnJackrabbitPostgresUser | quote }}
CN_JACKRABBIT_POSTGRES_PASSWORD_FILE: {{ .Values.configmap.cnJackrabbitPostgresPasswordFile | quote }}
CN_JACKRABBIT_POSTGRES_HOST: {{ .Values.configmap.cnJackrabbitPostgresHost | quote }}
CN_JACKRABBIT_POSTGRES_PORT: {{ .Values.configmap.cnJackrabbitPostgresPort | quote }}
CN_JACKRABBIT_POSTGRES_DATABASE: {{ .Values.configmap.cnJackrabbitPostgresDatabaseName | quote }}
# CN_JACKRABBIT_PASSWORD_FILE: {{ .Values.configmap.cnJcaPasswordFile | quote }} NOT IMPLEMENTED
{{- end }}
# Auto enable installation of some services
CN_CASA_ENABLED: {{ .Values.configmap.cnCasaEnabled | quote }}
CN_PASSPORT_ENABLED: {{ .Values.configmap.cnPassportEnabled | quote }}
{{- if .Values.global.oxshibboleth.enabled }}
CN_SAML_ENABLED: {{ .Values.configmap.cnSamlEnabled | quote }}
{{- end }}
CN_CLIENT_API_APPLICATION_CERT_CN: {{ .Values.configmap.cnClientApiApplicationCertCn | quote }}
CN_CLIENT_API_ADMIN_CERT_CN: {{ .Values.configmap.cnClientApiAdminCertCn | quote }}
{{ if eq .Values.configmap.cnCacheType "REDIS" }}
CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }}
CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }}
CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }}
CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }}
CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }}
{{- end }}
{{- if .Values.global.istio.enabled }}
CN_COUCHBASE_TRUSTSTORE_ENABLE: "false"
CN_LDAP_USE_SSL: "false"
{{- end }}
{{- if .Values.global.scim.enabled }}
CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }}
CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }}
CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers
| toJson
| replace "scimLogTarget" "scim_log_target"
| replace "scimLogLevel" "scim_log_level"
| replace "persistenceLogTarget" "persistence_log_target"
| replace "persistenceLogLevel" "persistence_log_level"
| replace "persistenceDurationLogTarget" "persistence_duration_log_target"
| replace "persistenceDurationLogLevel" "persistence_duration_log_level"
| replace "ldapStatsLogTarget" "ldap_stats_log_target"
| replace "ldapStatsLogLevel" "ldap_stats_log_level"
| replace "scriptLogTarget" "script_log_target"
| replace "scriptLogLevel" "script_log_level"
| squote
}}
{{- end }}
{{- if .Values.global.fido2.enabled }}
CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers
| toJson
| replace "fido2LogTarget" "fido2_log_target"
| replace "fido2LogLevel" "fido2_log_level"
| replace "persistenceLogTarget" "persistence_log_target"
| replace "persistenceLogLevel" "persistence_log_level"
| squote
}}
{{- end }}
---
apiVersion: v1
data:
tls_generator.py: |-
from kubernetes import config, client
import logging
log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s'
logging.basicConfig(format=log_format, level=logging.INFO)
logger = logging.getLogger("tls-generator")
# use the serviceAccount k8s gives to pods
config.load_incluster_config()
core_cli = client.CoreV1Api()
def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default",
secret_type="Opaque", second_literal=None, value_of_second_literal=None,
data=None):
"""Patch secret and if not exist create
:param name:
:param literal:
:param value_of_literal:
:param namespace:
:param secret_type:
:param second_literal:
:param value_of_second_literal:
:param data:
:return:
"""
# Instantiate the Secret object
body = client.V1Secret()
metadata = client.V1ObjectMeta(name=name)
body.data = data
if not data:
body.data = {literal: value_of_literal}
body.metadata = metadata
body.type = secret_type
if second_literal:
body.data = {literal: value_of_literal, second_literal: value_of_second_literal}
try:
core_cli.patch_namespaced_secret(name, namespace, body)
logger.info('Secret {} in namespace {} has been patched'.format(name, namespace))
return
except client.rest.ApiException as e:
if e.status == 404 or not e.status:
try:
core_cli.create_namespaced_secret(namespace=namespace, body=body)
logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace))
return True
except client.rest.ApiException as e:
logger.exception(e)
return False
logger.exception(e)
return False
# check if gluu secret exists
def get_certs(secret_name, namespace):
"""
:param namespace:
:return: ssl cert and key from gluu secrets
"""
ssl_cert = None
ssl_key = None
if core_cli.read_namespaced_secret(secret_name, namespace):
ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert']
ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key']
return ssl_cert, ssl_key
def main():
namespace = {{.Release.Namespace | quote}}
secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }}
cert, key = get_certs(secret_name, namespace)
# global vars
name = "tls-certificate"
# if istio is enabled
{{- if.Values.global.istio.ingress}}
namespace = {{.Values.global.istio.namespace | quote}}
{{- end}}
if cert and key:
patch_or_create_namespaced_secret(name=name,
namespace=namespace,
literal="tls.crt",
value_of_literal=cert,
secret_type="kubernetes.io/tls",
second_literal="tls.key",
value_of_second_literal=key)
else:
logger.error("No certificate or key was found in secrets.")
if __name__ == "__main__":
main()
kind: ConfigMap
metadata:
name: {{ include "config.fullname" . }}-tls-script
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
---
apiVersion: v1
data:
updatelbip.py: |-
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Update the IP of the load balancer automatically
"""
License terms and conditions for Gluu Cloud Native Edition:
https://www.apache.org/licenses/LICENSE-2.0
"""
import socket
import os
import logging
import time
logger = logging.getLogger("update-lb-ip")
logger.setLevel(logging.INFO)
ch = logging.StreamHandler()
fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s')
ch.setFormatter(fmt)
logger.addHandler(ch)
def backup(hosts):
timenow = time.strftime("%c")
timestamp = "Backup occurred %s \n" % timenow
logger.info("Backing up hosts file to /etc/hosts.back ...")
with open('/etc/hosts.back', 'a+') as f:
f.write(timestamp)
for line in hosts:
f.write(line)
def get_hosts(lb_addr, domain):
ip_list = []
hosts_list = []
ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0)
for result in ais:
ip_list.append(result[-1][0])
ip_list = list(set(ip_list))
for ip in ip_list:
add_host = ip + " " + domain
hosts_list.append(add_host)
return hosts_list
def main():
try:
while True:
lb_addr = os.environ.get("LB_ADDR", "")
domain = os.environ.get("DOMAIN", "demoexample.gluu.org")
host_file = open('/etc/hosts', 'r').readlines()
hosts = get_hosts(lb_addr, domain)
stop = []
for host in hosts:
for i in host_file:
if host.replace(" ", "") in i.replace(" ", ""):
stop.append("found")
if len(stop) != len(hosts):
backup(host_file)
logger.info("Writing new hosts file")
with open('/etc/hosts', 'w') as f:
for line in host_file:
if domain not in line:
f.write(line)
for host in hosts:
f.write(host)
f.write("\n")
f.write("\n")
time.sleep(300)
except KeyboardInterrupt:
logger.warning("Canceled by user; exiting ...")
if __name__ == "__main__":
main()
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-updatelbip
namespace: {{ .Release.Namespace }}
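Review bot: The persistence switch after `CN_PERSISTENCE_TYPE` uses `else if` for the couchbase branch, and because `hybrid` already satisfies the ldap condition, a hybrid deployment never receives `CN_COUCHBASE_URL` or the other `CN_COUCHBASE_*` keys even though the couchbase condition names `hybrid` too; closing the ldap block with `{{- end }}` and opening an independent `{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}` renders both. In the embedded `tls_generator.py`, `get_certs` calls `read_namespaced_secret` three times and its `if` never takes the false path, since a missing secret raises rather than returns falsy (the patch path above already expects a 404 `ApiException`); read once into a local, catch the 404 there and return `(None, None)`. The `CN_SQL_DB_DIALECT`, `CN_SQL_DB_HOST`, `CN_SQL_DB_NAME`, `CN_SQL_DB_USER`, `CN_SQL_DB_TIMEZONE` and `CN_SQL_PASSWORD_FILE` values are emitted without `quote`, unlike the rest of the map, so a host or dialect that looks like a number or boolean would not reach the API as a string. The comment `used only if CN_PERSISTENCE_TYPE is hybrid or hybrid` should read `ldap or hybrid`.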


@ -0,0 +1,106 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "config.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
template:
metadata:
name: {{ include "config.name" . }}-job
labels:
APP_NAME: configuration-manager
app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: {{ include "config.fullname" . }}-mount-gen-file
secret:
secretName: {{ include "config.fullname" . }}-gen-json-file
- name: {{ include "config.fullname" . }}-tls-script
configMap:
name: {{ include "config.fullname" . }}-tls-script
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
containers:
- name: {{ include "config.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
securityContext:
runAsUser: 1000
runAsNonRoot: true
env:
{{- include "config.usr-envs" . | indent 12 }}
{{- include "config.usr-secret-envs" . | indent 12 }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
- mountPath: /app/db/generate.json
name: {{ include "config.fullname" . }}-mount-gen-file
subPath: generate.json
- mountPath: /scripts/tls_generator.py
name: {{ include "config.fullname" . }}-tls-script
subPath: tls_generator.py
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
command:
- tini
- -g
- --
- /bin/sh
- -c
- |
{{- if .Values.migration.enabled }}
/app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }}
{{- else }}
/app/scripts/entrypoint.sh load
{{- end }}
/usr/bin/python3 /scripts/tls_generator.py
{{- if .Values.global.istio.enabled }}
curl -X POST http://localhost:15020/quitquitquit
{{- end }}
restartPolicy: Never
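Review bot: The container `securityContext` sets `runAsUser` and `runAsNonRoot` but omits `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, which the restricted Pod Security Standard requires and which this job (a shell wrapper plus a Python script) shows no need to keep. The pod also runs under the namespace's `default` ServiceAccount since no `serviceAccountName` is set, and that is exactly the subject the chart's Role/RoleBinding grant Secret write access to; a dedicated ServiceAccount referenced from the Job keeps that grant from extending to every other pod that falls back to `default`. A one-line comment above `command:` noting that `tls_generator.py` writes the TLS secret and, when istio is enabled, asks the sidecar to exit would explain the two trailing steps.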


@ -0,0 +1,28 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
subjects:
- kind: User
name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role # this must be Role or ClusterRole
name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
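Review bot: The subject is written as `kind: User` with the synthesized name `system:serviceaccount:<namespace>:default`; that resolves, but the idiomatic form is `kind: ServiceAccount`, `name: default`, `namespace: {{ .Release.Namespace }}` without `apiGroup`, which reads unambiguously and lets RBAC tooling resolve the subject. Binding to `default` hands get/list/watch/create/update/patch/delete on every Secret in the namespace to any pod that does not declare a service account, so a dedicated ServiceAccount created by the chart and referenced from the Job is the least-privilege shape. The ClusterRoleBinding to `edit` elsewhere in this commit already covers the same subject far more broadly, so one of the two grants should go.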


@ -0,0 +1,24 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
rules:
- apiGroups: [""] # "" refers to the core API group
resources: ["configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
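Review bot: The rule grants `delete` and `watch` on all ConfigMaps and Secrets in the namespace, while the scripts visible in this commit only read, patch and create secrets; unless the configurator image itself needs the extra verbs (not visible here), trimming to `verbs: ["get", "list", "create", "update", "patch"]` documents the intended privilege. A short comment above `rules:` naming which step needs each verb would make later audits easier.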


@ -0,0 +1,214 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ include "config.fullname" . }}-gen-json-file
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
stringData:
generate.json: |-
{
"hostname": {{ .Values.global.fqdn | quote }},
"country_code": {{ .Values.countryCode | quote }},
"state": {{ .Values.state | quote }},
"city": {{ .Values.city | quote }},
"admin_pw": {{ .Values.adminPassword | quote }},
"ldap_pw": {{ .Values.ldapPassword | quote }},
"redis_pw": {{ .Values.redisPassword | quote }},
"email": {{ .Values.email | quote }},
"org_name": {{ .Values.orgName | quote }},
"optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}
}
{{ if eq .Values.global.cnPersistenceType "sql" }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-sql-pass
namespace: {{ .Release.Namespace }}
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }}
{{- end }}
{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-cb-pass
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }}
{{- if not .Values.global.istio.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-cb-crt
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-superuser-cb-pass
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-google-sa
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }}
{{- end}}
{{ if .Values.global.cnObExtSigningJwksCrt }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin
namespace: {{ .Release.Namespace }}
type: Opaque
data:
ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }}
{{ if .Values.global.cnObExtSigningJwksKey }}
ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }}
{{- end }}
{{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }}
ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }}
{{- end }}
{{- end }}
{{ if .Values.global.cnObTransportCrt }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-ob-transport-crt-key-pin
namespace: {{ .Release.Namespace }}
type: Opaque
data:
ob-transport.crt: {{ .Values.global.cnObTransportCrt }}
{{ if .Values.global.cnObTransportKey }}
ob-transport.key: {{ .Values.global.cnObTransportKey }}
{{- end }}
{{ if .Values.global.cnObTransportKeyPassPhrase }}
ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }}
{{- end }}
{{- end }}
{{ if .Values.global.cnObTransportTrustStore }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-ob-transport-truststore
namespace: {{ .Release.Namespace }}
type: Opaque
data:
ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }}
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
---
# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup.
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-ldap-cron-pass
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
data:
password: {{ .Values.ldapPassword | b64enc }}
{{- end}}
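Review bot: Under `data:` the file mixes values it base64-encodes itself (`sql_password`, `couchbase_password`, `couchbase_superuser_password` and `password` via `b64enc`) with values it emits raw (`couchbase.crt`, `google-credentials.json` and the `ob-*` cert, key, pin and truststore entries), so the latter silently require the operator to pre-encode them and a plain PEM or JSON value fails at apply time. Either apply `b64enc` consistently, or move the raw entries under `stringData:` as `generate.json` already is, and state in the values documentation which form each value expects. The `ob-ext-signing-jwks-crt-key-pin`, `ob-transport-crt-key-pin` and `ob-transport-truststore` secrets also carry none of the `helm.sh/hook` annotations or `config.labels` the other secrets have, so they follow a different lifecycle from the rest of the file; if that is intentional a comment should say so.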


@ -0,0 +1,31 @@
{{- if ( .Values.global.istio.enabled) }}
# License terms and conditions:
# https://www.apache.org/licenses/LICENSE-2.0
# Used with Istio
apiVersion: v1
kind: Service
metadata:
name: {{ include "config.fullname" . }}
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
type: ClusterIP
{{- end }}
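Review bot: `metadata` gets a second `annotations:` key whenever `additionalAnnotations` is set, because the `{{- if .Values.additionalAnnotations }}` block re-emits `annotations:` beneath the one already holding the `helm.sh/hook` entries; a duplicate mapping key is either rejected by the YAML loader or resolved last-wins, which would drop the hook annotations. Remove the inner `annotations:` line so the block renders only `{{ toYaml .Values.additionalAnnotations | indent 4 }}`, matching the other templates in this commit.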



@ -0,0 +1,132 @@
{{- if.Values.global.upgrade.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "config.fullname" . }}-upgrader
namespace: {{ .Release.Namespace }}
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "2"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
template:
metadata:
name: {{ include "config.name" . }}-upgrader
labels:
app: {{ include "config.name" . }}-upgrader
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
restartPolicy: Never
containers:
- name: {{ include "config.name" . }}-upgrader
image: "{{ .Values.global.upgrade.image.repository }}:{{ .Values.global.upgrade.image.tag }}"
args:
- "--source"
- {{ .Values.global.upgrade.sourceVersion | quote }}
- "--target"
- {{ .Values.global.upgrade.targetVersion | quote }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
mountPath: /etc/jans/conf/jackrabbit_admin_password
subPath: jackrabbit_admin_password
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/jans/conf/couchbase_password"
subPath: couchbase_password
- name: cb-super-pass
mountPath: "/etc/jans/conf/couchbase_superuser_password"
subPath: couchbase_superuser_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.global.jackrabbit.enabled }}
- name: cn-jackrabbit-admin-pass
secret:
secretName: cn-jackrabbit-admin-pass
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
- name: cb-super-pass
secret:
secretName: {{ .Release.Name }}-superuser-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- end }}
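Review bot: The pod spec declares `volumes:` twice at the same level — once right after `dnsConfig` (carrying `.Values.volumes` plus the conditional `google-sa`) and again after the container's `resources:` with the full list — so the rendered Job has a duplicate key; a strict decoder rejects it and a lenient one keeps only the second copy, leaving the first block as dead text that will drift. Drop the first `volumes:` block (everything from that key through its `{{- end }}` before `restartPolicy: Never`) and keep the complete one at the end. Separately, the Couchbase secrets are mounted at `/etc/jans/conf/couchbase_password` and `/etc/jans/conf/couchbase_superuser_password`, while the config chart's values in this commit point `cnCouchbasePasswordFile` and `cnCouchbaseSuperUserPasswordFile` at `/etc/gluu/conf/...`; I cannot see the upgrader image, so confirm which path it actually reads. `secretName: cn-jackrabbit-admin-pass` is also the only secret reference here not prefixed with `.Release.Name` — presumably matching what the jackrabbit chart creates, but worth verifying.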


@ -0,0 +1,75 @@
{{ if .Values.global.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-global-user-custom-envs
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.global.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
{{ if .Values.global.usrEnvs.normal }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-global-user-custom-envs
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
data:
{{- range $key, $val := .Values.global.usrEnvs.normal }}
{{ $key }}: {{ $val }}
{{- end}}
{{- end}}
{{ if .Values.usrEnvs.secret }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: configuration-manager
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation
{{- if .Values.additionalAnnotations }}
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
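Review bot: The ConfigMap renders `{{ $key }}: {{ $val }}` unquoted, so a value such as `true`, `1.10` or `NO` is re-typed by the YAML parser and the API server rejects the object because ConfigMap `data` values must be strings; change it to `{{ $key }}: {{ $val | quote }}`. The two Secrets have the mirror problem — Sprig's `b64enc` expects a string and fails the render on a numeric value — so `{{ $key }}: {{ $val | toString | b64enc }}` is the safer form. None of the three objects set `metadata.namespace` while the sibling templates do; Helm defaults it to the release namespace, so this is a consistency nit rather than a bug. It is worth a values comment that anything placed under `usrEnvs.secret` is kept in plaintext in the stored release values (`helm get values`), so genuinely sensitive material should come from an externally managed Secret instead.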


@ -0,0 +1,197 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# Required environment variables for generating Gluu server initial config
# -- Add custom normal and secret envs to the service.
usrEnvs:
# -- Add custom normal envs to the service.
# variable1: value1
normal: {}
# -- Add custom secret envs to the service.
# variable1: value1
secret: {}
# -- Admin password to log in to the UI.
adminPassword: Test1234#
# -- City. Used for certificate creation.
city: Austin
configmap:
# -- Jetty header size in bytes in the auth server
cnJettyRequestHeaderSize: 8192
# -- SQL database dialect. `mysql` or `pgsql`
cnSqlDbDialect: mysql
# -- SQL database host uri.
cnSqlDbHost: my-release-mysql.default.svc.cluster.local
# -- SQL database port.
cnSqlDbPort: 3306
# -- SQL database name.
cnSqlDbName: jans
# -- SQL database username.
cnSqlDbUser: jans
# -- SQL database timezone.
cnSqlDbTimezone: UTC
# -- SQL password file holding password from config.configmap.cnSqldbUserPassword .
cnSqlPasswordFile: /etc/jans/conf/sql_password
# -- SQL password injected as config.configmap.cnSqlPasswordFile .
cnSqldbUserPassword: Test1234#
# -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
cnCacheType: NATIVE_PERSISTENCE
# -- Enable Casa flag .
cnCasaEnabled: false
# -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api .
cnClientApiAdminCertCn: client-api
# -- Client-api OAuth client application certificate common name. This should be left to the default value client-api.
cnClientApiApplicationCertCn: client-api
# -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy
cnClientApiBindIpAddresses: "*"
containerMetadataName: kubernetes
# -- The name of the Kubernetes ConfigMap that will hold the configuration layer
cnConfigKubernetesConfigMap: cn
# -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.
cnCouchbaseBucketPrefix: jans
# -- Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required.
cnCouchbaseCertFile: /etc/certs/couchbase.crt
# -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.
cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
# -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.
cnCouchbaseIndexNumReplica: 0
# -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol .
cnCouchbasePassword: P@ssw0rd
# -- The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password
cnCouchbasePasswordFile: /etc/gluu/conf/couchbase_password
# -- The Couchbase super user (admin) user name. This user is used during initialization only.
cnCouchbaseSuperUser: admin
# -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol
cnCouchbaseSuperUserPassword: Test1234#
# -- The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.
cnCouchbaseSuperUserPasswordFile: /etc/gluu/conf/couchbase_superuser_password
# -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster
cnCouchbaseUrl: cbgluu.default.svc.cluster.local
# -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.
cnCouchbaseUser: gluu
# -- Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily.
cnDocumentStoreType: JCA
# -- Jackrabbit admin uid.
cnJackrabbitAdminId: admin
# -- The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id.
cnJackrabbitAdminIdFile: /etc/gluu/conf/jackrabbit_admin_id
# -- The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password.
cnJackrabbitAdminPasswordFile: /etc/gluu/conf/jackrabbit_admin_password
# -- Jackrabbit postgres database name.
cnJackrabbitPostgresDatabaseName: jackrabbit
# -- Postgres url
cnJackrabbitPostgresHost: postgresql.postgres.svc.cluster.local
# -- The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password.
cnJackrabbitPostgresPasswordFile: /etc/gluu/conf/postgres_password
# -- Jackrabbit Postgres port
cnJackrabbitPostgresPort: 5432
# -- Jackrabbit Postgres uid
cnJackrabbitPostgresUser: jackrabbit
# -- Interval between files sync (default to 300 seconds).
cnJackrabbitSyncInterval: 300
# -- Jackrabbit internal url. Normally left as default.
cnJackrabbitUrl: "http://jackrabbit:8080"
# [google_envs] Envs related to using Google
# -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
# -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnGoogleProjectId: google-project-to-save-config-and-secrets-to
# [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer
# -- Google Spanner ID. Used only when global.cnPersistenceType is spanner.
cnGoogleSpannerInstanceId: ""
# -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.
cnGoogleSpannerDatabaseId: ""
# [google_spanner_envs] END
# [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer
# -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnSecretGoogleSecretVersionId: "latest"
# -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnSecretGoogleSecretNamePrefix: gluu
# -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnGoogleSecretManagerPassPhrase: Test1234#
# -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnConfigGoogleSecretVersionId: "latest"
# -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
cnConfigGoogleSecretNamePrefix: gluu
# [google_secret_manager_envs] END
# [google_envs] END
# -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.
cnLdapUrl: "opendj:1636"
# -- Value passed to Java option -XX:MaxRAMPercentage
cnMaxRamPercent: "75.0"
# -- Boolean flag to enable/disable passport chart
cnPassportEnabled: false
# -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.
cnPersistenceLdapMapping: default
# -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
cnRedisSentinelGroup: ""
# -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
cnRedisSslTruststore: ""
# -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
cnRedisType: STANDALONE
# -- Redis URL and port number <url>:<port>. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
cnRedisUrl: "redis.redis.svc.cluster.local:6379"
# -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
cnRedisUseSsl: false
# -- Enable SAML-related features; UI menu, etc.
cnSamlEnabled: false
# -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
cnSecretKubernetesSecret: cn
# -- Loadbalancer address for AWS if the FQDN is not registered.
lbAddr: ""
# -- Country code. Used for certificate creation.
countryCode: US
# -- Email address of the administrator usually. Used for certificate creation.
email: support@gluu.org
image:
# -- Image to use for deploying.
repository: janssenproject/configurator
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- LDAP admin password if OpennDJ is used for persistence.
ldapPassword: P@ssw0rds
# -- Organization name. Used for certificate creation.
orgName: Gluu
# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`.
redisPassword: P@assw0rd
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 300m
# -- Memory limit.
memory: 300Mi
requests:
# -- CPU request.
cpu: 300m
# -- Memory request.
memory: 300Mi
# -- State code. Used for certificate creation.
state: TX
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
# -- CE to CN Migration section
migration:
# -- Boolean flag to enable migration from CE
enabled: false
# -- Directory holding all migration files
migrationDir: /ce-migration
# -- migration data-format depending on persistence backend.
# Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json.
migrationDataFormat: ldif
cnOxtrustConfigGeneration: true
nameOverride: ""
fullNameOverride: ""
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
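Review bot: Every credential in this values file ships with a working default — `adminPassword: Test1234#`, `cnSqldbUserPassword: Test1234#`, `cnCouchbasePassword: P@ssw0rd`, `cnCouchbaseSuperUserPassword: Test1234#`, `cnGoogleSecretManagerPassPhrase: Test1234#`, `ldapPassword: P@ssw0rds`, `redisPassword: P@assw0rd` — so an install that forgets a `--set` silently lands on well-known passwords for the admin UI, the LDAP directory, the SQL and Couchbase users and the secret-manager passphrase. For a certified partner chart these should default to empty strings and the templates should fail fast, e.g. `{{ required "config.adminPassword must be set" .Values.adminPassword }}`, with each key's comment stating that the value is mandatory (or generated at install time). The placeholder blobs in `cnCouchbaseCrt` and `cnGoogleSecretManagerServiceAccount` decode to an "IamNotaServiceAccountChangeMe…" marker string; harmless, but they deserve the same empty-plus-`required` treatment so a forgotten value fails on render rather than at runtime. Minor doc inconsistency: `cnRedisSentinelGroup` refers to `cnRedisType` being `SENTINEL`, while `cnRedisType` documents only `STANDALONE` or `CLUSTER`.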


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,20 @@
apiVersion: v2
appVersion: 5.0.0
description: CacheRefreshRotation is a special container to monitor cache refresh
on oxTrust containers. This may become depreciated in 5.0.
home: https://gluu.org/docs/gluu-server
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- CacheRefresh
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: cr-rotate
sources:
- https://gluu.org/docs/gluu-server/
- https://github.com/GluuFederation/docker-cr-rotate
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate
type: application
version: 5.0.0


@ -0,0 +1,51 @@
# cr-rotate
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
CacheRefreshRotation is a special container to monitor cache refresh on oxTrust containers. This may become depreciated in 5.0.
**Homepage:** <https://gluu.org/docs/gluu-server>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/gluu-server/>
* <https://github.com/GluuFederation/docker-cr-rotate>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/cr-rotate>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"gluufederation/cr-rotate"` | Image to use for deploying. |
| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| nameOverride | string | `""` | |
| resources | object | `{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"200m"` | CPU limit. |
| resources.limits.memory | string | `"200Mi"` | Memory limit. |
| resources.requests.cpu | string | `"200m"` | CPU request. |
| resources.requests.memory | string | `"200Mi"` | Memory request. |
| service.crRotateServiceName | string | `"cr-rotate"` | Name of the cr-rotate service. Please keep it as default. |
| service.name | string | `"http-cr-rotate"` | The name of the cr-rotate port within the cr-rotate service. Please keep it as default. |
| service.port | int | `8084` | Port of the casa service. Please keep it as default. |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,69 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "cr-rotate.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cr-rotate.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cr-rotate.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "cr-rotate.labels" -}}
app: {{ .Release.Name }}-{{ include "cr-rotate.name" . }}
helm.sh/chart: {{ include "cr-rotate.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "cr-rotate.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "cr-rotate.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
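Review bot: `cr-rotate.usr-envs` emits `value: {{ $val }}` unquoted, so a boolean- or number-looking value (`true`, `8080`, `1.10`) is re-typed by YAML and the DaemonSet is rejected because `env[].value` must be a string; change it to `value: {{ $val | quote }}`. The secret helper is fine since it only references the key, but it assumes the `{{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs` Secret exists, which is only rendered when `usrEnvs.secret` is non-empty — the same condition that drives this `range`, so the two stay in step as long as nobody changes one without the other; a one-line comment above the define saying so would help.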


@ -0,0 +1,88 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "cr-rotate.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: cr-rotote
{{ include "cr-rotate.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "cr-rotate.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}-{{ include "cr-rotate.name" . }}
release: {{ .Release.Name }}
APP_NAME: cr-rotate
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: {{ include "cr-rotate.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
env:
{{- include "cr-rotate.usr-envs" . | indent 12 }}
{{- include "cr-rotate.usr-secret-envs" . | indent 12 }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
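Review bot: `volumes:` is only rendered inside the `couchbase`/`hybrid` conditional at the bottom, so for any other `cnPersistenceType` the user's `.Values.volumes` are silently dropped while `.Values.volumeMounts` are still rendered, and the pod is rejected at validation for a mount that references a non-existent volume. Move `volumes:` and the `{{- with .Values.volumes }} … {{- end }}` block above the `{{- if or (eq … "couchbase") … }}` line, leaving only the two `cb-*` entries inside the conditional — the upgrader Job in this commit already uses that layout. This DaemonSet runs on every node with the Couchbase password and CA mounted and sets no `securityContext`; consider at least `runAsNonRoot: true` and `readOnlyRootFilesystem: true` on the container, and confirm it still needs to be a DaemonSet given the Chart description says the component may be deprecated in 5.0. The metadata label reads `APP_NAME: cr-rotote` while the pod template uses `cr-rotate`; the same typo appears in the Service and Secret of this chart.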


@ -0,0 +1,29 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.crRotateServiceName }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}-{{ include "cr-rotate.name" . }}
chart: {{ include "cr-rotate.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
APP_NAME: cr-rotote
{{ include "cr-rotate.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.service.port }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: {{ .Release.Name }}-{{ include "cr-rotate.name" . }}
release: {{ .Release.Name }}
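Review bot: The `app:` label is defined twice — explicitly on the first line under `labels:` and again via `{{ include "cr-rotate.labels" . }}`, whose define starts with the same `app:` key — producing a duplicate mapping key in the rendered Service; lenient decoders keep the last value (identical here, so it happens to work), strict ones reject the manifest. Drop the four legacy lines `app:`, `chart:`, `release:`, `heritage:` and let the include supply the labels, as the DaemonSet and Secret in this chart already do. The Service is named with the fixed `.Values.service.crRotateServiceName` (`cr-rotate`) rather than a release-prefixed name, so two releases in one namespace collide; since the values comment tells users to keep the default, a comment here explaining that the name is a contract with the consuming services would help. `APP_NAME: cr-rotote` is a typo for `cr-rotate`.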


@ -0,0 +1,23 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: cr-rotote
{{ include "cr-rotate.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
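Review bot: `{{ $val | b64enc }}` assumes every `usrEnvs.secret` value is a string; a numeric or boolean value in `values.yaml` makes the render fail inside Sprig's `b64enc`, so `{{ $key }}: {{ $val | toString | b64enc }}` is the safer form. The Secret also omits `metadata.namespace` while the DaemonSet and Service of this chart set it explicitly — Helm defaults to the release namespace, so it works, but aligning the three avoids confusion when someone renders with `helm template` and applies by hand.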


@ -0,0 +1,55 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- CacheRefreshRotation is a special container to monitor cache refresh on oxTrust containers. This may be depreciated.
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: gluufederation/cr-rotate
# -- Image tag to use for deploying.
tag: 5.0.0_dev
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 200m
# -- Memory limit.
memory: 200Mi
requests:
# -- CPU request.
cpu: 200m
# -- Memory request.
memory: 200Mi
service:
# -- Name of the cr-rotate service. Please keep it as default.
crRotateServiceName: cr-rotate
# -- Port of the casa service. Please keep it as default.
port: 8084
# -- The name of the cr-rotate port within the cr-rotate service. Please keep it as default.
name: http-cr-rotate
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
nameOverride: ""
fullnameOverride: ""
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
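Review bot: The default image is `gluufederation/cr-rotate:5.0.0_dev` with `pullPolicy: IfNotPresent` — a mutable development tag combined with a cached pull means different nodes of the DaemonSet can end up running different image contents, and a cluster never picks up a rebuilt tag, which is a poor fit for a chart labelled `catalog.cattle.io/certified: partner`. Pin to an immutable release tag (or extend the `repository:tag` template to accept a `@sha256:` digest) and, if a floating tag must remain, set `pullPolicy: Always` so every node pulls the same current image. The comment on `service.port` reads `Port of the casa service` — a copy-paste from another chart; it should read `Port of the cr-rotate service. Please keep it as default.`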


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,22 @@
apiVersion: v2
appVersion: 5.0.0
description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging
common devices to authenticate to online services in both mobile and desktop environments.
home: https://gluu.org/docs/gluu-server/
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- fido2
- u2f
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: fido2
sources:
- https://gluu.org/docs/gluu-server/
- https://github.com/JanssenProject/jans-fido2
- https://github.com/JanssenProject/docker-jans-fido2
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/fido2
type: application
version: 5.0.0


@ -0,0 +1,57 @@
# fido2
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
**Homepage:** <https://gluu.org/docs/gluu-server/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/gluu-server/>
* <https://github.com/JanssenProject/jans-fido2>
* <https://github.com/JanssenProject/docker-jans-fido2>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/fido2>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. |
| image.tag | string | `"1.0.0_b12"` | Image tag to use for deploying. |
| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. |
| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint |
| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"500m"` | CPU limit. |
| resources.limits.memory | string | `"500Mi"` | Memory limit. |
| resources.requests.cpu | string | `"500m"` | CPU request. |
| resources.requests.memory | string | `"500Mi"` | Memory request. |
| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. |
| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "fido2.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "fido2.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "fido2.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "fido2.labels" -}}
app: {{ .Release.Name }}-{{ include "fido2.name" . }}
helm.sh/chart: {{ include "fido2.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "fido2.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "fido2.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
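Review bot: `fido2.usr-envs` renders each custom variable as `value: {{ $val }}` with no quoting, so a user-supplied value such as `true`, `1.10`, `NO` or an empty string is emitted as a YAML bool/float/null and the Deployment is rejected, because `env[].value` must be a string; change it to `value: {{ $val | quote }}`. The same failure occurs for values that begin with `*`, `&`, `[` or `{` or that contain `: `, which YAML reads as an alias, flow collection or nested mapping. Since these values come straight from `--set`/values input, quoting is the safer default and matches the `secretKeyRef` branch, which already avoids the problem by not inlining the value.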


@ -0,0 +1,149 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "fido2.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Release.Name }}-{{ include "fido2.name" . }}
template:
metadata:
labels:
APP_NAME: fido2
app: {{ .Release.Name }}-{{ include "fido2.name" . }}
{{- if .Values.global.istio.ingress }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: {{ include "fido2.name" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
env:
{{- include "fido2.usr-envs" . | indent 12 }}
{{- include "fido2.usr-secret-envs" . | indent 12 }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
command:
- /bin/sh
- -c
- |
/usr/bin/python3 /scripts/updatelbip.py &
/app/scripts/entrypoint.sh
{{- end}}
ports:
- name: {{ .Values.service.name }}
containerPort: {{ .Values.service.port }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.global.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.global.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
volumeMounts:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
mountPath: "/etc/jans/conf/sql_password"
subPath: sql_password
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "fido2.fullname" .}}-updatelbip
mountPath: "/scripts"
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
mountPath: "/etc/gluu/conf/couchbase_password"
subPath: couchbase_password
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 10 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 10 }}
{{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
resources: {}
{{- else if .Values.global.cloud.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
{{- end }}
{{- if not .Values.global.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
- {{ .Values.global.fqdn }}
{{- end }}
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{- if eq .Values.global.cnPersistenceType "sql" }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
- name: cb-pass
secret:
secretName: {{ .Release.Name }}-cb-pass
{{- if not .Values.global.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
- name: {{ include "fido2.fullname" . }}-updatelbip
configMap:
name: {{ .Release.Name }}-updatelbip
{{- end }}
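Review bot: The container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`; it does not disable privilege escalation, drop capabilities or set a seccomp profile, so a compromised fido2 process could still regain capabilities through any setuid binary in the image. Because the service only listens on an unprivileged port (`service.port` defaults to 8080) the hardening below should be safe, though the image entrypoint and the conditional `updatelbip.py` wrapper should be checked for anything that needs a capability before it is enforced. The conditional `command:` override also backgrounds `updatelbip.py` with `&`, so a failure of that script is silent; that is pre-existing design but deserves a comment such as `# updatelbip.py runs best-effort in the background; its exit status is not checked`.
```yaml
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: env, command, ports, envFrom, volumeMounts, probes, resources …
```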


@ -0,0 +1,24 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-fido2-mtls
namespace: {{.Release.Namespace}}
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}
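Review bot: `mode: ISTIO_MUTUAL` on a DestinationRule only makes callers present a sidecar certificate when they talk to the fido2 service; it does not make the fido2 sidecar reject plaintext. Unless a `PeerAuthentication` with `mtls.mode: STRICT` is applied to this namespace or workload (it may live elsewhere in the umbrella chart, which is not visible here), a pod without a sidecar can still reach fido2 unauthenticated. A comment such as `# Client-side mTLS only; server-side enforcement requires a STRICT PeerAuthentication` would make that dependency explicit for operators.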


@ -0,0 +1,37 @@
{{- if .Values.global.istio.ingress }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ .Release.Name }}-istio-fido2-configuration
namespace: {{.Release.Namespace}}
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
hosts:
- {{ .Values.global.fqdn }}
gateways:
- {{ .Release.Name }}-global-gtw
http:
- name: {{ .Release.Name }}-istio-fido2-configuration
match:
- uri:
prefix: /.well-known/fido2-configuration
rewrite:
uri: /fido2/restv1/fido2/configuration
route:
- destination:
host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
port:
number: 8080
weight: 100
{{- end }}
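Review bot: The rewrite maps `/.well-known/fido2-configuration` to `/fido2/restv1/fido2/configuration`, while the probes in this same chart use a `/jans-fido2/` context path (`/jans-fido2/sys/health-check`); if the `janssenproject/fido2` image serves under `/jans-fido2`, the rewrite target returns 404 and FIDO2 discovery fails whenever Istio ingress is enabled. Please confirm the image's context path and, if it is `/jans-fido2`, change the rewrite to `uri: /jans-fido2/restv1/fido2/configuration`. The destination port is also hard-coded as `number: 8080` instead of `number: {{ .Values.service.port }}`, so changing the service port silently breaks routing.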


@ -0,0 +1,39 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "fido2.fullname" . }}
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "fido2.fullname" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
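Review bot: The manifest declares `apiVersion: autoscaling/v1` but conditionally emits `metrics:` and `behavior:`, which exist only in `autoscaling/v2beta2`/`v2`; on v1 the API server drops the unknown fields (or rejects them under strict field validation), so any custom metrics or scaling policies an operator configures silently do nothing. Since the chart already requires `kubeVersion >=v1.19.0-0`, switching to `autoscaling/v2beta2` (or `v2` on 1.23+) and expressing the CPU target as a Resource metric keeps all three values working. The HPA is also the only manifest in the chart without `namespace: {{ .Release.Namespace }}`.
```yaml
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
# … unchanged: metadata (add namespace: {{ .Release.Namespace }}) …
spec:
  # … unchanged: scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  metrics:
    {{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
  # … unchanged: behavior …
```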


@ -0,0 +1,27 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.global.fido2.fido2ServiceName }}
namespace: {{ .Release.Namespace }}
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.global.alb.ingress }}
type: NodePort
{{- end }}
ports:
- port: {{ .Values.service.port }}
name: {{ .Values.service.name }}
selector:
app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2
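Review bot: When `global.alb.ingress` is set the Service becomes `type: NodePort`, which opens the fido2 port on every node address outside the ingress path and its TLS termination, reachable by anything with node-network access. If the AWS load balancer controller is used in `target-type: ip` mode the Service can remain ClusterIP; if instance-mode targets are genuinely required, that constraint should be stated and the node security group relied on to restrict the port. A comment along the lines of `# NodePort is needed only for ALB instance-mode targets; prefer ip-mode with ClusterIP` would capture the trade-off for operators.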


@ -0,0 +1,23 @@
{{ if .Values.usrEnvs.secret }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
labels:
APP_NAME: fido2
{{ include "fido2.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
data:
{{- range $key, $val := .Values.usrEnvs.secret }}
{{ $key }}: {{ $val | b64enc }}
{{- end}}
{{- end}}
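Review bot: `{{ $key }}: {{ $val | b64enc }}` fails to render when a value under `usrEnvs.secret` is not a string (for example `PORT: 8080` or `DEBUG: true` set in values), because `b64enc` expects a string; use `{{ $key }}: {{ $val | toString | b64enc }}`. The Secret also lacks `namespace: {{ .Release.Namespace }}`, unlike the Deployment and Service in this chart. It is worth a values comment that anything placed in `usrEnvs.secret` ends up in plaintext in the values file and in the Helm release-history Secret, so this path is a convenience rather than a substitute for an external secret store.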


@ -0,0 +1,80 @@
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
# -- Configure the HorizontalPodAutoscaler
hpa:
enabled: true
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
# -- metrics if targetCPUUtilizationPercentage is not set
metrics: []
# -- Scaling Policies
behavior: {}
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: janssenproject/fido2
# -- Image tag to use for deploying.
tag: 1.0.0_b12
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Service replica number.
replicas: 1
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 500m
# -- Memory limit.
memory: 500Mi
requests:
# -- CPU request.
cpu: 500m
# -- Memory request.
memory: 500Mi
service:
# -- The name of the fido2 port within the fido2 service. Please keep it as default.
name: http-fido2
# -- Port of the fido2 service. Please keep it as default.
port: 8080
# -- Configure the liveness healthcheck for the fido2 if needed.
livenessProbe:
# -- http liveness probe endpoint
httpGet:
path: /jans-fido2/sys/health-check
port: http-fido2
initialDelaySeconds: 25
periodSeconds: 25
timeoutSeconds: 5
# -- Configure the readiness healthcheck for the fido2 if needed.
readinessProbe:
httpGet:
path: /jans-fido2/sys/health-check
port: http-fido2
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
additionalAnnotations: { }
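Review bot: `hpa.enabled: true` combined with `replicas: 1`, which the Deployment template renders unconditionally, means every `helm upgrade` resets the Deployment to one replica while the HPA is scaling it, producing churn; the usual fix is to omit `replicas:` from the Deployment when the HPA is enabled, or at least document the interaction next to `replicas`. From a supply-chain standpoint `tag: 1.0.0_b12` with `pullPolicy: IfNotPresent` is a mutable build tag, so consider adding and documenting a digest field (`image: repo@sha256:…`) for deployments that need immutable pinning. Quoting the tag (`tag: "1.0.0_b12"`) also guards against a future numeric-looking tag being parsed as a float.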


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,24 @@
apiVersion: v2
appVersion: 5.0.0
description: Jackrabbit Oak is a complementary implementation of the JCR specification.
It is an effort to implement a scalable and performant hierarchical content repository
for use as the foundation of modern world-class web sites and other demanding content
applications.
home: https://gluu.org/docs/gluu-server/installation-guide/install-kubernetes/#working-with-jackrabbit
icon: https://gluu.org/docs/gluu-server/favicon.ico
keywords:
- jackrabbit
- content repository
kubeVersion: '>=v1.19.0-0'
maintainers:
- email: support@gluu.org
name: Mohammad Abudayyeh
url: https://github.com/moabu
name: jackrabbit
sources:
- https://gluu.org/docs/gluu-server/installation-guide/install-kubernetes/#working-with-jackrabbit
- https://github.com/GluuFederation/docker-jackrabbit
- https://jackrabbit.apache.org/jcr/index.html
- https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/jackrabbit
type: application
version: 5.0.0


@ -0,0 +1,75 @@
# jackrabbit
![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications.
**Homepage:** <https://gluu.org/docs/gluu-server/installation-guide/install-kubernetes/#working-with-jackrabbit>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu |
## Source Code
* <https://gluu.org/docs/gluu-server/installation-guide/install-kubernetes/#working-with-jackrabbit>
* <https://github.com/GluuFederation/docker-jackrabbit>
* <https://jackrabbit.apache.org/jcr/index.html>
* <https://github.com/GluuFederation/cloud-native-edition/tree/master/pygluu/kubernetes/templates/helm/gluu/charts/jackrabbit>
## Requirements
Kubernetes: `>=v1.19.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. |
| dnsConfig | object | `{}` | Add custom dns config |
| dnsPolicy | string | `""` | Add custom dns policy |
| fullnameOverride | string | `""` | |
| hpa.behavior | object | `{}` | Scaling Policies |
| hpa.enabled | bool | `true` | |
| hpa.maxReplicas | int | `10` | |
| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
| hpa.minReplicas | int | `1` | |
| hpa.targetCPUUtilizationPercentage | int | `50` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| image.pullSecrets | list | `[]` | Image Pull Secrets |
| image.repository | string | `"gluufederation/jackrabbit"` | Image to use for deploying. |
| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. |
| jackrabbitVolumeMounts.repository.mountPath | string | `"/opt/jackrabbit/repository"` | |
| jackrabbitVolumeMounts.repository.name | string | `"jackrabbit-volume"` | |
| jackrabbitVolumeMounts.version.mountPath | string | `"/opt/jackrabbit/version"` | |
| jackrabbitVolumeMounts.version.name | string | `"jackrabbit-volume"` | |
| jackrabbitVolumeMounts.workspaces.mountPath | string | `"opt/jackrabbit/workspaces"` | |
| jackrabbitVolumeMounts.workspaces.name | string | `"jackrabbit-volume"` | |
| livenessProbe | object | `{"initialDelaySeconds":25,"periodSeconds":25,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5}` | Configure the liveness healthcheck for the Jackrabbit if needed. |
| livenessProbe.tcpSocket | object | `{"port":"http-jackrabbit"}` | Executes tcp healthcheck. |
| nameOverride | string | `""` | |
| readinessProbe | object | `{"initialDelaySeconds":30,"periodSeconds":30,"tcpSocket":{"port":"http-jackrabbit"},"timeoutSeconds":5}` | Configure the readiness healthcheck for the Jackrabbit if needed. |
| readinessProbe.tcpSocket | object | `{"port":"http-jackrabbit"}` | Executes tcp healthcheck. |
| replicas | int | `1` | Service replica number. |
| resources | object | `{"limits":{"cpu":"1500m","memory":"1000Mi"},"requests":{"cpu":"1500m","memory":"1000Mi"}}` | Resource specs. |
| resources.limits.cpu | string | `"1500m"` | CPU limit. |
| resources.limits.memory | string | `"1000Mi"` | Memory limit. |
| resources.requests.cpu | string | `"1500m"` | CPU request. |
| resources.requests.memory | string | `"1000Mi"` | Memory request. |
| secrets.cnJackrabbitAdminPassword | string | `"admin"` | Jackrabbit admin uid password |
| secrets.cnJackrabbitPostgresPassword | string | `"P@ssw0rd"` | Jackrabbit Postgres uid password |
| service.name | string | `"http-jackrabbit"` | The name of the jackrabbit port within the jackrabbit service. Please keep it as default. |
| service.port | int | `8080` | Port of the jackrabbit service. Please keep it as default. |
| storage.accessModes | string | `"ReadWriteOnce"` | |
| storage.size | string | `"5Gi"` | Jackrabbit volume size |
| storage.type | string | `"DirectoryOrCreate"` | |
| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -0,0 +1,83 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "jackrabbit.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "jackrabbit.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Generate random clusterId to appended to the name. This is relevent expecially when there are multiple kubernetes clusters where this id otherwise would be the same.
In Jackrabbit:
<Cluster id="<container hostname>">
<Journal class="org.apache.jackrabbit.core.journal.DatabaseJournal">
</Journal>
</Cluster>
*/}}
{{- define "jackrabbit.clusterId" -}}
{{- if .Values.clusterId -}}
{{- .Values.clusterId | lower -}}
{{- else -}}
{{- randAlpha 5 | lower -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "jackrabbit.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "jackrabbit.labels" -}}
app: {{ .Release.Name }}-{{ include "jackrabbit.name" . }}
helm.sh/chart: {{ include "jackrabbit.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create user custom defined envs
*/}}
{{- define "jackrabbit.usr-envs"}}
{{- range $key, $val := .Values.usrEnvs.normal }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- end }}
{{/*
Create user custom defined secret envs
*/}}
{{- define "jackrabbit.usr-secret-envs"}}
{{- range $key, $val := .Values.usrEnvs.secret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
key: {{ $key }}
{{- end }}
{{- end }}
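Review bot: `jackrabbit.clusterId` falls back to `randAlpha 5`, so with the documented empty default every `helm template`/`helm upgrade` produces a different id; because that id is embedded in the StatefulSet and HPA names, each upgrade creates a fresh StatefulSet (with fresh storage) instead of updating the existing one, and the HPA can end up pointing at a name that no longer exists. Prefer a stable derivation, for example requiring the value (`{{ required "clusterId must be set for upgrades" .Values.clusterId | lower }}`) or deriving it from `.Release.Name`, and say so in the helper comment. As a second point, `value: {{ $val }}` in `jackrabbit.usr-envs` should be `value: {{ $val | quote }}` so boolean- or number-looking user values are not rejected as non-string env values.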


@ -0,0 +1,38 @@
{{ if .Values.hpa.enabled -}}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "jackrabbit.fullname" . }}-{{ include "jackrabbit.clusterId" . }}
labels:
{{ include "jackrabbit.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: StatefulSet
name: {{ include "jackrabbit.fullname" . }}-{{ include "jackrabbit.clusterId" . }}
minReplicas: {{ .Values.hpa.minReplicas }}
maxReplicas: {{ .Values.hpa.maxReplicas }}
{{- if .Values.hpa.targetCPUUtilizationPercentage }}
targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
{{- else if .Values.hpa.metrics }}
metrics:
{{- with .Values.hpa.metrics }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hpa.behavior }}
behavior:
{{- with .Values.hpa.behavior }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
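Review bot: `apiVersion: autoscaling/v1` has no `metrics` or `behavior` fields, yet the template emits both when `hpa.metrics` or `hpa.behavior` is set, so those settings are silently dropped (or rejected under strict field validation); `autoscaling/v2beta2` is available for the declared `kubeVersion >=v1.19.0-0` and supports all three, with CPU expressed as a Resource metric under `metrics`. The HPA name and `scaleTargetRef.name` also embed `jackrabbit.clusterId`, which is random whenever `clusterId` is empty, so after an upgrade the HPA may target a StatefulSet name that differs from the one actually created. `namespace: {{ .Release.Namespace }}` is missing here as well.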


@ -0,0 +1,23 @@
{{- if .Values.global.istio.enabled }}
# License terms and conditions for Gluu Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: {{ .Release.Name }}-jackrabbit-mtls
namespace: {{.Release.Namespace}}
labels:
{{ include "jackrabbit.labels" . | indent 4}}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
spec:
host: {{ .Values.global.jackrabbit.jackRabbitServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
{{- end }}
