diff --git a/charts/gluu/openbanking-values.yaml b/charts/gluu/openbanking-values.yaml
index 535b9cc9d..834b6c9a5 100644
--- a/charts/gluu/openbanking-values.yaml
+++ b/charts/gluu/openbanking-values.yaml
@@ -1,48 +1,5 @@
 # -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
 auth-server:
-  # -- Add tolerations for the pods
-  tolerations: []
-  # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
-  # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
-  topologySpreadConstraints: {}
-  # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
-  # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
-  #tsc1:
-  # maxSkew: 1
-  # minDomains: 1 # optional; beta since v1.25
-  # topologyKey: kubernetes.io/hostname
-  # whenUnsatisfiable: DoNotSchedule
-  # matchLabelKeys: [] # optional; alpha since v1.25
-  # nodeAffinityPolicy: [] # optional; alpha since v1.25
-  # nodeTaintsPolicy: [] # optional; alpha since v1.25
-  #tsc2:
-  #maxSkew: 1
-  # -- Configure the PodDisruptionBudget
-  pdb:
-    enabled: true
-    maxUnavailable: "90%"
-  # -- Configure the HorizontalPodAutoscaler
-  hpa:
-    enabled: true
-    minReplicas: 1
-    maxReplicas: 10
-    targetCPUUtilizationPercentage: 50
-    # -- metrics if targetCPUUtilizationPercentage is not set
-    metrics: []
-    # -- Scaling Policies
-    behavior: {}
-  # -- Add custom normal and secret envs to the service
-  usrEnvs:
-    # -- Add custom normal envs to the service
-    # variable1: value1
-    normal: {}
-    # -- Add custom secret envs to the service
-    # variable1: value1
-    secret: {}
-  # -- Add custom dns policy
-  dnsPolicy: ""
-  # -- Add custom dns config
-  dnsConfig: {}
   image:
     # -- Image pullPolicy to use for deploying.
     pullPolicy: IfNotPresent
@@ -52,154 +9,9 @@ auth-server:
     tag: 0.0.0-nightly
     # -- Image Pull Secrets
     pullSecrets: [ ]
-  # -- Service replica number.
-  replicas: 1
-  # -- Resource specs.
-  resources:
-    limits:
-      # -- CPU limit.
-      cpu: 2500m
-      # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
-      memory: 2500Mi
-    requests:
-      # -- CPU request.
-      cpu: 2500m
-      # -- Memory request.
-      memory: 2500Mi
-  # -- Configure the liveness healthcheck for the auth server if needed.
-  livenessProbe:
-    # -- Executes the python3 healthcheck.
-    # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
-    exec:
-      command:
-        - python3
-        - /app/scripts/healthcheck.py
-    initialDelaySeconds: 30
-    periodSeconds: 30
-    timeoutSeconds: 5
-  # -- Configure the readiness healthcheck for the auth server if needed.
-  # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
-  readinessProbe:
-    exec:
-      command:
-        - python3
-        - /app/scripts/healthcheck.py
-    initialDelaySeconds: 25
-    periodSeconds: 25
-    timeoutSeconds: 5
-  # -- Configure any additional volumes that need to be attached to the pod
-  volumes: []
-  # -- Configure any additional volumesMounts that need to be attached to the containers
-  volumeMounts: []
-  # Actions on lifecycle events such as postStart and preStop
-  # Example
-  # lifecycle:
-  # postStart:
-  # exec:
-  # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
-  lifecycle: {}
-  # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
-  additionalLabels: { }
-  # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
-  additionalAnnotations: { }
-  # -- Add custom scripts that have been mounted to run before the entrypoint.
-  # - /tmp/custom.sh
-  # - /tmp/custom2.sh
-  customScripts: []
-  # -- Add custom pod's command. If passed, it will override the default conditional command.
-  customCommand: []
-  # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
-  nodeSelector: {}
-# -- Responsible for regenerating auth-keys per x hours
-auth-server-key-rotation:
-  # -- Add tolerations for the pods
-  tolerations: []
-  # -- Add custom normal and secret envs to the service
-  usrEnvs:
-    # -- Add custom normal envs to the service
-    # variable1: value1
-    normal: {}
-    # -- Add custom secret envs to the service
-    # variable1: value1
-    secret: {}
-  # -- Add custom dns policy
-  dnsPolicy: ""
-  # -- Add custom dns config
-  dnsConfig: {}
-  image:
-    # -- Image pullPolicy to use for deploying.
-    pullPolicy: IfNotPresent
-    # -- Image to use for deploying.
-    repository: ghcr.io/janssenproject/jans/cloudtools
-    # -- Image tag to use for deploying.
-    tag: 0.0.0-nightly
-    # -- Image Pull Secrets
-    pullSecrets: [ ]
-  # -- Auth server key rotation job schedule. It accepts any Cron syntax supported by Kubernetes. If empty, the schedule will run based on keysLife value.
-  cronJobSchedule: ""
-  # -- Auth server key rotation keys life in hours
-  keysLife: 48
-  # -- Set key selection strategy used by Auth server
-  keysStrategy: NEWER
-  # -- Delay (in seconds) before pushing private keys to Auth server
-  keysPushDelay: 0
-  # -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0)
-  keysPushStrategy: NEWER
-  # -- Resource specs.
-  resources:
-    limits:
-      # -- CPU limit.
-      cpu: 300m
-      # -- Memory limit.
-      memory: 300Mi
-    requests:
-      # -- CPU request.
-      cpu: 300m
-      # -- Memory request.
-      memory: 300Mi
-  # -- Configure any additional volumes that need to be attached to the pod
-  volumes: []
-  # -- Configure any additional volumesMounts that need to be attached to the containers
-  volumeMounts: []
-  # Actions on lifecycle events such as postStart and preStop
-  # Example
-  # lifecycle:
-  # postStart:
-  # exec:
-  # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
-  lifecycle: {}
-
-  # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
-  additionalLabels: { }
-  # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
-  additionalAnnotations: {}
-  # -- Add custom scripts that have been mounted to run before the entrypoint.
-  # - /tmp/custom.sh
-  # - /tmp/custom2.sh
-  customScripts: []
-  # -- Add custom job's command. If passed, it will override the default conditional command.
-  customCommand: []
-  # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
-  nodeSelector: {}
 # -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
 config:
-  # -- Add tolerations for the pods
-  tolerations: []
-  # -- Add custom normal and secret envs to the service.
-  usrEnvs:
-    # -- Add custom normal envs to the service.
-    # variable1: value1
-    normal: {}
-    # -- Add custom secret envs to the service.
-    # variable1: value1
-    secret: {}
-  # -- City. Used for certificate creation.
-  city: Austin
-  # -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value.
-  salt: ""
   configmap:
-    # -- Jetty header size in bytes in the auth server
-    cnJettyRequestHeaderSize: 8192
     # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`).
     cnSqlDbSchema: ""
     # -- SQL database dialect. `mysql` or `pgsql`
@@ -216,456 +28,30 @@ config:
     cnSqlDbTimezone: UTC
     # -- SQL password injected the secrets .
     cnSqldbUserPassword: Test1234#
-    # -- Enable SSL connection to SQL database.
-    cnSqlSslEnabled: false
-    # -- Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
-    cnSqlSslMode: ""
-    # -- Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication.
-    cnSqlSslCaCert: ""
-    # -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
-    cnSqlSslClientCert: ""
-    # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml.
-    cnSqlSslClientKey: ""
-    # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
-    cnCacheType: NATIVE_PERSISTENCE
-    # -- The name of the Kubernetes ConfigMap that will hold the configuration layer
-    cnConfigKubernetesConfigMap: cn
-    # [google_envs] Envs related to using Google
-    # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
-    cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
-    # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
-    cnGoogleProjectId: google-project-to-save-config-and-secrets-to
-    # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer
-    # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
-    cnGoogleSecretVersionId: "latest"
-    # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
-    cnGoogleSecretNamePrefix: gluu
-    # [google_secret_manager_envs] END
-    # [google_envs] END
-    # [aws_envs] Envs related to using AWS
-    # [aws_secret_manager_envs]
-    # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy
-    cnAwsAccessKeyId: ""
-    # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy
-    cnAwsSecretAccessKey: ""
-    #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws.
-    cnAwsSecretsEndpointUrl: ""
-    # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws.
-    cnAwsSecretsNamePrefix: gluu
-    # The default AWS Region to use, for example, `us-west-1` or `us-west-2`.
-    cnAwsDefaultRegion: us-west-1
-    # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
-    cnAwsProfile: gluu
-    # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}]
-    cnAwsSecretsReplicaRegions: []
-    # [aws_secret_manager_envs] END
-    # [aws_envs] END
-    # [vault_envs] Envs related to Hashicorp vault
-    # -- Vault AppRole RoleID.
-    cnVaultRoleId: ""
-    # -- Vault AppRole SecretID.
-    cnVaultSecretId: ""
-    # -- Base URL of Vault.
-    cnVaultAddr: http://localhost:8200
-    # -- Verify connection to Vault.
-    cnVaultVerify: false
-    # -- Path to file contains Vault AppRole role ID.
-    cnVaultRoleIdFile: /etc/certs/vault_role_id
-    # -- Path to file contains Vault AppRole secret ID.
-    cnVaultSecretIdFile: /etc/certs/vault_secret_id
-    # -- Vault namespace used to access the secrets.
-    cnVaultNamespace: ""
-    # -- Path to Vault KV secrets engine.
-    cnVaultKvPath: secret
-    # -- Base prefix name used to access secrets.
-    cnVaultPrefix: jans
-    # -- Path to Vault AppRole.
-    cnVaultAppRolePath: approle
-    # [vault_envs] END
-    # -- Value passed to Java option -XX:MaxRAMPercentage
-    cnMaxRamPercent: "75.0"
-    # -- SCIM protection mode OAUTH|TEST|UMA
-    cnScimProtectionMode: "OAUTH"
-    # -- Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.
-    #{
-    # "default": "",
-    # "user": "",
-    # "site": "",
-    # "cache": "",
-    # "token": "",
-    # "session": "",
-    #}
-    cnPersistenceHybridMapping: "{}"
-    # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
-    cnRedisSentinelGroup: ""
-    # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
-    cnRedisSslTruststore: ""
-    # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
-    cnRedisType: STANDALONE
-    # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
-    cnRedisUrl: "redis.redis.svc.cluster.local:6379"
-    # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
-    cnRedisUseSsl: false
-    # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
-    cnSecretKubernetesSecret: cn
-    # -- Load balancer address for AWS if the FQDN is not registered.
-    lbAddr: ""
-    # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details.
-    quarkusTransactionEnableRecovery: true
-    # -- Message type (one of POSTGRES, REDIS, or DISABLED)
-    cnMessageType: DISABLED
-  # -- Country code. Used for certificate creation.
-  countryCode: US
-  # -- Email address of the administrator usually. Used for certificate creation.
-  email: team@gluu.org
-  image:
-    # -- Image to use for deploying.
-    repository: ghcr.io/janssenproject/jans/configurator
-    # -- Image tag to use for deploying.
-    tag: 0.0.0-nightly
-    # -- Image Pull Secrets
-    pullSecrets: [ ]
-  # -- Organization name. Used for certificate creation.
-  orgName: Gluu
-  # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`.
-  redisPassword: P@assw0rd
-  # -- Resource specs.
-  resources:
-    limits:
-      # -- CPU limit.
-      cpu: 300m
-      # -- Memory limit.
-      memory: 300Mi
-    requests:
-      # -- CPU request.
-      cpu: 300m
-      # -- Memory request.
-      memory: 300Mi
-  # -- State code. Used for certificate creation.
-  state: TX
   # -- Configure any additional volumes that need to be attached to the pod
   volumes: []
   # -- Configure any additional volumesMounts that need to be attached to the containers
   volumeMounts: []
-  # Actions on lifecycle events such as postStart and preStop
-  # Example
-  # lifecycle:
-  # postStart:
-  # exec:
-  # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
-  lifecycle: {}
-  # -- Add custom dns policy
-  dnsPolicy: ""
-  # -- Add custom dns config
-  dnsConfig: {}
-  # -- CE to CN Migration section
-  migration:
-    # -- Boolean flag to enable migration from CE
-    enabled: false
-    # -- Directory holding all migration files
-    migrationDir: /ce-migration
-    # -- migration data-format depending on persistence backend.
-    # Supported data formats are ldif, postgresql+json, and mysql+json.
-    migrationDataFormat: ldif
-
-  # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
-  additionalLabels: { }
-  # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
-  additionalAnnotations: { }
-  # -- Add custom scripts that have been mounted to run before the entrypoint.
-  # - /tmp/custom.sh
-  # - /tmp/custom2.sh
-  customScripts: [ ]
-  # -- Add custom job's command. If passed, it will override the default conditional command.
-  customCommand: []
-  # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
-  nodeSelector: {}
-# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).
-config-api:
-  # -- Add tolerations for the pods
-  tolerations: []
-  # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
-  # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
-  topologySpreadConstraints: {}
-  # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
-  # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
-  #tsc1:
-  # maxSkew: 1
-  # minDomains: 1 # optional; beta since v1.25
-  # topologyKey: kubernetes.io/hostname
-  # whenUnsatisfiable: DoNotSchedule
-  # matchLabelKeys: [] # optional; alpha since v1.25
-  # nodeAffinityPolicy: [] # optional; alpha since v1.25
-  # nodeTaintsPolicy: [] # optional; alpha since v1.25
-  #tsc2:
-  #maxSkew: 1
-  # -- Configure the PodDisruptionBudget
-  pdb:
-    enabled: true
-    maxUnavailable: "90%"
-  # -- Configure the HorizontalPodAutoscaler
-  hpa:
-    enabled: true
-    minReplicas: 1
-    maxReplicas: 10
-    targetCPUUtilizationPercentage: 50
-    # -- metrics if targetCPUUtilizationPercentage is not set
-    metrics: []
-    # -- Scaling Policies
-    behavior: {}
-  # -- Add custom normal and secret envs to the service
-  usrEnvs:
-    # -- Add custom normal envs to the service
-    # variable1: value1
-    normal: {}
-    # -- Add custom secret envs to the service
-    # variable1: value1
-    secret: {}
-  # -- Add custom dns policy
-  dnsPolicy: ""
-  # -- Add custom dns config
-  dnsConfig: {}
-  image:
-    # -- Image pullPolicy to use for deploying.
-    pullPolicy: IfNotPresent
-    # -- Image to use for deploying.
-    repository: ghcr.io/janssenproject/jans/config-api
-    # -- Image tag to use for deploying.
-    tag: 0.0.0-nightly
-    # -- Image Pull Secrets
-    pullSecrets: [ ]
-  # -- Service replica number.
-  replicas: 1
-  # -- Resource specs.
-  resources:
-    limits:
-      # -- CPU limit.
-      cpu: 1000m
-      # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
-      memory: 1200Mi
-    requests:
-      # -- CPU request.
-      cpu: 1000m
-      # -- Memory request.
-      memory: 1200Mi
-  # -- Configure the liveness healthcheck for the auth server if needed.
-  livenessProbe:
-    # -- http liveness probe endpoint
-    httpGet:
-      path: /jans-config-api/api/v1/health/live
-      port: 8074
-    initialDelaySeconds: 30
-    periodSeconds: 30
-    timeoutSeconds: 5
-  readinessProbe:
-    # -- http readiness probe endpoint
-    httpGet:
-      path: jans-config-api/api/v1/health/ready
-      port: 8074
-    initialDelaySeconds: 25
-    periodSeconds: 25
-    timeoutSeconds: 5
-  # -- Configure any additional volumes that need to be attached to the pod
-  volumes: []
-  # -- Configure any additional volumesMounts that need to be attached to the containers
-  volumeMounts: []
-  # Actions on lifecycle events such as postStart and preStop
-  # Example
-  # lifecycle:
-  # postStart:
-  # exec:
-  # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
-  lifecycle: {}
-
-  # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
-  additionalLabels: { }
-  # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
-  additionalAnnotations: { }
-  # -- Add custom scripts that have been mounted to run before the entrypoint.
-  # - /tmp/custom.sh
-  # - /tmp/custom2.sh
-  customScripts: [ ]
-  # -- Add custom pod's command. If passed, it will override the default conditional command.
-  customCommand: []
-  # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
-  nodeSelector: {}
 # -- Parameters used globally across all services helm charts.
 global:
-  # -- Add custom normal and secret envs to the service.
-  # Envs defined in global.userEnvs will be globally available to all services
-  usrEnvs:
-    # -- Add custom normal envs to the service.
-    # variable1: value1
-    normal: {}
-    # -- Add custom secret envs to the service.
-    # variable1: value1
-    secret: {}
-  alb:
-    # -- Activates ALB ingress
-    ingress: false
   admin-ui:
     # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin.
     enabled: false
+    ingress:
+      # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice
+      adminUiEnabled: false
   auth-server:
-    # — Add custom annotations for kubernetes resources for the service
-    customAnnotations:
-      destinationRule: {}
-      podDisruptionBudget: {}
-      virtualService: {}
-      pod: {}
-      deployment: {}
-      horizontalPodAutoscaler: {}
-      service: {}
-      secret: {}
-    # -- Name of the auth-server service. Please keep it as default.
-    authServerServiceName: auth-server
-    # -- Boolean flag to enable/disable auth-server chart. You should never set this to false.
-    enabled: true
-    # -- passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
-    cnCustomJavaOptions: ""
-    # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
-    appLoggers:
-      # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO
-      enableStdoutLogPrefix: "true"
-      # -- jans-auth.log target
-      authLogTarget: "STDOUT"
-      # -- jans-auth.log level
-      authLogLevel: "INFO"
-      # -- http_request_response.log target
-      httpLogTarget: "FILE"
-      # -- http_request_response.log level
-      httpLogLevel: "INFO"
-      # -- jans-auth_persistence.log target
-      persistenceLogTarget: "FILE"
-      # -- jans-auth_persistence.log level
-      persistenceLogLevel: "INFO"
-      # -- jans-auth_persistence_duration.log target
-      persistenceDurationLogTarget: "FILE"
-      # -- jans-auth_persistence_duration.log level
-      persistenceDurationLogLevel: "INFO"
-      # -- jans-auth_script.log target
-      scriptLogTarget: "FILE"
-      # -- jans-auth_script.log level
-      scriptLogLevel: "INFO"
-      # -- jans-auth_script.log target
-      auditStatsLogTarget: "FILE"
-      # -- jans-auth_audit.log level
-      auditStatsLogLevel: "INFO"
-    # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
-    authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"
-    # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
-    authEncKeys: "RSA1_5 RSA-OAEP"
-    # -- Enable endpoints in either istio or nginx ingress depending on users choice
     ingress:
-      # -- Enable Auth server endpoints /jans-auth
-      authServerEnabled: true
-      # -- Enable endpoint /.well-known/openid-configuration
-      openidConfigEnabled: true
-      # -- Enable endpoint /device-code
-      deviceCodeEnabled: true
-      # -- Enable endpoint /firebase-messaging-sw.js
-      firebaseMessagingEnabled: true
-      # -- Enable endpoint /.well-known/uma2-configuration
-      uma2ConfigEnabled: true
-      # -- Enable endpoint /.well-known/webfinger
-      webfingerEnabled: true
-      # -- Enable endpoint /.well-known/simple-web-discovery
-      webdiscoveryEnabled: true
-      # -- Enable endpoint /.well-known/fido-configuration
-      u2fConfigEnabled: true
       # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token.
       authServerProtectedToken: true
       # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/register.
       authServerProtectedRegister: true
-      # -- Enable endpoint /.well-known/lock-server-configuration
-      lockConfigEnabled: false
-      # -- Enable endpoint /jans-lock
-      lockEnabled: false
-      # -- Lock config ingress resource labels. key app is taken
-      lockConfigLabels: { }
-      # -- Lock config ingress resource additional annotations.
-      lockConfigAdditionalAnnotations: { }
-      # -- Lock ingress resource labels. key app is taken
-      lockLabels: { }
-      # -- Lock ingress resource additional annotations.
-      lockAdditionalAnnotations: { }
-      # -- openid-configuration ingress resource labels. key app is taken
-      openidConfigLabels: { }
-      # -- openid-configuration ingress resource additional annotations.
-      openidAdditionalAnnotations: { }
-      # -- device-code ingress resource labels. key app is taken
-      deviceCodeLabels: { }
-      # -- device-code ingress resource additional annotations.
-      deviceCodeAdditionalAnnotations: { }
-      # -- Firebase Messaging ingress resource labels. key app is taken
-      firebaseMessagingLabels: { }
-      # -- Firebase Messaging ingress resource additional annotations.
-      firebaseMessagingAdditionalAnnotations: { }
-      # -- uma2 config ingress resource labels. key app is taken
-      uma2ConfigLabels: { }
-      # -- uma2 config ingress resource additional annotations.
-      uma2AdditionalAnnotations: { }
-      # -- webfinger ingress resource labels. key app is taken
-      webfingerLabels: { }
-      # -- webfinger ingress resource additional annotations.
-      webfingerAdditionalAnnotations: { }
-      # -- webdiscovery ingress resource labels. key app is taken
-      webdiscoveryLabels: { }
-      # -- webdiscovery ingress resource additional annotations.
-      webdiscoveryAdditionalAnnotations: { }
-      # -- u2f config ingress resource labels. key app is taken
-      u2fConfigLabels: { }
-      # -- u2f config ingress resource additional annotations.
-      u2fAdditionalAnnotations: { }
-      # -- Enable endpoint /.well-known/authzen-configuration
-      authzenConfigEnabled: true
-      # -- authzen config ingress resource labels. key app is taken
-      authzenConfigLabels: { }
-      # -- authzen config ingress resource additional annotations.
-      authzenAdditionalAnnotations: { }
-      # -- Auth server ingress resource labels. key app is taken
-      authServerLabels: { }
-      # -- Auth server ingress resource additional annotations.
-      authServerAdditionalAnnotations: { }
-      # -- Auth server protected token ingress resource labels. key app is taken
-      authServerProtectedTokenLabels: { }
-      # -- Auth server protected token ingress resource additional annotations.
-      authServerProtectedTokenAdditionalAnnotations: { }
-      # -- Auth server protected token ingress resource labels. key app is taken
-      authServerProtectedRegisterLabels: { }
-      # -- Auth server protected register ingress resource additional annotations.
-      authServerProtectedRegisterAdditionalAnnotations: { }
-    # -- Enable jans-lock as service running inside auth-server
-    lockEnabled: false
-
-  auth-server-key-rotation:
-    # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart.
-    enabled: true
-    # — Add custom annotations for kubernetes resources for the service
-    customAnnotations:
-      cronjob: {}
-      service: {}
-      secret: {}
-    # -- The initial auth server key rotation keys life in hours
-    initKeysLife: 48
-  # -- Volume storage type if using AWS volumes.
-  awsStorageType: io1
-  # -- Volume storage type if using Azure disks.
-  azureStorageAccountType: Standard_LRS
-  # -- Azure storage kind if using Azure disks
-  azureStorageKind: Managed
   casa:
     # -- Boolean flag to enable/disable the casa chart.
     enabled: false
   cloud:
     # -- Boolean flag if enabled will strip resources requests and limits from all services.
     testEnviroment: false
-  # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number.
-  cnPrometheusPort: ""
-  # -- Document store type to use for shibboleth files DB.
-  cnDocumentStoreType: DB
-  # -- Persistence backend to run Gluu with hybrid|sql.
-  cnPersistenceType: sql
   # -- Open banking external signing jwks uri. Used in SSA Validation.
   cnObExtSigningJwksUri: "https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks"
   # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
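Review bot: After this trim, `cnSqldbUserPassword: Test1234#` (context line under `config.configmap`) is the one literal credential this overlay still ships, and because the overlay is layered on top of the chart defaults, an install that does not override it is left with that password. Its description is also garbled; suggest `# -- SQL password injected into the secrets layer. The shipped value is a placeholder; override it at install time (for example via --set or a separate values file).` The SQL TLS keys (`cnSqlSslEnabled` and related) are removed here and now come from the base values.yaml, which is outside this diff, so whether TLS to the database stays off by default for this distribution cannot be confirmed from the hunk.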
@@ -688,97 +74,11 @@ global:
   cnObTransportAlias: ""
   # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.
   cnObTransportTrustStore: ""
-  config:
-    # — Add custom annotations for kubernetes resources for the service
-    customAnnotations:
-      clusterRoleBinding: {}
-      configMap: {}
-      job: {}
-      roleBinding: {}
-      role: {}
-      secret: {}
-      service: {}
-      serviceAccount: {}
-    # -- Boolean flag to enable/disable the configuration chart. This normally should never be false
-    enabled: true
-    # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
-    jobTtlSecondsAfterFinished: 300
-    # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes
-    configAdapterName: kubernetes
-    # -- The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes
-    configSecretAdapter: kubernetes
-    # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default.
-    cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json
-    # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default.
-    cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file
-    # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default.
-    cnAwsConfigFile: /etc/jans/conf/aws_config_file
-    # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default.
-    cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions
-  config-api:
-    # — Add custom annotations for kubernetes resources for the service
-    customAnnotations:
-      destinationRule: {}
-      podDisruptionBudget: {}
-      virtualService: {}
-      pod: {}
-      deployment: {}
-      horizontalPodAutoscaler: {}
-      service: {}
-    # -- Name of the config-api service. Please keep it as default.
-    configApiServerServiceName: config-api
-    # -- Boolean flag to enable/disable the config-api chart.
-    enabled: true
-    # -- passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
-    cnCustomJavaOptions: ""
-    # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
-    appLoggers:
-      # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO
-      enableStdoutLogPrefix: "true"
-      # -- configapi.log target
-      configApiLogTarget: "STDOUT"
-      # -- configapi.log level
-      configApiLogLevel: "INFO"
-      # -- config-api_persistence.log target
-      persistenceLogTarget: "FILE"
-      # -- config-api_persistence.log level
-      persistenceLogLevel: "INFO"
-      # -- config-api_persistence_duration.log target
-      persistenceDurationLogTarget: "FILE"
-      # -- config-api_persistence_duration.log level
-      persistenceDurationLogLevel: "INFO"
-      # -- config-api_script.log target
-      scriptLogTarget: "FILE"
-      # -- config-api_script.log level
-      scriptLogLevel: "INFO"
-    adminUiAppLoggers:
-      # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO
-      enableStdoutLogPrefix: "true"
-      # -- config-api admin-ui plugin log level
-      adminUiLogTarget: "FILE"
-      # -- config-api admin-ui plugin log target
-      adminUiLogLevel: "INFO"
-      # -- config-api admin-ui plugin audit log target
-      adminUiAuditLogTarget: "FILE"
-      # -- config-api admin-ui plugin audit log level
-      adminUiAuditLogLevel: "INFO"
-    # -- Enable endpoints in either istio or nginx ingress depending on users choice
-    ingress:
-      # Enable config API endpoints /jans-config-api
-      configApiEnabled: true
-      # -- configAPI ingress resource labels. key app is taken
-      configApiLabels: { }
-      # -- ConfigAPI ingress resource additional annotations.
-      configApiAdditionalAnnotations: { }
-    # -- Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt", "kc-saml")
-    plugins: "admin-ui,fido2,scim,user-mgt"
   # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.
   fqdn: demoexample.gluu.org
   fido2:
     # -- Boolean flag to enable/disable the fido2 chart.
     enabled: false
-  # -- GCE storage kind if using Google disks
-  gcePdStorageType: pd-standard
   # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.
   isFqdnRegistered: false
   istio:
@@ -804,55 +104,17 @@ global:
enabled: true
# -- Gluu distributions supported are: default|openbanking.
distribution: openbanking
- persistence:
- # — Add custom annotations for kubernetes resources for the service
- customAnnotations:
- job: {}
- service: {}
- secret: {}
- # -- Boolean flag to enable/disable the persistence chart.
- enabled: true
- # -- service account used by Kubernetes resources
- serviceAccountName: default
scim:
# -- Boolean flag to enable/disable the SCIM chart.
enabled: false
# -- StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.
- storageClass:
- allowVolumeExpansion: true
- allowedTopologies: []
- mountOptions:
- - debug
- # -- parameters:
- #fsType: ""
- #kind: ""
- #pool: ""
- #storageAccountType: ""
- #type: ""
- parameters: {}
- provisioner: microk8s.io/hostpath
- reclaimPolicy: Retain
- volumeBindingMode: WaitForFirstConsumer
saml:
# -- Boolean flag to enable/disable the saml chart.
enabled: false
# -- Path to SQL password file
- cnSqlPasswordFile: /etc/jans/conf/sql_password
kc-scheduler:
# -- Boolean flag to enable/disable the kc-scheduler cronjob chart.
enabled: false
- # -- Path to configuration schema file
- cnConfiguratorConfigurationFile: /etc/jans/conf/configuration.json
- # -- Path to dumped configuration schema file
- cnConfiguratorDumpFile: /etc/jans/conf/configuration.out.json
- # -- Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile.
- cnConfiguratorCustomSchema:
- # -- The name of the secrets used for storing custom configuration schema.
- secretName: ""
- # -- Key to encrypt/decrypt configuration schema file using AES-256 CBC mode. Set the value to empty string to disable encryption/decryption, or 32 alphanumeric characters to enable it.
- cnConfiguratorKey: ""
- # -- Path to the file that contains the key to encrypt/decrypt the configuration schema file.
- cnConfiguratorKeyFile: /etc/jans/conf/configuration.key
# -- Enable cleanup job
cleanup:
# -- Boolean flag to enable/disable the cleanup cronjob chart.
@@ -912,20 +174,6 @@ nginx-ingress:
# -- Job to generate data and initial config for Gluu Server persistence layer.
persistence:
- # -- Add tolerations for the pods
- tolerations: []
- # -- Add custom normal and secret envs to the service
- usrEnvs:
- # -- Add custom normal envs to the service
- # variable1: value1
- normal: {}
- # -- Add custom secret envs to the service
- # variable1: value1
- secret: {}
- # -- Add custom dns policy
- dnsPolicy: ""
- # -- Add custom dns config
- dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
@@ -935,104 +183,3 @@ persistence:
tag: 0.0.0-nightly
# -- Image Pull Secrets
pullSecrets: [ ]
- # -- Resource specs.
- resources:
- limits:
- # -- CPU limit
- cpu: 300m
- # -- Memory limit.
- memory: 300Mi
- requests:
- # -- CPU request.
- cpu: 300m
- # -- Memory request.
- memory: 300Mi
- # -- Configure any additional volumes that need to be attached to the pod
- volumes: []
- # -- Configure any additional volumesMounts that need to be attached to the containers
- volumeMounts: []
- # Actions on lifecycle events such as postStart and preStop
- # Example
- # lifecycle:
- # postStart:
- # exec:
- # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
- lifecycle: {}
-
- # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
- additionalLabels: { }
- # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
- additionalAnnotations: { }
- # -- Add custom scripts that have been mounted to run before the entrypoint.
- # - /tmp/custom.sh
- # - /tmp/custom2.sh
- customScripts: [ ]
- # -- Add custom job's command. If passed, it will override the default conditional command.
- customCommand: []
- # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
- nodeSelector: {}
-
-# -- Cleanup expired entries in persistence
-cleanup:
- # -- Add tolerations for the pods
- tolerations: [ ]
- # -- Add custom normal and secret envs to the service
- usrEnvs:
- # -- Add custom normal envs to the service
- # variable1: value1
- normal: {}
- # -- Add custom secret envs to the service
- # variable1: value1
- secret: {}
- # -- Add custom dns policy
- dnsPolicy: ""
- # -- Add custom dns config
- dnsConfig: {}
- image:
- # -- Image pullPolicy to use for deploying.
- pullPolicy: IfNotPresent
- # -- Image to use for deploying.
- repository: ghcr.io/janssenproject/jans/cloudtools
- # -- Image tag to use for deploying.
- tag: 0.0.0-nightly
- # -- Image Pull Secrets
- pullSecrets: [ ]
- # -- Resource specs.
- resources:
- limits:
- # -- CPU limit.
- cpu: 300m
- # -- Memory limit.
- memory: 300Mi
- requests:
- # -- CPU request.
- cpu: 300m
- # -- Memory request.
- memory: 300Mi
- # -- Interval of running the cleanup process (in minutes)
- interval: 60
- # -- Max. numbers of entries to cleanup
- limit: 1000
- # -- Configure any additional volumes that need to be attached to the pod
- volumes: []
- # -- Configure any additional volumesMounts that need to be attached to the containers
- volumeMounts: []
- # Actions on lifecycle events such as postStart and preStop
- # Example
- # lifecycle:
- # postStart:
- # exec:
- # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
- lifecycle: {}
- # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
- additionalLabels: { }
- # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
- additionalAnnotations: {}
- # -- Add custom scripts that have been mounted to run before the entrypoint.
- # - /tmp/custom.sh
- # - /tmp/custom2.sh
- customScripts: []
- # -- Add custom job's command. If passed, it will override the default conditional command.
- customCommand: []
- # -- Add nodeSelector (see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
- nodeSelector: {}
diff --git a/docs/openbanking/install-cn.md b/docs/openbanking/install-cn.md
index 9b5f6887d..4c1615f74 100644
--- a/docs/openbanking/install-cn.md
+++ b/docs/openbanking/install-cn.md
@@ -64,21 +64,23 @@ Use the listing below for a detailed estimation of the minimum required resource ```yaml nginx-ingress: ingress: - additionalAnnotations: - nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" - nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-ob-ca-certificates" - nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" - nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: + nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-ob-ca-certificates" + nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" ``` Adding these annotations will enable [client certificate authentication](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication). - Enable `authServerProtectedToken` and `authServerProtectedRegister`: ```yaml - global + global: auth-server: ingress: + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. authServerProtectedToken: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/register. authServerProtectedRegister: true ``` @@ -115,7 +117,7 @@ Use the listing below for a detailed estimation of the minimum required resource kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt ``` -1. Inject OBIE signed certs, keys and uri: +1. Inject OBIE certificates, keys and URI: 1. base64 encode all `.pem` and `.key` files. 
@@ -188,19 +190,6 @@ Use the listing below for a detailed estimation of the minimum required resource helm install gluu gluu-flex/gluu -n gluu -f openbanking-values.yaml ``` -### Install on microK8s(development/testing) - -On your Ubuntu VM, run the following commands: - -```bash -sudo su - -wget https://raw.githubusercontent.com/GluuFederation/flex/main/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh -``` - -Running this script will install the Gluu Open Banking Platform with mTLS enabled along with the mysql backend as a persistence. - -After running the script, you can go ahead and [test the setup](#testing-the-setup). - ## Testing the setup After successful installation, you can access and test the Gluu Open Banking Platform using either [curl](https://docs.gluu.org/head/openbanking/curl/) or [Jans-CLI](https://docs.gluu.org/head/openbanking/jans-cli/). @@ -219,7 +208,7 @@ After successful installation, you can access and test the Gluu Open Banking Pla 1. Get a token. To pass the mTLS network boundary, you must use your Open Banking transport certificates (replace `obtransport.pem` and `obtransport.key` with your actual filenames): ```bash - TOKEN=$(curl -s -k -u $TESTCLIENT:$TESTCLIENTSECRET https:///jans-auth/restv1/token -d "grant_type=client_credentials&scope=[https://jans.io/oauth/jans-auth-server/config/properties.write](https://jans.io/oauth/jans-auth-server/config/properties.write)" --cert obtransport.pem --key obtransport.key | grep -o '"access_token":"[^"]*' | cut -d'"' -f4) + TOKEN=$(curl -s -k -u $TESTCLIENT:$TESTCLIENTSECRET https://demoexample.gluu.org/jans-auth/restv1/token -d "grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write" --cert obtransport.pem --key obtransport.key | grep -o '"access_token":"[^"]*' | cut -d'"' -f4) echo "My Token is: $TOKEN" ``` 
@@ -227,7 +216,7 @@ After successful installation, you can access and test the Gluu Open Banking Pla 1. Add the entry `staticKid` to force the AS to use a specific signing key. Please modify `XhCYDfFM7UFXHfykNaLk1aLCnZM` to the kid to be used: ```bash - curl -k -X PATCH "https:///jans-config-api/api/v1/jans-auth-server/config" \ + curl -k -X PATCH "https://demoexample.gluu.org/jans-config-api/api/v1/jans-auth-server/config" \ -H "accept: application/json" \ -H "Content-Type: application/json-patch+json" \ -H "Authorization: Bearer $TOKEN" \