feat: improve default config for ingress and redirects (#208)
- improve default configuration for ingress
- improve default redirects and environment config
#86
evegufy authored Oct 15, 2024
1 parent a12cf32 commit 789c09e
Showing 6 changed files with 52 additions and 65 deletions.
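--- a/charts/centralidp/README.md
+++ b/charts/centralidp/README.md
@@ -62,19 +62,11 @@ dependencies:
 | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes"` | |
 | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` | |
 | keycloak.service.sessionAffinity | string | `"ClientIP"` | |
-| keycloak.ingress.enabled | bool | `false` | |
-| keycloak.ingress.ingressClassName | string | `"nginx"` | |
-| keycloak.ingress.hostname | string | `"centralidp.example.org"` | Provide default path for the ingress record. |
-| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://centralidp.example.org"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | `"20"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | |
-| keycloak.ingress.tls | bool | `true` | |
+| keycloak.ingress.enabled | bool | `false` | Enable ingress record generation |
+| keycloak.ingress.ingressClassName | string | `""` | |
+| keycloak.ingress.hostname | string | `""` | Provide default path for the ingress record. |
+| keycloak.ingress.annotations | object | `{}` | Optional annotations when using the nginx ingress class; Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
+| keycloak.ingress.tls | bool | `false` | |
 | keycloak.rbac.create | bool | `true` | |
 | keycloak.rbac.rules[0].apiGroups[0] | string | `""` | |
 | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | |
@@ -100,8 +92,8 @@ dependencies:
 | keycloak.externalDatabase.existingSecretUserKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | |
-| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
-| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
+| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
+| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
 | realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. |
 | realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
 | realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. |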
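--- a/charts/centralidp/values.yaml
+++ b/charts/centralidp/values.yaml
@@ -58,24 +58,26 @@ keycloak:
 service:
 sessionAffinity: ClientIP
 ingress:
+# -- Enable ingress record generation
 enabled: false
-ingressClassName: nginx
+ingressClassName: ""
 # -- Provide default path for the ingress record.
-hostname: centralidp.example.org
-annotations:
-# -- Enable TLS configuration for the host defined at `ingress.hostname` parameter;
-# TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
-# Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
-cert-manager.io/cluster-issuer: ""
-nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org"
-nginx.ingress.kubernetes.io/enable-cors: "true"
-nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-nginx.ingress.kubernetes.io/proxy-buffering: "on"
-nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
-nginx.ingress.kubernetes.io/use-regex: "true"
-tls: true
+hostname: ""
+# -- Optional annotations when using the nginx ingress class;
+# Enable TLS configuration for the host defined at `ingress.hostname` parameter;
+# TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
+# Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
+annotations: {}
+# cert-manager.io/cluster-issuer: ""
+# nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+# nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+# nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org"
+# nginx.ingress.kubernetes.io/enable-cors: "true"
+# nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+# nginx.ingress.kubernetes.io/proxy-buffering: "on"
+# nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
+# nginx.ingress.kubernetes.io/use-regex: "true"
+tls: false
 rbac:
 create: true
 rules:
@@ -145,11 +147,11 @@ realmSeeding:
 clients:
 registration:
 redirects:
-- https://portal.example.org
+- https://portal.example.org/*
 portal:
 rootUrl: https://portal.example.org/home
 redirects:
-- https://portal.example.org
+- https://portal.example.org/*
 semantics:
 redirects:
 - https://portal.example.org/*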
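Review bot: The `registration` and `portal` redirect URIs in the second hunk widen from the exact origin `https://portal.example.org` to the path wildcard `https://portal.example.org/*`, so every path on that host becomes a valid receiver of the authorization code; any open redirect or script injection under the portal host then turns into a code-exfiltration path, which is why Keycloak's guidance is to keep redirect URIs as specific as the client allows. If the portal only calls back on a known set of paths, list those, or at least record why the wildcard is needed next to the list, e.g. `# -- Redirect URIs; keep as narrow as the portal callback paths allow, a path wildcard trusts every page on this host`. Separately, the first hunk now defaults `tls: false` while the seeded realm (per the README in this commit) keeps `sslRequired: external`, so an operator who only flips `ingress.enabled` presumably ends up with an HTTP-only ingress that Keycloak refuses for non-private clients; a one-line pointer such as `# -- set to true for any non-local setup, the seeded realm requires TLS for external clients (realmSeeding.sslRequired)` next to `tls: false` would prevent that. The `keycloak.ingress` mapping itself and the `realmSeeding.clients` mapping both start above their respective hunks.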
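--- a/charts/sharedidp/README.md
+++ b/charts/sharedidp/README.md
@@ -68,19 +68,11 @@ dependencies:
 | keycloak.initContainers[0].volumeMounts[1].name | string | `"themes-catenax-shared-portal"` | |
 | keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/themes-catenax-shared-portal"` | |
 | keycloak.service.sessionAffinity | string | `"ClientIP"` | |
-| keycloak.ingress.enabled | bool | `false` | |
-| keycloak.ingress.ingressClassName | string | `"nginx"` | |
-| keycloak.ingress.hostname | string | `"sharedidp.example.org"` | Provide default path for the ingress record. |
-| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://sharedidp.example.org"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | `"20"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | |
-| keycloak.ingress.tls | bool | `true` | |
+| keycloak.ingress.enabled | bool | `false` | Enable ingress record generation |
+| keycloak.ingress.ingressClassName | string | `""` | |
+| keycloak.ingress.hostname | string | `""` | Provide default path for the ingress record. |
+| keycloak.ingress.annotations | object | `{}` | Optional annotations when using the nginx ingress class; Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
+| keycloak.ingress.tls | bool | `false` | |
 | keycloak.rbac.create | bool | `true` | |
 | keycloak.rbac.rules[0].apiGroups[0] | string | `""` | |
 | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | |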
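--- a/charts/sharedidp/values.yaml
+++ b/charts/sharedidp/values.yaml
@@ -66,24 +66,26 @@ keycloak:
 service:
 sessionAffinity: ClientIP
 ingress:
+# -- Enable ingress record generation
 enabled: false
-ingressClassName: nginx
+ingressClassName: ""
 # -- Provide default path for the ingress record.
-hostname: sharedidp.example.org
-annotations:
-# -- Enable TLS configuration for the host defined at `ingress.hostname` parameter;
-# TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
-# Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
-cert-manager.io/cluster-issuer: ""
-nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-nginx.ingress.kubernetes.io/cors-allow-origin: "https://sharedidp.example.org"
-nginx.ingress.kubernetes.io/enable-cors: "true"
-nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-nginx.ingress.kubernetes.io/proxy-buffering: "on"
-nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
-nginx.ingress.kubernetes.io/use-regex: "true"
-tls: true
+hostname: ""
+# -- Optional annotations when using the nginx ingress class;
+# Enable TLS configuration for the host defined at `ingress.hostname` parameter;
+# TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
+# Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
+annotations: {}
+# cert-manager.io/cluster-issuer: ""
+# nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+# nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+# nginx.ingress.kubernetes.io/cors-allow-origin: "https://sharedidp.example.org"
+# nginx.ingress.kubernetes.io/enable-cors: "true"
+# nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+# nginx.ingress.kubernetes.io/proxy-buffering: "on"
+# nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
+# nginx.ingress.kubernetes.io/use-regex: "true"
+tls: false
 rbac:
 create: true
 rules: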
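Review bot: `hostname: ""` is now the default while `ingress.enabled` remains a one-line flip, and nothing in the hunk guards the combination; if the Keycloak subchart's ingress template (not visible here) only emits a `host:` rule when `hostname` is non-empty, an operator who enables the ingress and forgets the hostname gets a path-only rule that matches every host on a shared ingress controller and exposes the IdP under any name it is reached by. A values comment that states the contract, e.g. `# -- Mandatory when ingress.enabled is true; an empty value is NOT a wildcard and must not be deployed as such`, or a `required` check in the template, would make the failure loud instead of silent. The retained CORS example pairs a fixed `cors-allow-origin` with `cors-allow-credentials: "true"`, which is the only safe combination; the `# -- Optional annotations ...` comment could say so explicitly so that the origin is never widened to `*` while credentials stay enabled. The `keycloak.ingress` mapping starts above the hunk.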
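--- a/environments/helm-values/centralidp/values-int.yaml
+++ b/environments/helm-values/centralidp/values-int.yaml
@@ -46,12 +46,12 @@ realmSeeding:
 clients:
 registration:
 redirects:
-- https://portal.int.catena-x.net
+- https://portal.int.catena-x.net/*
 - http://localhost:3000/*
 portal:
 rootUrl: https://portal.int.catena-x.net/home
 redirects:
-- https://portal.int.catena-x.net
+- https://portal.int.catena-x.net/*
 - http://localhost:3000/*
 semantics:
 redirects: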
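Review bot: The widened `https://portal.int.catena-x.net/*` entries for `registration` and `portal` now sit next to the retained plaintext `http://localhost:3000/*` redirect, so the int realm accepts authorization codes both for every path on the hosted portal and for an unencrypted loopback listener; neither is wrong for a developer-facing integration environment, but the hunk gives no hint which of the two is intentional and the same list shape will be copied into the next environment file. A short comment at the list, e.g. `# localhost entry: local portal development against int only; drop when promoting this file`, would record that, and if int is not meant for local development the two `http://localhost:3000/*` lines should go. The enclosing `realmSeeding.clients` mapping starts above the hunk and the `semantics` list continues below it.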
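--- a/environments/helm-values/sharedidp/values-int.yaml
+++ b/environments/helm-values/sharedidp/values-int.yaml
@@ -43,7 +43,6 @@ keycloak:
 postgresPassword: "<path:portal/data/int/iam/sharedidp-keycloak#postgres-admin-user>"
 
 realmSeeding:
-enabled: true
 realms:
 cxOperator:
 centralidp: "https://centralidp.int.catena-x.net"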
