# Default values for shibboleth-sp. This is a YAML-formatted file.

##############
### global ###
##############

### Values in this section can be set by charts that depend on this chart.
global:
  # The FQDN which will point to this installation. Will be used by the route and the VirtualHost.
  # If you'd like to use a default route (and use the default wildcard tls certificate),
  # this MUST have the form: <host>.zh.shift.switchengines.ch
  domainName: ""

##############
### common ###
##############
nameOverride: ""
fullnameOverride: ""

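image:
  repository: "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp"
  # NOTE(review): a tag is a mutable pointer. For a reproducible, tamper-evident rollout pin the image by
  # digest if the chart's image template accepts one (otherwise verify the digest in your pipeline); with
  # pullPolicy IfNotPresent a node keeps running whatever it first pulled under this tag, even after the
  # tag has been re-pushed in the registry.
  tag: "0.2.3"
  pullPolicy: IfNotPresent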

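# Specify all secret(s) required to pull the images used for this installation.
# imagePullSecrets:
# - name:

replicaCount: 1

autoscaling:
  enabled: false
  # minReplicas:
  # maxReplicas:
  # targetCPUUtilizationPercentage:
  # targetMemoryUtilizationPercentage:

# ""   == no podAntiAffinity
# soft == podAntiAffinity preferred
# hard == podAntiAffinity required
podAntiAffinityPreset: ""

# podAnnotations: {}

# Pod-level security context, shared by every container in the pod.
# The backend and frontend containers already run non-root with all capabilities dropped; a pod-level
# seccomp profile is the usual remaining hardening step (and what the "restricted" Pod Security level expects):
# podSecurityContext:
#   seccompProfile:
#     type: RuntimeDefault
# podSecurityContext: {}

# These initContainers, containers and volumes are added to the Deployment in addition to those included in the Helm Chart.
# This could be useful to set up log shipping, for example.
# Containers added here do NOT inherit the backend/frontend securityContext - give each one its own
# (non-root, read-only root filesystem, no capabilities), since it shares the pod's network namespace and volumes.
initContainers: []
containers: []
volumes: []

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # NOTE(review): shibd and httpd should have no reason to call the Kubernetes API (the sealer-key
  # Job/CronJob uses its own account under backend.shibboleth.sessionCache.sealerKeys.serviceAccount).
  # Unless the templates already set automountServiceAccountToken: false, consider doing so, so that
  # a compromised container does not hold a cluster credential.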

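route:
  enabled: false
  # Annotations to add to the route
  annotations: {}
  # If you set letsEncrypt=true, you should probably also set keep=true, in order to keep the certificate in place.
  keep: false
  letsEncrypt: false
  # If you configure anything other than the default values for termination and insecureEdgeTerminationPolicy below,
  # you might have to manually edit the route and add certificate and private key data.
  # We can't expose these settings (particularly the private key data) here as such sensitive data should never be stored in a values file.
  # Sadly, OpenShift Routes don't support providing that data through Secrets, so we can't leverage those either.
  #
  # NOTE(review): with termination "edge" the router decrypts TLS and forwards plain HTTP to the pod, so SAML
  # assertions and the SP session cookie cross the router-to-pod hop unencrypted. If that hop is not trusted,
  # "reencrypt" is the alternative - it requires the frontend container to terminate TLS itself, which these
  # values do not configure.
  # Keep insecureEdgeTerminationPolicy at "Redirect" (or "None"); "Allow" would serve the SP over plain HTTP,
  # which undermines the secure-cookie defaults under backend.shibboleth.applicationDefaults.sessions.
  tls:
    path: ""
    termination: "edge"
    insecureEdgeTerminationPolicy: "Redirect"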

deployment:
  # To pick up ConfigMap and Secret changes, all pods in the Deployment need to be restarted. This can
  # be done manually, e.g. with `kubectl rollout restart deployment/<deployment>`, or automatically.
  automaticPodRollout:
    # This will trigger a rollout with every `helm install|upgrade`, independent of whether it's necessary or not.
    always: false
    # This will trigger a rollout if one of the built-in ConfigMap templates changes. Note that this won't
    # pick up changes to ConfigMaps or Secrets that are merely referenced but provided outside of this chart.
    onConfigMapChange: false

####################################
### backend / shibboleth (shibd) ###
####################################
backend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # These defaults are the hardened baseline: non-root, read-only root filesystem, no capabilities, no privilege escalation.
  # Only loosen them if you know what you're doing - and prefer an extra volumeMount over a writable root filesystem.
  securityContext:
    runAsUser: 101  # _shibd
    runAsGroup: 101 # _shibd
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

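  shibboleth:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    # They must be named attribute-map.xml, attribute-policy.xml, shibboleth2.xml and SWITCHaaiRootCA.crt.pem - other files will be ignored.
    # NOTE(review): overriding shibboleth2.xml / SWITCHaaiRootCA.crt.pem replaces the chart's metadata-trust
    # configuration wholesale; presumably the templated settings below (applicationDefaults, the setup-profile
    # toggles, sessionCache, memcached) are then ignored - verify against the chart's templates.
    configMap: ""

    # Must be set to the version installed in the image
    version: "3.2"

    # https://wiki.shibboleth.net/confluence/display/SP3/ApplicationDefaults
    applicationDefaults:
      entityID: ""       # e.g. "https://yourhost.example.org/shibboleth"
      homeURL: ""        # default: "/Shibboleth.sso/Session"
      remoteUser: ""     # default: "persistent-id uniqueID"

      # https://wiki.shibboleth.net/confluence/display/SP3/Sessions
      # The defaults require TLS for the handler URLs, restrict post-login redirects to this host and mark the
      # session cookie as HTTPS-only. Do not weaken them for a deployment that is reachable over plain HTTP:
      # the SP session cookie is a bearer credential, and a loose redirectLimit turns the SP into an open redirector.
      sessions:
        handlerSSL: ""    # default: "true"
        redirectLimit: "" # default: "host"
        cookieProps: ""   # default: "https"

      # https://wiki.shibboleth.net/confluence/display/SP3/Errors
      errors:
        supportContact: "" # e.g. "aai@yourhost.example.org"

      # X.509 certificate for SAML message signing/encrypting.
      # https://www.switch.ch/aai/guides/sp/configuration/#4
      # https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
      # Both values name existing Secrets holding the key pair - the private key itself never goes into this file.
      credentialResolver:
        activeSecretName: ""
        # https://www.switch.ch/aai/guides/sp/certificate-rollover/
        additionalSecretName: ""

    # Toggles that mimic those on https://www.switch.ch/aai/guides/sp/configuration/#setupprofile
    publicAttributes: false
    eduIDOnly: false
    interfederation: false

    # Configures client-side session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
    sessionCache:
      enabled: false
      persistedAttributes: ""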

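      # https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
      sealerKeys:
        # if enabled, sealer keys will be created and rotated in a secret automatically
        manage: true
        # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
        schedule: "@daily"

        # https://wiki.shibboleth.net/confluence/display/SP3/seckeygen
        # NOTE(review): schedule x numberOfKeysToKeep is the window in which client-side session data sealed
        # with an older key can still be decrypted (here about two weeks); keep it no longer than the SP's
        # session lifetime actually needs. Do not go below 128-bit keys - the sealer uses them as symmetric
        # keys to encrypt the client-side session data.
        numberOfKeysToKeep: 14
        sizeOfKeysInBits: 128

        # Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
        # This image must include shib-seckeygen and kubectl.
        image: {}
        # repository: ""
        # pullPolicy: ""
        # tag: ""

        # The global serviceAccount has minimal permissions, but for the sealer keys we need one that can read, create and replace secrets.
        # NOTE(review): "read secrets" in a namespace includes every other Secret there (TLS keys, the SAML
        # signing key referenced by credentialResolver). Check that the chart's Role limits get/update to the
        # secret named below via resourceNames (Kubernetes cannot scope `create` by name) and that it is a
        # namespaced Role, not a ClusterRole.
        serviceAccount:
          # Specifies whether a service account and a role binding should be created
          create: true
          # Annotations to add to the service account and role binding
          annotations: {}
          # The name of the service account to use.
          # If not set and create is true, a name is generated using the fullname template
          name: ""

        # The name of the secret to use.
        # If not set and manage is true, a name is generated using the fullname template
        secret: ""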

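    # Configures memcached session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
    # NOTE(review): memcached carries the session data in plaintext and does not authenticate clients by
    # default, so anything that can reach `hosts` can read or overwrite SP sessions. Keep it inside the
    # cluster and restrict access to the SP pods with a NetworkPolicy.
    memcached:
      enabled: false
      hosts: ""
      prefix: "SHIBD:"

    # logger
    # DEBUG-level logging can write attribute values and assertion contents into the container log;
    # keep INFO (or higher) in production.
    rootLogLevel: "INFO"
    consoleLogFormat: "%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n"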

##############################################
### frontend / apache2 (httpd + mod_shibd) ###
##############################################
frontend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # These defaults are the hardened baseline: non-root, read-only root filesystem, no capabilities, no privilege escalation.
  # Only loosen them if you know what you're doing - and prefer an extra volumeMount over a writable root filesystem.
  securityContext:
    runAsUser: 33  # www-data
    runAsGroup: 33 # www-data
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  apache:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    baseConfigMap: "" # must contain file `base.conf` - other files will be ignored
    mainConfigMap: ""
    modulesConfigMap: ""
    sitesConfigMap: ""

    # Whatever is configured here will be added as config files in addition to those included in the Helm Chart.
    # They are not used if the respective configMap was replaced with the settings above
    extraMainConfig: ""
    extraModulesConfig: ""
    extraSitesConfig: ""

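    # enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
    # Needed when remoteURL below is https://. NOTE(review): Apache's SSLProxyVerify defaults to "none", i.e.
    # the upstream certificate is NOT checked unless the site config sets SSLProxyVerify/SSLProxyCACertificateFile -
    # confirm the chart's templates do, or add those directives via extraSitesConfig.
    enableSSL: false

    # Settings for the actual apache/proxy config.
    # They are not used if `sitesConfigMap` is specified above.
    logLevel: ""          # default: "warn"
    logFormat: ""         # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    proxyPreserveHost: "" # default: "off"
    # NOTE(review): the application behind remoteURL must accept identity only from this proxy (e.g. via a
    # NetworkPolicy): if attributes are forwarded as request headers, any client that can reach it directly
    # could forge them.
    remoteURL: ""         # must be absolute (i.e. starting with http:// or https://)
    # Presumably the Apache access-control directives deciding which paths require a Shibboleth session;
    # this is the authorization boundary in front of remoteURL, so review it with every change to the proxy config.
    accessRules: ""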