# Default values for shibboleth-sp. This is a YAML-formatted file.

##############
### global ###
##############

### Values in this section can be set by charts that depend on this chart.
global:
  # The FQDN which will point to this installation. Will be used by the route and the VirtualHost.
  # If you'd like to use a default route (and use the default wildcard tls certificate),
  # this MUST have the form: <host>.zh.shift.switchengines.ch
  # NOTE: this only sets the public hostname. The SAML entityID is a separate
  # setting (backend.shibboleth.applicationDefaults.entityID) and must be
  # configured on its own.
  domainName: ""

##############
### common ###
##############
nameOverride: ""
fullnameOverride: ""

# The image is pinned by a (mutable) version tag below. For stronger supply-chain
# guarantees consider pinning by digest, if the image templates support it, and
# verifying the image's signature/provenance in CI before deploying.
image:
  repository: "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp"
  tag: "0.2.3"
  pullPolicy: IfNotPresent

# Specify all secret(s) required to pull the images used for this installation.
# imagePullSecrets:
# - name:

# NOTE(review): both shared session stores (backend.shibboleth.sessionCache and
# backend.shibboleth.memcached) are disabled by default, so with more than one
# replica users will presumably need sticky sessions or one of those stores
# enabled — verify before scaling out.
replicaCount: 1

autoscaling:
  enabled: false
  # minReplicas:
  # maxReplicas:
  # targetCPUUtilizationPercentage:
  # targetMemoryUtilizationPercentage:

# ""   == no podAntiAffinity
# soft == podAntiAffinity preferred
# hard == podAntiAffinity required
podAntiAffinityPreset: ""

# podAnnotations: {}

# NOTE(review): none of the defaults in this file set a seccompProfile. The Pod
# Security `restricted` profile expects `seccompProfile.type: RuntimeDefault`
# (pod- or container-level); set it here if the target cluster's admission
# (e.g. OpenShift SCCs) permits it.
# podSecurityContext: {}

# These initContainers, containers and volumes are added to the Deployment in addition to those included in the Helm Chart.
# This could be useful to set up log shipping, for example.
# The hardened securityContext defaults further down are per-container settings of
# the chart's own backend/frontend containers; give every container added here its
# own securityContext so it is not the weakest link in the pod.
initContainers: []
containers: []
volumes: []

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  # NOTE(review): this account is described below as having minimal permissions;
  # if the pods need no API access at all, consider disabling token automount
  # (automountServiceAccountToken: false) on it, if the templates support that.
  name: ""
route:
  enabled: false
  # Annotations to add to the route
  annotations: {}
  # If you set letsEncrypt=true, you should probably also set keep=true, in order to keep the certificate in place.
  keep: false
  letsEncrypt: false
  # If you configure anything other than the default values for termination and insecureEdgeTerminationPolicy below,
  # you might have to manually edit the route and add certificate and private key data.
  # We can't expose these settings (particularly the private key data) here as such sensitive data should never be stored in a values file.
  # Sadly, OpenShift Routes don't support providing that data through Secrets, so we can't leverage those either.
  tls:
    path: ""
    # "edge": TLS terminates at the OpenShift router and the hop from the router to
    # the pod is plain HTTP inside the cluster. Use "reencrypt" or "passthrough" if
    # that in-cluster hop must be encrypted as well.
    termination: "edge"
    # "Redirect" sends plain-HTTP clients to HTTPS. Prefer this (or "None") over
    # "Allow", so SAML assertions and session cookies are never exchanged over
    # cleartext.
    insecureEdgeTerminationPolicy: "Redirect"

deployment:
  # To pick up ConfigMap and Secret changes, all pods in the Deployment need to be restarted. This can
  # be done manually, e.g. with `kubectl rollout restart deployment/<deployment>`, or automatically.
  automaticPodRollout:
    # This will trigger a rollout with every `helm install|upgrade`, independent of whether it's necessary or not.
    always: false
    # This will trigger a rollout if one of the built-in ConfigMap templates changes. Note that this won't
    # pick up changes to ConfigMaps or Secrets that are merely referenced but provided outside of this chart.
    # NOTE(review): the same applies to the sealer-key Secret that the CronJob under
    # backend.shibboleth.sessionCache.sealerKeys rotates on a schedule — whether shibd
    # sees new key versions without a restart depends on how that Secret is mounted and
    # reloaded; verify this after enabling rotation.
    onConfigMapChange: false

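####################################
### backend / shibboleth (shibd) ###
####################################
backend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  # Capability names are uppercase constants, and admission checks such as the Pod
  # Security `restricted` profile look for the literal `ALL`; a lowercase `all` may
  # be treated as an unknown capability name instead of "drop everything".
  # NOTE(review): no seccompProfile is set here; `restricted` also expects
  # `seccompProfile.type: RuntimeDefault` — add it if the target cluster's admission
  # (e.g. OpenShift SCCs) allows it.
  securityContext:
    runAsUser: 101  # _shibd
    runAsGroup: 101 # _shibd
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL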

  # No probes on shibd by default. The frontend's readiness probe covers it
  # indirectly: its `/` check is documented below as also failing when shibd is dead.
  readinessProbe: {}
  livenessProbe: {}

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  shibboleth:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    # They must be named attribute-map.xml, attribute-policy.xml, shibboleth2.xml and SWITCHaaiRootCA.crt.pem - other files will be ignored.
    # Note that this replaces the whole set, including SWITCHaaiRootCA.crt.pem
    # (presumably the trust anchor for federation metadata), so a custom ConfigMap
    # must ship a trustworthy copy of it as well.
    configMap: ""

    # Must be set to the version installed in the image
    version: "3.2"

    # https://wiki.shibboleth.net/confluence/display/SP3/ApplicationDefaults
    applicationDefaults:
      # Must match the value registered with your federation / IdPs; changing it
      # effectively makes this a different SP from their point of view.
      entityID: ""       # e.g. "https://yourhost.example.org/shibboleth"
      homeURL: ""        # default: "/Shibboleth.sso/Session"
      remoteUser: ""     # default: "persistent-id uniqueID"

      # https://wiki.shibboleth.net/confluence/display/SP3/Sessions
      # The defaults are the secure choice. Per the Sessions docs, handlerSSL
      # restricts the handler endpoints (e.g. the assertion consumer URL) to TLS,
      # redirectLimit="host" only allows post-login redirects back to this host
      # (mitigating open-redirect abuse), and the "https" cookieProps preset marks
      # the session cookie Secure and HttpOnly. Override with care.
      sessions:
        handlerSSL: ""    # default: "true"
        redirectLimit: "" # default: "host"
        cookieProps: ""   # default: "https"

      # https://wiki.shibboleth.net/confluence/display/SP3/Errors
      errors:
        supportContact: "" # e.g. "aai@yourhost.example.org"

      # X.509 certificate for SAML message signing/encrypting.
      # https://www.switch.ch/aai/guides/sp/configuration/#4
      # https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
      # Both values name Kubernetes Secrets holding certificate and private key;
      # the key material itself never goes into this values file.
      credentialResolver:
        activeSecretName: ""
        # https://www.switch.ch/aai/guides/sp/certificate-rollover/
        # A second key pair published alongside the active one while rolling over.
        additionalSecretName: ""

    # Toggles that mimic those on https://www.switch.ch/aai/guides/sp/configuration/#setupprofile
    publicAttributes: false
    eduIDOnly: false
    interfederation: false

    # Configures client-side session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
    sessionCache:
      enabled: false
      # Attributes listed here are carried in the client-side session (presumably
      # sealed with the keys below) instead of staying in shibd's memory. Keep the
      # list minimal: it grows the cookie, and the values are only as protected as
      # the sealer keys.
      persistedAttributes: ""
      # https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
      # The sealer keys protect the client-side session data; whoever holds them can
      # read or forge sessions, so the Secret they live in is as sensitive as the
      # SAML private key and should be guarded (RBAC, backups) accordingly.
      sealerKeys:
        # if enabled, sealer keys will be created and rotated in a secret automatically
        manage: true
        # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
        schedule: "@daily"

        # https://wiki.shibboleth.net/confluence/display/SP3/seckeygen
        # Rotation interval x keys kept = how long previously sealed data stays
        # readable: with @daily and 14 keys, anything sealed more than ~14 days ago
        # can no longer be unsealed. Keep this window at least as long as the longest
        # session lifetime you rely on.
        numberOfKeysToKeep: 14
        sizeOfKeysInBits: 128

        # Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
        # This image must include shib-seckeygen and kubectl.
        image: {}
        # repository: ""
        # pullPolicy: ""
        # tag: ""

        # The global serviceAccount has minimal permissions, but for the sealer keys we need one that can read, create and replace secrets.
        # NOTE(review): a Role that may read/replace *all* Secrets in the namespace can
        # also read the SAML signing key referenced by credentialResolver. Unless the
        # chart's role binding is already limited to the single sealer-key Secret
        # (e.g. via resourceNames), consider tightening it to least privilege.
        serviceAccount:
          # Specifies whether a service account and a role binding should be created
          create: true
          # Annotations to add to the service account and role binding
          annotations: {}
          # The name of the service account to use.
          # If not set and create is true, a name is generated using the fullname template
          name: ""

        # The name of the secret to use.
        # If not set and manage is true, a name is generated using the fullname template
        secret: ""

    # Configures memcached session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
    # memcached has no authentication or transport encryption of its own, so session
    # state travels in the clear to these hosts: keep them cluster-internal and
    # restrict who can reach them (e.g. with a NetworkPolicy).
    memcached:
      enabled: false
      hosts: ""
      prefix: "SHIBD:"

    # logger
    # Verbose levels (DEBUG) may write attribute values and session details to the
    # console log; leave this at INFO or higher in production.
    rootLogLevel: "INFO"
    consoleLogFormat: "%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n"
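##############################################
### frontend / apache2 (httpd + mod_shibd) ###
##############################################
frontend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  # Capability names are uppercase constants, and admission checks such as the Pod
  # Security `restricted` profile look for the literal `ALL`; a lowercase `all` may
  # be treated as an unknown capability name instead of "drop everything".
  # Dropping ALL includes NET_BIND_SERVICE, so as a non-root user httpd has to
  # listen on an unprivileged port (>= 1024) unless the pod/node lowers
  # net.ipv4.ip_unprivileged_port_start.
  # NOTE(review): no seccompProfile is set here; `restricted` also expects
  # `seccompProfile.type: RuntimeDefault` — add it if the target cluster's admission
  # (e.g. OpenShift SCCs) allows it.
  securityContext:
    runAsUser: 33  # www-data
    runAsGroup: 33 # www-data
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL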
  # overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  # Probes are plain HTTP against the container port; they do not go through the
  # Route, so they are unaffected by the Route's TLS/redirect settings.
  readinessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will also return HTTP 500 if shibboleth backend is dead
      path: /
    initialDelaySeconds: 10
    periodSeconds: 10

  # Overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  livenessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will counter-intuitively return HTTP 200 even if shibboleth backend is dead
      # Note that kubelet treats any 2xx/3xx as success, so a redirect from this
      # handler (e.g. to HTTPS when handlerSSL is in effect) also passes the probe.
      path: /Shibboleth.sso/Session
    initialDelaySeconds: 10
    periodSeconds: 10

  # TODO: remove when the issue mentioned above is fixed
  # TODO: also remove related code in templates/deployment.yaml
  # Enables / disables the livenessProbe and readinessProbe.
  # Will be removed in future.
  workaround:
    readinessProbe:
      enabled: true
    livenessProbe:
      enabled: true

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  apache:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    # Replacing a ConfigMap drops the chart's defaults for that part of the httpd
    # configuration entirely, including whatever protections they contain — review
    # the replacement against the built-in files before using it.
    baseConfigMap: "" # must contain file `base.conf` - other files will be ignored
    mainConfigMap: ""
    modulesConfigMap: ""
    sitesConfigMap: ""

    # Whatever is configured here will be added as config files in addition to those included in the Helm Chart.
    # They are not used if the respective configMap was replaced with the settings above
    # These snippets are loaded by httpd verbatim, i.e. they are as trusted as the
    # values file itself; never assemble them from user-controlled input.
    extraMainConfig: ""
    extraModulesConfig: ""
    extraSitesConfig: ""
    # enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
    # This concerns the hop from httpd to `remoteURL` (proxying to an https://
    # upstream), not TLS towards clients — with the default
    # route.tls.termination=edge that is handled by the Route.
    # NOTE(review): make sure the sites config also verifies the upstream's
    # certificate (SSLProxyVerify / SSLProxyCACertificateFile); whether the chart's
    # default does so cannot be seen from this file.
    enableSSL: false

    # Settings for the actual apache/proxy config.
    # They are not used if `sitesConfigMap` is specified above.
    logLevel: ""          # default: "warn"
    # The default access-log format records the client IP and the remote user;
    # treat these logs as personal data (retention, access control).
    logFormat: ""         # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    # "off" (the default) rewrites the Host header to the upstream's own; switch to
    # "on" only if the upstream needs the original Host — it then receives a
    # client-controlled Host header and must be robust against that.
    proxyPreserveHost: "" # default: "off"
    # With http:// the hop from httpd to the upstream is cleartext; keep it
    # cluster-internal, or use https:// together with enableSSL above.
    remoteURL: ""         # must be absolute (i.e. starting with http:// or https://)
    # NOTE(review): empty by default. What the sites template grants when no rules
    # are set cannot be seen from this file; verify in the rendered config that the
    # proxied application is not reachable without authentication.
    accessRules: ""