# Default values for shibboleth-sp. This is a YAML-formatted file.

##############
### global ###
##############

### Values in this section can be set by charts that depend on this chart.
global:
  # The FQDN which will point to this installation. Will be used by the route and the VirtualHost.
  # If you'd like to use a default route (and use the default wildcard tls certificate),
  # this MUST have the form: <host>.zh.shift.switchengines.ch
  # Presumably a bare host name (no scheme, port or path) — confirm against the route/ingress templates.
  domainName: ""

##############
### common ###
##############

# temporary flag to support legacy openshiftv3 and modern vanilla kubernetes
# true  -> the `route` section below applies (OpenShift Route)
# false -> the `ingress` section below applies (Kubernetes Ingress)
openshiftv3: true

# Standard Helm overrides for the chart name and the full release name used by the name templates.
# Leave empty to keep the generated names.
nameOverride: ""
fullnameOverride: ""

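# Default image for all chart containers; `backend.image`, `frontend.image` and the sealer-key job can override it.
image:
  repository: "cr.gitlab.switch.ch/helm-charts/shibboleth-sp/image/shibboleth-sp"
  # Pinned on purpose: a mutable tag (e.g. "latest") would make upgrades happen outside of `helm upgrade`.
  tag: "1.0.3"
  # Quoted for consistency with the other pullPolicy values in this file.
  pullPolicy: "IfNotPresent"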

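# Specify all secret(s) required to pull the images used for this installation.
# (trailing whitespace removed from the example below — inside a block scalar it would become part of the value)
# imagePullSecrets:
# - name:

replicaCount: 1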

autoscaling:
  # When enabled, the commented values below become the HorizontalPodAutoscaler bounds;
  # presumably replicaCount is then ignored — confirm in the templates.
  enabled: false
  # minReplicas:
  # maxReplicas:
  # targetCPUUtilizationPercentage:
  # targetMemoryUtilizationPercentage:

# ""   == no podAntiAffinity
# soft == podAntiAffinity preferred
# hard == podAntiAffinity required
# "hard" keeps replicas on distinct nodes, which also limits the blast radius of a single node failure.
podAntiAffinityPreset: ""

# podAnnotations: {}

# Pod-level securityContext. The chart's own containers already set runAsNonRoot,
# readOnlyRootFilesystem and allowPrivilegeEscalation=false in their container securityContexts below.
# podSecurityContext: {}

# These initContainers, containers and volumes are added to the Deployment in addition to those included in the Helm Chart.
# This could be useful to set up log shipping, for example.
# Containers added here do not inherit the container-level securityContexts of backend/frontend —
# give each one its own securityContext.
initContainers: []
containers: []
volumes: []

# Service account for the Deployment's pods. It is separate from the sealer-key service account
# (backend.shibboleth.sessionCache.sealerKeys.serviceAccount), which is the one that needs Secret access.
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

# only if openshiftv3=true
route:
  enabled: false
  # Annotations to add to the route
  annotations: {}
  # If you set letsEncrypt=true, you should probably also set keep=true, in order to keep the certificate in place.
  keep: false
  letsEncrypt: false
  # If you configure anything other than the default values for termination and insecureEdgeTerminationPolicy below,
  # you might have to manually edit the route and add certificate and private key data.
  # We can't expose these settings (particularly the private key data) here as such sensitive data should never be stored in a values file.
  # Sadly, OpenShift Routes don't support providing that data through Secrets, so we can't leverage those either.
  tls:
    path: ""
    termination: "edge"
    # "Redirect" upgrades plain-HTTP requests to HTTPS; "Allow" would make the SP reachable over plaintext.
    insecureEdgeTerminationPolicy: "Redirect"

# only if openshiftv3=false
# TODO: validation
ingress:
  enabled: false
  annotations: {}
  keep: false
  letsEncrypt:
    enabled: false
    # Name of the issuer the certificate is requested from (presumably a cert-manager ClusterIssuer);
    # likely required once enabled is true — confirm against the templates.
    clusterIssuer: ""

deployment:
  # To pick up ConfigMap and Secret changes, all pods in the Deployment need to be restarted. This can
  # be done manually, e.g. with `kubectl rollout restart deployment/<deployment>`, or automatically.
  # With both flags false, a changed Secret (e.g. a rotated SP key) is only picked up after a manual restart.
  automaticPodRollout:
    # This will trigger a rollout with every `helm install|upgrade`, independent of whether it's necessary or not.
    always: false
    # This will trigger a rollout if one of the built-in ConfigMap templates changes. Note that this won't
    # pick up changes to ConfigMaps or Secrets that are merely referenced but provided outside of this chart.
    onConfigMapChange: false

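####################################
### backend / shibboleth (shibd) ###
####################################
backend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  securityContext:
    runAsUser: 101  # _shibd
    runAsGroup: 101 # _shibd
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      # "ALL" is the spelling Kubernetes documents and the one the Pod Security "restricted"
      # profile looks for; lowercase "all" may not be recognised by that admission check.
      - ALL

  readinessProbe: {}
  livenessProbe: {}

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  shibboleth:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    # They must be named attribute-map.xml, attribute-policy.xml, shibboleth2.xml and SWITCHaaiRootCA.crt.pem - other files will be ignored.
    # Replacing shibboleth2.xml bypasses every setting under applicationDefaults/sessionCache/memcached below.
    configMap: ""

    # Must be set to the version installed in the image
    version: "3.2"

    # https://wiki.shibboleth.net/confluence/display/SP3/ApplicationDefaults
    applicationDefaults:
      entityID: ""       # e.g. "https://yourhost.example.org/shibboleth"
      homeURL: ""        # default: "/Shibboleth.sso/Session"
      remoteUser: ""     # default: "persistent-id uniqueID"

      # https://wiki.shibboleth.net/confluence/display/SP3/Sessions
      # The listed defaults are the stricter choice for each option (client-address binding, handler over TLS,
      # Secure cookies); an empty value presumably keeps the default. Relax one only for a documented reason.
      sessions:
        checkAddress: ""      # default: "true"
        consistentAddress: "" # default: "true"
        handlerSSL: ""        # default: "true"
        redirectLimit: ""     # default: "host"
        cookieProps: ""       # default: "https"
        sameSiteSession: ""   # default: N/A  (no space before the colon; plain key like its siblings)

      # https://wiki.shibboleth.net/confluence/display/SP3/Errors
      errors:
        supportContact: "" # e.g. "aai@yourhost.example.org"

      # X.509 certificate for SAML message signing/encrypting.
      # https://www.switch.ch/aai/guides/sp/configuration/#4
      # https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
      # These Secrets presumably carry the SP's private key as well; restrict read access to them via RBAC
      # and never paste key material into this file.
      credentialResolver:
        activeSecretName: ""
        # https://www.switch.ch/aai/guides/sp/certificate-rollover/
        additionalSecretName: ""

    # Toggles that mimic those on https://www.switch.ch/aai/guides/sp/configuration/#setupprofile
    publicAttributes: false
    eduIDOnly: false
    interfederation: false

    # "production" or "test"
    # See also: https://www.switch.ch/de/edu-id/docs/unis/tech/testing/
    eduIDVersion: "production"

    # Configures client-side session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
    sessionCache:
      enabled: false
      # Attributes listed here presumably travel with the client-side session; keep the list minimal.
      persistedAttributes: ""

      # https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
      sealerKeys:
        # if enabled, sealer keys will be created and rotated in a secret automatically
        manage: true
        # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
        schedule: "@daily"

        # https://wiki.shibboleth.net/confluence/display/SP3/seckeygen
        # With a daily schedule, 14 retained keys presumably bounds how long a sealed session stays readable — confirm.
        numberOfKeysToKeep: 14
        sizeOfKeysInBits: 128

        # Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
        # This image must include shib-seckeygen and kubectl.
        image: {}
          # repository: ""
          # pullPolicy: ""
          # tag: ""

        # The global serviceAccount has minimal permissions, but for the sealer keys we need one that can read, create and replace secrets.
        # That grant should be a namespaced Role limited to this secret, not a ClusterRole — verify in the templates.
        serviceAccount:
          # Specifies whether a service account and a role binding should be created
          create: true
          # Annotations to add to the service account and role binding
          annotations: {}
          # The name of the service account to use.
          # If not set and create is true, a name is generated using the fullname template
          name: ""

        # The name of the secret to use.
        # If not set and manage is true, a name is generated using the fullname template
        secret: ""

    # Configures memcached session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
    # memcached traffic is plaintext: keep the hosts reachable only from the SP pods (e.g. via a NetworkPolicy).
    memcached:
      enabled: false
      hosts: ""
      prefix: "SHIBD:"

    # logger
    # Levels below INFO (e.g. DEBUG) may write attribute values and session details to the console log.
    rootLogLevel: "INFO"
    consoleLogFormat: "%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n"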

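##############################################
### frontend / apache2 (httpd + mod_shibd) ###
##############################################
frontend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""

  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  securityContext:
    runAsUser: 33  # www-data
    runAsGroup: 33 # www-data
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      # "ALL" is the spelling Kubernetes documents and the one the Pod Security "restricted"
      # profile looks for; lowercase "all" may not be recognised by that admission check.
      - ALL

  # overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  readinessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will also return HTTP 500 if shibboleth backend is dead
      path: /
    initialDelaySeconds: 10
    periodSeconds: 10

  # Overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  livenessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will counter-intuitively return HTTP 200 even if shibboleth backend is dead
      path: /Shibboleth.sso/Session
    initialDelaySeconds: 10
    periodSeconds: 10

  # TODO: remove when the issue mentioned above is fixed
  # TODO: also remove related code in templates/deployment.yaml
  # Enables / disables the livenessProbe and readinessProbe.
  # Will be removed in future.
  workaround:
    readinessProbe:
      enabled: true
    livenessProbe:
      enabled: true

  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:

  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  apache:
    # The files from these configMaps will be mounted and replace the config files included in the Helm Chart.
    baseConfigMap: "" # must contain file `base.conf` - other files will be ignored
    mainConfigMap: ""
    modulesConfigMap: ""
    sitesConfigMap: ""

    # Whatever is configured here will be added as config files in addition to those included in the Helm Chart.
    # They are not used if the respective configMap was replaced with the settings above
    # These strings are inserted as Apache configuration; treat them as trusted input and review them like httpd.conf.
    extraMainConfig: ""
    extraModulesConfig: ""
    extraSitesConfig: ""

    # enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
    # Presumably required for an https:// remoteURL, since mod_proxy needs SSLProxyEngine for TLS backends.
    enableSSL: false

    # Settings for the actual apache/proxy config.
    # They are not used if `sitesConfigMap` is specified above.
    logLevel: ""          # default: "warn"
    logFormat: ""         # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    # "on" forwards the client's Host header to remoteURL; leave off unless the backend routes by Host.
    proxyPreserveHost: "" # default: "off"
    remoteURL: ""         # must be absolute (i.e. starting with http:// or https://)
    # Presumably raw access-control directives for the proxied site — confirm in the templates.
    accessRules: ""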

# helm tests
tests:
  enabled: false

  # imagePullSecrets:
  # - name:

  # requires sh, echo, cat, curl, grep in the path of the image
  image:
    repository: "docker.io/curlimages/curl"
    # "latest" is a moving target; pin a version tag or digest if test runs must be reproducible.
    tag: "latest"
    pullPolicy: "IfNotPresent"