Commit ff01b5a6 authored by Sandro Mathys's avatar Sandro Mathys

add ssl backend capabilities

parent 3fc82618
......@@ -52,6 +52,7 @@ metadata:
{{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
data:
000-basics.conf: |
# These modules are essential
# LoadModule log_config_module modules/mod_log_config.so # built-in
# LoadModule unixd_module modules/mod_unixd.so # built-in
LoadModule authn_core_module modules/mod_authn_core.so
......@@ -60,6 +61,10 @@ data:
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
{{- if .Values.frontend.apache.enableSSL }}
001-ssl.conf: |
LoadModule ssl_module modules/mod_ssl.so
{{- end }}
010-shibboleth.conf: |
LoadModule mod_shib modules/mod_shib.so
......@@ -92,15 +97,19 @@ data:
CustomLog "/dev/stdout" custom
ErrorLog "/dev/stderr"
ProxyPreserveHost "{{ .Values.frontend.apache.proxyPreserveHost | default "off" }}"
{{- if .Values.frontend.apache.enableSSL }}
SSLProxyEngine "on"
{{- end }}
<VirtualHost _default_:8080>
UseCanonicalName On
UseCanonicalName on
ServerName https://{{ tpl .Values.global.domainName . }}
ServerAlias https://*.{{ tpl .Values.global.domainName . }}
ServerAlias http://{{ tpl .Values.global.domainName . }}
ServerAlias http://*.{{ tpl .Values.global.domainName . }}
ProxyPreserveHost On
ProxyPass "/" "{{ .Values.frontend.apache.remoteURL }}"
ProxyPassReverse "/" "{{ .Values.frontend.apache.remoteURL }}"
......
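Review bot: `SSLProxyEngine "on"` is enabled in the `enableSSL` block with no `SSLProxyVerify` or CA directive beside it, and mod_ssl's default for `SSLProxyVerify` is `none`, so as far as this section shows the proxy never validates the backend's certificate chain. The frontend appears to forward requests that mod_shib has already authorised, so an unauthenticated TLS hop to `remoteURL` undermines what the access rules protect. I would add `SSLProxyVerify require` and `SSLProxyCACertificateFile "<path-to-ca-bundle>"` inside the same `{{- if .Values.frontend.apache.enableSSL }}` block, with the bundle path supplied by a chart value. The rest of the site config lies outside the hunk, so confirm that `extraSitesConfig` or a similar hook is not already meant to carry these directives.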
......@@ -32,6 +32,6 @@ spec:
# replace secret with new sealer keys
kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
# restart all pods in deployment in order to pick up new secret
kubectl rollout restart {{ include "shibboleth-sp.fullname" . }}
kubectl rollout restart deploy {{ include "shibboleth-sp.fullname" . }}
restartPolicy: OnFailure
{{- end -}}
......@@ -233,9 +233,13 @@ frontend:
extraModulesConfig: ""
extraSitesConfig: ""
# enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
enableSSL: false
# Settings for the actual apache/proxy config.
# They are not used if `sitesConfigMap` is specified above.
logLevel: "" # default: "warn"
logFormat: "" # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
remoteURL: "" # must be absolute (i.e. starting with http:// or https://)
logLevel: "" # default: "warn"
logFormat: "" # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
proxyPreserveHost: "" # default: "off"
remoteURL: "" # must be absolute (i.e. starting with http:// or https://)
accessRules: ""
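Review bot: The comment on `enableSSL` does not say that the flag must be `true` whenever `remoteURL` is an `https://` URL. With the default `false`, an https backend leaves mod_proxy without `SSLProxyEngine`, so the mismatch would only show up as failing requests at runtime. I would word it as `# enable TLS towards the backend (loads mod_ssl, sets SSLProxyEngine); required when remoteURL is https://`. The `proxyPreserveHost` comment could also tell users to keep the quotes, e.g. `# "on" or "off" (quoted), default: "off"`, because an unquoted `on` is likely to be parsed as a YAML boolean and rendered as `true`, which Apache does not accept for this directive.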
......@@ -24,7 +24,9 @@ backend:
frontend:
apache:
remoteURL: https://www.switch.ch
enableSSL: true
remoteURL: "https://os.zhdk.cloud.switch.ch/swift/v1/shibboleth-sp-helm-chart-demo-page/"
accessRules: |
Require shib-attr homeOrganization switch.ch