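---
# Default values for shibboleth-sp. This is a YAML-formatted file.
#
# NOTE(review): this file was reconstructed from a copy that had lost all indentation.
# Every key and value of the original is kept, but the nesting of a few sub-trees
# (route.tls, the applicationDefaults / sessions / errors / credentialResolver group,
# sessionCache / sealerKeys / memcached) was inferred from the comments and from the
# shibboleth2.xml element hierarchy - confirm it against the templates before relying on it.

##############
### global ###
##############

### Values in this section can be set by charts that depend on this chart.

global:
  # The FQDN which will point to this installation. Will be used by the route and the VirtualHost.
  # If you'd like to use a default route (and use the default wildcard tls certificate),
  # this MUST have the form: <name>.zh.shift.switchengines.ch
  domainName: ""

##############
### common ###
##############

# Temporary flag to support legacy OpenShift v3 as well as modern vanilla Kubernetes.
# true  -> the `route` section below applies
# false -> the `ingress` section below applies
openshiftv3: true

nameOverride: ""
fullnameOverride: ""

# Image used unless overridden per component (see the `image` keys under `backend`,
# `frontend` and `backend.shibboleth.sessionCache.sealerKeys`).
image:
  repository: "cr.gitlab.switch.ch/helm-charts/shibboleth-sp/image/shibboleth-sp"
  tag: "1.0.3"
  pullPolicy: "IfNotPresent"

# Specify all secret(s) required to pull the images used for this installation.
# imagePullSecrets:
#   - name:

replicaCount: 1

autoscaling:
  enabled: false
  # minReplicas:
  # maxReplicas:
  # targetCPUUtilizationPercentage:
  # targetMemoryUtilizationPercentage:

# ""   == no podAntiAffinity
# soft == podAntiAffinity preferred
# hard == podAntiAffinity required
podAntiAffinityPreset: ""

# podAnnotations: {}
# podSecurityContext: {}

# These initContainers, containers and volumes are added to the Deployment in addition to
# those included in the Helm Chart. This could be useful to set up log shipping, for example.
initContainers: []
containers: []
volumes: []

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

# only if openshiftv3=true
route:
  enabled: false
  # Annotations to add to the route
  annotations: {}
  # If you set letsEncrypt=true, you should probably also set keep=true, in order to keep
  # the certificate in place.
  keep: false
  letsEncrypt: false
  # If you configure anything other than the default values for termination and
  # insecureEdgeTerminationPolicy below, you might have to manually edit the route and add
  # certificate and private key data.
  # We can't expose these settings (particularly the private key data) here as such sensitive
  # data should never be stored in a values file. Sadly, OpenShift Routes don't support
  # providing that data through Secrets, so we can't leverage those either.
  tls:
    path: ""
    termination: "edge"
    insecureEdgeTerminationPolicy: "Redirect"

# only if openshiftv3=false
# TODO: validation
ingress:
  enabled: false
  annotations: {}
  keep: false
  letsEncrypt:
    enabled: false
    clusterIssuer: ""

deployment:
  # To pick up ConfigMap and Secret changes, all pods in the Deployment need to be restarted.
  # This can be done manually, e.g. with `kubectl rollout restart deployment/<name>`, or
  # automatically.
  automaticPodRollout:
    # This will trigger a rollout with every `helm install|upgrade`, independent of whether
    # it's necessary or not.
    always: false
    # This will trigger a rollout if one of the built-in ConfigMap templates changes. Note that
    # this won't pick up changes to ConfigMaps or Secrets that are merely referenced but
    # provided outside of this chart.
    onConfigMapChange: false

####################################
### backend / shibboleth (shibd) ###
####################################

backend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""
  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  securityContext:
    runAsUser: 101  # _shibd
    runAsGroup: 101  # _shibd
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        # "ALL" is the spelling documented by Kubernetes and the literal that the restricted
        # Pod Security Standard looks for; a lowercase "all" may not satisfy policy checks.
        - ALL
  readinessProbe: {}
  livenessProbe: {}
  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:
  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  shibboleth:
    # The files from this configMap will be mounted and replace the config files included in the
    # Helm Chart. They must be named attribute-map.xml, attribute-policy.xml, shibboleth2.xml and
    # SWITCHaaiRootCA.crt.pem - other files will be ignored.
    configMap: ""
    # Must be set to the version installed in the image
    version: "3.2"
    # https://wiki.shibboleth.net/confluence/display/SP3/ApplicationDefaults
    applicationDefaults:
      entityID: ""  # e.g. "https://yourhost.example.org/shibboleth"
      homeURL: ""  # default: "/Shibboleth.sso/Session"
      remoteUser: ""  # default: "persistent-id uniqueID"
      # https://wiki.shibboleth.net/confluence/display/SP3/Sessions
      # An empty value leaves the setting at the Shibboleth default noted inline. Those defaults
      # are the hardened ones (client address checking, TLS-only handlers, Secure cookies), so
      # only override them with a concrete reason.
      sessions:
        checkAddress: ""  # default: "true"
        consistentAddress: ""  # default: "true"
        handlerSSL: ""  # default: "true"
        redirectLimit: ""  # default: "host"
        cookieProps: ""  # default: "https"
        sameSiteSession: ""  # default: N/A
      # https://wiki.shibboleth.net/confluence/display/SP3/Errors
      errors:
        supportContact: ""  # e.g. "aai@yourhost.example.org"
    # X.509 certificate for SAML message signing/encrypting.
    # The key material lives in the referenced Secrets, never in this values file.
    # https://www.switch.ch/aai/guides/sp/configuration/#4
    # https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
    credentialResolver:
      activeSecretName: ""
      # https://www.switch.ch/aai/guides/sp/certificate-rollover/
      additionalSecretName: ""
    # Toggles that mimic those on https://www.switch.ch/aai/guides/sp/configuration/#setupprofile
    publicAttributes: false
    eduIDOnly: false
    interfederation: false
    # "production" or "test"
    # See also: https://www.switch.ch/de/edu-id/docs/unis/tech/testing/
    eduIDVersion: "production"
    # Configures client-side session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
    sessionCache:
      enabled: false
      persistedAttributes: ""
      # https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
      sealerKeys:
        # if enabled, sealer keys will be created and rotated in a secret automatically
        manage: true
        # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
        schedule: "@daily"
        # https://wiki.shibboleth.net/confluence/display/SP3/seckeygen
        numberOfKeysToKeep: 14
        sizeOfKeysInBits: 128
        # Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
        # This image must include shib-seckeygen and kubectl.
        image: {}
          # repository: ""
          # pullPolicy: ""
          # tag: ""
        # The global serviceAccount has minimal permissions, but for the sealer keys we need one
        # that can read, create and replace secrets. It therefore gets a service account and role
        # binding of its own rather than widening the permissions of the global one.
        serviceAccount:
          # Specifies whether a service account and a role binding should be created
          create: true
          # Annotations to add to the service account and role binding
          annotations: {}
          # The name of the service account to use.
          # If not set and create is true, a name is generated using the fullname template
          name: ""
        # The name of the secret to use.
        # If not set and manage is true, a name is generated using the fullname template
        secret: ""
    # Configures memcached session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
    memcached:
      enabled: false
      hosts: ""
      prefix: "SHIBD:"
    # logger
    rootLogLevel: "INFO"
    consoleLogFormat: "%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n"

##############################################
### frontend / apache2 (httpd + mod_shibd) ###
##############################################

frontend:
  # Overwrites the image for this container.
  image: {}
    # repository: ""
    # pullPolicy: ""
    # tag: ""
  # The defaults represent maximum security.
  # Only change these if you know what you're doing.
  securityContext:
    runAsUser: 33  # www-data
    runAsGroup: 33  # www-data
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        # "ALL" is the spelling documented by Kubernetes and the literal that the restricted
        # Pod Security Standard looks for; a lowercase "all" may not satisfy policy checks.
        - ALL
  # Overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  readinessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will also return HTTP 500 if shibboleth backend is dead
      path: /
    initialDelaySeconds: 10
    periodSeconds: 10
  # Overwriting this is not currently possible, but a fix seems close to merging, see:
  # https://github.com/helm/helm/issues/9136
  # https://github.com/helm/helm/pull/9138
  # It might be possible to overwrite it on the command line with --set
  livenessProbe:
    httpGet:
      scheme: HTTP
      port: apache
      # will counter-intuitively return HTTP 200 even if shibboleth backend is dead
      path: /Shibboleth.sso/Session
    initialDelaySeconds: 10
    periodSeconds: 10
  # TODO: remove when the issue mentioned above is fixed
  # TODO: also remove related code in templates/deployment.yaml
  # Enables / disables the livenessProbe and readinessProbe.
  # Will be removed in future.
  workaround:
    readinessProbe:
      enabled: true
    livenessProbe:
      enabled: true
  resources: {}
    # requests:
    #   cpu:
    #   memory:
    # limits:
    #   cpu:
    #   memory:
  # These volumeMounts are added to the container in addition to those included in the Helm Chart.
  volumeMounts: []

  apache:
    # The files from these configMaps will be mounted and replace the config files included in
    # the Helm Chart.
    baseConfigMap: ""  # must contain file `base.conf` - other files will be ignored
    mainConfigMap: ""
    modulesConfigMap: ""
    sitesConfigMap: ""
    # Whatever is configured here will be added as config files in addition to those included in
    # the Helm Chart. They are not used if the respective configMap was replaced with the
    # settings above.
    extraMainConfig: ""
    extraModulesConfig: ""
    extraSitesConfig: ""
    # enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
    # (required when `remoteURL` below uses https://)
    enableSSL: false
    # Settings for the actual apache/proxy config.
    # They are not used if `sitesConfigMap` is specified above.
    logLevel: ""  # default: "warn"
    logFormat: ""  # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    proxyPreserveHost: ""  # default: "off"
    remoteURL: ""  # must be absolute (i.e. starting with http:// or https://)
    accessRules: ""

# helm tests
tests:
  enabled: false
  # imagePullSecrets:
  #   - name:
  # requires sh, echo, cat, curl, grep in the path of the image
  image:
    repository: "docker.io/curlimages/curl"
    # "latest" is a mutable tag; pin a specific tag (or a digest) for reproducible test runs.
    tag: "latest"
    pullPolicy: "IfNotPresent"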