diff --git a/charts/gluu-all-in-one/README.md b/charts/gluu-all-in-one/README.md index d68b8a8e3..e91156052 100644 --- a/charts/gluu-all-in-one/README.md +++ b/charts/gluu-all-in-one/README.md @@ -224,8 +224,9 @@ Kubernetes: `>=v1.22.0-0` | fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | | fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | | fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | -| fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| fido2.ingress | object | `{"fido2ConfigEnabled":false,"fido2Enabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | | fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | | fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | | fullNameOverride | string | `""` | | | hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | @@ -276,8 +277,10 @@ Kubernetes: `>=v1.22.0-0` | nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | | nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | | nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | | nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | | nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | | nginx-ingress.ingress.ingressClassName | string | `"nginx"` | | diff --git a/charts/gluu-all-in-one/templates/nginx-ingress.yaml b/charts/gluu-all-in-one/templates/nginx-ingress.yaml index cd6560ba0..69e550a39 100644 --- a/charts/gluu-all-in-one/templates/nginx-ingress.yaml +++ b/charts/gluu-all-in-one/templates/nginx-ingress.yaml @@ -519,6 +519,53 @@ spec: --- +{{ if .Values.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "flex-all-in-one.fullname" . -}} +{{- $ingressPath := index .Values "nginx-ingress" "ingress" "path" -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if index .Values "nginx-ingress" "ingress" "additionalLabels" }} +{{ toYaml index .Values "nginx-ingress" "ingress" "additionalLabels" | indent 4 }} +{{- end }} +{{- if index .Values "nginx-ingress" "ingress" "fido2Labels" }} +{{ toYaml index .Values "nginx-ingress" "ingress" "fido2Labels" | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if index .Values "nginx-ingress" "ingress" "fido2AdditionalAnnotations" }} +{{ toYaml index .Values "nginx-ingress" "ingress" "fido2AdditionalAnnotations" | indent 4 }} +{{- end }} +{{- if index .Values "nginx-ingress" "ingress" "additionalAnnotations" }} +{{ toYaml index .Values "nginx-ingress" "ingress" "additionalAnnotations" | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ index .Values "nginx-ingress" "ingress" "ingressClassName" }} +{{- if index .Values "nginx-ingress" "ingress" "tlsSecretName" }} + tls: + - hosts: + - {{ .Values.fqdn | quote }} + secretName: {{ index .Values "nginx-ingress" "ingress" "tlsSecretName" }} +{{- end }} + rules: + - host: {{ .Values.fqdn | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.service.name }} + port: + number: 8080 +{{- end }} + +--- + {{ if index .Values "auth-server" "ingress" "authServerEnabled" -}} {{ $fullName := include "flex-all-in-one.fullname" . -}} {{- $ingressPath := index .Values "nginx-ingress" "ingress" "path" -}} diff --git a/charts/gluu-all-in-one/values.yaml b/charts/gluu-all-in-one/values.yaml index b6efbc256..5923cb695 100644 --- a/charts/gluu-all-in-one/values.yaml +++ b/charts/gluu-all-in-one/values.yaml @@ -416,6 +416,8 @@ fido2: ingress: # -- Enable endpoint /.well-known/fido2-configuration fido2ConfigEnabled: false + # -- Enable endpoint /jans-fido2 + fido2Enabled: false scim: # -- Name of the scim service. Please keep it as default. scimServiceName: scim @@ -601,6 +603,10 @@ nginx-ingress: fido2ConfigLabels: { } # -- fido2 config ingress resource additional annotations. fido2ConfigAdditionalAnnotations: { } + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } # -- Auth server ingress resource labels. key app is taken authServerLabels: { } # -- Auth server ingress resource additional annotations. diff --git a/charts/gluu/README.md b/charts/gluu/README.md index 06122100d..6ec8d1ad9 100644 --- a/charts/gluu/README.md +++ b/charts/gluu/README.md @@ -306,7 +306,7 @@ Kubernetes: `>=v1.21.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":false,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false,"fido2Enabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":false,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | | global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | | global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | @@ -420,8 +420,9 @@ Kubernetes: `>=v1.21.0-0` | global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | | global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | | global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | -| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false,"fido2Enabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | | global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | | global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | | global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | | global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | @@ -510,7 +511,7 @@ Kubernetes: `>=v1.21.0-0` | link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | | nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | | nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | @@ -527,8 +528,10 @@ Kubernetes: `>=v1.21.0-0` | nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | | nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | | nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | | nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | | nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | | nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | diff --git a/charts/gluu/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/charts/fido2/templates/fido2-virtual-services.yaml index 88a91a994..fe906fa68 100644 --- a/charts/gluu/charts/fido2/templates/fido2-virtual-services.yaml +++ b/charts/gluu/charts/fido2/templates/fido2-virtual-services.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +{{- if .Values.global.istio.ingress }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -25,16 +25,30 @@ spec: - {{ .Release.Name }}-global-gtw {{- end }} http: + {{- if .Values.global.fido2.ingress.fido2ConfigEnabled }} - name: {{ .Release.Name }}-istio-fido2-configuration match: - uri: prefix: /.well-known/fido2-configuration rewrite: uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.fido2.ingress.fido2Enabled }} + - name: {{ .Release.Name }}-istio-fido2 + match: + - uri: + prefix: "/jans-fido2" route: - destination: host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local port: number: 8080 weight: 100 + {{- end }} {{- end }} diff --git a/charts/gluu/charts/nginx-ingress/README.md b/charts/gluu/charts/nginx-ingress/README.md index 6e55c6a79..2d6b14966 100644 --- a/charts/gluu/charts/nginx-ingress/README.md +++ b/charts/gluu/charts/nginx-ingress/README.md @@ -27,7 +27,7 @@ Kubernetes: `>=v1.21.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | fullnameOverride | string | `""` | | -| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | | ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | | ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | @@ -36,6 +36,7 @@ Kubernetes: `>=v1.21.0-0` | ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | | ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | | ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | | ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | | ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | | ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | diff --git a/charts/gluu/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/charts/nginx-ingress/templates/ingress.yaml index 94e244e65..8069c0038 100644 --- a/charts/gluu/charts/nginx-ingress/templates/ingress.yaml +++ b/charts/gluu/charts/nginx-ingress/templates/ingress.yaml @@ -616,6 +616,62 @@ spec: --- +{{ if .Values.global.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2Labels }} +{{ toYaml .Values.ingress.fido2Labels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.fido2AdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} {{ $fullName := include "nginx-ingress.fullname" . -}} {{- $ingressPath := .Values.ingress.path -}} diff --git a/charts/gluu/charts/nginx-ingress/values.yaml b/charts/gluu/charts/nginx-ingress/values.yaml index 02ce71b13..901a6ca1a 100644 --- a/charts/gluu/charts/nginx-ingress/values.yaml +++ b/charts/gluu/charts/nginx-ingress/values.yaml @@ -49,6 +49,8 @@ ingress: fido2Enabled: false # -- fido2 ingress resource labels. key app is taken fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } # -- Auth server config ingress resource labels. key app is taken authServerLabels: { } # -- Auth server ingress resource additional annotations. diff --git a/charts/gluu/values.yaml b/charts/gluu/values.yaml index 7f0ed87aa..e68a0383e 100644 --- a/charts/gluu/values.yaml +++ b/charts/gluu/values.yaml @@ -1129,6 +1129,8 @@ global: ingress: # -- Enable endpoint /.well-known/fido2-configuration fido2ConfigEnabled: false + # -- Enable endpoint /jans-fido2 + fido2Enabled: false # -- GCE storage kind if using Google disks gcePdStorageType: pd-standard # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. @@ -1337,6 +1339,10 @@ nginx-ingress: fido2ConfigLabels: { } # -- fido2 config ingress resource additional annotations. fido2ConfigAdditionalAnnotations: { } + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } # -- Auth server ingress resource labels. key app is taken authServerLabels: { } # -- Auth server ingress resource additional annotations.