From edb35d7f865018562d48c628bf3140aad8b56f62 Mon Sep 17 00:00:00 2001 
From: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Date: Thu, 3 Feb 2022 11:00:10 +0000 Subject: [PATCH] feat: add Helm chart for Core Janssen Distro (#753) * feat: add helm chart * feat: update descriptions and icons * feat: release first package --- .github/workflows/update_helm_chart.yml | 71 - automation/analyze_chart.py | 75 - automation/helpers.py | 85 - automation/prepare_chart.sh | 35 - automation/startjanssendemo.sh | 5 +- automation/yaml_parser.py | 112 - charts/index.yaml | 91 + charts/janssen-1.0.0-beta.14.tgz | Bin 0 -> 72360 bytes charts/janssen/Chart.yaml | 85 + charts/janssen/README.md | 434 +++ .../auth-server-key-rotation/.helmignore | 21 + .../auth-server-key-rotation/Chart.yaml | 20 + .../charts/auth-server-key-rotation/README.md | 48 + .../templates/_helpers.tpl | 68 + .../templates/cronjobs.yaml | 98 + .../templates/service.yaml | 25 + .../templates/user-custom-secret-envs.yaml | 22 + .../auth-server-key-rotation/values.yaml | 49 + charts/janssen/charts/auth-server/.helmignore | 21 + charts/janssen/charts/auth-server/Chart.yaml | 22 + charts/janssen/charts/auth-server/README.md | 60 + .../charts/auth-server/templates/_helpers.tpl | 68 + .../auth-server-destination-rules.yaml | 24 + .../auth-server-virtual-services.yaml | 94 + .../auth-server/templates/deployment.yml | 225 ++ .../charts/auth-server/templates/hpa.yaml | 39 + .../charts/auth-server/templates/service.yml | 31 + .../templates/user-custom-secret-envs.yaml | 23 + charts/janssen/charts/auth-server/values.yaml | 88 + charts/janssen/charts/client-api/.helmignore | 21 + charts/janssen/charts/client-api/Chart.yaml | 22 + charts/janssen/charts/client-api/README.md | 61 + .../charts/client-api/templates/_helpers.tpl | 68 + .../client-api-destination-rules.yaml | 24 + .../client-api/templates/deployment.yaml | 138 + .../charts/client-api/templates/hpa.yaml | 39 + .../client-api/templates/networkpolicy.yaml | 39 + .../charts/client-api/templates/service.yaml | 31 + 
.../templates/user-custom-secret-envs.yaml | 23 + charts/janssen/charts/client-api/values.yaml | 88 + charts/janssen/charts/config-api/.helmignore | 21 + charts/janssen/charts/config-api/Chart.yaml | 22 + charts/janssen/charts/config-api/README.md | 64 + .../charts/config-api/templates/_helpers.tpl | 68 + .../config-api-destination-rules.yaml | 24 + .../config-api/templates/deployment.yaml | 165 + .../charts/config-api/templates/hpa.yaml | 39 + .../charts/config-api/templates/service.yaml | 31 + charts/janssen/charts/config-api/values.yaml | 97 + charts/janssen/charts/config/.helmignore | 22 + charts/janssen/charts/config/Chart.yaml | 22 + charts/janssen/charts/config/README.md | 119 + .../charts/config/templates/_helpers.tpl | 97 + .../config/templates/clusterrolebinding.yaml | 47 + .../charts/config/templates/configmaps.yaml | 382 ++ .../config/templates/load-init-config.yml | 104 + .../charts/config/templates/rolebinding.yaml | 25 + .../charts/config/templates/roles.yaml | 21 + .../charts/config/templates/secrets.yaml | 102 + .../charts/config/templates/service.yaml | 27 + .../config/templates/user-custom-envs.yaml | 66 + charts/janssen/charts/config/values.yaml | 192 + charts/janssen/charts/fido2/.helmignore | 21 + charts/janssen/charts/fido2/Chart.yaml | 23 + charts/janssen/charts/fido2/README.md | 61 + .../charts/fido2/templates/_helpers.tpl | 68 + .../charts/fido2/templates/deployment.yml | 137 + .../templates/fido2-destination-rules.yaml | 24 + .../templates/fido2-virtual-services.yaml | 37 + .../janssen/charts/fido2/templates/hpa.yaml | 39 + .../charts/fido2/templates/service.yml | 31 + .../templates/user-custom-secret-envs.yaml | 23 + charts/janssen/charts/fido2/values.yaml | 86 + .../janssen/charts/nginx-ingress/.helmignore | 21 + .../janssen/charts/nginx-ingress/Chart.yaml | 22 + charts/janssen/charts/nginx-ingress/README.md | 68 + .../nginx-ingress/templates/_helpers.tpl | 32 + .../nginx-ingress/templates/ingress.yaml | 749 ++++ 
.../janssen/charts/nginx-ingress/values.yaml | 74 + charts/janssen/charts/opendj/.helmignore | 21 + charts/janssen/charts/opendj/Chart.yaml | 21 + charts/janssen/charts/opendj/README.md | 78 + .../charts/opendj/templates/_helpers.tpl | 68 + .../charts/opendj/templates/configmaps.yaml | 21 + .../charts/opendj/templates/cronjobs.yaml | 101 + .../janssen/charts/opendj/templates/hpa.yaml | 38 + .../templates/opendj-destination-rules.yaml | 25 + .../charts/opendj/templates/secrets.yaml | 20 + .../charts/opendj/templates/service.yaml | 114 + .../charts/opendj/templates/statefulset.yaml | 168 + .../charts/opendj/templates/storageclass.yaml | 59 + .../templates/user-custom-secret-envs.yaml | 22 + charts/janssen/charts/opendj/values.yaml | 157 + charts/janssen/charts/persistence/.helmignore | 22 + charts/janssen/charts/persistence/Chart.yaml | 21 + charts/janssen/charts/persistence/README.md | 51 + .../charts/persistence/templates/_helpers.tpl | 79 + .../charts/persistence/templates/jobs.yml | 107 + .../charts/persistence/templates/service.yaml | 27 + .../templates/user-custom-secret-envs.yaml | 22 + charts/janssen/charts/persistence/values.yaml | 49 + charts/janssen/charts/scim/.helmignore | 21 + charts/janssen/charts/scim/Chart.yaml | 22 + charts/janssen/charts/scim/README.md | 60 + .../charts/scim/templates/_helpers.tpl | 68 + .../charts/scim/templates/deployment.yml | 135 + charts/janssen/charts/scim/templates/hpa.yaml | 39 + .../templates/scim-destination-rules.yaml | 24 + .../scim/templates/scim-virtual-services.yaml | 47 + .../janssen/charts/scim/templates/service.yml | 31 + .../templates/user-custom-secret-envs.yaml | 23 + charts/janssen/charts/scim/values.yaml | 85 + charts/janssen/templates/_helpers.tpl | 32 + charts/janssen/values.schema.json | 3356 +++++++++++++++++ charts/janssen/values.yaml | 1040 +++++ 115 files changed, 11759 insertions(+), 381 deletions(-) delete mode 100644 .github/workflows/update_helm_chart.yml delete mode 100644 
automation/analyze_chart.py delete mode 100644 automation/helpers.py delete mode 100644 automation/prepare_chart.sh delete mode 100644 automation/yaml_parser.py create mode 100644 charts/index.yaml create mode 100644 charts/janssen-1.0.0-beta.14.tgz create mode 100644 charts/janssen/Chart.yaml create mode 100644 charts/janssen/README.md create mode 100644 charts/janssen/charts/auth-server-key-rotation/.helmignore create mode 100644 charts/janssen/charts/auth-server-key-rotation/Chart.yaml create mode 100644 charts/janssen/charts/auth-server-key-rotation/README.md create mode 100644 charts/janssen/charts/auth-server-key-rotation/templates/_helpers.tpl create mode 100644 charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml create mode 100644 charts/janssen/charts/auth-server-key-rotation/templates/service.yaml create mode 100644 charts/janssen/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/auth-server-key-rotation/values.yaml create mode 100644 charts/janssen/charts/auth-server/.helmignore create mode 100644 charts/janssen/charts/auth-server/Chart.yaml create mode 100644 charts/janssen/charts/auth-server/README.md create mode 100644 charts/janssen/charts/auth-server/templates/_helpers.tpl create mode 100644 charts/janssen/charts/auth-server/templates/auth-server-destination-rules.yaml create mode 100644 charts/janssen/charts/auth-server/templates/auth-server-virtual-services.yaml create mode 100644 charts/janssen/charts/auth-server/templates/deployment.yml create mode 100644 charts/janssen/charts/auth-server/templates/hpa.yaml create mode 100644 charts/janssen/charts/auth-server/templates/service.yml create mode 100644 charts/janssen/charts/auth-server/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/auth-server/values.yaml create mode 100644 charts/janssen/charts/client-api/.helmignore create mode 100644 charts/janssen/charts/client-api/Chart.yaml create 
mode 100644 charts/janssen/charts/client-api/README.md create mode 100644 charts/janssen/charts/client-api/templates/_helpers.tpl create mode 100644 charts/janssen/charts/client-api/templates/client-api-destination-rules.yaml create mode 100644 charts/janssen/charts/client-api/templates/deployment.yaml create mode 100644 charts/janssen/charts/client-api/templates/hpa.yaml create mode 100644 charts/janssen/charts/client-api/templates/networkpolicy.yaml create mode 100644 charts/janssen/charts/client-api/templates/service.yaml create mode 100644 charts/janssen/charts/client-api/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/client-api/values.yaml create mode 100644 charts/janssen/charts/config-api/.helmignore create mode 100644 charts/janssen/charts/config-api/Chart.yaml create mode 100644 charts/janssen/charts/config-api/README.md create mode 100644 charts/janssen/charts/config-api/templates/_helpers.tpl create mode 100644 charts/janssen/charts/config-api/templates/config-api-destination-rules.yaml create mode 100644 charts/janssen/charts/config-api/templates/deployment.yaml create mode 100644 charts/janssen/charts/config-api/templates/hpa.yaml create mode 100644 charts/janssen/charts/config-api/templates/service.yaml create mode 100644 charts/janssen/charts/config-api/values.yaml create mode 100644 charts/janssen/charts/config/.helmignore create mode 100644 charts/janssen/charts/config/Chart.yaml create mode 100644 charts/janssen/charts/config/README.md create mode 100644 charts/janssen/charts/config/templates/_helpers.tpl create mode 100644 charts/janssen/charts/config/templates/clusterrolebinding.yaml create mode 100644 charts/janssen/charts/config/templates/configmaps.yaml create mode 100644 charts/janssen/charts/config/templates/load-init-config.yml create mode 100644 charts/janssen/charts/config/templates/rolebinding.yaml create mode 100644 charts/janssen/charts/config/templates/roles.yaml create mode 100644 
charts/janssen/charts/config/templates/secrets.yaml create mode 100644 charts/janssen/charts/config/templates/service.yaml create mode 100644 charts/janssen/charts/config/templates/user-custom-envs.yaml create mode 100644 charts/janssen/charts/config/values.yaml create mode 100644 charts/janssen/charts/fido2/.helmignore create mode 100644 charts/janssen/charts/fido2/Chart.yaml create mode 100644 charts/janssen/charts/fido2/README.md create mode 100644 charts/janssen/charts/fido2/templates/_helpers.tpl create mode 100644 charts/janssen/charts/fido2/templates/deployment.yml create mode 100644 charts/janssen/charts/fido2/templates/fido2-destination-rules.yaml create mode 100644 charts/janssen/charts/fido2/templates/fido2-virtual-services.yaml create mode 100644 charts/janssen/charts/fido2/templates/hpa.yaml create mode 100644 charts/janssen/charts/fido2/templates/service.yml create mode 100644 charts/janssen/charts/fido2/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/fido2/values.yaml create mode 100644 charts/janssen/charts/nginx-ingress/.helmignore create mode 100644 charts/janssen/charts/nginx-ingress/Chart.yaml create mode 100644 charts/janssen/charts/nginx-ingress/README.md create mode 100644 charts/janssen/charts/nginx-ingress/templates/_helpers.tpl create mode 100644 charts/janssen/charts/nginx-ingress/templates/ingress.yaml create mode 100644 charts/janssen/charts/nginx-ingress/values.yaml create mode 100644 charts/janssen/charts/opendj/.helmignore create mode 100644 charts/janssen/charts/opendj/Chart.yaml create mode 100644 charts/janssen/charts/opendj/README.md create mode 100644 charts/janssen/charts/opendj/templates/_helpers.tpl create mode 100644 charts/janssen/charts/opendj/templates/configmaps.yaml create mode 100644 charts/janssen/charts/opendj/templates/cronjobs.yaml create mode 100644 charts/janssen/charts/opendj/templates/hpa.yaml create mode 100644 charts/janssen/charts/opendj/templates/opendj-destination-rules.yaml 
create mode 100644 charts/janssen/charts/opendj/templates/secrets.yaml create mode 100644 charts/janssen/charts/opendj/templates/service.yaml create mode 100644 charts/janssen/charts/opendj/templates/statefulset.yaml create mode 100644 charts/janssen/charts/opendj/templates/storageclass.yaml create mode 100644 charts/janssen/charts/opendj/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/opendj/values.yaml create mode 100644 charts/janssen/charts/persistence/.helmignore create mode 100644 charts/janssen/charts/persistence/Chart.yaml create mode 100644 charts/janssen/charts/persistence/README.md create mode 100644 charts/janssen/charts/persistence/templates/_helpers.tpl create mode 100644 charts/janssen/charts/persistence/templates/jobs.yml create mode 100644 charts/janssen/charts/persistence/templates/service.yaml create mode 100644 charts/janssen/charts/persistence/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/persistence/values.yaml create mode 100644 charts/janssen/charts/scim/.helmignore create mode 100644 charts/janssen/charts/scim/Chart.yaml create mode 100644 charts/janssen/charts/scim/README.md create mode 100644 charts/janssen/charts/scim/templates/_helpers.tpl create mode 100644 charts/janssen/charts/scim/templates/deployment.yml create mode 100644 charts/janssen/charts/scim/templates/hpa.yaml create mode 100644 charts/janssen/charts/scim/templates/scim-destination-rules.yaml create mode 100644 charts/janssen/charts/scim/templates/scim-virtual-services.yaml create mode 100644 charts/janssen/charts/scim/templates/service.yml create mode 100644 charts/janssen/charts/scim/templates/user-custom-secret-envs.yaml create mode 100644 charts/janssen/charts/scim/values.yaml create mode 100644 charts/janssen/templates/_helpers.tpl create mode 100644 charts/janssen/values.schema.json create mode 100644 charts/janssen/values.yaml 
diff --git a/.github/workflows/update_helm_chart.yml b/.github/workflows/update_helm_chart.yml
deleted file mode 100644
index 98dc06b462e..00000000000
--- a/.github/workflows/update_helm_chart.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -name: updatehelmchart -on: [workflow_dispatch] -jobs: - createPullRequest: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@master - - - name: Set up Python 3.7 - uses: actions/setup-python@v2.3.1 - with: - python-version: 3.7 - - - name: Install dependencies - run: | - sudo apt-get update - sudo python3 -m pip install --upgrade pip - sudo pip3 install -r ./automation/requirements.txt - sudo apt-get update - sudo apt-get install jq - - - name: Clone cloud native repo - run: | - sudo bash automation/prepare_chart.sh - sudo python3 automation/analyze_chart.py - sudo cp -rf /home/runner/work/test/pygluu/kubernetes/templates/helm/gluu/. charts/jans - # sudo cp /home/runner/work/test/pygluu/kubernetes/__init__.py __version__.py - sudo rm -rf home/runner/work/test - - - name: Import GPG key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@v4 - with: - gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }} - git_user_signingkey: true - git_commit_gpgsign: true - - - name: Configure Git - run: | - git config user.name "mo-auto" - git config user.email "54212639+mo-auto@users.noreply.github.com" - git config --global user.signingkey "${{ steps.import_gpg.outputs.keyid }}" - git add -A - git commit -S -s -m "chore: update helm package" - - - name: Create Pull Request - id: cpr - uses: peter-evans/create-pull-request@v3 - with: - token: ${{ secrets.MOWORKFLOWTOKEN }} - commit-message: 'feat(helm): update Helm Chart' - committer: GitHub - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - branch: update-helm-chart - title: 'feat(helm): update Helm Chart' - body: | - - Update Helm chart - - Auto-generated due to a change in the main repo https://github.com/GluuFederation/cloud-native-edition - - labels: | - enhancement - bot - assignees: moabu - reviewers: moabu - delete-branch: true - - - name: Check output - run: | - echo "Pull 
Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
\ No newline at end of file
diff --git a/automation/analyze_chart.py b/automation/analyze_chart.py
deleted file mode 100644
index 5a41adf7d47..00000000000
--- a/automation/analyze_chart.py
+++ /dev/null
@@ -1,75 +0,0 @@
-import fnmatch
-import os
-from pathlib import Path
-
-from helpers import get_logger
-from yaml_parser import Parser
-
-logger = get_logger("cn-analyze-chart ")
-
-
-def find_replace(directory, find, replace, filepatterm):
- for path, _dirs, files in os.walk(os.path.abspath(directory)):
- for filename in fnmatch.filter(files, filepatterm):
- filepath = os.path.join(path, filename)
- with open(filepath) as f:
- s = f.read()
- s = s.replace(find, replace)
- with open(filepath, "w") as f:
- f.write(s)
-
-
-global_keys_list = ["cnJackrabbitCluster", "jackrabbit", "oxtrust", "oxshibboleth", "cr-rotate"]
-config_keys_list = ["cnSyncShibManifests", "cnSyncCasaManifests", "cnOxtrustBackend",
- "cnJackrabbitPostgresUser", "cnJackrabbitPostgresPasswordFile",
- "cnJackrabbitPostgresDatabaseName", "cnJackrabbitPostgresHost", "cnJackrabbitPostgresPort",
- "cnJackrabbitAdminId", "cnJackrabbitAdminPassFile", "cnJackrabbitSyncInterval",
- "cnJackrabbitUrl", "cnJackrabbitAdminIdFile", "cnDocumentStoreType", "cnOxtrustApiEnabled",
- "cnOxtrustApiTestMode", "cnPassportEnabled", "cnCasaEnabled", "cnRadiusEnabled",
- "cnSamlEnabled"]
-
-non_janssen_charts = ["jackrabbit", "oxtrust", "oxshibboleth", "oxpassport", "casa", "cr-rotate", "radius"]
-main_dir = "/home/runner/work/test/pygluu/kubernetes/templates/helm/gluu/"
-
-main_values_file = Path(main_dir + "values.yaml").resolve()
-main_values_file_parser = Parser(main_values_file, True)
-
-# global values
-for key in global_keys_list:
- try:
- del main_values_file_parser["global"][key]
- except KeyError:
- logger.info("Key {} has been removed previously or does not exist".format(key))
-
-# config
-for key in config_keys_list:
- try:
- del main_values_file_parser["config"]["configmap"][key]
- except KeyError:
- logger.info("Key {} has been removed previously or does not exist".format(key))
-
-# Charts
-for key in non_janssen_charts:
- try:
- del main_values_file_parser[key]
- except KeyError:
- logger.info("Key {} has 
been removed previously or does not exist".format(key))
-
-main_values_file_parser.dump_it()
-
-main_chart_file = Path(main_dir + "Chart.yaml").resolve()
-main_chart_file_parser = Parser(main_chart_file, True)
-chart_dependencies = []
-for chart in main_chart_file_parser["dependencies"]:
- if chart["name"] not in non_janssen_charts:
- chart_dependencies.append(chart)
-main_chart_file_parser["dependencies"] = chart_dependencies
-main_chart_file_parser.dump_it()
-find_replace(main_dir, "support@gluu.org", "support@jans.io", "*.*")
-find_replace(main_dir, "https://www.gluu.org", "https://jans.io", "*.*")
-find_replace(main_dir, "demoexample.gluu.org", "demoexample.jans.io", "*.*")
-find_replace(main_dir, "https://gluu.org/docs/gluu-server", "https://jans.io", "*.*")
-find_replace(main_dir, "Gluu", "Janssen", "*.*")
-find_replace(main_dir, "gluu", "jans", "*.*")
-find_replace(main_dir, "jansfederation", "gluufederation", "*.*")
-find_replace(main_dir, "GLUU", "JANS", "*.*")
diff --git a/automation/helpers.py b/automation/helpers.py
deleted file mode 100644
index 0a804dcafaa..00000000000
--- a/automation/helpers.py
+++ /dev/null
@@ -1,85 +0,0 @@
-"""
-
- License terms and conditions for Janssen Cloud Native Edition:
- https://www.apache.org/licenses/LICENSE-2.0
-"""
-import subprocess
-import shlex
-import logging
-import json
-import errno
-import shutil
-from pathlib import Path
-
-
-def update_json_file(settings, file):
- """
-
- Write settings out to a json file
- :param settings:
- """
- with open(Path(file), 'w+') as file:
- json.dump(settings, file, indent=2)
-
-
-def exec_cmd(cmd, output_file=None):
- """
-
- Execute command cmd
- :param cmd:
- :param output_file:
- :return:
- """
- args = shlex.split(cmd)
- popen = subprocess.Popen(args,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- stdout, stderr = popen.communicate()
- retcode = popen.returncode
- if stdout and output_file:
- with open(output_file, "w+") as file:
- file.write(str(stdout, "utf-8"))
-
- if retcode != 0:
- logger.error(str(stderr, "utf-8"))
- return stdout, stderr, retcode
-
-
-def get_logger(name):
- """
-
- Set logger configs with name.
- :param name:
- :return:
- """
- log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s'
- logging.basicConfig(level=logging.INFO,
- format=log_format,
- filename='setup.log',
- filemode='w')
- console = logging.StreamHandler()
- console.setLevel(logging.INFO)
- console.setFormatter(logging.Formatter(log_format))
- logging.getLogger(name).addHandler(console)
- return logging.getLogger(name)
-
-
-logger = get_logger("cn-helpers ")
-
-
-def copy(src, dest):
- """
-
- Copy from source to destination
- :param src:
- :param dest:
- """
- try:
- shutil.copytree(src, dest)
- except OSError as e:
- # If the error was caused because the source wasn't a directory
- if e.errno == errno.ENOTDIR:
- shutil.copy(src, dest)
- else:
- logger.error('Directory not copied. Error: {}'.format(e))
diff --git a/automation/prepare_chart.sh b/automation/prepare_chart.sh
deleted file mode 100644
index 63616fa673c..00000000000
--- a/automation/prepare_chart.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash -set -e - -mkdir -p /home/runner/work/test -git clone --recursive --depth 1 --branch master https://github.com/GluuFederation/cloud-native-edition.git /home/runner/work/test/ -temp_chart_folder="/home/runner/work/test/pygluu/kubernetes/templates/helm/gluu/charts" -rm /home/runner/work/test/pygluu/kubernetes/templates/helm/gluu/openbanking-values.yaml -services="casa cr-rotate jackrabbit oxpassport oxshibboleth oxtrust radius" -for service in $services; do - rm -rf "${temp_chart_folder:?}/""$service" -done - -remove_all() { - sed '/{{ if eq .Values.global.cnJackrabbitCluster/,/{{- end }}/d' \ - | sed '/{{- if eq .Values.global.cnJackrabbitCluster/,/{{- end }}/d' \ - | sed '/{{- if .Values.global.oxshibboleth.enabled }}/,/{{- end }}/d' \ - | sed '/cnJackrabbitCluster/d' \ - | sed '/JACKRABBIT/d' \ - | sed '/Casa/d' \ - | sed '/Passport/d' \ - | sed '/Radius/d' \ - | sed '/Oxtrust/d' \ - | sed '/Shib/d' \ - | sed '/oxshibboleth/d' -} - -remove_all < $temp_chart_folder/auth-server/templates/deployment.yml > tmpfile && mv tmpfile \ -$temp_chart_folder/auth-server/templates/deployment.yml - -remove_all < $temp_chart_folder/config/templates/configmaps.yaml > tmpfile && mv tmpfile \ -$temp_chart_folder/config/templates/configmaps.yaml - -remove_all < $temp_chart_folder/config/values.yaml > tmpfile && mv tmpfile \ -$temp_chart_folder/config/values.yaml - diff --git a/automation/startjanssendemo.sh b/automation/startjanssendemo.sh index a86ae8c66fe..4040a2adecc 100644 --- a/automation/startjanssendemo.sh +++ b/automation/startjanssendemo.sh @@ -70,7 +70,6 @@ global: # -- Nginx ingress definitions chart nginx-ingress: ingress: - adminUiEnabled: false openidConfigEnabled: true uma2ConfigEnabled: true webfingerEnabled: true 
@@ -90,9 +89,9 @@ nginx-ingress:
 hosts:
 - $JANS_FQDN
 EOF
-sudo helm repo add jans https://gluufederation.github.io/flex/flex-cn-setup/pygluu/kubernetes/templates/helm
+sudo helm repo add janssen https://https://janssenproject.github.io/jans/charts
 sudo helm repo update
-sudo helm install jans jans/gluu -n jans --version=5.0.2 -f override.yaml --kubeconfig="$KUBECONFIG"
+sudo helm install janssen janssen/janssen -n jans -f override.yaml --kubeconfig="$KUBECONFIG"
 echo "Waiting for auth-server to come up. This may take 5-10 mins....Please do not cancel out...This will wait for the auth-server to be ready.."
 sleep 120
 cat << EOF > testendpoints.sh
diff --git a/automation/yaml_parser.py b/automation/yaml_parser.py
deleted file mode 100644
index 8a50646054f..00000000000
--- a/automation/yaml_parser.py
+++ /dev/null
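Review bot: The new `helm repo add` line carries a doubled scheme, `https://https://janssenproject.github.io/jans/charts`, so the repository URL is malformed and the `helm install` two lines below has no usable `janssen/janssen` chart to resolve; the line should read `sudo helm repo add janssen https://janssenproject.github.io/jans/charts`. The rewritten `helm install` line also drops the `--version=` pin that the old line carried, so the demo installs whatever the index serves as latest and is no longer reproducible from one run to the next; since the only chart this commit publishes is `1.0.0-beta.14`, a pre-release, an unpinned install may also fail to select it at all. Pin it explicitly: `sudo helm install janssen janssen/janssen -n jans --version=1.0.0-beta.14 -f override.yaml --kubeconfig="$KUBECONFIG"`. The heredoc that builds override.yaml starts before this hunk.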
@@ -1,112 +0,0 @@
-"""
-
- License terms and conditions for Janssen Cloud Native Edition:
- https://www.apache.org/licenses/LICENSE-2.0
- Yaml parser
-"""
-from pathlib import Path
-import contextlib
-import os
-from ruamel.yaml import YAML
-from ruamel.yaml.comments import CommentedMap
-from collections import OrderedDict, Mapping
-from helpers import get_logger
-logger = get_logger("cn-yaml-parser ")
-
-
-class Parser(dict):
- def __init__(self, filename, check_value=None, check_value_name=None, check_key='kind'):
- """
-
- :param filename:
- :param check_value:
- :param check_value_name:
- :param check_key:
- """
- super().__init__()
- self.filename = Path(filename)
- self.yaml = YAML()
- self.yaml.preserve_quotes = True
- self.manifests_dict_list = []
- self.modify_dict = dict
- self.tmp_yaml_file = Path("./tmp.yaml")
-
- if check_value:
- if self.filename.exists():
- with open(filename) as file:
- manifests_dicts = self.yaml.load_all(file)
- for manifest in manifests_dicts:
- try:
- if manifest[check_key] == check_value:
- if check_value_name:
- if manifest['metadata']['name'] == check_value_name:
- self.modify_dict = manifest
- else:
- self.manifests_dict_list.append(manifest)
- else:
- self.modify_dict = manifest
- else:
- self.manifests_dict_list.append(manifest)
- except KeyError:
- # Key kind is not found so its the values.yaml for helm which only has one dict item
- self.modify_dict = manifest
- with open(self.tmp_yaml_file, 'w') as file:
- self.yaml.dump(self.modify_dict, file)
-
- with open(self.tmp_yaml_file) as f:
- super(Parser, self).update(self.yaml.load(f) or {})
-
- @property
- def return_manifests_dict(self):
- """
-
- :return:
- """
- if self.filename.exists():
- with open(self.filename) as file:
- manifests_dicts = self.yaml.load_all(file)
- for manifest in manifests_dicts:
- self.manifests_dict_list.append(manifest)
-
- return self.manifests_dict_list
-
- def __setitem__(self, key, value):
- """
-
- :param key:
- :param value:
- """
- 
super(Parser, self).__setitem__(key, value)
-
- def dump_it(self):
- """
-
- """
- d = self.analyze_ordered_dict_object(self)
- final_manifest_dict_list = self.manifests_dict_list + [d]
- with open(self.filename, "w+") as f:
- self.yaml.dump_all(final_manifest_dict_list, f)
- with contextlib.suppress(FileNotFoundError):
- os.remove(self.tmp_yaml_file)
-
- def analyze_ordered_dict_object(self, data):
- if isinstance(data, OrderedDict) or isinstance(data, dict):
- commented_map = CommentedMap()
- for k, v in data.items():
- commented_map[k] = self.analyze_ordered_dict_object(v)
- return commented_map
- return data
-
- def __delitem__(self, key):
- try:
- super(Parser, self).__delitem__(key)
- except KeyError as e:
- logger.error(e)
-
- def update(self, other=None, **kwargs):
- if other is not None:
- for k, v in other.items() if isinstance(other, Mapping) else other:
- self[k] = v
- for k, v in kwargs.items():
- self[k] = v
- super(Parser, self).update(self)
\ No newline at end of file
diff --git a/charts/index.yaml b/charts/index.yaml
new file mode 100644
index 00000000000..cac256c71e1
--- /dev/null
+++ b/charts/index.yaml
@@ -0,0 +1,91 @@
+apiVersion: v1
+entries:
+ janssen:
+ - annotations:
+ artifacthub.io/changes: |
+ - Initial release of Janssen helm charts
+ artifacthub.io/containsSecurityUpdates: "true"
+ artifacthub.io/images: |
+ - name: auth-server
+ image: janssenproject/auth-server:1.0.0-beta.14
+ - name: auth-server-key-rotation
+ image: janssenproject/certmanager:1.0.0-beta.14
+ - name: client-api
+ image: janssenproject/client-api:1.0.0-beta.14
+ - name: configuration-manager
+ image: janssenproject/configurator:1.0.0-beta.14
+ - name: config-api
+ image: janssenproject/config-api:1.0.0-beta.14
+ - name: fido2
+ image: janssenproject/fido2:1.0.0-beta.14
+ - name: opendj
+ image: janssenfederation/opendj:1.0.0_dev
+ - name: persistence
+ image: janssenproject/persistence-loader:1.0.0-beta.14
+ - name: scim
+ image: janssenproject/scim:1.0.0-beta.14
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/prerelease: "true"
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Janssen Cloud Identity and Access Management
+ catalog.cattle.io/release-name: janssen
+ apiVersion: v2
+ appVersion: 1.0.0
+ created: "2022-02-03T10:51:56.3433582Z"
+ dependencies:
+ - condition: global.config.enabled
+ name: config
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.config-api.enabled
+ name: config-api
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.opendj.enabled
+ name: opendj
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.auth-server.enabled
+ name: auth-server
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.fido2.enabled
+ name: fido2
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.scim.enabled
+ name: scim
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.nginx-ingress.enabled
+ name: nginx-ingress
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.auth-server-key-rotation.enabled
+ name: auth-server-key-rotation
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.client-api.enabled
+ name: client-api
+ repository: ""
+ version: 1.0.0-beta.14
+ - condition: global.persistence.enabled
+ name: persistence
+ repository: ""
+ version: 1.0.0-beta.14
+ description: Janssen Access and Identity Management
+ digest: 1b6c34f70b3477f38346cd43f2769b5187aa280f78f5b6f8006c71e057dd8e1d
+ home: https://jans.io
+ icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+ kubeVersion: '>=v1.21.0-0'
+ maintainers:
+ - email: support@jans.io
+ name: moabu
+ name: janssen
+ sources:
+ - https://jans.io
+ - https://github.com/JanssenProject/jans/charts/janssen
+ urls:
+ - janssen-1.0.0-beta.14.tgz
+ version: 1.0.0-beta.14
+generated: "2022-02-03T10:51:56.3186954Z"
diff --git a/charts/janssen-1.0.0-beta.14.tgz b/charts/janssen-1.0.0-beta.14.tgz new file mode 100644 index 0000000000000000000000000000000000000000..efa3b46c9c0c2d8c148b6347d3dd76a90791c401 GIT binary patch literal 72360 zcmYhCV~{4mvZmX%t*VrWKa1|V~- znuoq!M0%8D@d!^&SIL~F7zvP|3}6PVDL9B5;(fe?oG)bKLdH;o+u;qrY15{+gLUR7 zyQcN*&zJR8xjf&759^l;Og;YXug;E_-%f5f!w=i^0#0A$(m#fDL?4A6j#^1Wyzzvj z!7!8zWZf;`K*k`5`4plKeF0~&?19GN?yy_7z(4}{c*ryia6rPqfq1}NKy{B$AON)B z{-nY16QDv70cm$k55_@5Z{#<5@qX3;L*=Ymf8lhC^nRokpy=W98RRY@=^jXd6f0on zXn^Q0K<<*`NV6-(v`FIy0F2u;8=1dMKi@tBM`0THjD$)|YR`enatjh2UOosl8=8ui z1w2(`>>tLcG`1}Bw`qW!_0*b1rQ=PVeApBSS3mE18mvfi%3lB=^7+z11TiL-`Hin5 z8RT(MR0S6f#TeTmFeJ>Z;4rZa3iFkbGtP@Q6HE>(y_|>-Pzl3?e+y?p9TF zquFsG)C_Rugb?t&-8kX>zW$%I@z~E=Kn!RKvEU|uG0G)kwM{g|-F4x#5Vk>HO>gTK zLJ1O-Zj<)AVXVbOWmw}=LaUk!O^?yMxr@{SXv#*=^qC7(1EfOJx0V>OnTFn!K{M(u zE&`^g8LPO-(~?p|?Hfg;@S$Ei$ub|zVdc;uGpSkai={WZnRKZm5q^< z8sS2aAZh#mQWi>o#{FJzq${o`v@H~i6VlNuV7|wYw=m$3h1uWg}FX*oh`Y0L> z=ubdOhvU4ZB2ot8z#@_Z62kU}GdZsucsojk*oqy78vBtC{gGcla!v`}QZ<<+5s5|U z=OYsdykPJQ@%gwrD9+Jp(ZvKz0UuW;XD951Lk&Tp=mYUehxQj4h(MG4Sw$<_~xS5ph5=Z%27b2QcKry;8!Qsv~M@5YsM$hy^K8 zbHO=?4577a2x!w5xLf6dq9B+BpxbjajL8I?4haHvMy~Uajdj-xD`7-a>h7p*2Ny*i!WqV>}PYzRiUA?$+1!P}&CcoJ^ahQ@IBUO^l$L z2tO%e@(-l85gHCXY%uCcwz6n=cGlo!pzr+>DMnxyVn71e1$Rp=tK1h|YUX#TMj{8s z$9aSAs$MW`%tlWQ;vNozSTx|p42LI{(Orhpa_ceQSGYx}>mamsGLN~w17F<)$HNY} zHp@=9ZDABPBs8;+Nx7fTGXxLGlT^4rV7OZz+6H5l zelJ-C2#Xjcbo=SfVZsR#($8aOnVAM=Z0@>^?)IE?e74k0-eM*)`uFaT4FGA+6Co^9 zh6pt%N>=cJ$U~jRJQm>$ET#2J-$l1)Kz;;|h)mfHU@0R1wGi&Cw4K(WvxWt}Eb8~~ z9TCjmd*{0ce#AQRyoWCkSha^^P>2KVK%#y+o3*b7Y8Ify8>FnPU?nHpQy0wBUbo(i z_3^L(;~5HO^`hQnIAJuTm4}Vr3wO81i|`yO=a10bWVHSDSxp*8x!+EBsuEg2Ofu0a z9_oqe7crt8OJENw%92`5x3SqqO?F&YKExsGFIP3xj8FA%xj$AaKh)kI(vjW_l2P6+ z?hdG>zsZiRc%4T_yuqWhSyyREHbL{DS)i(d^y}o;nOyx1s#t~!&mM<_;m;s4lyMUfGJl~uya0@MW#3}Jc?5Exnqw(KFos&J zTVtbvGF!CeTi*S~Plyaw*K~;LyO~toV+cGt?bGaa9!K-P)ZR%&wm3{-ztC zL;wsME+O7C6|V#@f@2{TA9Xkty1MbAkS3qsA1Kzu`23snh!1Mi1vk7zpT(QS-+>6{bHd79a0=WIzC{*I 
zFfEV`wxdYoX0dD<^S28WoI>l21nLMjNgD{AONx zW^^Yo0_h8gp5@h;~1!a5hpV3&cJvIxy-XUPi0DMv&RByp?{V+eM9nII@ zV?ffyt(3os>CJa+0E_MzbrBwhW|7*w{#at=z&kmuUSfTCy;pd-ZgHJGgNt8-Zkv1C zZ~FrZFFL|8BSnjC6k!x*Cw;wE{-C_3OU<)YnFob9XEA^!ki{cyUh%8De|Lfe2g2b@ zZ0~OF<`0Txf4C5DzCf&Y&8s@b(D4WbV(Lh~@FhPzsmo%n7Gu|CZR*?K}{{!S=Nh~hrni_pObFA~gG`wbTw+#*q|1}A_CtitGDcBK9eec0owJmmcaH}> zuObEh$Do}Hz09xUwmZM?-+fux?3R7>U8}Y)DXTE3gxlse&~NZ_^J1(}=;Q|y#+By_ z!S9qNSY%LeDn6X{#N#!Fo5|V1Ai+>5CZ1V)x%fxPU`7mqc$X%bc#G<;fySz60*Ep! zDM+Oh<4}lV7-icQr34cFWe(<-;k0v8_*@mH`sC!oj$7p|nwGR4RW6EJbW;M%D3jw< zNb^n5sIfkWmGjzixy78rx=qtcJkNJXQ8rIzc)!CvP`ZGi1JZqQ=d2=R-!&u9-$LRB z`QZCm5EV-b9{98M*qLD>MJVit0!7%4CjVI1C#RsHpi(O#ETB$ch>2Wi{U$;wR3vey zIr0DVlb{G7xPUZMP@P?~zWh{|gzKVcE(mpOmVIdbWncxb8bHV1i5G3^zyh2bONS|l zpOzuWWVpl}^(iW*!ANLoRephMLuH47?-==p;>+Y{>TLC9zyZ(ZMx&igm^EFE;FeUM2(hj`#m{PRC z)AEcH1)87lPy!V*P#qeuiE^lrTO95li-z2tfRCcXK)}x3nXv92 z`Xe3o<%@$QUXoJhzOVd7m}`Oql6?7d?TAp(CTl7S7TEZo!tTh};P-?D1OMhYfxL44 z5ze`19-O3QXLwX}2-31A8iLAae~0jNRymENXhy_G1%Yw-+RYIBN^;N5umpii<;oGo zb7MZsKxyP@{g$wWX*qejdY*f&W3TOeHO%Ijee}vrRK1}(D{BuOd8re-&IK(3K_Mis zs4?^(e7wY82v{)1)FqH%mjv7S4h!i38p*g-z<4?${$gGezXDzhkh9j_seXZioqYDC z&)0LfJ#a)ADWPS{0UKggZsV!7 zczD!-{i4J9Fc3@T;^buT+iOut(-kNQPqBpDy8h{00HT4Tb#~Q8d-Fo|q>C^uCnO{C zoK%@1-6?lo!Xi&5BfzWxTDa=!6SP8#7bHNgK4{P8T7*QLBx^NfCht7QE%S^$g z&feguj?j7oBB11R#ac5EQ%c2X?8~cgMWbzUxDbLh%b_OsQVz9ALlFd-~=wz~%h9;5>?bR(8Sp$m1HpKxC-nS>pdlii5vh8 z(;pW-q5zsrbrE4)a~+UPn_tPX47)wJxHEsYf7b=EwwjgBaW<;W5J3n49eEX_;jE;M zDiU%K3Sm-qjtkId#FSh%_iqyaC}#JEMf8*q?r0|!!*0PX-?YjjXpWneMQnj}{CO?h z0p6aI0t1l{nwd%UoF z2<=&a8Lu4{QK|<9<2=9D-+(pEHrsw4ci5)xWIKK6>mNpjLXKzyM%f8YOnT?&90BAx z*yAakz8Da>fzqt6Po|W8byfwEiiu~TpjbW0&m1r5;y-To&N2~ue>k#_kMtMuQ6H79 z9=)Wjb)1shBM65pIR&k&QWxPI3z5|VGscyS$d{&k2EFQGK%&s$zMYV+j0bpxHTaD} zUd1{jk*D(W$p6aIe8=lqn!YBwm?X2_keouDGqZ+@XkoN$I{PHZw{|~2&UkbD1%NMQ z)Ul+lu(&!vP(pptdu9+;Gv9UUfF3tF!#Mr=n4G0#vt8UDL*yezXa-ykeS6JJkefGx z3Q9;Pb6&Q>*NUy-j;}*SOqeUPKU5L9fVw-ccvP=^6+Xi6DRg~sK<88;U@C{fMhe6H zB!AyuclXBz 
zrz_7XyiC_k%WG@`2X2-BBv(E%2zoS{Dv=S#Vv)XR@89EDh?ojd_xsv^@tII*K4AR6c7j#&iN5t4@T9hPsH%_4!A&Wl)}X?6^_P956@4lP0zovQy$P~lC43y$$em@XZ_h_8z~ zt1r`S6{y+d=IA?Vz0u5fb$-96(Nd#BwTq#CNIk1|poB!!m>K?iG=FEH zA&wmlmv0!2V!6}F*JBZ#UDt&C3nE>R2G&mSbLX8+#G1SivUCXr%1n#$&z6P00t^VD zs9lFPSbIOgEU`%HDGcQ+)9FdTto*(ZeNdNdMn+KSw>*Xzq%=eh*o0(z|JtY_ac%{U z2kJU-a!_L6AHZorC+9$fcM2^cgz!W?RtVSOs`0L;vD^vu?!SoS8?60~&-*m;0PomQB7CCsL$SYKj5hP7zz_ktfGRFagTB)-ROtw9P*ZrcO+QCaY1dku+qpKeu{JYMa^s>gKl8!VY%eK_&0 z;0m0T4cu}4-mX@A253Ce1ac%KteaI~q2#RpoB#G^;r)4a>cA zde(62EbFdxG|Q9UuDT?J`R~*U?GA4R%EiXt6HqNX z{5O{ilG#=ILk3Bf!TNEp>O$=XNc&=P zqdl-c4-g#8E{!Tnz?9|>Xc|U`cZeJLrE|_MgyyXSmWLi7dc+k}V}d;BYt@6N%dgSP z!);ufOevn36Z(7Et!g3z>T~ia`3JjXlMH@u0~99`{=G#t26POxs-9cnVB30?Ao8@H z@flm99foG1IC{0nRC|cWM|rE^!Eba9MR+r0tX}RI zoHaC2GyUztYm=LS7FNOoEAa*WQC`V6%0(?zvmBcTYwyARP1^pnd1uyE--+)B^X+-{ zTGCH%HLBLH*7jE}kji3ol~`IcWD}9-#POnrzDWL;M`lmxt7S} zJ}#Ev;k+Ta1XEHk*?8DVXc#v?X?Lh=FJ_sHj0Vt&CZ_l2Xm)Tt5f{j6kj9mM35 zE|&}L3svtfz9ci%zEmPfVLr-=Eg}x`y*o%Hh&5qUDCN=-E~7DGA&9m9hO%Ye?JB!o zT#$rc9>sZEf~mNd5blAwWOK6<*!wFukZDK4lC9tgL7#G8P8SNlWV09_11w9h1!q$C zJUji$97^Jn7lrWsI|$fB@<{HyG6rbL0sXw2*-%mk020k$81Dh77_Caj)!>2GQg)&` z9$Toomm@C^UJ{G;x0(RyyRP7Lk9qeu3TOt7uFTfsOT=4d9O(q6;G|8f7O%@_{WKRy z$*mMzw?F9_byemY84(W-FxakGIuIzpcsW{Wj!ZA2%QTwiVtyS~@cgU>ex8+$mGuML zZfaT_afa7Ix@4(UKw6@Q?jh$^wAAO%S`b=Y)^oOAG6>*HRO2p~+nAk3C@9deQYfaw z4o#yh%hA^9(*`iOiOtz>n$Ie3OfvjJ*w-bfI{a9VP9&>7a~J$B?sw{7M!lCV9n1XH zbcpi=nNF(KN*4D!S{#OEBDC0$4%5^>XFRBQXCit}(sj8`q3_!0dj8kYhy?C<7Phs- z1kFH3u`RNbDNx>MUh(-k&Aoj(yU*cA#2ItP{1SI@$*~*^ZyF~v@$8`tj63j5`SAi^ zkUN4eD&|Zek3_&pmVudI?sx*4J$5LKp>3#Oe3h{u)1s3{ zFb11&nWL&+0b@olKd+3%WEHRIVE&@`Ae^xib+$BEw{Hj*LG%Sqx#VCewCut0vq~a2 zyKoKXr@oUVEQV8n_nsgoMK2Nt8(NQP)9=YNgl4d;+6Jq!Q1tUN-r@u-4L-RhahvX2 z#cG9kt^8K*5HJGcEdQx#WlS+`1~B3H7$y4U=HP<`JeV*f`Et z9-%2(hkO;^b{QP?mth^~d&TO7^MJ3`d^Ou#+8DV!MgVLY1r>~zej&i7K*HFR$hdWh zjf@x)$$XK`#OPOiH1=jDnsJ8JCBR1^D%)<LY%|r63yWw(5DOAyRk)mFXbM_j1tB2SNMz-SO~@3>ME*mADab}@QT 
z1UMQy5(hsIpS2s}McGx-U?-iLnR$8Y*n6H|<)uv!$DX)<`1`T?+i2Vq{|}g-Rk?K& zkFaDAfX!SB@1L6L#OaA6yds+Ys%5e`H^pU}WH1?ASv+o=Wx}>aM?F-mT&GQO`t3{} z3VzFYSDl)nEt)`b%Z$_3@0WY?tmhocuXmaId2(@5_VL4c@%0LL${fw~G2Ubx_ST{}a0*47ucYgs~ z|FUPPAIEolDtQJ1ajG&&1ns}I#!a8f&k!jFvceVqe5h2fh47 zU)1ADP5vqzop{FW1BhJm%*PNM|K)<84(=V(z6Jp`@#BaSHQ%b;ddQC>HfPQff1Aj& zLm54U#qko#AnuI=VZNDrPXhFe+mS3Nm4zKJ{oZD|(>)8V zr$U(MUnOE$(%W5}h&ycZ%yNF+g*Os%ex8C%>W^YaU3n2+{=t*^PNOJTACoYmcC3u} zJs56TTWjOYXFrPo#9#JM<>sEAmG;PYF#vF(|C z`>sWmmXmgbsv>J&VBLPy%$~^gIn!(U{dy<%`&Pw9OAYfc)Uqb)Mp|W|4>ltXF*(CQ z%SxVWK{-{Q7VpRm_uGcp23j;#MT_P8*jgN>*y4-yN%3D+cpPz$_H;Q^EY3W>jXr+c zvUD!mDWPZS5R4NYm)0C(+_4TS89$m%vKn2?W2_pQl9$?ZHY3u0AkSmjgm9FOppqb# zj*)~{Znqb9%}!=gL-OCeJtDz&L27kgeye3r4co}VGh}v@4Px%JK)6Z_^S(w8*0ZG9 z+3S!eTxE3Eke+})@eS*hlWSxm=y#~Z5Vrl{BhhwHUWkqys7h88J7IW%Vs@7IyX>q! z9dLV;SWC3KbqacCDhv!AykDME$V#~CJ?FBz!hjD{QwXJ@IUq(6o}rqJ@C=!u(jbh+ z&q^(D`@|z?!dJ~M>Hz~sEjF`ChshlzmS}qYnnv6m-RdMh0QE@52`(0^1 zGI>j{Dz*sG#aD=IB#vns2g%RKT;6KAcf(;u@lqYD#riD{^~s6=<1b41mDG9;DFGay zBdP#S|KRVh%TWe#W>YQ_1$rdKwLN0NUM~cqIHW;+IxO4S&9zJYhbt9L)& zpV8f8MRQc+6yhdx{}6^qX=AdE1I^;IKNJj^f>Ja34b5nX*ijs3zEBA7kXR5XqP`Ut zIGsOS5WN-5+qM#_a?GC!9LI!#qe+)5eG;W+RId^D!*lE>=!xb$5cUK~GCtxXWD-+R$mZc|D1c+M zP;=~NYhP8H;%0;g7gjIP6yLlaWYR>O(?!tm`+(*(bW&?d>`pcaNIB_ z1&Pf1%4MR0P|mXrv*&Ab@N4I4-{7XzXQzwT`o&fb!Kq^;pVw~v+JwiUoYA0 z+P-yn42k>+0D|D%!b{yZ32x+f4Z3zS_`=@Een;Mx}2vn64nDKa0w35V>dv8~IezfGMFu@sA6`FOboI#NO8$WH&7kPE6_F$IM9n zLCwtkV^X{PmusYK5(k;}l2}=F`Sw|bt|;tM)zrMC2lBJjdYVyk-gD^Saagoc`ULrv zC>O-c;ZeAlo`j`i-|!wOQm%g}b6V(7tTNKr-^?JO7sM2D1`0eug2?8YYyo>#fH1-; z80z*;Ai^x6qeXMl!G(nO&a?_t$b$RXJ3dLZkKeVQstCnRX7?p*Uoo4un27*)T0ZfC zZeMWF=s-uv69nHG(RW1~mIEm~B%RcfjCzThSsr&U+`ry!tHl~kc1AXoZz!GEF9*(s zXS}&D_&I~gEx^ZNqG{Y2kZiyRkqN|{T9Y@Zt5x`r{<5q?UK*Yl4y-1uXkwKt>?3V- z47U{pnES0;z4wEftwi1LyYZUi^zBFJv-@77^MhFZGhglZ5tp<3EZFTZT|K4zeczFB(dNGTA0_)UOF-nBkK;bPSf)ZS zU=th$h+4e<+|irxPI8t>80K!{U%*D|$l}1yCKW4?oY!eCld`O`@^EH1plSvu(X8iW zCnO#5AsbCRRzAtN#aRyGBQR{J`Hn7vVw5w)B;wqA+Vt0za$Z>F(xDdg{~u1dZOx$L 
zOK&Z58l&hXSQ)U^tDgRp8k}e~WO|9XxTmH8+366xCS=;B8ycp)vU=%N{Hzi86x1Xo zKfBgm@R?rWMcWKJY0H1~*e8}L_9xjz#xYE)2|{DRmTO$6R6-mzItuG)3gXZy^D+bB zRfL)ED*AU>&$$gWe?|eWB8Zcw=5Gw`di{t2Uk6|7>>^8KH7d9%R$(PK^a*5MoEPk8 zV3#HTiW~;=y`w$^S)24?CM$!K@~i^+O6qeq5=02uUGg`1WqOU>%nlaNiL2xexOrbk zjOnvz7}(gC0mwX>u3=Zzbh0&m#$vVWNIAL?#B$8ZD;qWW)^v;Y73CM~bXbcVBXsZJ z4<8&NMn$LeAhi!0iI2N=-;Z`+SyXf^#3c&!ZuHYlr48!kt}M9S9@pB0j!D65YjS3? zjG|wiIutU+%PY#wQ<X;-LNC*Zu4cWkfj1vPYxx_5lm6ooA#b5qii zdAO36jXQhRe~EdP^lO1%UU_<~xF;_5qg)JusaR=bmc6E*GR*M89``O-jJQhDPAM(f znX1rPo06$+cKIPj%Xt)x0f%)Z1SG)|x63IlDt5}V#MFQpVr;D^^2R)Du$6i6rn>me zW?&{^P3PjY#=y%&P~BQ(z`zbaa=^)qOdJP#l_uzjS4|4Dja;x0R&z;o868wWJ^xbo zt<(QSdJR_tQDGb!SKTHrf7`qcrk$td)lK}MBRNizm7{hIer1Y@+$3-weQfJ=(b;su zvRXMB6CAE-=el#r^Zm_kqh8yFaV_lAQ_Y859e1^P(J&3Jc?583#7wY~D7;3_a{%@5 zJ798JHPN5O+sMx_nv||{p}R%Fxb`Hs^H4L5nHrtqz0^EW3sTtC`L_3g>g?lw-+BYV z>8=1i?3J&R$VBbOGjMb2&!U6yL6c`n-hL$FGOUOwvK!zh(H1x;0LQYtc3}hRpC1s? za`s~W(Ht#EAhFw7^7H#N=Hx7#Z`3@yzpO{P2GzrBrI|qIb=SfEh>{I%1Tu5(Aq|=s zl6gIAfvvcmgct#rC#rS2$Cbiqm_+@55OzqX|1K!~AFVuXGyU4!wPUq`MO-$it&%(Xg;7)d3y;G=i6muzDtTp8ZFkW2s5ne&rws zb$>ofs75HK40nibG;4j zqMym!;8E{_^F{C22>ECl+IfQ5%@~*`R;QT8N@m_@w>-k=3g+9@f;{>CbdeRb$}KF} zSmi|9?Y#Q2wY~81c|Md9|Lkn^;-D;yncirPPlViGEhIl?^7)4?Nv{G z&qqwO*w|tsR>bvdd=$Pc+T7G{cJ**r)TO-Aoc@MZfn_%_oM%SPfNctSYPfn$uWCZU zsP5JFU>-%yh9)b!hmIy0Z(jH^u7y+b4AERsOk)pId-rbW?D{|^qc+}UAXWHup0mXV*4 zg34b=Ei18ky>D@I`gr@Q1A2K89{f1+qRlWqPzi_Sf>Ob=nx>C|=t*-dtbi;3FoasORK(WtkU-BAx;Y*(p#%I&h?)@@9`&3s+?9l8! 
zu$Yc+F1#x%GcdK|y*>z9aThkb6s^Aw7KBu;$z`it?8US0@2riZ|AmQ5<5e?#JtHOf z(?E$(p&B@M(3^u$Y!~meTG&6gIU={(VS^)F}jqATx6&f3nvyAA6LbO+qf*Ax78JW9bE=Cm6tCPWS_4eU$>I1siqpr}*N+2v)Q1WoAGf5iZAZVT}5`SkH<{c2zz5tD!Cd1mv& ziBn$sRXp6h!ZsCs7suqCcF_$rKWt$;^gN`CJMR>7?JAbhrbXg=g>{lQA3D#Z|Ng-@ z@;i(d3n9A7+9&9s#%@rG@c7i8qcK+@(PRu1k1hbQsMbHQ&LLhr-7ZO<3mvQF3Rom$6{0W%(@A4cx?DJ-yX}DNs-67N%Vv4MFA) zIS&Js(PmxO^YdCt4rm<1cF(Z$jVspGwqt|WWY2cR0K3dAA)|08iIcdm!XM>ri9e+3 zdq%z;5Pv#HRz9C!yS+9ID2E)%zgr1Aw?Uu0k)a@_2MvpVq9w4^`p72}y(1#>r0yrs zE}BHXy>TMxCMVfC7vNRd@;*JKL#h6}OdG22S?~B8JGs{*V5i2t;BRmw5jQ4h9%y6S z`m>;=9fzPNLnr%ap>4(%U`!o@IPz-(WYSJD-A*VqoZj?3gvPLXcg!1I95Rg$R z8YScRmVkUtbw~;i(A1?9LAzn5`@`mK5&?<1m~nohC#_wXw;Vc1B+$^{D4E+*n!BEpL!hH@_310}LyL`XHRfhaffMMM(?3#CTOmgr;-27lz^!#E~qe) z=3sm1>s%Zw%~6l@D7zD3uDvdiHt#-3J|y#|#}dPJSvt+=WD}DKywzJ%NV?y9uwPmu zZp`wd52eG_0@9qlLBgdGW z7R2_cJ0Hh=gn{pSn^tw?y7!LNZGt|uCFrqd{9W43PJ?-)sp+)hFr7Grw^NyELZ)lk;JjH*MJu1iV@Ee`pbrIDn*pTbHTmN5+t%au@j;)Tz$dd?qxGD9e(Xmrr8r#b%XE9w>utM4-Ibp}Q1Fg3*#^#y9CL#= z4R^~{?Ikm^PadNpbg1wETp`~$ zQI`C{buGw67-P8Ds236SeEXSgw1=Be8a$sjQWjH029Bwd$4<7dTzfy82}KH%J*tBV~8DSWE#t zS9AX!4YfhqZGTy_XHarJ@(>f+|1+I38uD|vyiU?T`PH>k z{zGl^u#SxT$3`<$|)FFx2**BY_YyA65{sq$#CmMO?uANI!@lT4Di-G#= zOl@6T{e637>mPzOTpkYMfO^CliFYUGU$_(Oa(Y60Gy>M|uXtjwm``annR?st4(T3!)9 z7&ou4rGPBNq>4?S%+%e$?Q$B!btx;O8v66#2czSd4mAWZr$j--RjT;6Cla+8?ys^= zJE@9QVR?TseHm&0IZrN@U2HToqzwY`b}?8uRtjw;!U`~brl=3Y&5gDWDts&gmp&3| z3uMp$L_?l4;P?sTs)|V72@U^MUSQC`;JO`W&)`@jvZG+~>G^E13b&Bt?)>OZcesP< z@frK5+g5f7FT(-YnNOw#hv)p7Foy?14aH8fU$>}3HF%j2!lr|e2X{%cZ@mutE(JHU zNVaRmNW0B*goQ#9$bspk7B)6Z#GNdk;Lx5GNaB8Ixu4XGTMg7mF1rTocgRg07_kbW zDoBz7m}+2g+U2qUY1L??zT#OA3X#}K4VYMDqXp1;+-}UFeI&Q09PLC;N;||j2f(Zp znGyVCq&heq55SZ>xy8;bta(o@r<-b4EA&jYP&$Z2T##sHSh~!B-ynJ!7!!b*+Z8i26qj@{X|stvsWYoBN!w;uVn$0|z<4=#vv+c>~lH zmIVIfdkKCQcAb=j!gV*`Sz+9u`pqgy!yQSmSh^}>wp~6iL|vlf@C!t7`J7$%j^gK( z@f08(N?(!>wcgg+RkWaStM0@x9h;l8XL}}Lz2l)^H915T!Rlvsym(Tu1ZI}va;SMnk&DzZ*Z~^ z`UxovHUEb6L<{u2;6F4cSMl28VI}F!uEP&jdvQDm)epQRCd7m);v9dDGW(Z(@uC*@ 
zJ{hG}e2xy`8fFLjeY;&4C+-n>0+%!P*P;OH_UeWRLwR@WTn<^jz1#;@`l0b^BSbM z64?S!1EgfQ@}`U&DA`QZ`PSdJ4dPrucEEvzmIyKuTYq1V4}Jzb}%#`meS%otj@@t zW(ks)*-sBHT=${zKW-{3-bpYG*0YipKH3;VlOH~0>0v-B4Mgobk~p=HmtKng4IP6Q#Vd?eNHfutP`bu%_WPwJ^W@_6M9 z*|Rn)1HUiO?@xz5mbJMT`WIi=ZFlH982$(cGV5kXE%nQBH`HDc=s=>rGdh%L!4Gh zH>>3z(MSBy(D-q(Z)%S(Umz89l)9GawQ+eNUDfGCmsMwEFSURcs!xW8o`@c;n1)G4 z9rZ(}u}Q{Eovy|))kJrQipDWsx=C+j?V(06MmTK98ZV=1@O%9k`le}GaNnSr0q}Q;dUB?2mmy|(ulI7m6O=}v}kiq_e&O3 z{#1w35pVEhskw?kqf*?3z53*V-BD}#CR#{6Wt+%RD|vp6qn7cunr+k(dDSLb%7$QC z^(NZe64if|_5a&uEJVJ8#`OETC#TI(OW8JR+~)2L_H^7v;rMIRdV2xge+N3tEl}0u zA=gtoY|878-;Ld$L!`hSMz0ymK1MIPEoYNwS^+JS=jrac$?XXR)r=mhrZ!rQjGl)o zHPf5%OB(}~|FRtDg5NHmTV7lSCeO8#+bL@w57@IQYh9BcF&RA>(;-pUX-gZ1DwsXL z=iT5jcWB!&N7*K>>dK*oXZlNJhO5fv^#)9F?>2@X{>?o9vG4z@5rz0A9NuxAxjQWZ^@qEO5j zdH79PByNJDajJyMB#&uFc_3rbT@lTea#zZ@J^AU37sF;*)y_IGB?Vd2xL!SF`S8ax z4d(eneUoZICQ{X;FT+zi=*yJWkBUgvWVj-lJq59BR}IsFl4x2mkMjT7#<;I6nmr!Q z^sqop6#I8Jd#|qm0_UD`jiL1mAqnoVdl@LIlAQttfCK}<2v0cvSGW9$)bwZv18Z5c zuExcSr5{M5+?%whC(+(c>`IO<6xv?u2uetk-&O2XLnJHzZ1Jp$^V1MqF>COJ3cHU0 z2x`_8>D2Unb;GwGW(!FyByD@1KDIZ0lfpnBq+tS|{kzvZ^)OK@X6jT+DMuya-by7D z;zYvrb+DSxvF{vJf;fXcA(Yxh-vCJjhDQ@0>0Xae4G#Y(*YlTS?KQBT!JrcWj2IHR zF6WtxQ8}Zb4j~U;PDu!*7P-WPCPyxZ9V#nts#FlcYy`{YJvxs`+7bo5nCm9P$6-gg zA7tb63gv$8ujbLh?vW%d#L*?_=(;h^Bl*v)cK0Fh_r*|<2e9>jE)P#1#b$Z9xODof zn^UDdLMx3{#RibZRRm)Y3H#Sg`1A2u`$@2XF+>2I@OMcFp%L0+nKe8FP1kChc)(n- zR>&dF(}H!AaJK}vm>@BhR{IWQog=hc$sWeYcdFbrDi$XCJ-d_#e~NK4k=m`@Bq2su zob=pP_m(1~}+( zC3&%L7E`C(@>NjFKx(&Q|0j2Q(N2{lRJ-C6F)d69%z25w?F9LRtM<9H2wZM9QT zz9RFoUAD!@PE5NI05$A$HE6-KI**pF9<4mdXsC3r)atl`mL6PR5%a~6c z3^WV)x*#OIC?vj%&;VA-mHvRyfab3B|Kch9ls@0tW|aBh9|cuE!je5G3D08_D0q^|p&Q?ZCL-!fnZ=6UwWqF=TJ;OL&SCQC8v z_5(LY)N0eC*fG#)XqH`;=Ll94Pg(SUhRada@a8A&Y^F0SRa;wU$5K&wu+!DFD&zl2 zkLAqsi==%^DfncPTax|{sPjU}FIJ>1axBeLOTcJGYFDM?xzrLuRe|%H{w|=+Dl2HF z+vwxH=j(&Ni%UY|w1Y;DZk=r1Osl0Q#*-Fz5G@0FR^epzk6XfwN&_<|s z-l#_K*Z|e8BB0=T5!h)AJ$MiRT!3{E9zGlpR7%VpQVd6UL>z{DSz8$_dVg0}?6!dQ 
z>~kIQUv|q6-iy)S09TD{vQSK&VK4wqe}MPi#^Z^(YR9mwX5NR-U0AOh!FAf3 zR%Z-~|N64bJN<9(AdIsMW<-?;rzQy12&b|&b&}~Cq?6xOz8OFrl4+U;Un7H8HpD}1 zN`njNkrz`?s+6eEW&A-7)vFQ3A6J+HXq=#L=;0%>FTIgtwT3t3tKUS5O=sjdEx#sm zYNor+@FA_JI&$haclk%j%Gc+Kn)TaMOI^kK8#rpJ4(3n;gbLWh1b^j-3iu5~GbP}Y z31>DX!2AA7n`m##s`FPjk~TH3#RxkmoHn8954ZSD2Wrt42s;aja0sDIhyq9rpuDzr z$a)g%oEKxx>v6+&a`O? zX;0MZswYxh)&?u9C*Y?$wLuF5$Dw!?+8YDaRBtJoDXCt~*z>8VUJpOKFv7=qaB67) zTDtt46+v@rPsil_ygwZ;4$$GxU;ZFXBd#HmM+1=~?09eq3It==g_EnxVgG+nVQzJA zmm}z1Gp>EUcTWpjby;3|%x-x%JYVn7v)XbGO@0jM@ji3f9W@gBf5vWR_}p^+sc>2W z#DHMz{SQ&TX_Kw*M9V>QFTFosk5Z|hkCyjjKqBgl!5j|5*aD@Qdp8?JE))&*1No`+=jq0gA-;wqG4DSmtHQp#)ipA@}m*xXIbPvO^(0ab6IK z#PMq-{^+B;;_!zyABTC{@D1T`pU0tc!O3l=mp;lcw!6jyXd;lx!BLV z6%4Y-wh}#Cr|8XCk;2DhkRAqD{Kl*M;nU6XFU!)k9z*4mh7m1`JG$)neUwNV|5W<2 z7Kx@o>EnTl_|!x$MoKt#)c$;rG`m!}9?uHpKgVH}_temcUzDXPF4-yZb$#dIwZhB7 zVHflTu$tEXbm{T=eHU^xeBWGMU8`LD=zRW$qk&l4eC_N+x0?rSi8jquza;p_Y?<}( zVL>9^ElW zy7lw35>sd$;h-rwk}-N%UtRYsi2(i&a7Oj!bx1^5j}e6YJAZ|Qhu74Q$@vx%MD8NA z&kdE%b>UE-bl zh#T;MwfX;55YBkT1IF3}vajlQYcX)ldpEbDf(Jj@LWok>v~&N(j-j|>qjH@9{tw-yCm-TwyavY+}z*g=j+z8vASWyd@<#g*!VE40f5Aqlwy3*di`n3^fT7i zN-O{{YN(v1B{|%0YNx0=t|* zYzrG}2$@^Qu2_=y8#fzktGQcO9SU?aS$J*8X2zpj>P|UUEjCXzRo?rh6e|X*Ovn_B zPLq4;HdG@vRd1MHn4g*mSi57nzH> z;q71&V1y^I32vJZVXgS42_yU>{ov#Q{^}em>_2E;SU7c|5rkIcd63wLn^Pyc&G1P& z=Et!`Pj5d^I3HGdJ7?=U<8oB^32!)AdCg=^)wkxPvo1v;Yb)_1T|9IT;-&T9}!WKHwf_YP;~x(SZjjU9Wi5e{zP|f*Q2%o41qxO z#D=2m2#-jJy|B7H*IznxKC84o@lL~w&bI!!)*C?aAHE&HIp%$Uq{Jh|!`u0*>OY@P z2*|&b53|V~Ddyw9?*5iFW;>IZMRH`KTMPS$n)1#z2M;)R;YhI`0j{b{%)%fHL|9C`O=j2~J{ebbOSW7T;Q31OF=AFr|JUT}_|qapKFfjwEWKE?d~^u# zqx3Al<(#ni^Zz4f>3yi9`SI+U7X3M8oG`?VMfFE34>7_Jd9arX_2E@qAmDNu$QVn} z%D=in(ymDbre!=b4NzLB-5VY<&NnU1vo6qnm0lyAQU+_o@7HcPYTH>*<#a&sFCOy_ zpIkD-B{U5WX>K@zM6^%0p`$X|B#k7LHf1vsL1_m~C#U845PfpBMvA}(`}G45J8DjS z@h|rmPhQFuZwCkO_yaHxPQXr+M`#HdE!-BePuMOc2WN>=Q9~#iaezL7P}OGu_&3JW zh#lu!<NEISu?$<7^pRwRR=1^Ia!e zEbDXE&SA#Ute13F%Yt=1dw~-f#MPMf(fpKTYBWJC!h*HigYS1=(O8Vk#2!d{0y^oj 
zoDjpy`PS}%7wN7uBpW)>8anr9F+}VIB{#1~`M9{vvIED5x(ytr40aC-Vm9BOXU7kN zHIC^gl!4s}Lu*7HG^N)ZZOEf2wXzoKurRBphSR@;!LrW)Z4p6bwIbQy5ILdn|Bz=y ze{u}75_=${&UWCQZ8Old7|XWdbVeP&c*Qi+IZ~oDNRq{9&6N5V zr6IpjyF^FgG&znS4-ZB(E^?7&Hj|5msHev0D>PlA9ZpwDP#H28)#(_36q%PCktz6a zP?=k_bv)d7TkQ@>LD|LH^$Gd>1)w7o%HQQgY&HP_is+wED2jRF?HmGx_3!L_fPY;4 z%4WS)mSj8`{GYVJEme#F#NXXaBs>Ot9xUJsQNl5yY#~-#eJJvoK`L@wc@AIO<9+t+JMo5q9I z2mk8_ysf7O(-=l)#gJCk>+0zb=;Lq_uqA@lgf7)jewr+fGNRBLQ0BT|L}m9!Z${bt z>g?vt5dKW{Ivb6txuSz5=9W5OppJ8RFliQ z<*|N^`{nrB>g2x7bN&n`_X2O?(Fo7M-R!vm0ESc17AbWF(Pnb+5gy^AXtl)nq0^?^ zNtCJe{6Ep}S06AAv}{@}WS#zkUt*GBfb-{nDPR=B3IKa0+_phQWbz*p4&yixD6#`B zR-1i!6D}(}&{QvD-s6k#3_Bu?*C){8lY52(4v*lFawEC-xN^TXZ`0Gu@zIMkU!J7q zp!;mT-zO|~6MlsIuD|Yw>b%O-zAsLu{H|g|zh>b*>-;R9vvx**-q62jp%21ePmh`5 zVk)(*SeWv14CdbOrt7jM>yFUu5!=ed4)rDO{IE6DF#)#N1up}MRISbu)Neb?{in$_ zfyihthH)BzE@{>AyBh5(*)9vre2-YTb4Du)n$sdIGyk|rpUoLZ-&o?nE@gEpm|X-e zb94*3U?<3acB1)o)0P7Z!i)Pz3nZ*#GK|fk=s8MarxaXyC^pk@xx(y1AO)@hqR7V( z>1Az`^5P-V;@@S@{Ico}oO*V@g7f3l(SHIgYwTS6wvu+@d@w9(FY4cxucON7l&5}4 zJ#a!zd%prFJw7|;r7&460XnO^e)2(Mb*m+5y9&XRvA^9>;r$?>e2iFPXhdHj;5=wf z1E4144!u1wULYw3>9ezF##;K}EFiI0CCr_NxZU_;OHf z$mbKS)9dIxdCDYPJ|)4+&T~KoC48lVRaVXrR1KYYfkEGZp@8>?8}^fYAZKBDgO?%$M{b)Ck;x-VYy=4LOzk0!;3 z-IYBM7q3#ENsIxg|CWK=^>c$^_M^Oz8kbgXB*gdZW|QJq#tL(TB`{2QAkWT~r<3T{ zrq{V4DRwn-gT3nMYvmi9ut{%5YN2f*SRZz#O} z|CZUVf!)<9t%wdB$7G`yaf;?(8#WiS5(5MM;ZXl%LZgda2V1zSOHVQ#bjVZxHQWS1 zcT6h?%t1hQ_g5)oizD!vqyV0L=fsLFB7)}mds3j8SQ79*bV8Xlk2cut9K1g`E;}p$ zCc9g6XB$aFNlg!WJ1o}wa4eG#m4TS#q_JrB(C^9P9UrooSSjE-K0u8q7$ElS!1A$n zq*BkqhaFkV46B@h=^u@wuwM-OXqRepK9Ou78!d5MtadwuXt@=46ak!f3VM;#U%APFpd%c zIou6v3!FN%<<<6<0%X=o|6Dx9iu(v5?yW{GA+Jq&U-Kjzv_k+tFS&?B#S z2*W&)9&r}=*@p+cImKV{k2t7`1hixzL;D{BpvNzV(B)QmqJY&3nZ2~Pas?(4|M8Ln zurSwm6!;*+8KYE((cHQe{*bOI{PMIYc0?!I91S!J3{9Tdt-6&5eVF`CM<9E^zos_+ z2e6I@3-ug-?YIc2ANwz5j9Fb8{Yp_6P@RQ=cPv4t5tKrY41*oJhZmGc1jyz=PXUN~ zrDxSte)zm@wzpejsH5}xp18l^)Js09a$3yakjR#7-~XtnYL@jbHF~Y}`dEht6OW<{ 
zAmroPB)&BL{DA>L>W)mbvsmHw!pZ;v3;M->!yFf`^#{8H0taaii~FM@)y9Pe?;z|G z{l$$DCr`({tJ{iyM*x8lkLHQnu7AB9HMUpWitXHDAX~RL^#{)3k_su#Sh4bX%DHwp zqiN3{1XQ`qh@CY#e=vzwg297*_D$Zp!`LUz?(Efs4@@VTYh)k)$ImwGM!cmcPt$x; zbhb9Y|3b%FRf===7|h~{b?;1u-W!-QZ^Vr;dK_F5m^6dp&4TRw_-B7Z8NwA2*(Pee zi>ngi67EkBAnqJQt<-F^XaU3Juhp|44Dh4nEJ-2OQ+&roC^w2jz;WGr5CS2l&2WB~ z!HyuMr!4*23Z-_fR6B@wr>vr}UIr&ICgc-1Dz7)`d5Nw%X9Lw~5L*iJkuN_nD@li_ zZ-G2Ht6KRFGX~@zsD<&TitZ*u#~|sod!fU6w%nj$183{DxLlrkixq8L`lNA&g>~9 z5Jmh&RuD7dk_thgeFZ;i*3~dRFJ;X;l{-NN%J`B=ru$8$yNtx)eWC)_Eu~yz}4l`hZ8X zAd>i`k>N^@()Ri#2yAw2Qdml+HD|J!XtfAptoYyC8#o_rvw#CD!_u9^X8^?Q)I|d& z4a2lN;NWQ`#o`&ur4AreS^+r1nV~tlx`N#!D;NrAfSd16E3y7_Jj~S)lIxVM%Q9@0 zux=t*m}s&9B?!{q|Kfp)?4T&UOf~7!Uaal?-L)qL{|0nJcKUtZvyp{z zxCH9s)T?i26PwWP<^INm^Ri#$@dEHTQMH7|xXs5rEC8>5>T6aSef1U2ezZQ&-JNfM z_v1}YM%4y9S}JB`r6bkS-Sw(9-@9I007)ge$(y}A!-rg!Miy3(L+A13Jb|0#O~ZGU z#3-vz&^h1OcV&V3jO6EgQ@BB+!U0Kb)0F3aQPg5kMkKm~l6Qm2vy}&3?+H*57n;f9 zyzl3odgIAN;MEWfUfnOltVB9v&rbk}e=h)z?csZJG**Yu7Wf|q4Pf}Hw%h@mbbwiM zSs&J?LzpY5`+8w^xg~3B6z5BnD54f4LuopagxT1&xjFHJ5Y>Pc_K44u=j1)zV>qZZ zW9i>9aKg)E=bSt>go>8+hlsGHoDK>M&TO+18j+Ljo2zN#^AzKVm#6X^U>x>R8L5NTz;dmz4?#vsz zVLIs?p||)CT=!sHXqNt{+~q_aB7%EuA)6o})1kS6nDMedVnSgNk;qq49L=QI9@P+x z$)ZQGc8LhG1Wn-ma)y8byLP;ZgGgj#$OB821@A-3F&AG9jq;%w6 zCYis4`>F(#4a;hDHYT-h1bF^WaEj|rJNri7!_1xL@Kj@^h!I<(oe;`FLSfgsetsZN z@!cGIOCnoDx8-K?<$mgWn_<0i-CX5!U6bjPTp&osyH-XQ^KWmEkQnX8t7xEh5<;BH zaYIG4ETkGjb|%8^dGLGg1=%xRK2w=@V5u|tu&>A6a4kEm;y?Hv-W0GB zVdEwwac$Qypz!jSQ-}5_JKd#C#$vaVm=xsuw>NduEjo8q#*)>aC1S2B7g45yoh3w> zLG96$dxDo?P#=nt@Z`Hf>Qf6`@Ntn&jfo(|eFaRPJE_%c^q56;fd>+8CYKRUvTZH| zwsF~ROkqj*Zj%l;$#ZmE`l>`6(?CsGLE|Yw35pjR*+|KoxB81|{JwftdFRDA%rDMZcywN7+rR6X7l+vtrbU($l zVWRA=snDCdRhqi_#uHmR@}XxTS0~hFX`Id&YMGok85|IBXKqpgdO{oyT0Hy7H9%av zc&q&grR%w@gJaM44a{)SDcOgqZ-G9F0yLF?Hix}|we7pNj7Z#Uy4r1111~r@Nqa^< zlPXNlRUVg~3~+hvav)`r@W4t&NV#6sPhK4XSoxhcKVqikOJ+Int*I#VQ|DP5T(=Lh z$a2Q-nDr9n^w#)~CcKutfw1PXY`u=%m`WpK6V;AKJ519&<+7Ot81 zPeEyULUE+IBW^qOs;V$fFJIZQs< 
zLO^F-4S(0SuQn5K~0=2~HJOuQ_=?;_-dmc{&JxOGa z%@n7}^Vcj$m**TND2Dv45j&zzI)UpRbmrV^()ukdRAilc&KlWnaDSM45n_hqJEOZ$%InKZQ;Z2epg6)oS3_GU z^IKP=9T-7<4(<8OT{E?`Qor?nJH_ez2vKbt-Z#mviywCc?Qc?WRy5`*5z_&UTf1fA zJ@LKK?#V_yL%3(<)koP;W>`?-msP+EhhW6fgL?f*C4$;6<_qGV|3T2t18hr^-^F&A zHs|Nzbd6B`fk>sDLLSK~6$+hefBWmn1bIV#f>)e?2w-3#r^8jORyXXqnl3-O=T0## z(Hgd8QSHP>A~2tR zX3>xLw=}p)m%`bjNwDe~@~(8gR3&FAxdr(-G*y#U5fTgpLW{}5A+Lq#@+ zs&B2aa#>+fA(zAS1a!HfhjVqkMm?fLr85 zkmcA=ZA?o?v}8S+2yJrj5g{>kJ}(jU6MhS&RJh)@f7d;F?Bbz!bcz^=~%l} zQwV3e8KG0zYImvCOJ|@2&F_FVfa&J%D399^AQfxq7G6x=yRFsI&i4&@q?o=sau_jG zx4w;A2`rR#F1~SI1?PWe zQl8QN@ZTWmxv#_>X!(QV3nOq8M8^$Lk3d)FFkkk;+F9J#)}}i< zaHb(f&+5;L@EOgxz;qocM>)OjCSu*uCBUP(tc<(VN5cztII^;%zjCvt2kP~MCV`FL zU@>abcesu@47@H3YSRxGSzwX{2>>E1_wu*d@rThU+wdbKthzCgD8oi1m)yIj!(~wb zVY|_<2MX5g6SUSr3^S+1W@pq#jsyr0G#8d=^YCFJIyz#M^a$Uek(nsVgJYU7YL0UK zxqUx_HfGbh8*Ko`ZrKr$LU}Bumt9$SO&Ze*&rNsbk z;ht;%^GHEGwoKsqrIc zX@cO_v&#)EYXJwak-i7n#2K`DnguOk`6-t<;c8>WQzjcw+_Ro=KUGGoT$~jU_uG5{`+%;p5cDs|5 zOQosaBnxL9@)Lqw&5fl}0ERg(_r|p%sX4Xgs z5lBx6MB&p&ES0Dk#y_H6J7z&8ZeTe|H|7Oh647gmNyS`4&>{oOl81Ts`vxN*dC~9| zk|yFrJ&d>flT-xb!-sg$gNWFx(f%^*k627CW(rutRv3dJ$3leSqd~{NTh?~I{J96Q ziadV);&=dh;}H3MaayE}7Bu95S@TAilLVJOXwMl^)I+*AI0$D4{n&(RJV-&xlQ#$Vc1w%uD`~!aQ zEafX+>%35ArhqnHPsU~7%doMu(;)Fs13=F^apj~)zH+)BvDWRTp|nWd+y8rmcaj)3 zGRKjHt59Jw3}xy2ZPbHl6GJH<*D4y49JQ0hE~3<}0%{f6Bvj`=f+uaxW_;Q{S-L`; zt-{X|WwM)@#~3eG%U7!{>yW`M{l*JO{&t$6{#pLGnrDWv-v0Uhs2#Y3M&QhqlNLE$ zasOhnK#18Oli%h*m-K--2e66|apo=~=*Da%VUD|4OsVXM{Dkjam7&bhr1wY^R^ibs)*O`NkN~Jg}#wf^Ioo)C*Q;oOh z&O|v~8f;nUZ`3(qG-8tagC%*hiVlS z$n^9Ke-k+BWPH?^dSfeaba)%GlH@P%72GuVRfwzYsDAPSt2t%Mp8r@G`l-LQt4j&= zw?>X5&B5OX4gBtV@AA^v-%}^Pk^jUjoJ>@r`OKhE6BIc$N|3rs7S0Wwv`Yu*&j z724G{qJfr&8I6T!#I0lC7_K-!V539q6bNUM(@o$o@Zqh{*tAyt zrUskQnxuTmsv&uCX-hkH8C5dG5XLx!tI$zWr-3{I+1RpKL1eL!Rz*>H9eZlN=@>6>C5!0NQ$c*1^f!2W!N#?9 zy$${kcMSLSb8%l_G#&`w3oeIpiGkv?5AAsK!R=7I8xUAfg8iaPZOCxH_=>}z05etx zUS^J|_$Z@Y+BCQDkb_y**VMGFlIlkS1m(}i$g%y4@#n$Y@m`-^FZ=n|$Lr3 
z`x>Wj)7SU=6s_0GUf7yk&rYpwRU{cm?XB+$(PHAk{5(zTdd>JKdQB@u%0+$OK1rBdCRMedVqrl)S+un2D* zF!{`Y0A}&jmDVX#%wxm;)&L7vN=G&Z+ z>*Wjr%t7&Wjye0%CG+uLat{%L5VnEy0VhbvDqhf2e*jnREjHnI)bswj&IX#-UIZ5B z8DQzXrUkZfYpnLpGa-9cG~tX8YYtd$lus71+u+KEIYz}}3FQgQWLH z6zy<58AiTgw7dJu1tiGF&u`@nd$Wd~=V07WNfo32adyy<&J_!(LX}3KsN<51ncH`; zA4?pO0A*B-`_+mcL(W5oF|t)|dr&)petZXJoM5TbXL?kAXWJipNIW&lia#hLk1$LL zjP+Dw&uDAOs(~>7><1rwTGPhZ*1B~NPd*1f_`9&Oj?(4{3r&!pW zak7Q}!L=RBDJ-rkDQ*V2bM)*5`B1dq{U7%T$VLKs~^9N6!R7WHn7{gul56}QJyPY`a# zB4;I9^qY;1>Hjg@DNwQt9UUeskhaoXu7k>ADFK!rvRek)u`{U#N3&VGJXJFul|SSn z7ES}L(M>H(;teF3YuQ-8ROE~bZ>u#zRs3VMUWLp=xTM;+B92jQEjlZ=*evgsx zPut{J6Z&a{8@jwmX>Gh5SU+f{+>M5(IX#_>=-lH`lm=*$1G4P2*>Cm+?!Bhy+JMhZ z{_}Ot9A!P8-S>O*{T0#2L;%S#_1gHK0H)73HEFFRM_UK&h)T3F+9JDgSK$w*Vg`az z1R^LH+q!~&!-CCOe)3+H1iOysB=Bwg`Xd>ZAR_;yx*V-F#dL};=Vo*~oDa$tj|dbKyj$T^}?ue&;r#Ab^>afck_ zt8ySu?X^fHaw#65(@zouv)^5h)pVH^sw2cW2|eY42lpi=FP%&>*|j@}gJFa*zQdH~ z8vnI8gM&sQB5{Z4CLgc+Yxic+vQ{W*$N*U-H^$fHkT*)6nk^VoVPNJO+ z9}+nU76-bHX63AZ2s}h9kGv*x4c-Metq!hXI^$;tTJNuo$zaN zU$sHr8W`sWqTPtyQdpkq7UMM)h#>^rPwf=p5XZ3OIl8UHcl8f_JXdsqrr#%LQ2IPx zF&V8)t^WQY1DXV(&L?7L`VuZn#q6kY@aSLX68^SO?KL0>ao|@oS#WJClu|2vg25Zi zKk;dV16P;X4Lrb6pntN7<8i&}Ij#birg-^7a%1HQ?ECF^rv z*{TY(>!Wli8t%cjMe~Kc{C;@|cI%GiQ?pN{ zPxF>P4Vv}?rwg~CiYHs5+MYrg`1PzL zT*T{XxX%sSwx%Cj+biqund9l>iLJDaEV>P?pM~vpYrE@Dc*`BJuqL@-cDSE1pNrPU zoR1`Kc6-0nzyIJmw=H+^!+$^`8ut)9(BbN2O+0zrP9+Q&i7lVPMSz^ZtDAw43gOKK zi{e>Goh3Q%T)G`IY}#7^)O;oU3XP4#Gm!SPU>!)e{Yj4I7`EgWo(2ESq7!-3@ax_p zd{Flj+`WxNx!wYP8-aee|C%3c%+Bg%bBPHQ01HYieb{Pq@xwen?;9&CSbW)K)hrMuy4>s8VTq zLf5}VHXa~LrLp+mk<6T2nCq&o)P&g2e-)__SJgfQSZT^h-NL49i;w{xRRy zzml|Xi^}-U?>6y2a!BMXw98I$`6RyWV;t*UR!scVl`O3&V)x^G_dPkDn56#LU0w6u z{e-#a767l1@)Ct7*;6J7MHm%Dh8S;Wzu>3;ARb?{2>56eHqE=EIi+T0VMBupQa72i zZ{HH@w>s4CT;RdJ*U(haM7C*4T@qF97b<>83jLeUNdXfi!H2qtnCAf0>`qPLJUuue zj8`d74qR;L2N|R87Y=Hl4^N53U9?6+Pw|u_r!=vIL`@cjggv(y622>z2G5Xefhl(c zh(M|iVvM9S@*5AJQqqhF#EE0-5-#nmNM6X1_j8@SIfa+uB;r@0OyZE{oxw#seD{2h 
za09;%cb=WDGDgd4o2H6+Er&}^%>;gph{qMiZQin#JIcEUfwzOxks$SGty96#?295= zkQ73_&fobdhjiOp$g>qz{q-p_d!NSx-t}9_PtT=*mE|G{?;E;<1gx2MhUY#&i+D&? zBceq=w9b#|syNSzJ#xf}ez}K3(zbQU{1aoOPhh$B2RKmt)^q!j8}5#RyaPgFi~?s7 z3E=qnnKtF}`rg>K=yPBH!P|d(bvWSYbS=Ye*TL-ggP8bsQGp-DLxB6}eeiIS5=!1W z?|-_-_}WzQC)r^}4Xe{!ip<_TRfcSqpH*Rk99|=oroz-;{d9efABCrv)Zmm8#7B@j z+8g`Ic1X^x5(hSu1{muO_bqHxOXPmofvZT`lDr{Wm}^<`0G%+)A4;2`l4OlBEqw1j{$gDZMJIq;$6sgA4^F*utApO z&G-srXYqn09!7BGglO@T%jzqKh3U5U{z7O8x#2Tz5`{%nx0=~!Ax?u*w}%?kYsrua zfRc5B%Q80Pv&Nb56nV2nKP&&3FSFcZPTP?J%A!=POljL<>%l`JkMlsx=@tHWGtKnDBtyztY z*zf4VTkwK-1gS6ZXvnVEY_B<_fko$&$7<&(8XbIRAq2V`)-)|xgwaq>LdoI+i`lzh zMa8Hkrl(^hcMCoR&Dcg$C@EF3&g&b@c?K=n0YQud#CkD%yCVaQ!d$0(nlZA5RI@s3tw6Vfkn`k+XG*^3s81DzGAr0yYb!ED7XNb8^*YPW>t894s=474;n|z$3zb z>1VE1h`RB|z{f-^`{fpod}b|gZ%$+{8AfwErf4{KbzEz1jaCl{(MNkI39iubx*&xV zA=98ZaxH-t2~EvYYH}3rO?V^xF$l18lpc7%HDgOV$&gQ3Rw1aLNy9UsiI!{{{yurZ zQ!RplEeMB=Tm#;T=PEFArYqN^Y;!&F{#QKDjnImGjzE&kS}^FS26OVP6_RU^@)x)Z zSz@ln4-){WHQmWisisw+)%o`2RT~s|72JC^SZhfHrcYs(jM$;IN{ot?9(niF#mhVWXhV^Ltk>7Y}vgEs9xhS&~x)Le%hDmhsHl;=eL*1baC)x{iWcM3UL;OzHv zZ2p47%_1xe7sTOHKsV zRi>G`KtV37xl1gE4KZBg?_>qA2Qsf5EmMBmw3zp2ydJ%02d}JNpiGoa@kyt@Yc6@K z4USfEysCn&?bC8^qitliVNz~{emY7hnkH9w5r&&=`8CH_t;tk*4rykZi|meDr21ha zjXI3AptuXyO0>_r&){LVtp}<(4%w;8GX!J;h-{3x0;!-W{-~Q~^c+WKJ zq)|J&p|?OtbUC0_I{XY@4ja*x@EtX=|FFRehQ?MH@}=MWJP;23xVh=}dhh?h-xb3z zfm-^5_u*4+V1kI6U<)CdRXEJ`tZv`xdCCxRTs!#hh#8k4F8D$gff-|<5Qk#r&Dy(# zy}D|HWU|(~?_a*WE*||X2fHh|T`t5^Z;s-8@Ax(}r9Awsd3OHz#h+ku2AE&*wpWb- zrp}#*B~T%!fUWip8Vynpj1x?@-uoDb%Y>g0IGFP*OqdptuCT!(bnVa z^uN6G!^rbEd>R|-9@!RSC$>7Z>&r9A2|Q^g9&h_UOub`pq+!>t9ox2T+qP}n*2K0k zu`#iYiEZ0XCU$z~d7pQG-~QEAU0v0G?yg?fwT|OFV-MUn&Mf%1PMecbHSvG1N)$JQ zX80YxJrJIyf_cgD%;pydn13Gk*|X*Gi$+9|`VZ81+b|-8pm95&c zp-BGph_Drb=!s}kUqm+~X3_1{?xAj|*1{iX;_(Upv|dJi)_qex!G7ELiM(J;-umOu zDdD{EMqPW-zVJsS-V@OYf%P(Cf;n}(2E6<JtJM6t4f*)NXHk{{mY9FmOdYxD@=H-bufIW$S zX}?6B^)9IBzrx;LiCmrhiM~*%z@ji;xVvq=q~gP|6H_6jsxCazR8O 
zffPF>g+C{Z6fq^mJ|~=Qk8S&hh9v;9$7-~pEj{WKv1Y=D9Niw0NV_9%qNzA<~0{7bn!G1DecmqM`KguT5%bR7}v- zhMm(8#f&Mof)fiC)@B;r;}wA-0pSl)wqoSY0fBDRPc-K7a3)OF8OqiTei0sVEO4%) zT6}LVi{{`v$jk<@9^kiG#R}3C4OdT@l|ppfkBJ;5dIAd21FO;-Bv>M~i(vA{I_wQW z>12xHeYpa}490p=r)VD~CxBQj2he&P=ya6A2pE!4`D+MoT$%G>Y}fNLTq4>O1E`Qw z8_a8iEgf7cO-4Iqxe8~bu-~!+=KaTl8dl=wmQo~zHJ%1er5)Bd)r%k!?}3=PWBwiV zQ=5D{llEA|TK0O`BK31F)+I(`@to|pjXrr_i_@Mmt}p6@*Xi=ij0X*ID3xB~Zc#|9 zv8%Ls`y69a=+EV6$psyzxta`RN1(w-)F1WyH1w;V&r;uanR}i1G^a^^QWewgok9}dS*0ums-Z#chAS#tA81a?e^BtxbYnF#>0CVV)i z-;_}oRz}@kc%yifS-2g{iUs9baiw=~@Frj2MXVM+KOKGzpOvHlazN^1DXbaiUV`h;j zVNeO{EMOwS(ow!;O1th9^kx;5HUJ_|ZZYogXm}xs;foc5BIU4*@Kyj^RF>l_pQ3R` zxZRH*SR`@nFG&RI_idLp?ApB6V!ys1zXr06YGo?IhttuzU^LlqXn;~?E`z@y{1MXh zbr>`F(DZOKV7NWdjsVDbf2O|6V1ukW0c7iTZFYPH=rXqDzXC-05++uik?P}qrZUE# zh(%B#v^=j{imgjj$o$EH6kKLf42_&B?bf^~U|@$pNQz~uZ zgB~^!^F^V69{#@%$`aB_l_G^xPou=f7G@I%N-Z5sEyNwr`U;)G{|49Bq4n%Tt3!VC z#U>ZDtXC*WKy8NoUDXJ!&BblyAk4CvcWP-7S)PGc)eTcNcH1Z#Yj(95%pED59xad; zkD=!|)C@h&)$C*IwZniT^+21*R#Xr$EB+mpv}=AE8+t#|xp#>Cq)2@nwJ#IxHVIy% zPAhli@h7ZdbEn($Q{AM_Ia~uXZYOi)WDj?RL{tOMsTL0kK2k9p2sm`@M27=R z|CvEUaX7B<(y?Cp*?m%CT{B<9#rTAS1Oo)<7j`#sT;RF{8doN&;~9holPJJYSRD_{ z+4|tY2|`0&11Ig^%+=zm5UkIuCihHsHTO-tl@+#_XzF6Cy#O{sQ=g*Q#$9V!H=LXv z)~iE~YFRh&5~JOM9s}lYKv}ff@XXZqCFTeU`=pvMZJc+HU;7E8;M(c-$U+__k6RGd zhBdg$`)X+ci-#ST&Z!kBPOzsz*^(| zQ?bzOX~nwK^rV=ze;RjJsje5Ezdm+m2UG9Azra~BUN@i*n~x1H$_~0S))^#97;^J! 
zW2`}aFqA#?m~o|(aLbd!6C_;2Y>e4h*b5YCV2oEj3>FZUR>YiCD8AkM{)t7Q6>vOb zsSZSj&W}5HvJ|5sVR2Q(fPAo54F@CFn}D`fgBy#_K7*SZf#Cq3M9N<%XrwjR=9lwz zzZ&jMT)rBdWtA?@+_Gsy%DV!OQ`(FZa)SCai!i9VkB|xPG5M)63?1uL;%y;x(VJFZ z%Ve_^ejfdCPSQ^+3*jke3sp{d*Uuvs_|;%-G6T?+iFt)5#g5r?9O`{`-EOhKZD~kD z`Y+m$$mcOtaudiN6*U#~^pWGbU!;I~#oRB$tX-+LL2|Mn?`K0s57rOBiiYpU_%}e9 zU_3G52r8dybOB|Pwv?%zVPab6u$LdVsj&1*E5CJjv&0sO4UO`U%zCi5n(&;hnjRFbo?bXm}}6IGkz(J;A(q}UePgK#`Rw^Tf8@HDO(0btC#qx_osDcA7a;0Dy?mcJ?@-up41<42C z8Mo7^ZIx{W#ao{QuaRZkksF4q=hAWs4K*GT1MJpI2Oy}q2ef+w(0>oJQ z$p}8o1n72Y|4h@{*EQu|0OGvzPesL#7gdG|z)pD%V3*=h^*w74@bH$;;o0Vy|M;J= z?Kr?^0-)CY?U-^${WWz5u)Vc-2yp22YIr*Wyb#T@vPRykj+B$L3h)m%^{9(IHePAQ zi2wU$r5vZZQT(bJW*#SG9M$kp%WJgZH(%~-tJX;YvQ#0m=0(i{lh$r#=jDqX^I2qi zxAx%Jyp%U5TDUKHo!y5le3!!2MknjI?veY9=D+9jbyom69TC`usR!7H!nWlX#Azji%!80D&%QqaLEJZqy40VRT7xGyN>y(cd1Sda$#nm6Cg(ZGBYZay!v_#I9I&z*Vhqz ze5lLrd#1lqsTldm+_6X8S2BG*6M~ zMo~%aAdftBv9Z-=fzN5NBjB<55+oDjz4zcs?>e1CRD7}lEoD4(>M#juYz=CdaH|y`d=Q-f| zB)llU$f@+ick^G7RgXDc9D4#QZQhRXhn2+31lHg~rVG3PqVTCLEaCpTh`WS-i*wSA zMk@M-@V(Xld1fMsRxwQ?s-vc&;TMv!SQ^RcOt?5G>9QW`m6f;8&@H(C$-9{=O<@R)^+W zlmR?{38P%G2=> zn3+zwvU4wIgd!UeRk()_V5=h+z+>h#!0QGR^N;r3lrSq)o- zSX9iMS~Q1$#K5Sc=R})|?6ftFKdWv#0=C#IS`@<%#Yjvh>*nD|E-(?(;15)P(Z~cm zPd1W+Gc$)fmDc_|Nk^?}XiFB@WCuxS-O}3m^1onsIcS;v@=@SEJ62G;z(tgEVQ>L_ z1vWbi$enV-!d)D;*TFY}LAMgC~`mTLbyuTqla(yxx-mNzW4#mWYYs z!RA&p>!#Ai@hGaNmHxU&4Aokqw1RsYHXHUgM&B+gAUUy;sYmo|z@9kIlKmw zLpmpI0E&xjxMs&wLNM_xxc;vAozalpN^An9#uow)C5HN&P7Y-I&u=+m@_RI*9OSe; zHHMN>6Cme^WQ2ODDc}BI=w^}ZZxIc&gS)jV?cB&)a+RcMjhKPhze~@Bgwk0kfofTc z;q0oYutO9qQloMLQ-ztJDr-F6d~>zU*(#FhZymzP-L&0)1Mh=>diACvSbkMzKJKR$xbnDLo9Z)iGy|K@5u} zlXXkjK(5fjDlg=F$+V#VG4&#rNc~7^cIGz?G@D(Vwk`>@&Zu@6w~_r&LO?M`hlKT& zo`0g9|HqCQ*R%eyV;U2~wSMfFL1@);3A3(n>)$(k{Uz)t5}l-bU_^+Tj=tMsgvM+T zkQHOgsDf``r+L39Cr6^w?UB2^hEIew>SjEh?_hyEl;d^Rb?AT^u)dl9$Prc2nxx;( zNz<353{np|%LK06n8dGQ<-$-M9wyd{49lq8h@o$)mNvJF2P6nz21}K)FoKYvOLQK; zza%^>NUDuU5lA5P9CVwax7M_3ED%mZ`+KNW=(0q6NmWOcL(wmSt0+vlRyc} 
z+e_O=^WC9a!8_|AhQ)0~VoJEQ!%FFWsQRkfPQCtQD84p80{s38>L&sJtSY$+=Ib4| zx{LymU$-~fEK8a_o{La(!~gCgrc7=XO_viU06ugzzL={JXQtlAgn9uOw4L+?z6YU9$W%2p)f(C@G@UzE~ErcLpARJ`TRLwvAaa(T;zhKuMS|I70 zH7isI%Wip-a#fW#!(?x@T+##KCr`iG9F6O+(-F!D?qb-)b+x^REgE~6wIF)1{%h7- zdra?PVgv+2m}HY}h4GAe8dq-Fbd{09uJb{sU-E-=d~O-GC7z9m{%$0?ETSw3$byDX ze%;XSbl@kFbfr!{0_`J$G{Xf&RlxK|_W}#yY$rzftOwf(xdkaYq@24eQuTT2d}XDJ z^ewCC#%~{%p>6)uaoO$=81-oUgb^0}M>Dlp?uM@6`gOIF=)G+dG%w>;Thn_c5bA&Pm%y5AUvredYA2A8Xb zyb-U1)-OzV?8!pIx_s)6ycKWvVap0e{*slF^$8MrZp}#>LGYvI2ZmO1ctj=6_KhB( zCSAo@N4)iODEdi>UV9q{Ms>cy8kLAImeB&21+LnX9IcdQ_{7eA894a-KoZK#7!h1hdI4MWTti=i)xd~W56x$wkfxh?gO|P63PyW* zAIQ^?rtkCI6v>Oau${KtfGEw~9d;g<^N53TazM7Km77PK zp?`{Dk4zd>_~H}!vu8XWDd>s&9F#8|_sw&Veu41Izk*V5%j^DcMYrCBvY~_(tI zN790XR9FjL2BgIblLdxO*pRTsXbn=4(hs^+9FYdrV|CavG>+)HuJihbad^TSNRM1E^dEZc^vRJ4x5hjsI{S-4Ly#SEq%q z)jzCe%LVZxjIOO_nBC7f5;RzIrN7U$>6kHlDG>~kV=yzJqFPqpnyJfDYlwh)Yx2W#wot+0`zpAM0FR)b2 zbea^|LFRtp)J<%5an!K6Ij}x{5VG$xTosh!Dtj}fq{D1KY2rxGoMwWfkAMai(HK~p z05&c|^7oN>+(yTtg~EaJE;LQ#XvyTzFjG%8>c>de_6mf-D6^LC4{uiWN4MGJ?9wPuq*1 zj%5B3-eNtiwj5j#zVeh@j{FLHrz3-9au4gPQG;X}bp-Nod4=Xl?p=>9rGl3*Z}ixH}wib-PyJt#^m@r$7*?D-Wi74t1M*fXDWCJ$#cX1`s1v zhgim{8sBKq!s|DaW3rfef_V#v_d8%4?uXh-SS=Td$Qy(RM4=Wr7H`|Xo-07kTOIie zO{W9Lz0zoAjWj~?5QQFkfVKVp+4w$hCDE?k>;2hw5@_{A` znR|MJVh7CV1XxbP@vT3aEY|+)!$a9dw5v&KevL$Z*mh?gjcBv)C{=6k(5Kwrw=L|E zV4H$%g0TbU#inCUk|*UNduVLRwoYj4m-mx_g?fPADNY01KSfxqehgXKxF2x`BYRAq zHie5poB-RM5HcuDA?TvYc2I;bd6^VCV+fQk2*Wpo9JZW2 zr}SMsvw zSiJ&E?#y+_J}+lErG(pi7>^lPS?$?eHW_GA^*_=qa&E*prz1mj`Rh6xFtP}=D6@2j z9*W}%l>!or#XzRWG-Y81eLtX5^p-hIfuB1KY)r9WBis=erettT8XzT9g)jNkuqU0X zc96^0=_)mLj>F-Ga3z|FHn{F@C-0Ke!tB6RsycL1Jx0?P-#UV{0wd)R@uWR<-}`Tg za_5@G=+nJ|Dns#_SiJ}b`UNO8t!8wKu0?SiV zr`}k(^q-rN3mBpj0_@I$N-aK`{+x&1l^DJ6gqoW2PeQ~8J{z9|r$~EQ?`r9umMl{h zitn>=XfGN5``nyBSaM)$neAnj6dm(;9Gm)MXkisj2=IfG0Batk0rX~|P*6?%r}X$L zs&w2XbW+v|W*S;}4B;h~++Yl;m7kPJ}&&2zvr!Mcn>x)EQN${E}aS z5}_eDxYd_zc$LQwd_JVN??mb5koxiVng419i_TDSBFKa$svcd2rF6Hio_$77B`v4X 
zbKiXg@HKF1G-N+rPyZ0JhdfFDIZz`+JBphSm*jl=N< zCCuKp%{{R2Ia)ph+*}D<1AZ>7h|hZtoWLM>MVI}gwOcnAf5YBd z2N-5H;6!O*#y>Cec6x0J@_t+&Gy@jB1DrhWMEkl{1$(fr0A2YLKGqi~(V$?ZYF3F{ z)q1Q-Mxl$Tt!XXjpcnUQ)({w;BX8e71$`mk;x9)>Mt!UNn}PzJXSvTW?~;}u+abbL zx6CMwt=LawWF|^_a7}|(y&wTDKA)|-yj^R%w51j!l4O!2W(DlZm_>^5d@q+$3%s35 z`h+=d3Gwgcm>-fq|C!2lg82~Kj!AIz_w_HGmfN?TA@B955s7eD-2TMu5rrlOr<>kT zkSRO!!v(v%*ZIS#DFI(wg7}fthQe(yg7Kg2XdEtU{1^Vaf<0X42oRKlIUbP5bfpX2 z1s1L*8SPx$*L~{%_aFswiv2eWpHWH2=RU(6H}vo~cHGLv44Q}M`*nTey}Z1m;3+|T zy{liI4Q;#pXD>4oQ8r?plj`65UQFdDh^fbaa`EzKDm_F*4VYNX+^Lz>)D!BGrfg0_ zzOCKaBcBp$JX!jhw+g)Bw0ZPzB=+gAOzMa0?DNS%Ur8{Wr z=4@>)zl+T`zwbV~zR#5b)q+5chzgxO{#k*Vt;vqyqzMszu50{ROy%eMz(QogP00^C-(i z`nW!>OYlTof>JS+wve%yEl=Y2@#-EQr9*s2dmaYA=huh#u3pvJ;0EYSB#xL_%Kf0r zI-t zqbCqWGr;)y!s#U7hkuI?VYAvQwDmp%^-yQ&;Lnd6!-lb!Lg~M218bsf*PPEq*24A6 z)=b${t!QeCHkobET7yVOk2@R&HYcoYmSiaY)S9&p8C^&1QX{m@g_R8G zAU=cdUgTZb);jz9D214o^l$K3m}9T5t*_S};Xq*QUK3vHU*+q$y*w*?ga`*H&D_h9 zm}6WKLcexaQ!n@VGi-8J z^kFKOL3v!$KX}_DV%imwG|)oeyKy9k``?H-9su> z9n#9Rt>*Ar5p;HHsDy~cYsj1U=!Nlm;bN#D#M+xejgg*IipQZ?KSF#;=9Bs|71D}I zkr7PdQQ>eadwmpn4hk0et850##OG018R6Vt=~(fa0V$L8G6^uODeqfIrD%2KO}JD` z7E1k>u7{n3uckMe$l%Cc@xAAS=l4DXyj((qoM+*E9zrt;5u5o2#v7~U27Y|_<^qqp z03VHC?=#@vH6mp@LA^}1R_JR3Z_A#0^! zfU6&k!jrtyjtxfI+1K3d*P8J3^|nV>egF5oHsJB}Mi`Ra)8HH>WFQD=7tdaz3?h5&Dkt@Qu()0<12(WsR`MZ5d$SIQi+l1*bu{Et-kF(1u}`N zUo%Hal=g^-ZwMaRqg;4y%%P9z`2k&)#g*0VA@zI-YRNT0&T*Q}^5^q|<>S?%WQk*? 
z^5Qc*BvievQVsf5M*lHl7bWF~Wu~w$90p1fLp0wLmv&cF} z2OWyqIsP)8Q`jaxR|>?y^|T2Xb;HjCweF7*o!apfEI8}2$E#Nlxb&;SYHplMWMbG2sciMfBvZw#N z>O>apyB1RtUCtT(q;g408-OzT`Oyng@zQB#WQxpm%=Z;&(J_?xlr<|B6lE#_0;Os- zi;ijX{w(FYSGV|%)7eXn4mH~F;?oL)F+XQIn9fP*H%4O%P36vhnFpW6`j~x!E~SnM zD=Y9Og!d&7Whn^^rr_RoRqRQa*ZEEvUecH~#IgD@G7VyKPb62@^pcp%7$bVaB1bPXhHWajEpG**!Ny=!1^346E= zWG_;Xdg6iOpfeWDTE_WTqN(Tf7S{$lc4N{1R8!0^(}s`Sw8Y}$DoJ+mTl3OJ=fX1e zn&gCH-d|t*W>^(0(|m(6daDpg0m%Vhj&sTYeTfl zbFZf$a#bUHTMNt68M!;8Zorx5w4-OJjG*IA;Es*ZyEJ_W)R!RTst=C4Qq%nd9WdiC zzIRGxn`nsCv?!?5tlQ;5xnQkpK9%CU?XlF7oRFjQBrdCOY#;B?Y~2$!qD^H;(LK84 z!-e0+`1R?JU#~0sGic7Zd?D+9>BMopzhZaz zt0;f+55U1g-;vi5&#a~&6|GCGu>3nNk=;o`J4RzdkyP#4R%QhtHZd zm90!4Tzm0I+|pR=9z4Cky^K>VL!W#Zs(XI^7y~G&wiAW71L;F1_N~k9%D`xcZv9~- z)KI9kUR}K5N^FXy(+5t6SvnN!fye{hj!4st0z8LJr8+c&jsXghQ{8UgN?`9d>2BcF!1caiQWj7?TY*KWgRg!Y#RM7Y58Tve z3YnjVZW!nGJs-y4F7t z72_&i2uMS;a17aDA}x>h0zSIDt5yIG#dwjDO0xTVbh@vdb2WlxqGniISk1ei@ zEFXz|Lf=6{E+M-bRZe1%0i#&Wpqg$!@ZrcTCG;+{+&mHl()9p-o2b;p>$xp1G7MLA zb(iRy9mc{>jH<^xClT*|n`Fi)o6d2-?6O z09lXJa!myn74khZ2YAXpyT#E`ndZY6VqYaJrV1pxmMd#GP%Fz1)=U>d)lN5Wg@22) z68c=OVpt`nH`&S*SA)dBx%k6yeQqQU(ND5|eE;3Sjji^+7?w z@J{pw?pn{IqNBr}GgHU->S=i!y}cG(iB3cZRI~imT>jG{XX-$Nqe93UXFLkrS+H8P zCa8qUJ}-!7y+Dr2Vm0Nq-2$@DMa?fsGm{_aNMVu})nqb&M7vP58p$F%{E69YXiw8s zbHZc80jm(yC=32n!rfkRlK8&?9;FAmn8GOfU4bqCcsQqr;Sl=_LI%S#!|YnXfK)-e z?sBG9jdLKf&Mgs`;f#kT=8pCBp?H*3kfg`O(V9|00$QTTjEyOdcQk+ઇ!JI22 zYj2>uhYZofR_AsN1_`;pEd?MFLT{Foyx9Vv^`#OHQ*cB6pcjTrXk}p?W}8r02xy11 zCmckB+2p;Wji>@;szM%P8=}j&TgYHk>m0d9a{%fLC8ltOkMd5CQK}u<;>?)7LfE<*$T@cYHRV3B)JQLy-=T z=?EFB5_E$nbE;5@I2+IyNV>myoE(WOs_Fw#JT)(zgc%l_L*UrblNN{PyawA)Nw;NnFsmhje~I*x zJpF0+*l3pIlSqaWMJMc=w%&5B7^!4k5K`xfTN;vr=z}56l@YBo_5Y)wC48QX@q5S9EZ zttw)UXW=yuJVrkcBJ~EHeDu?6rx`2lh~gGkDn z^4Yz1!h4RN)C))KXRVBU@47>qYkqu1fDH95QC?>W#kV^Q+`mt``~$7+ldA14nWu*C zGHl!~5FwgeMGS|5WKHZ4nw2k$E}+4y1I!TU$#<{^X-NA$qBW;*+==E`t=m-mg9F&| z9BrbZqC&g6=3F)n7vRRY>h0Za`g1f5^=ZDDjaekKeI*TRt%~TB%wp2MP3VFxF7#>Y 
z14CTmP4atYTn^AS%kUbWr5x#Rxl`D`tPem6*$CFXvAsA@Q;A`cywXk%wzE`jFA zJ;47EO&Ch6rx@84CAwfO$#%x{qwv$}X>7)2Sgc?|OEy_=Lnmr+DZc19_L-y^Tq7&j z@+4xG#>ZMcV5N+V%fsgSH@^uZU;yb$rjmsbI(uq>2e}H6 zl2@b&bpIk+YlHvHgVFvfVdq zwo#Ic{9oc!Y*YpTABK_B? zI3)2^tdYt_nd*$ygahnsx*J1*2mg0HOg>jm{;4zr;V@~*OwS3RhVG@l6+3B({f{9Z z9V6^Y4Rb)gldF4q{}0TiFkh4%`(0xrM#=b;dPrN^6Vau5XR=(Vx>{!VVa(^;oKp@o zLQme-4ny9B3gVm7Kf02`BO)hpQXmzLnjM*T z<|+CECdxv8Ba`Y0mh^yHe8f_S)3SJb+euhg^vHHxhbTckKZ`3gx@Ex34mM?lZ$3P@ z&2rnGManwT>IZ~=u}_w>Qac10CW!F-nylD`7p22^<-K^X=y1?;t(@vaif4FiAdA_Y_vDOR;Xd7!mLul`;@y>qzFstYOP@W;B@Rzs`_nna|oBZ{|*LE zb~{{$+(>IERmNb}5_0HLfNTT{NBv`e{f*TLOd>sSAG*;st9{x#bS4Apo@dMBqs+6Vl6tIM|`qrrc*z>AHBZ|WOp zj0Tlo8>lx2Y_!p#YlNte%jj7(#dWm}5j=Ia*b)JsP-%0gvrJw}?CyzD!}Bs<)s_c( zg_l}emvRaPBO2RY5eD^e?xWyV8^dv)BlbPz(4c=mn*cyMA+QuGB!UQ`f7#Mk$3oR zie~fylK|Zm3J3YFg8}ZuBxWbVhv?R^P`~^%ddV{0o%jVZMLFVo#S0RwIKo0ZV*@1J z(+socXp6z~+=E>tpoT707&x}au_80LfvYEUpkL{fr%;*Te*>R*7;aZ;9H-w)3`ok= zvep^|gyP=kzb>0~0|Vj=>um!DfvC`@k^V%~u;uAqQ6K@}?$TZ(6o(A~im3qX2!=SU zjor(bm5{`V`n~_peUKr&oxWc)br2Z71T^n%^Iqwyo+@lq7yvdm84VpQR{%4Uxi#fa zKfh~Ma%VQ2fDe9*UmP{9%MS3+qbnyfgn!<*P83FeVnByn`x!hVbD7tb(sUZ*YnNPp zohL!~egcgBPLfth5g#yo3HKAL3;VwOA#`~Z@WlUrBLYIWQ`2=rYT^&Vv~BVH*)U4B zkqwe;wiC((D>Eq{jM)PC?lHqN9Izr9XCuoP;@BXovbJGZPaLV;wo{eErJ-LR2AZ(53KV~T0qUalBLs#iKN=<}=jR&F-ArZfm_+h{B7oPPi~eI+D97Eq zKGuO4MZ-`gPdY^UO#bx}#UqL8W4<4YfG0p{WFD^lY%>3#$7=d9VYN+B%+}^&pnx4Q@O_s~vfZdC_KzhLf8XMRNZs6cVN z(Cb8&@cL77j7_Kxfvq(fOf?=6LVJ|^6}26WnBij^Io;HSwj&Buim93u$W11@Mku{nad!0iY&3YJ_@zw^;WtYHPM0aW$Y zdB`K2ZLOYp?BqJCs|mMqVQN2WG8<{!?(7RaPz4OmnUPq0vmnAImhmBp8SyoExVXze z&(A7sMpqRL<3u|{YgJ%fat-l#AUN;Ld4QVMCLAyNn@GhC71G6Av7dtN9*-HCkL9Nc zXCna)#J#wrL&gqPg^nS}735ffxlV{LUu#?F!y7~QALC$S{of(iat6yY2|8-d#0a}^ zyDL(=&Cv0sJPI1|SJUvk%jvj?B~@Y+W*(By@Ni9@Jmpr*f1AyI$eZaCz&RID2mNz| zPuptZm=3MA31n8e3zAvOC8sUHc7c2ghMQsoEL9li`Ea|ILw(|1Vp%BB zBZI*+(ac9?YND|ay(cg-$+CJPl++oYeiRxC#Qj((U<@74UuAS?ajEWy-F?!$G)dXqE#a)7c#%4Cd(Rq-Z3{Oz*o|?uBJFx(42?;Rlc6_+ 
zO1ujFzFF^n*rcd~k|8~W=7OPQ!hb6-|5P$oKsjfYijbP%EhP)pqp87Oe^~i=FwNl~ zPIOL}bo@QWP=eJU%>@VHT z_`h}V+XbM0eNevZ+&_hWju;f{(Z0zIXqwjb|duN9pqhMMGvYKI41NNwbdZoPt` zJr${wXcGQk{*2+j{2AEj|L|u-SpVVAkmw|}NzRvnK5c@rH)Pnki<1gk3ZmpJ#$$LX zFc*jL71^Efl3kfUq4c)~+b9zS7Xjod+_Y21_T>@<;gJ(yHK33jf? zf=?b7N9TlG(g5BGJc{S_c;oqu4Gs+5ySx2=^PL^Y{+sViQdmpI?4O=JRL*mezySw9 zP^Y!1&KuAd+eKkvkYk7MqNs~$HV%r$g3Mi*6TehGCs8PIi_2@0}E%F?K=z|;Z3ANGuF?;|(oNxFFrkNq?J z#b0K9sQ0YJ9~& zy{je8|3YXJAk2hOlav!T`WChzdQ<#b2Ne`)Jf;JAJZL7BYvWQ-RhUoXd+8G2Mm?UX zDRgZs(@o0fR=ar;+Of|S_|R`iH#YYhk!?K;MkO)CS%id*!Y(k@A;Qi)&Jm&)$O1_j z%xCs>v^WA>H|~gZZfK7CH&6mWV7JI;nwWMmbGmkhVP0HrDXv*sfb=)uBOL4F38LUE zA=RCwKOXSl$vfRh15@+|ZuhUH&8h1l87`knoZ|Efx^RZ5__|0R@zHbRIyqGjbg5#& z2QJexNK!#cxHLKYskQL`15YI)6a2GN+bbejTOB7uL#+)SjZq1rGtb*N&0B0)l=9P1 zrxBlzK8q7Q5F~!1JE}rkq6vD*Or79**fRLk1WJnjL-xiLdY1%HC&q8~(70GE=_kww zQIQ0bx1yd$hjJ|%B_5!uRUW{8-lwMfwe!q0>f}F0Cti?}2ir)sU_Sr7Bf_WLu{u2< zMv>BLYwV&4MP`TKR=Zw?syufT!GufFX5=~(^oR6!cMPq*)Tnox9tpJwDTc)Tv?eS8 zIQ;DO0tt&I!na-!?P`x!znqaa&z20e1MG9B-ipj#zS78#NaF)uLHjqAtZ>reRJPy( zBtPt!R1xk$_amqgu5Gb?$2a|3o8;IUiwfqU(XF>qd_=vid(LY_O)8$IsFM5ew|Je8 zm22cO@jWznT=GJC_uBf-M698lv{W<~p;1z*HV0?2vdaVHa>O2qMN?v$uP;0Cu>UE`-q39cfuPGDVTF` z4h?OejBaPpTTd3Ze}S70AM|IT?G=XKN@e2A*IFKM2}3SS z&nRz82$`JbR5KhPUqD@Tgu$M$*1 z`ws!;dRZ4%QdrQP)&2}-*NzgB26DCQ>pRGg>AR3T+3(F`dRyuy_vYA;QZ@hLI9gs?`fE-BDl7fYsB`)i6Q;g6cRz6KPfCs_jIp0hG%VnQ6^=7w)z8xvdvU-U-L2a*fdiZ*V}4YwkJq zLOa|AYtqS2e>On}b~^ju5@``Do%E3nn-jvAto2&5k8L`2l$#jSUM~I>t-26YfY(T1D!h(pz$607- z?USlE*jH>I z{p!V;`?U``iQ&{xLqY{kScfJ?15kHDJ54}obI== zSD;XZ$e}2{nTonCNGAPCa1^|n1mo`lof#hr7c>=%3){n4(V& z816>+l26>8oX?*pfUs5h>`>Jrl+}1$Ad2NLpf3cbBglk9* za6D?ADBmA?Tr(9^HesjeiEX8cbxmn1CLS&M6ms-9+gq=HO;Ut&ecIRDhC%sN;rQgk z$~Lk;g?M`O&``YVctPCZSrzZ22&33Ih*puL7K$+5YziK=2BbxjCuEr)IqoDZlWfUw z$IP4~K+#77UT>pjrcjJtR;vyq3>5-<@&XMY!41vSa$H@CS%TKSkaQ`Si!i+9q#oga z*VRa0I>#pz8zUefQC?!oDRjMCXA*o?fzblsPdDQ&4oBVGV6qSTK8KIuUkB;tKAMHDw#Wiggd<7ID^Q$kR0!2yzVJm1o6( z+3-jCfD_BUb}zTUDwmsBVtaT%>tr2#u7T2f;q~p7#67(_dfSh?-R$#RT+{b~i0&j? 
zw>=1_>0okxFP3G3OE2~xD1-sn*OTr8UVgMNozMIhFyK3rf~>~A5(~>-%gh4&UHLg@ znP*h*TZw&^iyS^3CsNpA!ztsn`7!}e)R=#ya69d`@nQE>=MY%GIfs5BBD$>Rzg`L7 zCf}qmj-Ificw2V{RP)+&~w~3~O6Wi0 zrIiW?!dLE~`pcc+r#Mr}bFFV;)9xe{5y>>NP~Z2{`p)i?w80qRV+VZ$zWU2;9`sv5|NK^jc#EZ)x`~Rd4WY zuco8iklZgjQ1C}}WagXI7Td#bIwQavJxzqTx)bFIC6DVz4Jn$78LOcD6Bo_9o8p6R zS=%l!6yPIeNX+M!O$9lmx#KQx^aAx$81Eqq zKjAlqV=fU9&Vk^r2Z|=ZD54ieDMwSX1*C*O;>QE9be|nIhVc0!1PjPrCg)SJ{56w$ z_dz3k5s@d#Uo1K*_O=uo7zm-=l0;0&T6$vFCGP7laZ|X+$us5IDNCrJ`E-&0LD1WkdAoP)@r_s z5GL!I7rylWO&XUr>F%k$wk`NK=b+osZ0miO*mV+(+uRp(Pz>Y$fk$$j>N$rXRbxG@ zUtZpf+>a|)3IonHkb!UM!)~opGh&M%_(G(;trJ_GsSm+ znVlW0Kt@QDON?I)hi~%WGr=+^Ds0hWIowhIHoot|pCH&bj8R@*P1z%IQDkq5vF8$& zO&%^oK)7ObExRH?Y%_F5nNPY!wPKyJUjn=J&_ADE+s~en^T&Z|1p=M^=yp-A0A1|+ z8IvkWy%A}jAXG+i+CUmC(Ey%*b>#8E?;k;JX{Bl;m_9e!H->8i4XR7oGE^aE_mMjgT3WO)U;nf%uIzB0gB98aazO6O zC7uc|o+b_WfZ!CWT`(T5qG-{_S-cr#CJkqG{^`=h+|R6@!YLIJybAed^lx!2)5Gjw zLQmDqRMb%m;3u#>Gw6%-uOmu+VO;OZi8!kL#JaKU2ky7J37nwWP>5d^CL0DC1?UCA zoMwOc{g-~$nd3EERz?R4WO47HAL~XtJ=Q)w^{r3UhW{=z51>R;aNYJ|Z;uWYl>3?H z{pft?-5Q^f-&Kas0#Dz>_6pU z(urN24{I~eMr9PJ{+Oe%Eqtt#Itt&*7~*Oog+J0M&o41xc;O}F02X$p@Yd{m|A3r+h@Gb zlTMv9ZH6_CYc+VJ87s{=mhRmm-AF?$K9F2BmQrt$$i*llIJhI3(#`&)qw(&_JJ*bXN%v6YT?*yF*f{bD`ECC~4nabB;t2$CA z%kFE{pyD=>CYK6it*bf|vt)Ai%{$NDmiu;wJ|8-`ko7LE_DIdQ6sn~gPt^Uzzt1vx4>$e zc_A)AkK3zTul&c}qo48qsT;)gg4>Zn+GhY@=^hK!>1m)WIG6e51K0+zcp+QDWbkn4 zQrNwM;d5X61}=-g`2N`btS>t9+Qosn9r4iBR7Z6OzP!9_d;>QGrGTIEUw{Hj@ds-) zZ(LWHvWMVNX+Oq8@Z_WGB)EFX?ghAnsSiInz>HuohPj>0&vi)eO9S^(B6r?~8GAoO zb$u{8`|tU?9PXBj==@jWuMFM0Khm#r8i=`ck^?UZ4UgwLTVo-`>DIIl%6}4xo)f`r zcyg!dprIx=h!*{YgBktp@Gl2fanT877B#F!@-ONuQfT=bcq7OAV{PTK;R$So5V-?n z$Bc(h>sG84_{xkR0g(&CQuIE(4O^z|XnG#o182?=ZAboE4a<8zmvSN!=+pjSvM0eJ$+XRKFNcic^y+|-L^yaT93p5p9(FX|bQ&^q zPlnzOJW;@`A98>Acz^DD*mgO}&Bwwj=0q_RO;FIV0}4u3>@qnR52dB2#l_Fw7Cf$) z%s(exfp#7xfIb^YqX3c~HsgA-gPND` z_^3wye9_y7F2M3C(eN4gQt=GjkaErYY`{22Rk27}u|$EEC*o)!XTbw<12}&Kx?Wy> z=FJowP10GAdFm~N_3g^OX&w%9I0?#@lA%Dt5@n`0t@HFpBduK!XZgHh3q;Wg6z&lQ 
zkPsuKn#1l**RtLCcrZvxql;KO%FJP4(=nW_bLh=WJxBEUKR5V7mmD_ih5lx%$Gy8C zFzm#5NW{`WyS$hUSt5!Q?bu0|jvn|2o6n@^JbUZVja=xvXReHV&zdM@(BlD(ITb?j zELuLdGY7;draVNIcKWlD-Di(1|3(;6i)EU$gCVk`ydE?7z5Be4TA(q^{j(Cs?;Se%Xcst)sV%~hI0 zG)zdUr&=tpPF^6&c@&MVuW~bXt<97BLFJ)(JB#}kCoAzZL*{&He7Tkl3Cql{XsP$> z0RPxK9xqt{@akTw%{dg{kmK;`hVzgmr2S|!QH)`xPOzM4QcyKkGrCYuQ4zm+WH;~#FN_cgXfgq2P(61- ze)XT#Y+(ACX*({4Ukoa*xEP#^faxP;dm+_0_Ep=GJ7pS%eH^N@9+;LgeV2&%T^67g z!zyd;cK<;kwTfiVWwwt1QYh$A!1y&nR_9`drTmEJj|_{m7s4*gvWVa;B$kNcbfC;E zE6^YAXT0}T9d;AzF-e9XUs4gUv327olahJQ=#5NaWM_zN_r;#1sE00*;&Y zS1f@tW~6ZptRv64vscYOS@{^xF1bqLCLQCdpvpYP&<-3o-@Gx}UM4Zkme*k9fAt)U zb+4K>`-1;-$R&IL?v>(Uy5vl4kT-=kT#KQ1Fg%&|R8}Hz!n+;BF0}3S!z8089}^EEcYfY|B!nMTwcRdH3vZaJRd5(Xg{KlpA zAJQ{j$!x>U{94Sc;EymJBUHQmxL;L_{@9#*4$Ip%Trsv~%x&0?i0>@*uC(SbOpIaHM19)5zX7>+o5Z=u=w60T{D8=!#%U+%#Yn#y+kWf zs?3Q9U*A8T3``Axk-uUgMszmOK4Zcolhx!dP$j)GFE>VJ0(%tn$pHmPW7l*l$;d#= zDWp3`O*_u)lA#HSbpdiI-I)@j3hNXK<^=r;d#Qrho{t8?%c;GqwnnZ`ZO z=|^+;dzKQD2UY#8E2+*M!75G`4E|_r2d{0~ya1Lki=qRrA63b~rZ#L4aL5_T;m~j;_@ zs-!7sgX}Z!eoUOCfl4OyBw*q9igHQ`ghBvivaEYR+r#wNBU6?Kz0r!myy|U!6^3Vo zf}o>7183pXL*JzZ2XE)e#9_?+(@2V?L)b^7ht?At>`{=D)y@<|pX<{I_&t#mo&44R zHi#;fajQ+(-*s|Sl-k$53+Vdt^jTu57vEyYqFVOJl`!zN4?p^*zaX}8{X#S89}m*a zH_XIrw`)<9-k<#P0!o`6#-G3%!gR4&ON# zzOmN9_?boic60<51U+}kvSGr`yHWi!UwU0S(=##eaI**V&RFAv z-hvKm*z}~ij$Q@uc)CqC9c-aHXL0y<{4DeSS`DG*E-Vny=k_{)ElY~Z2Cc?v6fc}) z=*0V;Q2@rtv)MB@e1|(`?V1%dXm`Kkz%GM^vO9Zu4|qaI9eHck>|-SrGGf3(2EjV_+6y0Y3bE&Aj|VeAUwF zV7`ExgR8>^56h6m;{~g0^^GIeFg0;Z(fN8Fbgg2z_jIg4R#?kSR&tJ^>FkO*V}0Z} zvwOvoGRHS^%;qrGu41xF|C?$c3i$SG0GxHMgQA|{G}_SN#Smz3Jb7%JqfQrG(h+;!i`klWR(!Oa`GJ6|(+r$P2Rry`d8xUD?hV2H-cv->3&0pEC< z<`REnS*fNHBm3sGQ^l-rrVAQIj0h>UZd8gypxhT8D|V$Q9zlg&OuZ6~IY0MWR!oYD zO|cvJReTr5L(T-7a%b;j6cF3qn^0~o!6wO6WORW~Vj$O6O?QN~Z0&me`1gRmO z!I}Irng@`qrn+)wt-*1K{kq4Npi*N&ISSpgu^FV}hDM2~hh8OBk+f=|==j!6JX{Is z>1L*j$zL1!vS2kkC?d()J&gVhHV3@Ekg|W^m6eo>t|nM7=8rq=-U4LXDx1$O?VG-0 zYl{_^!EHLavvuC|F%D%;C-C_`wc54z%&!{}#XYU)KBqMYkN-IJ+WL8ZcoBDNCVeqk 
zWMm%j0>qgw`0HZLnfF*%{~{o9sGohjddg-2=N%f+;A;^x6eFS3XhMbM^uEWr6(VNu z?Cap{>G6KDJNFSv896bOvvZLD8$@SEGA81$UI_+?On%fY+1+$4VlH;BE_S%-BA{S5 zs<#K+xw7l|9fp5ft(i|r^jmilRNNYkSc3ijqZ%xy(zUBx`*CG!$G8Y~1$U*?OoD*F z?;8>H^*__1aqhKy0h*^0AyOK>6=f?u*FSRJx_eonzimxC1S?aQ zW_?uE@?We7W>j_$WQAy&pN9Btf@FTlR3<-#?W5k9imdJ1r9E3S{_u2Y|D9bWtz%H8 zNnPb6J{qNj_uGmJZlNFc2jXpirv@Z9N&w zzy(&#h^GeUmSM?{AVd}VAdbwt)Zc|p8gt{Fg6Pa+k$*>CA~f+!%x!uOM7zd}Y8N8k zCo>RBLkwvpF%-Cep#wP4`#I<1`p=c4$Q_cab$~b7BgDs%Fl9IfJ^6Jt$L=KyVJX0P zpCLp&4uM%ov3#VvQ-!ki`Eur_QhdH{ag_{FE%y3?cqmS$87&6oKFo9i)go1b(i%#+ zB2%P{-zplcJ`KU)jF!o4tq}~x)m*>E=oCu&k3MRrEYJuTroaS7c6$PTh~TM<5AslO z{n9P?FJ1i+m^MUa{8ZxC&A)pI;o4;R8Pxpadjpm-p<6%~Raen1+tVxDqRy^uYw?cT zM&;o@l47oks@#@#b)~1YZ?mk^l=;J{lsJ6*(KD(Jzc!JX8O!!zSeQuZn~jc`*L@=E zcW(8x42im=F>YNC9iw6TForS>*?_j=@O6>l(ZodBW@!X2LD#g-M$Kf z_`*Na@h#Z5oQ+bDp<4QduWd#wJ9?(gQFD*kM9BQ-ZiMMwxuF4Yw+AxpS$N>AtSQO? zd?Sj7jpW;}kjPj)5x5!XGHeJ6L@A9yz(^8N>Y@PHgL}J~p8V!0MCmY0Huwe6I7Na5 zca z=e(}7ouSCWyS_2d(-k1XMT!Y60mi+9&JTlZ-5z zz8gd90c!P>BHUqap%|&yn9^Veu(s4;nK>jluE@3o#5%0n?=y(FRsFa8bz3iN zP2Lt^a!=OGBaszvG%budDC$R(x5o@G@|0=jAC(gm@vPu2nr04GWziF3lC!=zE+c zYEQgD4avV}UVAKS-Y4ZLD%Lm6up?J%zs*tu`IyE9n_d#@roy%VLRwkhmN$CfP!nwo zXY{78Ts*zP9y(0EMVEYI2rJZpru>G=Q#?D0;1B_)9dji?BNz4K`|r9)rIzf%WwZ$d zLHh~%Q|Nr)g?P+W5Bf3Z5F)6e3BSeTRLa3{P>rNrUl|dH%}MZxfk1>R`Chx6z0juM zy+Bt$?TMXFY3u>34Xcm-`+ZgRbZ&ktE2SDqQ)w-Mlhnk5KNCA#)yX(MFR53`*oF`G zb&)i$hoF>>>-=_8Hu0NIXyin)s>zVi7J{IL^OrbO65P?)EO7U`ip@8%z{If<+9UNr zdtJxO6r~>yQdyyROkT>iD!N?*%Ak)>xai;^%Rabn#J8>N4xyEgrmeM;rYqnXeCz?Z zHUv)UV;}}~4^>b1rK!zY#Tu2OrW7GEPY(a&A@NpDMX%^A%Fp=pP4g8!`w%69ur$mN zJ;c`s{+?Oyp$$b3Uo5aD{Y;E4z!)I@I@!g+hR5FMQg%UJ_azkH@2242upzV_7`86_ zWgD^A&weH$2FhIl+7*+36S^jvk2ku6t=)mL8NpigF%n@y*XheResc_*2-&(kiB$v! 
zF1y$+Ed`pfS)Bk!na=0Gn5%Jw#pH>c0oUSG-5)v4`> z&pHHWUZcE%xHE8J`nx8)~$_8N^lwo2ncd8 z-V}!=mXMQ8&ttb@W$J&FQW=WKin)-_T6Xq9%FrLWHAj*gMOmcLIRMDOqpXEjl@20| zPiOU{wR`R_QT=)53U~ZvB;YRMSQuV@sr-l>O=s>~n#qH~1G3n6aP}|kTXXjk`@(6d zPsz{AfXG$5ou17)`#YlhfsT`!{Oc3*m{R+5L20sb>z(cohQM>qQ8mzRm_0p8xvHRC z3bt;2uN>WY_tOT2u`eSrZNy!{N$Uqn3&X&B06~d{41#)i4VRi7oVh9|SP#xt~84MkF$KnUA+~J{) zehPV+&0GkLjSi)n-JQJap|b|)$kPW49REF$7X$<`4i_4Mt`4rdUIp4fDPT+H9T;BD zJ^T>T&OLHH#byf0@Vx?N40!po(X8&$z!XP$6buaUXLxb7<5mb8v9QY8Jq2zNc)fxz z(>;lAoA=h#J%Lz`Ew>EtJIgJ>+#Vqxb7!c$59@r_LRr{2h|p~PZnW7bm3JTSm^P^t zn4%u$Kp|eZMl4ApZS&oJy<4=h{*Xli5Z!qKaJITQk>$hgRl@ngh0h=QJJFq?6wzv? zqBB+=Q1TGxl`bb=2^_c!{v8sNE53aUq8Jr|2W{o!*jbPag_xyEqJp+^U%kRSKY)Vk zK%n<>`U>MnVK3O++|5lc1H9%X!2B_!-HYT2`fCY%&9ZHK&DJk5-+t@+c(kitew;{G z;Ge-x%q^VT9S;!Hb>v!hXsjMDUk#SPDr1Q-2A!SOK@+5eKc50 zu_6CreBF~SZ|tZxSzCR+Xa3t>vV-`hn25DvTG7C>P@&a)fQupg?8{g#OqH?cGb~?@ zk)z)kGn=fDVQc(UicPyYUb;RpQh+h1xZD=pTqgA)bb#j7R4hOjP2cTTZKFu(ZdsM_UhgkN_xSxG#O5G6*-Bwdafip98xR)C z=}V~HrXP5q6)rQC_hXCeVgSkBntwb;Ywi-_z!#8}j=HMqi>PN`vH{u0hAjN?3%Gq1 z3o7HwOy^!EqiN*J?fcqn9DM_{_`b~|^hZ9+JtK-g1#mX$?Udvvpc~@k$OGJ7Q=V%M zaGW_2Ii|A^>us2C@Hs;anfH6N`%IYVxvxcw!MAbFQIMgGaZ=*biSVS=NeHxc?qaOv z3!E{ey3D4K?U03ICG3=15}?eXd%vu;o%xziU)@J-;t{7>U#TQwHM4qGy1;F!`2z3p z*a!Qgj#f!*J#GyiW3TZ(iZ=WUoWcR3+Su#zDx)|L>WZB6(YTUralRM-z(bPxZx7 zgnpLK>rhAB5G|5C7o0`>fQ6dJ=Vfjz`~d(nTm#*b9gTt`dfTvz`~xd#<|f(oEm zJkJBEd&OYUtB8j(ovBC01!P#bFkC~hWe8~$hCLMFB?`{Qd39QcRr_$N|0&n+f<03_4nD25wePQO*iU9&Oz$WABK5F zxBb_`OIP!Xyqp)xlxkMP)VC(X7*dR)9-d5gWpZn{Mb z=Q(F9gw$~!j8H}QXG3%_9r*AfLM>;4UnI$v59E#ru`@#W5^~c)sKV)%zqr!K9JlSclHkAA4=pr1FBM4g*KP+<=7hgnntBA13>0^`0+~zcJfADd8aYv`$l-#Q-;rH_X8t{gu^7%9O=fIC(I3wq zuJeARR0iohmS7|A$SZBDmpGqv+n&W$aJOCe5C zF{AUgDxeq~e`jZ!e{3ij>eCcjbRuX^>`=nxdS~usU}vcCsl6IIRcJCgsWBalO<4IE zx`6{JIAXHRoIqw^^n?5f{at%#yAQtE5Vg&`8moG5!SeX-u9g;X(K7mKAM3xGhf1D2 z?@({CO2FXIHp$N0S3K=KvgABE`)2)zjnFbOyNE+GJZf1h$Q0)g9RFdQ0=l zzHa-mIlzfubH){CX-nRSEc++3{3hXqP~-*oiFE|_9URUHGNxFNvw0rt;#>U~H=g36 
z)QGR#8MZL~zsq11xGYcfYFgxClGM)0?_5`5Vr3SbnndiDo2&&fY_Y`Be0%{bo@MY} zKT4P$OJ#>SOob7PYp{=pPUpu=u2v_T6{+&v7Xnfk!U5sGllybU7Xp5#77a^?NWWoZ zJOae%LP~Pf<8a%^;KN;gU7vB1Opv7ozdFdHKI!h>CmeGLcAv(M;cS5;b^5W@kS`hu zAacLYKPU)w18qKA{dT9wZE|F%pS^y5fvN02DwjMiA-NjVWnB-CLx?i;h;&~Wup8PM zbZCCNS*1pZG89SAu8}b!1s5pGSadKa)IaUHs;4U_y(wh-|5-@6Kj~1#-2AJyp2WG{ zG+)UcKD-$P#W(8BdZRq-p?hO&|q{Re_= zw>W8|Z8rA=wook5#8=(hs&#Ta{6@MlK%DFpl&x=9YjxEwZDZ{CGcRHuj?BPuT$F%DoV1h+6Bf_g3Z0)Z4mC|nM42U|@~!c0o$8kgS@lOQ z{a?4966i(BeXwOjVOZZH&DhLp<1sa4=OWl_D&!lUOmna{VzAT> zK$Z&{bG%t+xD#o6|6c*?WQQzD3!3aZ2rY5_zqO(thLW{DxI!-E;5% zapc}_0~51_GC_1p8*&tKrsVy&=ptjo#`6DfWxYg`t$u1*5Db6J{6KY77YqbF z^^XAi*k1sPx^qZOngGr@htOLhqu=pqK>K+JX;ICea_@tsD%6l;>6YVoKRHji5np5d z=N1)3o7f*zzi*FGPYR?kL)KgU`Pz%s^ydXP@HeOgpNdfpLj9v_&Fdd%YI0Fy4BVJf z<9c_A*UgqPPxV8(@@WIbh7g^|>=ls{+9AzQNz~t(aL)rVXcn|7iSl^#A5L2`QgH<< zb%*>NoHCk_o5kafX%@BSU&!pax;%YsX_$8SrTf0PQh%0Hv>5#1<&ku+NJzZ+9Q=abo!Y6(wS*tzzMHTzI&TFm zZDwT^Xxedb( z^N}sQ)5O_*J4&$RSBX6xtXaSA7Js@iqBb5%z9u^ZL9UE~M-pDa6Ss~{8Vat@iNK8z ze9WNXCEfPm{k0qC9b!NjQygt)!(E=ll8dwAHxa{-T4S0jf-hq()4#1k(4oz+O^1x$ z$-NHO_Gy@1&Fry`jM7O5GK=T) zpv=CfntV(2|@VGHvAp?9XFPR zkTn>L!Adk^=((n5RUm4NS~T4JHi)7yIQYeV_&w{(oYBs4g}j;Hl~%qvT&GwHiQmO} zD7gTPb0J?_7?=GeR|Z=cwq}i3O)wCX<=0B8Bgieug|*XGqU(^5JoH$7{Y(1(F0Gaf z5wa_`jd15*+rUFjrE!)XLuhrBQF}D)b6E$~YM%Fz z#?s4oF#(T@J~SdOA7hH=scOftY*G9UHT^0zyYEd6Z5yeRpAKBx#fu&D&e_r>k^RMZ zh&vU#t1kW&)U$0!#z00dh5H=MX8HyX5us~C(+%`qlbrjxGdCCR0=e85XnsOP?2WZ; z-##L|O+f0(oHQ-T|4MM2zm*D!vbc^{_MsT5JW65BGNyPPHu#>Y*!9fM^IWLl?N0=V zRsj?vU+BVABug1E@I}VNbuNc+(sWC9s%UX{GLKA%H_GIJ=sfoL^{f&hrkKEw+(kN0pz^j^rEXq=VT{8`_B+ z{^{=$B5y5R>39CMv_fYu5OCAb-#LQ~Miw2491;dQnY{DO(s;0TysEC`F@BJvNL8iI zARDC;(E1pZ?1l9AzW!@&a-i;LR`qWC6ydVD$(3gQ*MsZ(8p5qQZ;)V(gE%&tb&L`) zgp198R-Myyy;1d)rCfoB zeddro9n3$J-@%}syspeW@Ybr;(`S!HDO~ExhkunJp7)Q>6bEnCo4I)^-P=&;{)2jd z07g=pJj+{qyrF8GjsL=5zxltgSGt@RTYeM@mr9R5b6@Pc)0C0|&T9#VammTO*gk4A zg4AF@6~&p_K{gC{LPOvF6lCm5!qq3l>52|rYnad?Vc7v*v3ueKf9?D7-*m)wl9{t+ zQYR&7hG&X)CXba>BxTkl>tLLYuQSxL{Mftp$IoR3w 
z3sC%R3k4k8ZMkr|xR`G4HbR68Acc9tMY9rK#EKXDWDGOeouw3~5e~Pz91%R+C!iT)S zWj)k$Z+`y?(yZ8T)Bd)x@OxB4l!B(TFPVcix%+G{B9WxK(*~A3BOhxkx4DM9-xoVA z2TsiLL)KfvgAcH$`^bsa6^L$ROg5L?QY%dsXG9P`0#3q2pE0PEm-bQoW2cXYV{6?E zH3RC1|BBU#0JF$gF2~UPj{C>D=Dj~7X1w$x57V8f$U0dlxN+K4ykv2>rnk9fldZ88 z7kRHVGo`^exVDPeN;K&-McWU;D)?P9a>gL}TO}7l^ABmatF{;dgdcK>c^NmC$Mook zv6y>%EqU3u2t&YSeaJoZm*O}}_h9k9*t(z;X76v$5qAu7Db$-o-$(cL5AI>*n&R5! zO9w?ELAP%C62kd}W&2T+4KDhMoi=1|-1l!t2T$O+Ze4#O;b72^VND0s3h?~$yy5xE z3gI&u^T4Cy7A++OFw=yZRvgKREit#J}_b=BxR&Lg|6<_`!d zJtgP?1g_B=?RT8>;ATE;#2K4+IdtF6HdkM-CSYejX@U~`i z!({N&V$S;qV41Z3>eDPUWzBp?I9K8MLK5FaJxBY+djYpCgfJoPr)a3o4jCWPRfB;tk~A z)g)+Gs7+0@p2|$~2*i^w+$X2Q_82S0T$%V|kD-mO$L7T%nx~ursIZk!%>f^rff<%_ zt+oNSN0UH-wTrhcZP79C`fvXfjMq1m@&{nU`Be0CE?nEi+th#W+ych#{&O+;W2>WQ zv2h&SzH!@CP1jDIHpl$tB=&ejgE5m!@m5Qi-X8GQjGg&@Ds?at)P)Mu8W`STUvGmowXmc-o_oKFN3$A zg+Kfik!UZrysi>Kv}Ujt%YIaFkzNQa%V;%%eG9pUFBitC>#kRj_HBA#MruRYZ_WZv zY{&ZbVWcmx|{8+UZAR)HMSaQd9#CCk%zAr*y?f9t^~V^6>~9k2iT z@J8>zk~bMam}9{4yL8pf)Q!bTKjWAsL`UJ1MX;zW!KcI2U|dHAAi0W^`6i4-1iP3d z{nJR{(0zM2@&*M7KNDA5oe7BhOsabLktW3J){QaSxxQNo`R_THO>sDJ5a+%?;W`$m z|1O+UMdHdD+6YCl$)o(}-S{z;KrdNA%jgelLBOw+(1qSWFRwG7r*{qgIl$tNiG!?I zppqUP2GCrK=K@Nf_*TMw_B@2<3_NN9@d<1FP-2Js zuF~V$0`8s=os+c=TPNKOnvhNAlcmtGEhf& zjzNFPMi$nyV0sO2zjcUX^+dvJan^DN+4;f#eEDGA1EaaVf^h%SJ74(=mfHcyUZwWF zR`U6BwE5PoVYQEPRzsXfS z4^ZY9Gzp$L-8msNOoClycNX9gTHoIR$95MZS71rY~c zi0*%PK@41C`GH#OltUpY1ZJsv&VjZ62Mpt;{U0!Vy6K!JUiBv=sKTfp7zE^WYQG31lJm^$rU8^-1gl!EEs$(wRVpLZbD%EY%zm* zX*koBCdxTuE)?0|z{zsMnTBGls7Lr!C4H%WP=;m(rp=(171e;T+=VQ~raJ97u(O5J zA~y9{l6_WF8F~J*Yc4g%UjhTb!0li03NyY>P&<;MFN3#YUyA!DBETW!n;f@H;Xee) zE2AI3Dsh!nFC#|`-h|3dzh(B_DoTYm-L!Dt5Zm3xW>y^I@d7vtkF5za;stM)c^d@# z$Ox{vxhWH-pFxKV997%v@Z$8XX@Xqxtt$LVNw;*f^5-T2GF3h2JyV#7`vX0j z5L(FVnXZ_F`c#*+&gK+vE(p1Qk30w;w%eIX26wKr$U@QtmkSfLF$(SC8~Z*w@*?=y zw_wh4seSaZIqcdPOr>G2qocPG)FR1*Z}y^M{1X0+BwYpMz?~f{I#k@pacs~rQ0RIp#V+X%gB0VP;d|(gnjs^}aNO`i4^}`JlD?VSm8w+xRu51s zz#g?LcD0J&6ZN$#Oxk5VAjAwcAIW-kY_PGO$)Qa7?fkPo75Vr+i16dAMt~nNNHnki 
zxlxmsF(m`LY;4jy^aVenP~oKP(8dxK<*7IFBIqkbIM>=uDqXNt@0S)60D~PvHvVKm zzIUA=`cP0g3J;>lKunv%*ht&#z@(&7#et*Oc5lj_5zCw-Olb0;)N#o|R!e{I#K?ed z9v_kt_O~f4g-@oq{5M^8l2MfE>)toZf?G>%cV}-*g&*IUlWz#QRVrV!j!w5_>UCb; z)dsC*ZDEeK2NZk8c(n9wRZJIsroWBG6h|}UBo^^I2(5Zlj96Ce|6M2z4$CU{sdJ1vC?hz$J)5xiHkD7Ra+XeKtbv3fWIxDqL{p=>PLb*a>yCf z=Vz=HxJWlH#)`B`V|aG{_9O17rg9Ki+4N+r1?-?UcX!vW$koqIqJiR?9#qr3$$UZqx+du|%V=wnEIm^ASXzd7If;C|e&h6!!2x zh9!J^#Vp?34mJ_Y33Sv*5|^}^{E?AIF}AX!r7%A{DJy4@%y4iBtbEAj!QGelKg&U= zSOoW6rqqAfJ-Igir!W=~1b;m@%#8{VrYT1`i_gDIhAeN01ocJ={cKZ$x{HOjwXjs; z@|%Ssj?xQ(cZZW~Tbr)ySC3?rXxlNcr2h#P_-tNgg&&35w+J#Uf;T50$%nx6RyW{9 zOnpC2&KL>`{x3yMJrmfThDp3t7w%Z-X^Y8x{usr$AA;uZ9ee68B6SjL0e%W|Rw4diIxC#S3Hy}%L1mHSD6AMKBAws%c1eaH)`LCu} zr$!1_kwUoM&U*N2ve{Or`LXCO6M)h*-1U>kfM2QaiN4>moo|41tOZupV+h3Qi|Uw$ z#OD@bUUT8LU+$-d+eN|socAX{<#&UL>6=7&;tqg#iyCDXO6A`2^!e;?KKM;-sF^h# zOosNfMMmao_V~{uX$tJy)kHG|&h8M21b3!fi*8%af84)l((wEm+&LSk&9;c>nG%TE zB1wOQcD1AoEcz9WJVeEX=^l8~Rp@@%>t?(Z6@47rkGx}bT{4Bo!Dl3)NZ;8bQJpx{ zDgRqLUJ5r?qm%(n;Y}amg6m=;v+Io$KMjl5`wsSe~gXa`$6j z`bi$jR>|~$_fp6&e82a;kM6A_0_mP?c}>Ji#1rWr5|%!`Um*T#n^H?%k+ZwFk4pW2 zUub6|=FfI0X*O;!KH_;PvP4*8xR|N9@dH?iRn9-b=lPaOHR#LHHmadhWK<~`DEStu zaI-gC>SOE!C4{i81^&h z%^i`=6yiM~lA^7UpR0M|NcZYOP@~1o5Q9cv&7w2uzc7ehQb`!kBi4I%?x<7&TNS19V8KkS%i^ADb7dLo>qeXN0s ztMW+ZLUlS6^vFr548oI)U+tyX@rkDQ4j7k3)DwQMQ}=DVDC)GNT((I*{x?ZH^p%rGMb&aYkX=9y|tE{WPnd0s|g~^c_!^o_B!mZ zG-WPW4LFIi#8F`OVDF`_Fp*@IdWw*fs9yf_j$jYJk`X`VcHh*_`B$Q6;;0uwM)oOl z;P1M}qqPVxvsl@6f@66w(lYfeuH}JvzHZ9P`gHuf7QKaqfq*~hEYmdYUC?!4EgXBC zxJ9?GB%Sd88zq0&gDWW)1hn7yygk_xw#iwZ6tKuVzJ_nxGq0_#me0%(VMNiK3Hy-q+|^rN+l3w?OZ>BX?g}^cV}8?+WYQ> zx^m4UljjLp!7c*?W~&k~ZrutAA!LpjDk7`J zzMXC)DLO|(LRv^}aQFI*%9LiubrDsje?YQIwqW+(at66pdc%3RYS+4hx@c2~7?mM# z&cL>IbWI<2O;_ME1S_7aUg`(={Z1h#!RwQ-4sHcde?te^wOS&T(6?}A;IbTw^ zmkWm4QKCuvLM&T;XP-!)udg7jo$QDsCrje~)JPJIpU1(AOoB0E#U&zy14ONg<0Sv} z;AQysXFwG}-cEblljnBXJG~G3koA#9W#G#{#utjXs-3zAKDx@|kF2Pp@S@?O{r5eH z3aCIJY;KQT{Q=@71y6lkt}1W2vs74tNtl?Q?k4-397pY(oXG7T9BMH?){AE8-UYIk 
zob~zm(jin!fMYnFoOzSW!tFqsBdW8rnXy>s%$Vm_w~8UqkG(G}oQ?yUVG*0a!zUZr zGtVC*^^hrTe2knWLxDkqa(Yt(0)j=Xn~$Ed3-jAF7Gj_Ct}JL64IHG$7XY%>%DC;h zYRgaos}y9At?on1C1q`;gk1cOTkdOXeT*@?CuZ=CH5@pkcFU=bR#)^ots_vVU3NcB zKjUHNgbic~9Mv0sfg}=839L9MVNK|rC{yVGSd* z!so}3!RbZ&?+yDb-jHJ)`FRWVlJel{Azov#Ljrzh{l?Zi_+wBfI>eK4bfk`lK$NQH* z4c(ByC*zZeH_I(Btvxb*8c8`1u-DxaSo!PP|A9PlKpq)?!#_?si?)cub8Q#n(y>gPZ%`j$?~x^R82 zLf=7e&eXm~Tkjh}QGm=83&L;FNw)a-$I|4&(G;T7e(?QtZf73q-fMmj`5YKAW9 z?vPHA0VD)TNu`Gr7?6;LK|*Q}1c!zpq(%WLY2G{j&N=Jeb?$%gylXvc@BMtg`}2L- zql;v$Df0@6=$`nra%kts5KwA>naRYMjf6;bg9opSw>HyW=6fY=*|*OzX(2_xY_t`# zmTknIh}zO$41QfBRnWPEz;Ica=k#O;$zegzhA8hnF&f=0IgdD6Q!|47j*n0-c@HET z)q1`Wm~TLoG94G*E2BG*!D&SLD@S4}L)4ri|4lp1CrgzZ8y6twrJK({vs!N3=}J5w z3J7j-0)T?$PCrU^hp#cbfQFbV zrJbt}Mt2=m8vK!N4~nus=U>3~Iw@cyC=(IQ5}z@%C};kI<3eRLX{t}%3qIml0BGy(wz?my zz}J*kX@zer-*2mbxw%QZ;W%})DZSz7h9@vI_M5TBbmo`|RB6UK`T752H!*y!srnrRovQaTGbZ>weL*9^t;jUF3l7suHaqiG1Wn@~pS z)SmaYu0?Z_X@L5VyiBb;>953?J45FuDxL4{4KB*|?V=^55;{kz6~D|*x*GO`jJUWh zgq2UMk4f;nmrCuY?sV^&Bl}BNJs6c+WoxFNi(4s>AWK zJ=&n7^N5sOgH-X&2GvZR>-LeWvA_x=FZx4@rK#De^Y*uD^X4K0BO|I$AKwqkm8#dc zA8vuotO8H6cYa%N%35|rz5mVlxM+F0QLfTBjqx$F&Yzi;aI2E9R|juTQnRj8Uv*oJ zV3uZrD?b5d;PZ%cW^hr`V(V(9>aFR5nc$hj*v)ykVB-t}dI!k7ZCHC)32}gN(ivsP2Nb3(@KxcRz`_PIWiPNcxC|pQiw+%(DG?|0mJe)UwaDzd11Hp zNw=`KfY;<=`UR@x%={YlDTYR#!V?V4q}_T^wGG#(t8(QIPvn!)0E>e1*!U6wa|&?i59)_Rw5ClnrmlpW=F07r+C1E_ zNpgJU<;LEZDgr)?iS>y=wdDy{ajxqoQJ2u}9oE(21UHS?dn_jThPJ%(|Zu%rZhzx}WRBuE5kGbp|uMQvBMzWXdr@_l%pJXM@@x%hhPg%Nd5 zrI|BHo@}KuFVaMO2wmmn(*{b~u??DH&DM^_Ki>0S1XZ_D9$JCnGgI|27M=-6P3di4 z$v@^iI||s_^Zay;@*pH117hP1!8fOo-)+ibEoSNuVou)#oJlF4s}gle&(gr%ji$m0 z1*gQqsgCT^gTnA}ZOl~7BkDI*25(akFyku#rICs}kS)Pr$#9yeK-WBI(}9h7i_Kf^esk2;vwX za&m}pQi?d?icEHXO*hjJOy4KE2r^+)zUyCRd0+&SG&7lMACfU%&+i70mcZ&8W+cZBoDug?8~lJ$VL1Tm zQRC1~XpqNL+wlA6lYe@gx2I7w!k9kN0Iq3TMNr+K;|EfH5~@px z8Cr_5`UGHc0pOjTNHp*%<{%z`4LjB%QM!=_uquD^>eg&DOrcWIwrUdKJzW&Dh^)Rs zbu$9}D>K#}e=Uu&3zXlCo3VQSQc1VO9h>xpXQ&77_B9&AxungxF@taTktd(f{yRc8 
z2alRY_F4z%Tug(uBsRXVfyLp$>n51}%{Gi!Mg@iJ0Z3bdH?L635pOVA94v(ZK>YG6KgNj0p~O-iHR;Hg}RLfGy|R44U(R zc;eAhNZ|KWX`@X>vEi`${4Ya6ChcCyW5IBIczSMwP1;zcWl0R@LB z`4(HChvL4cqVO}lsE8fUcBh{>b6TY_P>}zwXif{HP!yLA1>;``jIhjV{+W9#9g)M4 z5^`~Fa?XIvt>!f=DrBujlRsH#z32M;5&DZN-+3(GC>!p|*3xT!*DcNvF&dT4m##!A z?=nBe^nPSPQ=G(t8)$^U)@|a!YX;wA=R2D1PyAW^1vr_+yt-pC>Q2~Lra#ey7|Tay9l+&|Zh-xj;z7U~Y?=fd;F6N}3Oqhn5q_xX zzR<1iyxgy1{>b!05!P{`$cPb1xTWlV#cM7R(^yl_`$Sk$d7Ce&N!Gtd2#bl)@Nre< zqYmyIG!LL5^#d<-IWp@2{`EVxe+&54(ba@Cq}2+TrFa+xq%tK9@AR47?XPPpITXJW z|T8;xTzJZJg_$6cq?Ro@+gN&jD6W2_g2zp9XU z#^tp(t}>~y#Dxg0*h-GemfFb?1TIbxPLH15qY+}7Q~Z=KDN<3aiG>k*G$J>l4O8VK z)Iyd&5ZE;I7Tt*6!^Thr0}R^yZs%=d zAu}VBi+>@-i;_$&Wu=Bm-Q+Lqpj>`(L6WRiNKhs}#o%KJ9E6U><2?dAkNY7Au zX&pYO6sE;zTIkPh0XpPg#+}6%W#Vm(j)gBeC~{v5oH)1+PWC*3kC2X!k(z2n z4vNE)bL|3`-Jc1S&3WO?i@LT3njEq>`xaK43tiU1WLIa`7jfF31=X=2Q!goFdu>y% zLi(kg8Dy_Fx$dQQHZagt#Ofe%MQ!+EhRbrAQY&oqoz?FbMzaVb!b3dR0vAh$AYI=a z)i&a=m|u@ZSN}+A=q4LfU*)7Gep!11*}d>qm5-#_hAY9j58>pO7B@4um~}S03t+(C zY7FPxM?TUX+!`K1?tkVH|;91f~L+bS@@sCJ-T`a-5A%=Ohxu-tzh4^ZtfxMTR{! 
zpbjl|=In+``FJG_j9lc34V^^Ky)FDoUzx4wW_NNKQEm|Y9g&i1@ir%sLc7APJPaXG z`no5>;2zeA%lq=&MC?7ff#%@59l`|21n97Yva1|x^E&I~p^R0%PWIEuyKA^Bi6mZ5 zn$eT+0tQxbuUGFCNTYg?KX;8`aGRYU7V~uIGVL!)8EoSHxja0W-KWEkhQV7QmW(t7 znE&iZ;7T?m@AmqM|^%5dAAlSIDXPW{Amm)P~Tj_vC#T-KmK zPJZH)qI!+QWX&k1@eq1VM&}c1T=J4rOzl5EQ3CF!|SnE?N8;bX((nW?Gi&WLDsl%E`KA5t7ExXURH) zd5f)eT`}r?Vf0#{BggNix1So>bXB9(^;}5<4HKXrKzv_g7IL9A)LkPYEKKUi+VkS`L#TQi!)o1+sSOi{cEZc3+~$-o%Grw( z>;-jZtC1!!p$ZeENgT`ordQpVzR_A|h)4X@J$Y0WB6exicn>zLm$K|`XqM+3*MT=Q zEZ&F1s9!^1N?)3Q57Stx{$`RaRG}7o+Jr1bE*MI7L-2`=ehXEVtF%+;#2 z@{5ft8pVudN+@?98!r*)HMqlb=}Vy{eJ~9addXy4sKWmZW2gD4MM;Ezog=E_Xj6U* zy=%?-IYYm@k=a@`rF{psF#cgVpPzHPZTPw8aeDS_%jS_sQY06sg)gwi-h!&LIMKL+ zO|dIF>ve{n=x@l;wQ(v;y(j^ns;m9y?gV#*v_}nsKrg!tg6Fgr|DcwUu59w&4$tvI z$G2Cl4e7Z0jLQC!xUwWFinvB**h8I?Rzp4c%F}VIg-bbd-4CxEdT;0KA)Yjg6Ht2z zq$I4+?NrN9fn7j`FRRhMX5L$+ayXJ|Lb>5}E+Z1nnX@zEN>6xE%BCXo=Q5CtH;PVL zSMRV4HvROxeB?6AzE`~#cqCF4)sYRt-xw4C zwV&&%Noo4%QqhezERLyM9EqeN%SFx*>gF(+4@4rhZ2*H=1~sQgplgjvO`xkpM**n3 z<-pgHd&};$C-9|tB(o{Z)KF}f8*1oZ6+>mVwb2@8T>cChK_BCp;NC;UkF=i;l!YhQ z!?afT=1e{d)!8x+TB&r%bK(N$aNVDm;_)|^Fb{+0#D==B{$8kuS)%?mewn59z*Z(o z?s0eLbZr#<+KN%xb1K7{+-j-}tPYrg($DDb3rU?&)hCM+8Y*f5uY0|Olu^v9nemGHI?IJ3+jll4ND2-auXmZG zfdC($kceCQa8kScn1^%wUN^?(qK7PPNw$cNa~u4%`wEeEBq8l0jR>rT9L%a9yv6~&+4z`Cor}8WqW=D^ya#G_X_&- zK)e3oV^vuMCN5kS3D4&KtjfRtlD^gjdBi}TqR@UzQT-P8bt>E9@&HLg8#S`WUI z;ZBtPdRxne_7hw4XIr>x7*!3gEm!uw!$8Ut@z^@zNd(rTM=cd8QuDa10fg#UD<~&a zUSTpvh>xT^~3 zsg>UbzGcmto0KgDVyupIFOdOLgMc>tbzQd*_dP)x&B)L+DCwRycL(95BKtAX&4Y=_ zN@!9@Qkf&9`PpGP!*zU65c zzhKn)%w$mmkdG5Aeb4}0dSpPoe+{>iBKdzAZtXjaNJZGkDD`is^Yir{6ee!h>sF9< zKtHG8DCyV7364O(B#pPcvANB_sNbBJV!7KXeCUOphXEGYbT6}|B`nGM})v&y)1M_li-6(~66HnDb+ z@Z(YE^uEtoI?xD-f&b>-BjXvKgGxVre?b=h?NoS`Y<0h0w&{Ys45|mMKjTc8I__bF zXbV6M8gQ+PsJ1~5jq|4Cad%7eB{G6*&UwOMczI=f5-cF z9#NSVAA8z609{5U9WkDlV!{pK$z(g}f-U3aBakPe&{v6~1o61k@Lg0&;%WzKej{~v yNon%9p8?ehIjCsp%+!}dzjdrHIxn|iSeT5Hl#lui5MW^e0QYe9EtVP~*8c$1=v1.21.0-0" +annotations: + artifacthub.io/changes: | + - Initial 
release of Janssen helm charts
+ artifacthub.io/containsSecurityUpdates: "true"
+ artifacthub.io/images: |
+ - name: auth-server
+ image: janssenproject/auth-server:1.0.0-beta.14
+ - name: auth-server-key-rotation
+ image: janssenproject/certmanager:1.0.0-beta.14
+ - name: client-api
+ image: janssenproject/client-api:1.0.0-beta.14
+ - name: configuration-manager
+ image: janssenproject/configurator:1.0.0-beta.14
+ - name: config-api
+ image: janssenproject/config-api:1.0.0-beta.14
+ - name: fido2
+ image: janssenproject/fido2:1.0.0-beta.14
+ - name: opendj
+ image: janssenfederation/opendj:1.0.0_dev
+ - name: persistence
+ image: janssenproject/persistence-loader:1.0.0-beta.14
+ - name: scim
+ image: janssenproject/scim:1.0.0-beta.14
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/prerelease: "true"
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/release-name: janssen
+ catalog.cattle.io/display-name: Janssen Cloud Identity and Access Management
+apiVersion: v2
+appVersion: "1.0.0"
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+home: https://jans.io
+sources:
+ - https://jans.io
+ - https://github.com/JanssenProject/jans/charts/janssen
+maintainers:
+ - name: moabu
+ email: support@jans.io
+description: Janssen Access and Identity Management
+name: janssen
+version: 1.0.0-beta.14
+dependencies:
+ - name: config
+ condition: global.config.enabled
+ version: 1.0.0-beta.14
+
+ - name: config-api
+ condition: global.config-api.enabled
+ version: 1.0.0-beta.14
+
+ - name: opendj
+ condition: global.opendj.enabled
+ version: 1.0.0-beta.14
+
+ - name: auth-server
+ condition: global.auth-server.enabled
+ version: 1.0.0-beta.14
+
+ - name: fido2
+ condition: global.fido2.enabled
+ version: 1.0.0-beta.14
+
+ - name: scim
+ condition: global.scim.enabled
+ version: 1.0.0-beta.14
+
+ - name: nginx-ingress
+ condition: global.nginx-ingress.enabled
+ version: 1.0.0-beta.14
+
+ - name: 
auth-server-key-rotation
+ condition: global.auth-server-key-rotation.enabled
+ version: 1.0.0-beta.14
+
+ - name: client-api
+ condition: global.client-api.enabled
+ version: 1.0.0-beta.14
+
+ - name: persistence
+ condition: global.persistence.enabled
+ version: 1.0.0-beta.14
+
diff --git a/charts/janssen/README.md b/charts/janssen/README.md
new file mode 100644
index 00000000000..23d238c7cd8
--- /dev/null
+++ b/charts/janssen/README.md
@@ -0,0 +1,434 @@ +# janssen + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Janssen Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | support@jans.io | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | auth-server | 1.0.0-beta.14 | +| | auth-server-key-rotation | 1.0.0-beta.14 | +| | client-api | 1.0.0-beta.14 | +| | config | 1.0.0-beta.14 | +| | config-api | 1.0.0-beta.14 | +| | fido2 | 1.0.0-beta.14 | +| | nginx-ingress | 1.0.0-beta.14 | +| | opendj | 1.0.0-beta.14 | +| | persistence | 1.0.0-beta.14 | +| | scim | 1.0.0-beta.14 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/auth-server","tag":"1.0.0-beta.14"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. 
It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/certmanager","tag":"1.0.0-beta.14"},"keysLife":48,"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. 
| +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. 
| +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. 
| +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| client-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/client-api","tag":"1.0.0-beta.14"},"livenessProbe":{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. 
| +| client-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| client-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| client-api.dnsConfig | object | `{}` | Add custom dns config | +| client-api.dnsPolicy | string | `""` | Add custom dns policy | +| client-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| client-api.hpa.behavior | object | `{}` | Scaling Policies | +| client-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| client-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| client-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| client-api.image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. | +| client-api.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| client-api.livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| client-api.livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. | +| client-api.readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| client-api.replicas | int | `1` | Service replica number. | +| client-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. 
| +| client-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| client-api.resources.limits.memory | string | `"400Mi"` | Memory limit. | +| client-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| client-api.resources.requests.memory | string | `"400Mi"` | Memory request. | +| client-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| client-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| client-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| client-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| client-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnCasaEnabled":false,"cnClientApiAdminCertCn":"client-api","cnClientApiApplicationCertCn":"client-api","cnClientApiBindIpAddresses":"*","cnConfigGoogleSecretNamePrefix":"janssen","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCertFile":"/etc/certs/couchbase.crt","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbasePasswordFile":"/etc/janssen/conf/couchbase_password","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseSuperUserPasswordFile":"/etc/janssen/conf/couchbase_superuser_password","cnCouchbaseUrl":"cbjanssen.default.svc.cluster.local","cnCouchbaseUser":"janssen","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b0
9uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceLdapMapping":"default","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretGoogleSecretNamePrefix":"janssen","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqlPasswordFile":"/etc/jans/conf/sql_password","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@jans.io","image":{"pullSecrets":[],"repository":"janssenproject/configurator","tag":"1.0.0-beta.14"},"ldapPassword":"P@ssw0rds","orgName":"Janssen","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. 
| +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/config-api","tag":"1.0.0-beta.14"},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"400Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"400Mi"` | Memory request. 
| +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnCasaEnabled | bool | `false` | Enable Casa flag . | +| config.configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | +| config.configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| config.configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy | +| config.configmap.cnConfigGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Janssen. | +| config.configmap.cnCouchbaseCertFile | string | `"/etc/certs/couchbase.crt"` | Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . 
| +| config.configmap.cnCouchbasePasswordFile | string | `"/etc/janssen/conf/couchbase_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseSuperUserPasswordFile | string | `"/etc/janssen/conf/couchbase_superuser_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. | +| config.configmap.cnCouchbaseUrl | string | `"cbjanssen.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"janssen"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Janssen secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
| +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceLdapMapping | string | `"default"` | Boolean flag to enable/disable passport chart | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. 
| +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen secret in Google Secret Manager. Defaults to janssen. If left janssen-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnSecretGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Enable SAML-related features; UI menu, etc. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"jans"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"jans"` | SQL database username. | +| config.configmap.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | SQL password file holding password from config.configmap.cnSqldbUserPassword . | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected as config.configmap.cnSqlPasswordFile . | +| config.configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. 
| +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@jans.io"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| config.orgName | string | `"Janssen"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. 
variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/fido2","tag":"1.0.0-beta.14"},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. 
| +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. 
| +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 
PS512","enabled":true},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","client-api":{"appLoggers":{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"},"clientApiServerServiceName":"client-api","enabled":false},"cloud":{"testEnviroment":false},"cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnPersistenceType":"sql","config":{"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT"},"configApiServerServiceName":"config-api","enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","fido2":{"appLoggers":{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2"},"fqdn":"demoexample.jans.io","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"namespace":"istio-system"},"lbIp":"22.22.22.22","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"scim":{"appLoggers":{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. 
| +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| 
global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.client-api.appLoggers | object | `{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.client-api.appLoggers.clientApiLogLevel | string | `"INFO"` | client-api.log level | +| global.client-api.appLoggers.clientApiLogTarget | string | `"STDOUT"` | client-api.log target | +| global.client-api.clientApiServerServiceName | string | `"client-api"` | Name of the client-api service. Please keep it as default. | +| global.client-api.enabled | bool | `false` | Boolean flag to enable/disable the client-api chart. 
| +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. | +| global.cnPersistenceType | string | `"sql"` | Boolean flag if enabled will enable jackrabbit in cluster mode with Postgres. | +| global.config | object | `{"enabled":true}` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Janssen configuration layer. google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Janssen secret layer. 
google|kubernetes | +| global.fido2.appLoggers | object | `{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fqdn | string | `"demoexample.jans.io"` | Fully qualified domain name to be used for Janssen installation. This address will be used to reach Janssen services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side cars with Janssen services. 
| +| global.istio.namespace | string | `"istio-system"` | Boolean flag that enables using istio gateway for Janssen. This assumes istio ingress is installed and hence the LB is available. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
| +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for Jackrabbit and OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: | +| global.upgrade.enabled | bool | `false` | Boolean flag used when running upgrading through versions command. Used when upgrading with LDAP as the persistence to load the 101x ldif. | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. 
Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| nginx-ingress | object | `{"ingress":{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"hosts":["demoexample.jans.io"],"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{},"tls":[{"hosts":["demoexample.jans.io"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "janssen/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server 
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. 
| +| nginx-ingress.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.jans.io"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. 
key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenfederation/opendj","tag":"1.0.0_dev"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"multiCluster":{"clusterId":"","enabled":false,"namespaceIntId":0,"replicaCount":1,"serfAdvertiseAddrSuffix":"regional.janssen.org:30946","serfKey":"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=","serfPeers":["janssen-opendj-regional-0-regional.janssen.org:30946","janssen-opendj-regional-0-regional.janssen.org:31946"]},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and 
many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"janssenfederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"1.0.0_dev"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/JanssenFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.multiCluster.clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. 
| +| opendj.multiCluster.enabled | bool | `false` | Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` | +| opendj.multiCluster.namespaceIntId | int | `0` | Namespace int id. This id needs to be a unique number 0-9 per janssen installation per namespace. Used when janssen is installed in the same kubernetes cluster more than once. | +| opendj.multiCluster.replicaCount | int | `1` | The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of janssen, the address of the pod would be janssen-opendj-regional-0-regional.janssen.org | +| opendj.multiCluster.serfAdvertiseAddrSuffix | string | `"regional.janssen.org:30946"` | OpenDJ Serf advertise address suffix that will be added to each opendj replica. i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} | +| opendj.multiCluster.serfKey | string | `"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk="` | Serf key. This key will automatically sync across clusters. | +| opendj.multiCluster.serfPeers | list | `["janssen-opendj-regional-0-regional.janssen.org:30946","janssen-opendj-regional-0-regional.janssen.org:31946"]` | Serf peer addresses. One per cluster. | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/JanssenFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. 
| +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/persistence-loader","tag":"1.0.0-beta.14"},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and intial config for Janssen Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"janssenproject/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/scim","tag":"1.0.0-beta.14"},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. 
| +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/charts/janssen/charts/auth-server-key-rotation/.helmignore b/charts/janssen/charts/auth-server-key-rotation/.helmignore
new file mode 100644
index 00000000000..f0c13194444
--- /dev/null
+++ b/charts/janssen/charts/auth-server-key-rotation/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/janssen/charts/auth-server-key-rotation/Chart.yaml b/charts/janssen/charts/auth-server-key-rotation/Chart.yaml
new file mode 100644
index 00000000000..a0cb716cd67
--- /dev/null
+++ b/charts/janssen/charts/auth-server-key-rotation/Chart.yaml
@@ -0,0 +1,20 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v2
+name: auth-server-key-rotation
+version: 1.0.0-beta.14
+kubeVersion: ">=v1.21.0-0"
+description: Responsible for regenerating auth-keys per x hours
+type: application
+keywords:
+ - Auth keys Rotation
+home: https://jans.io
+sources:
+ - https://github.com/JanssenProject/docker-jans-certmanager
+ - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/auth-server-key-rotation
+maintainers:
+ - name: Mohammad Abudayyeh
+ email: support@jans.io
+ url: https://github.com/moabu
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+appVersion: "1.0.0"
\ No newline at end of file
diff --git a/charts/janssen/charts/auth-server-key-rotation/README.md b/charts/janssen/charts/auth-server-key-rotation/README.md
new file mode 100644
index 00000000000..2b9906ec2ee
--- /dev/null
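Review bot: `appVersion: "1.0.0"` in Chart.yaml disagrees with the chart's own `version: 1.0.0-beta.14` and with the `image.tag` default of `"1.0.0-beta.14"` that this chart's README documents, so the AppVersion badge helm-docs generates advertises a release the deployed image does not carry; `appVersion: "1.0.0-beta.14"` keeps the three in step until GA. The `description` is also vaguer than the chart's own values allow: the README names a `keysLife` knob (default 48 hours), so `description: Rotates the auth-server keys every keysLife hours (default 48)` tells an operator what the cronjob actually does. The file ends without a trailing newline (`\ No newline at end of file`), which YAML linters typically flag. The second `sources` entry points into the JanssenFederation/flex tree rather than this repository; that looks carried over from the flex chart, so confirm it is the intended upstream.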
+++ b/charts/janssen/charts/auth-server-key-rotation/README.md 
@@ -0,0 +1,48 @@ +# auth-server-key-rotation + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. 
| +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/janssen/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 00000000000..3f22c7b89b5 --- /dev/null +++ b/charts/janssen/charts/auth-server-key-rotation/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 00000000000..dc4553a2785 --- /dev/null +++ b/charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml 
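Review bot: `value: {{ $val }}` in the `auth-server-key-rotation.usr-envs` template emits the raw value, so a numeric or boolean entry in `usrEnvs.normal` (e.g. `DEBUG: true`) renders as a YAML bool/int, and the container `env[].value` field, which must be a string, is rejected by the API server; use `value: {{ $val | quote }}`. Quoting also protects string values that contain `:` or `#`. The same line exists in `auth-server.usr-envs` in charts/janssen/charts/auth-server/templates/_helpers.tpl further down and needs the same fix.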
@@ -0,0 +1,98 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +kind: CronJob +apiVersion: batch/v1beta1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/janssen/charts/auth-server-key-rotation/templates/service.yaml b/charts/janssen/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 00000000000..4b1f6ff0762 --- /dev/null +++ b/charts/janssen/charts/auth-server-key-rotation/templates/service.yaml 
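Review bot: The schedule `"0 */{{ .Values.keysLife }} * * *"` only expresses "every keysLife hours" when keysLife divides 24; the chart default of 48 puts a step of 48 in the hour field, which a cron parser either rejects or collapses to a single run at hour 0 every day, so the cadence the container is told via `--opts interval:{{ .Values.keysLife }}` will not match when the job actually runs. Consider rendering the schedule from a dedicated `schedule` value, or guarding keysLife with `required`/`fail` when it exceeds 23 or does not divide 24, so key material is not left in use longer than the operator intended. `apiVersion: batch/v1beta1` for CronJob is deprecated since Kubernetes 1.21 and removed in 1.25; since `kubeVersion` already pins `>=v1.21.0-0`, `apiVersion: batch/v1` works everywhere this chart installs. The job container also has no `securityContext` (the auth-server deployment sets `runAsUser: 1000` and `runAsNonRoot: true`) even though it mounts the Google service-account credentials and the Couchbase certificate; aligning the two would be consistent.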
@@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 00000000000..ef30b32c0af --- /dev/null +++ b/charts/janssen/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,22 @@ +{{ if .Values.usrEnvs.secret }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/janssen/charts/auth-server-key-rotation/values.yaml b/charts/janssen/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 00000000000..f4fd4033490 
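Review bot: Under `metadata.labels:` the Service template includes `auth-server-key-rotation.fullname` instead of `auth-server-key-rotation.labels`, which renders a bare scalar (the release-qualified name) where a mapping is required, so the manifest fails to parse whenever `global.istio.enabled` is true; the line should be `{{ include "auth-server-key-rotation.labels" . | indent 4 }}`. Separately, the selector `app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}` will match nothing as written, because the CronJob's pod template in cronjobs.yaml carries only the `sidecar.istio.io/inject` annotation and no labels (the labels helper is applied to the CronJob object itself), so if this Service exists only to satisfy Istio it deserves a comment saying so, and otherwise the pod template needs the `app` label.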
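Review bot: `{{ $key }}: {{ $val | b64enc }}` aborts rendering when a `usrEnvs.secret` value is not a string, because `b64enc` receives a float64/bool for numeric or boolean YAML values; `{{ $key }}: {{ $val | toString | b64enc }}` handles both. It is also worth stating in the `usrEnvs.secret` comment in values.yaml that values passed this way are recorded in the Helm release history as well as in this Secret (they are visible via `helm get values`), so they should come from `--set`/a values file kept out of version control.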
--- /dev/null +++ b/charts/janssen/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,49 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/janssen/charts/auth-server/.helmignore b/charts/janssen/charts/auth-server/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/charts/janssen/charts/auth-server/.helmignore 
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/janssen/charts/auth-server/Chart.yaml b/charts/janssen/charts/auth-server/Chart.yaml
new file mode 100644
index 00000000000..bc23c838935
--- /dev/null
+++ b/charts/janssen/charts/auth-server/Chart.yaml
@@ -0,0 +1,22 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v2
+name: auth-server
+version: 1.0.0-beta.14
+kubeVersion: ">=v1.21.0-0"
+description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
+type: application
+keywords:
+ - Autherization
+ - OpenID
+home: https://jans.io
+sources:
+ - https://github.com/JanssenProject/jans-auth-server
+ - https://github.com/JanssenProject/docker-jans-auth-server
+ - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/auth-server
+maintainers:
+ - name: Mohammad Abudayyeh
+ email: support@jans.io
+ url: https://github.com/moabu
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+appVersion: 1.0.0
diff --git a/charts/janssen/charts/auth-server/README.md b/charts/janssen/charts/auth-server/README.md
new file mode 100644
index 00000000000..5aff24c8dd2
--- /dev/null
+++ b/charts/janssen/charts/auth-server/README.md
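Review bot: `- Autherization` in `keywords` of the auth-server Chart.yaml is misspelled and should read `- Authorization`. `appVersion: 1.0.0` is unquoted here while the auth-server-key-rotation Chart.yaml above writes `appVersion: "1.0.0"`; Helm treats appVersion as a string, so quoting it in both charts is the safer consistent form.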
@@ -0,0 +1,60 @@ +# auth-server + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. 
| +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/auth-server/templates/_helpers.tpl b/charts/janssen/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 00000000000..ecc6ffe0f15 --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/janssen/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/janssen/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 00000000000..b84f1650e7d --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,24 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file 
diff --git a/charts/janssen/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/janssen/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 00000000000..01ff48f9f4d --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/auth-server-virtual-services.yaml 
@@ -0,0 +1,94 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service. + http: + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/auth-server/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/auth-server/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/auth-server/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/auth-server" + route: + - destination: + 
host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/auth-server/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/auth-server/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/auth-server/templates/deployment.yml b/charts/janssen/charts/auth-server/templates/deployment.yml new file mode 100644 index 00000000000..7bb435c4e9f --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/deployment.yml 
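Review bot: The `/.well-known/*` routes use `prefix:` matches, so a request such as `/.well-known/openid-configuration-anything` is also rewritten onto the auth-server discovery path; these are fixed discovery URIs and `exact:` is the appropriate StringMatch for them, leaving `prefix: "/auth-server"` as the only prefix route. The `-istio-cn` route is the only destination without `weight: 100`; harmless with a single destination, but inconsistent with the other five entries. The name `{{ .Release.Name }}-istio-u2f-config` routes `/.well-known/fido-configuration`, so `-istio-fido-config` would describe it more accurately.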
@@ -0,0 +1,225 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . 
| indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + 
mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . 
| nindent 8 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ 
.Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/janssen/charts/auth-server/templates/hpa.yaml b/charts/janssen/charts/auth-server/templates/hpa.yaml new file mode 100644 index 00000000000..b864c5d86de --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,39 @@ +{{ if .Values.hpa.enabled -}} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file 
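Review bot: The `metrics:` and `behavior:` branches in this hunk are rendered under `apiVersion: autoscaling/v1`, which only knows `targetCPUUtilizationPercentage`; on the `>=1.21` clusters the chart targets those fields belong to `autoscaling/v2beta2` (or `autoscaling/v2` from 1.23), so a user who sets `hpa.metrics` or `hpa.behavior` gets them silently pruned or, with strict field validation, rejected. Switching the group version and expressing the CPU target as a v2 `Resource` metric keeps both paths working; note that `helm template` run offline only sees the default capabilities, so the conditional falls back to `v2beta2` there. The HPA also omits `namespace: {{ .Release.Namespace }}` while the sibling Service sets it, which is harmless under Helm but worth making consistent.
```yaml
apiVersion: {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}autoscaling/v2{{ else }}autoscaling/v2beta2{{ end }}
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas/maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  metrics:
{{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
# … unchanged: behavior block …
```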
diff --git a/charts/janssen/charts/auth-server/templates/service.yml b/charts/janssen/charts/auth-server/templates/service.yml new file mode 100644 index 00000000000..e3ecd51a790 --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/service.yml @@ -0,0 +1,31 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/janssen/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 00000000000..2a58f6b4793 --- /dev/null +++ b/charts/janssen/charts/auth-server/templates/user-custom-secret-envs.yaml 
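Review bot: With `global.alb.ingress` set, `type: NodePort` in this hunk publishes the auth-server's plaintext `8080` listener on every node's address, not only to the load balancer, and nothing in the template narrows that (no `externalTrafficPolicy`, no documented security-group requirement). If the ALB is configured with `target-type: ip` the Service can stay `ClusterIP`; if instance targets are required, the README entry for `global.alb.ingress` should state that node security groups must restrict the NodePort range to the ALB's security group. A one-line comment above the branch would help future readers: `# NodePort is only needed for ALB instance targets; restrict the node port range to the ALB security group`. I cannot see the ALB ingress annotations from here, so which target type the chart uses is an assumption.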
@@ -0,0 +1,23 @@ +{{ if .Values.usrEnvs.secret }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/janssen/charts/auth-server/values.yaml b/charts/janssen/charts/auth-server/values.yaml new file mode 100644 index 00000000000..1281d867254 --- /dev/null +++ b/charts/janssen/charts/auth-server/values.yaml 
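Review bot: `{{ $key }}: {{ $val | b64enc }}` in this hunk fails to render whenever a value in `usrEnvs.secret` is not a YAML string — `b64enc` raises `wrong type for value; expected string` for booleans and numbers such as `DEBUG: true` or `PORT: 8080`, which are the natural way to write env values. Use `{{ $key }}: {{ $val | toString | b64enc }}`, or switch the block to `stringData:` and let the API server encode. Also worth a comment in the template that these values arrive in plaintext via `--set`/values files and are retained in the Helm release Secret history, so rotating them means a new release revision, not just editing the Secret.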
@@ -0,0 +1,88 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. 
+ port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/janssen/charts/client-api/.helmignore b/charts/janssen/charts/client-api/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/charts/janssen/charts/client-api/.helmignore 
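Review bot: The `livenessProbe`/`readinessProbe` comments in this hunk link to `docker-oxauth/blob/4.3/scripts/healthcheck.py`, a Gluu 4.x artifact, while `image.repository` is `janssenproject/auth-server`; a reader tuning probes for this image will be reading the wrong script. Point the comment at the healthcheck shipped in the Janssen image or drop the URL. Separately, the image is pinned only by the mutable tag `1.0.0-beta.14` with `pullPolicy: IfNotPresent`, so a re-pushed tag would be picked up unverified on new nodes; an optional `image.digest` value (rendered as `repository@sha256:…` when set) would give operators a supply-chain pin without changing the default. The deployment's image line is not in this hunk, so that wiring is an inferred addition.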
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/janssen/charts/client-api/Chart.yaml b/charts/janssen/charts/client-api/Chart.yaml new file mode 100644 index 00000000000..f44fa4efc6b --- /dev/null +++ b/charts/janssen/charts/client-api/Chart.yaml @@ -0,0 +1,22 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v2 +name: client-api +version: 1.0.0-beta.14 +kubeVersion: ">=v1.21.0-0" +description: Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. +type: application +keywords: + - client + - API +home: https://github.com/JanssenProject/jans/jans-client-api +sources: + - https://github.com/JanssenProject/jans/jans-client-api + - https://github.com/JanssenProject/jans/docker-jans-client-api + - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/client-api +maintainers: + - name: Mohammad Abudayyeh + email: support@jans.io + url: https://github.com/moabu +icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png +appVersion: "1.0.0" diff --git a/charts/janssen/charts/client-api/README.md b/charts/janssen/charts/client-api/README.md new file mode 100644 index 00000000000..68ce3882fef --- /dev/null +++ b/charts/janssen/charts/client-api/README.md 
@@ -0,0 +1,61 @@ +# client-api + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"400Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"400Mi"` | Memory request. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/client-api/templates/_helpers.tpl b/charts/janssen/charts/client-api/templates/_helpers.tpl new file mode 100644 index 00000000000..67460b0fb1c --- /dev/null +++ b/charts/janssen/charts/client-api/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "client-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "client-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "client-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "client-api.labels" -}} +app: {{ .Release.Name }}-{{ include "client-api.name" . }} +helm.sh/chart: {{ include "client-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "client-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "client-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
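Review bot: `value: {{ $val }}` in `client-api.usr-envs` emits the value unquoted, so `usrEnvs.normal` entries like `FOO: true`, `PORT: 8080`, `MODE: yes` or anything containing `: ` or `#` become a non-string or malformed YAML and the Deployment fails validation (`EnvVar.value` must be a string). Render it as `value: {{ $val | quote }}`. The secret counterpart is fine because it only references a key, but for the same reason `{{ $key }}` must stay an env-safe identifier; a short comment `# keys must be valid env names; values are quoted so YAML scalars stay strings` documents the contract.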
diff --git a/charts/janssen/charts/client-api/templates/client-api-destination-rules.yaml b/charts/janssen/charts/client-api/templates/client-api-destination-rules.yaml new file mode 100644 index 00000000000..6d9222a118d --- /dev/null +++ b/charts/janssen/charts/client-api/templates/client-api-destination-rules.yaml @@ -0,0 +1,24 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-client-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "client-api" "clientApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/client-api/templates/deployment.yaml b/charts/janssen/charts/client-api/templates/deployment.yaml new file mode 100644 index 00000000000..2a07ae19c95 --- /dev/null +++ b/charts/janssen/charts/client-api/templates/deployment.yaml 
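Review bot: The `ISTIO_MUTUAL` DestinationRule in this hunk only configures the client side of mTLS for callers inside the mesh; it does not make client-api refuse plaintext, which is decided by a `PeerAuthentication` with `mode: STRICT` for the namespace or the workload selector. If the umbrella chart does not create one (not visible here), ports `8443` and the admin port `8444` remain reachable without a client certificate from any pod without a sidecar, so a comment `# client-side mTLS only; pair with a STRICT PeerAuthentication to reject plaintext` would stop readers assuming more than this gives. Also `networking.istio.io/v1alpha3` is the legacy group version; `v1beta1` has been available since Istio 1.5 and is what a new chart should use, `apiVersion: networking.istio.io/v1beta1`.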
@@ -0,0 +1,138 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "client-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "client-api.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: client-api + app: {{ .Release.Name }}-{{ include "client-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "client-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "client-api.usr-envs" . | indent 12 }} + {{- include "client-api.usr-secret-envs" . 
| indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 8444 + - containerPort: 8443 + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "client-api.name" . 
}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "client-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/janssen/charts/client-api/templates/hpa.yaml b/charts/janssen/charts/client-api/templates/hpa.yaml new file mode 100644 index 00000000000..3684042f906 --- /dev/null +++ b/charts/janssen/charts/client-api/templates/hpa.yaml 
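Review bot: The container `securityContext` in this hunk sets only `runAsUser: 1000` and `runAsNonRoot: true`; add `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` so the pod satisfies the `restricted` Pod Security Standard rather than just `baseline`. `readOnlyRootFilesystem: true` would be the next step, but the `updatelbip.py`/`entrypoint.sh` command path writes to locations I cannot see, so that needs a run against the image first. The `command:` override also deserves a comment: the script it runs comes from the `-updatelbip` ConfigMap mounted at `/scripts`, so anyone with write access to ConfigMaps in the namespace can run code as the container user — inherent to the design, and worth stating in the README for `global.isFqdnRegistered`.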
@@ -0,0 +1,39 @@ +{{ if .Values.hpa.enabled -}} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "client-api.fullname" . }} + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "client-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/client-api/templates/networkpolicy.yaml b/charts/janssen/charts/client-api/templates/networkpolicy.yaml new file mode 100644 index 00000000000..27f04416d94 --- /dev/null +++ b/charts/janssen/charts/client-api/templates/networkpolicy.yaml 
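Review bot: `metrics:` and `behavior:` here are rendered under `apiVersion: autoscaling/v1`, which has neither field; setting `hpa.metrics` or `hpa.behavior` yields an object the API server prunes or, with strict field validation, rejects. Move to `autoscaling/v2` (or `v2beta2` on 1.21–1.22, selectable via `.Capabilities.APIVersions.Has "autoscaling/v2"`) and express the CPU target as a `Resource` metric with `averageUtilization` instead of `targetCPUUtilizationPercentage`. The `{{ toYaml .Values.hpa.metrics }}` branch then expects v2-shaped entries, which the values.yaml comment for `hpa.metrics` should say.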
@@ -0,0 +1,39 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: client-api-policy + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app: client-api + ingress: + - from: + - podSelector: + matchLabels: + app: auth-server + ports: + - protocol: TCP + port: 8443 + - from: + - namespaceSelector: + matchLabels: + app: ingress-kong + - podSelector: + matchLabels: + app: ingress-kong + ports: + - protocol: TCP + port: 8443 \ No newline at end of file diff --git a/charts/janssen/charts/client-api/templates/service.yaml b/charts/janssen/charts/client-api/templates/service.yaml new file mode 100644 index 00000000000..ec5acfac847 --- /dev/null +++ b/charts/janssen/charts/client-api/templates/service.yaml 
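Review bot: `podSelector.matchLabels.app: client-api` in this hunk matches no pod: the deployment labels its pods `app: {{ .Release.Name }}-client-api` (plus `APP_NAME: client-api`), so the policy selects nothing and client-api — including the admin port `8444` — stays reachable from every pod in the cluster. The `from` rule's `app: auth-server` has the same mismatch against auth-server pods labelled `{{ .Release.Name }}-auth-server`. Select on the label the pod templates actually carry, `matchLabels: {APP_NAME: client-api}` and `matchLabels: {APP_NAME: auth-server}` (assuming the auth-server pod template carries the same `APP_NAME` label its Service and HPA do), and note that the second rule lists `namespaceSelector` and `podSelector` as separate items, i.e. an OR, so any pod carrying `app: ingress-kong` in the release namespace is admitted too. Once the selector matches, `8444` becomes unreachable through the Service, which is probably intended but should be documented.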
@@ -0,0 +1,31 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "client-api" "clientApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 8444 + name: tcp-{{ include "client-api.name" . }}-admin-gui + - port: 8443 + name: tcp-{{ include "client-api.name" . }}-app-connector + selector: + app: {{ .Release.Name }}-{{ include "client-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/janssen/charts/client-api/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/client-api/templates/user-custom-secret-envs.yaml new file mode 100644 index 00000000000..39e80b5b9ba --- /dev/null +++ b/charts/janssen/charts/client-api/templates/user-custom-secret-envs.yaml 
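Review bot: This Service publishes port `8444`, named `tcp-…-admin-gui`, to the whole cluster alongside `8443`, while the chart's own NetworkPolicy only intends to admit `8443` (and, as written, selects no pods). If the admin GUI is meant for operators only, drop `8444` from this Service or gate it behind a value such as `service.exposeAdminPort` defaulting to `false`, and reach it with `kubectl port-forward`; what actually listens on `8444` is not visible here, so confirm that against the image. A comment above the port list naming the intended consumer of each port would also replace the vague `# the name must match the application`.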
@@ -0,0 +1,23 @@ +{{ if .Values.usrEnvs.secret }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/janssen/charts/client-api/values.yaml b/charts/janssen/charts/client-api/values.yaml new file mode 100644 index 00000000000..1b5fd273d79 --- /dev/null +++ b/charts/janssen/charts/client-api/values.yaml 
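Review bot: `{{ $val | b64enc }}` in this hunk only accepts strings, so a `usrEnvs.secret` entry such as `ENABLE_X: true` or `RETRIES: 3` aborts rendering with `wrong type for value; expected string`; render `{{ $key }}: {{ $val | toString | b64enc }}` or use `stringData:` and let the API server encode. The `client-api.usr-secret-envs` helper iterates the same map for its `secretKeyRef`, so keys stay aligned either way. Add a comment above `data:` noting that these values also persist in the Helm release Secret for the revision, so they are no better protected than the `--set` inputs that produced them.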
@@ -0,0 +1,88 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# -- Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/client-api + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi +service: + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. 
+livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - curl + - -k + - https://localhost:8443/health-check + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + tcpSocket: + port: 8443 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/janssen/charts/config-api/.helmignore b/charts/janssen/charts/config-api/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/charts/janssen/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/janssen/charts/config-api/Chart.yaml b/charts/janssen/charts/config-api/Chart.yaml new file mode 100644 index 00000000000..42c93b596a1 --- /dev/null +++ b/charts/janssen/charts/config-api/Chart.yaml 
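Review bot: The `livenessProbe` in this hunk shells out to `curl -k https://localhost:8443/health-check` while the comment above it says `Executes the python3 healthcheck.`, and `readinessProbe` is a bare `tcpSocket` on `8443`, which reports ready as soon as the TLS listener opens rather than when the application answers. Use the kubelet's own HTTPS probe for both, `httpGet: {path: /health-check, port: 8443, scheme: HTTPS}` — it does not verify the server certificate, so the `-k` goes away along with the dependency on `curl` in the image (this assumes `/health-check` answers anonymously, as the curl form already assumes). The three `for the auth server` comments are copy-paste from the auth-server chart and should say client-api.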
@@ -0,0 +1,22 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v2 +name: config-api +version: 1.0.0-beta.14 +kubeVersion: ">=v1.21.0-0" +description: Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) +type: application +keywords: + - configuration + - API +home: https://jans.io +sources: + - https://github.com/JanssenProject/jans/jans-config-api + - https://github.com/JanssenProject/jans/docker-jans-config-api + - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/config-api +maintainers: + - name: Mohammad Abudayyeh + email: support@jans.io + url: https://github.com/moabu +icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png +appVersion: "1.0.0" diff --git a/charts/janssen/charts/config-api/README.md b/charts/janssen/charts/config-api/README.md new file mode 100644 index 00000000000..3ef9cb89599 --- /dev/null +++ b/charts/janssen/charts/config-api/README.md 
@@ -0,0 +1,64 @@ +# config-api + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/config-api/templates/_helpers.tpl b/charts/janssen/charts/config-api/templates/_helpers.tpl new file mode 100644 index 00000000000..ff25cbc7786 --- /dev/null +++ b/charts/janssen/charts/config-api/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxauth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxauth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
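Review bot: `value: {{ $val }}` in `oxauth.usr-envs` emits the user-supplied value unquoted, so a value such as `true`, `123` or `01` is parsed by YAML as a boolean or number and the API server rejects the pod because an env `value` must be a string; `value: {{ $val | quote }}` keeps it a string. The two env helpers are named `oxauth.usr-envs` / `oxauth.usr-secret-envs` while every other helper in this file is prefixed `config-api.`; Helm named templates are global for a release, so if a sibling subchart defines templates of the same name the last one loaded wins, and the foreign prefix makes that collision easy to overlook — `config-api.usr-envs` and `config-api.usr-secret-envs` would match the rest of the file. The `{{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs` Secret that the second helper references is not created by any config-api template in this patch, so a pod that includes the helper with `usrEnvs.secret` set would fail to start on a missing secret.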
diff --git a/charts/janssen/charts/config-api/templates/config-api-destination-rules.yaml b/charts/janssen/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 00000000000..8fe2e45e17d --- /dev/null +++ b/charts/janssen/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,24 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/config-api/templates/deployment.yaml b/charts/janssen/charts/config-api/templates/deployment.yaml new file mode 100644 index 00000000000..eb7558cb141 --- /dev/null +++ b/charts/janssen/charts/config-api/templates/deployment.yaml 
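Review bot: The `host:` field hard-codes the `.svc.cluster.local` suffix, so the DestinationRule silently matches nothing on clusters configured with a different cluster domain and the `ISTIO_MUTUAL` policy is never applied to config-api traffic. Exposing the domain as a value (a constructed `{{ .Values.global.clusterDomain | default "cluster.local" }}` would do) keeps the default behaviour while making the rule portable; the same suffix is also used for the default `cnCouchbaseUrl`, `cnRedisUrl` and `cnSqlDbHost` values documented in the config subchart, so one shared value would cover all of them.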
@@ -0,0 +1,165 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . 
}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + - mountPath: {{ index .Values "global" "admin-ui" "adminUiApiKeyFile" }} + name: admin-ui-license-api-key + subPath: admin_ui_api_key + - mountPath: {{ index .Values "global" "admin-ui" "adminUiProductCodeFile" }} + name: admin-ui-license-product-code + subPath: admin_ui_product_code + - mountPath: {{ index .Values "global" "admin-ui" "adminUiSharedKeyFile" }} + name: admin-ui-license-shared-key + subPath: admin_ui_shared_key + - mountPath: {{ index .Values "global" "admin-ui" "adminUiManagementKeyFile" }} + name: admin-ui-license-management-key + subPath: admin_ui_management_key + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end 
}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + - name: admin-ui-license-api-key + secret: + secretName: {{ .Release.Name }}-admin-ui-license + items: + - key: admin_ui_api_key + path: admin_ui_api_key + - name: admin-ui-license-product-code + secret: + secretName: {{ .Release.Name }}-admin-ui-license + items: + - key: admin_ui_product_code + path: admin_ui_product_code + - name: admin-ui-license-shared-key + secret: + secretName: {{ .Release.Name }}-admin-ui-license + items: + - key: admin_ui_shared_key + path: admin_ui_shared_key + - name: admin-ui-license-management-key + secret: + secretName: {{ .Release.Name }}-admin-ui-license + items: + - key: admin_ui_management_key + path: admin_ui_management_key + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner 
"kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/janssen/charts/config-api/templates/hpa.yaml b/charts/janssen/charts/config-api/templates/hpa.yaml new file mode 100644 index 00000000000..c1d63542b43 --- /dev/null +++ b/charts/janssen/charts/config-api/templates/hpa.yaml @@ -0,0 +1,39 @@ +{{ if .Values.hpa.enabled -}} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file 
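Review bot: The container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`; for a container that mounts the admin-ui license keys and the Google service-account JSON as files, it should also set `allowPrivilegeEscalation: false`, drop all capabilities and request a seccomp profile, which is what the `restricted` Pod Security Standard checks when Pod Security Admission is enabled on the namespace. The pod's only environment source is `envFrom: configMapRef`, while `.Values.usrEnvs.normal` / `.Values.usrEnvs.secret` — documented in values.yaml and the README as "Add custom normal and secret envs to the service" — are not rendered by any config-api template in this patch, so user-supplied envs are silently dropped; either add an `env:` block that includes the `oxauth.usr-envs` / `oxauth.usr-secret-envs` helpers together with a Secret template for `-user-custom-envs`, or remove the values and their docs. `runAsUser: 1000` is also hard-coded rather than read from values, unlike everything else in the template. The hardened context and the env wiring are sketched below.
```yaml
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: imagePullPolicy, command override, ports …
        envFrom:
          - configMapRef:
              name: {{ .Release.Name }}-config-cm
        env:
          {{- include "oxauth.usr-envs" . | indent 10 }}
          {{- include "oxauth.usr-secret-envs" . | indent 10 }}
        # … unchanged: probes, volumeMounts, resources …
```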
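Review bot: `apiVersion: autoscaling/v1` does not define the `metrics` or `behavior` fields this template renders from `hpa.metrics` and `hpa.behavior`, so as soon as either value is set the resulting HorizontalPodAutoscaler is rejected by the API server (or the fields are pruned and ignored); `autoscaling/v2beta2` carries both and is served on every release the chart's `kubeVersion: ">=v1.21.0-0"` admits, with `autoscaling/v2` available from 1.23. This HPA is also the only config-api manifest in the patch whose metadata lacks `namespace: {{ .Release.Namespace }}`, which is harmless under `helm install -n` but inconsistent with the Deployment, Service and DestinationRule.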
diff --git a/charts/janssen/charts/config-api/templates/service.yaml b/charts/janssen/charts/config-api/templates/service.yaml new file mode 100644 index 00000000000..da784dae4d7 --- /dev/null +++ b/charts/janssen/charts/config-api/templates/service.yaml @@ -0,0 +1,31 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/janssen/charts/config-api/values.yaml b/charts/janssen/charts/config-api/values.yaml new file mode 100644 index 00000000000..dec3e601d18 --- /dev/null +++ b/charts/janssen/charts/config-api/values.yaml 
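Review bot: `.Values.service.name` (default `http-config-api`, documented as the port name to "keep as default") is never read — the port names are built as `tcp-{{ include "config-api.name" . }}-ssl` and `-http` — so it is dead configuration that should either be used for the 8074 port name or removed from values.yaml and the README. The Service exposes the plaintext 8074 endpoint of an API whose stated purpose is reconfiguring the auth server to every pod in the cluster, and no NetworkPolicy template for config-api is among the files in this section; an ingress policy limited to the namespaces and workloads that need it would be a cheap default for a control-plane component, and clients should prefer 9444 where Istio mTLS is not in use. `sessionAffinityConfig` is also rendered whenever the value is non-empty, including with the default `sessionAffinity: None`; guarding the block with `{{- if eq .Values.service.sessionAffinity "ClientIP" }}` avoids emitting a config the affinity mode does not use.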
@@ -0,0 +1,97 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# -- Janssen Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. 
+ # https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/JanssenFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/janssen/charts/config/.helmignore b/charts/janssen/charts/config/.helmignore new file mode 100644 index 00000000000..b8204d7442b --- /dev/null +++ b/charts/janssen/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/janssen/charts/config/Chart.yaml b/charts/janssen/charts/config/Chart.yaml new file mode 100644 index 00000000000..a588285dee0 --- /dev/null +++ b/charts/janssen/charts/config/Chart.yaml 
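Review bot: Several comments in this values file are copy-paste leftovers that helm-docs turns into misleading README text: the file opens with `# -- Janssen Admin UI. This shouldn't be internet facing.` although this is the config-api chart, and `livenessProbe` / `readinessProbe` are described as being "for the auth server" and as "Executes the python3 healthcheck" with a link to a docker-oxauth script, while the probes defined here are plain `httpGet` calls to `/jans-config-api/api/v1/health/live` and `/ready` on 8074. Suggested wording: `# -- Configure the liveness healthcheck for config-api (HTTP GET /jans-config-api/api/v1/health/live on port 8074).`, the matching readiness line, and deletion of the admin-ui comment and the two script links. `resources` sets requests equal to limits at `2500m` / `2500Mi`, which gives Guaranteed QoS but reserves 2.5 CPU per replica with `hpa.maxReplicas: 10`; worth confirming that reservation is intended for a configuration API.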
@@ -0,0 +1,22 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v2 +name: config +version: 1.0.0-beta.14 +kubeVersion: ">=v1.21.0-0" +description: Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. +type: application +keywords: + - configuration + - secrets +home: /docker-jans-configurator +sources: + - /docker-jans-configurator + - https://github.com/JanssenProject/jans/docker-jans-configurator + - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/config +maintainers: + - name: Mohammad Abudayyeh + email: support@jans.io + url: https://github.com/moabu +icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png +appVersion: "1.0.0" diff --git a/charts/janssen/charts/config/README.md b/charts/janssen/charts/config/README.md new file mode 100644 index 00000000000..2c68a326eb5 --- /dev/null +++ b/charts/janssen/charts/config/README.md 
@@ -0,0 +1,119 @@ +# config + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | +| configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. 
This should be left as * and controlled by a NetworkPolicy | +| configmap.cnConfigGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Janssen. | +| configmap.cnCouchbaseCertFile | string | `"/etc/certs/couchbase.crt"` | Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. 
| +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbasePasswordFile | string | `"/etc/janssen/conf/couchbase_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseSuperUserPasswordFile | string | `"/etc/janssen/conf/couchbase_superuser_password"` | The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. | +| configmap.cnCouchbaseUrl | string | `"cbjanssen.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"janssen"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnDocumentStoreType | string | `"JCA"` | Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. 
| +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Janssen secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJackrabbitAdminId | string | `"admin"` | Jackrabbit admin uid. | +| configmap.cnJackrabbitAdminIdFile | string | `"/etc/janssen/conf/jackrabbit_admin_id"` | The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id. | +| configmap.cnJackrabbitAdminPasswordFile | string | `"/etc/janssen/conf/jackrabbit_admin_password"` | The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password. | +| configmap.cnJackrabbitPostgresDatabaseName | string | `"jackrabbit"` | Jackrabbit postgres database name. 
| 
+| configmap.cnJackrabbitPostgresHost | string | `"postgresql.postgres.svc.cluster.local"` | Postgres url |
+| configmap.cnJackrabbitPostgresPasswordFile | string | `"/etc/janssen/conf/postgres_password"` | The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password. |
+| configmap.cnJackrabbitPostgresPort | int | `5432` | Jackrabbit Postgres port |
+| configmap.cnJackrabbitPostgresUser | string | `"jackrabbit"` | Jackrabbit Postgres uid |
+| configmap.cnJackrabbitSyncInterval | int | `300` | Interval between files sync (default to 300 seconds). |
+| configmap.cnJackrabbitUrl | string | `"http://jackrabbit:8080"` | Jackrabbit internal url. Normally left as default. |
+| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server |
+| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. |
+| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage |
+| configmap.cnPersistenceLdapMapping | string | `"default"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. |
+| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| configmap.cnSamlEnabled | bool | `false` | Enable SAML-related features; UI menu, etc. |
+| configmap.cnSecretGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen secret in Google Secret Manager. Defaults to janssen. If left janssen-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| configmap.cnSecretGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. |
+| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` |
+| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. |
+| configmap.cnSqlDbName | string | `"jans"` | SQL database name. |
+| configmap.cnSqlDbPort | int | `3306` | SQL database port. |
+| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. |
+| configmap.cnSqlDbUser | string | `"jans"` | SQL database username. |
+| configmap.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | SQL password file holding password from config.configmap.cnSqldbUserPassword . |
+| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected as config.configmap.cnSqlPasswordFile . |
+| configmap.containerMetadataName | string | `"kubernetes"` | |
+| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. |
+| countryCode | string | `"US"` | Country code. Used for certificate creation. |
+| dnsConfig | object | `{}` | Add custom dns config |
+| dnsPolicy | string | `""` | Add custom dns policy |
+| email | string | `"support@jans.io"` | Email address of the administrator usually. Used for certificate creation. |
+| fullNameOverride | string | `""` | |
+| image.pullSecrets | list | `[]` | Image Pull Secrets |
+| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. |
+| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. |
+| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. |
+| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section |
+| migration.enabled | bool | `false` | Boolean flag to enable migration from CE |
+| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. |
+| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files |
+| nameOverride | string | `""` | |
+| orgName | string | `"Janssen"` | Organization name. Used for certificate creation. |
+| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. |
+| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
+| resources.limits.cpu | string | `"300m"` | CPU limit. |
+| resources.limits.memory | string | `"300Mi"` | Memory limit. |
+| resources.requests.cpu | string | `"300m"` | CPU request. |
+| resources.requests.memory | string | `"300Mi"` | Memory request. |
+| state | string | `"TX"` | State code. Used for certificate creation. |
+| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. |
+| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 |
+| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 |
+| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/charts/janssen/charts/config/templates/_helpers.tpl b/charts/janssen/charts/config/templates/_helpers.tpl
new file mode 100644
index 00000000000..3d589814438
--- /dev/null
+++ b/charts/janssen/charts/config/templates/_helpers.tpl
@@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{- if index .Values "global" "client-api" "enabled"}} +{{ $newList = append $newList ("client-api" |quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/config/templates/clusterrolebinding.yaml b/charts/janssen/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 00000000000..2fbae1fc786 --- /dev/null +++ b/charts/janssen/charts/config/templates/clusterrolebinding.yaml 
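Review bot: `config.usr-envs` renders `value: {{ $val }}` without quoting, so a user env whose value YAML parses as a non-string (`true`, `8080`, `1.0`) produces a container `env[].value` that the API server rejects, because that field must be a string. Quoting the interpolation, `  value: {{ $val | quote }}`, makes every user-supplied value a string regardless of how it was typed in values. The same unquoted form appears in the ConfigMap branch of user-custom-envs.yaml in this commit (`{{ $key }}: {{ $val }}`), where ConfigMap `data` values are likewise required to be strings; the Secret branches are unaffected because they go through `b64enc`.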
@@ -0,0 +1,47 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/janssen/charts/config/templates/configmaps.yaml b/charts/janssen/charts/config/templates/configmaps.yaml new file mode 100644 index 00000000000..5c92762a867 --- /dev/null +++ b/charts/janssen/charts/config/templates/configmaps.yaml 
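Review bot: The first ClusterRoleBinding grants `cluster-admin` to a hard-coded placeholder subject `name: "ACCOUNT"` and is rendered unconditionally, so every install creates a cluster-wide admin binding for a principal the chart cannot know, and the second binds the `edit` ClusterRole to the namespace's `default` ServiceAccount through a ClusterRoleBinding, which applies in every namespace. Neither grant is needed by what the commit shows: the chart's own Role in roles.yaml covers configmaps and secrets in the release namespace, and the embedded tls_generator.py only reads, patches and creates Secrets. Drop the placeholder binding or gate it behind an explicit, unset-by-default value (`{{- if .Values.clusterAdminAccount }}` … `name: {{ .Values.clusterAdminAccount | quote }}`; value name illustrative), and either remove the `edit` binding in favour of rolebinding.yaml or make it a namespaced `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` in its metadata.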
@@ -0,0 +1,382 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if eq .Values.global.configSecretAdapter "google" }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_SECRET_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnSecretGoogleSecretVersionId | quote }} + CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE: {{ .Values.configmap.cnGoogleSecretManagerPassPhrase | quote }} + CN_SECRET_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnSecretGoogleSecretNamePrefix | quote }} + CN_CONFIG_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnConfigGoogleSecretVersionId | quote }} + 
CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnConfigGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_SQL_PASSWORD_FILE: {{ .Values.configmap.cnSqlPasswordFile }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + {{- if not .Values.global.jackrabbit.enabled }} + CN_DOCUMENT_STORE_TYPE: LOCAL + {{- else }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.configmap.cnDocumentStoreType | quote }} + {{- end }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" 
"persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | squote + }} + {{- if index .Values "global" "client-api" "enabled" }} + CN_CLIENT_API_SERVER_URL: {{ cat ( index .Values "global" "client-api" "clientApiServerServiceName" ) ":8443" | quote | nospace }} + CN_CLIENT_API_BIND_IP_ADDRESSES: {{ .Values.configmap.cnClientApiBindIpAddresses | quote }} + CN_CLIENT_API_APP_LOGGERS: {{ index .Values "global" "client-api" "appLoggers" + | toJson + | replace "clientApiLogTarget" "client_api_log_target" + | replace "clientApiLogLevel" "client_api_log_level" + | squote + }} + {{- end }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType 
"couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_CERT_FILE: {{ .Values.configmap.cnCouchbaseCertFile | quote }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.configmap.cnCouchbasePasswordFile | quote }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.configmap.cnCouchbaseSuperUserPasswordFile | quote }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + CN_SSL_CERT_FROM_SECRETS: "true" + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . 
}}-service + CN_PERSISTENCE_LDAP_MAPPING: {{ .Values.configmap.cnPersistenceLdapMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_CLIENT_API_APPLICATION_CERT_CN: {{ .Values.configmap.cnClientApiApplicationCertCn | quote }} + CN_CLIENT_API_ADMIN_CERT_CN: {{ .Values.configmap.cnClientApiAdminCertCn | quote }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | 
replace "persistenceLogLevel" "persistence_log_level" + | squote + }} + {{- end }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if janssen secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from janssen secrets + """ + ssl_cert = None + ssl_key = None + if 
core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . 
| indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Janssen Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.jans.io") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") 
+ time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/config/templates/load-init-config.yml b/charts/janssen/charts/config/templates/load-init-config.yml new file mode 100644 index 00000000000..d46312e2d5f --- /dev/null +++ b/charts/janssen/charts/config/templates/load-init-config.yml 
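Review bot: `get_certs` in the embedded tls_generator.py does not handle a missing secret: `read_namespaced_secret` raises `client.rest.ApiException` on a 404 rather than returning a falsy value, so the `if core_cli.read_namespaced_secret(...)` guard never takes its false branch and the exception propagates out of `main()`, failing the Job's `/usr/bin/python3 /scripts/tls_generator.py` step instead of reaching the `logger.error` branch. The same function also issues three identical API reads and raises `KeyError` when `ssl_cert` or `ssl_key` is absent from `data`; reading once inside a `try`, mapping a 404 to `(None, None)` and using `dict.get` covers all three. Separately, updatelbip.py's `open('/etc/hosts', 'r').readlines()` never closes the file; `with open('/etc/hosts', 'r') as f: host_file = f.readlines()` is the fix there.
```python
def get_certs(secret_name, namespace):
    """Return (ssl_cert, ssl_key) from the named secret, or (None, None) if it does not exist."""
    try:
        data = core_cli.read_namespaced_secret(secret_name, namespace).data or {}
    except client.rest.ApiException as e:
        if e.status == 404:
            logger.warning("Secret %s not found in namespace %s", secret_name, namespace)
            return None, None
        raise
    return data.get('ssl_cert'), data.get('ssl_key')
```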
@@ -0,0 +1,104 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: 120 + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . 
}}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/janssen/charts/config/templates/rolebinding.yaml b/charts/janssen/charts/config/templates/rolebinding.yaml new file mode 100644 index 00000000000..04bcdb6f777 --- /dev/null +++ b/charts/janssen/charts/config/templates/rolebinding.yaml 
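Review bot: The container's `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`; it does not set `allowPrivilegeEscalation: false` or drop capabilities, so the Job pod will not satisfy the Pod Security `restricted` profile and a setuid binary in the image could still gain privileges. Add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the existing `securityContext`, plus `seccompProfile: {type: RuntimeDefault}` where the target clusters support it. The pod also has no `serviceAccountName`, so it runs as the namespace's `default` ServiceAccount, which is the account the RBAC in rolebinding.yaml is bound to; a dedicated account declared here would keep those grants confined to this Job.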
@@ -0,0 +1,25 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/janssen/charts/config/templates/roles.yaml b/charts/janssen/charts/config/templates/roles.yaml new file mode 100644 index 00000000000..dce45119e2e --- /dev/null +++ b/charts/janssen/charts/config/templates/roles.yaml 
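Review bot: The subject is written as `kind: User` with `name: system:serviceaccount:{{ .Release.Namespace }}:default`; this resolves because Kubernetes maps service accounts to that user name, but it is easy to misread and RBAC has a first-class form for it, `- kind: ServiceAccount` / `  name: default` / `  namespace: {{ .Release.Namespace }}`, with no `apiGroup`. More importantly the binding targets the namespace's `default` ServiceAccount, which every other pod in the namespace without an explicit `serviceAccountName` also uses, so the `list`, `watch`, `update` and `delete` rights on Secrets granted by roles.yaml in this commit extend beyond the config Job; a dedicated ServiceAccount for the Job would confine them. The verb list in roles.yaml is also wider than what the embedded tls_generator.py exercises (get, patch, create on Secrets); what the configurator image's `entrypoint.sh load` itself needs is not visible here, so any trimming should be checked against it.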
@@ -0,0 +1,21 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/janssen/charts/config/templates/secrets.yaml b/charts/janssen/charts/config/templates/secrets.yaml new file mode 100644 index 00000000000..c5eceb821e2 --- /dev/null +++ b/charts/janssen/charts/config/templates/secrets.yaml 
@@ -0,0 +1,102 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . 
| fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} 
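Review bot: `generate.json` embeds `adminPassword`, `ldapPassword`, `redisPassword` and `configmap.cnSqldbUserPassword` straight from values, and the README table in this same commit lists shipped defaults for three of them (`"P@ssw0rds"`, `"P@assw0rd"`, `"Test1234#"`), so an install that does not override them gets well-known credentials without any render-time error. Removing those defaults from values.yaml and wrapping each field with `required`, e.g. `"admin_pw": {{ required "adminPassword must be set" .Values.adminPassword | quote }},`, turns the omission into a failed render. Also, `"optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}` prints a Go slice, which renders as `[redis,sql]` rather than a JSON array of strings; if the configurator parses generate.json as strict JSON this needs `| toJson` on a real list instead of `list`, which cannot be confirmed from the hunk.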
diff --git a/charts/janssen/charts/config/templates/service.yaml b/charts/janssen/charts/config/templates/service.yaml new file mode 100644 index 00000000000..da5dedf8914 --- /dev/null +++ b/charts/janssen/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/config/templates/user-custom-envs.yaml b/charts/janssen/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 00000000000..7443f69c981 --- /dev/null +++ b/charts/janssen/charts/config/templates/user-custom-envs.yaml 
@@ -0,0 +1,66 @@
+{{ if .Values.global.usrEnvs.secret }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
+{{ if .Values.global.usrEnvs.normal }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.normal }}
+ {{ $key }}: {{ $val }}
+ {{- end}}
+{{- end}}
+{{ if .Values.usrEnvs.secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
diff --git a/charts/janssen/charts/config/values.yaml b/charts/janssen/charts/config/values.yaml
new file mode 100644
index 00000000000..501124acfec
--- /dev/null
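Review bot: The ConfigMap branch renders `{{ $key }}: {{ $val }}` unquoted, but Kubernetes requires every `data` value of a ConfigMap to be a string, so a user env such as `8080`, `true` or `yes` is emitted as a YAML int/bool (YAML 1.1 also coerces `yes`/`no`/`on`/`off`) and the API server rejects the object or stores something other than what the user typed; `{{ $key }}: {{ $val | quote }}` fixes it. The same unquoted interpolation appears in `fido2/templates/_helpers.tpl` (`value: {{ $val }}` in `fido2.usr-envs`), where an env `value` must likewise be a string. The Secret branches are unaffected because `b64enc` always yields a string.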
+++ b/charts/janssen/charts/config/values.yaml 
@@ -0,0 +1,192 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# Required environment variables for generating Janssen server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: jans + # -- SQL database username. + cnSqlDbUser: jans + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password file holding password from config.configmap.cnSqldbUserPassword . + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- SQL password injected as config.configmap.cnSqlPasswordFile . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api . + cnClientApiAdminCertCn: client-api + # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api. + cnClientApiApplicationCertCn: client-api + # -- Client-api bind address. This limits what ip ranges can access the client-api. 
This should be left as * and controlled by a NetworkPolicy + cnClientApiBindIpAddresses: "*" + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Janssen. + cnCouchbaseBucketPrefix: jans + # -- Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. + cnCouchbaseCertFile: /etc/certs/couchbase.crt + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password + cnCouchbasePasswordFile: /etc/janssen/conf/couchbase_password + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. 
The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. + cnCouchbaseSuperUserPasswordFile: /etc/janssen/conf/couchbase_superuser_password + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbjanssen.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: janssen + # -- Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. + cnDocumentStoreType: JCA + # -- Jackrabbit admin uid. + cnJackrabbitAdminId: admin + # -- The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id. + cnJackrabbitAdminIdFile: /etc/janssen/conf/jackrabbit_admin_id + # -- The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password. + cnJackrabbitAdminPasswordFile: /etc/janssen/conf/jackrabbit_admin_password + # -- Jackrabbit postgres database name. + cnJackrabbitPostgresDatabaseName: jackrabbit + # -- Postgres url + cnJackrabbitPostgresHost: postgresql.postgres.svc.cluster.local + # -- The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password. 
+ cnJackrabbitPostgresPasswordFile: /etc/janssen/conf/postgres_password + # -- Jackrabbit Postgres port + cnJackrabbitPostgresPort: 5432 + # -- Jackrabbit Postgres uid + cnJackrabbitPostgresUser: jackrabbit + # -- Interval between files sync (default to 300 seconds). + cnJackrabbitSyncInterval: 300 + # -- Jackrabbit internal url. Normally left as default. + cnJackrabbitUrl: "http://jackrabbit:8080" + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Janssen secret in Google Secret Manager. Defaults to janssen. If left janssen-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnSecretGoogleSecretNamePrefix: janssen + # -- Passphrase for Janssen secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: janssen + # [google_secret_manager_envs] END + # [google_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Boolean flag to enable/disable passport chart + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + cnPersistenceLdapMapping: default + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. 
+ cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Enable SAML-related features; UI menu, etc. + cnSamlEnabled: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@jans.io +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Janssen +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. 
+state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/janssen/charts/fido2/.helmignore b/charts/janssen/charts/fido2/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/charts/janssen/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/janssen/charts/fido2/Chart.yaml b/charts/janssen/charts/fido2/Chart.yaml new file mode 100644 index 00000000000..f25e955b473 --- /dev/null +++ b/charts/janssen/charts/fido2/Chart.yaml 
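Review bot: `adminPassword`, `cnSqldbUserPassword`, `cnCouchbasePassword`, `cnCouchbaseSuperUserPassword`, `cnGoogleSecretManagerPassPhrase`, `ldapPassword` and `redisPassword` all ship with working literal defaults (`Test1234#`, `P@ssw0rd`, `P@ssw0rds`, `P@assw0rd`), so a release installed without overrides runs with credentials published in the chart and rendered straight into Secrets (the config secrets template earlier in this diff does `password: {{ .Values.ldapPassword | b64enc }}`). Shipping them empty and failing the render when unset, e.g. `password: {{ required "ldapPassword must be set" .Values.ldapPassword | b64enc }}`, makes the operator choose a value instead of silently keeping the default; at minimum the `# --` descriptions should say the value must be overridden. `cnCouchbaseCrt` and `cnGoogleSecretManagerServiceAccount` reuse the same placeholder base64 string, which is fine as a placeholder but worth labelling as such in the description. The stray `# -- Boolean flag to enable/disable passport chart` line above `cnPersistenceLdapMapping` has no key under it and should be removed so helm-docs does not attach it to the wrong value.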
@@ -0,0 +1,23 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v2
+name: fido2
+version: 1.0.0-beta.14
+kubeVersion: ">=v1.21.0-0"
+description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
+type: application
+keywords:
+ - fido2
+ - u2f
+home: https://jans.io/
+sources:
+ - https://jans.io/
+ - https://github.com/JanssenProject/jans/jans-fido2
+ - https://github.com/JanssenProject/jans/docker-jans-fido2
+ - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/fido2
+maintainers:
+ - name: Mohammad Abudayyeh
+ email: support@jans.io
+ url: https://github.com/moabu
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+appVersion: "1.0.0"
diff --git a/charts/janssen/charts/fido2/README.md b/charts/janssen/charts/fido2/README.md
new file mode 100644
index 00000000000..9bfba7bcd45
--- /dev/null
+++ b/charts/janssen/charts/fido2/README.md
@@ -0,0 +1,61 @@ +# fido2 + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/fido2/templates/_helpers.tpl b/charts/janssen/charts/fido2/templates/_helpers.tpl new file mode 100644 index 00000000000..0d9982eade4 --- /dev/null +++ b/charts/janssen/charts/fido2/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fido2.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fido2.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fido2.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "fido2.labels" -}}
+app: {{ .Release.Name }}-{{ include "fido2.name" . }}
+helm.sh/chart: {{ include "fido2.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "fido2.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "fido2.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
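Review bot: `fido2.fullname` reads `.Values.fullnameOverride`, while the config subchart's values.yaml in this same diff declares the key as `fullNameOverride` (capital N); if fido2's values.yaml (not in this chunk) follows the same spelling, the override is silently ignored because a missing key renders as empty and the `if` falls through to the release-name path. Align the two, e.g. `{{- if .Values.fullNameOverride -}}` / `{{- .Values.fullNameOverride | trunc 63 | trimSuffix "-" -}}`, or rename the values key, and add a one-line comment above the define naming the values key it honours so the mismatch is caught next time. The `Common labels` comment block has an inconsistent leading space compared with the other `{{/* ... */}}` headers in the file.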
diff --git a/charts/janssen/charts/fido2/templates/deployment.yml b/charts/janssen/charts/fido2/templates/deployment.yml new file mode 100644 index 00000000000..3b2d2414263 --- /dev/null +++ b/charts/janssen/charts/fido2/templates/deployment.yml 
@@ -0,0 +1,137 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . 
| indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + 
{{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/janssen/charts/fido2/templates/fido2-destination-rules.yaml b/charts/janssen/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 00000000000..19bfedf1954 --- /dev/null +++ b/charts/janssen/charts/fido2/templates/fido2-destination-rules.yaml 
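Review bot: The container `securityContext` sets `runAsUser: 1000` and `runAsNonRoot: true` but leaves privilege escalation and Linux capabilities at their defaults, so the pod fails the restricted Pod Security Standard and keeps capabilities a Jetty service listening on 8080 does not appear to need; adding `allowPrivilegeEscalation: false` and dropping all capabilities tightens this, provided the image does not rely on setuid binaries (the `command` override runs only `python3` and the entrypoint script, which suggests it does not). The condition `and (not .Values.global.isFqdnRegistered) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local"))` is repeated three times in this template (command, volumeMounts, volumes); binding it once at the top, e.g. `{{- $updateLbIp := and (not .Values.global.isFqdnRegistered) (or ...) }}`, keeps the three sites from drifting. `.Values.global.cloud.testEnviroment` reads like a misspelling of "environment"; if the parent values file spells it that way it works, but it is worth confirming since a mismatched key silently evaluates to false.

```yaml
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        # … unchanged: env, command, ports, envFrom, volumeMounts, probes …
```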
@@ -0,0 +1,24 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-fido2-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/fido2/templates/fido2-virtual-services.yaml b/charts/janssen/charts/fido2/templates/fido2-virtual-services.yaml
new file mode 100644
index 00000000000..f490549c002
--- /dev/null
+++ b/charts/janssen/charts/fido2/templates/fido2-virtual-services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.istio.ingress }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-fido2-configuration
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+ http:
+ - name: {{ .Release.Name }}-istio-fido2-configuration
+ match:
+ - uri:
+ prefix: /.well-known/fido2-configuration
+ rewrite:
+ uri: /fido2/restv1/fido2/configuration
+ route:
+ - destination:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+{{- end }}
diff --git a/charts/janssen/charts/fido2/templates/hpa.yaml b/charts/janssen/charts/fido2/templates/hpa.yaml
new file mode 100644
index 00000000000..ecb1f92f4ea
--- /dev/null
+++ b/charts/janssen/charts/fido2/templates/hpa.yaml
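Review bot: The destination port is hard-coded as `number: 8080` while `service.yml` in this same diff publishes the fido2 Service on `.Values.service.port`, so anyone who changes `service.port` breaks the well-known route without any render error; `number: {{ .Values.service.port }}` keeps the two in step. The `prefix: /.well-known/fido2-configuration` match also accepts any longer path starting with that string and, because `rewrite` substitutes the matched prefix, forwards the remainder to the backend; if only the single discovery document is meant to be reachable here, `exact: /.well-known/fido2-configuration` is the tighter match. The Istio `v1alpha3` API still works, but `networking.istio.io/v1beta1` is the current stable group for VirtualService and DestinationRule and is worth using in a new chart.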
@@ -0,0 +1,39 @@
+{{ if .Values.hpa.enabled -}}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "fido2.fullname" . }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "fido2.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/fido2/templates/service.yml b/charts/janssen/charts/fido2/templates/service.yml
new file mode 100644
index 00000000000..b413c18bb45
--- /dev/null
+++ b/charts/janssen/charts/fido2/templates/service.yml
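Review bot: The template declares `apiVersion: autoscaling/v1` but emits `metrics:` and `behavior:` in the `else if .Values.hpa.metrics` and `if .Values.hpa.behavior` branches; those fields exist only in `autoscaling/v2beta2` (available from the chart's `kubeVersion` floor of 1.21) and `autoscaling/v2` (1.23+), so under v1 they are pruned or rejected and the documented `hpa.metrics` / `hpa.behavior` values never take effect. Moving to `autoscaling/v2beta2` fixes that, but v2 has no `targetCPUUtilizationPercentage`, so the CPU branch must be expressed as a `Resource` metric as below. The same `apiVersion`/field mismatch is likely present in the sibling subcharts' `hpa.yaml` files listed in the diffstat, which are outside this chunk.

```yaml
apiVersion: autoscaling/v2beta2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  # … unchanged: custom metrics and behavior blocks …
```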
@@ -0,0 +1,31 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.fido2.fido2ServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/janssen/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/fido2/templates/user-custom-secret-envs.yaml
new file mode 100644
index 00000000000..0afee918512
--- /dev/null
+++ b/charts/janssen/charts/fido2/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,23 @@
+{{ if .Values.usrEnvs.secret }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
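Review bot: In the Secret hunk, `{{ $key }}: {{ $val | b64enc }}` inside the `data:` range fails to render as soon as a value under `usrEnvs.secret` is not a string (a numeric or boolean value reaches `b64enc` as an int/bool and the template engine raises a type error), so coerce first: `{{ $key }}: {{ $val | toString | b64enc }}`, or emit `stringData:` and skip the encoding entirely. The same `user-custom-secret-envs.yaml` exists in the other subcharts listed in the diffstat; if they use the same line, apply the fix there too. The Secret also omits `namespace:` while the Service hunk on this line sets it from `.Release.Namespace` — harmless under Helm but inconsistent within the subchart.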
diff --git a/charts/janssen/charts/fido2/values.yaml b/charts/janssen/charts/fido2/values.yaml
new file mode 100644
index 00000000000..28fba970645
--- /dev/null
+++ b/charts/janssen/charts/fido2/values.yaml
@@ -0,0 +1,86 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
+
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/fido2
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+service:
+ # -- The name of the fido2 port within the fido2 service. Please keep it as default.
+ name: http-fido2
+ # -- Port of the fido2 service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the fido2 if needed.
+livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the fido2 if needed.
+readinessProbe:
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
diff --git a/charts/janssen/charts/nginx-ingress/.helmignore b/charts/janssen/charts/nginx-ingress/.helmignore
new file mode 100644
index 00000000000..f0c13194444
--- /dev/null
+++ b/charts/janssen/charts/nginx-ingress/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/janssen/charts/nginx-ingress/Chart.yaml b/charts/janssen/charts/nginx-ingress/Chart.yaml
new file mode 100644
index 00000000000..c0de3664973
--- /dev/null
+++ b/charts/janssen/charts/nginx-ingress/Chart.yaml
@@ -0,0 +1,22 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v2
+name: nginx-ingress
+version: 1.0.0-beta.14
+kubeVersion: ">=v1.21.0-0"
+description: Nginx ingress definitions chart
+type: application
+keywords:
+ - nginx
+ - ingress
+home: https://jans.io
+sources:
+ - https://github.com/kubernetes/ingress-nginx
+ - https://kubernetes.io/docs/concepts/services-networking/ingress/
+ - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/nginx-ingress
+maintainers:
+ - name: Mohammad Abudayyeh
+ email: support@jans.io
+ url: https://github.com/moabu
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+appVersion: "1.0.0"
diff --git a/charts/janssen/charts/nginx-ingress/README.md b/charts/janssen/charts/nginx-ingress/README.md
new file mode 100644
index 00000000000..c7e31b9639a
--- /dev/null
+++ b/charts/janssen/charts/nginx-ingress/README.md
@@ -0,0 +1,68 @@ +# nginx-ingress + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress.additionalAnnotations | object | `{}` | | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.adminUiEnabled | bool | `true` | Enable Admin UI endpoints. COMING SOON. | +| ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| ingress.annotations | object | `{}` | | +| ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.authServerProtectedRedisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register | +| ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token | +| ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. 
key app is taken | +| ingress.configApiEnabled | bool | `true` | | +| ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.hosts[0] | string | `"demoexample.jans.io"` | | +| ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.path | string | `"/"` | | +| ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.tls[0].hosts[0] | string | `"demoexample.jans.io"` | | +| ingress.tls[0].secretName | string | `"tls-certificate"` | | +| ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. 
key app is taken | +| nameOverride | string | `""` | | +| service.port | int | `8080` | | +| service.type | string | `"ClusterIP"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/nginx-ingress/templates/_helpers.tpl b/charts/janssen/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 00000000000..7b38455692b --- /dev/null +++ b/charts/janssen/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/janssen/charts/nginx-ingress/templates/ingress.yaml b/charts/janssen/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 00000000000..0a7007bf0b7 --- /dev/null +++ b/charts/janssen/charts/nginx-ingress/templates/ingress.yaml 
@@ -0,0 +1,749 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +{{ if .Values.ingress.adminUiEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin(|$)(.*) + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.openidConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/openid-configuration /jans-auth/.well-known/openid-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.uma2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/uma2-configuration /jans-auth/restv1/uma2-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.webfingerEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/webfinger /jans-auth/.well-known/webfinger$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.webdiscoveryEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/simple-web-discovery /jans-auth/.well-known/simple-web-discovery$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.scimConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/scim-configuration /jans-scim/restv1/scim-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.scimEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-jans-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.configApiEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-jans-config-api + labels: + app: {{ $fullName }}-jans-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.u2fConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido-configuration /jans-auth/restv1/fido-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido2-configuration /jans-fido2/restv1/configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.authServerEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.authServerProtectedToken -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.authServerProtectedRegister -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/janssen/charts/nginx-ingress/values.yaml b/charts/janssen/charts/nginx-ingress/values.yaml new file mode 100644 index 00000000000..5d24bc6e14a --- /dev/null +++ b/charts/janssen/charts/nginx-ingress/values.yaml 
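Review bot: The client-certificate gate in the `authServerProtectedToken` and `authServerProtectedRegister` ingresses (`configuration-snippet` with `if ($ssl_client_verify != SUCCESS) {return 403;}`) applies only to the two `Exact` locations, while the `authServerEnabled` ingress earlier in this hunk still publishes the whole `/jans-auth` prefix to the same service with no check and without clearing a client-supplied `X-ClientCert` header, so requests that do not match the exact path may still be routed to the same backend ungated and the backend cannot treat `X-ClientCert` as trustworthy. When either protected flag is enabled, the `/jans-auth` ingress should carry the same verify snippet (or at minimum `proxy_set_header X-ClientCert "";`), and the protected ingresses need `nginx.ingress.kubernetes.io/auth-tls-secret` plus `nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"` so that `$ssl_client_verify` is actually populated — unless the operator supplies those via `*AdditionalAnnotations`, the variable stays `NONE` and every request is refused. The snippet annotation is also emitted after the `additionalAnnotations` block, so a user-supplied key of the same name yields a duplicate YAML key rather than an override; and `$ingressPath` is assigned but never used in any of the fourteen ingresses, while `kubernetes.io/ingress.class` is the deprecated form of `spec.ingressClassName` on networking.k8s.io/v1.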
@@ -0,0 +1,74 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# Default values for nginx-ingress. +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 8080 +ingress: + # -- Enable Admin UI endpoints. COMING SOON. + adminUiEnabled: true + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- fido2 config ingress resource labels. 
key app is taken + fido2ConfigLabels: { } + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token + authServerProtectedToken: false + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register + authServerProtectedRegister: false + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRedisterLabels: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # in the format of {cert-manager.io/cluster-issuer: nameOfClusterIssuer, kubernetes.io/tls-acme: "true"} + additionalAnnotations: {} + annotations: {} + path: / + hosts: + - demoexample.jans.io + tls: + - secretName: tls-certificate + hosts: + - demoexample.jans.io diff --git a/charts/janssen/charts/opendj/.helmignore b/charts/janssen/charts/opendj/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/charts/janssen/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/janssen/charts/opendj/Chart.yaml b/charts/janssen/charts/opendj/Chart.yaml new file mode 100644 index 00000000000..20bf05deedb --- /dev/null +++ b/charts/janssen/charts/opendj/Chart.yaml 
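Review bot: The labels key for the protected register ingress is misspelled in values.yaml, `authServerProtectedRedisterLabels: { }`, while the template reads `.Values.ingress.authServerProtectedRegisterLabels`, so any labels an operator sets under the documented key are silently never rendered. Rename it to `authServerProtectedRegisterLabels: { }` and fix its description, which currently repeats the token one, e.g. `# -- Auth server protected register ingress resource labels. key app is taken`; the comment above `authServerProtectedRegister` also reads `mTLS onn`, and `scimConfigLabels` carries the webdiscovery description. The defaults `hosts: - demoexample.jans.io` and `secretName: tls-certificate` are placeholders that every real install must override; a `# -- ` helm-docs comment saying so would make that visible in the generated README.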
@@ -0,0 +1,21 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v2 +name: opendj +version: 1.0.0-beta.14 +kubeVersion: ">=v1.21.0-0" +description: OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +type: application +keywords: + - LDAP + - OpenDJ +home: https://jans.io +sources: + - https://github.com/JanssenFederation/docker-opendj + - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/opendj +maintainers: + - name: Mohammad Abudayyeh + email: support@jans.io + url: https://github.com/moabu +icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png +appVersion: "1.0.0" \ No newline at end of file diff --git a/charts/janssen/charts/opendj/README.md b/charts/janssen/charts/opendj/README.md new file mode 100644 index 00000000000..4a897ba2404 --- /dev/null +++ b/charts/janssen/charts/opendj/README.md 
@@ -0,0 +1,78 @@ +# opendj + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenfederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"1.0.0_dev"` | Image tag to use for deploying. | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/JanssenFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| multiCluster.clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. | +| multiCluster.enabled | bool | `false` | Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` | +| multiCluster.namespaceIntId | int | `0` | Namespace int id. This id needs to be a unique number 0-9 per janssen installation per namespace. Used when janssen is installed in the same kubernetes cluster more than once. | +| multiCluster.replicaCount | int | `1` | The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-CLUSTERID-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of janssen, the address of the pod would be janssen-opendj-regional-0-regional.janssen.org | +| multiCluster.serfAdvertiseAddrSuffix | string | `"regional.janssen.org:30946"` | OpenDJ Serf advertise address suffix that will be added to each opendj replica. 
i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} | +| multiCluster.serfKey | string | `"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk="` | Serf key. This key will automatically sync across clusters. | +| multiCluster.serfPeers | list | `["janssen-opendj-regional-0-regional.janssen.org:30946","janssen-opendj-regional-0-regional.janssen.org:31946"]` | Serf peer addresses. One per cluster. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | 
`{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/JanssenFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/opendj/templates/_helpers.tpl b/charts/janssen/charts/opendj/templates/_helpers.tpl new file mode 100644 index 00000000000..7ec959c4df0 --- /dev/null +++ b/charts/janssen/charts/opendj/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
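Review bot: `opendj.usr-envs` renders `value: {{ $val }}` unquoted, so a user-supplied env value such as `true`, `123` or `on` is emitted as a YAML boolean/number and the API server rejects the pod, because `env[].value` must be a string. Quote it: `value: {{ $val | quote }}`. `opendj.usr-secret-envs` references `{{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs`; the Secret that should provide it lives in `user-custom-secret-envs.yaml`, whose hunk is not in this view, so the name match is not verified here.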
diff --git a/charts/janssen/charts/opendj/templates/configmaps.yaml b/charts/janssen/charts/opendj/templates/configmaps.yaml
new file mode 100644
index 00000000000..59b2d6aa3b3
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/configmaps.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.multiCluster.enabled }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-serf-peers
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ serf-peers-static.json: |
+ {{ .Values.multiCluster.serfPeers | toJson }}
+{{- end }}
diff --git a/charts/janssen/charts/opendj/templates/cronjobs.yaml b/charts/janssen/charts/opendj/templates/cronjobs.yaml
new file mode 100644
index 00000000000..4486beebde1
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/cronjobs.yaml
@@ -0,0 +1,101 @@ +{{- if .Values.backup.enabled }} +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +kind: CronJob +apiVersion: batch/v1beta1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Janssen was installed. This is normally cn. + # Found in Janssen chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Janssen was installed. This is normally cn. + # Found in Janssen chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Janssen was installed. This is normally cn. 
+ # Found in Janssen chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + {{- if .Values.multiCluster.enabled }} + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port "304{{$.Values.multiCluster.namespaceIntId}}0" --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + {{- else }} + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + {{- end }} + restartPolicy: Never +{{- end }} \ No newline at end of file 
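Review bot: `apiVersion: batch/v1beta1` for the CronJob is deprecated from Kubernetes 1.21 and removed in 1.25, while `Chart.yaml` pins `kubeVersion: ">=v1.21.0-0"`, where `batch/v1` is already served; change it to `apiVersion: batch/v1`. The template is gated on `.Values.backup.enabled` and reads `.Values.backup.cronJobSchedule`, but the opendj README values table on this page (generated from values.yaml) lists no `backup` key, so rendering presumably fails with a nil-pointer error until a `backup:` default is added to values.yaml. The backup command passes the bind password on the command line, `--bindPassword "$LDAP_PASSWORD"`, where it is readable in the container's process list, and `--trustAll` skips verification of the server certificate on the admin connection; OpenDJ tools accept `--bindPasswordFile`, so mounting the `{{ .Release.Name }}-ldap-cron-pass` Secret as a file and passing that path keeps the password out of argv. The fixed `sleep 300` before `export-ldif` replaces the commented-out readiness loop above `command:`, so a slow start means exporting from a server that is not up yet; a bounded poll on the `server.out` marker would be more robust. `GLUU_MAX_RAM_PERCENTAGE` and `GLUU_JAVA_OPTIONS` keep the Gluu prefix in a Janssen chart, so it is worth confirming the config map still supplies them.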
diff --git a/charts/janssen/charts/opendj/templates/hpa.yaml b/charts/janssen/charts/opendj/templates/hpa.yaml
new file mode 100644
index 00000000000..900f6699679
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/hpa.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "opendj.fullname" . }}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: StatefulSet
+ name: {{ include "opendj.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/opendj/templates/opendj-destination-rules.yaml b/charts/janssen/charts/opendj/templates/opendj-destination-rules.yaml
new file mode 100644
index 00000000000..e5c4f49167e
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/opendj-destination-rules.yaml
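Review bot: `apiVersion: autoscaling/v1` has no `metrics:` or `behavior:` fields, yet both are rendered below `maxReplicas`; only `targetCPUUtilizationPercentage` exists in v1, so any `hpa.metrics` or `hpa.behavior` values are dropped or rejected under strict validation. Use `apiVersion: autoscaling/v2` (stable from 1.23; `autoscaling/v2beta2` on 1.21/1.22), where the CPU target is itself a `metrics` resource entry. Separately, the README on this page shows `hpa.enabled` defaulting to `true` while this HPA scales the OpenDJ StatefulSet; adding and removing directory replicas on CPU load changes the replication topology, which nothing in the chart reconciles, so defaulting `hpa.enabled` to `false` for this subchart would be safer.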
@@ -0,0 +1,25 @@
+{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-ldap-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/opendj/templates/secrets.yaml b/charts/janssen/charts/opendj/templates/secrets.yaml
new file mode 100644
index 00000000000..f0e09d9f038
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/secrets.yaml
@@ -0,0 +1,20 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+{{- if .Values.multiCluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-serf-key
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ serf-key: {{ .Values.multiCluster.serfKey | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/opendj/templates/service.yaml b/charts/janssen/charts/opendj/templates/service.yaml
new file mode 100644
index 00000000000..831a64385cf
--- /dev/null
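Review bot: `serf-key: {{ .Values.multiCluster.serfKey | b64enc }}` in secrets.yaml renders whatever values.yaml holds, and the opendj README on this page documents a fixed default (`Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=`), so every multi-cluster install that does not override it shares the same gossip encryption key that is published with the chart. Require an operator-supplied value instead, `serf-key: {{ required "multiCluster.serfKey must be set" .Values.multiCluster.serfKey | b64enc }}`, or generate one per release with `randAlphaNum 32 | b64enc` guarded by a `lookup` of the existing Secret so upgrades keep the key stable. The DestinationRule hunk above only applies when `global.istio.enabled` is set and covers in-mesh traffic to the LDAP Service host; the cross-cluster serf and replication traffic presumably travels outside the mesh, so the serf key is the only protection on that path and deserves a comment saying so.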
+++ b/charts/janssen/charts/opendj/templates/service.yaml 
@@ -0,0 +1,114 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ range $k, $v := until ( .Values.multiCluster.replicaCount | int ) }} +--- +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + {{- if $.Values.multiCluster.enabled }} + name: {{ $.Values.global.opendj.ldapServiceName }}-regional-{{$v}} + {{- else }} + name: {{ $.Values.global.opendj.ldapServiceName }} + {{- end }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- end }} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- if $.Values.multiCluster.enabled }} + - port: 1636 + name: tcp-ldaps + targetPort: 1636 + protocol: TCP + nodePort: 306{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + name: tcp-replication + targetPort: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + protocol: TCP + nodePort: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + name: tcp-admin + targetPort: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + nodePort: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + protocol: TCP + - port: 7946 + name: tcp-serf + targetPort: 7946 + protocol: TCP + nodePort: 307{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 7946 + name: udp-serf + targetPort: 7946 + protocol: UDP + nodePort: 307{{$.Values.multiCluster.namespaceIntId}}{{$v}} + type: NodePort + {{- else }} + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + 
targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + {{- end }} + selector: + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} +{{- end }} +{{- if .Values.multiCluster.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.opendj.ldapServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "opendj.labels" . | indent 4}} +spec: + ports: + - port: 1636 + name: tcp-ldaps + targetPort: 1636 + protocol: TCP + - port: 1389 + name: tcp-ldap + targetPort: 1389 + protocol: TCP + - port: 8989 + name: tcp-replication + targetPort: 8989 + protocol: TCP + - port: 4444 + name: tcp-admin + targetPort: 4444 + protocol: TCP + - port: 7946 + name: tcp-serf + targetPort: 7946 + protocol: TCP + - port: 7946 + name: udp-serf + targetPort: 7946 + protocol: UDP + clusterIP: None + selector: + app: {{ include "opendj.name" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/janssen/charts/opendj/templates/statefulset.yaml b/charts/janssen/charts/opendj/templates/statefulset.yaml new file mode 100644 index 00000000000..41998ea57dc --- /dev/null +++ b/charts/janssen/charts/opendj/templates/statefulset.yaml 
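Review bot: In multi-cluster mode the nodePorts are built by string concatenation, `nodePort: 306{{$.Values.multiCluster.namespaceIntId}}{{$v}}`, which only stays inside the 30000-32767 range while both `namespaceIntId` and the replica index `$v` are single digits; with `multiCluster.replicaCount` above 10 the rendered value is six digits and the Service is rejected. Either validate the inputs at the top of the template, `{{- if gt ($.Values.multiCluster.replicaCount | int) 10 }}{{ fail "multiCluster.replicaCount must be <= 10" }}{{- end }}`, or compute the ports with `add` from a documented base. This path also publishes LDAPS, the admin port (`304..`), replication and serf on every node's address via `type: NodePort`; the README describes that as the intended cross-cluster transport, but nothing in the chart limits who can reach those ports, so the values documentation should state that they must be restricted at the node firewall or security-group level.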
@@ -0,0 +1,168 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ range $k, $v := until ( .Values.multiCluster.replicaCount | int ) }} +--- +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: StatefulSet +metadata: + {{- if $.Values.multiCluster.enabled }} + name: {{ include "opendj.fullname" $ }}-regional-{{$v}} + {{- else }} + name: {{ include "opendj.fullname" $ }} + {{- end }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- end }} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- if $.Values.multiCluster.enabled }} + app: {{ include "opendj.name" $ }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} + serviceName: {{ include "opendj.name" $ }} + {{- if $.Values.multiCluster.enabled }} + replicas: 1 + {{- else }} + replicas: {{ $.Values.replicas }} + {{- end }} + template: + metadata: + labels: + {{- if $.Values.multiCluster.enabled }} + app: {{ include "opendj.name" $ }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with $.Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ $.Values.dnsPolicy | quote }} + {{- with $.Values.dnsConfig }} + dnsConfig: +{{ toYaml . 
| indent 8 }} + {{- end }} + volumes: + {{- with $.Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if $.Values.multiCluster.enabled }} + - name: serfkey + secret: + secretName: {{ $.Release.Name }}-serf-key + - name: serfpeers + configMap: + name: {{ $.Release.Name }}-serf-peers + {{- end }} + {{- if $.Values.global.upgrade.enabled }} + - name: ox-ldif-cm + configMap: + name: {{ $.Release.Name }}-oxjans + {{- end }} + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + {{- if $.Values.multiCluster.enabled }} + - name: GLUU_SERF_ADVERTISE_ADDR + value: "{{ $.Release.Name }}-opendj-{{$.Values.multiCluster.clusterId}}-regional-{{$v}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}:307{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_ADMIN_PORT + value: "304{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_LDAPS_PORT + value: "306{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_REPLICATION_PORT + value: "309{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + {{- end }} + lifecycle: + preStop: + exec: + command: ["python3", "/app/scripts/deregister_peer.py"] + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + 
subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{- if $.Values.multiCluster.enabled }} + - mountPath: "/etc/janssen/conf/serf-key" + name: serfkey + subPath: serf-key + - mountPath: "/etc/janssen/conf/serf-peers-static.json" + name: serfpeers + subPath: serf-peers-static.json + {{- end }} + {{- if $.Values.global.upgrade.enabled }} + - name: ox-ldif-cm + mountPath: /opt/opendj/config/schema/101-jans.ldif + subPath: 101-jans.ldif + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/janssen/charts/opendj/templates/storageclass.yaml b/charts/janssen/charts/opendj/templates/storageclass.yaml new file mode 100644 index 00000000000..318ccc286f1 --- /dev/null +++ b/charts/janssen/charts/opendj/templates/storageclass.yaml 
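Review bot: `serviceName: {{ include "opendj.name" $ }}` must name the headless Service governing the StatefulSet, but service.yaml names that Service `{{ $.Values.global.opendj.ldapServiceName }}` (the `clusterIP: None` one), so the per-pod DNS records that replication addressing relies on only exist while `global.opendj.ldapServiceName` happens to equal the chart name — presumably true by default, but an override breaks it silently. Use the same expression in both places, `serviceName: {{ $.Values.global.opendj.ldapServiceName }}`. The pod and container specs set no `securityContext` even though the container mounts the serf key and the directory data; a `securityContext` with at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false` is the usual baseline for a directory server pod, assuming the docker-opendj image runs unprivileged. The `GLUU_SERF_ADVERTISE_ADDR` and sibling env names keep the Gluu prefix in a Janssen chart; if the image reads `CN_*` names they are ignored, worth confirming against the image.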
@@ -0,0 +1,59 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: {{ include "opendj.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ storage: opendj
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+ # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted.
+ helm.sh/resource-policy: keep
+ storageclass.beta.kubernetes.io/is-default-class: "false"
+ {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }}
+ openebs.io/cas-type: local
+ cas.openebs.io/config: |
+ - name: StorageType
+ value: hostpath
+ - name: BasePath
+ value: /var/local-hostpath
+ {{- end }}
+provisioner: {{ .Values.global.storageClass.provisioner }}
+{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }}
+parameters:
+{{ toYaml .Values.global.storageClass.parameters | indent 4 }}
+{{- else }}
+parameters:
+ {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }}
+ type: {{ .Values.global.awsStorageType }}
+ fsType: ext4
+ {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }}
+ type: {{ .Values.global.gcePdStorageType }}
+ {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }}
+ storageAccountType: {{ .Values.global.azureStorageAccountType }}
+ kind: {{ .Values.global.azureStorageKind }}
+ {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }}
+ {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }}
+ {{- else }}
+ pool: default
+ fsType: ext4
+ {{- end }}
+{{- end }}
+allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }}
+volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }}
+reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }}
+mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }}
+allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }}
+{{- end }}
diff --git a/charts/janssen/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/opendj/templates/user-custom-secret-envs.yaml
new file mode 100644
index 00000000000..06c22ca035e
--- /dev/null
+++ b/charts/janssen/charts/opendj/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/janssen/charts/opendj/values.yaml b/charts/janssen/charts/opendj/values.yaml
new file mode 100644
index 00000000000..9a8fb386056
--- /dev/null
+++ b/charts/janssen/charts/opendj/values.yaml
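Review bot: `{{ $key }}: {{ $val | b64enc }}` assumes every entry under `usrEnvs.secret` is a string, but a value that YAML types as a number or boolean (`LDAP_PORT: 1636`, `DEBUG: true`) reaches `b64enc` as a non-string and aborts rendering with a type error; `{{ $key }}: {{ $val | toString | b64enc }}` accepts both. The base64 output is already YAML-safe under `data:`, so no further quoting is needed. The sibling charts' `user-custom-secret-envs.yaml` templates in this diff use the same expression.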
@@ -0,0 +1,157 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenfederation/opendj + # -- Image tag to use for deploying. + tag: 1.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] +multiCluster: + # -- Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` + enabled: false + # -- OpenDJ Serf advertise address suffix that will be added to each opendj replica. + # i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + serfAdvertiseAddrSuffix: "regional.janssen.org:30946" + # -- Serf key. This key will automatically sync across clusters. + serfKey: Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk= + # -- Serf peer addresses. One per cluster. 
+ serfPeers: + - "janssen-opendj-regional-0-regional.janssen.org:30946" + - "janssen-opendj-regional-0-regional.janssen.org:31946" + # -- The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows + # the patterm RELEASE-NAME-opendj-CLUSTERID-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + # If set to 1, with a release name of janssen, the address of the pod would be janssen-opendj-regional-0-regional.janssen.org + replicaCount: 1 + # -- This id needs to be unique to each kubernetes cluster in a multi cluster setup + # west, east, south, north, region ...etc If left empty it will be randomly generated. + clusterId: "" + # -- Namespace int id. This id needs to be a unique number 0-9 per janssen installation per namespace. + # Used when janssen is installed in the same kubernetes cluster more than once. + namespaceIntId: 0 +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/JanssenFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. 
+ exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/JanssenFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/janssen/charts/persistence/.helmignore b/charts/janssen/charts/persistence/.helmignore new file mode 100644 index 00000000000..50af0317254 --- /dev/null +++ b/charts/janssen/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
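Review bot: `serfKey: Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=` ships a fixed Serf gossip-encryption key as the default of a published chart, and the comment says it is synced to every cluster, so any deployment that enables `multiCluster` without overriding it protects its `tcp-serf`/`udp-serf` traffic (port 7946; the `:30946` suffix in `serfAdvertiseAddrSuffix` suggests a NodePort reachable from outside the cluster) with a key anyone can read from this file. A default key in a public values file has to be treated as compromised: make the default empty, have the template that creates `{{ $.Release.Name }}-serf-key` generate one (`randAlphaNum 32 | b64enc`) or fail with `required` when it is unset, and replace the comment with `# -- Serf gossip encryption key (base64 of 16, 24 or 32 bytes). Leave empty to have one generated at install time; never reuse a published value.` That Secret template is not in this chunk, so where the generation belongs is inferred. Separately, `tag: 1.0.0_dev` with `pullPolicy: IfNotPresent` lets each node keep running whatever it cached under that mutable tag; a digest pin, or `Always` for dev tags, makes the deployed image deterministic.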
diff --git a/charts/janssen/charts/persistence/Chart.yaml b/charts/janssen/charts/persistence/Chart.yaml
new file mode 100644
index 00000000000..e3a0265895f
--- /dev/null
+++ b/charts/janssen/charts/persistence/Chart.yaml
@@ -0,0 +1,21 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v2
+name: persistence
+version: 1.0.0-beta.14
+kubeVersion: ">=v1.21.0-0"
+description: Job to generate data and initial config for Janssen Server persistence layer.
+type: application
+keywords:
+ - persistence prep
+home: https://jans.io
+sources:
+ - https://github.com/JanssenProject/jans/docker-jans-persistence-loader
+ - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/persistence
+maintainers:
+ - name: Mohammad Abudayyeh
+ email: support@jans.io
+ url: https://github.com/moabu
+icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png
+appVersion: "1.0.0"
+
diff --git a/charts/janssen/charts/persistence/README.md b/charts/janssen/charts/persistence/README.md
new file mode 100644
index 00000000000..b112b105105
--- /dev/null
+++ b/charts/janssen/charts/persistence/README.md
@@ -0,0 +1,51 @@ +# persistence + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Job to generate data and initial config for Janssen Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenfederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. 
| +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/persistence/templates/_helpers.tpl b/charts/janssen/charts/persistence/templates/_helpers.tpl new file mode 100644 index 00000000000..ca0c55207ca --- /dev/null +++ b/charts/janssen/charts/persistence/templates/_helpers.tpl 
@@ -0,0 +1,79 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "persistence.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "persistence.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "persistence.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "persistence.labels" -}}
+app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+helm.sh/chart: {{ include "persistence.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "persistence.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "persistence.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "persistence.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
diff --git a/charts/janssen/charts/persistence/templates/jobs.yml b/charts/janssen/charts/persistence/templates/jobs.yml
new file mode 100644
index 00000000000..46064a35821
--- /dev/null
+++ b/charts/janssen/charts/persistence/templates/jobs.yml
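Review bot: `persistence.usr-envs` renders `value: {{ $val }}` unquoted, so an entry under `usrEnvs.normal` that YAML types as a number or boolean (`CN_DEBUG_PORT: 5005`, `CN_SQL_DB_SSL: true`) is emitted as a bare scalar and the Job is rejected because `EnvVar.value` must be a string; `value: {{ $val | quote }}` renders every value as a string. `persistence.serviceAccountName` reads `.Values.serviceAccount.create`, but the chart's values.yaml later in this diff defines no `serviceAccount` block, so any template that includes this helper would fail rendering on the nil lookup; either add `serviceAccount: {create: false, name: ""}` to values or remove the unused helper. As it stands the Job sets no `serviceAccountName`, so it runs under the namespace's `default` account with that account's token auto-mounted.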
@@ -0,0 +1,107 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "persistence.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: persistence-loader
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ttlSecondsAfterFinished: 120
+ template:
+ metadata:
+ name: {{ include "persistence.name" . }}
+ labels:
+ APP_NAME: persistence-loader
+ app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ containers:
+ - name: {{ include "persistence.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ env:
+ {{- include "persistence.usr-envs" . | indent 12 }}
+ {{- include "persistence.usr-secret-envs" . | indent 12 }}
+ {{- if .Values.global.istio.enabled }}
+ command:
+ - tini
+ - -g
+ - --
+ - /bin/sh
+ - -c
+ - |
+ /app/scripts/entrypoint.sh
+ curl -X POST http://localhost:15020/quitquitquit
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- if .Values.global.jackrabbit.enabled }}
+ - name: cn-jackrabbit-admin-pass
+ mountPath: /etc/janssen/conf/jackrabbit_admin_password
+ subPath: jackrabbit_admin_password
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
+ name: google-sa
+ subPath: google-credentials.json
+ {{- end }}
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+ - name: cb-crt
+ mountPath: "/etc/certs/couchbase.crt"
+ subPath: couchbase.crt
+ {{- end }}
+ resources:
+{{- toYaml .Values.resources | nindent 10 }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.jackrabbit.enabled }}
+ - name: cn-jackrabbit-admin-pass
+ secret:
+ secretName: cn-jackrabbit-admin-pass
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - name: google-sa
+ secret:
+ secretName: {{ .Release.Name }}-google-sa
+ {{- end }}
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+ - name: cb-crt
+ secret:
+ secretName: {{ .Release.Name }}-cb-crt
+ {{- end }}
diff --git a/charts/janssen/charts/persistence/templates/service.yaml b/charts/janssen/charts/persistence/templates/service.yaml
new file mode 100644
index 00000000000..b266650a69e
--- /dev/null
+++ b/charts/janssen/charts/persistence/templates/service.yaml
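Review bot: In the Istio branch the `sh -c` script runs `/app/scripts/entrypoint.sh` and then `curl -X POST http://localhost:15020/quitquitquit`, and a shell exits with the status of its last command, so a failed persistence load is replaced by curl's (normally zero) exit code and the Job completes "successfully" with the initial data and config missing. Capture the status before stopping the sidecar: `/app/scripts/entrypoint.sh`, `rc=$?`, `curl -X POST http://localhost:15020/quitquitquit`, `exit $rc`. The container securityContext sets only `runAsUser`/`runAsNonRoot`; for a one-shot loader that receives the mounted google-sa credentials and whatever `global.usrEnvs.secret` carries, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` are cheap to add, and `automountServiceAccountToken: false` on the pod spec keeps the default service-account token away from a process with no visible need for the API. `ttlSecondsAfterFinished: 120` also removes the Job and its pod logs two minutes after it finishes, which is a short window for diagnosing a failed initial load.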
@@ -0,0 +1,27 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+# Used with Istio
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "persistence.fullname" . }}
+ labels:
+ APP_NAME: persistence-loader
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/persistence/templates/user-custom-secret-envs.yaml
new file mode 100644
index 00000000000..9d9253f0b82
--- /dev/null
+++ b/charts/janssen/charts/persistence/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/janssen/charts/persistence/values.yaml b/charts/janssen/charts/persistence/values.yaml
new file mode 100644
index 00000000000..73869c15bfb
--- /dev/null
+++ b/charts/janssen/charts/persistence/values.yaml
@@ -0,0 +1,49 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+# -- Job to generate data and initial config for Janssen Server persistence layer.
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenfederation/persistence
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/janssen/charts/scim/.helmignore b/charts/janssen/charts/scim/.helmignore
new file mode 100644
index 00000000000..f0c13194444
--- /dev/null
+++ b/charts/janssen/charts/scim/.helmignore
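Review bot: `imagePullSecrets: []` at the top level is dead configuration — the Job template earlier in this diff reads only `.Values.image.pullSecrets`, and the chart README lists the key with an empty description — so an operator who sets it for a private registry gets ImagePullBackOff with no hint why; remove the key, or make the template honour it as well as `image.pullSecrets`. `tag: 1.0.0-beta.14` combined with `pullPolicy: IfNotPresent` also means a node keeps running whatever image it cached under that tag, and nothing here pins a digest; a `# -- Pin to an immutable digest (repository@sha256:...) for production installs` note next to `tag`, or defaulting `pullPolicy` to `Always` for pre-release tags, would close that supply-chain gap.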
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/janssen/charts/scim/Chart.yaml b/charts/janssen/charts/scim/Chart.yaml new file mode 100644 index 00000000000..2658c2e987a --- /dev/null +++ b/charts/janssen/charts/scim/Chart.yaml @@ -0,0 +1,22 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v2 +name: scim +version: 1.0.0-beta.14 +kubeVersion: ">=v1.21.0-0" +description: System for Cross-domain Identity Management (SCIM) version 2.0 +type: application +keywords: + - SCIM + - API +home: https://jans.io +sources: + - https://github.com/JanssenProject/jans/jans-scim + - https://github.com/JanssenProject/jans/docker-jans-scim + - https://github.com/JanssenFederation/flex/tree/main/flex-cn-setup/pyjanssen/kubernetes/templates/helm/janssen/charts/scim +maintainers: + - name: Mohammad Abudayyeh + email: support@jans.io + url: https://github.com/moabu +icon: https://github.com/JanssenProject/jans/raw/main/docs/logo/janssen_project_favicon_transparent_50px_50px.png +appVersion: "1.0.0" diff --git a/charts/janssen/charts/scim/README.md b/charts/janssen/charts/scim/README.md new file mode 100644 index 00000000000..763e54c478d --- /dev/null +++ b/charts/janssen/charts/scim/README.md 
@@ -0,0 +1,60 @@ +# scim + +![Version: 1.0.0-beta.14](https://img.shields.io/badge/Version-1.0.0--beta.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@jans.io | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.14"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/janssen/charts/scim/templates/_helpers.tpl b/charts/janssen/charts/scim/templates/_helpers.tpl new file mode 100644 index 00000000000..d779e8f5e08 --- /dev/null +++ b/charts/janssen/charts/scim/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "scim.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "scim.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "scim.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "scim.labels" -}}
+app: {{ .Release.Name }}-{{ include "scim.name" . }}
+helm.sh/chart: {{ include "scim.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "scim.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "scim.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
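Review bot: `scim.usr-envs` renders `value: {{ $val }}` unquoted, so a value in `usrEnvs.normal` that YAML types as a bool or number (`true`, `yes`, `8080`) is emitted as that scalar and the manifest fails to decode, because `env[].value` must be a string. `value: {{ $val | quote }}` keeps every user-supplied value a string regardless of how it was written in values. The same helper shape is presumably copied into the sibling sub-charts listed in the diffstat, which are outside this hunk.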
diff --git a/charts/janssen/charts/scim/templates/deployment.yml b/charts/janssen/charts/scim/templates/deployment.yml
new file mode 100644
index 00000000000..27d3d807dd1
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/deployment.yml
@@ -0,0 +1,135 @@ +# License terms and conditions for Janssen Cloud Native Edition: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . 
| indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file 
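Review bot: The container `securityContext` in `deployment.yml` sets `runAsUser: 1000` and `runAsNonRoot: true` but leaves `allowPrivilegeEscalation` at its default and drops no capabilities, so the pod does not satisfy the Pod Security Standards restricted profile and is rejected in a namespace that enforces it. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the existing `securityContext` (and `readOnlyRootFilesystem: true` if the image tolerates it) closes that gap; `seccompProfile: {type: RuntimeDefault}` is the remaining restricted-profile field. The same template shape presumably appears in the sibling sub-charts in the diffstat, which are outside this hunk.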
diff --git a/charts/janssen/charts/scim/templates/hpa.yaml b/charts/janssen/charts/scim/templates/hpa.yaml
new file mode 100644
index 00000000000..f878b2ac5dd
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/hpa.yaml
@@ -0,0 +1,39 @@
+{{ if .Values.hpa.enabled -}}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "scim.fullname" . }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "scim.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/scim/templates/scim-destination-rules.yaml b/charts/janssen/charts/scim/templates/scim-destination-rules.yaml
new file mode 100644
index 00000000000..9be1a64362a
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/scim-destination-rules.yaml
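Review bot: `hpa.yaml` declares `apiVersion: autoscaling/v1` yet renders `metrics:` and `behavior:` from `hpa.metrics` and `hpa.behavior`; those fields exist only in `autoscaling/v2` (`v2beta2` on older clusters), so under v1 the API server strips them or, with strict field validation, rejects the object, and a custom-metric or scaling-policy configuration is silently lost. Moving the object to `autoscaling/v2` (GA since Kubernetes 1.23) fixes that, but v2 has no `targetCPUUtilizationPercentage`, so that branch has to become a `Resource` metric as sketched below. The chart default (`targetCPUUtilizationPercentage: 50`, empty `metrics` and `behavior`) works under v1, so only the non-default branches are affected today.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
  # … unchanged: metrics and behavior blocks …
```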
@@ -0,0 +1,24 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-scim-mtls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen/charts/scim/templates/scim-virtual-services.yaml b/charts/janssen/charts/scim/templates/scim-virtual-services.yaml
new file mode 100644
index 00000000000..d753293e3d0
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/scim-virtual-services.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.global.istio.ingress }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-scim-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service.
+ http:
+ - name: {{ .Release.Name }}-istio-scim-config
+ match:
+ - uri:
+ prefix: /.well-known/scim-configuration
+ rewrite:
+ uri: /scim/restv1/scim-configuration
+ route:
+ - destination:
+ host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ - name: {{ .Release.Name }}-istio-scim
+ match:
+ - uri:
+ prefix: "/scim"
+ route:
+ - destination:
+ host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+{{- end }}
diff --git a/charts/janssen/charts/scim/templates/service.yml b/charts/janssen/charts/scim/templates/service.yml
new file mode 100644
index 00000000000..1e8e11d45cc
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/service.yml
@@ -0,0 +1,31 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.scim.scimServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/janssen/charts/scim/templates/user-custom-secret-envs.yaml b/charts/janssen/charts/scim/templates/user-custom-secret-envs.yaml
new file mode 100644
index 00000000000..2c642a5ce7f
--- /dev/null
+++ b/charts/janssen/charts/scim/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,23 @@
+{{ if .Values.usrEnvs.secret }}
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
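Review bot: In `user-custom-secret-envs.yaml` the data line `{{ $key }}: {{ $val | b64enc }}` pipes the raw value into `b64enc`, which accepts only a string; a value the YAML parser typed as a number or bool (e.g. `PORT: 8080`) aborts rendering with a wrong-type error, so `{{ $key }}: {{ $val | toString | b64enc }}` is the safer form. Because `scim.usr-secret-envs` in `_helpers.tpl` references this Secret by the same name, a render failure here also blocks the Deployment. The `service.yml` hunk on this line raises nothing on its own.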
diff --git a/charts/janssen/charts/scim/values.yaml b/charts/janssen/charts/scim/values.yaml
new file mode 100644
index 00000000000..2cf3d294a70
--- /dev/null
+++ b/charts/janssen/charts/scim/values.yaml
@@ -0,0 +1,85 @@
+# License terms and conditions for Janssen Cloud Native Edition:
+# https://www.apache.org/licenses/LICENSE-2.0
+# -- System for Cross-domain Identity Management (SCIM) version 2.0
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/scim
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 1000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1000Mi
+service:
+ # -- The name of the scim port within the scim service. Please keep it as default.
+ name: http-scim
+ # -- Port of the scim service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for SCIM if needed.
+livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the SCIM if needed.
+readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/janssen/templates/_helpers.tpl b/charts/janssen/templates/_helpers.tpl
new file mode 100644
index 00000000000..c5b8d3d3036
--- /dev/null
+++ b/charts/janssen/templates/_helpers.tpl
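Review bot: `hpa.enabled: true` is the default while `replicas: 1` is still rendered unconditionally into the Deployment (`replicas: {{ .Values.replicas }}` in `deployment.yml`), so once the HorizontalPodAutoscaler has scaled the Deployment out, each `helm upgrade` reapplies `replicas: 1` and the autoscaler has to scale out again. Guarding that field with `{{- if not .Values.hpa.enabled }}` / `replicas: {{ .Values.replicas }}` / `{{- end }}`, or at least extending the `# -- Service replica number.` comment to say the value is ignored when `hpa.enabled` is true, keeps the two controllers from fighting. The same pairing of defaults presumably exists in the sibling sub-charts, which are outside this hunk.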
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cn.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/janssen/values.schema.json b/charts/janssen/values.schema.json
new file mode 100644
index 00000000000..57901625569
--- /dev/null
+++ b/charts/janssen/values.schema.json
@@ -0,0 +1,3356 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Janssen Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Server.", + "type":"object", + "properties":{ + + } + }, + "client-api":{ + "description":"Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.", + "type":"object", + "properties":{ + + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Janssen services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. 
Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqlPasswordFile":{ + "description":"SQL server password file location. This file path must end with sql_password", + "type":"string", + "pattern":".*sql_password\\b.*" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnCasaEnabled":{ + "description":"Enable Casa. Janssen Casa is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Server.", + "type":"boolean" + }, + "cnClientApiAdminCertCn":{ + "description":"Client-api OAuth client admin certificate common name. 
This should be left to the default value client-api", + "type":"string", + "pattern":"^[a-z-]+$" + }, + "cnClientApiApplicationCertCn":{ + "description":"Client-api OAuth client application certificate common name. This should be left to the default value client-api", + "type":"string", + "pattern":"^[a-z-]+$" + }, + "cnClientApiBindIpAddresses":{ + "description":"Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy", + "$ref":"#/definitions/ip-pattern" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Janssen.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCertFile":{ + "description":"Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required.", + "type":"string", + "pattern":".*couchbase.crt\\b.*" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. 
That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbasePasswordFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password", + "type":"string", + "pattern":".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. 
Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily.", + "type":"string", + "pattern":"^(LOCAL|JCA)$" + }, + "cnJackrabbitAdminId":{ + "description":"Jackrabbit admin uid.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnJackrabbitAdminIdFile":{ + "description":"The location of the Jackrabbit admin uid config.cnJackrabbitAdminId. The file path must end with jackrabbit_admin_id.", + "type":"string", + "pattern":".*jackrabbit_admin_id\\b.*" + }, + "cnJackrabbitAdminPassFile":{ + "description":"The location of the Jackrabbit admin password jackrabbit.secrets.cnJackrabbitAdminPassword. The file path must end with jackrabbit_admin_password.", + "type":"string", + "pattern":".*jackrabbit_admin_password\\b.*" + }, + "cnJackrabbitPostgresDatabaseName":{ + "description":"Jackrabbit postgres database name.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnJackrabbitPostgresHost":{ + "description":"Postgres url", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnJackrabbitPostgresPasswordFile":{ + "description":"The location of the Jackrabbit postgres password file jackrabbit.secrets.cnJackrabbitPostgresPassword. The file path must end with postgres_password.", + "type":"string", + "pattern":".*postgres_password\\b.*" + }, + "cnJackrabbitPostgresPort":{ + "description":"Jackrabbit Postgres port", + "type":"integer" + }, + "cnJackrabbitPostgresUser":{ + "description":"Jackrabbit Postgres uid", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnJackrabbitSyncInterval":{ + "description":"Interval between files sync (default to 300 seconds).", + "type":"integer" + }, + "cnJackrabbitUrl":{ + "description":"Jackrabbit internal url. 
Normally left as default.", + "type":"string", + "pattern":"^(http:\/\/)?[a-z0-9-:]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnSecretGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnSecretGoogleSecretNamePrefix":{ + "description":"Prefix for Janssen secret in Google Secret Manager. Defaults to janssen. If left janssen-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Janssen secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnConfigGoogleSecretVersionId":{ + "description":"Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnConfigGoogleSecretNamePrefix":{ + "description":"Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPassportEnabled":{ + "description":"Boolean flag to enable/disable Passport chart", + "type":"boolean" + }, + "cnPersistenceLdapMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string", + "pattern":"^(default|user|site|cache|statistic)$" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. 
Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSamlEnabled":{ + "description":"Enable SAML-related features; UI menu, etc.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. 
Used for certificate creation.",
+ "$ref":"#/definitions/email-format"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "ldapPassword":{
+ "description":"LDAP admin password if OpennDJ is used for persistence.",
+ "$ref":"#/definitions/password"
+ },
+ "orgName":{
+ "description":"Organization name. Used for certificate creation.",
+ "type":"string",
+ "pattern":"^[a-zA-Z]+$"
+ },
+ "redisPassword":{
+ "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`",
+ "$ref":"#/definitions/password"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "state":{
+ "description":"State code. Used for certificate creation.",
+ "type":"string",
+ "pattern":"^[a-zA-Z]+$"
+ }
+ }
+ },
+ "config-api":{
+ "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "cr-rotate":{
+ "description":"CacheRefreshRotation is a special container to monitor cache refresh on oxTrust containers. 
This may be depreciated.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "fido2":{
+ "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "global":{
+ "description":"Parameters used globally across all services helm charts.",
+ "type":"object",
+ "properties":{
+ "alb":{
+ "type":"object",
+ "properties":{
+ "ingress":{
+ "description":"Activates ALB ingress",
+ "type":"boolean"
+ }
+ }
+ },
+ "auth-server":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.",
+ "type":"boolean"
+ },
+ "authServerServiceName":{
+ "description":"Name of the auth-server service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "authLogTarget":{
+ "description":"jans-auth.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "authLogLevel":{
+ "description":"jans-auth.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "httpLogTarget":{
+ "description":"http_request_response target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "httpLogLevel":{
+ "description":"http_request_response level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget":{
+ "description":"jans-auth_persistence.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel":{
+ "description":"jans-auth_persistence.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceDurationLogTarget":{
+ "description":"jans-auth_persistence_duration.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceDurationLogLevel":{
+ 
"description":"jans-auth_persistence_duration.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "ldapStatsLogTarget":{
+ "description":"jans-auth_persistence_ldap_statistics.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "ldapStatsLogLevel":{
+ "description":"jans-auth_persistence_ldap_statistics.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "scriptLogTarget":{
+ "description":"jans-auth_script.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "scriptLogLevel":{
+ "description":"jans-auth_script.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "auditStatsLogTarget":{
+ "description":"jans-auth_audit.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "auditStatsLogLevel":{
+ "description":"jans-auth_audit.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "auth-server-key-rotation":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "awsStorageType":{
+ "description":"Volume stroage type if using AWS volumes.",
+ "type":"string",
+ "pattern":"^(io1|io2|gp2|st1|sc1)$"
+ },
+ "azureStorageAccountType":{
+ "description":"Volume storage type if using Azure disks.",
+ "type":"string",
+ "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$"
+ },
+ "azureStorageKind":{
+ "description":"Azure storage kind if using Azure disks",
+ "type":"string",
+ "pattern":"^(Managed)$"
+ },
+ "client-api":{
+ "type":"object",
+ "properties":{
+ "clientApiServerServiceName":{
+ "description":"Name of the client-api service. 
Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "enabled":{
+ "description":"Boolean flag to enable/disable the client-api chart.",
+ "type":"boolean"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "clientApiLogTarget":{
+ "description":"client-api.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "clientApiLogLevel":{
+ "description":"client-api.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "cloud":{
+ "type":"object",
+ "properties":{
+ "testEnviroment":{
+ "description":"Boolean flag if enabled will strip resources requests and limits from all services.",
+ "type":"boolean"
+ }
+ }
+ },
+ "cnJackrabbitCluster":{
+ "description":"Boolean flag if enabled will enable jackrabbit in cluster mode with Postgres.",
+ "type":"boolean"
+ },
+ "cnPersistenceType":{
+ "description":"Persistence backend to run Janssen with ldap|couchbase|hybrid|sql|spanner.",
+ "type":"string",
+ "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$"
+ },
+ "cnObExtSigningJwksUri":{
+ "description":"Open banking external signing jwks uri. Used in SSA Validation.",
+ "type":"string"
+ },
+ "cnObExtSigningJwksCrt":{
+ "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningJwksKey":{
+ "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningJwksKeyPassPhrase":{
+ "description":"Open banking external signing jwks AS key passphrase to unlock provided key. 
This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningAlias":{
+ "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G",
+ "type":"string"
+ },
+ "cnObStaticSigningKeyKid":{
+ "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G",
+ "type":"string"
+ },
+ "cnObTransportCrt":{
+ "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportKey":{
+ "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportKeyPassPhrase":{
+ "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportAlias":{
+ "description":"Open banking transport Alias used inside the JVM.",
+ "type":"string"
+ },
+ "cnObTransportTrustStore":{
+ "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "config":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the configuration chart. 
This normally should always be true",
+ "type":"boolean"
+ }
+ }
+ },
+ "configAdapterName":{
+ "description":"The config backend adapter that will hold Janssen configuration layer. google|kubernetes",
+ "type":"string",
+ "pattern":"^(kubernetes|google)$"
+ },
+ "configSecretAdapter":{
+ "description":"The config backend adapter that will hold Janssen secret layer. google|kubernetes",
+ "type":"string",
+ "pattern":"^(kubernetes|google)$"
+ },
+ "cnGoogleApplicationCredentials":{
+ "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.",
+ "type":"string",
+ "pattern":".*google-credentials.json\\b.*"
+ },
+ "config-api":{
+ "type":"object",
+ "properties":{
+ "configApiServerServiceName":{
+ "description":"Name of the config-api service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "enabled":{
+ "description":"Boolean flag to enable/disable the config-api chart.",
+ "type":"boolean"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "configApiLogTarget":{
+ "description":"configapi.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "configApiLogLevel":{
+ "description":"configapi.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "cr-rotate":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the cr-rotate chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "fqdn":{
+ "description":"Fully qualified domain name to be used for Janssen installation. This address will be used to reach Janssen services.",
+ "$ref":"#/definitions/fqdn-pattern"
+ },
+ "fido2":{
+ "type":"object",
+ "properties":{
+ "fido2ServiceName":{
+ "description":"Name of the fido2 service. 
Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "enabled":{
+ "description":"Boolean flag to enable/disable the fido2 chart.",
+ "type":"boolean"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "fido2LogTarget":{
+ "description":"fido2.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "fido2LogLevel":{
+ "description":"fido2.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget":{
+ "description":"fido2_persistence.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel":{
+ "description":"fido2_persistence.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "gcePdStorageType":{
+ "description":"GCE storage kind if using Google disks",
+ "type":"string",
+ "pattern":"^(pd-standard|pd-balanced|pd-ssd)$"
+ },
+ "isFqdnRegistered":{
+ "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.",
+ "type":"boolean"
+ },
+ "istio":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag that enables using istio side cars with Janssen services.",
+ "type":"boolean"
+ },
+ "ingress":{
+ "description":"Boolean flag that enables using istio gateway for Janssen. This assumes istio ingress is installed and hence the LB is available.",
+ "type":"boolean"
+ },
+ "namespace":{
+ "description":"The namespace istio is deployed in. The is normally istio-system.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ }
+ }
+ },
+ "jackrabbit":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the jackrabbit chart. 
For more information on how it is used inside Janssen https://jans.io/4.2/installation-guide/install-kubernetes/#working-with-jackrabbit. ",
+ "type":"boolean"
+ },
+ "jackRabbitServiceName":{
+ "description":"Name of the Jackrabbit service. Please keep it as default.",
+ "pattern":"^[a-z0-9-]+$"
+ }
+ }
+ },
+ "lbIp":{
+ "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.",
+ "$ref":"#/definitions/ip-pattern"
+ },
+ "nginx-ingress":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "opendj":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the OpenDJ chart.",
+ "type":"boolean"
+ },
+ "ldapServiceName":{
+ "description":"Name of the OpenDJ service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ }
+ }
+ },
+ "oxshibboleth":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the oxShibbboleth chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "distribution":{
+ "description":"Janssen distributions supported are: default|openbanking.",
+ "type":"string",
+ "pattern":"^(default|openbanking)$"
+ },
+ "persistence":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the persistence chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "scim":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the SCIM chart.",
+ "type":"boolean"
+ },
+ "scimServiceName":{
+ "description":"Name of the scim service. 
Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "authLogTarget":{
+ "description":"jans-scim.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "authLogLevel":{
+ "description":"jans-scim.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget":{
+ "description":"jans-scim_persistence.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel":{
+ "description":"jans-scim_persistence.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceDurationLogTarget":{
+ "description":"jans-scim_persistence_duration.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceDurationLogLevel":{
+ "description":"jans-scim_persistence_duration.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "ldapStatsLogTarget":{
+ "description":"jans-scim_persistence_ldap_statistics.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "ldapStatsLogLevel":{
+ "description":"jans-scim_persistence_ldap_statistics.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "scriptLogTarget":{
+ "description":"jans-scim_script.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "scriptLogLevel":{
+ "description":"jans-scim_script.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "storageClass":{
+ "description":"StorageClass section for Jackrabbit and OpenDJ charts. This is not currently used by the openbanking distribution. 
You may specify custom parameters as needed.",
+ "type":"object",
+ "properties":{
+ "allowVolumeExpansion":{
+ "type":"boolean"
+ },
+ "allowedTopologies":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ },
+ "mountOptions":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ },
+ "parameters":{
+ "type":"object",
+ "properties":{
+ "fsType":{
+ "type":"string"
+ },
+ "kind":{
+ "type":"string"
+ },
+ "pool":{
+ "type":"string"
+ },
+ "storageAccountType":{
+ "type":"string"
+ },
+ "type":{
+ "type":"string"
+ }
+ }
+ },
+ "provisioner":{
+ "type":"string"
+ },
+ "reclaimPolicy":{
+ "type":"string"
+ },
+ "volumeBindingMode":{
+ "type":"string"
+ }
+ }
+ },
+ "upgrade":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag used when running helm upgrade command. This allows upgrading the chart without immutable objects errors.",
+ "type":"boolean"
+ }
+ }
+ }
+ }
+ },
+ "jackrabbit":{
+ "description":"Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications. 
https://jackrabbit.apache.org/jcr/index.html .",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "nginx-ingress":{
+ "description":"Nginx ingress definitions chart",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "opendj":{
+ "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "oxpassport":{
+ "description":"Janssen interface to Passport.js to support social login and inbound identity.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "oxshibboleth":{
+ "description":"Shibboleth project for the Janssen Server's SAML IDP functionality.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "persistence":{
+ "description":"Job to generate data and intial config for Janssen Server persistence layer.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "scim":{
+ "description":"System for Cross-domain Identity Management (SCIM) version 2.0",
+ "type":"object",
+ "properties":{
+
+ }
+ }
+ },
+ "allOf":[
+ {
+ "$ref":"#/definitions/admin-ui-enabled"
+ },
+ {
+ "$ref":"#/definitions/auth-server-enabled"
+ },
+ {
+ "$ref":"#/definitions/auth-server-key-rotation-enabled"
+ },
+ {
+ "$ref":"#/definitions/casa-enabled"
+ },
+ {
+ "$ref":"#/definitions/client-api-enabled"
+ },
+ {
+ "$ref":"#/definitions/config-api-enabled"
+ },
+ {
+ "$ref":"#/definitions/cr-rotate-enabled"
+ },
+ {
+ "$ref":"#/definitions/fido2-enabled"
+ },
+ {
+ "$ref":"#/definitions/jackrabbit-enabled"
+ },
+ {
+ "$ref":"#/definitions/nginx-ingress-enabled"
+ },
+ {
+ "$ref":"#/definitions/opendj-enabled"
+ },
+ {
+ "$ref":"#/definitions/oxpassport-enabled"
+ },
+ {
+ "$ref":"#/definitions/oxshibboleth-enabled"
+ },
+ {
+ "$ref":"#/definitions/persistence-enabled"
+ },
+ {
+ 
"$ref":"#/definitions/scim-enabled"
+ }
+ ],
+ "definitions":{
+ "password":{
+ "anyOf":[
+ {
+ "type":"string",
+ "minLength":8,
+ "pattern":"",
+ "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol",
+ "errors":{
+ "minLength":"Password minimum 6 character",
+ "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ }
+ },
+ {
+ "type":"string",
+ "maxLength":0
+ }
+ ]
+ },
+ "password-pattern":{
+ "type":"string",
+ "minLength":6,
+ "pattern":"",
+ "errors":{
+ "minLength":"Password minimum 6 character",
+ "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ }
+ },
+ "email-format":{
+ "type":"string",
+ "format":"email"
+ },
+ "fqdn-pattern":{
+ "anyOf":[
+ {
+ "type":"string",
+ "errors":{
+ "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.jans.io"
+ }
+ },
+ {
+ "type":"string",
+ "maxLength":0
+ }
+ ]
+ },
+ "url-pattern":{
+ "anyOf":[
+ {
+ "type":"string",
+ "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)",
+ "errors":{
+ "pattern":"URL pattern is not meeting standards."
+ }
+ },
+ {
+ "type":"string",
+ "maxLength":0
+ }
+ ]
+ },
+ "ip-pattern":{
+ "anyOf":[
+ {
+ "type":"string",
+ "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$",
+ "errors":{
+ "pattern":"Not a valid IP." 
+ }
+ },
+ {
+ "type":"string",
+ "maxLength":0
+ }
+ ]
+ },
+ "admin-ui-enabled":{
+ "if":{
+ "properties":{
+ "global":{
+ "properties":{
+ "admin-ui":{
+ "properties":{
+ "enabled":{
+ "const":"true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then":{
+ "properties":{
+ "admin-ui":{
+ "required":[
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "properties":{
+ "hpa":{
+ "description":"Configure the HorizontalPodAutoscaler",
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "type":"boolean"
+ },
+ "minReplicas":{
+ "type":"integer"
+ },
+ "maxReplicas":{
+ "type":"integer"
+ },
+ "targetCPUUtilizationPercentage":{
+ "type":"integer"
+ },
+ "metrics":{
+ "description":"metrics if targetCPUUtilizationPercentage is not set",
+ "type":"array"
+ },
+ "behavior":{
+ "description":"Scaling Policies",
+ "type":"object"
+ }
+ }
+ },
+ "usrEnvs":{
+ "description":"Add custom normal and secret envs to the service",
+ "type":"object",
+ "properties":{
+ "normal":{
+ "description":"Add custom normal envs to the service",
+ "type":"object"
+ },
+ "secret":{
+ "description":"Add custom secret envs to the service",
+ "type":"object"
+ }
+ }
+ },
+ "dnsPolicy":{
+ "description":"Add custom dns policy",
+ "type":"string",
+ "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig":{
+ "description":"Add custom dns config",
+ "type":"object"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "pullPolicy":{
+ "description":"Image pullPolicy to use for deploying.",
+ "type":"string",
+ "pattern":"^(Always|Never|IfNotPresent)$"
+ },
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas":{
+ "description":"Service replica number.",
+ "type":"integer"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object", 
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else":true
+ },
+ "auth-server-enabled":{
+ "if":{
+ "properties":{
+ "global":{
+ "properties":{
+ "auth-server":{
+ "properties":{
+ "enabled":{
+ "const":"true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then":{
+ "properties":{
+ "auth-server":{
+ "required":[
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "properties":{
+ "hpa":{
+ "description":"Configure the HorizontalPodAutoscaler",
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "type":"boolean"
+ },
+ "minReplicas":{
+ "type":"integer"
+ },
+ "maxReplicas":{
+ "type":"integer"
+ },
+ "targetCPUUtilizationPercentage":{
+ "type":"integer"
+ },
+ "metrics":{
+ "description":"metrics if targetCPUUtilizationPercentage is not set",
+ "type":"array"
+ },
+ "behavior":{
+ "description":"Scaling Policies",
+ "type":"object"
+ }
+ }
+ },
+ "usrEnvs":{
+ "description":"Add custom normal and secret envs to the service",
+ "type":"object",
+ "properties":{
+ "normal":{
+ "description":"Add custom normal envs to the service",
+ "type":"object"
+ },
+ "secret":{
+ "description":"Add custom secret envs to the service",
+ "type":"object"
+ }
+ }
+ },
+ "dnsPolicy":{
+ "description":"Add custom dns policy",
+ "type":"string",
+ "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig":{
+ "description":"Add custom dns config",
+ "type":"object"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "pullPolicy":{
+ "description":"Image pullPolicy to use for deploying.",
+ "type":"string",
+ "pattern":"^(Always|Never|IfNotPresent)$" 
+ },
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas":{
+ "description":"Service replica number.",
+ "type":"integer"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else":true
+ },
+ "auth-server-key-rotation-enabled":{
+ "if":{
+ "properties":{
+ "global":{
+ "properties":{
+ "auth-server-key-rotation":{
+ "properties":{
+ "enabled":{
+ "const":"true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then":{
+ "properties":{
+ "auth-server-key-rotation":{
+ "properties":{
+ "usrEnvs":{
+ "description":"Add custom normal and secret envs to the service",
+ "type":"object",
+ "properties":{
+ "normal":{
+ "description":"Add custom normal envs to the service",
+ "type":"object"
+ },
+ "secret":{
+ "description":"Add custom secret envs to the service",
+ "type":"object"
+ }
+ }
+ },
+ "dnsPolicy":{
+ "description":"Add custom dns policy",
+ "type":"string",
+ "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig":{
+ "description":"Add custom dns config",
+ "type":"object"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "pullPolicy":{
+ "description":"Image pullPolicy to use for deploying.",
+ "type":"string",
+ "pattern":"^(Always|Never|IfNotPresent)$"
+ },
+ "repository":{
+ "description":"Image to use 
for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "keysLife":{
+ "description":"Auth server key rotation keys life in hours",
+ "type":"integer"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ },
+ "required":[
+ "image",
+ "resources",
+ "keysLife"
+ ]
+ }
+ }
+ },
+ "else":true
+ },
+ "casa-enabled":{
+ "if":{
+ "properties":{
+ "config":{
+ "properties":{
+ "configmap":{
+ "properties":{
+ "cnCasaEnabled":{
+ "const":"true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then":{
+ "properties":{
+ "casa":{
+ "required":[
+ "image",
+ "replicas",
+ "resources",
+ "service"
+ ],
+ "properties":{
+ "hpa":{
+ "description":"Configure the HorizontalPodAutoscaler",
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "type":"boolean"
+ },
+ "minReplicas":{
+ "type":"integer"
+ },
+ "maxReplicas":{
+ "type":"integer"
+ },
+ "targetCPUUtilizationPercentage":{
+ "type":"integer"
+ },
+ "metrics":{
+ "description":"metrics if targetCPUUtilizationPercentage is not set",
+ "type":"array"
+ },
+ "behavior":{
+ "description":"Scaling Policies",
+ "type":"object"
+ }
+ }
+ },
+ "usrEnvs":{
+ "description":"Add custom normal and secret envs to the service",
+ "type":"object",
+ "properties":{
+ "normal":{
+ "description":"Add custom normal envs to the service",
+ "type":"object"
+ },
+ "secret":{
+ "description":"Add custom 
secret envs to the service",
+ "type":"object"
+ }
+ }
+ },
+ "dnsPolicy":{
+ "description":"Add custom dns policy",
+ "type":"string",
+ "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig":{
+ "description":"Add custom dns config",
+ "type":"object"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "pullPolicy":{
+ "description":"Image pullPolicy to use for deploying.",
+ "type":"string",
+ "pattern":"^(Always|Never|IfNotPresent)$"
+ },
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas":{
+ "description":"Service replica number.",
+ "type":"integer"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "service":{
+ "type":"object",
+ "properties":{
+ "casaServiceName":{
+ "description":"Name of the casa service. 
Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else":true
+ },
+ "client-api-enabled":{
+ "if":{
+ "properties":{
+ "global":{
+ "properties":{
+ "client-api":{
+ "properties":{
+ "enabled":{
+ "const":"true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then":{
+ "properties":{
+ "client-api":{
+ "required":[
+ "image",
+ "replicas",
+ "resources",
+ "service"
+ ],
+ "properties":{
+ "hpa":{
+ "description":"Configure the HorizontalPodAutoscaler",
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "type":"boolean"
+ },
+ "minReplicas":{
+ "type":"integer"
+ },
+ "maxReplicas":{
+ "type":"integer"
+ },
+ "targetCPUUtilizationPercentage":{
+ "type":"integer"
+ },
+ "metrics":{
+ "description":"metrics if targetCPUUtilizationPercentage is not set",
+ "type":"array"
+ },
+ "behavior":{
+ "description":"Scaling Policies",
+ "type":"object"
+ }
+ }
+ },
+ "usrEnvs":{
+ "description":"Add custom normal and secret envs to the service",
+ "type":"object",
+ "properties":{
+ "normal":{
+ "description":"Add custom normal envs to the service",
+ "type":"object"
+ },
+ "secret":{
+ "description":"Add custom secret envs to the service",
+ "type":"object"
+ }
+ }
+ },
+ "dnsPolicy":{
+ "description":"Add custom dns policy",
+ "type":"string",
+ "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig":{
+ "description":"Add custom dns config",
+ "type":"object"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "pullPolicy":{
+ "description":"Image pullPolicy to use for deploying.",
+ "type":"string",
+ "pattern":"^(Always|Never|IfNotPresent)$"
+ },
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas":{
+ "description":"Service replica number.",
+ "type":"integer"
+ },
+ "resources":{
+ 
"description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + 
"description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "cr-rotate-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "cr-rotate":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "cr-rotate":{ + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource 
specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "crRotateServiceName":{ + "description":"Name of the cr-rotate service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + 
"description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "jackrabbit-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "jackrabbit":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "jackrabbit":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + 
"description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "secrets":{ + "type":"object", + "properties":{ + "cnJackrabbitAdminPass": { + "description":"Jackrabbit admin uid password", + "$ref":"#/definitions/password" + }, + "cnJackrabbitPostgresPass":{ + "description":"Jackrabbit Postgres uid password", + "$ref":"#/definitions/password" + } + } + }, + "storage":{ + "type":"object", + "properties":{ + "size":{ + "description":"Jackrabbit volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "openidConfigEnabled", + "uma2ConfigEnabled", + "webfingerEnabled", + "webdiscoveryEnabled", + "configApiEnabled", + "u2fConfigEnabled", + "authServerEnabled", + "authServerProtectedToken", + "authServerProtectedRegister", + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints. COMING SOON.", + "type":"boolean" + }, + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. 
key app is taken", + "type":"object" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. 
key app is taken", + "type":"object" + }, + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + 
"type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "multiCluster":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Enable OpenDJ multiCluster mode. This flag enabbles loading keys under `opendj.multiCluster`", + "type":"boolean" + }, + "serfAdvertiseAddrSuffix":{ + "description":"OpenDJ Serf advertise address for the cluster", + "type":"string" + }, + "serfKey":{ + "description":"Serf key. This key will automatically sync across clusters.", + "type":"string" + }, + "serfPeers":{ + "description":"Serf peer addresses. 
One per cluster.", + "type":"array", + "items":{ + "type":"string" + } + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + 
"type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "config":{ + "properties":{ + "configmap":{ + "properties":{ + "cnPassportEnabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + 
"type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + 
"secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. 
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + 
"else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + 
"cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "service":{
+ "type":"object",
+ "properties":{
+ "scimServiceName":{
+ "description":"Name of the SCIM service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else":true
+ }
+ }
+}
\ No newline at end of file
diff --git a/charts/janssen/values.yaml b/charts/janssen/values.yaml
new file mode 100644
index 00000000000..f05368602fa
--- /dev/null
+++ b/charts/janssen/values.yaml
@@ -0,0 +1,1040 @@
+# -- Only used by the installer. These settings do not affect nor are used by the chart
+# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
+auth-server:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/auth-server
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: []
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- Executes the python3 healthcheck.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the auth server if needed.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ readinessProbe:
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: {}
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}
+# -- Responsible for regenerating auth-keys per x hours
+auth-server-key-rotation:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/certmanager
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: []
+ # -- Auth server key rotation keys life in hours
+ keysLife: 48
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} +# -- Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. +client-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/client-api + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. 
+ livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - curl + - -k + - https://localhost:8443/health-check + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + readinessProbe: + tcpSocket: + port: 8443 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} +# -- Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: jans + # -- SQL database username. + cnSqlDbUser: jans + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password file holding password from config.configmap.cnSqldbUserPassword . 
+ cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- SQL password injected as config.configmap.cnSqlPasswordFile . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- Enable Casa flag . + cnCasaEnabled: false + # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api . + cnClientApiAdminCertCn: client-api + # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api. + cnClientApiApplicationCertCn: client-api + # -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy + cnClientApiBindIpAddresses: "*" + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Janssen. + cnCouchbaseBucketPrefix: jans + # -- Location of `couchbase.crt` used by Couchbase SDK for tls termination. The file path must end with couchbase.crt. In mTLS setups this is not required. + cnCouchbaseCertFile: /etc/certs/couchbase.crt + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. 
+ cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The location of the Couchbase restricted user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password + cnCouchbasePasswordFile: /etc/janssen/conf/couchbase_password + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password. + cnCouchbaseSuperUserPasswordFile: /etc/janssen/conf/couchbase_superuser_password + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbjanssen.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: janssen + # -- Document store type to use for shibboleth files JCA or LOCAL. Note that if JCA is selected Apache Jackrabbit will be used. Jackrabbit also enables loading custom files across all services easily. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Janssen secret in Google Secret Manager. Defaults to janssen. If left janssen-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: janssen + # -- Passphrase for Janssen secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnConfigGoogleSecretNamePrefix: janssen + # [google_secret_manager_envs] END + # [google_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Boolean flag to enable/disable passport chart + cnPersistenceLdapMapping: default + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Enable SAML-related features; UI menu, etc. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@jans.io + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [] + # -- LDAP admin password if OpennDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. 
+ orgName: Janssen + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. 
+ memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. 
+ tag: 1.0.0-beta.14 + # -- Image Pull Secrets + pullSecrets: [] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. 
+ authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + client-api: + # -- Name of the client-api service. 
Please keep it as default. + clientApiServerServiceName: client-api + # -- Boolean flag to enable/disable the client-api chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- client-api.log target + clientApiLogTarget: "STDOUT" + # -- client-api.log level + clientApiLogLevel: "INFO" + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Boolean flag if enabled will enable jackrabbit in cluster mode with Postgres. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- The config backend adapter that will hold Janssen configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Janssen secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- Fully qualified domain name to be used for Janssen installation. This address will be used to reach Janssen services. + fqdn: demoexample.jans.io + fido2: + # -- Name of the fido2 service. 
Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side cars with Janssen services. + enabled: false + # -- Boolean flag that enables using istio gateway for Janssen. This assumes istio ingress is installed and hence the LB is available. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: {} + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. 
+ enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- StorageClass section for Jackrabbit and OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + upgrade: + # -- Boolean flag used when running upgrading through versions command. Used when upgrading with LDAP as the persistence to load the 101x ldif. + enabled: false + +# -- Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications +# https://jackrabbit.apache.org/jcr/index.html +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Enable Admin UI endpoints. COMING SOON. 
+ # -- Enable endpoint /.well-known/openid-configuration
+ openidConfigEnabled: true
+ # -- openid-configuration ingress resource labels. key app is taken
+ openidConfigLabels: {}
+ # -- openid-configuration ingress resource additional annotations.
+ openidAdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/uma2-configuration
+ uma2ConfigEnabled: true
+ # -- uma2 config ingress resource labels. key app is taken
+ uma2ConfigLabels: {}
+ # -- uma2 config ingress resource additional annotations.
+ uma2AdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/webfinger
+ webfingerEnabled: true
+ # -- webfinger ingress resource labels. key app is taken
+ webfingerLabels: {}
+ # -- webfinger ingress resource additional annotations.
+ webfingerAdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/simple-web-discovery
+ webdiscoveryEnabled: true
+ # -- webdiscovery ingress resource labels. key app is taken
+ webdiscoveryLabels: {}
+ # -- webdiscovery ingress resource additional annotations.
+ webdiscoveryAdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/scim-configuration
+ scimConfigEnabled: false
+ # -- SCIM config ingress resource labels. key app is taken
+ scimConfigLabels: {}
+ # -- SCIM config ingress resource additional annotations.
+ scimConfigAdditionalAnnotations: {}
+ # -- Enable SCIM endpoints /jans-scim
+ scimEnabled: false
+ # -- SCIM config ingress resource labels. key app is taken
+ scimLabels: {}
+ # -- SCIM ingress resource additional annotations.
+ scimAdditionalAnnotations: {}
+ # Enable config API endpoints /jans-config-api
+ configApiEnabled: true
+ # -- configAPI ingress resource labels. key app is taken
+ configApiLabels: {}
+ # -- ConfigAPI ingress resource additional annotations.
+ configApiAdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/fido-configuration
+ u2fConfigEnabled: true
+ # -- u2f config ingress resource labels. key app is taken
+ u2fConfigLabels: {}
+ # -- u2f config ingress resource additional annotations.
+ u2fAdditionalAnnotations: {}
+ # -- Enable endpoint /.well-known/fido2-configuration
+ fido2ConfigEnabled: false
+ # -- fido2 config ingress resource labels. key app is taken
+ fido2ConfigLabels: {}
+ # -- fido2 config ingress resource additional annotations.
+ fido2ConfigAdditionalAnnotations: {}
+ # -- Enable Auth server endpoints /jans-auth
+ authServerEnabled: true
+ # -- Auth server ingress resource labels. key app is taken
+ authServerLabels: {}
+ # -- Auth server ingress resource additional annotations.
+ authServerAdditionalAnnotations: {}
+ # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
+ additionalLabels: {}
+ # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ # Enable client certificate authentication
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+ # Create the secret containing the trusted ca certificates
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "janssen/tls-certificate"
+ # Specify the verification depth in the client certificates chain
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+ # Specify if certificates are passed to upstream server
+ # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ additionalAnnotations: {}
+ path: /
+ hosts:
+ - demoexample.jans.io
+ # -- Secrets holding HTTPS CA cert and key.
+ tls:
+ - secretName: tls-certificate
+ hosts:
+ - demoexample.jans.io
+
+# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.
+opendj:
+ # -- Configure ldap backup cronjob
+ backup:
+ enabled: true
+ cronJobSchedule: "*/59 * * * *"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenfederation/opendj
+ # -- Image tag to use for deploying.
+ tag: 1.0.0_dev
+ # -- Image Pull Secrets
+ pullSecrets: []
+ multiCluster:
+ # -- Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster`
+ enabled: false
+ # -- OpenDJ Serf advertise address suffix that will be added to each opendj replica.
+ # i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}
+ serfAdvertiseAddrSuffix: "regional.janssen.org:30946"
+ # -- Serf key. This key will automatically sync across clusters.
+ serfKey: Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=
+ # -- Serf peer addresses. One per cluster.
+ serfPeers:
+ - "janssen-opendj-regional-0-regional.janssen.org:30946"
+ - "janssen-opendj-regional-0-regional.janssen.org:31946"
+ # -- The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows
+ # the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}
+ # If set to 1, with a release name of janssen, the address of the pod would be janssen-opendj-regional-0-regional.janssen.org
+ replicaCount: 1
+ # -- This id needs to be unique to each kubernetes cluster in a multi cluster setup
+ # west, east, south, north, region ...etc If left empty it will be randomly generated.
+ clusterId: ""
+ # -- Namespace int id. This id needs to be a unique number 0-9 per janssen installation per namespace.
+ # Used when janssen is installed in the same kubernetes cluster more than once.
+ namespaceIntId: 0
+
+ persistence:
+ # -- OpenDJ volume size
+ size: 5Gi
+ ports:
+ tcp-admin:
+ nodePort: ""
+ port: 4444
+ protocol: TCP
+ targetPort: 4444
+ tcp-ldap:
+ nodePort: ""
+ port: 1389
+ protocol: TCP
+ targetPort: 1389
+ tcp-ldaps:
+ nodePort: ""
+ port: 1636
+ protocol: TCP
+ targetPort: 1636
+ tcp-repl:
+ nodePort: ""
+ port: 8989
+ protocol: TCP
+ targetPort: 8989
+ tcp-serf:
+ nodePort: ""
+ port: 7946
+ protocol: TCP
+ targetPort: 7946
+ udp-serf:
+ nodePort: ""
+ port: 7946
+ protocol: UDP
+ targetPort: 7946
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1500m
+ # -- Memory limit.
+ memory: 2000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1500m
+ # -- Memory request.
+ memory: 2000Mi
+ # -- Configure the liveness healthcheck for OpenDJ if needed.
+ # https://github.com/JanssenFederation/docker-opendj/blob/master/scripts/healthcheck.py
+ livenessProbe:
+ # -- Executes the python3 healthcheck.
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 20
+ # -- Configure the readiness healthcheck for OpenDJ if needed.
+ # https://github.com/JanssenFederation/docker-opendj/blob/master/scripts/healthcheck.py
+ readinessProbe:
+ tcpSocket:
+ port: 1636
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: {}
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}
+# -- Job to generate data and intial config for Janssen Server persistence layer.
+persistence:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/persistence-loader
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: []
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: {}
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}
+# -- System for Cross-domain Identity Management (SCIM) version 2.0
+scim:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/scim
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.14
+ # -- Image Pull Secrets
+ pullSecrets: []
+ # -- Service replica number.
+ replicas: 1
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 1000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1000Mi
+ service:
+ # -- The name of the scim port within the scim service. Please keep it as default.
+ name: http-scim
+ # -- Port of the scim service. Please keep it as default.
+ port: 8080
+ # -- Configure the liveness healthcheck for SCIM if needed.
+ livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the SCIM if needed.
+ readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: {}
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}