CNC Console IAM Helm configurable values: custom-cncc-iam_values_1.1.0.yaml
(for Helm chart version 1.1.0)
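# Values for the keycloak sub-chart (CNC Console IAM).
# Admin and database credentials are read from pre-existing Kubernetes Secrets
# named below; no password is stored in this file.
keycloak:
  image:
    repository: ocspf-registry.us.oracle.com:5000/ocscp/cncc/cncc-iam
    tag: 1.1.0
    pullPolicy: Always
  ## Username for the initial CNCConsole-IAM admin user
  username: admin
  # Specifies an existing secret to be used for the admin password
  existingSecret: cncc-iam-secret
  # The key in the existing secret that stores the password
  existingSecretKey: iamAdminPasswordKey
  serviceAccount:
    # Specifies whether a service account should be created
    create: false
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    # (left empty here, which YAML parses as null)
    name:
  ## Persistence configuration
  persistence:
    # The database vendor. Can be either "mysql", "mariadb", or "h2"
    dbVendor: mysql
    ## The database name, host and port
    ## If dbVendor is "mysql", then the database should be created in mysql prior to installing cncc-iam
    dbName: cnccdb
    dbHost: ""
    dbPort: ""
    ## Database credentials are loaded from a Secret residing in the same Namespace as keycloak.
    ## The chart can read credentials from an existing Secret OR it can provision its own Secret.
    ## Specify existing Secret
    # If set, specifies the name of an existing Secret to read db credentials from.
    existingSecret: cncc-db-secret
    existingSecretPasswordKey: dbPasswordKey  # read keycloak db password from existingSecret under this key
    existingSecretUsernameKey: dbUserNameKey  # read keycloak db user from existingSecret under this key
  service:
    # In-cluster HTTP port of Keycloak; the ingress-gateway routes below target it
    httpPort: 8285
  resources:
    limits:
      cpu: 2
      memory: 2Gi
    requests:
      cpu: 1
      memory: 1Gi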
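# Values for the ingress-gateway sub-chart that fronts CNC Console IAM.
# TLS material (keys, certificates, CA bundle, store passwords) is read from the
# Kubernetes Secret named in service.ssl; nothing sensitive is stored in this file.
ingress-gateway:
  global:
    # Docker registry name
    dockerRegistry: ocspf-registry.us.oracle.com:5000/ocscp
    # If https is enabled, this Port would be HTTP/1.0 Port (unsecured)
    # If https is disabled, this Port would be HTTPS/1.0 Port (secured SSL)
    # NOTE(review): the two lines above read inverted (https enabled -> unsecured port);
    # confirm the intended mapping against the chart templates before relying on it.
    publicHttpSignalingPort: 8080
    publicHttpsSignallingPort: 8443
    serviceAccountName: ''
    # Specify type of service - Possible values are: ClusterIP, NodePort, LoadBalancer and ExternalName
    # LoadBalancer exposes the gateway outside the cluster; with enableIncomingHttp: true
    # (see below) the IAM admin console is then reachable over plaintext HTTP.
    type: LoadBalancer
    # Enable or disable IP Address allocation from Metallb Pool
    metalLbIpAllocationEnabled: true
    # Address Pool Annotation for Metallb
    metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: oam"
    # If a static load balancer IP needs to be set, set staticIpAddressEnabled to true and provide staticIpAddress
    # Else a random IP will be assigned by MetalLB from its IP pool
    staticIpAddressEnabled: false
    staticIpAddress: 10.75.212.60
    # If a static node port needs to be set, set staticNodePortEnabled to true and provide the node ports
    # Else a random node port will be assigned by K8s
    staticNodePortEnabled: false
    staticHttpNodePort: 30085
    staticHttpsNodePort: 30053
  image:
    # image name
    name: cncc/cncc-apigateway-api-tag
    # tag name of image
    tag: helm-tag
    # Pull Policy - Possible Values are: Always, IfNotPresent, Never
    pullPolicy: Always
  initContainersImage:
    # init Containers image name
    name: cncc/apigw-configurationinit-init-tag
    # tag name of init Container image
    tag: helm-tag
    # Pull Policy - Possible Values are: Always, IfNotPresent, Never
    pullPolicy: Always
  updateContainersImage:
    # update Containers image name
    name: cncc/apigw-configurationupdate-update-tag
    # tag name of update Container image
    tag: helm-tag
    # Pull Policy - Possible Values are: Always, IfNotPresent, Never
    pullPolicy: Always
  service:
    ssl:
      # Every key, certificate, CA bundle and store password below is read from the
      # Secret cncc-iam-ingress-secret in namespace cncc (fileName = key inside the Secret).
      tlsVersion: TLSv1.2
      privateKey:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
      certificate:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: ssl_rsa_certificate.crt
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
      caBundle:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_keystore.txt
      trustStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_truststore.txt
      initialAlgorithm: RSA256
  ports:
    # ContainerPort represents a network port in a single container
    containerPort: 8081
    containersslPort: 8443
    actuatorPort: 9090
  # Set the root log level
  log:
    level:
      root: WARN
      ingress: INFO
  readinessProbe:
    # tells the kubelet that it should wait this many seconds before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform the probe every xx seconds
    periodSeconds: 10
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  livenessProbe:
    # tells the kubelet that it should wait this many seconds before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 15
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  # Resource details
  resources:
    limits:
      cpu: 2
      initServiceCpu: 1
      updateServiceCpu: 1
      memory: 2Gi
      updateServiceMemory: 1Gi
      initServiceMemory: 1Gi
    requests:
      cpu: 1
      initServiceCpu: 0.5
      updateServiceCpu: 0.5
      memory: 1Gi
      updateServiceMemory: 0.5Gi
      initServiceMemory: 0.5Gi
    target:
      averageCpuUtil: 80
  # Number of Pods that must always be available, even during a disruption.
  minAvailable: 1
  # Min replicas to scale to maintain an average CPU utilization
  minReplicas: 1
  # Max replicas to scale to maintain an average CPU utilization
  maxReplicas: 5
  # To Initialize SSL related infrastructure in init/update container
  initssl: false
  # Server Configuration for http and https support
  # These defaults accept plaintext HTTP only. For a production deployment set
  # enableIncomingHttps: true and enableIncomingHttp: false (presumably initssl: true
  # as well — confirm), and add the addRequestHeader filter to every route as described
  # in the note that follows this file.
  enableIncomingHttp: true  # 'true' only in case of http
  enableIncomingHttps: false  # 'true' only in case of https
  # All listed suites are forward-secret (ECDHE/DHE) AEAD suites; keep the lists
  # restricted to suites of this kind.
  allowedCipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # Certificate hot-reload endpoint. NOTE(review): if enabled, confirm which port serves
  # this path and that it is not reachable by untrusted clients.
  ingressGwCertReloadEnabled: false
  ingressGwCertReloadPath: /ingress-gw/certificate/reload
  # Backend URIs are plain HTTP inside the cluster (keycloak service.httpPort 8285);
  # when HTTPS is enabled on the gateway, the X-Forwarded-Proto header tells Keycloak
  # the original scheme, so the backend port should be reachable only through the gateway.
  routesConfig:
    # Examples for routes cncc-iam.
    # Note: Enable addRequestHeader whenever https is enabled
    #- id: cncc-iam_route
    #  uri: http://cncc-iam-http.cncc.svc.cluster.local:8285
    #  path: /
    #  #filters:
    #  #  addRequestHeader: # Enable this filter only incase of https
    #  #    - name: X-Forwarded-Proto
    #  #      value: https
    #- id: cncc-iam_route
    #  uri: http://cncc-iam-http.cncc.svc.cluster.local:8285
    #  path: /cncc/auth/**
    #  #filters:
    #  #  addRequestHeader:
    #  #    - name: X-Forwarded-Proto
    #  #      value: https
    - id: cncc-iam_login_route
      uri: http://<helmrelease>-http.<namespace>.<domain>:8285
      path: /
      filters:
        prefixPath: /cncc/auth/admin
        # addRequestHeader: # Enable this filter only incase of https
        #   - name: X-Forwarded-Proto
        #     value: https
    - id: cncc-iam_route
      uri: http://<helmrelease>-http.<namespace>.<domain>:8285
      path: /cncc/auth/**
      #filters:
      #  addRequestHeader: # Enable this filter only incase of https
      #    - name: X-Forwarded-Proto
      #      value: https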
Note:
When CNCC IAM is enabled with HTTPS, all the routes must be appended with the addRequestHeader
filter. The updated routesConfig under the ingress section in values.yaml will then be as
follows:
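# routesConfig for an HTTPS-enabled gateway: every route carries the addRequestHeader
# filter so Keycloak learns that the client connection used https even though the
# hop to the backend (port 8285) is plain HTTP. Because the backend trusts this header,
# keep port 8285 reachable only through the gateway (TODO confirm it is not exposed externally).
routesConfig:
  - id: cncc-iam_login_route
    uri: http://<helmrelease>-http.<namespace>.<domain>:8285
    path: /
    filters:
      prefixPath: /cncc/auth/admin
      addRequestHeader: # Enable this filter only incase of https
        - name: X-Forwarded-Proto
          value: https
  - id: cncc-iam_route
    uri: http://<helmrelease>-http.<namespace>.<domain>:8285
    path: /cncc/auth/**
    filters:
      addRequestHeader: # Enable this filter only incase of https
        - name: X-Forwarded-Proto
          value: https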