From 1186a18ed42a749cd996ce0d8cb0a2c237069882 Mon Sep 17 00:00:00 2001
From: "e.kitova"
Date: Fri, 31 Jan 2025 10:47:07 +0300
Subject: [PATCH] gefest-1518: keys api envs role model
---
 charts/keys/README.md | 63 ++++++++++++++++---------------
 charts/keys/templates/helpers.tpl | 6 ++-
 charts/keys/values.yaml | 6 ++-
 3 files changed, 40 insertions(+), 35 deletions(-)
diff --git a/charts/keys/README.md b/charts/keys/README.md
index 4674410f..04c99250 100644
--- a/charts/keys/README.md
+++ b/charts/keys/README.md
@@ -82,37 +82,38 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about ### API service settings -| Name | Description | Value | -| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -| `api.adminUsers` | Usernames and passwords of admin users. Format: `username1:password1,username2:password2`. | `""` | -| `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` | -| `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` | -| `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` | -| `api.oidc.enable` | If OIDC authentication is enabled. | `false` | -| `api.oidc.enableSignlePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` | -| `api.oidc.url` | URL of the OIDC provider. | `""` | -| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` | -| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` | -| `api.oidc.defaultPartner` | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** | | -| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` | -| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` | -| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` | -| `api.replicas` | A replica count for the pod. 
| `1` | -| `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` | -| `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` | -| `api.strategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be created over the desired number of pods when doing [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | `0` | -| `api.strategy.rollingUpdate.maxSurge` | Maximum number of pods that can be unavailable during the [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) process. | `1` | -| `api.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | -| `api.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | -| `api.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | -| `api.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | -| `api.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` | -| `api.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` | -| `api.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` | -| `api.service.annotations` | Kubernetes [service annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). 
| `{}` | -| `api.service.labels` | Kubernetes [service labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | -| `api.service.type` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). | `ClusterIP` | -| `api.service.port` | Service port. | `80` | +| Name | Description | Value | +|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- | +| `api.adminUsers` | Usernames and passwords of admin users. Format: `username1:password1,username2:password2`. | `""` | +| `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` | +| `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` | +| `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` | +| `api.oidc.enable` | If OIDC authentication is enabled. | `false` | +| `api.oidc.enableSinglePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` | +| `api.oidc.enableExternalProvider` | Enable external oidc provider: do not have access to manage users. | `false` | +| `api.oidc.url` | URL of the OIDC provider. | `""` | +| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` | +| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` | +| `api.oidc.defaultPartner` | **Settings for single partner mode feature. 
Info specified here will be returned in responses from Auth API** | | +| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` | +| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` | +| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` | +| `api.replicas` | A replica count for the pod. | `1` | +| `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` | +| `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` | +| `api.strategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be created over the desired number of pods when doing [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | `0` | +| `api.strategy.rollingUpdate.maxSurge` | Maximum number of pods that can be unavailable during the [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) process. | `1` | +| `api.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | +| `api.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | +| `api.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` | +| `api.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` | +| `api.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` | +| `api.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). 
| `{}` |
+| `api.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |
+| `api.service.annotations` | Kubernetes [service annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
+| `api.service.labels` | Kubernetes [service labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
+| `api.service.type` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). | `ClusterIP` |
+| `api.service.port` | Service port. | `80` |
 ### Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) settings
diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl
index d57c0d4e..9a2882bb 100644
--- a/charts/keys/templates/helpers.tpl
+++ b/charts/keys/templates/helpers.tpl
@@ -125,8 +125,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 value: "{{ .Values.featureFlags.enableAudit }}"
 - name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN
 value: "{{ .Values.featureFlags.enablePublicAPISign }}"
-- name: KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES
- value: "{{ .Values.api.oidc.enableSignlePartnerMode }}"
+- name: KEYS_FEATURE_FLAGS_SINGLE_PARTNER_MODE
+ value: "{{ .Values.api.oidc.enableSinglePartnerMode }}"
+- name: KEYS_FEATURE_FLAGS_EXTERNAL_OIDC
+ value: "{{ .Values.api.oidc.enableExternalProvider }}"
 - name: KEYS_FEATURE_FLAGS_OIDC
 value: "{{ .Values.api.oidc.enable }}"
 {{- end }}
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
index fc51d6d8..0b4b4349 100644
--- a/charts/keys/values.yaml
+++ b/charts/keys/values.yaml
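Review bot: Renaming the values key from `api.oidc.enableSignlePartnerMode` to `api.oidc.enableSinglePartnerMode` means any existing override that still uses the old spelling is silently ignored by Helm, so the rendered `KEYS_FEATURE_FLAGS_SINGLE_PARTNER_MODE` falls back to the new default `false` and an upgrade can switch off an authorization-relevant mode without any error. Since the old key was documented in the README, a guard that fails rendering when it is still present is cheap, e.g. `{{- if hasKey .Values.api.oidc "enableSignlePartnerMode" }}{{ fail "api.oidc.enableSignlePartnerMode was renamed to api.oidc.enableSinglePartnerMode" }}{{- end }}` placed before this env list, together with an upgrade note in the chart's changelog. The env var name itself also changes from `KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES` to `KEYS_FEATURE_FLAGS_SINGLE_PARTNER_MODE`, which presumably requires a matching application release; if so, the chart `appVersion`/`version` should move in the same change, and this patch does not touch them. The enclosing template definition begins before this hunk, so the best place for the guard is not visible here.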
@@ -157,7 +157,8 @@ api:
 # -----END CERTIFICATE-----
 # @param api.oidc.enable If OIDC authentication is enabled.
- # @param api.oidc.enableSignlePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
+ # @param api.oidc.enableSinglePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
+ # @param api.oidc.enableExternalProvider Enable external oidc provider: do not have access to manage users.
 # @param api.oidc.url URL of the OIDC provider.
 # @param api.oidc.retryCount Maximum number of retries for requests to OIDC provider.
 # @param api.oidc.timeout Timeout for requests to OIDC provider.
@@ -168,7 +169,8 @@ api:
 oidc:
 enable: false
- enableSignlePartnerMode: false
+ enableSinglePartnerMode: false
+ enableExternalProvider: false
 url: ''
 retryCount: 3
 timeout: 3s
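Review bot: The new `@param api.oidc.enableExternalProvider` description, "Enable external oidc provider: do not have access to manage users.", does not say who loses which capability, and it leaves the relationship to `enableSinglePartnerMode` (whose text says it is "needed when external OIDC provider is used") unstated. Suggest `# @param api.oidc.enableExternalProvider Use an external OIDC provider; when enabled the service cannot manage users itself (typically combined with enableSinglePartnerMode).`, keeping the last clause only if that coupling is real, and mirroring the wording in the README row. The `false` default added in the second hunk is the right conservative choice, since the value is rendered unchanged into `KEYS_FEATURE_FLAGS_EXTERNAL_OIDC` in helpers.tpl.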