-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathvalues.yaml
248 lines (247 loc) · 8.9 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
###############################################################
# Copyright (c) 2022 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################
keycloak:
auth:
adminUser: admin
# -- centralidp Keycloak administrator password.
adminPassword: ""
# -- Secret containing the password for admin username 'admin'.
existingSecret: ""
# -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
production: false
# -- Setting the path relative to '/' for serving resources:
# as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'.
# ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
httpRelativePath: /auth/
replicaCount: 1
extraVolumes:
- name: themes
emptyDir: {}
extraVolumeMounts:
- name: themes
mountPath: /opt/bitnami/keycloak/themes/catenax-central
initContainers:
- name: import
image: docker.io/tractusx/portal-iam:v4.0.1
imagePullPolicy: IfNotPresent
command:
- sh
args:
- -c
- |
echo "Copying themes..."
cp -R /import/themes/catenax-central/* /themes
volumeMounts:
- name: themes
mountPath: /themes
service:
sessionAffinity: ClientIP
ingress:
# -- Enable ingress record generation
enabled: false
ingressClassName: ""
# -- Provide default path for the ingress record.
hostname: ""
# -- Optional annotations when using the nginx ingress class;
# Enable TLS configuration for the host defined at `ingress.hostname` parameter;
# TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
# Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
annotations: {}
# cert-manager.io/cluster-issuer: ""
# nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
# nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
# nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org"
# nginx.ingress.kubernetes.io/enable-cors: "true"
# nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
# nginx.ingress.kubernetes.io/proxy-buffering: "on"
# nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
# nginx.ingress.kubernetes.io/use-regex: "true"
tls: false
rbac:
create: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
postgresql:
# -- PostgreSQL chart configuration (recommended for demonstration purposes only);
# default configurations:
# host: "centralidp-postgresql",
# port: 5432;
# Switch to enable or disable the PostgreSQL helm chart.
enabled: true
# -- Setting to Postgres version 15 as that is the aligned version,
# https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions).
# Keycloak helm-chart from Bitnami has moved on to version 16.
image:
tag: 15-debian-11
commonLabels:
app.kubernetes.io/version: "15"
auth:
# -- Non-root username.
username: kccentral
# -- Non-root user password.
password: ""
# -- Root user password.
postgresPassword: ""
# -- Database name.
database: iamcentralidp
# -- Secret containing the passwords for root usernames postgres and non-root username kccentral.
existingSecret: ""
architecture: standalone
externalDatabase:
# -- External PostgreSQL configuration
# IMPORTANT: non-root db user needs needs to be created beforehand on external database.
host: ""
# -- Database port number.
port: 5432
# -- Non-root username.
user: ""
# -- Database name.
database: ""
# -- Password for the non-root username.
password: ""
# -- Secret containing the database credentials.
existingSecret: ""
existingSecretHostKey: ""
existingSecretPortKey: ""
existingSecretUserKey: ""
existingSecretDatabaseKey: ""
existingSecretPasswordKey: ""
# -- Seeding job to create and update the CX-Central realm:
# besides creating the CX-Central realm, the job can be used to update
# the configuration of the realm when upgrading to a new version;
# Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details.
# Please also refer to the 'Post-Upgrade Configuration' section in the README.md
# for configuration possibly not covered by the seeding job.
realmSeeding:
enabled: true
sslRequired: external
# -- Set redirect addresses and - in the case of confidential clients - clients secrets
# for clients which are part of the basic CX-Central realm setup;
# SET client secrets for all non-testing and non-local purposes, default value is autogenerated.
clients:
registration:
redirects:
- https://portal.example.org/*
portal:
rootUrl: https://portal.example.org/home
redirects:
- https://portal.example.org/*
semantics:
redirects:
- https://portal.example.org/*
miw:
clientSecret: ""
redirects:
- https://managed-identity-wallets.example.org/*
bpdm:
clientSecret: ""
redirects:
- https://partners-pool.example.org/*
bpdmGate:
clientSecret: ""
redirects:
- https://partners-gate.example.org/*
bpdmOrchestrator:
clientSecret: ""
# -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value.
existingSecret: ""
# -- Client secrets for service accounts which are part of the basic CX-Central realm setup;
# SET client secrets for all non-testing and non-local purposes, default value is autogenerated.
serviceAccounts:
clientSecrets:
- clientId: sa-cl1-reg-2
clientSecret: ""
- clientId: sa-cl2-01
clientSecret: ""
- clientId: sa-cl2-02
clientSecret: ""
- clientId: sa-cl2-03
clientSecret: ""
- clientId: sa-cl2-04
clientSecret: ""
- clientId: sa-cl2-05
clientSecret: ""
- clientId: sa-cl3-cx-1
clientSecret: ""
- clientId: sa-cl5-custodian-2
clientSecret: ""
- clientId: sa-cl7-cx-1
clientSecret: ""
- clientId: sa-cl7-cx-5
clientSecret: ""
- clientId: sa-cl7-cx-7
clientSecret: ""
- clientId: sa-cl8-cx-1
clientSecret: ""
- clientId: sa-cl21-01
clientSecret: ""
- clientId: sa-cl22-01
clientSecret: ""
- clientId: sa-cl24-01
clientSecret: ""
- clientId: sa-cl25-cx-1
clientSecret: ""
- clientId: sa-cl25-cx-2
clientSecret: ""
- clientId: sa-cl25-cx-3
clientSecret: ""
# -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value.
existingSecret: ""
# -- Set value for the 'bpn' user attribute for the initial user and the base service account users.
bpn: BPNL00000003CRHK
# -- Set sharedidp address to enable the identity provider connection to CX-Operator realm.
sharedidp: https://sharedidp.example.org
# -- Set client secrets and bpn user attribute for additional service accounts;
# meant to enable possible test data, default value for client secrets is autogenerated.
extraServiceAccounts:
clientSecretsAndBpn: []
# - clientId: sa-test-01
# clientSecret: ""
# bpn: TBD1
# - clientId: sa-test-02
# clientSecret: ""
# bpn: TBD2
# -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value.
existingSecret: ""
image:
name: docker.io/tractusx/portal-iam-seeding:v4.0.1-iam
pullPolicy: IfNotPresent
initContainer:
image:
name: docker.io/tractusx/portal-iam:v4.0.1
pullPolicy: IfNotPresent
portContainer: 8080
keycloakServicePort: 80
keycloakServiceTls: false
# -- We recommend to review the default resource limits as this should a conscious choice.
resources:
requests:
cpu: 250m
memory: 850M
ephemeral-storage: 50Mi
limits:
cpu: 750m
memory: 850M
ephemeral-storage: 1024Mi