Commit 384198eb authored by Adam Lewenberg

more work on README

parent a85a0192
......@@ -105,17 +105,24 @@ service is running properly. We cannot use the default health-check so we
create a custom health-check using a BackendConfig. See the
["BackendConfig"](#backendconfig) section below for more details.
### FrontendConfig
### Custom Resource Definitions (CRDs)
[`templates/frontend-crd.yaml`](templates/frontend-crd.yaml)
This configuration points to the Google SSL policy that enforces the
We use two [Custom Resource Definitions (CRDs)][3]: a FrontendConfig and a
BackendConfig. These two CRDs are only suppoted in GKE. See also
["Configuring Ingress features"][4].
#### FrontendConfig CRD
[`templates/frontend-crd.yaml`](templates/frontend-crd.yaml) This
FrontendConfig CRD points to the Google SSL policy that enforces the
minimum version of TLS as well as allowed cipher suites. The name of this
policy is set in the `values.yaml` setting `sslpolicy`. This Google SSL
Policy is _not_ managed by this Helm chart, rather, it must be managed
externally. Default value: `minimum-tls-12`.
policy is set in the [`values.yaml`](values.yaml) setting
`sslpolicy`. This Google SSL Policy is _not_ managed by this Helm chart,
rather, it must be managed externally. Default value: `minimum-tls-12`.
Here is an example of how you might create this policy using terraform:
Here is an example of how you might create this policy using Terraform:
```
# example.tf
resource "google_compute_ssl_policy" "ssl_policy_minimum_tls_12" {
name = "minimum-tls-12"
profile = "MODERN"
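Review bot: typo in the added sentence "These two CRDs are only suppoted in GKE" (should read "supported"). While touching that line, it would help readers of the README to say what happens when the chart is installed on a non-GKE cluster, since the FrontendConfig and BackendConfig kinds will not exist there; a single sentence after the link to "Configuring Ingress features" would do. The rest of the hunk reads consistently: demoting "### FrontendConfig" to "#### FrontendConfig CRD" under the new "### Custom Resource Definitions (CRDs)" heading and linking `values.yaml` are both improvements.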
......@@ -123,7 +130,7 @@ resource "google_compute_ssl_policy" "ssl_policy_minimum_tls_12" {
}
```
### BackendConfig
#### BackendConfig CRD
[`templates/backend-crd.yaml`](templates/backend-crd.yaml)
The Ingress uses a health-check to the backend Service to determine if the
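Review bot: style inconsistency between the two CRD subsections. In the FrontendConfig section the file link is folded into the opening sentence ("[`templates/frontend-crd.yaml`](templates/frontend-crd.yaml) This FrontendConfig CRD points to ..."), whereas here "[`templates/backend-crd.yaml`](templates/backend-crd.yaml)" stands alone on its own line before "The Ingress uses a health-check ...". Pick one form for both subsections; the standalone link line is easier to scan, so consider restoring that form in the FrontendConfig section as well.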
......@@ -131,7 +138,7 @@ service is running properly. By default this health-check makes a request
to the URL path "/" on port 80. That health-check does not work for our
SAML application as the request will simply be redirected to the SAML
IdP. To get around this, we create a custom health-check using a
BackendConfig. This BackendConfig tells the Ingress to make an HTTP GET to
BackendConfig CRD. This BackendConfig tells the Ingress to make an HTTP GET to
the path `/Shibboleth.sso/Metadata` which is _not_ SAML-protected.
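Review bot: the description of the custom health check is missing the port and the expected response. The preceding sentence states that the default check requests "/" on port 80, but the replacement sentence ("This BackendConfig tells the Ingress to make an HTTP GET to the path `/Shibboleth.sso/Metadata`") says nothing about which port or which HTTP status the BackendConfig expects, so an operator debugging an unhealthy backend cannot tell from the README whether the check itself is misconfigured. Suggest adding those two details, e.g. "... on port N and expects a 200 response", taken from the values actually set in `templates/backend-crd.yaml`.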
......@@ -156,3 +163,7 @@ The SAML entity ID for this Service Provider will be the URL
[1]: https://github.com/kubernetes-sigs/external-dns
[2]: https://code.stanford.edu/orange/docker-apache-shib
[3]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
[4]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features