Commit 4c92d6fc authored by Adam Lewenberg

add APP_NAMESPACE chart value

parent d4561d27
......@@ -4,7 +4,7 @@
## Introduction
This is an Helm project that creates a Deployment of the
This is a Helm project that creates a Deployment of the
[Apache+Shibboleth Docker container][2] optimized for GCP (Google Cloud
Platform). This project is intended to be used as a [_subchart_][5] for
other Helm charts.
......@@ -51,14 +51,14 @@ certificates](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-cer
### Application Configuration
The following two settings are required and must be overridden:
The following two settings are required and should be overridden:
* `APP_ENV`: the applications's "environment"; typically one of `dev`,
`text`, `uat`, etc. Default: `dev`.
* `APP_NAMESPACE`: this is used to distinguish different instances of this
chart from others. For example, `myapp1-dev`, `myapp2-dev`,
myapp1-uat`. Default: `apache-shib`.
* `SERVER_NAME`: The fully-qualified endpoint name for this application.
Default: `apache-shib-dev.example.com`.
Default: `apache-shib.example.com`.
## Kubernetes Resources
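Review bot: softening "must be overridden" to "should be overridden" in the second line contradicts values.yaml, which still says "these MUST be overridden"; keep "must" in both places, since the chart now derives every resource name and both secret names from `APP_NAMESPACE`. Two smaller problems in the same hunk: `text` in the `APP_ENV` bullet looks like a typo for `test`, and the third example in the `APP_NAMESPACE` bullet is missing its opening backtick (`myapp1-uat`` renders as a stray backtick). It would also help to state that `APP_NAMESPACE` must be a valid DNS label (lowercase letters, digits and hyphens, starting with a letter) because it becomes the Service and ManagedCertificate name.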
......@@ -72,8 +72,13 @@ traffic.
### Service
[`templates/service.yaml`](templates/service.yaml) A NodePort Service is
created that listens on port 80. This service sites between the Ingress
and the Pod.
created that listens on port 80. This service sits between the Ingress and
the Pod.
### ManagedCertificate
We create a MangedCertificate resource with the name `APP_NAMESPACE` and
subject `SERVER_NAME`.
### Ingress
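Review bot: "MangedCertificate" in the new section is a typo for "ManagedCertificate". The sentence should also format the two value names as code (`APP_NAMESPACE`, `SERVER_NAME`) like the rest of the README, and say explicitly that the resource name must match the `networking.gke.io/managed-certificates` annotation on the Ingress, since both now come from the same value and a mismatch silently leaves the Ingress without a certificate.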
......@@ -146,10 +151,10 @@ the path `/Shibboleth.sso/Metadata` which is _not_ SAML-protected.
This Helm chart does *not* setup or provision any Kubernetes secrets: you
must create them independently. The secrets needed are:
* `apache-shib-<APP_ENV>-saml-key`: the private key portion of the SAML
* `APP_NAMESPACE-saml-key`: the private key portion of the SAML
Service provider public/private key pair.
* `apache-shib-<APP_ENV>-saml-crt`: the public key portion of the SAML
* `APP_NAMESPACE-saml-crt`: the public key portion of the SAML
Service provider public/private key pair.
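Review bot: the new secret names drop the angle-bracket placeholder convention of the lines they replace (`apache-shib-<APP_ENV>-saml-key`); write them as `<APP_NAMESPACE>-saml-key` and `<APP_NAMESPACE>-saml-crt` so nobody creates a Secret literally named `APP_NAMESPACE-saml-key`. This is also a breaking rename for existing installs: with the default `APP_NAMESPACE` of `apache-shib`, the Deployment now mounts `apache-shib-saml-key` where it previously mounted `apache-shib-dev-saml-key`, so the README (or the commit message) should tell operators to recreate the secrets under the new names before upgrading, otherwise the Pod stays in ContainerCreating waiting for a missing Secret.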
......
{{- $APP_NAMESPACE := print .Chart.Name "-" .Values.APP_ENV -}}
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
name: {{ $APP_NAMESPACE }}
name: {{ .Values.APP_NAMESPACE }}
spec:
domains:
- {{ .Values.SERVER_NAME }}
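Review bot: with the `$APP_NAMESPACE` local removed, nothing guards against an unset value; `name: {{ required "APP_NAMESPACE must be set" .Values.APP_NAMESPACE }}` would fail the render with a clear message instead of emitting a ManagedCertificate with an empty `metadata.name`, which only fails later at apply time. The same guard is worth adding to `.Values.SERVER_NAME` under `domains`, since an empty domain list is equally useless.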
......
{{- $APP_NAMESPACE := print .Chart.Name "-" .Values.APP_ENV -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $APP_NAMESPACE }}
name: {{ .Values.APP_NAMESPACE }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
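Review bot: `metadata.name` here should get a `required` guard on `.Values.APP_NAMESPACE` (Helm's `required` function) so a missing value fails `helm template` rather than producing a nameless Deployment. Also confirm that the `spec.selector` and pod template labels, which are outside this hunk, were not derived from the removed `$APP_NAMESPACE` local: any remaining `{{ $APP_NAMESPACE }}` in the file is now an undefined variable and the template fails to parse.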
......@@ -50,7 +49,7 @@ spec:
volumes:
- name: saml-crt
secret:
secretName: "{{ $APP_NAMESPACE }}-saml-crt"
secretName: "{{ .Values.APP_NAMESPACE }}-saml-crt"
- name: saml-key
secret:
secretName: "{{ $APP_NAMESPACE }}-saml-key"
secretName: "{{ .Values.APP_NAMESPACE }}-saml-key"
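Review bot: the two `secretName` values must stay in lockstep with the secret names documented in the README, and both now depend on `APP_NAMESPACE` being set; an empty value renders `secretName: "-saml-crt"`, which the API server rejects as an invalid name only at apply time. Since the same expression is now repeated across the Deployment, Service, Ingress and ManagedCertificate templates, consider computing it once in a named template in `_helpers.tpl` (for example a `fullname` helper that also applies the `required` check) so a future rename is a one-line change.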
{{- $APP_NAMESPACE := print .Chart.Name "-" .Values.APP_ENV -}}
{{- if .Values.ingress.enabled -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
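Review bot: removing the `$APP_NAMESPACE` definition on the first line is only safe if every later `{{ $APP_NAMESPACE }}` in this template is also replaced; the following hunk swaps the four visible uses, but grep the whole file for any remaining reference, because Go templates reject an undefined variable at parse time and the error would surface as a failed `helm template` rather than a wrong manifest.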
......@@ -7,14 +6,14 @@ apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $APP_NAMESPACE }}
name: {{ .Values.APP_NAMESPACE }}
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.SERVER_NAME }}"
networking.gke.io/managed-certificates: {{ $APP_NAMESPACE }}
external-dns.alpha.kubernetes.io/hostname: {{ .Values.SERVER_NAME }}
networking.gke.io/managed-certificates: {{ .Values.APP_NAMESPACE }}
kubernetes.io/ingress.allow-http: "false"
networking.gke.io/v1beta1.FrontendConfig: "http-ssl-policy-minimum-12"
networking.gke.io/v1beta1.FrontendConfig: http-ssl-policy-minimum-12
spec:
backend:
serviceName: {{ $APP_NAMESPACE }}
serviceName: {{ .Values.APP_NAMESPACE }}
servicePort: 80
{{- end }}
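Review bot: dropping the quotes around the `external-dns.alpha.kubernetes.io/hostname` and `networking.gke.io/v1beta1.FrontendConfig` annotation values is unrelated to the `APP_NAMESPACE` change and slightly risky: annotation values must be strings, and an unquoted value that YAML parses as something else (a hostname made only of digits, or a value like `yes` or `no`) is rejected by the API server. `kubernetes.io/ingress.allow-http: "false"` keeps its quotes for exactly this reason, so keep the other two, and `networking.gke.io/managed-certificates`, quoted as well.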
{{- $APP_NAMESPACE := print .Chart.Name "-" .Values.APP_ENV -}}
apiVersion: v1
kind: Service
metadata:
name: {{ $APP_NAMESPACE }}
name: {{ .Values.APP_NAMESPACE }}
annotations:
cloud.google.com/backend-config: '{"ports": {"80":"http-hc-config-shib"}}'
spec:
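Review bot: `metadata.name` here becomes the Service name that the Ingress `backend.serviceName` must match, so the two templates must render the value identically (they do, since both read `.Values.APP_NAMESPACE`). Note that a Service name follows the stricter DNS-1035 label rules (starts with a letter, lowercase alphanumerics and hyphens, at most 63 characters), which is the constraint the README should state for `APP_NAMESPACE`.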
......
......@@ -4,11 +4,11 @@
###
### Application settings (these MUST be overridden)
# APP_ENV is typically something like "dev", "test", "prod", etc.
APP_ENV: dev
# APP_NAMESPACE is typically something like "myapp1-dev" or the like.
APP_ENV: apache-shib
# The endpoint name
SERVER_NAME: apache-shib-dev.example.com
SERVER_NAME: apache-shib.example.com
###
### Additional application settings (overriding is optional)
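Review bot: the new line `APP_ENV: apache-shib` is a copy-paste error; per the comment directly above it and the README, it should read `APP_NAMESPACE: apache-shib`. As written, values.yaml defines `APP_ENV` twice, so depending on the YAML parser either the file is rejected for a duplicate key or `APP_ENV` silently becomes `apache-shib`, and `.Values.APP_NAMESPACE` is never defined at all. That means every `{{ .Values.APP_NAMESPACE }}` introduced in this commit renders empty with the defaults: the Deployment, Service, Ingress and ManagedCertificate get no `metadata.name`, and the secret volumes reference `-saml-crt` and `-saml-key`. A `helm lint` or `helm template .` run against the default values would have caught this before merge.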
......