Commit 76c8bfec authored by Adam Lewenberg

more README work

parent 17834e2b
......@@ -7,7 +7,7 @@
This is an _example_ Helm project that creates a Deployment of the
[Apache+Shibboleth Docker
container](https://code.stanford.edu/orange/docker-apache-shib) optimized
for GCP (google Cloud Platform). This project is intended as a template
for GCP (Google Cloud Platform). This project is intended as a template
for creating other Helm projects that use Docker containers based on the
Apache+Shibboleth Docker container.
......@@ -28,17 +28,97 @@ The architecture follows the standard GCP Ingress model:
+---------------------------------------------------------------------+
```
## Requirements
* [externalDNS](): an instance of externalDNS must be running in your Kubernetes cluster
so that the IP address used by the Ingress will be associated with the server name.
* a version of Kubernetes supporting ManagedCertificates; see also [Using
Google-managed SSL
certificates](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs).
## Helm
## Configuration
* `APP_ENV`
### Application Configuration
The following two settings are required and must be overridden:
* `APP_ENV`: the applications's "environment"; typically one of `dev'`,
`text`, `uat`, etc. Default: `dev`.
* `SERVER_NAME`: The fully-qualified endpoint name for this application.
Default: `apache-shib-demo-dev.example.com`.
### GCP Configuration
## Kubernetes Resources
### Deployment
The Deployment creates a replica set using the [apache-shib
Docker](https://code.stanford.edu/et-iedo/docker/docker-apache-shib)
container.
### Service
[`templates/service.yaml`]
A NodePort Service is created that listens on port 80. This service is
intended to sit behind an Ingress.
### Ingress
[`templates/ingress.yaml`]
The Ingress serves as the TLS endpoint for the service using the
registered name `SERVER_NAME`. The DNS entry imapping the IP address to
`SERVER_NAME` is created in Google DNS using
[externalDNS](https://github.com/kubernetes-sigs/external-dns).
This chart creates a ManagedCertificate object so that GCP will
automatically provision and update the TLS certificate that the HTTP Load
Balancer uses as the termination point.
The Ingress uses a FrontendConfig to enforce the use of TLS 1.2 or later.
We configure the Ingress to accept only connections via HTTPS. Connections
using HTTP will come back with a 404 error.(GKE supports
automatic HTTP-to-HTTPS redirects in version 1.18.10-gke.600; see
[Configuring Ingress
features](https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features)
for more information.
#### Ingress Health Check
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. We cannot use the default health-check so we
create a custom health-check using a BackendConfig. See the
"BackendConfig" section below for more details.
### FrontendConfig
[`templates/frontend-crd.yaml`]
This configuration points to the Google SSL policy that enforces the
minimum version of TLS as well as allowed cipher suites. The name of this
policy is set in the `values.yaml` setting `sslpolicy`. This Google SSL
Policy is _not_ managed by this Helm chart, rather, it must be managed
externally. Default value: `minimum-tls-12`. This
### BackendConfig
* `SERVER_NAME`
[`templates/backend-crd.yaml`]
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. By default this health-check makes a request
to the URL path "/" on port 80. That health-check does not work for our
SAML application as the request will simply be redirected to the SAML
IdP. To get around this, we create a custom health-check using a
BackendConfig. This BackendConfig tells the Ingress to make an HTTP GET to
the path `/Shibboleth.sso/Metadata` which is _not_ SAML-protected.
LATER.
## Secrets
### Secrets
This Helm chart does *not* setup or provision any Kubernetes secrets: you
must create them independently. The secrets needed are:
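Review bot: the Requirements bullet `[externalDNS]()` has an empty link target while the Ingress section further down gives the full URL (https://github.com/kubernetes-sigs/external-dns); reuse that URL here. Several fragments in this hunk read as leftovers of the restructuring and should be removed or completed before merge: the empty `## Helm` heading, the bare "APP_ENV" and "SERVER_NAME" bullets sitting above the "Configuration" and "BackendConfig" text, the dangling "This" that ends the FrontendConfig paragraph, the "LATER." placeholder under BackendConfig, and the doubled `## Secrets` / `### Secrets` headings. Typos: "applications's" should be "application's", "`dev'`" should be "`dev`", "`text`" is presumably "`test`", "imapping" should be "mapping", and "404 error.(GKE supports" needs a space and a closing parenthesis. Two wording points matter to anyone relying on the security behaviour described: the Application Configuration section says `APP_ENV` and `SERVER_NAME` "must be overridden" yet each is immediately given a default, so state which it is; and since the FrontendConfig's TLS 1.2 enforcement depends on a Google SSL policy the chart does not manage, say what happens when `sslpolicy` names a policy that does not exist in the project.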
......
# Apply the SSL policy that we require TLS 1.2 or better. That
# policy is managed in the project terraform code.
# policy is typically managed in the project terraform code.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: http-ssl-policy-minimum-12
spec:
sslPolicy: minimum-tls-12
sslPolicy: {{ .Values.sslpolicy }}
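Review bot: `name: http-ssl-policy-minimum-12` is still hardcoded while `sslPolicy` now comes from `.Values.sslpolicy`, so the object name will mislead as soon as someone overrides the value with a policy that is not a TLS 1.2 minimum; either derive the name from the value or drop "minimum-12" from it. Also guard the value: if `sslpolicy` is unset the template renders `sslPolicy:` with nothing after it, and the TLS-version enforcement the README attributes to this FrontendConfig is silently gone. `sslPolicy: {{ required "sslpolicy must name an existing Google SSL policy" .Values.sslpolicy }}` makes a missing value fail at render time instead. The comment change to "typically managed in the project terraform code" is fine, but naming the Terraform resource here as values.yaml does (`google_compute_ssl_policy`) would save the reader a lookup.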
......@@ -8,7 +8,7 @@
APP_ENV: dev
# The endpoint name
SERVER_NAME: patchman-dev.example.com
SERVER_NAME: apache-shib-demo-dev.example.com
###
### Additional application settings (overriding is optional)
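Review bot: the new default `SERVER_NAME: apache-shib-demo-dev.example.com` contradicts the README in this same commit, which says `SERVER_NAME` "must be overridden"; a plausible-looking hostname default means a forgotten override is only caught after deployment, when externalDNS and the ManagedCertificate are created for a name nobody controls. Prefer an empty default plus a `required` check in the templates that consume it, or change the README to describe the setting as optional with this default. The same applies to `APP_ENV: dev` two lines up, which the README also lists as required.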
......@@ -33,6 +33,11 @@ image:
apache:
port: 80
# The name of the SSL Policy pointed to by the FrontendConfig. This policy
# must be created external to this chart. This is usually done using the
# Terraform "google_compute_ssl_policy" resource.
sslpolicy: minimum-tls-12
securityContext: {}
# capabilities:
# drop:
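Review bot: the comment above `sslpolicy: minimum-tls-12` says the policy must exist outside the chart but not what it must contain; the README in this commit credits it with enforcing a TLS 1.2 minimum and the allowed cipher suites, so record those requirements here (at least the minimum TLS version and the profile) so that whoever creates the `google_compute_ssl_policy` reproduces the enforcement rather than just the name. Minor: the key is `sslpolicy` while the CRD field it feeds is `sslPolicy`; keeping the values key camel-cased as well avoids two spellings for the same thing. Not part of this change, but `securityContext: {}` with the `capabilities:` / `drop:` lines commented out below it leaves the pod with the default capability set; worth a follow-up to enable the drop list.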
......