Commit 76c8bfec authored by Adam Lewenberg

more README work

parent 17834e2b
......@@ -7,7 +7,7 @@
This is an _example_ Helm project that creates a Deployment of the
[Apache+Shibboleth Docker
container]( optimized
for GCP (google Cloud Platform). This project is intended as a template
for GCP (Google Cloud Platform). This project is intended as a template
for creating other Helm projects that use Docker containers based on the
Apache+Shibboleth Docker container.
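Review bot: the Markdown link for the Apache+Shibboleth Docker container in the context line `container]( optimized` has an empty target, so the reference renders as dead text; add the image or repository URL between the parentheses. The `google` to `Google` capitalisation fix itself is fine.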
......@@ -28,17 +28,97 @@ The architecture follows the standard GCP Ingress model:
## Requirements
* [externalDNS](): an instance of externalDNS must be running in your Kubernetes cluster
so that the IP address used by the Ingress will be associated with the server name.
* a version of Kubernetes supporting ManagedCertificates; see also [Using
Google-managed SSL
## Helm
## Configuration
### Application Configuration
The following two settings are required and must be overridden:
* `APP_ENV`: the applications's "environment"; typically one of `dev'`,
`text`, `uat`, etc. Default: `dev`.
* `SERVER_NAME`: The fully-qualified endpoint name for this application.
Default: ``.
### GCP Configuration
## Kubernetes Resources
### Deployment
The Deployment creates a replica set using the [apache-shib
### Service
A NodePort Service is created that listens on port 80. This service is
intended to sit behind an Ingress.
### Ingress
The Ingress serves as the TLS endpoint for the service using the
registered name `SERVER_NAME`. The DNS entry imapping the IP address to
`SERVER_NAME` is created in Google DNS using
This chart creates a ManagedCertificate object so that GCP will
automatically provision and update the TLS certificate that the HTTP Load
Balancer uses as the termination point.
The Ingress uses a FrontendConfig to enforce the use of TLS 1.2 or later.
We configure the Ingress to accept only connections via HTTPS. Connections
using HTTP will come back with a 404 error.(GKE supports
automatic HTTP-to-HTTPS redirects in version 1.18.10-gke.600; see
[Configuring Ingress
for more information.
#### Ingress Health Check
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. We cannot use the default health-check so we
create a custom health-check using a BackendConfig. See the
"BackendConfig" section below for more details.
### FrontendConfig
This configuration points to the Google SSL policy that enforces the
minimum version of TLS as well as allowed cipher suites. The name of this
policy is set in the `values.yaml` setting `sslpolicy`. This Google SSL
Policy is _not_ managed by this Helm chart, rather, it must be managed
externally. Default value: `minimum-tls-12`. This
### BackendConfig
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. By default this health-check makes a request
to the URL path "/" on port 80. That health-check does not work for our
SAML application as the request will simply be redirected to the SAML
IdP. To get around this, we create a custom health-check using a
BackendConfig. This BackendConfig tells the Ingress to make an HTTP GET to
the path `/Shibboleth.sso/Metadata` which is _not_ SAML-protected.
## Secrets
### Secrets
This Helm chart does *not* setup or provision any Kubernetes secrets: you
must create them independently. The secrets needed are:
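Review bot: several sentences in this section are cut off mid-thought and two headings are empty or duplicated: "The DNS entry ... is created in Google DNS using" ends without naming the mechanism (presumably the externalDNS instance listed under Requirements), "Default value: `minimum-tls-12`. This" trails off, `## Helm` has no body, and `## Secrets` is immediately followed by `### Secrets` with the list itself missing after "The secrets needed are:". Finish those sentences and list the required Secret names, since an operator cannot deploy the chart without knowing what the Deployment expects to mount. The bullet list also says both settings "are required and must be overridden" while giving `APP_ENV` a default of `dev`; either drop "required" for `APP_ENV` or say that only `SERVER_NAME` has no default. Smaller fixes: "applications's" to "application's", the stray quote in `dev'`, `text` is probably meant to be `test`, "imapping" to "mapping", a space before "(GKE supports", and "setup" to "set up". The health-check explanation appears nearly verbatim under both "Ingress Health Check" and "BackendConfig"; keep the full text in one place and cross-reference from the other. The remark that `/Shibboleth.sso/Metadata` is not SAML-protected is worth keeping, since SP metadata is public by design and that is exactly what makes it a usable probe path.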
# Apply the SSL policy that we require TLS 1.2 or better. That
# policy is managed in the project terraform code.
# policy is typically managed in the project terraform code.
kind: FrontendConfig
name: http-ssl-policy-minimum-12
sslPolicy: minimum-tls-12
sslPolicy: {{ .Values.sslpolicy }}
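Review bot: `sslPolicy: {{ .Values.sslpolicy }}` interpolates a string value unquoted; use `sslPolicy: {{ .Values.sslpolicy | quote }}`, or `{{ required "sslpolicy must be set" .Values.sslpolicy | quote }}` if an empty value should fail the render instead of producing a FrontendConfig with no policy. The resource name `http-ssl-policy-minimum-12` still hardcodes "minimum-12" even though the policy is now configurable, so anyone pointing it at a different policy ends up with a misleading object name; derive it from the release name or from the policy value. The comment change to "typically managed in the project terraform code" is consistent with the new comment in values.yaml.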
......@@ -8,7 +8,7 @@
APP_ENV: dev
# The endpoint name
### Additional application settings (overriding is optional)
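Review bot: the README in this same commit calls `APP_ENV` and `SERVER_NAME` required overrides, yet values.yaml ships `APP_ENV: dev`, and the `SERVER_NAME` line that should follow `# The endpoint name` is not visible in this hunk. If the default really is empty, have the Deployment template fail at render time with `{{ required "SERVER_NAME must be set" .Values.SERVER_NAME }}` rather than starting a pod with an empty server name that the Ingress and ManagedCertificate will also inherit.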
......@@ -33,6 +33,11 @@ image:
port: 80
# The name of the SSL Policy pointed to by the FrontendConfig. This policy
# must be created external to this chart. This is usually done using the
# Terraform "google_compute_ssl_policy" resource.
sslpolicy: minimum-tls-12
securityContext: {}
# capabilities:
# drop:
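Review bot: `securityContext: {}` with the `capabilities:` / `drop:` block commented out leaves the container with the runtime's default capability set; since this chart is explicitly the template other charts will copy, ship a hardened default (`capabilities: {drop: [ALL]}`, `allowPrivilegeEscalation: false`, and `runAsNonRoot: true` if the image supports it) and let users relax it rather than the reverse. For the new `sslpolicy` key, the comment should also state that the policy must already exist in the same GCP project before the Ingress is created, otherwise the FrontendConfig cannot be applied; and consider naming the key `sslPolicy` to match the FrontendConfig field it feeds.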