Commit 8e16ab50 authored by Adam Lewenberg

more work on README

parent 76c8bfec
......@@ -14,7 +14,6 @@ Apache+Shibboleth Docker container.
The architecture follows the standard GCP Ingress model:
```
Kubernetes
+---------------------------------------------------------------------+
| |
| +---------------+ |
......@@ -28,24 +27,32 @@ The architecture follows the standard GCP Ingress model:
+---------------------------------------------------------------------+
```
THe client connects via HTTPS to the External HTTPS Load Balancer
provisioned by the Ingress. The Ingress sends requests to the Service over
port 80. Apache runs in the Pod and services the requests via HTTP. Note
that wven though the traffic from the Ingress to the Service and fro the
Service to the Pod is over HTTP, the traffic is encrypted; see ["Encryption
from the load balancer to the
backends"](https://cloud.google.com/load-balancing/docs/ssl-certificates#backend-encryption)
for more information.
## Requirements
* [externalDNS](): an instance of externalDNS must be running in your Kubernetes cluster
so that the IP address used by the Ingress will be associated with the server name.
* An instance of [externalDNS][1] running in your Kubernetes cluster so
that the IP address used by the Ingress will be associated with the server
name.
* a version of Kubernetes supporting ManagedCertificates; see also [Using
* A version of Kubernetes supporting ManagedCertificates; see also [Using
Google-managed SSL
certificates](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs).
## Helm
## Configuration
### Application Configuration
The following two settings are required and must be overridden:
* `APP_ENV`: the applications's "environment"; typically one of `dev'`,
* `APP_ENV`: the applications's "environment"; typically one of `dev`,
`text`, `uat`, etc. Default: `dev`.
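Review bot: the unchanged context lines at the top of this hunk still carry three typos in the traffic-flow paragraph: `THe client connects`, `wven though` and `fro the Service to the Pod`; since this commit is already reworking the surrounding text, fix them here to `The`, `even` and `from`. In the rewritten `APP_ENV` line, `text` in "typically one of `dev`, `text`, `uat`" looks like it should be `test`. Replacing the empty `[externalDNS]()` link with the `[externalDNS][1]` reference is the right fix, and the `[1]:` definition is added at the end of the file in this same commit.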
......@@ -53,40 +60,41 @@ The following two settings are required and must be overridden:
Default: `apache-shib-demo-dev.example.com`.
### GCP Configuration
## Kubernetes Resources
### Deployment
The Deployment creates a replica set using the [apache-shib
[`templates/deployment.yaml`](templates/deployment.yaml) The Deployment
creates a replica set using the [apache-shib
Docker](https://code.stanford.edu/et-iedo/docker/docker-apache-shib)
container.
container. The container runs Apache and Shibboleth and listens on port 80
to HTTP traffic.
### Service
[`templates/service.yaml`]
[`templates/service.yaml`](templates/service.yaml)
A NodePort Service is created that listens on port 80. This service is
intended to sit behind an Ingress.
### Ingress
[`templates/ingress.yaml`]
The Ingress serves as the TLS endpoint for the service using the
registered name `SERVER_NAME`. The DNS entry imapping the IP address to
`SERVER_NAME` is created in Google DNS using
[externalDNS](https://github.com/kubernetes-sigs/external-dns).
[`templates/ingress.yaml`](templates/ingress.yaml) The Ingress serves as
the TLS endpoint for the service using the registered name
`SERVER_NAME`. The DNS entry imapping the IP address to `SERVER_NAME` is
created in Google DNS using [externalDNS][1].
This chart creates a ManagedCertificate object so that GCP will
automatically provision and update the TLS certificate that the HTTP Load
Balancer uses as the termination point.
The Ingress uses a FrontendConfig to enforce the use of TLS 1.2 or later.
The Ingress uses a FrontendConfig to enforce the use of TLS 1.2 or later;
see the section ["FrontendConfig"](#FrontendConfig) below for more
information.
We configure the Ingress to accept only connections via HTTPS. Connections
using HTTP will come back with a 404 error.(GKE supports
automatic HTTP-to-HTTPS redirects in version 1.18.10-gke.600; see
[Configuring Ingress
using HTTP will come back with a 404 error. (GKE supports automatic
HTTP-to-HTTPS redirects in version 1.18.10-gke.600; see [Configuring
Ingress
features](https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features)
for more information.
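Review bot: the new lines `[`templates/deployment.yaml`](templates/deployment.yaml) The Deployment creates ...` and `[`templates/ingress.yaml`](templates/ingress.yaml) The Ingress serves as ...` run the file link straight into the first sentence, whereas the Service section puts the link on its own line; keep one convention (link on its own line) across the sections. The typo `imapping` is carried unchanged into the new Ingress text and should read `mapping`. The new parenthetical `(GKE supports automatic HTTP-to-HTTPS redirects in version 1.18.10-gke.600; see [Configuring Ingress features](...) for more information.` is never closed; add the `)` after `information`. GitLab generates heading anchors in lowercase, so the new `(#FrontendConfig)` fragment will not resolve to the `### FrontendConfig` heading; use `(#frontendconfig)`.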
......@@ -95,11 +103,11 @@ for more information.
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. We cannot use the default health-check so we
create a custom health-check using a BackendConfig. See the
"BackendConfig" section below for more details.
["BackendConfig"](#BackendConfig) section below for more details.
### FrontendConfig
[`templates/frontend-crd.yaml`]
[`templates/frontend-crd.yaml`](templates/frontend-crd.yaml)
This configuration points to the Google SSL policy that enforces the
minimum version of TLS as well as allowed cipher suites. The name of this
policy is set in the `values.yaml` setting `sslpolicy`. This Google SSL
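Review bot: the new cross-reference `["BackendConfig"](#BackendConfig)` uses a mixed-case fragment, but GitLab renders heading anchors in lowercase (`#backendconfig`), so the link will not jump to the section; lowercase the fragment. Adding the target to the `templates/frontend-crd.yaml` link is fine as written.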
......@@ -108,7 +116,7 @@ externally. Default value: `minimum-tls-12`. This
### BackendConfig
[`templates/backend-crd.yaml`]
[`templates/backend-crd.yaml`](templates/backend-crd.yaml)
The Ingress uses a health-check to the backend Service to determine if the
service is running properly. By default this health-check makes a request
to the URL path "/" on port 80. That health-check does not work for our
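Review bot: the BackendConfig section says the default `/` health-check on port 80 does not work, but the visible lines never state which path and expected response the custom health-check uses instead; name them here so that anyone changing the Apache or Shibboleth configuration can see which path the load balancer probes and keep it answering as expected. The link fix to `templates/backend-crd.yaml` itself is fine.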
......@@ -132,3 +140,5 @@ must create them independently. The secrets needed are:
The SAML entity ID for this Service Provider will be the URL
`https://SERVER_NAME` (no trailing forward slash).
[1]: https://github.com/kubernetes-sigs/external-dns
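Review bot: in the entity ID sentence, `https://SERVER_NAME` reads like a literal URL; writing it as `https://<SERVER_NAME>` (and saying it is the `SERVER_NAME` setting from the Application Configuration section) makes clear that it is a placeholder to be substituted. The added `[1]: https://github.com/kubernetes-sigs/external-dns` definition is what the `[externalDNS][1]` references earlier in this commit resolve to, so it belongs in the same change.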