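# Configure ingress to allow access to both gate and deck from your machine:
# This ingress fronts Deck (the UI); the Gate API gets its own ingress below so
# the two can be published on different hostnames.
ingress:
  enabled: true
  host: spinnaker.example.com
  annotations:
    # Annotation values are always strings in Kubernetes; the boolean-looking
    # ones are quoted so the YAML loader does not turn them into booleans.
    ingress.kubernetes.io/ssl-redirect: "true"
    # Legacy ingress-class annotation; newer clusters use spec.ingressClassName,
    # check whether the chart version in use exposes that field.
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    # Legacy cert-manager annotation group (certmanager.k8s.io); recent
    # cert-manager releases read cert-manager.io/cluster-issuer instead,
    # so confirm against the installed cert-manager version.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: deck-tls
      hosts:
        - spinnaker.example.com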
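# Ingress for Gate (the API). Its hostname must match GATE_URL in config.src
# below, since that value is also used as the SAML issuer id / service address.
ingressGate:
  enabled: true
  host: gate.spinnaker.example.com
  annotations:
    # Annotation values are always strings in Kubernetes; the boolean-looking
    # ones are quoted so the YAML loader does not turn them into booleans.
    ingress.kubernetes.io/ssl-redirect: "true"
    # Legacy ingress-class annotation; newer clusters use spec.ingressClassName,
    # check whether the chart version in use exposes that field.
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    # Legacy cert-manager annotation group (certmanager.k8s.io); recent
    # cert-manager releases read cert-manager.io/cluster-issuer instead,
    # so confirm against the installed cert-manager version.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: gate-tls
      hosts:
        - gate.spinnaker.example.com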
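# Configure halyard to support saml
halyard:
  # Keystore, keystore password and IdP metadata are mounted from a Secret under
  # /opt/halyard/additionalSecrets and read by configure_saml.sh below.
  additionalSecrets:
    create: true
    data:
      # Secret data is base64-encoded, which is encoding, not encryption. The
      # values below are placeholders; do not commit real keystore or password
      # material here — supply it from a secret store or an untracked values
      # override file instead.
      keystore.p12: aW4tc2VjcmV0cwo=  # base64 encoded keystore in pkcs12 format
      password.txt: aW4tc2VjcmV0cwo=  # base64 encoded password for the keystore
      metadata.xml: aW4tc2VjcmV0cwo=  # base64 encoded metadata.xml file from your SAML authenticator
  # Non-secret settings consumed by configure_saml.sh. They are kept in a
  # ConfigMap so they can be broken out into a separate values.yaml file;
  # both additionalConfigMaps.create and additionalConfigMaps.data.config.src
  # must be set for the script to find them.
  additionalConfigMaps:
    create: true
    data:
      config.src: |-
        KEYSTORE_ALIAS=saml # Alias in the keystore for the cert
        GATE_URL="https://gate.spinnaker.example.com" # URL to access your gate
        DECK_URL="https://spinnaker.example.com" # Url to access your deck
        # Put the keystore, metadata, and keystore password in these files under additionalSecrets
        KEYSTORE_FILE=/opt/halyard/additionalSecrets/keystore.p12
        PASSWORD_FILE=/opt/halyard/additionalSecrets/password.txt
        METADATA_FILE=/opt/halyard/additionalSecrets/metadata.xml
  # Hal commands to run against the core config (storage) — presumably after
  # it has been applied; confirm the ordering against the chart's init script.
  # The script lives under the configure_saml.sh key.
  additionalScripts:
    create: true
    data:
      configure_saml.sh: |
        # config.src (sourced below) provides these variables:
        # -> GATE_URL DECK_URL KEYSTORE_FILE PASSWORD_FILE METADATA_FILE KEYSTORE_ALIAS
        # HAL_COMMAND is expected from the halyard init environment and is left
        # unquoted so it may carry its own arguments (TODO confirm against the chart).
        source /opt/halyard/additionalConfigMaps/config.src
        # $( ) strips the trailing newline that password.txt may carry.
        KEYSTORE_PASSWORD="$( cat "$PASSWORD_FILE" )"
        # Deck is the UI, Gate is the API; these must match the ingress hosts above.
        $HAL_COMMAND config security ui edit --override-base-url "$DECK_URL"
        $HAL_COMMAND config security api edit --override-base-url "$GATE_URL"
        # The keystore password is passed as a command-line argument, so it is
        # visible in the hal process argument list and in any command logging
        # while this runs. --no-validate appears to skip Halyard's own validation
        # of the change; review the resulting SAML settings before enabling.
        $HAL_COMMAND config security authn saml edit \
          --keystore "$KEYSTORE_FILE" \
          --keystore-alias "$KEYSTORE_ALIAS" \
          --keystore-password "$KEYSTORE_PASSWORD" \
          --metadata "$METADATA_FILE" \
          --issuer-id "$GATE_URL" \
          --no-validate \
          --service-address-url "$GATE_URL"
        $HAL_COMMAND config security authn saml enable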