Skip to content

Installation Guide#

Cloud Native Distribution#

Getting Started with Kubernetes#

System Requirements for cloud deployments#

Note

For local deployments like minikube and microk8s or cloud installations for demoing Gluu may set the resources to the minimum and hence can have 8GB RAM, 4 CPU, and 50GB disk in total to run all services.

Please calculate the minimum required resources as per services deployed. The following table contains default recommended resources to start with. Depending on the use of each service the resources may be increased or decreased.

Service CPU Unit RAM Disk Space Processor Type Required
Auth-server 2.5 2.5GB N/A 64 Bit Yes
config - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs
persistence - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs
nginx 1 1GB N/A 64 Bit Yes if not ALB or Istio

Configure cloud or local kubernetes cluster with database:#

Amazon Web Services (AWS) - EKS#

Setup Cluster#

  • Follow this guide to install a cluster with worker nodes. Please make sure that you have all the IAM policies for the AWS user that will be creating the cluster and volumes.

Requirements#

  • The above guide should also walk you through installing kubectl , aws-iam-authenticator and aws cli on the VM you will be managing your cluster and nodes from. Check to make sure.

    aws-iam-authenticator help
    aws-cli
    kubectl version
    
  • Optional[alpha]: If using Istio please install it prior to installing Gluu. You may choose to use any installation method Istio supports. If you have insalled istio ingress , a loadbalancer will have been created. Please save the address of loadblancer for use later during installation.

Amazon Aurora#

Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. Gluu fully supports Amazon Aurora, and recommends it in production.

  1. Create an Amazon Aurora database with MySQL compatibility version >= Aurora(MySQL 5.7) 2.07.1 and capacity type Serverless. Make sure the EKS cluster can reach the database endpoint. You may choose to use the same VPC as the EKS cluster. Save the master user, master password, and initial database name for use in Gluus helm chart.

  2. Inject the Aurora endpoint, master user, master password, and initial database name for use in Gluus helm chart.

    Helm values configuration Description default
    config.configmap.cnSqlDbHost Aurora database endpoint i.e gluu.cluster-xxxxxxx.eu-central.rds.amazonaws.com empty
    config.configmap.cnSqlDbPort Aurora database port 3306
    config.configmap.cnSqlDbName Aurora initial database name jans
    config.configmap.cnSqlDbUser Aurora master user jans
    config.configmap.cnSqldbUserPassword Aurora master password Test1234#

MicroK8s#

Requirements#

  1. Create a fresh Ubuntu 20.04 on AWS.

  2. Run the following command:

    sudo su -
    wget https://raw.githubusercontent.com/GluuFederation/cloud-native-edition/master/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh  
    
  3. Map your vm ip to the fqdn demoexample.gluu.org

Install Gluu using Helm#

  1. Optional if not using istio ingress: Install nginx-ingress Helm Chart.

    kubectl create ns <nginx-namespace>
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    helm install <nginx-release-name> ingress-nginx/ingress-nginx --namespace=<nginx-namespace>
    
  2. Copy the values.yaml below into a file named override-values.yaml

  3. Modify the values to fit the deployment. This is the time to inject your database connection parameters. You will find the file marked where you need to change the values.

  4. Create a namespace and install:

    kubectl create ns gluu
    helm repo add gluu https://gluufederation.github.io/cloud-native-edition/pygluu/kubernetes/templates/helm
    helm repo update
    helm install <release-name> gluu/gluu -n <namespace> -f override-values.yaml --version=5.0.0
    

Non registered FQDN#

If the provided FQDN for Gluu is not globally resolvable map Gluus FQDN at /etc/hosts file to the IP of the lb or microk8s vm as shown below.

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
192.168.99.100    demo.openbanking.org # IP and example domain
127.0.0.1 localhost
255.255.255.255   broadcasthost
::1             localhost

Enabling mTLS in ingress-nginx#

  1. Please note that enabling the following annotations in the values.yaml will enable client certificate authentication. Uncomment the following from the helm charts override-values.yaml

        additionalAnnotations:
          # Enable client certificate authentication. Keep this optional. We force it on the path level for /token and /register endpoints.
          nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
          # Create the secret containing the trusted ca certificates
          nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-ob-ca-certificates"
          # Specify the verification depth in the client certificates chain
          nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
          # Specify if certificates are passed to upstream server
          nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    
  2. Set nginx-ingress.ingress.authServerProtectedToken and nginx-ingress.ingress.authServerProtectedRegister in the helm charts override-values.yaml to true.

  3. Create a secret containing the OB CA certificates (issuing, root, and signing CAs) and the OB AS transport crt. For more information read here.

    cat web_https_ca.crt issuingca.crt rootca.crt signingca.crt >> ca.crt
    kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file=tls.crt=web_https.crt --from-file=tls.key=web_https.key --from-file=ca.crt=ca.crt
    
  4. Inject OBIE signed certs, keys and uri:

    1. When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e obsigning.pem, the signing key i.e obsigning-oajsdij8927123.key, the certificate transport pem file i.e obtransport.pem, the transport key i.e obtransport-sdfe4234234.key, the transport truststore p12 i.e ob-transport-truststore.p12, and the jwks uri https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks.

    2. base64 encrypt all .pem and .key files as they will be injected as base64 strings inside the helm override-values.yaml.

      cat obsigning.pem | base64 | tr -d '\n' > obsigningbase64.pem
      cat obsigning-oajsdij8927123.key | base64 | tr -d '\n' > obsigningbase64.key
      cat obtransport.pem | base64 | tr -d '\n' > obtransportbase64.pem
      cat obtransport-sdfe4234234.key | base64 | tr -d '\n' > obtransportbase64.key
      
    3. Copy the base64 string in obsigningbase64.pem into the helm chart override-values.yaml at global.cnObExtSigningJwksCrt

    4. Copy the base64 string in obsigningbase64.key into the helm chart override-values.yaml at global.cnObExtSigningJwksKey

    5. Inject the base64 string passphrase of obsigningbase64.key into the helm chart override-values.yaml at global.cnObExtSigningJwksKeyPassPhrase

    6. Copy the base64 string in obtransportbase64.pem into the helm chart override-values.yaml at global.cnObTransportCrt

    7. Copy the base64 string in obtransportbase64.key into the helm chart override-values.yaml at global.cnObTransportKey

    8. Inject the base64 string passphrase of obtransportbase64.key into the helm chart override-values.yaml at global.cnObTransportKeyPassPhrase

    9. Generate your transport truststore or convert it to .p12 format. Please name it as ob-transport-truststore.p12

      cat obissuingca.pem obrootca.pem obsigningca.pem > transport-truststore.crt
      keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore
      
    10. base64 encrypt the ob-transport-truststore.p12

      cat ob-transport-truststore.p12 | base64 | tr -d '\n' > obtransporttruststorebase64.pem
      
    11. Copy the base64 string in obtransporttruststorebase64.pem into the helm chart override-values.yaml at global.cnObTransportTrustStore

    12. Add the jwks uri to the helm chart override-values.yaml at global.cnObExtSigningJwksUri

    13. Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint.

    14. Specify the signing key that will be used by the AS override-values.yaml at global.cnObStaticSigningKeyKid.

    Helm values configuration Description default Associated files created in auth-server pod at /etc/certs
    global.cnObExtSigningJwksUri external signing jwks uri string empty obextjwksuri.crt parsed from the URI and added to the JVM
    global.cnObExtSigningJwksCrt Used in SSA Validation. base64 string for the external signing jwks crt. Activated when .global.cnObExtSigningJwksUri is set empty ob-ext-signing.crt
    global.cnObExtSigningJwksKey Used in SSA Validation. base64 string for the external signing jwks key . Activated when .global.cnObExtSigningJwksUri is set empty ob-ext-signing.key. With the above crt ob-ext-signing.jks, and ob-ext-signing.pkcs12 get created.
    global.cnObExtSigningJwksKeyPassPhrase Needed if global.cnObExtSigningJwksKey has a passphrase . Activated when .global.cnObExtSigningJwksUri is set empty ob-ext-signing.pin.
    global.cnObExtSigningAlias This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G empty Alias of the entry inside the keystore ob-ext-signing.jks.
    global.cnObStaticSigningKeyKid This is a kid value.Used to force the AS to use a specific signing key i.e XkwIzWy44xWSlcWnMiEc8iq9s2G empty Alias of the entry inside the keystore ob-ext-signing.jks.
    global.cnObTransportCrt Used in SSA Validation. base64 string for the transport crt. Activated when .global.cnObExtSigningJwksUri is set empty ob-transport.crt
    global.cnObTransportKey Used in SSA Validation. base64 string for the transport key. Activated when .global.cnObExtSigningJwksUri is set empty ob-transport.key. With the above crt ob-transport.jks, and ob-transport.pkcs12 get created.
    global.cnObTransportKeyPassPhrase Needed if global.cnObTransportKey has a passphrase . Activated when .global.cnObExtSigningJwksUri is set empty ob-transport.pin.
    global.cnObTransportTrustStore Used in SSA Validation. base64 string for the transport truststore crt. Activated when .global.cnObExtSigningJwksUri is set empty ob-transport-truststore.p12

    Please note that the password for the keystores created can be fetched by executing the following command:

    AUTH_JKS_PASS=$(kubectl get secret cn -o json -n gluu | grep '"auth_openid_jks_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
    
    The above password is needed in custom scripts such as in client registeration.

Changing the signing key kid for the AS dynamically#

Specify a the signing key that will be used by the AS:

  1. Get a client and its associated password. Here, we will use the client id and secret created for config-api.

    TESTCLIENT=$(kubectl get cm cn -o json -n gluu | grep '"jca_client_id":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]')
    TESTCLIENTSECRET=$(kubectl get secret cn -o json -n gluu | grep '"jca_client_pw":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
    
  2. Get a token , here the crt and key used need to be a crt and key that can pass mTLS:

    curl -k -u $TESTCLIENT:$TESTCLIENTSECRET https://<FQDN>/jans-auth/restv1/token -d "grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write" --cert mtls.pem --key mtls.key
    
  3. Add the entry staticKid to force the AS to use a specific signing key. Please modify XhCYDfFM7UFXHfykNaLk1aLCnZM to the kid to be used:

    curl -k -X PATCH "https://<FQDN>/jans-config-api/api/v1/jans-auth-server/config" -H  "accept: application/json" -H  "Content-Type: application/json-patch+json" -H "Authorization:Bearer 170e8412-1d55-4b19-ssss-8fcdeaafb954" -d "[{\"op\":\"add\",\"path\":\"/staticKid\",\"value\":\"XhCYDfFM7UFXHfykNaLk1aLCnZM\"}]"
    
  4. Preform a rolling restart for the auth-server and config-api

    kubectl rollout restart deployment <gluu-relase-name>-auth-server -n <gluu-namespace>
    kubectl rollout restart deployment <gluu-relase-name>-config-api -n <gluu-namespace>
    #kubectl rollout restart deployment gluu-auth-server -n gluu
    

Enable https.#

certificates and keys of interest in https Notes
web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt
web_https.key (nginx) web server key. This is commonly referred to as server.key
web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr
web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate.
web_https_ca.key Certificate authority key that signed/signs the web server certificate.

Please note you might be using cert-manager here by specifying your issuer as an annotation at nginx-ingress.ingress.additionalAnnotations . By default self-signed certs for https get automatically generated and used.

Uninstalling the Chart#

To uninstall/delete my-release deployment:

helm delete <my-release>

If during installation the release was not defined, release name is checked by running $ helm ls then deleted using the previous command and the default release name.

Loading web https certs and keys.#

certificates and keys of interest for https Notes
web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt
web_https.key (nginx) web server key. This is commonly referred to as server.key
web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr
web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate.
web_https_ca.key Certificate authority key that signed/signs the web server certificate.

Note

This will load web_https.crt, web_https.key, web_https.csr, web_https_ca.crt, and web_https_ca.key to /etc/certs. This step is important in order for mTLS to fully work as nginx-ingress will pass the client certificate down to the auth-server and the auth-server will validate the client certificate.

  1. Create a secret with web_https.crt, web_https.key, web_https.csr, web_https_ca.crt, and web_https_ca.key. Note that this may already exist in your deployment.

        kubectl create secret generic web-cert-key --from-file=web_https.crt --from-file=web_https.key --from-file=web_https.csr --from-file=ca.crt=web_https_ca.crt --from-file=ca.key=web_https_ca.key -n <gluu-namespace> 
    
  2. Create a file named load-web-key-rotation.yaml with the following contents :

    # License terms and conditions for Gluu Cloud Native Edition:
    # https://www.apache.org/licenses/LICENSE-2.0
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: load-web-key-rotation
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"                  
        spec:
          restartPolicy: Never
          volumes:
          - name: web-cert
            secret:
              secretName: web-cert-key
              items:
                - key: web_https.crt
                  path: web_https.crt
          - name: web-key
            secret:
              secretName: web-cert-key
              items:
                - key: web_https.key
                  path: web_https.key
          - name: web-csr
            secret:
              secretName: web-cert-key
              items:
                - key: web_https.csr
                  path: web_https.csr
          - name: web-ca-cert
            secret:
              secretName: web-cert-key
              items:
                - key: ca.crt
                  path: ca.crt
          - name: web-ca-key
            secret:
              secretName: web-cert-key
              items:
                - key: ca.key
                  path: ca.key                              
          containers:
            - name: load-web-key-rotation
              image: janssenproject/certmanager:1.0.0_b11
              envFrom:
              - configMapRef:
                  name: gluu-config-cm  #This may be different in your Helm setup
              volumeMounts:
                - name: web-cert
                  mountPath: /etc/certs/web_https.crt
                  subPath: web_https.crt
                - name: web-key
                  mountPath: /etc/certs/web_https.key
                  subPath: web_https.key
                - name: web-csr
                  mountPath: /etc/certs/web_https.csr
                  subPath: web_https.csr
                - name: web-ca-cert
                  mountPath: /etc/certs/ca.crt
                  subPath: ca.crt
                - name: web-ca-key
                  mountPath: /etc/certs/ca.key
                  subPath: ca.key   
              args: ["patch", "web", "--opts", "source:from-files"]
    
  3. Apply job

        kubectl apply -f load-web-key-rotation.yaml -n <gluu-namespace>
    

Example using self signed certs and keys:#

  1. Follow the above steps to enable the annotations and protected endpoints before running the helm install command.

  2. Wait for services to be in a running state.

  3. Get self signed certs and generate client crt and key. This assumes the namespace Gluu has been installed in is gluu.

    mkdir certs
    cd certs
    kubectl get secret cn -o json -n gluu | grep '"ssl_ca_cert":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > web_https_ca.crt
    kubectl get secret cn -o json -n gluu | grep '"ssl_ca_key":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > web_https_ca.key
    kubectl get secret cn -o json -n gluu | grep '"ssl_cert":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > web_https.crt
    kubectl get secret cn -o json -n gluu | grep '"ssl_key":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > web_https.key
    openssl req -new -newkey rsa:4096 -keyout jans_cli_client.key -out jans_cli_client.csr -nodes -subj '/CN=Openbanking'
    openssl x509 -req -sha256 -days 365 -in jans_cli_client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out jans_cli_client.crt
    kubectl create secret generic ca-secret -n gluu --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
    cd ..
    
  4. Try curling a protected endpoint.

    1. Get a client and its associated password. Here, we will use the client id and secret created for config-api.

      TESTCLIENT=$(kubectl get cm cn -o json -n gluu | grep '"jca_client_id":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]')
      TESTCLIENTSECRET=$(kubectl get secret cn -o json -n gluu | grep '"jca_client_pw":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
      
    2. Curl the protected /token endpoint.

      curl -X POST -k --cert jans_cli_client.crt --key jans_cli_client.key -u $TESTCLIENT:$TESTCLIENTSECRET https://demo.openbanking.org/jans-auth/restv1/token -d grant_type=client_credentials
      {"access_token":"07688c3e-69ea-403b-a35a-fa3877982c7a","token_type":"bearer","expires_in":299}
      
  5. Try using the jans-cli:

    1. Download jans-cli.pyz. This package can be built manually.

    2. Run the jans-cli in interactive mode and try it out:

      python3 jans-cli-linux-amd64.pyz --host demo.openbanking.org --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --cert-file jans_cli_client.crt --key-file jans_cli_client.key -noverify
      

Example using self provided certs and keys:#

  1. Follow the above steps to enable the annotations and protected endpoints before running the helm install command.

  2. Wait for services to be in a running state.

  3. Move all your certs and keys inside one folder called certs or any name that is convenient . The necessary certs and keys are highlighted in the table. This assumes the namespace Gluu has been installed in is gluu.

  4. Follow instructions to rotate all associated certs and keys. This is normally done right after installation. Please note that the fqdn inside the crts and keys must be the same as the one provided during installation.

  5. Move all your certs and keys inside one folder. Generate jans cli client side crt, key and create the secret for nginx ingress. This assumes the namespace Gluu has been installed in is gluu.

    cd certs
    openssl req -new -newkey rsa:4096 -keyout jans_cli_client.key -out jans_cli_client.csr -nodes -subj '/CN=Openbanking'
    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out jans_cli_client.crt
    kubectl create secret generic ca-secret -n gluu --from-file=tls.crt=web_https.crt --from-file=tls.key=web_https.key --from-file=ca.crt=ca.crt
    cd ..
    
  6. By default secret used for TLS tls-certificate is created upon installation. This secret must be updated with with the server cert and key tls.crt=web_https.crt and tls.key=web_https.key.

    kubectl delete secret tls-certificate -n gluu
    kubectl create secret generic tls-certificate --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n gluu
    
  7. Try curling a protected endpoint.

    1. Get a client and its associated password. Here, we will use the client id and secret created for config-api.

      TESTCLIENT=$(kubectl get cm cn -o json -n gluu | grep '"jca_client_id":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]')
      TESTCLIENTSECRET=$(kubectl get secret cn -o json -n gluu | grep '"jca_client_pw":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
      
    2. Curl the protected /token endpoint.

      curl -X POST --cert jans_cli_client.crt --key jans_cli_client.key -u $TESTCLIENT:$TESTCLIENTSECRET https://demo.openbanking.org/jans-auth/restv1/token -d grant_type=client_credentials
      {"access_token":"07688c3e-69ea-403b-a35a-fa3877982c7a","token_type":"bearer","expires_in":299}
      
  8. Try using the jans-cli:

    1. Download jans-cli.pyz. This package can be built manually.

    2. Run the jans-cli in interactive mode and try it out:

      python3 jans-cli-linux-amd64.pyz --host demo.openbanking.org --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --cert-file jans_cli_client.crt --key-file jans_cli_client.key
      

Using jans-cli#

jans-cli is a Command Line Interface for Gluu Configuration. It also has menu-driven interface that makes it easier to understand how to use Gluu Server through the Interactive Mode.

  1. Download jans-cli.pyz. This package can be built manually.

  2. Get a client and its associated password. Here, we will use the client id and secret created for config-api.

    TESTCLIENT=$(kubectl get cm cn -o json -n gluu | grep '"jca_client_id":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]')
    TESTCLIENTSECRET=$(kubectl get secret cn -o json -n gluu | grep '"jca_client_pw":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
    
  3. Run the jans-cli in interactive mode and try it out:

    python3 jans-cli-linux-amd64.pyz --host demo.openbanking.org --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET -CC jans_cli_client.crt -CK jans_cli_client.key
    

Adding custom scopes upon installation#

  1. Download the original scopes file

    wget https://raw.githubusercontent.com/JanssenProject/docker-jans-persistence-loader/master/templates/scopes.ob.ldif
    
  2. Adjust that file to add the custom scopes needed.

  3. Create a configmap to hold the file:

    kubectl create cm custom-scopes -n gluu --from-file=scopes.ob.ldif
    
  4. Inside your override yaml you have the ability to inject additional volumes and volume mounts. Inside the persistence key add the following:

    persistence:
        volumes:
            - name: custom-scopes
                configMap:
                    name: custom-scopes
        volumeMounts:
            - name: custom-scopes
                mountPath: "/app/templates/scopes.ob.ldif"
                subPath: scopes.ob.ldif
    
  5. Now you are ready to install with the custom scopes added.

Helm values.yaml#

Key Type Default Description
auth-server object {"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","repository":"janssenproject/auth-server","tag":"1.0.0_b11"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
auth-server.dnsConfig object {} Add custom dns config
auth-server.dnsPolicy string "" Add custom dns policy
auth-server.hpa object {"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50} Configure the HorizontalPodAutoscaler
auth-server.hpa.behavior object {} Scaling Policies
auth-server.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set
auth-server.image.pullPolicy string "IfNotPresent" Image pullPolicy to use for deploying.
auth-server.image.repository string "janssenproject/auth-server" Image to use for deploying.
auth-server.image.tag string "1.0.0_b11" Image tag to use for deploying.
auth-server.livenessProbe object {"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5} Configure the liveness healthcheck for the auth server if needed.
auth-server.livenessProbe.exec object {"command":["python3","/app/scripts/healthcheck.py"]} Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
auth-server.readinessProbe object {"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5} Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
auth-server.replicas int 1 Service replica number.
auth-server.resources object {"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}} Resource specs.
auth-server.resources.limits.cpu string "2500m" CPU limit.
auth-server.resources.limits.memory string "2500Mi" Memory limit.
auth-server.resources.requests.cpu string "2500m" CPU request.
auth-server.resources.requests.memory string "2500Mi" Memory request.
auth-server.usrEnvs object {"normal":{},"secret":{}} Add custom normal and secret envs to the service
auth-server.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1
auth-server.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1
auth-server.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers
auth-server.volumes list [] Configure any additional volumes that need to be attached to the pod
Key Type Default Description
config object {"city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnConfigGoogleSecretNamePrefix":"gluu","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnMaxRamPercent":"75.0","cnPassportEnabled":false,"cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnSamlEnabled":false,"cnSecretGoogleSecretNamePrefix":"gluu","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqlPasswordFile":"/etc/jans/conf/sql_password","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"repository":"janssenproject/configuration-manager","tag":"1.0.0_b11"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
config.city string "Austin" City. Used for certificate creation.
config.configmap.cnCacheType string "NATIVE_PERSISTENCE" Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE .
config.configmap.cnConfigKubernetesConfigMap string "cn" The name of the Kubernetes ConfigMap that will hold the configuration layer
config.configmap.cnJettyRequestHeaderSize int 8192 Jetty header size in bytes in the auth server
config.configmap.cnSecretKubernetesSecret string "cn" Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
config.configmap.cnSqlDbDialect string "mysql" SQL database dialect. mysql or pgsql
config.configmap.cnSqlDbHost string "my-release-mysql.default.svc.cluster.local" SQL database host uri.
config.configmap.cnSqlDbName string "jans" SQL database name.
config.configmap.cnSqlDbPort int 3306 SQL database port.
config.configmap.cnSqlDbTimezone string "UTC" SQL database timezone.
config.configmap.cnSqlDbUser string "jans" SQL database username.
config.configmap.cnSqlPasswordFile string "/etc/jans/conf/sql_password" SQL password file holding password from config.configmap.cnSqldbUserPassword .
config.configmap.cnSqldbUserPassword string "Test1234#" SQL password injected as config.configmap.cnSqlPasswordFile .
config.configmap.lbAddr string "" Loadbalancer address for AWS if the FQDN is not registered.
config.countryCode string "US" Country code. Used for certificate creation.
config.dnsConfig object {} Add custom dns config
config.dnsPolicy string "" Add custom dns policy
config.email string "support@gluu.org" Email address of the administrator usually. Used for certificate creation.
config.image.repository string "janssenproject/configuration-manager" Image to use for deploying.
config.image.tag string "1.0.0_b11" Image tag to use for deploying.
config.orgName string "Gluu" Organization name. Used for certificate creation.
config.resources object {"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}} Resource specs.
config.resources.limits.cpu string "300m" CPU limit.
config.resources.limits.memory string "300Mi" Memory limit.
config.resources.requests.cpu string "300m" CPU request.
config.resources.requests.memory string "300Mi" Memory request.
config.state string "TX" State code. Used for certificate creation.
config.usrEnvs object {"normal":{},"secret":{}} Add custom normal and secret envs to the service.
config.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1
config.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1
config.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers
config.volumes list [] Configure any additional volumes that need to be attached to the pod
Key Type Default Description
config-api object {"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","repository":"janssenproject/config-api","tag":"1.0.0_b11"},"livenessProbe":{"httpGet":{"path":"/health-check/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/health-check/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).
config-api.dnsConfig object {} Add custom dns config
config-api.dnsPolicy string "" Add custom dns policy
config-api.hpa object {"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50} Configure the HorizontalPodAutoscaler
config-api.hpa.behavior object {} Scaling Policies
config-api.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set
config-api.image.pullPolicy string "IfNotPresent" Image pullPolicy to use for deploying.
config-api.image.repository string "janssenproject/config-api" Image to use for deploying.
config-api.image.tag string "1.0.0_b11" Image tag to use for deploying.
config-api.livenessProbe object {"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5} Configure the liveness healthcheck for the auth server if needed.
config-api.livenessProbe.httpGet object {"path":"/jans-config-api/api/v1/health/live","port":8074} http liveness probe endpoint
config-api.readinessProbe.httpGet object {"path":"/jans-config-api/api/v1/health/ready","port":8074} http readiness probe endpoint
config-api.replicas int 1 Service replica number.
config-api.resources object {"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}} Resource specs.
config-api.resources.limits.cpu string "1000m" CPU limit.
config-api.resources.limits.memory string "400Mi" Memory limit.
config-api.resources.requests.cpu string "1000m" CPU request.
config-api.resources.requests.memory string "400Mi" Memory request.
config-api.usrEnvs object {"normal":{},"secret":{}} Add custom normal and secret envs to the service
config-api.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1
config-api.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1
config-api.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers
config-api.volumes list [] Configure any additional volumes that need to be attached to the pod
Key Type Default Description
global object {"alb":{"ingress":false},"auth-server":{"authServerServiceName":"auth-server","enabled":true},"awsStorageType":"io1","cloud":{"testEnviroment":false},"cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","config":{"enabled":true},"config-api":{"configApiServerServiceName":"config-api","enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"openbanking","fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"enabled":false,"ingress":false,"namespace":"istio-system"},"lbIp":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false},"persistence":{"enabled":true},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false},"usrEnvs":{"normal":{},"secret":{}}} Parameters used globally across all services helm charts.
global.alb.ingress bool false Activates ALB ingress
global.auth-server.authServerServiceName string "auth-server" Name of the auth-server service. Please keep it as default.
global.auth-server.enabled bool true Boolean flag to enable/disable auth-server chart. You should never set this to false.
global.cloud.testEnviroment bool false Boolean flag if enabled will strip resources requests and limits from all services.
global.cnObExtSigningAlias string "" Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G
global.cnObExtSigningJwksCrt string "" Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when .global.cnObExtSigningJwksUri is set.
global.cnObExtSigningJwksKey string "" Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set.
global.cnObExtSigningJwksKeyPassPhrase string "" Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set.
global.cnObExtSigningJwksUri string "" Open banking external signing jwks uri. Used in SSA Validation.
global.cnObStaticSigningKeyKid string "" Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G
global.cnObTransportAlias string "" Open banking transport Alias used inside the JVM.
global.cnObTransportCrt string "" Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
global.cnObTransportKey string "" Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
global.cnObTransportKeyPassPhrase string "" Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.
global.cnObTransportTrustStore string "" Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.
global.cnPersistenceType string "sql" Persistence backend to run Gluu with ldap
global.config-api.configApiServerServiceName string "config-api" Name of the config-api service. Please keep it as default.
global.config-api.enabled bool true Boolean flag to enable/disable the config-api chart.
global.config.enabled bool true Boolean flag to enable/disable the configuration chart. This normally should never be false
global.configAdapterName string "kubernetes" The config backend adapter that will hold Gluu configuration layer. google
global.configSecretAdapter string "kubernetes" The config backend adapter that will hold Gluu secret layer. google
global.distribution string "openbanking" Gluu distributions supported are: default
global.fqdn string "demoexample.gluu.org" Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.
global.isFqdnRegistered bool false Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.
global.istio.enabled bool false Boolean flag that enables using istio side cars with Gluu services.
global.istio.ingress bool false Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.
global.istio.namespace string "istio-system" The namespace istio is deployed in. The is normally istio-system.
global.lbIp string "" The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if global.fqdn is globally resolvable.
global.nginx-ingress.enabled bool true Boolean flag to enable/disable the nginx-ingress definitions chart.
global.persistence.enabled bool true Boolean flag to enable/disable the persistence chart.
global.upgrade.enabled bool false Boolean flag used when running helm upgrade command. This allows upgrading the chart without immutable objects errors.
global.usrEnvs object {"normal":{},"secret":{}} Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services
global.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1
global.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1
Key Type Default Description
nginx-ingress object {"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiEnabled":true,"adminUiLabels":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRedisterLabels":{},"authServerProtectedRegister":false,"authServerProtectedToken":false,"authServerProtectedTokenLabels":{},"configApiEnabled":true,"configApiLabels":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"hosts":["demoexample.gluu.org"],"openidConfigEnabled":true,"openidConfigLabels":{},"path":"/","scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerEnabled":true,"webfingerLabels":{}}} Nginx ingress definitions chart
nginx-ingress.ingress.additionalAnnotations object {} Additional annotations that will be added across all ingress definitions in the format of
nginx-ingress.ingress.additionalLabels object {} Additional labels that will be added across all ingress definitions in the format of
nginx-ingress.ingress.authServerEnabled bool true Enable Auth server endpoints /jans-auth
nginx-ingress.ingress.authServerLabels object {} Auth server config ingress resource labels. key app is taken
nginx-ingress.ingress.authServerProtectedRedisterLabels object {} Auth server protected token ingress resource labels. key app is taken
nginx-ingress.ingress.authServerProtectedRegister bool false Enable mTLS onn Auth server endpoint /jans-auth/restv1/register
nginx-ingress.ingress.authServerProtectedToken bool false Enable mTLS on Auth server endpoint /jans-auth/restv1/token
nginx-ingress.ingress.authServerProtectedTokenLabels object {} Auth server protected token ingress resource labels. key app is taken
nginx-ingress.ingress.configApiLabels object {} configAPI ingress resource labels. key app is taken
nginx-ingress.ingress.openidConfigEnabled bool true Enable endpoint /.well-known/openid-configuration
nginx-ingress.ingress.openidConfigLabels object {} openid-configuration ingress resource labels. key app is taken
nginx-ingress.ingress.tls list [{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}] Secrets holding HTTPS CA cert and key.
nginx-ingress.ingress.u2fConfigEnabled bool true Enable endpoint /.well-known/fido-configuration
nginx-ingress.ingress.u2fConfigLabels object {} u2f config ingress resource labels. key app is taken
nginx-ingress.ingress.uma2ConfigEnabled bool true Enable endpoint /.well-known/uma2-configuration
nginx-ingress.ingress.uma2ConfigLabels object {} uma2 config ingress resource labels. key app is taken
nginx-ingress.ingress.webdiscoveryEnabled bool true Enable endpoint /.well-known/simple-web-discovery
nginx-ingress.ingress.webdiscoveryLabels object {} webdiscovery ingress resource labels. key app is taken
nginx-ingress.ingress.webfingerEnabled bool true Enable endpoint /.well-known/webfinger
nginx-ingress.ingress.webfingerLabels object {} webfinger ingress resource labels. key app is taken
Key Type Default Description
persistence object {"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","repository":"janssenproject/persistence-loader","tag":"1.0.0_b11"},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Job to generate data and intial config for Gluu Server persistence layer.
persistence.dnsConfig object {} Add custom dns config
persistence.dnsPolicy string "" Add custom dns policy
persistence.image.pullPolicy string "IfNotPresent" Image pullPolicy to use for deploying.
persistence.image.repository string "janssenproject/persistence-loader" Image to use for deploying.
persistence.image.tag string "1.0.0_b11" Image tag to use for deploying.
persistence.resources object {"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}} Resource specs.
persistence.resources.limits.cpu string "300m" CPU limit
persistence.resources.limits.memory string "300Mi" Memory limit.
persistence.resources.requests.cpu string "300m" CPU request.
persistence.resources.requests.memory string "300Mi" Memory request.
persistence.usrEnvs object {"normal":{},"secret":{}} Add custom normal and secret envs to the service
persistence.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1
persistence.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1
persistence.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers
persistence.volumes list [] Configure any additional volumes that need to be attached to the pod
# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
auth-server:
  # -- Configure the HorizontalPodAutoscaler
  hpa:
    enabled: true
    minReplicas: 1
    maxReplicas: 10
    targetCPUUtilizationPercentage: 50
    # -- metrics if targetCPUUtilizationPercentage is not set
    metrics: []
    # -- Scaling Policies
    behavior: {}
  # -- Add custom normal and secret envs to the service
  usrEnvs:
    # -- Add custom normal envs to the service
    # variable1: value1
    normal: {}
    # -- Add custom secret envs to the service
    # variable1: value1
    secret: {}
  # -- Add custom dns policy
  dnsPolicy: ""
  # -- Add custom dns config
  dnsConfig: {}
  image:
    # -- Image pullPolicy to use for deploying.
    pullPolicy: IfNotPresent
    # -- Image  to use for deploying.
    repository: janssenproject/auth-server
    # -- Image  tag to use for deploying.
    tag: 1.0.0_b11
    # -- Image Pull Secrets
    pullSecrets: [ ]     
  # -- Service replica number.
  replicas: 1
  # -- Resource specs.
  resources:
    limits:
      # -- CPU limit.
      cpu: 2500m
      # -- Memory limit.
      memory: 2500Mi
    requests:
      # -- CPU request.
      cpu: 2500m
      # -- Memory request.
      memory: 2500Mi
  # -- Configure the liveness healthcheck for the auth server if needed.
  livenessProbe:
    # -- Executes the python3 healthcheck.
    # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
    exec:
      command:
        - python3
        - /app/scripts/healthcheck.py
    initialDelaySeconds: 30
    periodSeconds: 30
    timeoutSeconds: 5
  # -- Configure the readiness healthcheck for the auth server if needed.
  # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
  readinessProbe:
    exec:
      command:
        - python3
        - /app/scripts/healthcheck.py
    initialDelaySeconds: 25
    periodSeconds: 25
    timeoutSeconds: 5
  # -- Configure any additional volumes that need to be attached to the pod
  volumes: []
  # -- Configure any additional volumesMounts that need to be attached to the containers
  volumeMounts: []

# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
config:
  # -- Add custom normal and secret envs to the service.
  usrEnvs:
    # -- Add custom normal envs to the service.
    # variable1: value1
    normal: {}
    # -- Add custom secret envs to the service.
    # variable1: value1
    secret: {}
  # -- City. Used for certificate creation.
  city: Austin
  configmap:
    # -- Jetty header size in bytes in the auth server
    cnJettyRequestHeaderSize: 8192
    # -- SQL database dialect. `mysql` or `pgsql`
    cnSqlDbDialect: mysql
    # -- SQL database host uri.
    cnSqlDbHost: my-release-mysql.default.svc.cluster.local
    # -- SQL database port.
    cnSqlDbPort: 3306
    # -- SQL database name.
    cnSqlDbName: jans
    # -- SQL database username.
    cnSqlDbUser: jans
    # -- SQL database timezone.
    cnSqlDbTimezone: UTC
    # -- SQL password file holding password from config.configmap.cnSqldbUserPassword .
    cnSqlPasswordFile: /etc/jans/conf/sql_password
    # -- SQL password  injected as config.configmap.cnSqlPasswordFile .
    cnSqldbUserPassword: Test1234#
    # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
    cnCacheType: NATIVE_PERSISTENCE
    # -- The name of the Kubernetes ConfigMap that will hold the configuration layer
    cnConfigKubernetesConfigMap: cn
    # -- Value passed to Java option -XX:MaxRAMPercentage
    cnMaxRamPercent: "75.0"
    # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
    cnSecretKubernetesSecret: cn
    # -- Loadbalancer address for AWS if the FQDN is not registered.
    lbAddr: ""
  # -- Country code. Used for certificate creation.
  countryCode: US
  # -- Email address of the administrator usually. Used for certificate creation.
  email: support@gluu.org
  image:
    # -- Image  to use for deploying.
    repository: janssenproject/configuration-manager
    # -- Image  tag to use for deploying.
    tag: 1.0.0_b11
    # -- Image Pull Secrets
    pullSecrets: [ ]     
  # -- Organization name. Used for certificate creation.
  orgName: Gluu
  # -- Resource specs.
  resources:
    limits:
      # -- CPU limit.
      cpu: 300m
      # -- Memory limit.
      memory: 300Mi
    requests:
      # -- CPU request.
      cpu: 300m
      # -- Memory request.
      memory: 300Mi
  # -- State code. Used for certificate creation.
  state: TX
  # -- Configure any additional volumes that need to be attached to the pod
  volumes: []
  # -- Configure any additional volumesMounts that need to be attached to the containers
  volumeMounts: []
  # -- Add custom dns policy
  dnsPolicy: ""
  # -- Add custom dns config
  dnsConfig: {}

# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).
config-api:
  # -- Configure the HorizontalPodAutoscaler
  hpa:
    enabled: true
    minReplicas: 1
    maxReplicas: 10
    targetCPUUtilizationPercentage: 50
    # -- metrics if targetCPUUtilizationPercentage is not set
    metrics: []
    # -- Scaling Policies
    behavior: {}
  # -- Add custom normal and secret envs to the service
  usrEnvs:
    # -- Add custom normal envs to the service
    # variable1: value1
    normal: {}
    # -- Add custom secret envs to the service
    # variable1: value1
    secret: {}
  # -- Add custom dns policy
  dnsPolicy: ""
  # -- Add custom dns config
  dnsConfig: {}
  image:
    # -- Image pullPolicy to use for deploying.
    pullPolicy: IfNotPresent
    # -- Image  to use for deploying.
    repository: janssenproject/config-api
    # -- Image  tag to use for deploying.
    tag: 1.0.0_b11
    # -- Image Pull Secrets
    pullSecrets: [ ]     
  # -- Service replica number.
  replicas: 1
  # -- Resource specs.
  resources:
    limits:
      # -- CPU limit.
      cpu: 1000m
      # -- Memory limit.
      memory: 400Mi
    requests:
      # -- CPU request.
      cpu: 1000m
      # -- Memory request.
      memory: 400Mi
  # -- Configure the liveness healthcheck for the auth server if needed.
  livenessProbe:
    # -- http liveness probe endpoint
    httpGet:
      path: /jans-config-api/api/v1/health/live
      port: 8074
    initialDelaySeconds: 30
    periodSeconds: 30
    timeoutSeconds: 5
  readinessProbe:
    # -- http readiness probe endpoint
    httpGet:
      path: jans-config-api/api/v1/health/ready
      port: 8074
    initialDelaySeconds: 25
    periodSeconds: 25
    timeoutSeconds: 5
  # -- Configure any additional volumes that need to be attached to the pod
  volumes: []
  # -- Configure any additional volumesMounts that need to be attached to the containers
  volumeMounts: []

# -- Parameters used globally across all services helm charts.
global:
  # -- Add custom normal and secret envs to the service.
  # Envs defined in global.userEnvs will be globally available to all services
  usrEnvs:
    # -- Add custom normal envs to the service.
    # variable1: value1
    normal: {}
    # -- Add custom secret envs to the service.
    # variable1: value1
    secret: {}
  alb:
    # -- Activates ALB ingress
    ingress: false

  auth-server:
    # -- Name of the auth-server service. Please keep it as default.
    authServerServiceName: auth-server
    # -- Boolean flag to enable/disable auth-server chart. You should never set this to false.
    enabled: true
  cloud:
    # -- Boolean flag if enabled will strip resources requests and limits from all services.
    testEnviroment: false
  # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.
  cnPersistenceType: sql
  # -- Open banking external signing jwks uri. Used in SSA Validation.
  cnObExtSigningJwksUri: ""
  # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
  cnObExtSigningJwksCrt: ""
  # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
  cnObExtSigningJwksKey: ""
  # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
  cnObExtSigningJwksKeyPassPhrase: ""
  # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G
  cnObExtSigningAlias: ""
  # -- Open banking  signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G
  cnObStaticSigningKeyKid: ""
  # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
  cnObTransportCrt: ""
  # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
  cnObTransportKey: ""
  # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.
  cnObTransportKeyPassPhrase: ""
  # -- Open banking transport Alias used inside the JVM.
  cnObTransportAlias: ""
  # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.
  cnObTransportTrustStore: ""
  config:
    # -- Boolean flag to enable/disable the configuration chart. This normally should never be false
    enabled: true
  # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes
  configAdapterName: kubernetes
  # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes
  configSecretAdapter: kubernetes
  config-api:
    # -- Name of the config-api service. Please keep it as default.
    configApiServerServiceName: config-api
    # -- Boolean flag to enable/disable the config-api chart.
    enabled: true
  # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.
  fqdn: demoexample.gluu.org
  # -- Boolean flag to enable mapping global.lbIp  to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.
  isFqdnRegistered: false
  istio:
    # -- Boolean flag that enables using istio side cars with Gluu services.
    enabled: false
    # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.
    ingress: false
    # -- The namespace istio is deployed in. The is normally istio-system.
    namespace: istio-system
  # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.
  lbIp: ""
  nginx-ingress:
    # -- Boolean flag to enable/disable the nginx-ingress definitions chart.
    enabled: true
  distribution: openbanking
  persistence:
    # -- Boolean flag to enable/disable the persistence chart.
    enabled: true
  upgrade:
    # -- Boolean flag used when running helm upgrade command. This allows upgrading the chart without immutable objects errors.
    enabled: false

# -- Nginx ingress definitions chart
nginx-ingress:
  ingress:
    # -- Enable endpoint /.well-known/openid-configuration
    openidConfigEnabled: true
    # -- openid-configuration ingress resource labels. key app is taken
    openidConfigLabels: { }
    # -- Enable endpoint /.well-known/uma2-configuration
    uma2ConfigEnabled: true
    # -- uma2 config ingress resource labels. key app is taken
    uma2ConfigLabels: { }
    # -- Enable endpoint /.well-known/webfinger
    webfingerEnabled: true
    # -- webfinger ingress resource labels. key app is taken
    webfingerLabels: { }
    # -- Enable endpoint /.well-known/simple-web-discovery
    webdiscoveryEnabled: true
    # -- webdiscovery ingress resource labels. key app is taken
    webdiscoveryLabels: { }
    # Enable config API endpoints /jans-config-api
    configApiEnabled: true
    # -- configAPI ingress resource labels. key app is taken
    configApiLabels: { }
    # -- Enable endpoint /.well-known/fido-configuration
    u2fConfigEnabled: true
    # -- u2f config ingress resource labels. key app is taken
    u2fConfigLabels: { }
    # -- Enable Auth server endpoints /jans-auth
    authServerEnabled: true
    # -- Auth server config ingress resource labels. key app is taken
    authServerLabels: { }
    # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token
    authServerProtectedToken: false
    # -- Auth server protected token ingress resource labels. key app is taken
    authServerProtectedTokenLabels: { }
    # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register
    authServerProtectedRegister: false
    # -- Auth server protected token ingress resource labels. key app is taken
    authServerProtectedRedisterLabels: { }
    # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
    additionalLabels: { }
    # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
    # Enable client certificate authentication
    # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
    # Create the secret containing the trusted ca certificates
    # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate"
    # Specify the verification depth in the client certificates chain
    # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Specify if certificates are passed to upstream server
    # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    additionalAnnotations: {}
    path: /
    hosts:
    - demoexample.gluu.org
    # -- Secrets holding HTTPS CA cert and key.
    tls:
    - secretName: tls-certificate
      hosts:
      - demoexample.gluu.org
# -- Job to generate data and intial config for Gluu Server persistence layer.
persistence:
  # -- Add custom normal and secret envs to the service
  usrEnvs:
    # -- Add custom normal envs to the service
    # variable1: value1
    normal: {}
    # -- Add custom secret envs to the service
    # variable1: value1
    secret: {}
  # -- Add custom dns policy
  dnsPolicy: ""
  # -- Add custom dns config
  dnsConfig: {}
  image:
    # -- Image pullPolicy to use for deploying.
    pullPolicy: IfNotPresent
    # -- Image  to use for deploying.
    repository: janssenproject/persistence-loader
    # -- Image  tag to use for deploying.
    tag: 1.0.0_b11
    # -- Image Pull Secrets
    pullSecrets: [ ]    
  # -- Resource specs.
  resources:
    limits:
      # -- CPU limit
      cpu: 300m
      # -- Memory limit.
      memory: 300Mi
    requests:
      # -- CPU request.
      cpu: 300m
      # -- Memory request.
      memory: 300Mi
  # -- Configure any additional volumes that need to be attached to the pod
  volumes: []
  # -- Configure any additional volumesMounts that need to be attached to the containers
  volumeMounts: []