Prerequisites
Preparations
Secrets for the TLS Certificate and Credentials for the Image Registry
Create a file named "tls-secret.yaml", using this template:

```yaml
apiVersion: v1
data:
  tls.crt: <Complete TLS certificate chain, base64 encoded>
  tls.key: <TLS certificate key, base64 encoded>
kind: Secret
metadata:
  name: cdcm-certs
type: kubernetes.io/tls
```
Apply the secret. The `cdcm` namespace must already exist at this point; the `--create-namespace` flag on the Helm install further down runs too late to help here:

```sh
sudo kubectl apply -f tls-secret.yaml -n cdcm
```
Create a file "regcred-secret.yaml", using this template. The value of `.dockerconfigjson` is the base64 encoding of a Docker `config.json` document (`{"auths": {"<registry host>": {"username": "...", "password": "...", "auth": "..."}}}`), not of the bare username and password:

```yaml
apiVersion: v1
data:
  .dockerconfigjson: <Base64 encoded image registry credentials>
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
```
Apply the secret:

```sh
sudo kubectl apply -f regcred-secret.yaml -n cdcm
```
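Both templates above expect base64 values, and encoding them by hand is where installs usually go wrong: line-wrapped base64, a chain without its intermediates, or an `auth` field that does not match the username and password. The script below is an added example and not part of the CDCM documentation or chart. It builds both Secret manifests from the raw inputs and writes them to stdout, so they can be piped straight into `kubectl apply -f -` without a plaintext secret file on disk. The Secret names `cdcm-certs` and `regcred` and the namespace `cdcm` are the ones used above; the registry host, the PEM file names and the `REGISTRY_PASSWORD` variable are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example (not part of the CDCM documentation or chart): build the TLS and
# registry Secret manifests from raw inputs instead of hand-encoding base64, and
# emit them on stdout so nothing secret has to be written to disk.

# b64: single-line base64 of stdin. GNU base64 wraps at 76 columns and BSD/macOS
# base64 has no -w flag, so strip the newlines instead of relying on either.
b64() { base64 | tr -d '\n'; }

# docker_config_json REGISTRY USER PASSWORD: the JSON the kubelet expects in
# .dockerconfigjson (same layout as ~/.docker/config.json). The "auth" field is
# base64("user:password"). Values are not JSON-escaped here: for passwords that
# contain '"' or '\' use `kubectl create secret docker-registry` instead.
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth"
}

# regcred_manifest NAMESPACE REGISTRY USER PASSWORD: the Secret "regcred" used above.
regcred_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config_json "$2" "$3" "$4" | b64)
EOF
}

# tls_manifest NAMESPACE CHAIN_PEM KEY_PEM: the Secret "cdcm-certs" used above.
# CHAIN_PEM must hold the leaf certificate followed by its intermediates (the
# "complete chain" the template asks for); KEY_PEM is the unencrypted private key.
tls_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cdcm-certs
  namespace: $1
type: kubernetes.io/tls
data:
  tls.crt: $(b64 < "$2")
  tls.key: $(b64 < "$3")
EOF
}

# Usage (registry host, user and file names are placeholders). Set the password
# with `read -r REGISTRY_PASSWORD` first so it never appears on a command line:
#   sh make_secrets.sh cdcm <registry host> <user> fullchain.pem privkey.pem | kubectl apply -f -
if [ $# -eq 5 ]; then
  tls_manifest "$1" "$4" "$5"
  echo '---'
  regcred_manifest "$1" "$2" "$3" "${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD in the environment}"
fi
```

Create the namespace before piping into `kubectl apply -n cdcm` (`kubectl create namespace cdcm`), since apply does not create it. The imperative equivalents, `kubectl create secret tls cdcm-certs --cert=fullchain.pem --key=privkey.pem -n cdcm` and `kubectl create secret docker-registry regcred --docker-server=<registry host> --docker-username=<user> --docker-password=... -n cdcm`, do the encoding and JSON escaping for you and are the better choice for passwords with special characters. Either way, base64 is an encoding, not encryption: anyone who can read the Secret object or the generated manifest recovers the private key and the registry password.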
Add the chart repo

```sh
sudo helm repo add cdcm https://repo.secure.mid.de/chartrepo/cdcm --username <user> --password <password> && sudo helm repo update
```

Passing `--password` on the command line leaves the repository credential in the shell history and makes it visible in the process list while the command runs; `helm repo add` also accepts `--password-stdin`, which avoids both.
Customize Values File
Create a file "values.yaml", using this template. Compare the key names and nesting with the chart's own default values before installing, and treat the file as a credential store: it holds the MongoDB password, the OAuth 1.0a consumer secret and the OIDC client secret in plaintext, so restrict its permissions and keep it out of version control.

```yaml
global:
  domain: "<your domain>"
env:
  hosts:
    cdcm:
      subdomain: "<your subdomain>"
      port: "8080"
      # USER and PASSWORD are real credentials: do not commit this file
      mongoConnectionString: "mongodb+srv://USER:PASSWORD@<MongoDB Atlas cluster address>/?retryWrites=true&w=majority&appName=Cluster0"
      oauth10a:
        active: true
        enabled: true
        outbound:
          details:
            - name: "mid-jts-outbound"
              protectedUrlRoots: ""   # multiple entries, comma separated
              consumerKey: "consumer-key"
              consumerSecret: "secret"
              rootServices: ""        # e.g. "https://elmdemo.smartfacts.com:9443/jts/rootservices"
        inbound:
          realm-name: ""
      spacesData: '[{"key": "name of database","title": "Space title"}]'
      authClientId: "cdcm"
      authClientSecret: "client_secret"
      authIssuerUri: ""
      authUri: ""
      authTokenUri: ""
      authUserInfoUri: ""
      authJwkSetUri: ""
      authUsePkce: false                    # whether Proof Key for Code Exchange (PKCE) is used
      authClientRolesAttribute: "roles"     # attribute name for client roles
      authUserIdAttribute: "sub"            # attribute name for the user ID
      authUserNameAttribute: "name"         # attribute name for the user name
      authFirstNameAttribute: "given_name"  # attribute name for the user's first name
      authLastNameAttribute: "family_name"  # attribute name for the user's last name
      authMailAttribute: "email"            # attribute name for the user's e-mail address
      jwtIssuerUri: ""
```
All environment variables are explained in the following section.

Environment Variables

| Variable name | Data type | Description |
|---|---|---|
| `SPACES_DATA` | string | Defines and creates spaces: a JSON array of objects with `key`, `title` and `databaseName`. Example: `[{"key": "ExampleKey", "title": "An example title", "databaseName": "CDCM-database-name"}, {"key": "AnotherExampleKey", "title": "A different title", "databaseName": "Other-db"}]` |
| `ALLOWED_CORS_ORIGINS` | string | Origins that are allowed to access the server via Cross-Origin Resource Sharing (CORS). |
| `CONTEXT_PATH` | string | Base URI context path of the server. Defaults to the root context if not set. |
| `CORS_ENABLED` | boolean | Enables or disables Cross-Origin Resource Sharing (CORS) at the security level. |
| `CSRF_ENABLED` | boolean | Enables or disables Cross-Site Request Forgery (CSRF) protection. |
| `CSP_HEADER` | string | Sets the `Content-Security-Policy` response header to the given value. Not set by default. |
| `MONGO_CONNECTION_STRING` | string | Full MongoDB connection string: one or more hostnames with ports (all nodes when a replica set is used) and optionally the database name. Port 27017 is used when none is given. Format: `mongodb://<hostname>:<port>/<db name>`, e.g. `mongodb://localhost:27019/mydatabase`, or with multiple hosts `mongodb://host1:27017,host2:27018,host3:27019/mydatabase` |
| `MONGO_TRANSACTIONS_ENABLED` | boolean | Enables or disables MongoDB transactions. Defaults to false. Can only be enabled when the MongoDB deployment is a replica set. |
| `MONGO_RUNNING_ON_ATLAS` | string `autodetect` (default) or boolean `true`/`false` | Whether the connection targets a MongoDB Atlas cluster (relevant for Atlas Search). Autodetected from the connection string by default; can be forced to `true` or `false`. |
| `OAUTH10A_ACTIVE`, `OAUTH10A_ENABLE` | boolean | Control whether OAuth 1.0a is active and enabled in the application. |
| `OAUTH10A_CONSUMER_KEY` | string | Consumer key for OAuth 1.0a authentication. |
| `OAUTH10A_CONSUMER_SECRET` | string | Consumer secret for OAuth 1.0a authentication. |
| `OAUTH10A_NAME` | string | Name of the OAuth 1.0a configuration. |
| `OAUTH10A_PROTECTED_URL_ROOT` | string | Protected URL roots for OAuth 1.0a authentication (comma separated). |
| `OAUTH10A_ROOT_SERVICE_URL` | string | URL of the OAuth 1.0a root services document. |
| `PORT` | integer | Port the server listens on. Defaults to 8080. |
| `PUBLIC_URL` | string | Public-facing URL of the server, used to build absolute URLs. Defaults to `http://localhost` on the configured server port. |
| `X_FRAME_SAME_ORIGIN` | string | Controls the `X-Frame-Options` header (clickjacking protection). Defaults to true. |
| `LOGGING_LEVEL` | string | Log level of the application: TRACE, DEBUG, INFO (default), WARN, ERROR, FATAL, OFF. |
| `ADMIN_LOGIN_ENABLED` | boolean | Shows the admin login option. |
| `MONGO_SHARED_DATABASE` | string | Name of the default database. Currently only used for user data. |
| `JWT_ISSUER_URI` | string | Issuer URI of the JWT tokens. |
| `ENCRYPTION_KEY` | string | Key used to encrypt sensitive data persisted in the database. Generate it randomly and keep it stable across upgrades; data encrypted under a previous key cannot be read otherwise. |

Leave `CSRF_ENABLED` and the `X-Frame-Options` header on unless a documented integration requires otherwise, and when CORS is enabled list in `ALLOWED_CORS_ORIGINS` only the exact origins that need access. `ENCRYPTION_KEY`, the MongoDB credentials and the OAuth and OIDC secrets are credentials like any other: restrict who can read the values file and the resources in the `cdcm` namespace.
OAuth10a Configuration

| Parameter | Type | Required? | Description |
|---|---|---|---|
| `oauth10a.active` | Boolean | Yes | When active, the application applies the technical preconditions needed to process OAuth 1.0a requests. |
| `oauth10a.enabled` | Boolean | Yes | Enables or disables use of OAuth 1.0a. |
| `oauth10a.outbound.details.name` | String | Yes | Name of the OAuth 1.0a connection. Serves as the unique identifier of this configuration. |
| `oauth10a.outbound.details.protectedUrlRoots` | String (list) | No | Comma-separated list of protected URL roots. Leave empty if not applicable. |
| `oauth10a.outbound.details.consumerKey` | String | Yes | Consumer key for OAuth 1.0a authentication. Identifies the application to the provider. |
| `oauth10a.outbound.details.consumerSecret` | String | Yes | Consumer secret for OAuth 1.0a authentication. Used to verify the application (it is part of the request signing key), so treat it as a credential. |
| `oauth10a.outbound.details.rootServices` | String | No | Base URL of the root services document to be accessed. Leave empty if not applicable. |
Authentication Provider Configuration

| Variable name | Data type | Description |
|---|---|---|
| `AUTH_CLIENT_ID` | string | Default client ID for authentication |
| `AUTH_CLIENT_SECRET` | string | Default client secret for authentication |
| `AUTH_ISSUER_URI` | string | Issuer URI of the authentication provider |
| `AUTH_TENANT_ID` | string | ID of the application's tenant at the authorization provider |
| `AUTH_URI` | string | Authorization endpoint URI |
| `AUTH_TOKEN_URI` | string | Token endpoint URI for obtaining access and refresh tokens |
| `AUTH_USER_INFO_URI` | string | User-info endpoint URI for obtaining user details |
| `AUTH_JWK_SET_URI` | string | URI of the JSON Web Key Set used to verify token signatures |
| `AUTH_END_SESSION_URI` | string | End-session URI used for logging out |
| `AUTH_USE_PKCE` | boolean | Indicates whether Proof Key for Code Exchange (PKCE) is used |
| `ROLE_DELIMITER` | string | Custom delimiter within role strings. Default: `.` |
| `CONFIGURATION_AREA_WILDCARD` | string | Wildcard for non-confidential configuration areas. Default: `*` |
| `OAUTH_CLAIM_CONFIGURATION` | string | Claim configuration; documented separately. |
Install CDCM

```sh
helm upgrade --install --timeout 1m0s cdcm cdcm/cdcm -f values.yaml --version 1.0.6 -n cdcm --create-namespace --debug
```

With `--debug`, Helm prints the user-supplied and computed values together with the rendered manifests, so the output contains every credential from values.yaml; keep it out of tickets and CI logs, or drop the flag once the install works. Pinning `--version` is deliberate and should stay. `--timeout` bounds each individual Kubernetes operation Helm performs (such as hook Jobs); it does not wait for the pods to become ready, which the next step covers.
Watch Deployment (in a new Session)

Open a second session on the server and enter the following command:

```sh
sudo watch kubectl get deployments -n cdcm
```

As soon as all deployments are available, the installation is ready.
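The watch shows that the pods came up, not that the hardening configured through `X_FRAME_SAME_ORIGIN` and `CSP_HEADER` reaches clients: an ingress controller or reverse proxy in front of the pod can drop or overwrite response headers. The script below is an added example and not part of the CDCM documentation or chart. It parses a raw HTTP response-header dump and fails unless `X-Frame-Options` is `DENY` or `SAMEORIGIN` and a `Content-Security-Policy` header is present; the two sample dumps are constructed, and the public URL passed in live mode is a placeholder for the instance's `PUBLIC_URL`.

```shell
#!/bin/sh
# Added example (not part of the CDCM documentation or chart): verify that a
# deployed instance really sends the headers that X_FRAME_SAME_ORIGIN and
# CSP_HEADER configure. Ingress controllers and proxies can strip or replace them.

# header_value DUMP NAME: print the value of response header NAME (case-insensitive)
# from a raw header dump; prints nothing when the header is absent.
header_value() {
  lname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | tr -d '\r' | awk -v name="$lname" '
    index($0, ":") > 0 {
      key = tolower(substr($0, 1, index($0, ":") - 1))
      if (key == name) {
        val = substr($0, index($0, ":") + 1)
        sub(/^[ \t]+/, "", val)
        print val
        exit
      }
    }'
}

# check_security_headers DUMP: return 0 only if X-Frame-Options is DENY or
# SAMEORIGIN and a Content-Security-Policy header exists; explain failures on stderr.
check_security_headers() {
  rc=0
  xfo=$(header_value "$1" "X-Frame-Options")
  case "$(printf '%s' "$xfo" | tr 'a-z' 'A-Z')" in
    DENY|SAMEORIGIN) ;;
    *) echo "FAIL: X-Frame-Options missing or weak: '$xfo' (check X_FRAME_SAME_ORIGIN)" >&2; rc=1 ;;
  esac
  csp=$(header_value "$1" "Content-Security-Policy")
  if [ -z "$csp" ]; then
    echo "FAIL: no Content-Security-Policy header (check CSP_HEADER)" >&2
    rc=1
  fi
  return $rc
}

# Constructed sample dumps (not captured from a real deployment).
HARDENED_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'"

# What a proxy that discards the application's headers leaves behind.
STRIPPED_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Server: nginx"

# Live mode: sh check_headers.sh https://<public URL>/  (GET request, headers only)
if [ -n "${1:-}" ]; then
  check_security_headers "$(curl -sS -D - -o /dev/null "$1")"
fi
```

Run it with the instance's public URL once the deployments are available; without an argument it only defines the functions. If a header is missing here but present when you query the pod's port directly from inside the cluster, the proxy layer is the culprit, not the CDCM configuration. For scripting the readiness check itself, `kubectl wait --for=condition=Available deployment --all -n cdcm --timeout=5m` replaces the interactive `watch`.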