Deploying the OSLC Connector for Innovator
- 1 Prerequisites
- 2 Prepare the Deployment
- 2.1 Add library Repository for the OSLC Connector for Innovator
- 2.2 Customize Values File
- 2.2.1 Create the values file
- 2.2.2 Customize the values in the values file
- 2.2.2.1 Domain and subdomain
- 2.2.2.2 Image repository and login credentials
- 2.2.2.3 SSL certificates
- 2.2.2.4 OIDC Issuer
- 2.2.2.5 Configuring the OIDC client
- 2.2.2.6 Setting up a connection to the Innovator instance
- 2.2.2.7 Configure OIDC endpoints
- 2.2.2.8 PKCE
- 2.2.2.9 List of OSLC Connector for Innovator administrators
- 2.2.2.10 Encrypt oauth10a configuration data
- 2.2.2.11 User name attribute
- 2.2.2.12 Client scopes
- 2.2.2.13 Allowed CORS URLs
- 2.2.2.14 Ingress
- 2.2.2.15 certtool
- 3 Install the OSLC Connector for Innovator
Prerequisites
The following steps should already have been done before you install the OSLC Connector for Innovator. Please make sure that:
- The OIDC client MUST fulfill the following requirements:
  - it has to be a private client (so it has a key and secret)
  - it has to be OIDC
  - the grant type must be authorization code
  - the redirect URI must be https://<oslc connector url>/login/oauth2/code/custom
- Server certificates for your https://genoslc-innovator.<your domain> are present. The certificates must fulfill the requirements stated in this section: Creating and testing the Certificates for Smartfacts | Create the certificate
- The DNS entry is set for https://genoslc-innovator.<your domain>
- Your OSLC Connector for Innovator deployment can reach the target Innovator instance; all necessary proxies are configured to allow the communication from the OSLC Connector to the Innovator and the Confluence instance
Prepare the Deployment
Add library Repository for the OSLC Connector for Innovator
You will need a username and password to download the helm chart and containers from MID's repository. You will receive the username and password from your MID contact or from cops@mid.de.
```shell
sudo helm repo add library https://repo.secure.mid.de/chartrepo/library --username <USERNAME> --password <PASSWORD>
sudo helm repo update
```
Customize Values File
Create the values file
Change to your user's home directory on the server and create a new text file values-genoslc-innovator.yaml with the following content:
```yaml
global:
  # Domain of the URL (if your OSLC Connector for Innovator will be accessible as "genoslc-innovator.mycompany.com", then enter "mycompany.com" here.)
  domain: ""
  # registry: The Docker image registry used to download the images. Default is "repo.mid.de". Change it if you use an internal Docker image registry as a mirror.
  registry: ""
  # repologin: Base64-encoded login credentials for the Docker image registry. You will get it for repo.mid.de from MID.
  repologin: ""
  # SSL certificates
  cert:
    crtFullChain: ""
    key: ""
  # Setup OIDC information
  identity:
    # OIDC issuer URL, taken from the /.well-known/openid-configuration endpoint
    OIDC_ISSUER: ""
  oidc:
    # OIDC client ID registered for this application
    clientId: ""
    # OIDC client secret registered for this application
    clientSecret: ""
  hosts:
    genoslc:
      # The subdomain where the OSLC Connector for Innovator will be accessible
      subdomain: "genoslc-innovator"
env:
  tool:
    type: "innovator"
    # In adaptedToolApiUri and adaptedToolRootUri insert the hostname of the OSLC Connector for Innovator (https://genoslc-innovator.<your domain>)
    adaptedToolApiUri: ""
    adaptedToolRootUri: ""
    innovator:
      # licenseServer: The hostname and port of the Innovator License Server (e.g. "myinnovatorserver.mycompany.com:16000")
      licenseServer: ""
      # authorizationUri: The authorization endpoint of your OIDC server
      authorizationUri: ""
      # tokenUri: The token endpoint of your OIDC server
      tokenUri: ""
      # userInfoUri: The user info endpoint of your OIDC server
      userInfoUri: ""
      # jwkUri: jwks_uri of your OIDC server
      jwkUri: ""
      pkceEnabled: true
  configuration:
    # administrators: A list of the email addresses of up to 5 users that are allowed to configure the OSLC Connector.
    administrators: []
    # oauth10aEncryptionKey: A random key to encrypt the configuration data of the OSLC Connector in the database. Once set, it should never change anymore.
    oauth10aEncryptionKey: ""
    # userNameAttribute: The claim in the token the user is identified with. This claim must contain the email address of the user. If the claim has a different name with your OIDC provider, adapt it here.
    userNameAttribute: "email"
    clientScope: "openid, profile, email"
    # allowedCorsOrigins: All allowed CORS origins (see https://developer.mozilla.org/de/docs/Web/HTTP/CORS for more information regarding CORS). If your OIDC provider is Entra ID, then add "https://login.microsoftonline.com" here. For other OIDC providers please refer to the provider's manual.
    allowedCorsOrigins: ""
    trsEnabled: false
    # valid values are: INFO, ERROR, DEBUG, TRACE
    loggingLevelSpringFramework: "INFO"
  port: "8080"
  containerPort: "8080"
ingress:
  enabled: true
  # className: set the className of the ingress controller instance to be used in your cluster
  className: ""
# Special certtool configuration
certtool:
  # The certtool generates the TLS secret and the truststore to be used. It should only be activated on the first deployment and after a certificate update.
  enabled: true
mongodb:
  enabled: true
```
Customize the values in the values file
Add the missing values in the values file. With the genoslc chart it is possible to deploy OSLC connectors for different tools, so some values (like env.tool.type: innovator or env.containerPort: 8080) are fixed in the template to configure the deployment for the OSLC Connector for Innovator. Please leave these values unchanged in your values file. The values to be added are described in the next sections.
Domain and subdomain
In the global section you must specify the domain and subdomain that form the base URL where the OSLC Connector for Innovator will be accessible.
```yaml
global:
  domain: "yourcompany.com"
  [...]
  hosts:
    genoslc:
      subdomain: "genoslc-innovator"
```
The example data shown will result in the URL "http://genoslc-innovator.yourcompany.com".
With the OSLC Plugin for Confluence or Jira, the subdomain of the OSLC Connector for Innovator must contain the string "genoslc" in its name.
Image repository and login credentials
If you use the MID image registry directly, the base64 string for the registry credentials is sent to you by MID. If you need it, please write to cops@mid.de.
If you use a private registry, you must encode the registry credentials yourself. To do this, replace the placeholders for <username> and <password> in this JSON snippet and encode it in base64. Make sure the line endings are Unix line endings, not Windows.
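The following shell functions are an added example, not part of this page or of MID's tooling. They build the base64 value for a private registry from a username and password, decode it again so it can be checked before it goes into the values file, and detect Windows line endings in a file. The assumption, labelled in the code, is that the chart expects the standard Kubernetes `.dockerconfigjson` structure; the registry host and credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page). ASSUMPTION: global.repologin is the base64
# of a standard Kubernetes .dockerconfigjson document. Registry, user and
# password used here are constructed placeholders.

# make_repologin REGISTRY USERNAME PASSWORD -> single-line base64 string.
# Caveat: a username or password containing a double quote would break the
# JSON; such values need JSON escaping first.
make_repologin() {
  registry=$1; user=$2; pass=$3
  # Docker's "auth" field is base64("user:password"); printf adds no newline.
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  # The JSON is built on one line, so there are no line endings at all that
  # could be Windows (CRLF) endings. tr removes the wrapping GNU base64 adds.
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$auth" | base64 | tr -d '\n'
}

# decode_repologin B64 -> the JSON document again, for a visual check
decode_repologin() {
  printf '%s' "$1" | base64 -d
}

# has_crlf FILE -> exit 0 if the file contains carriage returns, i.e. it was
# saved with Windows line endings and must be converted before encoding
has_crlf() {
  grep -q "$(printf '\r')" "$1"
}
```

Run `decode_repologin "$(make_repologin repo.example.invalid alice s3cret)"` to see the JSON that will end up in the image pull secret; the encoded string itself contains no whitespace, so it can be pasted directly into the `repologin` value.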
SSL certificates
OIDC Issuer
The OIDC issuer must be configured in the global section in order to establish the connection between the application and the SSO. The issuer URL value has to be retrieved from the /.well-known/openid-configuration endpoint of the SSO (RFC 8414 - OAuth 2.0 Authorization Server Metadata (ietf.org)).
Configuring the OIDC client
After configuring the OIDC client in your SSO provider you must set the OIDC client ID and client secret.
Setting up a connection to the Innovator instance
For the OSLC Connector for Innovator, the values for adaptedToolRootUri and adaptedToolApiUri must point to the OSLC Connector for Innovator itself (https://genoslc-innovator.<your domain>).
Enter the license server in the format "host:port".
Configure OIDC endpoints
Configure the OIDC endpoints. To get the values, call the well-known URL of your OIDC provider in your browser. Use the values from the fields authorization_endpoint, token_endpoint, userinfo_endpoint and jwks_uri of the well-known document.
PKCE
Sets the application to use PKCE (PKCE for OAuth 2.0, RFC 7636) when authenticating the user. Default value is true. Set pkceEnabled to false if the OIDC provider does not support PKCE.
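The script below is an added example, not part of this page or of MID's deliverables. It takes an OIDC discovery document (the page's well-known URL) and derives the values for the OIDC Issuer, OIDC endpoints and PKCE sections in one pass, with two checks a deployer should make before copying anything into the values file: the `issuer` field in the document must equal the URL that goes into OIDC_ISSUER (RFC 8414 requires this match), and every endpoint must be https. The discovery document is constructed for the example; in practice it comes from `curl -s "$issuer/.well-known/openid-configuration"`, and the key names (`issuer`, `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`, `jwks_uri`, `code_challenge_methods_supported`) are the standard ones from OpenID Connect Discovery and RFC 8414.

```shell
#!/bin/sh
# Added example (not from the page). Derives OIDC_ISSUER, authorizationUri,
# tokenUri, userInfoUri, jwkUri and pkceEnabled from a discovery document and
# checks them. SAMPLE_DISCOVERY is a CONSTRUCTED, shortened stand-in for what
# /.well-known/openid-configuration returns; sso.example.invalid is a placeholder.

SAMPLE_DISCOVERY='{
  "issuer": "https://sso.example.invalid/realms/demo",
  "authorization_endpoint": "https://sso.example.invalid/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "https://sso.example.invalid/realms/demo/protocol/openid-connect/token",
  "userinfo_endpoint": "https://sso.example.invalid/realms/demo/protocol/openid-connect/userinfo",
  "jwks_uri": "https://sso.example.invalid/realms/demo/protocol/openid-connect/certs",
  "code_challenge_methods_supported": ["plain", "S256"]
}'

# json_field DOC KEY -> string value of a top-level key (flat document, one key per line;
# a sed extraction, not a JSON parser, which is enough for discovery documents)
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_issuer DOC EXPECTED -> 0 if the document's "issuer" equals the URL that will
# be written into OIDC_ISSUER. A mismatch means a different server (or a
# misconfigured proxy) answered, and the connector's token validation would fail.
check_issuer() {
  [ "$(json_field "$1" issuer)" = "$2" ]
}

# check_https URL -> 0 only for https URLs; a plain-http token endpoint would send
# the client secret and tokens in clear text
check_https() {
  case "$1" in https://*) return 0;; *) return 1;; esac
}

# pkce_value DOC -> "true" if the server advertises the S256 challenge method,
# otherwise "false" (the value for pkceEnabled)
pkce_value() {
  if printf '%s\n' "$1" | grep -q '"S256"'; then echo true; else echo false; fi
}

# render_values DOC -> the env.tool.innovator lines for the values file, or exit 1
# (with a message on stderr) if any endpoint is not https
render_values() {
  doc=$1
  for key in authorization_endpoint token_endpoint userinfo_endpoint jwks_uri; do
    check_https "$(json_field "$doc" "$key")" || { echo "$key is not https" >&2; return 1; }
  done
  cat <<EOF
      authorizationUri: "$(json_field "$doc" authorization_endpoint)"
      tokenUri: "$(json_field "$doc" token_endpoint)"
      userInfoUri: "$(json_field "$doc" userinfo_endpoint)"
      jwkUri: "$(json_field "$doc" jwks_uri)"
      pkceEnabled: $(pkce_value "$doc")
EOF
}
```

Typical use is `doc=$(curl -s "https://<sso host>/.well-known/openid-configuration")`, then `check_issuer "$doc" "<the OIDC_ISSUER you configured>"` and `render_values "$doc"`; the rendered lines are indented for the `env.tool.innovator` block of the values file above.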
List of OSLC Connector for Innovator administrators
Provide a list of up to 5 email addresses of users who will have the administration right to change protected settings in the OSLC Connector. Inbound details and Outbound details can be managed only by administrators. At least one administrator user must be stated here.
Encrypt oauth10a configuration data
Set the encryption key that is used to encrypt and decrypt the oauth10a configuration data in the database. If you do not set an encryption key, the configuration data of the OSLC Connector is stored unencrypted in the database. As soon as the OSLC Connector has been provided with an encryption key, the key may not be changed anymore.
User name attribute
Used to set the JWT claim to be used for user identification. With the OSLC Connector for Innovator this claim must contain the email address of the user.
Example:
Client scopes
Sets the client scopes used in the authentication process. Default value "openid". The value is a comma-separated list of scopes. The scope openid is mandatory; normally the scope profile enables the email claim in the token.
Example:
Allowed CORS URLs
This is a comma-separated list of applications that are allowed to make requests to the OSLC Connector API, such as third-party applications that read data from the OSLC Connector for Innovator.
Example:
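As an added example (not from this page and not MID's tooling), the following pre-deployment check reads the `env.configuration` block of the values file and enforces the constraints the sections on administrators, the encryption key, client scopes and CORS origins describe: one to five administrator addresses, a non-empty `oauth10aEncryptionKey` (otherwise the oauth10a data is stored unencrypted), `openid` present in `clientScope`, and https-only CORS origins. It also generates a random key for `oauth10aEncryptionKey`. The values fragment is constructed; only the flat keys of that block are read, with `sed` rather than a YAML parser, which is an assumption about the layout shown in the values file above.

```shell
#!/bin/sh
# Added example (not from the page). Checks the env.configuration block of
# values-genoslc-innovator.yaml against the documented constraints. The
# sample fragment below is CONSTRUCTED; the addresses are placeholders.

SAMPLE_VALUES=$(mktemp)
cat >"$SAMPLE_VALUES" <<'EOF'
env:
  configuration:
    administrators: ["alice@example.invalid", "bob@example.invalid"]
    oauth10aEncryptionKey: ""
    userNameAttribute: "email"
    clientScope: "openid, profile, email"
    allowedCorsOrigins: "https://login.microsoftonline.com,http://intranet.example.invalid"
EOF

# gen_encryption_key -> 32 random bytes, base64 encoded, for oauth10aEncryptionKey.
# Generate it once, store it with the values file, and never change it afterwards.
gen_encryption_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# yaml_raw FILE KEY -> text after "key:" on the first matching line (flat keys only)
yaml_raw() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# yaml_scalar FILE KEY -> the value with surrounding double quotes removed
yaml_scalar() {
  yaml_raw "$1" "$2" | sed 's/^"//; s/"[[:space:]]*$//'
}

# count_admins FILE -> number of email addresses in the inline administrators list
count_admins() {
  yaml_raw "$1" administrators | tr ',' '\n' | grep -c '@' || true
}

# validate_configuration FILE -> 0 if all constraints hold, 1 otherwise (reasons on stderr)
validate_configuration() {
  f=$1; rc=0
  n=$(count_admins "$f")
  if [ "$n" -lt 1 ] || [ "$n" -gt 5 ]; then
    echo "administrators: need 1 to 5 email addresses, found $n" >&2; rc=1
  fi
  if [ -z "$(yaml_scalar "$f" oauth10aEncryptionKey)" ]; then
    echo "oauth10aEncryptionKey: empty, oauth10a data would be stored unencrypted" >&2; rc=1
  fi
  case ",$(yaml_scalar "$f" clientScope | tr -d ' ')," in
    *,openid,*) ;;
    *) echo "clientScope: the openid scope is mandatory" >&2; rc=1;;
  esac
  # Origins are scheme + host; a plain-http origin would let a third party read
  # connector data over an unencrypted channel.
  for origin in $(yaml_scalar "$f" allowedCorsOrigins | tr ',' ' '); do
    case "$origin" in
      https://*) ;;
      *) echo "allowedCorsOrigins: $origin is not an https origin" >&2; rc=1;;
    esac
  done
  return $rc
}
```

Running `validate_configuration "$SAMPLE_VALUES"` on the constructed fragment fails twice (empty key, http origin); after filling `oauth10aEncryptionKey` with `gen_encryption_key` output and dropping the http origin it passes, which is the state the values file should be in before the helm install.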
Ingress
By default, the chart also deploys an ingress resource. The ingress resource defines the endpoint under which the OSLC Connector for Innovator is reachable. If you do not want to use the ingress of the deployment, you can disable it. If you want to use it, add the ingressClassName of your ingress controller (e.g. nginx).
certtool
The certtool is a helper container provided by MID. It creates the TLS secret and the secrets for the Java truststore from the certificate data given in the values file.
Install the OSLC Connector for Innovator
Execute the Installation
Enter the following command to execute the Installation: