values.yaml

# Default values for uaa-chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

## UAA image to use
image:
  repository: cloudfoundry/uaa
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: "75.12.0"

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

## Enable OpenLDAP server for testing 
##
## Deploys an openldap deployment with 2 users john/password and jane/password
## see more configuration with in the ./template/ldap-config file. 
ldap:
  enabled: true
  image: 
    repository: osixia/openldap
    pullPolicy: IfNotPresent
    tag: "1.4.0"

## 
## Enable a test SAML IdP to experiment with 
simplesaml:
  ##
  ## enables an test SAML IdP be deployed and configured with UAA
  ##
  enabled: true
  ##
  ## URL for the test IdP
  ##
  url: https://simplesaml.miclip.io
  ##
  ## SimpleSAML image
  ##
  image: 
    repository: kenchan0130/simplesamlphp
    pullPolicy: IfNotPresent
    tag: "latest"
  service:
    type: ClusterIP
    port: 8080
  ##
  ## enables Ingress for the test IdP
  ##
  ingress:    
    enabled: true
    className: "contour"
    annotations: 
      cert-manager.io/cluster-issuer: letsencrypt-staging
    hosts:
      - host: simplesaml.miclip.io
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: 
    - secretName: chart-simplesaml-tls
      hosts:
        - simplesaml.miclip.io
  
##
## Configuration for UAA
##
uaa:
  port: 8080
  url: https://uaa.miclip.io
  ##
  ## String that Identifies the ServiceProvider (UAA)
  ##
  entityID: auth-uaa
  ##
  ## Configure any default local users to be created 
  ##
  scim:
    users:
     # - "admin|password|scim.write,scim.read,openid,uaa.admin"
  ##
  ## LDAP configuration 
  ##
  ldap:
    profile:
      file: ldap/ldap-search-and-bind.xml
    base:
      url: 'ldap://uaa-ldap:389/'
      userDn: 'cn=admin,dc=example,dc=org'
      password: 'admin'
      searchBase: 'ou=People,dc=example,dc=org'
      searchFilter: 'cn={0}'
    groups:
      file: 'ldap/ldap-groups-map-to-scopes.xml'
      searchBase: 'ou=Groups,dc=example,dc=org'
      groupSearchFilter: 'member={0}'
      searchSubtree: true
      maxSearchDepth: 10
      autoAdd: true
      ignorePartialResultException: true
  ##
  ## OAUTH clients 
  ##
  oauth:
    clients:
      pinniped:
        access-token-validity: 1200
        authorized-grant-types: authorization_code,refresh_token
        override: true
        redirect-uri: "http://127.0.0.1:12345/callback"
        refresh-token-validity: 3600
        scope: openid,email,profile,roles
        secret: ""
        autoapprove: true
      # concourse:
      #   access-token-validity: 1200
      #   authorized-grant-types: authorization_code,refresh_token
      #   override: true
      #   redirect-uri: "https://concourse.miclip.io/sky/issuer/callback"
      #   refresh-token-validity: 3600
      #   scope: openid,email,profile,roles
      #   secret: secret
      # credhub_cli:
      #   override: true
      #   authorized-grant-types: password,refresh_token
      #   scope: credhub.read,credhub.write
      #   authorities: uaa.resource
      #   access-token-validity: 86400
      #   refresh-token-validity: 172800
      #   secret: ""
      # credhub_client:
      #   override: true
      #   authorized-grant-types: client_credentials
      #   secret: secret
      #   scope: uaa.none
      #   authorities: credhub.read,credhub.write
      #   access-token-validity: 86400
  ##
  ## Configure the service provider (UAA)
  ##
  saml:
    # certificates for this service provider, generated if not provided.
    # activeKeyId: key-1-values-file
    # keys:
    #   key-1-values-file:
    #     key: |
    #       -----BEGIN RSA PRIVATE KEY-----
    #       MIIEowIBAAKCAQEAv0ZQ+wXrBm5bBAcm6UFGdhyMoE/g2wrI2PB+VKVfqNN2FccJ
    #       BWPCd1reHWHaAhKzzY5lFwW/u65Nd2pvR+zStQuoGpJ9uBNffLYDM0LqNEw5TILO
    #       .............
    #       rKJ68ZEolL0sIpvkzUOeBhkY0iTkgFKPOi8AxN76VBAA5vJqsMekgzHBcCs7rxCg
    #       wxung9DUYJUbF6OMsYXZ2aXMERwyyATGG8PmCLyvb4rzgGf+SDCC
    #       -----END RSA PRIVATE KEY-----
    #     passphrase: password
    #     certificate: |
    #       -----BEGIN CERTIFICATE-----
    #       MIIDCTCCAfGgAwIBAgIQJTTnBM6PezmBrgUR6s/VSDANBgkqhkiG9w0BAQsFADAg
    #       MR4wHAYDVQQDExVodHRwczovL3VhYS5taWNsaXAuaW8wHhcNMjIwNTI1MTM1OTAx
    #       ..........
    #       uzDWmZ1z/DsP4oyErSa4enahOaXvetRSahDQYq5ZRSoKT0pVIgii1tcsxvLZg+Bf
    #       ujpCXKM3dHAY9mshaQ==
    #       -----END CERTIFICATE-----
    
    # default nameID if IdP nameID not set
    # nameID: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
    providers:
      # SAML providers or IdP
      # simplesamlphp:
      #   idpMetadata: https://simplesaml.miclip.io/simplesaml/saml2/idp/metadata.php
      #   nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:transient
      #   assertionConsumerIndex: 0
      #   metadataTrustCheck: false
      #   showSamlLoginLink: true
      #   linkText: 'Simple SAML IDP'
      #   iconUrl: 'http://link.to/icon.jpg'
      #   addShadowUserOnLogin: true
      #   externalGroupsWhitelist:
      #     - admin
      #     - user
      #   emailDomain:
      #     - example.com
      #   attributeMappings:
      #     given_name: givenname
      #     family_name: surname
      #     email: email          
      #     user_name: uid
      #   providerDescription: 'Human readable description of this provider'
  ## Configuration values for the postgresql dependency.
  ## Ref: https://github.com/helm/charts/blob/master/stable/postgresql/README.md
  ##
  trustedCertificates: 
    letsencrypt-staging-int.pem: |
      -----BEGIN CERTIFICATE-----
      MIIFWzCCA0OgAwIBAgIQTfQrldHumzpMLrM7jRBd1jANBgkqhkiG9w0BAQsFADBm
      MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
      aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
      ZWFyIFgxMB4XDTIwMDkwNDAwMDAwMFoXDTI1MDkxNTE2MDAwMFowWTELMAkGA1UE
      BhMCVVMxIDAeBgNVBAoTFyhTVEFHSU5HKSBMZXQncyBFbmNyeXB0MSgwJgYDVQQD
      Ex8oU1RBR0lORykgQXJ0aWZpY2lhbCBBcHJpY290IFIzMIIBIjANBgkqhkiG9w0B
      AQEFAAOCAQ8AMIIBCgKCAQEAu6TR8+74b46mOE1FUwBrvxzEYLck3iasmKrcQkb+
      gy/z9Jy7QNIAl0B9pVKp4YU76JwxF5DOZZhi7vK7SbCkK6FbHlyU5BiDYIxbbfvO
      L/jVGqdsSjNaJQTg3C3XrJja/HA4WCFEMVoT2wDZm8ABC1N+IQe7Q6FEqc8NwmTS
      nmmRQm4TQvr06DP+zgFK/MNubxWWDSbSKKTH5im5j2fZfg+j/tM1bGaczFWw8/lS
      nukyn5J2L+NJYnclzkXoh9nMFnyPmVbfyDPOc4Y25aTzVoeBKXa/cZ5MM+WddjdL
      biWvm19f1sYn1aRaAIrkppv7kkn83vcth8XCG39qC2ZvaQIDAQABo4IBEDCCAQww
      DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAS
      BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTecnpI3zHDplDfn4Uj31c3S10u
      ZTAfBgNVHSMEGDAWgBS182Xy/rAKkh/7PH3zRKCsYyXDFDA2BggrBgEFBQcBAQQq
      MCgwJgYIKwYBBQUHMAKGGmh0dHA6Ly9zdGcteDEuaS5sZW5jci5vcmcvMCsGA1Ud
      HwQkMCIwIKAeoByGGmh0dHA6Ly9zdGcteDEuYy5sZW5jci5vcmcvMCIGA1UdIAQb
      MBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCN
      DLam9yN0EFxxn/3p+ruWO6n/9goCAM5PT6cC6fkjMs4uas6UGXJjr5j7PoTQf3C1
      vuxiIGRJC6qxV7yc6U0X+w0Mj85sHI5DnQVWN5+D1er7mp13JJA0xbAbHa3Rlczn
      y2Q82XKui8WHuWra0gb2KLpfboYj1Ghgkhr3gau83pC/WQ8HfkwcvSwhIYqTqxoZ
      Uq8HIf3M82qS9aKOZE0CEmSyR1zZqQxJUT7emOUapkUN9poJ9zGc+FgRZvdro0XB
      yphWXDaqMYph0DxW/10ig5j4xmmNDjCRmqIKsKoWA52wBTKKXK1na2ty/lW5dhtA
      xkz5rVZFd4sgS4J0O+zm6d5GRkWsNJ4knotGXl8vtS3X40KXeb3A5+/3p0qaD215
      Xq8oSNORfB2oI1kQuyEAJ5xvPTdfwRlyRG3lFYodrRg6poUBD/8fNTXMtzydpRgy
      zUQZh/18F6B/iW6cbiRN9r2Hkh05Om+q0/6w0DdZe+8YrNpfhSObr/1eVZbKGMIY
      qKmyZbBNu5ysENIK5MPc14mUeKmFjpN840VR5zunoU52lqpLDua/qIM8idk86xGW
      xx2ml43DO/Ya/tVZVok0mO0TUjzJIfPqyvr455IsIut4RlCR9Iq0EDTve2/ZwCuG
      hSjpTUFGSiQrR2JK2Evp+o6AETUkBCO1aw0PpQBPDQ==
      -----END CERTIFICATE-----
    letsencrypt-staging-root.pem: |
      -----BEGIN CERTIFICATE-----
      MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
      MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
      aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
      ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
      YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
      AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
      ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
      jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
      wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
      oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
      TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
      fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
      rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
      FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
      mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
      GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
      mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
      Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
      9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
      nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
      qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
      qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
      sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
      CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
      5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
      xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
      fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
      gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
      7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
      -----END CERTIFICATE-----

##
## Java keystore for certificates 
##
trustStorePassword: changeme

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: true
  className: "contour"
  annotations: 
    cert-manager.io/cluster-issuer: letsencrypt-staging
  hosts:
    - host: uaa.miclip.io
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: 
  - secretName: chart-uaa-tls
    hosts:
      - uaa.miclip.io

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}

postgresql:
  ## Use the PostgreSQL chart dependency.
  ##
  ## Set to false if using the default in memory database
  ##
  enabled: true

  ## Provide a name to substitute for the full name of postgresql resources
  ## ps.: Resources will not be appended with "-postgresql"
  ##
  fullnameOverride:

  ### PostgreSQL User to create.
  ##
  postgresqlUsername: uaa

  ## PostgreSQL Password for the new user.
  ## If not set, a random 10 characters password will be used via a secret.
  ##
  # postgresqlPassword: 

  ## PostgreSQL Database to create.
  ##
  postgresqlDatabase: uaa

  ## Allows for setting a specific cluster ip for the PostgreSQL
  ## service.
  service:
    clusterIP:

  ## Persistent Volume Storage configuration for PostgreSQL.
  ##
  ## Ref: https://kubernetes.io/docs/user-guide/persistent-volumes
  ##
  persistence:
    ## Enable PostgreSQL persistence using Persistent Volume Claims.
    ##
    enabled: true

    ## Persistent Volume Storage Class to be used by PersistentVolumes created
    ## for PostgreSQL.
    ##
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass:

    ## Persistent Volume Access Mode.
    ##
    accessModes:
      - ReadWriteOnce

    ## Persistent Volume Storage Size.
    ##
    size: 8Gi