gefest-1518: keys api envs role model
e.kitova committed Jan 31, 2025
1 parent 70d695c commit 20e38fa
Showing 3 changed files with 40 additions and 35 deletions.
63 changes: 32 additions & 31 deletions charts/keys/README.md
Expand Up @@ -82,37 +82,38 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about

### API service settings

| Name | Description | Value |
| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `api.adminUsers` | Usernames and passwords of admin users. Format: `username1:password1,username2:password2`. | `""` |
| `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` |
| `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` |
| `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` |
| `api.oidc.enable` | If OIDC authentication is enabled. | `false` |
| `api.oidc.enableSignlePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` |
| `api.oidc.url` | URL of the OIDC provider. | `""` |
| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` |
| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` |
| `api.oidc.defaultPartner` | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** | |
| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` |
| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` |
| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` |
| `api.replicas` | A replica count for the pod. | `1` |
| `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` |
| `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` |
| `api.strategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be created over the desired number of pods when doing [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | `0` |
| `api.strategy.rollingUpdate.maxSurge` | Maximum number of pods that can be unavailable during the [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) process. | `1` |
| `api.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` |
| `api.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `api.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |
| `api.service.annotations` | Kubernetes [service annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.service.labels` | Kubernetes [service labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.service.type` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). | `ClusterIP` |
| `api.service.port` | Service port. | `80` |
| Name | Description | Value |
|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --------------- |
| `api.adminUsers` | Usernames and passwords of admin users. Format: `username1:password1,username2:password2`. | `""` |
| `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` |
| `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` |
| `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` |
| `api.oidc.enable` | If OIDC authentication is enabled. | `false` |
| `api.oidc.enableSinglePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` |
| `api.oidc.enableExternalProvider` | Enable external oidc provider: do not have access to manage users. | `false` |
| `api.oidc.url` | URL of the OIDC provider. | `""` |
| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` |
| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` |
| `api.oidc.defaultPartner` | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** | |
| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` |
| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` |
| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` |
| `api.replicas` | A replica count for the pod. | `1` |
| `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` |
| `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` |
| `api.strategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be created over the desired number of pods when doing [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | `0` |
| `api.strategy.rollingUpdate.maxSurge` | Maximum number of pods that can be unavailable during the [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) process. | `1` |
| `api.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` |
| `api.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `api.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |
| `api.service.annotations` | Kubernetes [service annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `api.service.labels` | Kubernetes [service labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `api.service.type` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). | `ClusterIP` |
| `api.service.port` | Service port. | `80` |

### Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) settings

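Review bot: the rename of `api.oidc.enableSignlePartnerMode` to `api.oidc.enableSinglePartnerMode` is a breaking change for existing values files and this README hunk does not call it out: Helm does not reject unknown keys, so an operator who still sets the old misspelled key will have single partner mode silently fall back to `false` on upgrade. Add a short upgrade note next to the table (or keep the old key as a deprecated alias for one release). Two smaller wording points in the new rows: the `api.oidc.enableExternalProvider` description "do not have access to manage users" does not say who loses that access, and `binded` in the `enableSinglePartnerMode` row should be `bound`.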
6 changes: 4 additions & 2 deletions charts/keys/templates/helpers.tpl
Expand Up @@ -125,8 +125,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
value: "{{ .Values.featureFlags.enableAudit }}"
- name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN
value: "{{ .Values.featureFlags.enablePublicAPISign }}"
- name: KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES
value: "{{ .Values.api.oidc.enableSignlePartnerMode }}"
- name: KEYS_FEATURE_FLAGS_SINGLE_PARTNER_MODE
value: "{{ .Values.api.oidc.enableSinglePartnerMode }}"
- name: KEYS_FEATURE_FLAGS_EXTERNAL_OIDC
value: "{{ .Values.api.oidc.enableExternalProvider }}"
- name: KEYS_FEATURE_FLAGS_OIDC
value: "{{ .Values.api.oidc.enable }}"
{{- end }}
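Review bot: the env var carrying `enableSinglePartnerMode` changes from `KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES` to `KEYS_FEATURE_FLAGS_SINGLE_PARTNER_MODE`, and `KEYS_FEATURE_FLAGS_EXTERNAL_OIDC` is new; this hunk is only correct if the keys image pinned by `.Chart.AppVersion` reads exactly these names, so that should be confirmed (or the appVersion bumped) in the same change, because a flag the binary never reads is silently ignored rather than reported. Since the old values key `enableSignlePartnerMode` is no longer referenced anywhere, a guard such as `{{- if hasKey .Values.api.oidc "enableSignlePartnerMode" }}{{- fail "api.oidc.enableSignlePartnerMode was renamed to enableSinglePartnerMode" }}{{- end }}` would turn a silent misconfiguration into an install-time error.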
6 changes: 4 additions & 2 deletions charts/keys/values.yaml
Expand Up @@ -157,7 +157,8 @@ api:
# -----END CERTIFICATE-----

# @param api.oidc.enable If OIDC authentication is enabled.
# @param api.oidc.enableSignlePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
# @param api.oidc.enableSinglePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
# @param api.oidc.enableExternalProvider Enable external oidc provider: do not have access to manage users.
# @param api.oidc.url URL of the OIDC provider.
# @param api.oidc.retryCount Maximum number of retries for requests to OIDC provider.
# @param api.oidc.timeout Timeout for requests to OIDC provider.
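Review bot: the `@param` comment for `api.oidc.enableExternalProvider` ("do not have access to manage users") is ambiguous about whose access is removed (the admin UI, the Admin API, the `api.adminUsers` accounts); since these comments generate the README table, spell it out here, for example "user management in the service is disabled because users are owned by the external OIDC provider", if that is the intended behaviour. Also `binded` should be `bound` and `oidc` should be `OIDC` to match the neighbouring lines.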
Expand All @@ -168,7 +169,8 @@ api:

oidc:
enable: false
enableSignlePartnerMode: false
enableSinglePartnerMode: false
enableExternalProvider: false
url: ''
retryCount: 3
timeout: 3s
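Review bot: both new flags default to `false`, but nothing documents or validates how they combine: the README says single partner mode is needed when an external provider is used, so `enableExternalProvider: true` with `enableSinglePartnerMode: false` is presumably an invalid configuration and should either be rejected in the template (a `fail` when the first is true and the second is false) or described here. The rename from `enableSignlePartnerMode` also deserves a `# Deprecated` line or an upgrade note, because a values file that still sets the old key will merge silently and the feature will stay off.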

0 comments on commit 20e38fa