tags | ||||
---|---|---|---|---|
|
Configurator is a tool to load (generate/restore) and/or dump (backup) the configuration (consists of configmaps and secrets).
See Packages for available versions.
The following environment variables are supported by the container:
CN_CONFIG_ADAPTER
: The config backend adapter, can beconsul
(default),kubernetes
,google
, oraws
.CN_CONFIG_CONSUL_HOST
: hostname or IP of Consul (default tolocalhost
).CN_CONFIG_CONSUL_PORT
: port of Consul (default to8500
).CN_CONFIG_CONSUL_CONSISTENCY
: Consul consistency mode (choose one ofdefault
,consistent
, orstale
). Default tostale
mode.CN_CONFIG_CONSUL_SCHEME
: supported Consul scheme (http
orhttps
).CN_CONFIG_CONSUL_VERIFY
: whether to verify cert or not (default tofalse
).CN_CONFIG_CONSUL_CACERT_FILE
: path to Consul CA cert file (default to/etc/certs/consul_ca.crt
). This file will be used if it exists andCN_CONFIG_CONSUL_VERIFY
set totrue
.CN_CONFIG_CONSUL_CERT_FILE
: path to Consul cert file (default to/etc/certs/consul_client.crt
).CN_CONFIG_CONSUL_KEY_FILE
: path to Consul key file (default to/etc/certs/consul_client.key
).CN_CONFIG_CONSUL_TOKEN_FILE
: path to file contains ACL token (default to/etc/certs/consul_token
).CN_CONFIG_KUBERNETES_NAMESPACE
: Kubernetes namespace (default todefault
).CN_CONFIG_KUBERNETES_CONFIGMAP
: Kubernetes configmaps name (default tojans
).CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG
: Load credentials from$HOME/.kube/config
, only useful for non-container environment (default tofalse
).CN_SECRET_ADAPTER
: The secrets' adapter, can bevault
(default),kubernetes
,google
, oraws
.CN_SECRET_VAULT_VERIFY
: whether to verify cert or not (default tofalse
).CN_SECRET_VAULT_ROLE_ID_FILE
: path to file contains Vault AppRole role ID (default to/etc/certs/vault_role_id
).CN_SECRET_VAULT_SECRET_ID_FILE
: path to file contains Vault AppRole secret ID (default to/etc/certs/vault_secret_id
).CN_SECRET_VAULT_CERT_FILE
: path to Vault cert file (default to/etc/certs/vault_client.crt
).CN_SECRET_VAULT_KEY_FILE
: path to Vault key file (default to/etc/certs/vault_client.key
).CN_SECRET_VAULT_CACERT_FILE
: path to Vault CA cert file (default to/etc/certs/vault_ca.crt
). This file will be used if it exists andCN_SECRET_VAULT_VERIFY
set totrue
.CN_SECRET_VAULT_ADDR
: URL of Vault (default tohttp://localhost:8200
).CN_SECRET_VAULT_NAMESPACE
: Namespace used to access secrets (default to empty string).CN_SECRET_VAULT_KV_PATH
: Path to KV secrets engine (default tosecret
).CN_SECRET_VAULT_PREFIX
: Base prefix name used to build secret path (default tojans
).CN_SECRET_VAULT_APPROLE_PATH
: Path to AppRole (default toapprole
).CN_SECRET_KUBERNETES_NAMESPACE
: Kubernetes namespace (default todefault
).CN_SECRET_KUBERNETES_SECRET
: Kubernetes secrets name (default tojans
).CN_SECRET_KUBERNETES_USE_KUBE_CONFIG
: Load credentials from$HOME/.kube/config
, only useful for non-container environment (default tofalse
).CN_WAIT_MAX_TIME
: How long the startup "health checks" should run (default to300
seconds).CN_WAIT_SLEEP_DURATION
: Delay between startup "health checks" (default to10
seconds).GOOGLE_APPLICATION_CREDENTIALS
: Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials.GOOGLE_PROJECT_ID
: ID of Google project.CN_GOOGLE_SECRET_VERSION_ID
: Janssen secret version ID in Google Secret Manager. Defaults tolatest
, which is recommended.CN_GOOGLE_SECRET_NAME_PREFIX
: Prefix for Janssen secret in Google Secret Manager. Defaults tojans
. If leftjans-secret
secret will be created.CN_GOOGLE_SECRET_MANAGER_PASSPHRASE
: Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults tosecret
.CN_CONFIGURATION_SKIP_INITIALIZED
: skip initialization if backend already initialized (default tofalse
).CN_AWS_SECRETS_ENDPOINT_URL
: The URL of AWS secretsmanager service (if omitted, will use the one in specified region).CN_AWS_SECRETS_PREFIX
: The prefix name of the secrets (default tojans
).CN_AWS_SECRETS_REPLICA_FILE
: The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file:[{"Region": "us-west-1"}]
.AWS_DEFAULT_REGION
: The default AWS Region to use, for example,us-west-1
orus-west-2
.AWS_SHARED_CREDENTIALS_FILE
: The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).AWS_CONFIG_FILE
: The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).AWS_PROFILE
: The default profile to use, if any.CN_SSL_CERT_FROM_DOMAIN
: Validate certificate is downloaded from given domain. If set totrue
(default tofalse
), raise an error if cert is not downloaded. Note that the flag is ignored if mounted SSL cert and key files exist.
The following commands are supported by the container:
load
dump
The load command can be used either to generate/restore configmaps and secrets for the cluster.
For fresh installation, generate the initial configuration by creating /path/to/host/volume/configuration.json
similar to example below:
{
"_configmap": {
"hostname": "demoexample.jans.io",
"country_code": "US",
"state": "TX",
"city": "Austin",
"admin_email": "s@jans.io",
"orgName": "Gluu Inc."
},
"_secret": {
"admin_password": "S3cr3t+pass"
}
}
NOTE: configuration.json
has optional attributes as seen below.
-
_configmap
:auth_sig_keys
: space-separated key algorithm for signing (default toRS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
)auth_enc_keys
: space-separated key algorithm for encryption (default toRSA1_5 RSA-OAEP
)optional_scopes
: list of optional scopes (as JSON string) that will be used (supported scopes areredis
,sql
; default to empty list)init_keys_exp
: the initial keys expiration time in hours (default to48
; extra 1 hour will be added for hard limit)
-
_secret
:sql_password
: user's password to access SQL database (only used ifoptional_scopes
list containssql
scope)encoded_salt
: user-defined salt (24 characters length); if omitted, salt will be generated automatically
Example of generating
encoded_salt
value:# using shell script cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1 # output: NFAG5g4R0NSkAZXHL8t2DScL # using python oneliner python -c 'import random, string; print("".join(random.choices(string.ascii_letters + string.digits, k=24)))' # ouput: HsPzqiPkRzNySWlOVui8Ilmw
To generate initial configmaps and secrets:
-
Create config map
config-generate-params
to store the contents ofconfiguration.json
kubectl create cm config-generate-params --from-file=configuration.json
-
Mount the configmap into container and apply the yaml:
apiVersion: batch/v1 kind: Job metadata: name: configurator-load-job spec: template: spec: restartPolicy: Never volumes: - name: config-generate-params configMap: name: config-generate-params containers: - name: configurator-load image: ghcr.io/janssenproject/jans/configurator:$VERSION volumeMounts: - mountPath: /app/db/configuration.json name: config-generate-params subPath: configuration.json envFrom: - configMapRef: name: config-cm args: ["load"]
A successful load
command will dump the pre-populated configuration into /app/db/configuration.out.json
.
To restore configuration from configuration.out.json
file:
-
Create config map
config-dump-params
:kubectl create cm config-dump-params --from-file=configuration.out.json
-
Mount the configmap into container and apply the yaml:
apiVersion: batch/v1 kind: Job metadata: name: configurator-load-job spec: template: spec: restartPolicy: Never volumes: - name: config-dump-params configMap: name: config-dump-params containers: - name: configurator-load image: ghcr.io/janssenproject/jans/configurator:$VERSION volumeMounts: - mountPath: /app/db/configuration.out.json name: config-dump-params subPath: configuration.out.json envFrom: - configMapRef: name: config-cm args: ["load"]
The dump command will dump all configuration from the backends saved into the /app/db/configuration.out.json
file.
apiVersion: batch/v1
kind: Job
metadata:
name: configurator-dump-job
spec:
template:
spec:
restartPolicy: Never
containers:
- name: configurator-dump-job
image: ghcr.io/janssenproject/jans/configurator:$VERSION
command:
- /bin/sh
- -c
- |
/app/scripts/entrypoint.sh dump
sleep 300
envFrom:
- configMapRef:
name: config-cm
Copy over the files to host
kubectl cp configurator-dump-job:/app/db .