A Helm chart for gen3 Fence
Repository | Name | Version |
---|---|---|
file://../common | common | 0.1.15 |
https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
Key | Type | Default | Description |
---|---|---|---|
FENCE_CONFIG | map | {"ACCESS_TOKEN_COOKIE_NAME":"access_token","ACCESS_TOKEN_EXPIRES_IN":1200,"ALLOWED_USER_SERVICE_ACCOUNT_DOMAINS":["developer.gserviceaccount.com","appspot.gserviceaccount.com","iam.gserviceaccount.com"],"ALLOW_GOOGLE_LINKING":true,"APPLICATION_ROOT":"/user","APP_NAME":"Gen3 Data Commons","ARBORIST":"http://arborist-service","ASSUME_ROLE_CACHE_SECONDS":1800,"AUDIT_SERVICE":"http://audit-service","AUTHLIB_INSECURE_TRANSPORT":true,"AWS_CREDENTIALS":{},"AZ_BLOB_CONTAINER_URL":"https://myfakeblob.blob.core.windows.net/my-fake-container/","AZ_BLOB_CREDENTIALS":null,"BILLING_PROJECT_FOR_SA_CREDS":null,"BILLING_PROJECT_FOR_SIGNED_URLS":null,"CIRRUS_CFG":{"GOOGLE_ADMIN_EMAIL":"","GOOGLE_API_KEY":"","GOOGLE_APPLICATION_CREDENTIALS":"","GOOGLE_CLOUD_IDENTITY_ADMIN_EMAIL":"","GOOGLE_IDENTITY_DOMAIN":"","GOOGLE_PROJECT_ID":"","GOOGLE_STORAGE_CREDS":""},"CLIENT_ALLOWED_SCOPES":["openid","user","data","google_credentials","google_service_account","google_link","ga4gh_passport_v1"],"DATA_UPLOAD_BUCKET":"bucket1","DBGAP_ACCESSION_WITH_CONSENT_REGEX":"(?P<phsid>phs[0-9]+)(.(?P<version>v[0-9]+)){0,1}(.(?P<participant_set>p[0-9]+)){0,1}.(?P<consent>c[0-9]+)","DEBUG":false,"DEFAULT_LOGIN_IDP":"google","DEFAULT_LOGIN_URL":"{{BASE_URL}}/login/google","DEV_LOGIN_COOKIE_NAME":"dev_login","DREAM_CHALLENGE_GROUP":"DREAM","DREAM_CHALLENGE_TEAM":"DREAM","EMAIL_SERVER":"localhost","ENABLED_IDENTITY_PROVIDERS":{},"ENABLE_AUDIT_LOGS":{"login":false,"presigned_url":false},"ENABLE_AUTOMATIC_BILLING_PERMISSION_SA_CREDS":false,"ENABLE_AUTOMATIC_BILLING_PERMISSION_SIGNED_URLS":false,"ENABLE_CSRF_PROTECTION":true,"ENABLE_DB_MIGRATION":true,"ENABLE_PROMETHEUS_METRICS":false,"ENCRYPTION_KEY":"REPLACEME","GA4GH_VISA_ISSUER_ALLOWLIST":["{{BASE_URL}}","https://sts.nih.gov","https://stsstg.nih.gov"],"GEN3_PASSPORT_EXPIRES_IN":43200,"GLOBAL_PARSE_VISAS_ON_LOGIN":false,"GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN":86400,"GOOGLE_BULK_UPDATES":false,"GOOGLE_GROUP_PREFIX":"","GOOGLE_MANAGED_SERVICE_ACCOU
NT_DOMAINS":["dataflow-service-producer-prod.iam.gserviceaccount.com","cloudbuild.gserviceaccount.com","cloud-ml.google.com.iam.gserviceaccount.com","container-engine-robot.iam.gserviceaccount.com","dataflow-service-producer-prod.iam.gserviceaccount.com","sourcerepo-service-accounts.iam.gserviceaccount.com","dataproc-accounts.iam.gserviceaccount.com","gae-api-prod.google.com.iam.gserviceaccount.com","genomics-api.google.com.iam.gserviceaccount.com","containerregistry.iam.gserviceaccount.com","container-analysis.iam.gserviceaccount.com","cloudservices.gserviceaccount.com","stackdriver-service.iam.gserviceaccount.com","appspot.gserviceaccount.com","partnercontent.gserviceaccount.com","trifacta-gcloud-prod.iam.gserviceaccount.com","gcf-admin-robot.iam.gserviceaccount.com","compute-system.iam.gserviceaccount.com","gcp-sa-websecurityscanner.iam.gserviceaccount.com","storage-transfer-service.iam.gserviceaccount.com","firebase-sa-management.iam.gserviceaccount.com","firebase-rules.iam.gserviceaccount.com","gcp-sa-cloudbuild.iam.gserviceaccount.com","gcp-sa-automl.iam.gserviceaccount.com","gcp-sa-datalabeling.iam.gserviceaccount.com","gcp-sa-cloudscheduler.iam.gserviceaccount.com"],"GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN":2592000,"GOOGLE_SERVICE_ACCOUNT_PREFIX":"","GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN":604800,"GUN_MAIL":{"datacommons.io":{"api_key":"","api_url":"https://api.mailgun.net/v3/mailgun.example.com","default_login":"postmaster@mailgun.example.com","smtp_hostname":"smtp.mailgun.org","smtp_password":""}},"HTTP_PROXY":{"host":null,"port":3128},"INDEXD":"http://indexd-service","INDEXD_PASSWORD":"","INDEXD_USERNAME":"fence","ITRUST_GLOBAL_LOGOUT":"https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl=","LOGIN_OPTIONS":[{"desc":"description","idp":"google","name":"Login from 
Google"}],"LOGIN_REDIRECT_WHITELIST":[],"MAX_ACCESS_TOKEN_TTL":3600,"MAX_API_KEY_TTL":2592000,"MAX_PRESIGNED_URL_TTL":3600,"MAX_ROLE_SESSION_INCREASE":false,"MOCK_AUTH":false,"MOCK_GOOGLE_AUTH":false,"MOCK_STORAGE":false,"OAUTH2_JWT_ALG":"RS256","OAUTH2_JWT_ENABLED":true,"OAUTH2_JWT_ISS":"{{BASE_URL}}","OAUTH2_PROVIDER_ERROR_URI":"/api/oauth2/errors","OAUTH2_TOKEN_EXPIRES_IN":{"authorization_code":1200,"implicit":1200},"OPENID_CONNECT":{"cilogon":{"client_id":"","client_secret":"","discovery_url":"https://cilogon.org/.well-known/openid-configuration","mock":false,"mock_default_user":"http://cilogon.org/serverT/users/64703","redirect_url":"{{BASE_URL}}/login/cilogon/login/","scope":"openid email profile"},"cognito":{"client_id":"","client_secret":"","discovery_url":"https://cognito-idp.{REGION}.amazonaws.com/{USER-POOL-ID}/.well-known/openid-configuration","redirect_url":"{{BASE_URL}}/login/cognito/login/","scope":"openid email"},"fence":{"access_token_url":"{{api_base_url}}/oauth2/token","api_base_url":"","authorize_url":"{{api_base_url}}/oauth2/authorize","client_id":"","client_kwargs":{"redirect_uri":"{{BASE_URL}}/login/fence/login","scope":"openid"},"client_secret":"","mock":false,"mock_default_user":"test@example.com","name":"","refresh_token_url":"{{api_base_url}}/oauth2/token","shibboleth_discovery_url":"https://login.bionimbus.org/Shibboleth.sso/DiscoFeed"},"generic_oidc_idp":{"client_id":"","client_secret":"","discovery":{"authorization_endpoint":"","jwks_uri":"","token_endpoint":""},"discovery_url":"https://server.com/.well-known/openid-configuration","email_field":"","name":"some_idp","redirect_url":"{{BASE_URL}}/login/some_idp/login","scope":"","user_id_field":""},"google":{"client_id":"","client_secret":"","discovery_url":"https://accounts.google.com/.well-known/openid-configuration","mock":"","mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/google/login/","scope":"openid 
email"},"microsoft":{"client_id":"","client_secret":"","discovery_url":"https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration","mock":false,"mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/microsoft/login/","scope":"openid email"},"okta":{"client_id":"","client_secret":"","discovery_url":"","redirect_url":"{{BASE_URL}}/login/okta/login/","scope":"openid email"},"orcid":{"client_id":"","client_secret":"","discovery_url":"https://orcid.org/.well-known/openid-configuration","mock":false,"mock_default_user":"0000-0002-2601-8132","redirect_url":"{{BASE_URL}}/login/orcid/login/","scope":"openid"},"ras":{"client_id":"","client_secret":"","discovery_url":"https://sts.nih.gov/.well-known/openid-configuration","mock":false,"mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/ras/callback","scope":"openid email profile ga4gh_passport_v1"},"shibboleth":{"client_id":"","client_secret":"","redirect_url":"{{BASE_URL}}/login/shib/login"},"synapse":{"client_id":"","client_secret":"","discovery_url":"","redirect_url":"","scope":"openid"}},"OVERRIDE_NGINX_RATE_LIMIT":18,"PRIVACY_POLICY_URL":null,"PROBLEM_USER_EMAIL_NOTIFICATION":{"admin":["admin@example.edu"],"content":"The Data Commons Framework utilizes dbGaP for data access authorization. Another member of a Google project you belong to ({}) is attempting to register a service account to the following additional datasets ({}). 
Please contact dbGaP to request access.\n","domain":"example.com","from":"do-not-reply@example.com","subject":"Account access error notification"},"PUSH_AUDIT_LOGS_CONFIG":{"aws_sqs_config":{"aws_cred":null,"region":null,"sqs_url":null},"type":"aws_sqs"},"RAS_REFRESH_EXPIRATION":1296000,"RAS_USERINFO_ENDPOINT":"/openid/connect/v1.1/userinfo","REFRESH_TOKEN_EXPIRES_IN":2592000,"REGISTERED_USERS_GROUP":"","REGISTER_USERS_ON":false,"REMOVE_SERVICE_ACCOUNT_EMAIL_NOTIFICATION":{"admin":["admin@example.edu"],"content":"Service accounts were removed from access control data because some users or service accounts of GCP Project {} are not authorized to access the data sets associated to the service accounts, or do not adhere to the security policies.\n","domain":"example.com","enable":false,"from":"do-not-reply@example.com","subject":"User service account removal notification"},"RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION":false,"S3_BUCKETS":{},"SEND_FROM":"example@gmail.com","SEND_TO":"example@gmail.com","SERVICE_ACCOUNT_LIMIT":6,"SESSION_ALLOWED_SCOPES":["openid","user","credentials","data","admin","google_credentials","google_service_account","google_link","ga4gh_passport_v1"],"SESSION_COOKIE_DOMAIN":null,"SESSION_COOKIE_NAME":"fence","SESSION_COOKIE_SECURE":true,"SESSION_LIFETIME":28800,"SESSION_TIMEOUT":1800,"SHIBBOLETH_HEADER":"persistent_id","SSO_URL":"https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState=","STORAGE_CREDENTIALS":{},"SUPPORT_EMAIL_FOR_ERRORS":null,"SYNAPSE_AUTHZ_TTL":86400,"SYNAPSE_DISCOVERY_URL":null,"SYNAPSE_JWKS_URI":null,"SYNAPSE_URI":"https://repo-prod.prod.sagebase.org/auth/v1","TOKEN_PROJECTS_CUTOFF":10,"USERSYNC":{"fallback_to_dbgap_sftp":false,"sync_from_visas":false,"visa_types":{"ras":["https://ras.nih.gov/visas/v1","https://ras.nih.gov/visas/v1.1"]}},"USER_ALLOWED_SCOPES":["fence","openid","user","data","admin","google_credentials","google_service_account","google_link","ga4gh_passport_v1"],"WHITE_LISTED_GOOG
LE_PARENT_ORGS":[],"WHITE_LISTED_SERVICE_ACCOUNT_EMAILS":[],"WTF_CSRF_SECRET_KEY":"{{ENCRYPTION_KEY}}","dbGaP":[{"decrypt_key":"","enable_common_exchange_area_access":false,"info":{"host":"","password":"","port":22,"proxy":"","username":""},"parse_consent_code":true,"protocol":"sftp","study_common_exchange_areas":{"example":"test_common_exchange_area"},"study_to_resource_namespaces":{"_default":["/"],"test_common_exchange_area":["/dbgap/"]}}]} |
Private configuration settings for Fence app |
FENCE_CONFIG.APP_NAME | string | "Gen3 Data Commons" |
Name of the Fence app |
FENCE_CONFIG.AUTHLIB_INSECURE_TRANSPORT | bool | true |
Allow OIDC traffic over http for development. By default https is required. WARNING: ONLY set to true when Fence will be deployed in such a way that it will ONLY receive traffic from internal clients and can safely use HTTP. |
FENCE_CONFIG.CLIENT_ALLOWED_SCOPES | list | ["openid","user","data","google_credentials","google_service_account","google_link","ga4gh_passport_v1"] |
These are the possible scopes a client can be given, NOT scopes that are given to all clients. You can be more restrictive during client creation. |
FENCE_CONFIG.DEBUG | map | false |
Debug and security settings. Modify these based on whether you're in a dev environment or in production. |
FENCE_CONFIG.DEFAULT_LOGIN_IDP | string | "google" |
Default login provider. Must be configured in LOGIN_OPTIONS and OPENID_CONNECT. If several options in LOGIN_OPTIONS are defined for this IDP, the first one is used as the default. |
FENCE_CONFIG.DEFAULT_LOGIN_URL | string | "{{BASE_URL}}/login/google" |
Default login URL. DEPRECATED: replaced by the LOGIN_OPTIONS and DEFAULT_LOGIN_IDP configs. |
FENCE_CONFIG.DEV_LOGIN_COOKIE_NAME | str | "dev_login" |
The name of the cookie set by mock authentication (used for testing only). |
FENCE_CONFIG.ENABLE_CSRF_PROTECTION | bool | true |
Enable CSRF protection. |
FENCE_CONFIG.ENABLE_DB_MIGRATION | bool | true |
Fence (at the moment) attempts a database migration on startup; setting this to false will disable that. WARNING: ONLY set to false if you do NOT want to automatically migrate your database. Be careful about your db schema being incompatible with what Fence expects: things could be broken if you update to a later Fence that expects a schema your database isn't migrated to. NOTE: We are working to improve the migration process in the near future. |
FENCE_CONFIG.ENABLE_PROMETHEUS_METRICS | bool | false |
Enable Prometheus metrics for observability purposes. WARNING: Any counters, gauges, histograms, etc. should be carefully reviewed to make sure their labels do not contain any PII / PHI. |
FENCE_CONFIG.ENCRYPTION_KEY | string | "REPLACEME" |
A URL-safe base64-encoded 32-byte key for encrypting keys in the db. The default placeholder value must be replaced with a generated key before deployment. In Python you can use the following script to generate one: `import base64; import os; key = base64.urlsafe_b64encode(os.urandom(32)); print(key)` |
FENCE_CONFIG.LOGIN_OPTIONS | list | [{"desc":"description","idp":"google","name":"Login from Google"}] |
List of enabled login options (used by data-portal to display login buttons). |
FENCE_CONFIG.MOCK_AUTH | bool | false |
If true, will automatically log in a user with username "test". WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only). |
FENCE_CONFIG.MOCK_GOOGLE_AUTH | bool | false |
If true, will fake a successful login response from Google in /login/google, logging in as the username set in the DEV_LOGIN_COOKIE_NAME cookie. NOTE: this will also modify the behavior of the /link/google endpoints. WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only). |
FENCE_CONFIG.MOCK_STORAGE | bool | false |
If true, will ignore anything configured in STORAGE_CREDENTIALS. |
FENCE_CONFIG.OPENID_CONNECT | dict | {"cilogon":{"client_id":"","client_secret":"","discovery_url":"https://cilogon.org/.well-known/openid-configuration","mock":false,"mock_default_user":"http://cilogon.org/serverT/users/64703","redirect_url":"{{BASE_URL}}/login/cilogon/login/","scope":"openid email profile"},"cognito":{"client_id":"","client_secret":"","discovery_url":"https://cognito-idp.{REGION}.amazonaws.com/{USER-POOL-ID}/.well-known/openid-configuration","redirect_url":"{{BASE_URL}}/login/cognito/login/","scope":"openid email"},"fence":{"access_token_url":"{{api_base_url}}/oauth2/token","api_base_url":"","authorize_url":"{{api_base_url}}/oauth2/authorize","client_id":"","client_kwargs":{"redirect_uri":"{{BASE_URL}}/login/fence/login","scope":"openid"},"client_secret":"","mock":false,"mock_default_user":"test@example.com","name":"","refresh_token_url":"{{api_base_url}}/oauth2/token","shibboleth_discovery_url":"https://login.bionimbus.org/Shibboleth.sso/DiscoFeed"},"generic_oidc_idp":{"client_id":"","client_secret":"","discovery":{"authorization_endpoint":"","jwks_uri":"","token_endpoint":""},"discovery_url":"https://server.com/.well-known/openid-configuration","email_field":"","name":"some_idp","redirect_url":"{{BASE_URL}}/login/some_idp/login","scope":"","user_id_field":""},"google":{"client_id":"","client_secret":"","discovery_url":"https://accounts.google.com/.well-known/openid-configuration","mock":"","mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/google/login/","scope":"openid email"},"microsoft":{"client_id":"","client_secret":"","discovery_url":"https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration","mock":false,"mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/microsoft/login/","scope":"openid email"},"okta":{"client_id":"","client_secret":"","discovery_url":"","redirect_url":"{{BASE_URL}}/login/okta/login/","scope":"openid 
email"},"orcid":{"client_id":"","client_secret":"","discovery_url":"https://orcid.org/.well-known/openid-configuration","mock":false,"mock_default_user":"0000-0002-2601-8132","redirect_url":"{{BASE_URL}}/login/orcid/login/","scope":"openid"},"ras":{"client_id":"","client_secret":"","discovery_url":"https://sts.nih.gov/.well-known/openid-configuration","mock":false,"mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/ras/callback","scope":"openid email profile ga4gh_passport_v1"},"shibboleth":{"client_id":"","client_secret":"","redirect_url":"{{BASE_URL}}/login/shib/login"},"synapse":{"client_id":"","client_secret":"","discovery_url":"","redirect_url":"","scope":"openid"}} |
Configurations for OpenID Connect (OIDC) authentication. Fully configure at least one client so login works. WARNING: Be careful changing the *_ALLOWED_SCOPES as you can break basic and optional functionality. |
FENCE_CONFIG.OPENID_CONNECT.fence | dict | {"access_token_url":"{{api_base_url}}/oauth2/token","api_base_url":"","authorize_url":"{{api_base_url}}/oauth2/authorize","client_id":"","client_kwargs":{"redirect_uri":"{{BASE_URL}}/login/fence/login","scope":"openid"},"client_secret":"","mock":false,"mock_default_user":"test@example.com","name":"","refresh_token_url":"{{api_base_url}}/oauth2/token","shibboleth_discovery_url":"https://login.bionimbus.org/Shibboleth.sso/DiscoFeed"} |
Multi-tenant Fence configuration (another Fence is this Fence's IDP). If this Fence instance is a client of another Fence, fill this config out. REMOVE if not needed. |
FENCE_CONFIG.OPENID_CONNECT.fence.access_token_url | str | "{{api_base_url}}/oauth2/token" |
URL for the access token endpoint of the other Fence. |
FENCE_CONFIG.OPENID_CONNECT.fence.api_base_url | str | "" |
Root URL for the other Fence. This api_base_url should be the root URL for the OTHER Fence, something like: https://example.com |
FENCE_CONFIG.OPENID_CONNECT.fence.authorize_url | str | "{{api_base_url}}/oauth2/authorize" |
URL for the authorization endpoint of the other Fence. The authorize, access token and refresh token URLs should not need to be changed if the provider is following OAuth2 endpoint naming conventions. |
FENCE_CONFIG.OPENID_CONNECT.fence.client_id | str | "" |
ID of the client of this Fence on the other Fence. This client_id and client_secret should be obtained by registering THIS Fence as a new client of the OTHER Fence. |
FENCE_CONFIG.OPENID_CONNECT.fence.client_kwargs | object | {"redirect_uri":"{{BASE_URL}}/login/fence/login","scope":"openid"} |
Additional client parameters (dict). |
FENCE_CONFIG.OPENID_CONNECT.fence.client_kwargs.redirect_uri | str | "{{BASE_URL}}/login/fence/login" |
The URL to which the other Fence will redirect after logging in. |
FENCE_CONFIG.OPENID_CONNECT.fence.client_kwargs.scope | str | "openid" |
Space-separated string of scopes; openid is required to use the OIDC flow. |
FENCE_CONFIG.OPENID_CONNECT.fence.client_secret | str | "" |
Secret of the client of this Fence on the other Fence. |
FENCE_CONFIG.OPENID_CONNECT.fence.mock | bool | false |
Whether to mock a successful login response for testing purposes. If mock is true, will fake a successful login response for login. WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only). |
FENCE_CONFIG.OPENID_CONNECT.fence.mock_default_user | str | "test@example.com" |
Default user for mock login. |
FENCE_CONFIG.OPENID_CONNECT.fence.name | str | "" |
Custom name to display for consent screens. If not provided, will use "fence". If the other Fence is using NIH Login, you should set name: NIH Login. |
FENCE_CONFIG.OPENID_CONNECT.fence.refresh_token_url | str | "{{api_base_url}}/oauth2/token" |
URL for the refresh token endpoint of the other Fence. |
FENCE_CONFIG.OPENID_CONNECT.fence.shibboleth_discovery_url | str | "https://login.bionimbus.org/Shibboleth.sso/DiscoFeed" |
URL of the Shibboleth discovery endpoint, if needed for InCommon login. This is needed to enable InCommon login when some LOGIN_OPTIONS are configured with idp=fence and a list of shib_idps. |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.client_id | str | "" |
Client ID |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.client_secret | str | "" |
Client secret |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.discovery.authorization_endpoint | str | "" |
Authorization endpoint URL |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.discovery.jwks_uri | str | "" |
JSON Web Key Set (JWKS) URI |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.discovery.token_endpoint | str | "" |
Token endpoint URL |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.discovery_url | str | "https://server.com/.well-known/openid-configuration" |
URL of the OIDC discovery endpoint for the IDP |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.email_field | str | "" |
Optional; claims field to get the user email from (default "email") |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.name | str | "some_idp" |
Optional; display name for this IDP |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.redirect_url | str | "{{BASE_URL}}/login/some_idp/login" |
Redirect URL for this IDP |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.scope | str | "" |
Optional; default is "openid" |
FENCE_CONFIG.OPENID_CONNECT.generic_oidc_idp.user_id_field | str | "" |
Optional; claims field to get the user_id from (default "sub") |
FENCE_CONFIG.OPENID_CONNECT.google | dict | {"client_id":"","client_secret":"","discovery_url":"https://accounts.google.com/.well-known/openid-configuration","mock":"","mock_default_user":"test@example.com","redirect_url":"{{BASE_URL}}/login/google/login/","scope":"openid email"} |
Configuration for Google authentication provider |
FENCE_CONFIG.OPENID_CONNECT.google.client_id | str | "" |
Client ID |
FENCE_CONFIG.OPENID_CONNECT.google.client_secret | str | "" |
Client secret |
FENCE_CONFIG.OPENID_CONNECT.google.discovery_url | str | "https://accounts.google.com/.well-known/openid-configuration" |
URL of the OIDC discovery endpoint for Google |
FENCE_CONFIG.OPENID_CONNECT.google.mock | str | "" |
Optional; defaults to '{{MOCK_GOOGLE_AUTH}}' for backwards compatibility with older cfg files |
FENCE_CONFIG.OPENID_CONNECT.google.mock_default_user | str | "test@example.com" |
Optional; defaults to 'test@example.com' |
FENCE_CONFIG.OPENID_CONNECT.google.redirect_url | str | "{{BASE_URL}}/login/google/login/" |
The allowed redirect back to Fence; should not need to change. |
FENCE_CONFIG.OPENID_CONNECT.google.scope | str | "openid email" |
The scope to request from Google (default "openid email") |
FENCE_CONFIG.SESSION_ALLOWED_SCOPES | list | ["openid","user","credentials","data","admin","google_credentials","google_service_account","google_link","ga4gh_passport_v1"] |
These are the scopes that a browser session can create for a user (very similar to USER_ALLOWED_SCOPES, as the session will actually create access_tokens for an actively logged in user). |
FENCE_CONFIG.SESSION_COOKIE_SECURE | bool | true |
Set if you want browsers to only send cookies with requests over HTTPS. |
FENCE_CONFIG.USER_ALLOWED_SCOPES | list | ["fence","openid","user","data","admin","google_credentials","google_service_account","google_link","ga4gh_passport_v1"] |
These are the scopes that CAN be included in a user's own access_token. |
FENCE_CONFIG.WTF_CSRF_SECRET_KEY | str | "{{ENCRYPTION_KEY}}" |
Signing key for WTForms to sign CSRF tokens with. |
FENCE_CONFIG_PUBLIC | map | {} |
Public configuration settings for Fence app |
USER_YAML | string | "cloud_providers: {}\nauthz:\n # policies automatically given to anyone, even if they are not authenticated\n anonymous_policies:\n - open_data_reader\n\n # policies automatically given to authenticated users (in addition to their other policies)\n all_users_policies: []\n\n groups:\n # can CRUD programs and projects and upload data files\n - name: data_submitters\n policies:\n - services.sheepdog-admin\n - data_upload\n - MyFirstProject_submitter\n users:\n - username1@gmail.com\n\n # can create/update/delete indexd records\n - name: indexd_admins\n policies:\n - indexd_admin\n users:\n - username1@gmail.com\n\n resources:\n - name: workspace\n - name: data_file\n - name: services\n subresources:\n - name: sheepdog\n subresources:\n - name: submission\n subresources:\n - name: program\n - name: project\n - name: 'indexd'\n subresources:\n - name: 'admin'\n - name: audit\n subresources:\n - name: presigned_url\n - name: login\n - name: open\n - name: programs\n subresources:\n - name: MyFirstProgram\n subresources:\n - name: projects\n subresources:\n - name: MyFirstProject\n\n policies:\n - id: workspace\n description: be able to use workspace\n resource_paths:\n - /workspace\n role_ids:\n - workspace_user\n - id: data_upload\n description: upload raw data files to S3\n role_ids:\n - file_uploader\n resource_paths:\n - /data_file\n - id: services.sheepdog-admin\n description: CRUD access to programs and projects\n role_ids:\n - sheepdog_admin\n resource_paths:\n - /services/sheepdog/submission/program\n - /services/sheepdog/submission/project\n - id: indexd_admin\n description: full access to indexd API\n role_ids:\n - indexd_admin\n resource_paths:\n - /programs\n - id: open_data_reader\n role_ids:\n - peregrine_reader\n - guppy_reader\n - fence_storage_reader\n resource_paths:\n - /open\n - id: all_programs_reader\n role_ids:\n - peregrine_reader\n - guppy_reader\n - fence_storage_reader\n resource_paths:\n - /programs\n - id: 
MyFirstProject_submitter\n role_ids:\n - reader\n - creator\n - updater\n - deleter\n - storage_reader\n - storage_writer\n resource_paths:\n - /programs/MyFirstProgram/projects/MyFirstProject\n\n roles:\n - id: file_uploader\n permissions:\n - id: file_upload\n action:\n service: fence\n method: file_upload\n - id: workspace_user\n permissions:\n - id: workspace_access\n action:\n service: jupyterhub\n method: access\n - id: sheepdog_admin\n description: CRUD access to programs and projects\n permissions:\n - id: sheepdog_admin_action\n action:\n service: sheepdog\n method: '*'\n - id: indexd_admin\n description: full access to indexd API\n permissions:\n - id: indexd_admin\n action:\n service: indexd\n method: '*'\n - id: admin\n permissions:\n - id: admin\n action:\n service: '*'\n method: '*'\n - id: creator\n permissions:\n - id: creator\n action:\n service: '*'\n method: create\n - id: reader\n permissions:\n - id: reader\n action:\n service: '*'\n method: read\n - id: updater\n permissions:\n - id: updater\n action:\n service: '*'\n method: update\n - id: deleter\n permissions:\n - id: deleter\n action:\n service: '*'\n method: delete\n - id: storage_writer\n permissions:\n - id: storage_creator\n action:\n service: '*'\n method: write-storage\n - id: storage_reader\n permissions:\n - id: storage_reader\n action:\n service: '*'\n method: read-storage\n - id: peregrine_reader\n permissions:\n - id: peregrine_reader\n action:\n method: read\n service: peregrine\n - id: guppy_reader\n permissions:\n - id: guppy_reader\n action:\n method: read\n service: guppy\n - id: fence_storage_reader\n permissions:\n - id: fence_storage_reader\n action:\n method: read-storage\n service: fence\n\nclients:\n wts:\n policies:\n - all_programs_reader\n - open_data_reader\n\nusers:\n username1@gmail.com: {}\n username2:\n tags:\n name: John Doe\n email: johndoe@gmail.com\n policies:\n - MyFirstProject_submitter\n\ncloud_providers: {}\ngroups: {}\n" |
USER YAML. Passed in as a multiline string. |
affinity | map | {"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}} |
Affinity to use for the deployment. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution | map | [{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}] |
Option for scheduling to be required or preferred. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0] | int | {"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100} |
Weight value for preferred scheduling. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0] | list | {"key":"app","operator":"In","values":["fence"]} |
Label key for match expression. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator | string | "In" |
Operation type for the match expression. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values | list | ["fence"] |
Value for the match expression key. |
affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | "kubernetes.io/hostname" |
Value for topology key label. |
autoscaling | map | {"enabled":false,"maxReplicas":4,"minReplicas":1,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80} |
Configuration for autoscaling the number of replicas |
autoscaling.enabled | bool | false |
Whether autoscaling is enabled |
autoscaling.maxReplicas | int | 4 |
The maximum number of replicas to scale up to |
autoscaling.minReplicas | int | 1 |
The minimum number of replicas to scale down to |
autoscaling.targetCPUUtilizationPercentage | int | 80 |
Target CPU utilization percentage |
autoscaling.targetMemoryUtilizationPercentage | int | 80 |
Target Memory utilization percentage |
commonLabels | map | nil |
Will completely override the commonLabels defined in the common chart's _label_setup.tpl |
criticalService | string | "true" |
Valid options are "true" or "false". If an invalid option is set, the value will default to "false". |
env | list | [{"name":"GEN3_UWSGI_TIMEOUT","valueFrom":{"configMapKeyRef":{"key":"uwsgi-timeout","name":"manifest-global","optional":true}}},{"name":"DD_AGENT_HOST","valueFrom":{"fieldRef":{"fieldPath":"status.hostIP"}}},{"name":"AWS_STS_REGIONAL_ENDPOINTS","value":"regional"},{"name":"PYTHONPATH","value":"/var/www/fence"},{"name":"GEN3_DEBUG","value":"False"},{"name":"PGHOST","valueFrom":{"secretKeyRef":{"key":"host","name":"fence-dbcreds","optional":false}}},{"name":"PGUSER","valueFrom":{"secretKeyRef":{"key":"username","name":"fence-dbcreds","optional":false}}},{"name":"PGPASSWORD","valueFrom":{"secretKeyRef":{"key":"password","name":"fence-dbcreds","optional":false}}},{"name":"PGDB","valueFrom":{"secretKeyRef":{"key":"database","name":"fence-dbcreds","optional":false}}},{"name":"DBREADY","valueFrom":{"secretKeyRef":{"key":"dbcreated","name":"fence-dbcreds","optional":false}}},{"name":"DB","value":"postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)"},{"name":"INDEXD_PASSWORD","valueFrom":{"secretKeyRef":{"key":"fence","name":"indexd-service-creds"}}},{"name":"gen3Env","valueFrom":{"configMapKeyRef":{"key":"hostname","name":"manifest-global"}}}] |
Environment variables to pass to the container |
externalSecrets | map | {"createK8sFenceConfigSecret":false,"createK8sGoogleAppSecrets":false,"createK8sJwtKeysSecret":false,"dbcreds":null,"fenceConfig":null,"fenceGoogleAppCredsSecret":null,"fenceGoogleStorageCredsSecret":null,"fenceJwtKeys":null} |
External Secrets settings. |
externalSecrets.createK8sFenceConfigSecret | string | false |
Will create the Helm "fence-config" secret even if Secrets Manager is enabled. This is helpful if you want to use External Secrets for some, but not all, secrets. |
externalSecrets.createK8sGoogleAppSecrets | string | false |
Will create the Helm "fence-google-app-creds-secret" and "fence-google-storage-creds-secret" secrets even if Secrets Manager is enabled. This is helpful if you want to use External Secrets for some, but not all, secrets. |
externalSecrets.createK8sJwtKeysSecret | string | false |
Will create the Helm "fence-jwt-keys" secret even if Secrets Manager is enabled. This is helpful if you want to use External Secrets for some, but not all, secrets. |
externalSecrets.dbcreds | string | nil |
Will override the name of the aws secrets manager secret. Default is "Values.global.environment-.Chart.Name-creds" |
externalSecrets.fenceConfig | string | nil |
Will override the name of the aws secrets manager secret. Default is "fence-config" |
externalSecrets.fenceGoogleAppCredsSecret | string | nil |
Will override the name of the aws secrets manager secret. Default is "fence-google-app-creds-secret" |
externalSecrets.fenceGoogleStorageCredsSecret | string | nil |
Will override the name of the aws secrets manager secret. Default is "fence-google-storage-creds-secret" |
externalSecrets.fenceJwtKeys | string | nil |
Will override the name of the AWS Secrets Manager secret. Default is "fence-jwt-keys" |
fullnameOverride | string | "" |
Override the full name of the deployment. |
global.aws | map | {"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"useLocalSecret":{"enabled":false,"localSecretName":null,"localSecretNamespace":null}} |
AWS configuration |
global.aws.awsAccessKeyId | string | nil |
AWS access key ID used for AWS credentials. |
global.aws.awsSecretAccessKey | string | nil |
AWS secret access key used for AWS credentials. |
global.aws.enabled | bool | false |
Set to true if deploying to AWS. Controls ingress annotations. |
global.aws.useLocalSecret | map | {"enabled":false,"localSecretName":null,"localSecretNamespace":null} |
Local secret settings if using a pre-existing secret. |
global.aws.useLocalSecret.enabled | bool | false |
Set to true if you would like to use a secret that already exists on your cluster. |
global.aws.useLocalSecret.localSecretName | string | nil |
Name of the local secret. |
global.aws.useLocalSecret.localSecretNamespace | string | nil |
Namespace of the local secret. |
global.dev | bool | true |
Whether the deployment is for development purposes. |
global.dictionaryUrl | string | "https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json" |
URL of the data dictionary. |
global.dispatcherJobNum | int | "10" |
Number of dispatcher jobs. |
global.environment | string | "default" |
Environment name. This should be the same as the VPC name if you're doing an AWS deployment. Currently this is used to share ALBs if you have multiple namespaces. It might be used in other places too. |
global.externalSecrets | map | {"deploy":false,"separateSecretStore":false} |
External Secrets settings. |
global.externalSecrets.deploy | bool | false |
Will use ExternalSecret resources to pull secrets from Secrets Manager instead of creating them locally. Be cautious as this will override any fence secrets you have deployed. |
global.externalSecrets.separateSecretStore | string | false |
Will deploy a separate External Secret Store for this service. |
global.hostname | string | "localhost" |
Hostname for the deployment. |
global.kubeBucket | string | "kube-gen3" |
S3 bucket name for Kubernetes manifest files. |
global.logsBucket | string | "logs-gen3" |
S3 bucket name for log files. |
global.minAvialable | int | 1 |
The minimum number of pods that are available at all times if the PDB is deployed. |
global.netPolicy | map | {"enabled":false} |
Controls network policy settings |
global.pdb | bool | false |
Whether the service will be deployed with a Pod Disruption Budget. Note: you need to have more than 2 replicas for the PDB to be deployed. |
global.portalApp | string | "gitops" |
Portal application name. |
global.postgres.dbCreate | bool | true |
Whether the database should be created. |
global.postgres.externalSecret | string | "" |
Name of the external secret. Disabled if empty. |
global.postgres.master | map | {"host":null,"password":null,"port":"5432","username":"postgres"} |
Master credentials for Postgres. This is the default Postgres server used by each service, unless a service specifies its own Postgres settings. |
global.postgres.master.host | string | nil |
Hostname of the Postgres server. |
global.postgres.master.password | string | nil |
Password for the Postgres superuser. This is used to create or restore databases. |
global.postgres.master.port | string | "5432" |
Port for Postgres. |
global.postgres.master.username | string | "postgres" |
Username of the Postgres superuser. This is used to create or restore databases. |
global.publicDataSets | bool | true |
Whether public datasets are enabled. |
global.revproxyArn | string | "arn:aws:acm:us-east-1:123456:certificate" |
ARN of the reverse proxy certificate. |
global.syncFromDbgap | bool | false |
Whether to sync data from dbGaP. |
global.tierAccessLevel | string | "libre" |
Access level for tiers. Acceptable values for tier_access_level are "libre", "regular" and "private". If omitted, the commons is treated as "private" by default. |
global.tierAccessLimit | int | "1000" |
Only relevant if tierAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. |
image.pullPolicy | string | "Always" |
When to pull the image. This value should be "Always" to ensure the latest image is used. |
image.repository | string | "quay.io/cdis/fence" |
The Docker image repository for the fence service |
image.tag | string | "master" |
Overrides the image tag whose default is the chart appVersion. |
imagePullSecrets | list | [] |
Docker image pull secrets. |
initEnv | list | [{"name":"PGHOST","valueFrom":{"secretKeyRef":{"key":"host","name":"fence-dbcreds","optional":false}}},{"name":"PGUSER","valueFrom":{"secretKeyRef":{"key":"username","name":"fence-dbcreds","optional":false}}},{"name":"PGPASSWORD","valueFrom":{"secretKeyRef":{"key":"password","name":"fence-dbcreds","optional":false}}},{"name":"PGDB","valueFrom":{"secretKeyRef":{"key":"database","name":"fence-dbcreds","optional":false}}},{"name":"DBREADY","valueFrom":{"secretKeyRef":{"key":"dbcreated","name":"fence-dbcreds","optional":false}}},{"name":"DB","value":"postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)"},{"name":"FENCE_DB","value":"postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)"},{"name":"PYTHONPATH","value":"/var/www/fence"}] |
Environment variables to pass to the init container. |
initVolumeMounts | list | [{"mountPath":"/var/www/fence/fence-config-secret.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/fence-config-public.yaml","name":"config-volume-public","readOnly":true,"subPath":"fence-config-public.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"}] |
Volumes to mount to the init container. |
labels | map | {"authprovider":"yes","netnolimit":"yes","public":"yes","userhelper":"yes"} |
Labels to add to the pod. |
labels.authprovider | string | "yes" |
Grants egress from all pods to pods labeled with authprovider=yes. For network policy selectors. |
labels.netnolimit | string | "yes" |
Grants egress from pods labeled with netnolimit=yes to any IP address. Used for the explicit proxy and AWS APIs. |
labels.public | string | "yes" |
Grants ingress from the revproxy service for pods labeled with public=yes |
labels.userhelper | string | "yes" |
Grants ingress from pods in usercode namespaces for gen3 pods labeled with userhelper=yes |
logo | string | nil |
|
metricsEnabled | bool | false |
Whether Metrics are enabled. |
nameOverride | string | "" |
Override the name of the chart. |
nodeSelector | map | {} |
Node Selector for the pods |
partOf | string | "Authentication" |
Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. |
podAnnotations | map | {} |
Annotations to add to the pod |
podSecurityContext | map | {"fsGroup":101} |
Security context for the pod |
postgres | map | {"database":null,"dbCreate":null,"dbRestore":false,"host":null,"password":null,"port":"5432","separate":false,"username":null} |
Postgres database configuration. If the database does not exist in the Postgres cluster and dbCreate is set to true, then these databases will be created for you. |
postgres.database | string | nil |
Database name for postgres. This is a service override, defaults to - |
postgres.dbCreate | bool | nil |
Whether the database should be created. Default to global.postgres.dbCreate |
postgres.host | string | nil |
Hostname of the Postgres server. This is a service override; defaults to global.postgres.host. |
postgres.password | string | nil |
Password for Postgres. Will be autogenerated if left empty. |
postgres.port | string | "5432" |
Port for Postgres. |
postgres.separate | string | false |
Will create a separate database for the individual service to help with developing it. |
postgres.username | string | nil |
Username for postgres. This is a service override, defaults to - |
postgresql | map | {"primary":{"persistence":{"enabled":false}}} |
PostgreSQL subchart settings, used when the "separate" deployment option is set to "true". Persistence is disabled by default so ephemeral environments can be spun up and down. |
postgresql.primary.persistence.enabled | bool | false |
Option to persist the database's data. |
privacy_policy | string | nil |
|
projects | string | nil |
|
release | string | "production" |
Valid options are "production" or "dev". If an invalid option is set, the value will default to "dev". |
replicaCount | int | 1 |
Number of desired replicas |
resources | map | {"limits":{"cpu":1,"memory":"2Gi"},"requests":{"cpu":0.3,"memory":"128Mi"}} |
Resource requests and limits for the containers in the pod |
resources.limits | map | {"cpu":1,"memory":"2Gi"} |
The maximum amount of resources that the container is allowed to use |
resources.limits.cpu | string | 1 |
The maximum amount of CPU the container can use |
resources.limits.memory | string | "2Gi" |
The maximum amount of memory the container can use |
resources.requests | map | {"cpu":0.3,"memory":"128Mi"} |
The amount of resources that the container requests |
resources.requests.cpu | string | 0.3 |
The amount of CPU requested |
resources.requests.memory | string | "128Mi" |
The amount of memory requested |
secrets | map | {"awsAccessKeyId":null,"awsSecretAccessKey":null} |
Secret information for Usersync and External Secrets. |
secrets.awsAccessKeyId | str | nil |
AWS access key ID. Overrides the global key. |
secrets.awsSecretAccessKey | str | nil |
AWS secret access key. Overrides the global key. |
securityContext | map | {} |
Security context for the containers in the pod |
selectorLabels | map | nil |
Will completely override the selectorLabels defined in the common chart's _label_setup.tpl |
service | map | {"port":80,"type":"ClusterIP"} |
Kubernetes service information. |
service.port | int | 80 |
The port number that the service exposes. |
service.type | string | "ClusterIP" |
Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
serviceAccount | map | {"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"fence-sa"} |
Service account to use or create. |
serviceAccount.annotations | map | {"eks.amazonaws.com/role-arn":null} |
Annotations to add to the service account. |
serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | nil |
The Amazon Resource Name (ARN) of the role to associate with the service account |
serviceAccount.create | bool | true |
Specifies whether a service account should be created. |
serviceAccount.name | string | "fence-sa" |
The name of the service account |
tolerations | list | [] |
Tolerations for the pods |
usersync | map | {"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false} |
Configuration options for usersync cronjob. |
usersync.addDbgap | bool | false |
Forces an attempted dbGaP sync if "true"; falls back to user.yaml. |
usersync.custom_image | string | nil |
Sets a custom image for pulling the user.yaml file from S3. Default is the Gen3 Awshelper image. |
usersync.onlyDbgap | bool | false |
Forces ONLY a dbGaP sync if "true", IGNORING user.yaml. |
usersync.schedule | string | "*/30 * * * *" |
The cron schedule expression to use in the usersync cronjob. Runs every 30 minutes by default. |
usersync.slack_send_dbgap | bool | false |
Echoes the files seen on the dbGaP FTP server to Slack. |
usersync.slack_webhook | string | "None" |
Slack webhook endpoint used with certain jobs. |
usersync.syncFromDbgap | bool | false |
Whether to sync data from dbGaP. |
usersync.userYamlS3Path | string | "s3://cdis-gen3-users/helm-test/user.yaml" |
Path to the user.yaml file in S3. |
usersync.usersync | bool | false |
Whether to run Fence usersync or not. |
volumeMounts | list | [{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config-secret.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":true,"subPath":"jwt_private_key.pem"},{"mountPath":"/var/www/fence/fence-config-public.yaml","name":"config-volume-public","readOnly":true,"subPath":"fence-config-public.yaml"}] |
Volumes to mount to the container. |
volumes | list | [{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":false},"name":"yaml-merge"},{"configMap":{"name":"manifest-fence","optional":true},"name":"config-volume-public"}] |
Volumes to attach to the container. |
Autogenerated from chart metadata using helm-docs v1.14.2