Deployment Specification
Within the secure-api-gateway-releases repository you will find the Kustomize objects and Helm umbrella charts for deploying a version of SAPI-G. They are purposely generic and contain no deployment-specific information, so that each customer can take these files and apply their own overlay on top.
The overlay can live in a separate repository or in local files; an example directory layout is as follows:
```text
v1
  id-cloud-config
    <cloud config objects>
  kustomize
    overlay
      7.2.0                  <- [VERSION] of SAPI-G being deployed
        <Kustomize objects>
  values.yaml
v2
  id-cloud-config
    <cloud config objects>
  kustomize
    overlay
      7.2.0                  <- [VERSION] of SAPI-G being deployed
        <Kustomize objects>
  values.yaml
```
The id-cloud-config folder contains the full Identity Cloud configuration, with the SAPI-G configuration already applied as described in Apply the SAPI-G Configuration.
The kustomize overlay directory contains the following files:
- ca.crt
- configmap.yaml
Name | Description | Example |
---|---|---|
BASE_FQDN | The fully qualified domain name created in the DNS section | ob.domain |
IG_FQDN | The fully qualified domain name created to access IG | sapig.ob.domain |
MTLS_FQDN | The fully qualified domain name used for mutual TLS client authentication | mtls.sapig.ob.domain |
IDENTITY_PLATFORM_FQDN | The fully qualified domain name of the Identity Cloud tenant | openam.forgeblocks.com |
USER_OBJECT | Identity Management user object; the format is the realm in use followed by _user | alpha_user |
IG_OB_ASPSP_SIGNING_KID | Open Banking directory ASPSP signing key ID (OBSeal) | |
AM_REALM | The realm being used, typically the alpha realm | alpha |
CERT_ISSUER | Name of the certificate issuer to use | null-issuer |
OB_ASPSP_ORG_ID | Open Banking directory ASPSP organisation ID | |
- kustomization.yaml
Name | Description | Example |
---|---|---|
namespace | What namespace to deploy to within the Kubernetes cluster | ob |
commonLabels.app.kubernetes.io/name | What name label to apply during deployment | forgerock |
resources | The location of the base Kustomize files. The ref will need to be amended to reflect the version of SAPI-G being installed | https://github.com/SecureApiGateway/secure-api-gateway-releases/kustomize/overlay/7.2.0/defaults?ref=v1.0.0 |
patchesStrategicMerge | How to apply the changes to the base files | - configmap.yaml - secret.yaml |
secretGenerator.name | The name of the secret to create within the Kubernetes cluster | obri-ca |
secretGenerator.files | The file to use for the value of the secret | ca.crt |
generatorOptions.disableNameSuffixHash | We don’t want to add a name suffix hash to the secret being created as we want it to be called obri-ca | true |
- secret.yaml
Name | Description | Example |
---|---|---|
apiVersion | The API version to use | v1 |
kind | The type of object that is being created | Secret |
metadata.name | The name of the secret to create in the cluster; must be openig-secrets-env | openig-secrets-env |
type | The type of secret being created | Opaque |
data.IG_OB_ASPSP_SIGNING_KEYSTORE_KEYPASS | The key password for the key in the Java keystore mounted into the IG Docker container and used for Open Banking signing | N/A |
data.IG_OB_ASPSP_SIGNING_KEYSTORE_STOREPASS | The store password for the Java keystore mounted into the IG Docker container and used for Open Banking signing | N/A |
data.IG_METRICS_USERNAME | The username allowed to access the IG metrics endpoint. Deployments should generate a strong, unique username and password for this | N/A |
data.IG_METRICS_PASSWORD | Password for the above username | N/A |
data.IG_TRUSTSTORE_PASSWORD | Password for the Java keystore configured as the truststore for IG | N/A |
data.IG_TEST_DIRECTORY_CA_KEYSTORE_STOREPASS | Keystore store password; matches the -storepass argument supplied to keytool | N/A |
data.IG_TEST_DIRECTORY_CA_KEYSTORE_KEYPASS | Keystore key password; matches the -keypass argument supplied to keytool | N/A |
data.IG_TEST_DIRECTORY_SIGNING_KEYSTORE_STOREPASS | Keystore store password; matches the -storepass argument supplied to keytool | N/A |
data.IG_TEST_DIRECTORY_SIGNING_KEYSTORE_KEYPASS | Keystore key password; matches the -keypass argument supplied to keytool | N/A |
data.IG_CLIENT_ID | Username of the ig-client OAuth2 client. Must match the value entered in the Identity Cloud environment | N/A |
data.IG_CLIENT_SECRET | Password of the ig-client OAuth2 client above. Must match the value entered in the Identity Cloud environment | N/A |
data.IG_IDM_USER | User for the ROPC grant with the ig-client OAuth2 client. Must match the value entered in the Identity Cloud environment | N/A |
data.IG_IDM_PASSWORD | Password of the service_account.ig account used for ROPC above. Must match the value entered in the Identity Cloud environment | N/A |
data.IG_AGENT_ID | Username of the ig-agent Identity Gateway agent account. Must match the value entered in the Identity Cloud environment | N/A |
data.IG_AGENT_PASSWORD | Password of the ig-agent Identity Gateway agent account above. Must match the value entered in the Identity Cloud environment | N/A |
Values under data must be base64-encoded (alternatively use stringData, which Kubernetes encodes on write). Base64 is an encoding, not encryption, so a secret.yaml holding real credentials must not be committed to the overlay repository; supply them at deploy time from a secrets manager, for example via the external-secrets-gsm values below.
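The following script is an added example and is not part of secure-api-gateway-releases. It generates the kustomization.yaml and the openig-secrets-env secret.yaml described in the two tables above, takes every credential from an environment variable of the same name so that no plaintext password is typed into a file that could be committed, and checks the result before it is applied. Assumptions: namespace ob, base ref v1.0.0 and the 7.2.0 overlay path from the table, and placeholder credential values. configmap.yaml is not generated because its metadata.name must match the base ConfigMap, which this page does not name.

```shell
#!/bin/sh
# Added example (not project code): build and verify a customer overlay.
# Assumed: namespace "ob", base ref v1.0.0, overlay path 7.2.0, placeholder
# credentials exported as environment variables before running.
set -eu

# Every key the page requires in the openig-secrets-env Secret.
REQUIRED_KEYS="IG_OB_ASPSP_SIGNING_KEYSTORE_KEYPASS IG_OB_ASPSP_SIGNING_KEYSTORE_STOREPASS
IG_METRICS_USERNAME IG_METRICS_PASSWORD IG_TRUSTSTORE_PASSWORD
IG_TEST_DIRECTORY_CA_KEYSTORE_STOREPASS IG_TEST_DIRECTORY_CA_KEYSTORE_KEYPASS
IG_TEST_DIRECTORY_SIGNING_KEYSTORE_STOREPASS IG_TEST_DIRECTORY_SIGNING_KEYSTORE_KEYPASS
IG_CLIENT_ID IG_CLIENT_SECRET IG_IDM_USER IG_IDM_PASSWORD IG_AGENT_ID IG_AGENT_PASSWORD"

# getvar NAME: print the value of the shell variable NAME (empty if unset).
getvar() { eval "printf '%s' \"\${$1:-}\""; }

# b64 VALUE: base64 with no trailing newline (`echo` would embed one in the
# password) and no 76-column wrapping, so the value is a single YAML scalar.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# write_kustomization DIR: the overlay entry point, field for field as in the
# kustomization.yaml table.
write_kustomization() {
  cat > "$1/kustomization.yaml" <<'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ob
commonLabels:
  app.kubernetes.io/name: forgerock
resources:
  - https://github.com/SecureApiGateway/secure-api-gateway-releases/kustomize/overlay/7.2.0/defaults?ref=v1.0.0
patchesStrategicMerge:
  - configmap.yaml
  - secret.yaml
secretGenerator:
  - name: obri-ca
    files:
      - ca.crt
generatorOptions:
  disableNameSuffixHash: true
EOF
}

# write_secret DIR: emit openig-secrets-env, reading each required key from
# the environment variable of the same name. Fails closed (writes nothing)
# if any credential is unset or empty, rather than shipping an empty value.
write_secret() {
  out="$1/secret.yaml"
  for k in $REQUIRED_KEYS; do
    [ -n "$(getvar "$k")" ] || { echo "write_secret: $k is not set" >&2; return 1; }
  done
  {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: openig-secrets-env\ntype: Opaque\ndata:\n'
    for k in $REQUIRED_KEYS; do
      printf '  %s: %s\n' "$k" "$(b64 "$(getvar "$k")")"
    done
  } > "$out"
}

# check_secret FILE: confirm the Secret is named and typed as required, that
# every required key is present, and that each value decodes as base64
# (a value pasted in as plaintext normally fails this decode).
check_secret() {
  grep -q '^  name: openig-secrets-env$' "$1" || { echo "bad metadata.name" >&2; return 1; }
  grep -q '^type: Opaque$' "$1" || { echo "bad type" >&2; return 1; }
  for k in $REQUIRED_KEYS; do
    line=$(grep "^  $k: " "$1") || { echo "missing $k" >&2; return 1; }
    printf '%s' "${line#*: }" | base64 -d >/dev/null 2>&1 \
      || { echo "$k is not base64" >&2; return 1; }
  done
}

# decode_key FILE KEY: recover the plaintext for KEY, e.g. to compare it with
# what was entered in the Identity Cloud environment.
decode_key() { grep "^  $2: " "$1" | sed 's/^[^:]*: //' | base64 -d; }
```

With the fifteen variables exported from your secrets manager, run `write_kustomization overlay && write_secret overlay && check_secret overlay/secret.yaml`, add ca.crt and configmap.yaml to the same directory, then apply with `kubectl apply -k overlay`. The decode step exists because the most common failure here is a value that differs from the Identity Cloud side by a trailing newline introduced by `echo`.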
- values.yaml
This is where we provide additional values for the Helm deployment. The values within this file will override any previous values from the umbrella charts.
Name | Description | Example |
---|---|---|
external-secrets-gsm.serviceAccount | Optional: Only populate if using External Secrets | default |
external-secrets-gsm.name | Optional: Only populate if using External Secrets | initializer-secret |
external-secrets-gsm.version | Optional: Only populate if using External Secrets | v1 |
external-secrets-gsm.fr_platform.type | Optional: Only populate if using External Secrets | Identity Cloud |
external-secrets-gsm.openBankingCert.secretName | Optional: Only populate if using External Secrets | obwac |
external-secrets-gsm.openBankingCert.certPrefix | Optional: Only populate if using External Secrets | v1-ob-wac |
external-secrets-gsm.externalCert.projectId | Optional: Only populate if using External Secrets | sbat-dev |
external-secrets-gsm.externalCert.secretName | Optional: Only populate if using External Secrets | sbat-dev |
external-secrets-gsm.externalCert.certPrefix | Optional: Only populate if using External Secrets | v1-ob-sandbox |
external-secrets-gsm.ig.truststore.secretName | Optional: Only populate if using External Secrets | ig-truststore-pem |
external-secrets-gsm.ig.truststore.fileName | Optional: Only populate if using External Secrets | ig-truststore.pem |
external-secrets-gsm.ig.truststore.googleSecretName | Optional: Only populate if using External Secrets | am-oauth2-ca-certs |
external-secrets-gsm.ig.ob.signingKey.secretName | Optional: Only populate if using External Secrets | ig-ob-signing-key |
external-secrets-gsm.ig.ob.signingKey.fileName | Optional: Only populate if using External Secrets | ig-ob-signing-key.p12 |
external-secrets-gsm.ig.ob.signingKey.googleSecretName | Optional: Only populate if using External Secrets | v1-ig-ob-signing-key |
external-secrets-gsm.ig.testTrustedDirectory.secretName | Optional: Only populate if using External Secrets | test-trusted-dir-keystore |
external-secrets-gsm.ig.testTrustedDirectory.fileName | Optional: Only populate if using External Secrets | test-trusted-dir-keystore.p12 |
external-secrets-gsm.ig.testTrustedDirectory.googleSecretName | Optional: Only populate if using External Secrets | test-trusted-dir-keystore |
external-secrets-gsm.rcs.signing.certPrefix | Optional: Only populate if using External Secrets | v1-rcs-signing |
external-secrets-gsm.rcs.signing.secretName | Optional: Only populate if using External Secrets | v1-rcs-signing |
remote-consent-service.deployment.affinity | Optional: pod affinity or anti-affinity rules for the deployment | podAntiAffinity requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - remote-consent-service topologyKey: "kubernetes.io/hostname" |
remote-consent-service.deployment.image.repo | The container registry path for the Docker image | eu.gcr.io/[COMPANY_NAME]/securebanking/rcs |
test-facility-bank.deployment.affinity | Optional: pod affinity or anti-affinity rules for the deployment | podAntiAffinity requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - test-facility-bank topologyKey: "kubernetes.io/hostname" |
test-facility-bank.deployment.image.repo | The container registry path for the Docker image | eu.gcr.io/[COMPANY_NAME]/securebanking/rs |
test-facility-bank.mongodb.host | The hostname of the MongoDB service used by the test facility bank | ob-sandbox-v1-mongodb |
test-facility-bank.springConfig.testdata.userAccountIds.psu4test.sortCode | Test data sort code. Can have multiple entries | 012332 Multiple Entry example: - sortCode: "012332" accountNumber: "43245676" - sortCode: "012332" accountNumber: "54312390" |
test-facility-bank.springConfig.testdata.userAccountIds.psu4test.accountNumber | Test data account number. Can have multiple entries | 43245676 Multiple Entry example: - sortCode: "012332" accountNumber: "43245676" - sortCode: "012332" accountNumber: "54312390" |
test-facility-bank.springConfig.rs.discovery.versions.[] | The versions of OBIE API to enable | v3.0: false v3.1: false v3.1.1: false v3.1.2: false v3.1.3: false v3.1.4: false v3.1.5: false v3.1.6: false v3.1.7: false v3.1.8: false v3.1.9: false v3.1.10: true |
test-facility-bank.springConfig.rs.discovery.apis.CREATE_FUNDS_CONFIRMATION | Individual OB APIs that can be enabled or disabled | false |
test-facility-bank.springConfig.rs.discovery.apis.GET_FUNDS_CONFIRMATION | Individual OB APIs that can be enabled or disabled | false |
test-facility-bank.springConfig.rs.discovery.apis.CREATE_CALLBACK_URL | Individual OB APIs that can be enabled or disabled | false |
test-facility-bank.springConfig.rs.discovery.apis.GET_CALLBACK_URLS | Individual OB APIs that can be enabled or disabled | false |
test-facility-bank.springConfig.rs.discovery.apis.AMEND_CALLBACK_URL | Individual OB APIs that can be enabled or disabled | false |
test-facility-bank.springConfig.rs.discovery.apis.DELETE_CALLBACK_URL | Individual OB APIs that can be enabled or disabled | false |
test-user-account-creator.deployment.image.repo | The container registry for the Docker image | eu.gcr.io/[COMPANY_NAME]/securebanking/test-user-account-creator |
remote-consent-service-user-interface.deployment.image.repo | The container registry for the Docker image | eu.gcr.io/[COMPANY_NAME]/securebanking/rcs-ui |
remote-consent-service-user-interface.deployment.affinity | Optional: pod affinity or anti-affinity rules for the deployment | podAntiAffinity requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - remote-consent-service-user-interface topologyKey: "kubernetes.io/hostname" |
Other values from the child charts can also be overridden in this file. For example, to pin a component such as the test user account creator to a specific version, add the required image tag to values.yaml:

```yaml
test-user-account-creator:
  deployment:
    image:
      repo: eu.gcr.io/sbat-gcr-release/securebanking/securebanking-test-data-initializer
      tag: 1.0.0
```