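---
# Helm values for the ONAP oauth2-proxy deployment; the oauth2-proxy subchart's
# values are nested under the `onap-oauth2-proxy` key.
onap-oauth2-proxy:
  # Oauth client configuration specifics
  config:
    # NOTE(review): plaintext cookie secret committed in this values file. It is
    # the key that signs/encrypts oauth2-proxy session cookies, so anyone who can
    # read this file can mint sessions. Source it from a Kubernetes Secret via
    # the chart's existing-secret option and rotate this value.
    cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
    configFile: |-
      email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email
  alphaConfig:
    enabled: true
    configData:
      providers:
        - clientID: "oauth2-proxy"
          # NOTE(review): plaintext OIDC client secret committed in this values
          # file; move it to a Kubernetes Secret and rotate it in the IdP.
          clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
          id: oidc-istio
          provider: oidc # We use the generic 'oidc' provider
          loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth
          #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token
          # Code redemption goes to the in-cluster Keycloak service over plain
          # HTTP, so the authorization code and tokens are unencrypted on that
          # hop unless the mesh enforces mTLS — confirm for the target cluster.
          redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token
          profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
          validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
          scope: "openid email profile groups"
          # With allowedGroups left commented out and email_domains = ["*"]
          # above, every user who can authenticate at the IdP is authorized by
          # the proxy; enable a group allow-list for anything beyond a demo.
          #allowedGroups:
          #  - admins # List all groups managed at your IdP which should be allowed access
          #  - infrateam
          #  - anothergroup
          oidcConfig:
            emailClaim: email # Name of the claim in JWT containing the E-Mail
            groupsClaim: groups # Name of the claim in JWT containing the Groups
            userIDClaim: email # Name of the claim in JWT containing the User ID
            audienceClaims: ["aud"]
            # NOTE(review): the two insecure* flags weaken ID-token validation
            # (an unverified e-mail is accepted; the token's issuer claim is not
            # checked against issuerURL). Presumably required because tokens are
            # issued under the external hostname while redeem/JWKS use the
            # internal one — confirm, and do not carry these into a production
            # profile.
            insecureAllowUnverifiedEmail: true
            insecureSkipIssuerVerification: true
            skipDiscovery: true # You can try using the well-known endpoint directly for auto discovery, here we won't use it
            issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP
            # JWKS (signing keys) are fetched over plain HTTP in-cluster; token
            # signature verification is only as trustworthy as that network
            # path — same caveat as redeemURL.
            jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs
      upstreamConfig:
        upstreams:
          - id: static_200
            path: /
            static: true
            staticCode: 200
      # Headers that should be added to responses from the proxy
      injectResponseHeaders: # Send these headers in responses from oauth2-proxy
        - name: X-Auth-Request-Preferred-Username
          values:
            - claim: preferred_username
        - name: X-Auth-Request-Email
          values:
            - claim: email
  extraArgs:
    # Without the Secure flag the session cookie is also sent over plain HTTP;
    # set to "true" once TLS terminates in front of the proxy.
    cookie-secure: "false"
    cookie-domain: ".simpledemo.onap.org" # Replace with your base domain
    cookie-samesite: lax
    cookie-expire: 12h # How long our Cookie is valid
    auth-logging: true # Enable / Disable auth logs
    request-logging: true # Enable / Disable request logs
    standard-logging: true # Enable / Disable the standard logs
    show-debug-on-error: true # Disable in production setups (error pages expose internal details to clients)
    skip-provider-button: true # We only have one provider configured (Keycloak)
    silence-ping-logging: true # Keeps our logs clean
    whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain
  # Enables and configures the automatic deployment of the redis subchart
  redis:
    # provision an instance of the redis sub-chart
    enabled: false
  serviceAccount:
    nameOverride: oauth2-proxy
    roles:
      - read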