
This change adds SAML2 support through the use of a new keystone SAML integrator charm (keystone-saml-k8s). The needed changes have also been made in the keystone charm to make use of the new relation. A new option has also been added to keystone-k8s through which a secret can be specified; it should contain the x509 certificate and the corresponding key from which it was derived, used to generate the keystone SP metadata file. Change-Id: Id9b6ab2a51891ac378a2cb406dbe3a456bc24fc4 Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
# Jinja-templated Juju bundle used by the keystone-saml functional tests.
# It deploys keystone, the keystone-saml SAML integrator, horizon, mysql,
# traefik and a self-signed CA. For keystone, keystone-saml and horizon the
# `<app>_k8s` template variables switch between a locally built .charm file
# (when the variable is defined and exactly true) and the Charmhub edge channel.
bundle: kubernetes

applications:
  # NOTE(review): traefik is the only application pinned to ubuntu@20.04; the
  # rest use 22.04/24.04 — confirm latest/candidate still targets this base.
  traefik:
    charm: ch:traefik-k8s
    channel: latest/candidate
    base: ubuntu@20.04
    scale: 1
    trust: true
    options:
      kubernetes-service-annotations: metallb.universe.tf/address-pool=public
  mysql:
    charm: ch:mysql-k8s
    channel: 8.0/stable
    base: ubuntu@22.04
    scale: 1
    trust: true
    options:
      profile-limit-memory: 2560
      experimental-max-connections: 150
  # Test-only CA: every certificate in this bundle is issued by this
  # self-signed operator, so nothing here is trusted outside the test model.
  tls-operator:
    charm: self-signed-certificates
    channel: latest/beta
    base: ubuntu@22.04
    scale: 1
    options:
      ca-common-name: internal-ca
  # NOTE(review): this change adds a keystone-k8s option naming a secret with
  # the x509 certificate/key used for the SP metadata; it is not set here, so
  # the charm default applies — confirm that is intended for the test bundle.
  keystone:
    {% if keystone_k8s is defined and keystone_k8s is sameas true -%}
    charm: ../../../keystone-k8s.charm
    {% else -%}
    charm: ch:keystone-k8s
    channel: 2025.1/edge
    {% endif -%}
    base: ubuntu@24.04
    scale: 1
    trust: true
    storage:
      fernet-keys: 5M
      credential-keys: 5M
    resources:
      keystone-image: ghcr.io/canonical/keystone:2025.1
  # SAML integrator introduced by this change; wired to keystone through the
  # keystone-saml relation below.
  keystone-saml:
    {% if keystone_saml_k8s is defined and keystone_saml_k8s is sameas true -%}
    charm: ../../../keystone-saml-k8s.charm
    {% else -%}
    charm: ch:keystone-saml-k8s
    channel: 2025.1/edge
    {% endif -%}
    base: ubuntu@24.04
    scale: 1
    trust: true
    options:
      name: "test-idp"
      label: "Log in with test IDP"
      # Placeholder that is expected to fail: the tests have no real IdP to
      # test against, but the charm still has to be deployed as part of them.
      # Presumably the IdP's SAML metadata is fetched from this URL, so a real
      # deployment must point it at the IdP's authentic metadata over TLS.
      metadata-url: "https://idp.example.com/metadata.xml"
  horizon:
    {% if horizon_k8s is defined and horizon_k8s is sameas true -%}
    charm: ../../../horizon-k8s.charm
    {% else -%}
    charm: ch:horizon-k8s
    channel: 2025.1/edge
    {% endif -%}
    base: ubuntu@24.04
    scale: 1
    trust: true
    resources:
      horizon-image: ghcr.io/canonical/horizon:2025.1

relations:
  - - mysql:database
    - keystone:database
  - - traefik:ingress
    - keystone:ingress-internal
  - - keystone:trusted-dashboard
    - horizon:trusted-dashboard
  # NOTE(review): the two tls-operator pairs below name no endpoints and rely
  # on Juju's interface matching, unlike traefik:certificates further down;
  # naming the endpoints explicitly would make the intended pairing visible.
  - - tls-operator
    - keystone
  - - tls-operator
    - horizon
  - - traefik:certificates
    - tls-operator:certificates

  - - mysql:database
    - horizon:database
  - - keystone:identity-credentials
    - horizon:identity-credentials
  - - traefik:ingress
    - horizon:ingress-internal
  # Presumably hands keystone's CA certificate to horizon — verify against
  # the charms' endpoint definitions.
  - - keystone:send-ca-cert
    - horizon:receive-ca-cert
  # The new relation this change introduces between keystone and the
  # SAML integrator.
  - - keystone:keystone-saml
    - keystone-saml:keystone-saml