Add kubernetes installation chapters

SUSE · Oct 14, 2024 · 8a18571 · 8a18571
1 parent 1c03908
commit 8a18571
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 2 deletions.
diff --git a/trento/migration/sso-integration.md b/trento/migration/sso-integration.md
@@ -32,6 +32,16 @@ Trento integrates with an IDP that uses the OIDC protocol to authenticate users
 
 By default, OIDC is disabled. You can enable OIDC when using RPM packages or using Docker images.
 
+### Enabling OpenID Connect when using kubernetes deployment
+
+To enable OIDC when using kubernetes deployment with helm, proceed as follows:
+
+1. Add the following variables to the previously used helm installation command:
+
+   ```
+   HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.oidc.enabled=true --set trento-web.oidc.cliendId=<OIDC_CLIENT_ID> --set trento-web.oidc.clientSecret=<OIDC_CLIENT_SECRET> --set trento-web.oidc.baseUrl=<OIDC_BASE_URL>
+   ```
+
 
 ### Enabling OpenID Connect when using RPM packages
 
@@ -113,6 +123,19 @@ Trento integrates with an IDP that uses the OAuth 2 protocol to authenticate use
 By default, OAuth 2.0 is disabled. You can enable OIDC when using RPM packages or using Docker images.
 
 
+### Enabling OAuth 2.0 when using kubernetes deployment
+
+To enable OAuth 2.0 when using kubernetes deployment with helm, proceed as follows:
+
+1. Add the following variables to the previously used helm installation command:
+
+   ```
+   HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.oauth2.enabled=true --set trento-web.oauth2.cliendId=<OAUTH2_CLIENT_ID> --set trento-web.ouath2.clientSecret=<OAUTH2_CLIENT_SECRET> --set trento-web.oauth2.baseUrl=<OAUTH2_BASE_URL> --set trento-web.oauth2.authorizeUrl=<OAUTH2_AUTHORIZE_URL> --set trento-web.oauth2.tokenUrl=<OAUTH2_TOKEN_URL> --set trento-web.oauth2.userUrl=<OAUTH2_USER_URL> --set trento-web.oauth2.scopes=<OAUTH2_SCOPES>
+   ```
+
+   <option>trento-web.oauth2.scopes</option> variable is optional with `profile email` as default value.
+
+
 ### Enabling OAuth 2.0 when using RPM packages
 
 To enable OAuth 2.0 when using RPM packages, proceed as follows:
@@ -263,7 +286,7 @@ Once the certificate is provided to the IDP, the IDP recreates its own <filename
 
 If the <option>SAML_METDATA_CONTENT</option> option is being used, the content of this variable must be updated with the new metadata as single line string. On the other hand, if <option>SAML_METADATA_URL</option> is used, the new metadata is automatically fetched. If neither of these steps are completed, communication will fail because the message signatures will not be recognized.
 
-If the used IDP has the endpoint to provide the <filename>metadata.xml</filename> file content, prefer the variable <option>SAML_METADATA_URL</option> . Trento will automatically fetch metadata when restarted.
+If the used IDP has the endpoint to provide the <filename>metadata.xml</filename> file content, prefer the variable <option>SAML_METADATA_URL</option>. Trento will automatically fetch metadata when restarted.
 
 ```{=docbook}
 <note>
@@ -287,6 +310,29 @@ Follow the next instructions to restart with the configured options:
 1. Restart the application.
 
 
+### Enabling SAML when using kubernetes deployment
+
+To enable SAML when using kubernetes deployment with helm, proceed as follows:
+
+1. Add the following variables to the previously used helm installation command:
+
+   ```
+   HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=<SAML_IDP_ID> --set trento-web.saml.spId=<SAML_SP_ID> --set trento-web.saml.metadataUrl=<SAML_METADATA_URL>
+   ```
+
+   To use the <option>SAML_METDATA_CONTENT</option> option rather than <option>SAML_METADATA_URL</option> use:
+
+   ```
+   HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=<SAML_IDP_ID> --set trento-web.saml.spId=<SAML_SP_ID> --set trento-web.saml.metadataContent=<SAML_METADATA_CONTENT>
+   ```
+
+   Additionally, the following optional values are available:
+
+   ```
+   HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=<SAML_IDP_ID> --set trento-web.saml.spId=<SAML_SP_ID> --set trento-web.saml.metadataUrl=<SAML_METADATA_URL> --set trento-web.saml.idpNameIdFormat=<SAML_IDP_NAMEID_FORMAT> --set trento-web.saml.spDir=<SAML_SP_DIR> --set trento-web.saml.spEntityId=<SAML_SP_ENTITY_ID> --set trento-web.saml.spContactName=<SAML_SP_CONTACT_NAME> --set trento-web.saml.spContactEmail=<SAML_SP_CONTACT_EMAIL> --set trento-web.saml.spOrgName=<SAML_SP_ORG_NAME> --set trento-web.saml.spOrgDisplayName=<SAML_SP_ORG_DISPLAYNAME> --set trento-web.saml.spOrgUrl=<SAML_SP_ORG_URL> --set trento-web.saml.usernameAttrName=<SAML_USERNAME_ATTR_NAME> --set trento-web.saml.emailAttrName=<SAML_EMAIL_ATTR_NAME> --set trento-web.saml.firstNameAttrName=<SAML_FIRSTNAME_ATTR_NAME> --set trento-web.saml.lastNameAttrName=<SAML_LASTNAME_ATTR_NAME> --set trento-web.saml.signRequests=<SAML_SIGN_REQUESTS> --set trento-web.saml.signMetadata=<SAML_SIGN_METADATA> --set trento-web.saml.signedAssertion=<SAML_SIGNED_ASSERTION> --set trento-web.saml.signedEnvelopes=<SAML_SIGNED_ENVELOPES>
+   ```
+
+
 ### Enabling SAML when using RPM packages
 
 To enable SAML when using RPM packages, proceed as follows:

diff --git a/trento/xml/sso-integration.xml b/trento/xml/sso-integration.xml
@@ -61,6 +61,25 @@
       By default, OIDC is disabled. You can enable OIDC when using RPM
       packages or using Docker images.
     </para>
+    <section xml:id="enabling-openid-connect-when-using-kubernetes-deployment">
+      <title>Enabling OpenID Connect when using kubernetes
+      deployment</title>
+      <para>
+        To enable OIDC when using kubernetes deployment with helm,
+        proceed as follows:
+      </para>
+      <orderedlist numeration="arabic">
+        <listitem>
+          <para>
+            Add the following variables to the previously used helm
+            installation command:
+          </para>
+          <programlisting>
+HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.oidc.enabled=true --set trento-web.oidc.cliendId=&lt;OIDC_CLIENT_ID&gt; --set trento-web.oidc.clientSecret=&lt;OIDC_CLIENT_SECRET&gt; --set trento-web.oidc.baseUrl=&lt;OIDC_BASE_URL&gt;
+</programlisting>
+        </listitem>
+      </orderedlist>
+    </section>
     <section xml:id="enabling-openid-connect-when-using-rpm-packages">
       <title>Enabling OpenID Connect when using RPM packages</title>
       <para>
@@ -200,6 +219,24 @@ docker run -d \
       By default, OAuth 2.0 is disabled. You can enable OIDC when using
       RPM packages or using Docker images.
     </para>
+    <section xml:id="enabling-oauth-20-when-using-kubernetes-deployment">
+      <title>Enabling OAuth 2.0 when using kubernetes deployment</title>
+      <para>
+        To enable OAuth 2.0 when using kubernetes deployment with helm,
+        proceed as follows:
+      </para>
+      <orderedlist numeration="arabic">
+        <listitem>
+          <para>
+            Add the following variables to the previously used helm
+            installation command:
+          </para>
+          <programlisting>
+HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.oauth2.enabled=true --set trento-web.oauth2.cliendId=&lt;OAUTH2_CLIENT_ID&gt; --set trento-web.ouath2.clientSecret=&lt;OAUTH2_CLIENT_SECRET&gt; --set trento-web.oauth2.baseUrl=&lt;OAUTH2_BASE_URL&gt; --set trento-web.oauth2.authorizeUrl=&lt;OAUTH2_AUTHORIZE_URL&gt; --set trento-web.oauth2.tokenUrl=&lt;OAUTH2_TOKEN_URL&gt; --set trento-web.oauth2.userUrl=&lt;OAUTH2_USER_URL&gt; --set trento-web.oauth2.scopes=&lt;OAUTH2_SCOPES&gt;
+</programlisting>
+        </listitem>
+      </orderedlist>
+    </section>
     <section xml:id="enabling-oauth-20-when-using-rpm-packages">
       <title>Enabling OAuth 2.0 when using RPM packages</title>
       <para>
@@ -529,7 +566,7 @@ curl http://localhost:4000/api/public_keys
       <para>
         If the used IDP has the endpoint to provide the
         <filename>metadata.xml</filename> file content, prefer the
-        variable <option>SAML_METADATA_URL</option> . Trento will
+        variable <option>SAML_METADATA_URL</option>. Trento will
         automatically fetch metadata when restarted.
       </para>
       <note>
@@ -564,6 +601,37 @@ SAML_METDATA_CONTENT=&lt;SAML_METADATA_CONTENT&gt;
         </listitem>
       </orderedlist>
     </section>
+    <section xml:id="enabling-saml-when-using-kubernetes-deployment">
+      <title>Enabling SAML when using kubernetes deployment</title>
+      <para>
+        To enable SAML when using kubernetes deployment with helm,
+        proceed as follows:
+      </para>
+      <orderedlist numeration="arabic">
+        <listitem>
+          <para>
+            Add the following variables to the previously used helm
+            installation command:
+          </para>
+          <programlisting>
+HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=&lt;SAML_IDP_ID&gt; --set trento-web.saml.spId=&lt;SAML_SP_ID&gt; --set trento-web.saml.metadataUrl=&lt;SAML_METADATA_URL&gt;
+</programlisting>
+          <para>
+            To use the <option>SAML_METDATA_CONTENT</option> option
+            rather than <option>SAML_METADATA_URL</option> use:
+          </para>
+          <programlisting>
+HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=&lt;SAML_IDP_ID&gt; --set trento-web.saml.spId=&lt;SAML_SP_ID&gt; --set trento-web.saml.metadataContent=&lt;SAML_METADATA_CONTENT&gt;
+</programlisting>
+          <para>
+            Additionally, the following optional values are available:
+          </para>
+          <programlisting>
+HELM_EXPERIMENTAL_OCI=1 helm ... --set trento-web.saml.enabled=true --set trento-web.saml.idpId=&lt;SAML_IDP_ID&gt; --set trento-web.saml.spId=&lt;SAML_SP_ID&gt; --set trento-web.saml.metadataUrl=&lt;SAML_METADATA_URL&gt; --set trento-web.saml.idpNameIdFormat=&lt;SAML_IDP_NAMEID_FORMAT&gt; --set trento-web.saml.spDir=&lt;SAML_SP_DIR&gt; --set trento-web.saml.spEntityId=&lt;SAML_SP_ENTITY_ID&gt; --set trento-web.saml.spContactName=&lt;SAML_SP_CONTACT_NAME&gt; --set trento-web.saml.spContactEmail=&lt;SAML_SP_CONTACT_EMAIL&gt; --set trento-web.saml.spOrgName=&lt;SAML_SP_ORG_NAME&gt; --set trento-web.saml.spOrgDisplayName=&lt;SAML_SP_ORG_DISPLAYNAME&gt; --set trento-web.saml.spOrgUrl=&lt;SAML_SP_ORG_URL&gt; --set trento-web.saml.usernameAttrName=&lt;SAML_USERNAME_ATTR_NAME&gt; --set trento-web.saml.emailAttrName=&lt;SAML_EMAIL_ATTR_NAME&gt; --set trento-web.saml.firstNameAttrName=&lt;SAML_FIRSTNAME_ATTR_NAME&gt; --set trento-web.saml.lastNameAttrName=&lt;SAML_LASTNAME_ATTR_NAME&gt; --set trento-web.saml.signRequests=&lt;SAML_SIGN_REQUESTS&gt; --set trento-web.saml.signMetadata=&lt;SAML_SIGN_METADATA&gt; --set trento-web.saml.signedAssertion=&lt;SAML_SIGNED_ASSERTION&gt; --set trento-web.saml.signedEnvelopes=&lt;SAML_SIGNED_ENVELOPES&gt;
+</programlisting>
+        </listitem>
+      </orderedlist>
+    </section>
     <section xml:id="enabling-saml-when-using-rpm-packages">
       <title>Enabling SAML when using RPM packages</title>
       <para>