Running Verdict-as-a-Service in production in your own Kubernetes cluster
Production environment
In production you will have to configure a few values.
Ingress
The default hostname is "vaas". To change it and to provide a TLS configuration, add the following to your values.yaml and adjust it:

```yaml
mini-identity-provider:
  issuer: "http://vaas/auth"
  ingress:
    className: ""
    hosts:
      - host: vaas
        paths:
          - path: /auth(/|$)(.*)
            pathType: ImplementationSpecific
            service:
              name: provider
              port: 8080
    tls: []
gateway:
  ingress:
    className: ""
    hosts:
      - host: vaas
        paths:
          - path: /ws
            pathType: ImplementationSpecific
            service:
              name: gateway
              port: 9090
      - host: vaas
        paths:
          - path: /
            pathType: ImplementationSpecific
            service:
              name: gateway
              port: 8080
    tls: []
  uploadUrl: "http://vaas/upload"
```
Replace "vaas" with your hostname in the following values:

- mini-identity-provider.issuer
- mini-identity-provider.ingress.hosts.0.host
- gateway.ingress.hosts.0.host
- gateway.ingress.hosts.1.host
- gateway.uploadUrl

Once TLS is configured on the ingress, also change the scheme of mini-identity-provider.issuer and gateway.uploadUrl from http to https. The issuer is the URL clients validate tokens against and uploadUrl is the address clients are told to upload files to, so both have to match what is actually reachable through the ingress.
If you require an IngressClass other than the cluster default, set the class name in:

- gateway.ingress.className
- mini-identity-provider.ingress.className
Zero-trust network configurations
If you are using a zero-trust network configuration, network policies have to be enabled (the default). The update CronJob requires access to the Kubernetes API. If the update fails with logs like:

```text
E0603 09:35:50.444603 1 memcache.go:265] couldn't get current server API group list: Get "https://10.96.0.1:443/api?timeout=32s": dial tcp 10.96.0.1:443: i/o timeout
```

you have to configure the k8sApiPort:

```yaml
gdscan:
  autoUpdate:
    networkPolicy:
      k8sApiPort: 6443
```

The address in the log is the ClusterIP of the kubernetes Service. With most CNIs the egress rule of a network policy is evaluated after that Service address has been translated to the API server endpoint, so k8sApiPort has to be the port the API server itself listens on (6443 on kubeadm clusters, for example), not the Service port 443. `kubectl get endpoints kubernetes -n default` shows the endpoint address and port to use.
Managing the secrets in the values.yaml
By default all secrets are generated by the Helm chart. If you want to manage them yourself or you are using ArgoCD, you can specify the secrets in the values.yaml. Keep in mind that values are stored in plaintext in the Helm release Secret and in whatever repository holds the values file, so for a GitOps setup prefer the existingSecret options with a Secret provided by Sealed Secrets, External Secrets or a comparable mechanism over plaintext values.
Parameter | Description | Value |
---|---|---|
mini-identity-provider.auth.existingSecret | Use an existing secret for the auth details (auth.secret will be ignored and picked up from this secret). The secret has to contain the keys id and secret | "" |
mini-identity-provider.auth.secret | The client secret | "" |
mini-identity-provider.auth.id | The client id | "vaas" |
mini-identity-provider.signing.existingSecret | Use an existing secret for the signing details (signing.crt and signing.key will be ignored and picked up from this secret). The secret has to contain the keys tls.cert and tls.key | "" |
mini-identity-provider.signing.crt | The signing/encryption certificate in PEM format | "" |
mini-identity-provider.signing.key | The signing/encryption private key in PEM format | "" |
gateway.uploadToken.existingSecret | Use an existing secret for the upload token signing key | "" |
gateway.uploadToken.key | The upload token signing key | "" |
Provide your own secret:

- mini-identity-provider.auth.existingSecret
- mini-identity-provider.signing.existingSecret
- gateway.uploadToken.existingSecret

Note that the signing secret is expected with the keys tls.cert and tls.key, which is not the tls.crt/tls.key layout of a kubernetes.io/tls Secret, so a certificate Secret issued by cert-manager cannot be referenced here without copying the certificate under the expected key name.

Or specify the secrets in the values.yaml:

- mini-identity-provider.auth.secret
- mini-identity-provider.auth.id
- mini-identity-provider.signing.crt
- mini-identity-provider.signing.key
- gateway.uploadToken.key
You can generate the certificate and private key with

```shell
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -x509 -key private_key.pem -out certificate.pem -days 3650 -subj "/CN=Mini Identity Provider Server Signing Certificate"
```

The private key is written unencrypted; restrict its file permissions and keep it out of version control.
You can generate the upload token signing key with

```shell
LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 256; echo
```

This draws from the kernel CSPRNG and keeps only alphanumeric characters; LC_ALL=C prevents tr from rejecting the raw bytes as invalid multibyte sequences on some systems.
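As an added example (not code from the VaaS chart or its authors) that ties the existingSecret options above to the generation commands, the following POSIX shell script generates the client secret, the signing key pair and the upload token signing key and writes them as Kubernetes Secret manifests with the key names the chart requires. The Secret names vaas-auth, vaas-signing and vaas-upload-token are placeholders, and the key name "key" inside the upload token Secret is an assumption, because the chart documentation above does not state it; check the chart's templates before relying on it.

```shell
#!/bin/sh
# Added example, not part of the VaaS chart: generate the three secrets the
# chart can consume via *.existingSecret and emit them as Secret manifests.
# Assumed: Secret names vaas-auth / vaas-signing / vaas-upload-token are
# placeholders; the key name "key" in the upload token Secret is assumed
# (not documented); id/secret and tls.cert/tls.key are the documented keys.
set -eu
umask 077   # key material and manifests are written owner-only

# gen_random_key LEN: LEN alphanumeric characters from the kernel CSPRNG
gen_random_key() {
  LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "$1"
}

# b64: single-line base64 of stdin (Secret .data values must not wrap)
b64() {
  base64 | tr -d '\n'
}

# gen_signing_keypair DIR: RSA-2048 key and self-signed cert, as on the page
gen_signing_keypair() {
  openssl genpkey -algorithm RSA -out "$1/private_key.pem" -pkeyopt rsa_keygen_bits:2048
  openssl req -new -x509 -key "$1/private_key.pem" -out "$1/certificate.pem" -days 3650 \
    -subj "/CN=Mini Identity Provider Server Signing Certificate"
}

# secret_header NAME: common preamble of an Opaque Secret manifest
secret_header() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$1"
}

# render_auth_secret NAME CLIENT_ID CLIENT_SECRET -> keys id and secret
render_auth_secret() {
  secret_header "$1"
  printf '  id: %s\n' "$(printf '%s' "$2" | b64)"
  printf '  secret: %s\n' "$(printf '%s' "$3" | b64)"
}

# render_signing_secret NAME CERT_FILE KEY_FILE -> keys tls.cert and tls.key
render_signing_secret() {
  secret_header "$1"
  printf '  tls.cert: %s\n' "$(b64 < "$2")"
  printf '  tls.key: %s\n' "$(b64 < "$3")"
}

# render_upload_token_secret NAME KEY -> key "key" (assumed name, see above)
render_upload_token_secret() {
  secret_header "$1"
  printf '  key: %s\n' "$(printf '%s' "$2" | b64)"
}

# main OUTDIR: generate everything and write one manifest per Secret
main() {
  out="$1"
  mkdir -p "$out"
  gen_signing_keypair "$out"
  render_auth_secret vaas-auth vaas "$(gen_random_key 64)" > "$out/vaas-auth.yaml"
  render_signing_secret vaas-signing "$out/certificate.pem" "$out/private_key.pem" > "$out/vaas-signing.yaml"
  render_upload_token_secret vaas-upload-token "$(gen_random_key 256)" > "$out/vaas-upload-token.yaml"
}

# usage: sh gen-secrets.sh ./secrets
if [ $# -eq 1 ]; then
  main "$1"
fi
```

Apply the manifests with `kubectl apply -n <release namespace> -f ./secrets/` and set the three existingSecret values to the Secret names; the PEM files and manifests in the output directory hold the private key in the clear, so treat the directory like the key itself.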
Should you need support, our team of experts is available to help you with the Verdict-as-a-Service product launch.