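onap-oauth2-proxy:
  # Oauth client configuration specifics
  config:
    # Key used to sign/encrypt the session cookie. This value is committed to
    # the repository, so treat it as public: override it per deployment
    # (ideally from a Kubernetes Secret) and rotate it if this file ever
    # protected anything beyond a demo.
    cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
    # Legacy (TOML) config file. The "*" below removes any e-mail-domain
    # restriction; together with allowedGroups being commented out further
    # down, every account in the Keycloak realm is authorized.
    configFile: |-
      email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email

  alphaConfig:
    enabled: true
    configData:
      providers:
        - clientID: "oauth2-proxy"
          # Committed to the repository, hence public. Override it per
          # deployment and rotate the client in Keycloak if it was ever used
          # outside a demo.
          clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
          id: oidc-istio
          provider: oidc  # We use the generic 'oidc' provider
          loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth
          # The code-for-token exchange sends clientSecret and the authorization
          # code to this URL. The in-cluster plain-HTTP service means they
          # travel unencrypted on the cluster network unless something else
          # (e.g. an Istio mTLS mesh, which the provider id hints at but this
          # file does not configure) encrypts pod-to-pod traffic. Prefer the
          # HTTPS endpoint (commented out) when it is reachable from the proxy.
          #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token
          redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token
          profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
          validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
          scope: "openid email profile groups"
          # Authorization is effectively "any authenticated realm user" while
          # this stays commented out. Enable it and list the groups that may
          # reach the protected upstreams.
          #allowedGroups:
          #  - admins  # List all groups managed at your IdP which should be allowed access
          #  - infrateam
          #  - anothergroup
          oidcConfig:
            emailClaim: email  # Name of the claim in the JWT containing the E-Mail
            groupsClaim: groups  # Name of the claim in the JWT containing the Groups
            userIDClaim: email  # Name of the claim in the JWT containing the User ID
            audienceClaims: ["aud"]
            # The e-mail claim is also the user identity (userIDClaim above).
            # Accepting unverified e-mails means an account whose address was
            # never verified is trusted under that address; if the realm allows
            # self-registration, a user could register with someone else's
            # e-mail. Set to false once e-mail verification is enforced.
            insecureAllowUnverifiedEmail: true
            # Skips the check that the ID token's "iss" claim matches issuerURL,
            # presumably because the proxy reaches Keycloak through the internal
            # URLs below. Any token signed with a key served at jwksURL is then
            # accepted regardless of which issuer/realm minted it. Re-enable the
            # check once issuerURL matches what Keycloak actually emits.
            insecureSkipIssuerVerification: true
            skipDiscovery: true  # You can try using the well-known endpoint directly for auto discovery, here we won't use it
            issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP
            # Token signing keys are fetched from this plain-HTTP URL. Anyone
            # able to interpose on or impersonate keycloak-http.keycloak inside
            # the cluster could serve their own JWKS and mint ID tokens this
            # proxy accepts. Acceptable only if in-cluster traffic is
            # authenticated and encrypted (mesh mTLS); otherwise use HTTPS.
            jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs
      upstreamConfig:
        upstreams:
          # No real upstream: the proxy only answers 200 once the session is
          # valid, i.e. it is presumably used as an auth-request style endpoint
          # in front of the real services.
          - id: static_200
            path: /
            static: true
            staticCode: 200
      # Headers that should be added to responses from the proxy
      injectResponseHeaders:  # Send these headers in responses from oauth2-proxy
        - name: X-Auth-Request-Preferred-Username
          values:
            - claim: preferred_username
        - name: X-Auth-Request-Email
          values:
            - claim: email

  extraArgs:
    # Without the Secure attribute the session cookie is also sent over plain
    # HTTP. Switch to "true" as soon as every protected host is served over
    # HTTPS.
    cookie-secure: "false"
    cookie-domain: ".simpledemo.onap.org"  # Replace with your base domain
    cookie-samesite: lax
    cookie-expire: 12h  # How long our Cookie is valid
    auth-logging: true  # Enable / Disable auth logs
    request-logging: true  # Enable / Disable request logs
    standard-logging: true  # Enable / Disable the standard logs
    show-debug-on-error: true  # Exposes internal error details to the browser; disable in production setups
    skip-provider-button: true  # We only have one provider configured (Keycloak)
    silence-ping-logging: true  # Keeps our logs clean
    # Hosts the proxy may redirect to after login; the leading dot covers every
    # subdomain of the base domain.
    whitelist-domain: ".simpledemo.onap.org"  # Replace with your base domain

  # Enables and configure the automatic deployment of the redis subchart
  redis:
    # provision an instance of the redis sub-chart
    enabled: false

  serviceAccount:
    nameOverride: oauth2-proxy
    roles:
      - read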