Deploying to a Container (Kubernetes) Platform

The following sections describe how to deploy Leap to a Kubernetes-friendly container platform.

Leap Mail session

Leap is installed in the container with a mock mail session in WebSphere. To use a real mail server, update the mail session accordingly in the WebSphere admin UI.

Networking configuration

By default the service deployed with Leap uses the type ClusterIP. This type is defined in the values.yaml and can be changed if necessary. For information about the available service types, see the Kubernetes Service documentation.

Supported serviceType values are:

  • ClusterIP
  • LoadBalancer
  • NodePort

# Networking specific configuration
networking:
  leap:
    # Configuration to set the Service type for the Leap Service.
    # Supported values are "ClusterIP", "LoadBalancer" and "NodePort"
    serviceType: "ClusterIP"

By default the Service exposes the following ports:

Exposed application part          Port
Leap HTTPS                        9443
Leap HTTP                         9080
WebSphere Admin Console HTTPS     9043
WebSphere Admin Console HTTP      9060

Security configuration

The security section in the Helm values can be used to define administrator credentials and basic configuration of SAML authentication for Leap.

WebSphere Application Server administrator credentials

The credentials supplied here are used during container startup to run configuration tasks and set up Leap. If the credentials are changed manually, make sure to update them in the custom values as well.
Note: The credentials in the values must always be kept in sync with the actual WebSphere administrator credentials; this is a manual step. This also applies if LDAP is used for user management.
The default username and password are both leapadmin:
security:
  # Security configuration for Leap
  leap:
    # Credentials used for IBM WebSphere Application Server administrative access.
    # Whenever the credentials are changed in LDAP, the values for wasUser and wasPassword
    # need to be manually updated accordingly.
    wasUser: "leapadmin"
    wasPassword: "leapadmin"

SAML configuration

The Leap Helm chart and container offer a basic SAML configuration through the Helm values. It can be used to enable SAML, deploy the WebSphereSamlSP.ear, configure the ACS URL, pass the metadata of the identity provider (IdP) and add trusted realms.
Note: This configuration can currently only be used to enable the SAML TAI SSO. To disable it, set the enabled flag to false and remove the Trust Association manually in WebSphere.

The idpMetadata value accepts IdP metadata in XML format. Use the multi-line string feature of Helm to pass this value.

The SAML TAI SSO is created with ssoId 9999.

Example configuration:
security:
  # Security configuration for Leap
  leap:
    # Basic SAML installation and configuration.
    # Please refer to:
    # https://www.ibm.com/docs/en/was/9.0.5?topic=swss-saml-web-single-sign-sso-trust-association-interceptor-tai-custom-properties
    # and
    # https://www.ibm.com/docs/en/was/9.0.5?topic=sign-configuring-single-sso-partners
    # for reference and additional manual configuration.
    saml:
      # If enabled, this will install the "WebSphereSamlSP.ear" and apply the configuration below
      # if the values are defined.
      # This value can currently only be used to enable the SAML TAI SSO. To disable it, please
      # set the flag to false and remove the Trust Association manually in WebSphere.
      enabled: true
      # -----
      # WARNING: "acsUrl" and "idpMetadata" are currently only applied once.
      # To update those settings the previous configuration must be removed manually in the WAS console.
      # Afterwards it can be changed here again.
      # -----
      # This property specifies the URL of the ACS or business application.
      # This will add a SAML TAI SSO with ssoId "9999" in WAS
      acsUrl: "https://my-leap-host.com/samlsps/acs"
      # The metadata of the SAML IdP in XML format.
      # This supports "multi-line strings" as described in
      # https://helm.sh/docs/chart_template_guide/yaml_techniques/#strings-in-yaml
      # acsUrl must be set for the idpMetadata to be applied
      # This will add a SAML IdP Partner configuration for ssoId "9999" and idpId "9999" in WAS
      idpMetadata: |
        <?xml version="1.0" encoding="UTF-8"?>
          <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkexl6xc9MhzqiC30h7">
              <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                  <md:KeyDescriptor use="signing">
                      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                          <ds:X509Data>
                              <ds:X509Certificate>
                  MIIDpDCCAoygAwIBAgIGAWMnhv7cMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
                  ...
                  ...
                  p/qaHYcQd6i2vyor888DLHDPXhSKWhpG
                              </ds:X509Certificate>
                          </ds:X509Data>
                      </ds:KeyInfo>
                  </md:KeyDescriptor>
                  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
                  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-saml-idp.com/app/sso/saml"/>
                  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my-saml-idp.com/app/sso/saml"/>
              </md:IDPSSODescriptor>
          </md:EntityDescriptor>
      # Inbound trusted realms for the IdP
      realmList: 
        - my-trusted-realm.com

Configuration

The configuration section of the Helm values can be used for Leap specific configuration. It exposes the Leap.properties configuration, Leap context roots, and the WebSphere Security role to user/group mapping for the Leap application.

The contextRoot parameters configure the context roots under which Leap is served:
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # This sets the context roots for the leap application
    contextRoot:
      leap: /apps
      leapBasicAuth: /apps-basic

The leapProperties value exposes the Configuration properties of Leap. The value will be mounted as the Leap.properties file inside the container and consumed by Leap. Changes to this value will not cause a restart of Leap. If a restart is required, the Pod or the Leap server has to be manually restarted.

Leap properties example:
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # This supports "multi-line strings" as described in https://helm.sh/docs/chart_template_guide/yaml_techniques/#strings-in-yaml
    leapProperties: |
      ibm.nitro.InfoEntryPoint.dailyInfo = <div>Welcome to <b>HCL Leap</b> in Helm!</div>

The roleMapping section of the Helm values gives the option to specify the security mappings of users or groups in WebSphere for the Leap application. Refer to the WebSphere documentation for the effects of those values.
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # The role mapping is applied for the "Security role to user/group mapping" in WebSphere for Leap
    roleMapping:
      SuperAdminUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      EditApplicationsUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      AdministrativeUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      UseApplicationsUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers: []
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: true
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
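The values described in the networking, security (credentials and SAML) and roleMapping sections above carry a few constraints a reviewer would want to check before running helm install. The following script is an added example, not part of the Leap chart; it assumes the values file has already been loaded into a dict (for instance with yaml.safe_load) and reports the conditions this page calls out: an unsupported serviceType, the unchanged leapadmin default credentials, idpMetadata without the acsUrl it depends on, an empty realmList, and administrative roles mapped to Everyone or to all trusted-realm users.

```python
# Added pre-deploy lint for the Leap Helm values described on this page.
# Assumption: the values file is already loaded into a dict (e.g. via
# yaml.safe_load); PyYAML itself is intentionally not imported here.

SERVICE_TYPES = {"ClusterIP", "LoadBalancer", "NodePort"}
DEFAULT_WAS_CREDENTIAL = "leapadmin"  # chart default shown on this page
ADMIN_ROLES = ("SuperAdminUsers", "AdministrativeUsers", "EditApplicationsUsers")


def lint_values(values):
    """Return a list of findings (strings); an empty list means no issues."""
    findings = []
    net = values.get("networking", {}).get("leap", {})
    stype = net.get("serviceType", "ClusterIP")
    if stype not in SERVICE_TYPES:
        findings.append(f"networking.leap.serviceType '{stype}' is not supported")
    sec = values.get("security", {}).get("leap", {})
    if sec.get("wasUser") == DEFAULT_WAS_CREDENTIAL and sec.get("wasPassword") == DEFAULT_WAS_CREDENTIAL:
        findings.append("security.leap.wasUser/wasPassword still use the chart default 'leapadmin'")
    saml = sec.get("saml", {})
    if saml.get("enabled"):
        # The page states idpMetadata is only applied when acsUrl is set.
        if saml.get("idpMetadata") and not saml.get("acsUrl"):
            findings.append("security.leap.saml.idpMetadata is ignored because acsUrl is not set")
        if not saml.get("realmList"):
            findings.append("security.leap.saml.realmList is empty; no inbound trusted realm for the IdP")
    roles = values.get("configuration", {}).get("leap", {}).get("roleMapping", {})
    for role in ADMIN_ROLES:
        mapping = roles.get(role, {})
        if mapping.get("Everyone") or mapping.get("AllAuthenticatedInTrustedRealms"):
            findings.append(f"configuration.leap.roleMapping.{role} is granted to Everyone or all trusted-realm users")
    return findings


# Constructed sample values (not from the chart) that trigger several findings.
SAMPLE_VALUES = {
    "networking": {"leap": {"serviceType": "NodePort"}},
    "security": {"leap": {"wasUser": "leapadmin", "wasPassword": "leapadmin",
                          "saml": {"enabled": True, "idpMetadata": "<md:EntityDescriptor/>",
                                   "realmList": []}}},
    "configuration": {"leap": {"roleMapping": {
        "SuperAdminUsers": {"Everyone": True, "MappedUsers": ["leapadmin"]},
        "UseApplicationsUsers": {"AllAuthenticatedInTrustedRealms": True}}}},
}

if __name__ == "__main__":
    for finding in lint_values(SAMPLE_VALUES):
        print("WARN:", finding)
```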

Additional manual configuration

Any configuration that is not yet covered by the Helm values can be performed in the WebSphere admin console, just as for on-premises installations. All configuration is persisted on a PersistentVolume that is shared between all Leap Pods.