Deploying to a Container (Kubernetes) Platform
The following sections describe how to deploy Leap to a Kubernetes-friendly container platform.
Leap Mail session
Leap is installed in the container using a mock mail session in WebSphere. To use a real mail server, update the mail session accordingly in the WebSphere admin UI.
Networking configuration
By default the service deployed with Leap uses the type ClusterIP. This type is defined in the values.yaml and can be changed if necessary. For information about the available service types, see the Kubernetes Service documentation.
Supported serviceType values are:
- ClusterIP
- LoadBalancer
- NodePort
```yaml
# Networking specific configuration
networking:
  leap:
    # Configuration to set the Service type for the Leap Service.
    # Supported values are "ClusterIP", "LoadBalancer" and "NodePort"
    serviceType: "ClusterIP"
```
By default the Service exposes the following ports:
| Exposed application part | Port |
|---|---|
| Leap HTTPS | 9443 |
| Leap HTTP | 9080 |
| WebSphere Admin Console HTTPS | 9043 |
| WebSphere Admin Console HTTP | 9060 |
Security configuration
The security section in the Helm values can be used to define administrator credentials and basic configuration of SAML authentication for Leap.
WebSphere Application Server administrator credentials
```yaml
security:
  # Security configuration for Leap
  leap:
    # Credentials used for IBM WebSphere Application Server administrative access.
    # Whenever the credentials are changed in LDAP, the values for wasUser and wasPassword need to be
    # manually updated accordingly.
    wasUser: "leapadmin"
    wasPassword: "leapadmin"
```
SAML configuration
The idpMetadata value accepts IdP metadata in XML format. Use the multiline string feature of Helm to pass this value.
The ssoId 9999 is used to create the SAML TAI SSO.
```yaml
security:
  # Security configuration for Leap
  leap:
    # Basic SAML installation and configuration.
    # Please refer to:
    # https://www.ibm.com/docs/en/was/9.0.5?topic=swss-saml-web-single-sign-sso-trust-association-interceptor-tai-custom-properties
    # and
    # https://www.ibm.com/docs/en/was/9.0.5?topic=sign-configuring-single-sso-partners
    # for reference and additional manual configuration.
    saml:
      # If enabled, this will install the "WebSphereSamlSP.ear" and apply the configuration below
      # if they are defined.
      # This value can currently only be used to enable the SAML TAI SSO. To disable it, please
      # set the flag to false and remove the Trust Association manually in WebSphere.
      enabled: true
      # -----
      # WARNING: "acsUrl" and "idpMetadata" are currently only applied once.
      # To update those settings the previous configuration must be removed manually in the WAS console.
      # Afterwards it can be changed here again.
      # -----
      # This property specifies the URL of the ACS or business application.
      # This will add a SAML TAI SSO with ssoId "9999" in WAS
      acsUrl: "https://my-leap-host.com/samlsps/acs"
      # The metadata of the SAML IdP in xml format.
      # This supports "multi-line strings" as described in
      # https://helm.sh/docs/chart_template_guide/yaml_techniques/#strings-in-yaml
      # acsUrl must be set for the idpMetadata to be applied
      # This will add a SAML IdP Partner configuration for ssoId "9999" and idpId "9999" in WAS
      idpMetadata: |
        <?xml version="1.0" encoding="UTF-8"?>
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkexl6xc9MhzqiC30h7">
          <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
              <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                  <ds:X509Certificate>
                    MIIDpDCCAoygAwIBAgIGAWMnhv7cMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
                    ...
                    ...
                    p/qaHYcQd6i2vyor888DLHDPXhSKWhpG
                  </ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-saml-idp.com/app/sso/saml"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my-saml-idp.com/app/sso/saml"/>
          </md:IDPSSODescriptor>
        </md:EntityDescriptor>
      # Inbound trusted realms for the IdP
      realmList:
        - my-trusted-realm.com
```
Configuration
The configuration section of the Helm values can be used for Leap specific configuration. It exposes the Leap.properties configuration, Leap context roots, and the WebSphere Security role to user/group mapping for the Leap application.
```yaml
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # This sets the context roots for the leap application
    contextRoot:
      leap: /apps
      leapBasicAuth: /apps-basic
```
The leapProperties value exposes the Configuration properties of Leap. The value will be mounted as the Leap.properties file inside the container and consumed by Leap. Changes to this value will not cause a restart of Leap. If a restart is required, the Pod or the Leap server has to be manually restarted.
```yaml
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # This supports "multi-line strings" as described in https://helm.sh/docs/chart_template_guide/yaml_techniques/#strings-in-yaml
    leapProperties: |
      ibm.nitro.InfoEntryPoint.dailyInfo = <div>Welcome to <b>HCL Leap</b> in Helm!</div>
```
```yaml
# Application configuration
configuration:
  # Application specific configuration for Leap
  leap:
    # The role mapping is applied for the "Security role to user/group mapping" in WebSphere for Leap
    roleMapping:
      SuperAdminUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      EditApplicationsUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      AdministrativeUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: false
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
      UseApplicationsUsers:
        Everyone: false
        AllAuthenticated: false
        MappedUsers: []
        MappedGroups: []
        AllAuthenticatedInTrustedRealms: true
        MappedUsersAccessIDs: []
        MappedGroupsAccessIDs: []
```
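The networking, security and configuration sections above each carry a constraint worth checking before `helm install`: the serviceType must be one of the three supported values, the shipped WAS credentials are a known default, idpMetadata is only applied when acsUrl is set, and no security role should be mapped to Everyone. The following lint, added here as an example and not part of the Leap chart, runs those checks over a values dict that has already been loaded (loading the YAML, for instance with PyYAML, is assumed to happen beforehand); the sample values and the minimal IdP metadata in it are constructed.

```python
import xml.etree.ElementTree as ET
SUPPORTED_SERVICE_TYPES = {"ClusterIP", "LoadBalancer", "NodePort"}
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

def check_idp_metadata(xml_text):
    """Structural checks on the XML passed via security.leap.saml.idpMetadata."""
    try:
        root = ET.fromstring(xml_text)  # admin-supplied static metadata, stdlib parser
    except ET.ParseError as exc:
        return [f"idpMetadata is not well-formed XML: {exc}"]
    out = []
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        out.append("idpMetadata root must be md:EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return out + ["idpMetadata has no md:IDPSSODescriptor"]
    if idp.find(MD + "KeyDescriptor[@use='signing']") is None:
        out.append("idpMetadata has no signing key; IdP assertions cannot be verified")
    if not idp.findall(MD + "SingleSignOnService"):
        out.append("idpMetadata has no SingleSignOnService endpoint")
    return out
def check_values(values):
    """Return findings for a loaded values dict; an empty list means no issues."""
    findings = []
    svc = values.get("networking", {}).get("leap", {}).get("serviceType")
    if svc not in SUPPORTED_SERVICE_TYPES:
        findings.append(f"serviceType {svc!r} is not a supported value")
    sec = values.get("security", {}).get("leap", {})
    if sec.get("wasPassword") == "leapadmin":  # default shipped in values.yaml
        findings.append("wasPassword is still the shipped default")
    saml = sec.get("saml", {})
    if saml.get("enabled"):
        acs = saml.get("acsUrl") or ""
        if not acs.startswith("https://"):
            findings.append("acsUrl must be an https URL; idpMetadata is only applied when it is set")
        if saml.get("idpMetadata"):
            findings.extend(check_idp_metadata(saml["idpMetadata"]))
    roles = values.get("configuration", {}).get("leap", {}).get("roleMapping", {})
    for role, mapping in roles.items():
        if mapping.get("Everyone"):
            findings.append(f"roleMapping.{role} is mapped to Everyone")
    return findings
SAMPLE_VALUES = {  # constructed: documented defaults plus minimal IdP metadata without key/SSO endpoint
    "networking": {"leap": {"serviceType": "ClusterIP"}},
    "security": {"leap": {"wasPassword": "leapadmin", "saml": {"enabled": True,
        "acsUrl": "https://my-leap-host.com/samlsps/acs",
        "idpMetadata": '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                       'entityID="https://my-saml-idp.com"><md:IDPSSODescriptor/></md:EntityDescriptor>'}}},
    "configuration": {"leap": {"roleMapping": {"SuperAdminUsers": {"Everyone": False}}}},
}
```

Running `check_values(SAMPLE_VALUES)` reports the default password, the missing signing key and the missing SSO endpoint; a values file that passes with an empty list still needs the manual one-time SAML steps described above.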
Additional manual configuration
Any configuration that is not yet covered in the Helm values can be performed in the WebSphere admin console just like on-premises installations. All configurations are persisted on a PersistentVolume that is shared between all Leap Pods.