FQDN changes. README updates
wstrange committed Jan 30, 2019
1 parent 6b4dd21 commit 0a16a3a
Showing 8 changed files with 17 additions and 38 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -71,9 +71,9 @@ helm install openam
minikube ip

# You can put DNS entries in an entry in /etc/hosts. For example:
# 192.168.99.100 login.default.example.com openidm.default.example.com openig.default.example.com
# 192.168.99.100 default.iam.example.com

open https://login.default.example.com
open https://default.iam.example.com/am

```

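Review bot: the replacement /etc/hosts line drops the openidm and openig hosts without giving their new path-based equivalents, so a reader of this section only learns how to reach AM. Since helm/README.md in this same commit documents the FQDN as `{namespace}.{subdomain}.{domain}/{am|idm|ig|openidm}`, list the IDM and IG entry points next to `open https://default.iam.example.com/am` as well. The unchanged comment "You can put DNS entries in an entry in /etc/hosts" would also read better as "You can add entries to /etc/hosts".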
Expand Down Expand Up @@ -102,7 +102,7 @@ Refer to the toubleshooting chapter in the [DevOps Guide](https://backstage.forg
Troubleshooting suggestions:

* The script `bin/debug-log.sh` will generate an HTML file with log output. Useful for troubleshooting.
* Simplify. Deploy a single helm chart at a time (for example, opendj), and make sure that chart is working correctly before deploying the next chart. The `bin/deploy.sh` script and the `helm/cmp-platform` composite charts are provided as a convenience, but can make it more difficult to narrow down an issue in a single chart.
* Simplify. Deploy a single helm chart at a time (for example, helm/ds), and make sure that chart is working correctly before deploying the next chart. The `bin/deploy.sh` script and the `helm/cmp-platform` composite charts are provided as a convenience, but can make it more difficult to narrow down an issue in a single chart.
* Describe a failing pod using `kubectl get pods; kubectl describe pod pod-xxx`
1. Look at the event log for failures. For example, the image can't be pulled.
2. Examine all the init containers. Did each init container complete with a zero (success) exit code? If not, examine the logs from that failed init container using `kubectl logs pod-xxx -c init-container-name`
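Review bot: the hunk's unchanged header line still spells it "toubleshooting"; since this paragraph is being edited, correct it to "troubleshooting". In the changed bullet, `helm/ds` is a chart directory, so wrap it in backticks like `bin/deploy.sh` and `helm/cmp-platform` on the same line for consistency.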
4 changes: 2 additions & 2 deletions docker/apache-agent/Dockerfile
Expand Up @@ -15,8 +15,8 @@ ENV AM_MAX_SHARED_POOL_SIZE 1048576000
ENV AM_DEFAULT_LOG_LEVEL All

# For testing purposes, you can build this image with ARGs to match your deployment
ARG AM_SERVER=http://login.example.forgeops.com:80/
ARG AGENT_SERVER=http://apache-agent.example.forgeops.com
ARG AM_SERVER=http://default.iam.forgeops.com:80/am
ARG AGENT_SERVER=http://default.iam.forgeops.com/apache-agent

# Install needed sw
RUN apt-get update && apt-get install --no-install-recommends -y unzip curl vim && \
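Review bot: both new defaults stay on plain `http://` (and `:80`) even though helm/README.md in this same commit states that all charts default to TLS for the inbound ingress, so an image built with these ARGs unchanged would have the agent contact AM and advertise its own URL in cleartext. Either default to `https://` hosts that match the ingress, or extend the "For testing purposes" comment to say these values must be overridden for any real deployment.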
5 changes: 2 additions & 3 deletions docker/nginx-agent/Dockerfile
Expand Up @@ -11,9 +11,8 @@ FROM nginx:1.11.10
COPY --from=0 /var/tmp/web_agents /opt/web_agents

WORKDIR /opt

ARG AM_SERVER=http://login.example.forgeops.com:80/openam
ARG AGENT_SERVER=http://apache-agent.example.forgeops.com
ARG AM_SERVER=http://default.iam.forgeops.com:80/am
ARG AGENT_SERVER=http://default.iam.forgeops.com/nginx-agent

# Copy nginx.conf with included agent module
COPY nginx.conf /etc/nginx/
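Review bot: same concern as in the apache-agent image: `AM_SERVER` and `AGENT_SERVER` default to `http://` while the ingress is documented as TLS-only, so consider `https://` defaults here too. Note also that the old `AM_SERVER` ended in `/openam` and the new one in `/am`; if any agent configuration in this directory still references the `/openam` path it will now fail, so it is worth checking before merging. Removing the blank line between `WORKDIR /opt` and the ARGs is unrelated to the change and can be left as it was.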
31 changes: 9 additions & 22 deletions helm/README.md
Expand Up @@ -86,40 +86,27 @@ By default charts deploy to the `default` namespace in Kubernetes.
You can deploy multiple product instances in different namespaces and they will not
interfere with each other. For example, you might have 'dev', 'qa', and 'prod' namespaces.

To provide external ingress routes that are unique, the namespace can be used when forming the
ingress host name. The format is:
{openam,openidm,openig}.{namespace}.{domain}
The default format used for the FQDN is:
{namespace}.{subdomain}.{domain}/{am|idm|ig|openidm}

subdomain defaults to "iam"

For example:

`login.default.example.com`
`default.iam.example.com`

Note that the details of the ingress will depend on the implementation. You may need to modify the ingress definitions.

# TLS

All charts default to using TLS (https) for the inbound ingress.

Within a namespace, it is assumed that a single wildcard certificate secret is present `wildcard.$namespace.$domain`. This
secret is referenced by each ingress controller in the `tls` spec.

You can create the wildcard secret manually, but in these examples we assume
that [cert-manager](https://github.com/jetstack/cert-manager) is installed and is provisioning certificates for you.


The frconfig chart defaults to creating a cert-manager "CA" issuer. This is a simple issuer that issues certificates signed by a CA certificate installed as part of the frconfig chart. We have included a default CA certificate in frconfig/secrets. You can replace this with your own using the sample script `frconfig/secrets/cm.sh`, or replace it with an intermediate signing certificate issued by your organization.

If you are on minikube, cert-manager can be installed using:

`helm upgrade -i cert-manager --namespace kube-system stable/cert-manager`

If you deploy the frconfig chart as-is: `helm install frconfig` things should "just work". You will get a
self signed certificate presented to the browser. You must accept the browser warnings, or import the CA cert found in frconfig/secrets into your browser's trusted certificate list.

Alternatively, you can configure frconfig to create a cert-manager issuer for Let's Encrypt. Refer to the cert-manager docs for further details.
If you use nginx on minikube, the ingress will default to using the nginx self signed certificate. If you want to use nginx and a "real" SSL certificate you must modify the ingress.yaml in each chart, and provide a TLS secret.

If you do not see a secret `wildcard.$namespace.$domain`, it means that something has gone wrong with cert manager. Look in the cert-manager logs to find the cause. If you are using the Let's Encrypt issuer, keep in mind that it can take up to 10 minutes to provision a certificate.
For istio, we assume a wildcard certificate is obtained for the istio ingress for the entire cluster.
This certificate handles SSL for all namespaces: *.$subdomain.$domain.

Note: The frconfig chart no longer defaults to enabling cert-manager - as it is not required by default.

For further information on the above options, see the [DevOps developers guide](https://ea.forgerock.com/docs/platform/devops-guide/index.html#devops-implementation-env-https-access-secret).
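Review bot: the retained TLS paragraphs and the added note contradict each other. The lines kept above still say a per-namespace secret `wildcard.$namespace.$domain` is assumed and that "in these examples we assume that cert-manager is installed and is provisioning certificates for you", while the added note says frconfig no longer enables cert-manager by default and the istio paragraph says a single cluster-wide certificate for `*.$subdomain.$domain` now covers all namespaces. With the new `{namespace}.{subdomain}.{domain}` format a secret named after the namespace no longer matches the hostname it would serve, so update the secret name and the cert-manager assumption to the new scheme. In the format line, `idm` and `openidm` are both listed as path alternatives; state which one the ingress actually routes.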

2 changes: 1 addition & 1 deletion helm/amster/values.yaml
Expand Up @@ -85,7 +85,7 @@ resources:
# Optional value overrides

# fqdn - the openam server external fqdn.
# If this is *not* set, it defaults to login.{namespace}{{ .Values.domain }}
# If this is *not* set, it defaults to {namespace}{subdomain}{domain}
#fqdn: login.acme.com

# ctsStores - is a csv separated list of avaiable cts servers. This is referenced in the amster configuration as &{ctsStores} on
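Review bot: the new comment `{namespace}{subdomain}{domain}` is missing the dots between components; write it as `{namespace}.{subdomain}.{domain}` to match helm/README.md. The commented example on the next line, `#fqdn: login.acme.com`, still shows the old `login.` host style and should be updated to the new form (for example `#fqdn: default.iam.acme.com`). While here, `avaiable` in the trailing context line is a typo for `available`.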
1 change: 0 additions & 1 deletion samples/config/dev/benchmark-am/amster.yaml
Expand Up @@ -4,7 +4,6 @@ config:
exportPath: /tmp/amster

version: 6.0.0
fqdn: login.pavel.forgeops.com
# For production set CPU limits to help Kube Schedule the pods.
resources:
limits:
3 changes: 0 additions & 3 deletions samples/config/prod/m-cluster/common.yaml
Expand Up @@ -5,9 +5,6 @@
domain: frk8s.net
#domain: freng.org

fqdn: login.prod.frk8s.net
#fqdn: login.medium.freng.org

# Install passwords.
amadminPassword: password
encryptionKey: "123456789012"
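Review bot: dropping the per-cluster fqdn so the default derived from `domain` applies is fine, but the context lines show this prod sample still committing `amadminPassword: password` and a fixed `encryptionKey: "123456789012"` in plaintext. A file under `samples/config/prod/` is what people copy, so replace these with clearly non-working placeholders or a comment that they must be supplied from a Kubernetes secret rather than from this file.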
3 changes: 0 additions & 3 deletions samples/config/prod/s-cluster/common.yaml
Expand Up @@ -5,9 +5,6 @@
#domain: freng.org
domain: frk8s.net

#fqdn: login.small.freng.org
fqdn: login.prod.frk8s.net

# Install passwords.
amadminPassword: password
encryptionKey: "123456789012"
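Review bot: same point as for m-cluster/common.yaml: this prod sample keeps `amadminPassword: password` and the identical literal `encryptionKey: "123456789012"` in cleartext, so both cluster samples share one well-known key. Use placeholders here too, and keep the two files' `domain` lines in the same order as each other so the samples diff cleanly.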

0 comments on commit 0a16a3a