mirror of
https://github.com/PurpleComputing/scim-examples.git
synced 2026-06-11 07:10:30 +01:00
more clarification, add 'advanced' section
@@ -61,14 +61,14 @@ Make sure to pass the filepath of the scimsession file that you downloaded. The
|
||||
|
||||
## Configuring the SCIM bridge
|
||||
|
||||
You'll want to edit the `op-scim-deployment.yaml` file and change the variable `{YOUR-DOMAIN-HERE}` you've decided on in _Creating your DNS record_. This allows LetsEncrypt to issue your deployment an SSL certificate necessary for encrypted traffic. As discussed in that section, you'll need to have the IP address of the container, so we'll continue with deployment, and then finish configuring the DNS.
|
||||
You'll want to edit the `op-scim-deployment.yaml` file and change the variable `{YOUR-DOMAIN-HERE}` to the domain you've decided on. This allows LetsEncrypt to issue your deployment an SSL certificate necessary for encrypted traffic.
|
||||
|
||||
Additionally, if you are using an existing redis instance that's not running on `redis:6379`, add the `--redis-host=[host]` and `--redis-port=[port]` flags to `containers.args` in that same `op-scim-deployment.yaml` file.
|
||||
To finish setting up DNS, need to have the IP address of the load balancer container. Continue with deployment, and then finish configuring the DNS near the end.
|
||||
|
||||
|
||||
## Deploy redis
|
||||
|
||||
A redis instance is required when using the SCIM Bridge, whether you use the option provided her to deploy one, or have configured one yourself independently. If you defined a pre-existing redis instance in [Configuring the SCIM bridge](#Configuring-the-SCIM-bridge), you can skip this section.
|
||||
A redis instance is required when using the SCIM Bridge, whether you use the option provided her to deploy one, or have configured one yourself independently. (See [Advanced setup](#Advanced-setup))
|
||||
|
||||
Use the `redis-deployment.yaml` and `redis-service.yaml` files with `kubectl` to deploy redis.
|
||||
|
||||
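Review bot: The link target in the reworded Deploy redis paragraph, `(#Advanced-setup)`, does not match the heading this commit adds, `## Advanced setup (optional)`. On GitHub that heading's anchor is `#advanced-setup-optional`, so the link will not resolve; point it at the generated anchor or drop "(optional)" from the heading. The same paragraph still carries the typo "provided her" (should be "here") and ends without a period after the parenthetical. The new DNS sentence "To finish setting up DNS, need to have the IP address of the load balancer container" is missing its subject ("you'll need"). The earlier hint that readers with a pre-existing redis instance can skip this section is also gone and is worth keeping.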
@@ -86,7 +86,9 @@ This will deploy a single redis instance listening on Kubernetes internal DNS `r
|
||||
|
||||
Using the `op-scim-deployment.yaml` and `op-scim-service.yaml` files, deploy the 1Password SCIM bridge to your Kubernetes cluster.
|
||||
|
||||
These files configure the 1Password SCIM Bridge to connect to the redis instance indicated by the args, and it deploys a load balancer to handle traffic on ports 80 and 443. Traffic on :80 is needed to perform the LetsEncrypt certificate challenges, after which all SCIM traffic will be served on :443.
|
||||
These files deploy the 1Password `op-scim` service, and deploys a load balancer to handle traffic on ports 80 and 443. Traffic on :80 is needed to perform the LetsEncrypt certificate challenges, after which all SCIM traffic will be served on :443.
|
||||
|
||||
Ensure that your options in `op-scim-deployment.yaml` are set, and deploy using the following:
|
||||
|
||||
```
|
||||
kubectl apply -f op-scim-deployment.yaml
|
||||
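Review bot: In the rewritten description, "These files deploy the 1Password `op-scim` service, and deploys a load balancer" has a verb agreement slip ("deploys" should be "deploy"). It also no longer says that the bridge connects to the redis instance given in the args, which was the only place this step tied the two deployments together. The added line "Ensure that your options in `op-scim-deployment.yaml` are set" should name the options it means, at least the `{YOUR-DOMAIN-HERE}` placeholder, since the LetsEncrypt certificate depends on it.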
@@ -115,3 +117,15 @@ curl --header "Authorization: Bearer <bearertoken>" https://<domain>/scim/Users
|
||||
Alternatively, you can visit the domain in any web browser. You'll see a 1Password SCIM Bridge Status page which can be used to verify your OAuth bearer token. This page is being served by your SCIM Bridge using a secured TLS connection established using your LetsEncrypt domain certificate.
|
||||
|
||||
You can now continue with the administration guide to configure your Identity Provider to enable provisioning with your SCIM Bridge.
|
||||
|
||||
## Advanced setup (optional)
|
||||
|
||||
If you have infrastructure already in place, such as a web server, a redis server, and/or a pre-existing SSL certificate, you can integrate the op-scim service with them instead of using the load balancer and redis container deployments.
|
||||
|
||||
### Web server with SSL certificate
|
||||
|
||||
In `op-scim-deployment.yaml`, you can remove the option `--letsencrypt-domain`. This will have the op-scim service serve on port 3002. You can then map your pre-existing webserver (Apache, NGINX, etc). You will no longer be issued a certificate by LetsEncrypt.
|
||||
|
||||
### Redis server
|
||||
|
||||
If you are using an existing redis instance that's not running on `redis:6379`, add the `--redis-host=[host]` and `--redis-port=[port]` flags to `containers.args` in that same `op-scim-deployment.yaml` file.
|
||||
|
||||
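Review bot: The Web server with SSL certificate paragraph stops at "You can then map your pre-existing webserver (Apache, NGINX, etc)" without saying what to map it to or how. Spell out that the web server should proxy to op-scim on port 3002 and terminate TLS itself, and state whether 3002 is plain HTTP once `--letsencrypt-domain` is removed. Also say what to change in `op-scim-service.yaml`, which otherwise still deploys the load balancer on ports 80 and 443. Because requests carry the bearer token in the `Authorization` header, the text should say that port 3002 is meant to be reachable only from that web server. In the Redis server paragraph, "that same `op-scim-deployment.yaml` file" was written for its old location and reads oddly here; a pointer telling these readers to skip the Deploy redis step would close the loop.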