# sso-provider).
sso_app_secret: app_secret
sso_app_id: arvados-server
- sso_provider_url: http://{{ .Values.externalIP }}:3002
+ sso_provider_url: https://{{ .Values.externalIP }}:3002
# If this is not false, HTML requests at the API server's root URL
# are redirected to this location, and it is provided in the text of
# SPDX-License-Identifier: Apache-2.0
server {
- listen 0.0.0.0:3002;
- server_name insecure-sso;
+ listen 127.0.0.1:9000;
+ server_name localhost-sso;
root /var/www/arvados-sso/current/public;
index index.html index.htm index.php;
passenger_enabled on;
# If you're using RVM, uncomment the line below.
passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+}
+
+upstream sso {
+ server 127.0.0.1:9000 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen 0.0.0.0:3002 ssl;
+ server_name public-sso;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/sso.pem;
+ ssl_certificate_key /etc/ssl/private/sso.key;
+
+ index index.html index.htm index.php;
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://sso;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
}
- name: sso-configmap
mountPath: /init-scripts/92-init-client.sh
subPath: 92-init-client.sh
+ - name: ssl-configmap
+ mountPath: /etc/ssl/certs/sso.pem
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/ssl/private/sso.key
+ subPath: key
+
volumes:
- name: sso-configmap
configMap:
name: arvados-sso-configmap
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap