-
Notifications
You must be signed in to change notification settings - Fork 3
/
dogu.json
437 lines (437 loc) · 16.9 KB
/
dogu.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
{
"Name": "official/cas",
"Version": "7.0.8-7",
"DisplayName": "Central Authentication Service",
"Description": "The Central Authentication Service (CAS) is a single sign-on protocol for the web.",
"Url": "https://apereo.github.io/cas",
"Category": "Base",
"Tags": [
"authentication",
"sso",
"cas"
],
"Logo": "https://cloudogu.com/images/dogus/cas.png",
"Image": "registry.cloudogu.com/official/cas",
"Dependencies": [
{
"Type": "dogu",
"Name": "nginx",
"version": ">=1.26.1-5"
},
{
"type": "dogu",
"name": "postfix"
}
],
"OptionalDependencies": [
{
"Type": "dogu",
"Name": "ldap"
}
],
"ServiceAccounts": [
{
"Type": "ldap",
"Params": [
"rw"
]
}
],
"Configuration": [
{
"Name": "limit/failure_threshold",
"Description": "Number of failed login attempts. This number is used to calculate the failure rate in conjunction with limit/range_seconds. (0 means disabled; defaults to 500)",
"Optional": true,
"Default": "500"
},
{
"Name": "limit/range_seconds",
"Description": "Time in seconds defines timeframe over which the login failures are taken into account (must be a positive number, takes only effect if limit/failure_threshold is > 0; defaults to 10 seconds)",
"Optional": true,
"Default": "10"
},
{
"Name": "limit/stale_removal_interval",
"Description": "Time in seconds between background runs which finds and removes clean expired and stale login failures (must be a positive number, takes only effect if limit/failure_threshold is > 0; defaults to 60 seconds)",
"Optional": true,
"Default": "60"
},
{
"Name": "limit/lock_time",
"Description": "Time in seconds to lock an account if the throttling threshold was met; (must be a positive number, takes only effect if limit/failure_threshold is > 0; defaults to 600 seconds)",
"Optional": true,
"Default": "600"
},
{
"Name": "mail_sender",
"Description": "Email address to use as sender of the CAS dogu",
"Optional": true
},
{
"Name": "password_management/enable_password_reset_via_email",
"Description": "Specifies whether the functionality for resetting the password via a link sent by e-mail should be activated. This entry is set to 'true' by default.",
"Default": "true",
"Optional": true,
"Validation": {
"Type": "ONE_OF",
"Values": [
"true",
"false"
]
}
},
{
"Name": "password_management/reset_password_subject",
"Description": "Specifies the subject of the e-mail when resetting the password.",
"Optional": true
},
{
"Name": "password_management/reset_password_text",
"Description": "Specifies the text for the password reset email. Note: The password reset link must be inserted mandatory with ${url}",
"Optional": true
},
{
"Name": "forgot_password_text",
"Description": "Text which shall be shown if a user clicks 'Forgot Password'. Note: The button 'Forgot password' is only visible if the value 'enable_password_reset_via_email' is not `true`.",
"Optional": true
},
{
"Name": "legal_urls/terms_of_service",
"Description": "This URL links to the Terms of Service and will be the first link at the bottom of login or logout pages. If empty the whole link will be omitted. If changed the CAS dogu must be restarted to take effect. When the protocol part of the url (e.g. https://) is not supplied, the url will be set to fqdn/cas/{given_url}. When the protocol is supplied, the url will be shown as given.",
"Optional": true
},
{
"Name": "legal_urls/imprint",
"Description": "This URL links to the Imprint and will be the second link at the bottom of login or logout pages. If empty the whole link will be omitted. If changed the CAS dogu must be restarted to take effect. When the protocol part of the url (e.g. https://) is not supplied, the url will be set to fqdn/cas/{given_url}. When the protocol is supplied, the url will be shown as given.",
"Optional": true
},
{
"Name": "legal_urls/privacy_policy",
"Description": "This URL links to the Privacy Policy and will be the last link at the bottom of login or logout pages. If empty the whole link will be omitted. If changed the CAS dogu must be restarted to take effect. When the protocol part of the url (e.g. https://) is not supplied, the url will be set to fqdn/cas/{given_url}. When the protocol is supplied, the url will be shown as given.",
"Optional": true
},
{
"Name": "session_tgt/max_time_to_live_in_seconds",
"Description": "Maximum session timeout - TGT will expire after defined timespan regardless the usage",
"Optional": true
},
{
"Name": "session_tgt/time_to_kill_in_seconds",
"Description": "Idle session timeout - TGT will expire sooner if no further requests keep the session alive",
"Optional": true
},
{
"Name": "ldap/host",
"Description": "The host of the LDAP (without protocol and without port), e.g. ldap if LDAP dogu is used.",
"Optional": false
},
{
"Name": "ldap/port",
"Description": "The port of the LDAP, e.g. 389",
"Optional": false
},
{
"Name": "ldap/base_dn",
"Description": "Base DN of users to be authenticated, \"(dc=cloudogu,dc=com)\". This value is only used when using an external LDAP.",
"Optional": true
},
{
"Name": "ldap/connection_dn",
"Description": "Manager DN for authenticated searches, e.g. \"(cn=admin,dc=cloudogu,dc=com)\" This value is only used when using an external LDAP.",
"Optional": true
},
{
"Name": "ldap/password",
"Description": "The password for connection to ldap in encrypted form. This value is only used when using an external LDAP.",
"Optional": true
},
{
"Name": "ldap/search_filter",
"Description": "Search filter used for configurations that require searching for DNs, e.g. (objectClass=person)"
},
{
"Name": "ldap/ds_type",
"Description": "Type of the LDAP",
"Optional": true,
"Validation": {
"Type": "ONE_OF",
"Values": [
"embedded",
"external"
]
}
},
{
"Name": "ldap/encryption",
"Description": "Type of the encryption of the LDAP. Defaults to 'none'.",
"Default": "none",
"Optional": true,
"Validation": {
"Type": "ONE_OF",
"Values": [
"",
"none",
"startTLS",
"startTLSAny",
"ssl",
"sslAny"
]
}
},
{
"Name": "ldap/attribute_id",
"Description": "The attribute for the user ID in the LDAP"
},
{
"Name": "ldap/attribute_given_name",
"Description": "The attribute for the user's given name in the LDAP",
"Optional": true
},
{
"Name": "ldap/attribute_surname",
"Description": "The attribute for the user's surname in the LDAP",
"Optional": true
},
{
"Name": "ldap/attribute_fullname",
"Description": "The attribute for the user's fullname in the LDAP, which can also be seen as display name like \"John Doe\"",
"Optional": true
},
{
"Name": "ldap/attribute_mail",
"Description": "The attribute for the user's mail address in the LDAP",
"Optional": true
},
{
"Name": "ldap/attribute_group",
"Description": "The user's group membership attribute (e.g. memberOf)",
"Optional": true
},
{
"Name": "ldap/group_attribute_name",
"Description": "Name of the attribute for groups (the group's user membership attribute) in LDAP, e.g. member",
"Optional": true
},
{
"Name": "ldap/group_base_dn",
"Description": "Settings for ldap group search by member. Base dn for group search e.g.: o=ces.local,dc=cloudogu,dc=com",
"Optional": true
},
{
"Name": "ldap/group_search_filter",
"Description": "Search filter for group search. If this property is empty, group search by member will be skipped",
"Optional": true
},
{
"Name": "logging/root",
"Description": "Set the root log level to one of ERROR, WARN, INFO, DEBUG.",
"Optional": true,
"Default": "WARN",
"Validation": {
"Type": "ONE_OF",
"Values": [
"WARN",
"DEBUG",
"INFO",
"ERROR"
]
}
},
{
"Name": "container_config/memory_limit",
"Description": "Limits the container's memory usage. Use a positive integer value followed by one of these units [b,k,m,g] (byte, kibibyte, mebibyte, gibibyte).",
"Optional": true,
"Validation": {
"Type": "BINARY_MEASUREMENT"
}
},
{
"Name": "container_config/memory_request",
"Description": "Requests the container's minimal memory requirement. Use a positive integer value followed by one of these units [b,k,m,g] (byte, kibibyte, mebibyte, gibibyte). This configuration is only applicable to the Multinode-EcoSystem.",
"Optional": true,
"Default": "1g",
"Validation": {
"Type": "BINARY_MEASUREMENT"
}
},
{
"Name": "container_config/swap_limit",
"Description": "Limits the container's swap memory usage. Use zero or a positive integer value followed by one of these units [b,k,m,g] (byte, kibibyte, mebibyte, gibibyte). 0 will disable swapping.",
"Optional": true,
"Validation": {
"Type": "BINARY_MEASUREMENT"
}
},
{
"Name": "container_config/cpu_core_limit",
"Description": "Limits the container's CPU core usage. Use a positive floating value describing a fraction of 1 virtual CPU core. When you define a value of '0.5', you are requesting half as much CPU time compared to if you asked for '1.0' CPU. This configuration is only applicable to the Multinode-EcoSystem.",
"Optional": true
},
{
"Name": "container_config/cpu_core_request",
"Description": "Requests the container's minimal CPU core requirement. Use a positive floating value describing a fraction of 1 virtual CPU core. When you define a value of '0.5', you are requesting half as much CPU time compared to if you asked for '1.0' CPU. This configuration is only applicable to the Multinode-EcoSystem.",
"Default": "0.5",
"Optional": true
},
{
"Name": "container_config/storage_limit",
"Description": "Limits the container's ephemeral storage usage. Use a positive integer value followed by one of these units [b,k,m,g] (byte, kibibyte, mebibyte, gibibyte). This configuration is only applicable to the Multinode-EcoSystem.",
"Optional": true,
"Validation": {
"Type": "BINARY_MEASUREMENT"
}
},
{
"Name": "container_config/storage_request",
"Description": "Requests the container's minimal ephemeral storage requirement. Use a positive integer value followed by one of these units [b,k,m,g] (byte, kibibyte, mebibyte, gibibyte). This configuration is only applicable to the Multinode-EcoSystem.",
"Optional": true,
"Validation": {
"Type": "BINARY_MEASUREMENT"
}
},
{
"Name": "container_config/java_max_ram_percentage",
"Description": "Limits the heap stack size of the CAS process to the configured percentage of the available physical memory when the container has more than approx. 250 MB of memory available. Is only considered when a memory_limit is set. Use a valid float value with decimals between 0 and 100 (f. ex. 55.0 for 55%). Default value for CAS: 25%",
"Optional": true,
"Default": "25.0",
"Validation": {
"Type": "FLOAT_PERCENTAGE_HUNDRED"
}
},
{
"Name": "container_config/java_min_ram_percentage",
"Description": "Limits the heap stack size of the CAS process to the configured percentage of the available physical memory when the container has less than approx. 250 MB of memory available. Is only considered when a memory_limit is set. Use a valid float value with decimals between 0 and 100 (f. ex. 55.0 for 55%). Default value for CAS: 50%",
"Optional": true,
"Default": "50.0",
"Validation": {
"Type": "FLOAT_PERCENTAGE_HUNDRED"
}
},
{
"Name": "oidc/enabled",
"Description": "Determines whether the CAS should use the configured OIDC provider for delegated authentication. This entry is set to 'false' by default.",
"Default": "false",
"Optional": true,
"Validation": {
"Type": "ONE_OF",
"Values": [
"true",
"false"
]
}
},
{
"Name": "oidc/discovery_uri",
"Description": "Describes the URI that contains the description for the OIDC protocol of the target provider.",
"Optional": true
},
{
"Name": "oidc/client_id",
"Description": "Contains the identifier that should be used to identify the client against the OIDC provider.",
"Optional": true
},
{
"Name": "oidc/client_secret",
"Description": "Contains the secret that should be used along the client ID to identify the client against the OIDC provider.",
"Optional": true,
"Encrypted": true
},
{
"Name": "oidc/display_name",
"Description": "The display name is used for the OIDC provider in the user interface.",
"Default": "OIDC Provider",
"Optional": true
},
{
"Name": "oidc/redirect_uri",
"Description": "The url which will be used as redirect target after a successful delegated logout. The url has to match the patterns which are allowed for the configured client. [defaults to <instance>/cas/logout]",
"Default": "",
"Optional": true
},
{
"Name": "oidc/optional",
"Description": "Determines whether the authentication via the configured OIDC provider is optional. The user is automatically redirected to the login page of the OIDC provider if this property is set to 'false'. The 'true' entry makes authentication via the OIDC provider optional. For this, an additional button for the OIDC provider is displayed on the login page of the CAS, which can be used for authentication with the OIDC provider. This entry is set to 'false' by default.",
"Default": "false",
"Optional": true,
"Validation": {
"Type": "ONE_OF",
"Values": [
"true",
"false"
]
}
},
{
"Name": "oidc/scopes",
"Description": "Specifies the resource to be queried against OIDC. Normally, this enumeration should contain at least the openid, user's email, profile information, and the groups assigned to the user. This entry is set to `openid email profile groups` by default.",
"Default": "openid email profile groups",
"Optional": true
},
{
"Name": "oidc/attribute_mapping",
"Description": "The attributes provided by OIDC do not exactly match the attributes required by the CAS. It is necessary to transform the OIDC attributes into attributes accepted by the cas. Therefore, this entry should contain rules to transform an attribute provided by the OIDC provider into an attribute required by CAS. The rules should be provided in the following format: 'email:mail,family_name:surname'. With the given example the OIDC attribute 'email' and 'family_name' are transformed into 'mail' and 'surname' respectively. The CAS requires the following attributes to function properly: 'mail,surname,givenName,username,displayName'.",
"Optional": true
},
{
"Name": "oidc/principal_attribute",
"Description": "Specifies an attribute that should be used as principal id inside the CES. CAS uses the ID provided by the OIDC provider when this property is empty.",
"Optional": true
}
],
"Volumes": [
{
"Name": "logs",
"Path": "/logs",
"Owner": "1000",
"Group": "1000",
"NeedsBackup": false
},
{
"Name": "localConfig",
"Path": "/var/ces/config",
"Owner": "1000",
"Group": "1000",
"NeedsBackup": true
},
{
"Name": "services",
"Path": "/etc/cas/services/production",
"Owner": "1000",
"Group": "1000",
"NeedsBackup": true
}
],
"ExposedCommands": [
{
"Name": "service-account-create",
"Description": "Creates a new service account",
"Command": "/create-sa.sh"
},
{
"Name": "service-account-remove",
"Description": "Removes an existing service account",
"Command": "/remove-sa.sh"
},
{
"Name": "pre-upgrade",
"Command": "/pre-upgrade.sh"
},
{
"Name": "post-upgrade",
"Command": "/post-upgrade.sh"
},
{
"Name": "upgrade-notification",
"Command": "/upgrade-notification.sh"
}
],
"HealthChecks": [
{
"Type": "tcp",
"Port": 8080
},
{
"Type": "state"
}
]
}