When updating your yuuvis® Momentum installation to version 2021 Autumn, manual configuration changes are required for some services.
Core
Configuration Changes for the AUTHENTICATION Service
Access to '/manage/**' Endpoints
The /manage/** endpoints provided by the AUTHENTICATION Service are now available via a separate port that is protected from external access. Especially for customers using the Tenant Management services, the configuration of the AUTHENTICATION Service has to be adjusted and an ancillary Kubernetes Service has to be created as follows.
Adjust the 'authentication-prod.yml' file:
Expose the individual /manage endpoints in the authorization.accesses section.

Deprecated Configuration:

    authorization.accesses:
      ### manage-endpoints
      - endpoints: /manage/info,/manage/health
        expose: true

New Configuration:

    authorization.accesses:
      ### manage-endpoints
      - endpoints: /manage/**
        expose: true

Add the following two lines in order to select the port number 9091 for the /manage endpoints.

    management.server.port: 9091
    management.server.servlet.context-path: /

Adjust the Kubernetes Service:
Run the command:
kubectl -n yuuvis edit svc authentication
Remove the label yuuvis: "true".

Deprecated Configuration:

    labels:
      app: yuuvis
      name: authentication
      yuuvis: "true"
    name: authentication

New Configuration:

    labels:
      app: yuuvis
      name: authentication
    name: authentication

Create a new Kubernetes Service:
Create a new file authentication-manage-service.yaml with the following content:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: yuuvis
        name: authentication-manage
      name: authentication-manage
    spec:
      ports:
      - name: "80"
        port: 80
        targetPort: 9091
      selector:
        name: authentication
      type: ClusterIP

Run the command:
kubectl -n yuuvis apply -f authentication-manage-service.yaml
Adjust the ports for liveness probe and readiness probe:
Run the command:
kubectl -n yuuvis edit deploy authentication
Adjust the configuration:
Deprecated Configuration:

    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP

New Configuration:

    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP

Restart the AUTHENTICATION service.
Cross-Tenant Service Accounts
In order to allow for the configuration and usage of Cross-Tenant Service Accounts, an ancillary Kubernetes Service has to be created as follows.
Create a file authentication-internal.yml with the following content:

    kind: Service
    apiVersion: v1
    metadata:
      name: authentication-internal
    spec:
      selector:
        app: authentication
      type: ClusterIP
      ports:
      - protocol: TCP
        port: 80
        targetPort: 8081

Run the command:
kubectl -n yuuvis apply -f authentication-internal.yml
Safety Note
The AUTHENTICATION service manages the cross-tenant requests of service accounts via the separate port 8081. This port must be accessible only within the yuuvis® Momentum cluster to ensure strict separation of tenants for users. Be sure to never expose this internal port for public access!
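
One way to verify the result of the steps above after the update. This is an added example, not part of the yuuvis® Momentum documentation or product: it reads a file saved from `kubectl -n yuuvis get svc -o json` and reports any Service that publishes the internal ports 9091 or 8081 outside the cluster, as well as a leftover yuuvis: "true" label on the authentication Service. The function name audit_services and the sample data are assumptions made for illustration.

```python
import json
import sys

# Ports the page says must stay cluster-internal:
# 9091 serves the /manage endpoints, 8081 the cross-tenant service-account requests.
INTERNAL_PORTS = {9091, 8081}

def audit_services(svc_list):
    """Return (service, finding) tuples for a `kubectl get svc -o json` document."""
    findings = []
    for svc in svc_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        name = meta.get("name", "<unnamed>")
        # Page step: the label yuuvis: "true" is removed from the authentication Service.
        if name == "authentication" and meta.get("labels", {}).get("yuuvis") == "true":
            findings.append((name, 'label yuuvis: "true" still present'))
        for port in spec.get("ports", []):
            # targetPort defaults to port when omitted; named target ports are not resolved.
            target = port.get("targetPort", port.get("port"))
            if target not in INTERNAL_PORTS:
                continue
            svc_type = spec.get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append((name, f"internal port {target} published via type {svc_type}"))
            if spec.get("externalIPs"):
                findings.append((name, f"internal port {target} reachable via externalIPs"))
    return findings

# Constructed sample, not real cluster output: one leftover label, one NodePort mistake.
SAMPLE = {"items": [
    {"metadata": {"name": "authentication",
                  "labels": {"app": "yuuvis", "name": "authentication", "yuuvis": "true"}},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"metadata": {"name": "authentication-manage", "labels": {"app": "yuuvis"}},
     "spec": {"type": "ClusterIP", "ports": [{"name": "80", "port": 80, "targetPort": 9091}]}},
    {"metadata": {"name": "authentication-internal"},
     "spec": {"type": "NodePort", "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8081}]}},
]}

if __name__ == "__main__":
    # Optional argument: a file saved from `kubectl -n yuuvis get svc -o json`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, finding in audit_services(data):
        print(f"{name}: {finding}")
```

The check covers Service objects only; Ingress rules or other routes that forward to authentication-manage or authentication-internal have to be reviewed separately.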