Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

When updating your yuuvis® Momentum installation to version 2021 Autumn, manual configuration changes are required for some services.

Table of Contents

Core

Configuration Changes for the AUTHENTICATION Service


Access to '/manage/**' Endpoints

The /manage/** endpoints provided by the AUTHENTICATION Service are now available via a separate port that is protected from external access. Especially for customers using the Tenant Management services, the configuration of the AUTHENTICATION Service has to be adjusted and an ancillary Kubernetes Service has to be created as follows.

Adjust the 'authentication-prod.yml' file:

  • Expose the individual /manage endpoints in the authorization.accesses section.

    Deprecated ConfigurationNew Configuration
    authorization.accesses:
    ### manage-endpoints
      - endpoints: /manage/info,/manage/health
        expose: true
    authorization.accesses:
    ### manage-endpoints
      - endpoints: /manage/**
        expose: true
  • Add the following two lines in order to select the port number 9091 for the /manage endpoints.

    management.server.port: 9091
    management.server.servlet.context-path: /

Adjust the Kubernetes Service:

  • Run the command.

    kubectl -n yuuvis edit svc authentication
  • Remove the label yuuvis: "true".

    Deprecated ConfigurationNew Configuration
      labels:
        app: yuuvis
        name: authentication
        yuuvis: "true"
      name: authentication
    labels:
      app: yuuvis
      name: authentication
    name: authentication

Create a new Kubernetes Service:

  • Create a new file authentication-manage-service.yaml with the following content:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: yuuvis
        name: authentication-manage
      name: authentication-manage
    spec:
      ports:
      - name: "80"
        port: 80
        targetPort: 9091
      selector:
        name: authentication
      type: ClusterIP
  • Run the command:

    kubectl -n yuuvis apply -f authentication-manage-service.yaml

Adjust the ports for liveness probe and readiness probe:

  • Run the command:

    kubectl -n yuuvis edit deploy authentication
  • Adjust the configuration:

    Deprecated ConfigurationNew Configuration
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP

Restart the AUTHENTICATION service.

Cross-Tenant Service Accounts

In order to allow for the configuration and usage of Cross-Tenant Service Accountsan ancillary Kubernetes Service has to be created as follows.

  • Create a file authentication-internal.yml with the following content:

    kind: Service
    apiVersion: v1
    metadata:
      name: authentication-internal
    spec:
      selector:
        app: authentication
      type: ClusterIP
      ports:
      - protocol: TCP
        port: 80
        targetPort: 8081
  • Run the command:

    kubectl -n yuuvis apply -f authentication-internal.yml

Safety Note

The AUTHENTICATION service manages the cross-tenant requests of service accounts via the separate port 8081. This port must be accessible only within the yuuvis® Momentum cluster to ensure strict separation of tenants for users. Never expose this internal port for public access!


  • No labels