AWS Helm Values
Here is an example of AWS Helm values for a JUDGE deployment.
Note that you will need to replace the placeholder GitLab/GitHub client ID and secret in the values.yaml
file. Keep the real values out of version control: pass them at install time (for example with `--set` or a separately managed, non-committed values file) rather than editing them into this file.
By default, JUDGE deploys a MySQL and a MinIO pod. For production, integrate with Amazon RDS and S3 instead; consult the official AWS documentation for guidance on configuring a production-ready RDS cluster and S3 bucket, and customize the values.yaml file so the deployment uses that infrastructure rather than the in-cluster database and object store.
global:
  # Images come from the vendor's ECR registry. With imagePullSecrets left empty,
  # the node role (or an IRSA role) must be allowed to pull from this registry;
  # otherwise uncomment the regcred entry and create that pull secret.
  registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
  repository: "testifysec"
  imagePullSecrets: []
  # - name: regcred
  # Empty string selects the cluster's default StorageClass.
  storageClass: ""

## Compatibility adaptations for Kubernetes platforms
##
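kratos:
  # NOTE(review): the nesting below was reconstructed from a flattened copy of this
  # file; run `helm template` and check the rendered Kratos config before applying.
  image:
    tag: v1.0.0-token-update
  enabled: true
  nameOverride: "judge-kratos"
  ingress:
    # Only the public API is published. The admin API (kratos-admin) stays
    # cluster-internal and must never receive an internet-facing ingress.
    public:
      enabled: true
      className: alb
      annotations:
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        # HTTPS-only listener: the ALB needs an ACM certificate, either via
        # alb.ingress.kubernetes.io/certificate-arn or hostname discovery, which
        # requires a real DNS name (the example .local names are not issuable).
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
      # TLS terminates at the ALB, so no in-cluster TLS secret is listed.
      tls: []
      hosts:
        - host: kratos.testifysec.local
          paths:
            - path: /
              pathType: Prefix
  kratos:
    # Development default only: root credentials against the bundled judge-mysql
    # pod. For production point this at RDS with a dedicated least-privilege user,
    # and supply the DSN at install time (--set / an uncommitted values file or an
    # external Secret) instead of committing it here.
    dsn: "mysql://root:root@tcp(judge-mysql.default.svc.cluster.local:3306)/kratos?sql_mode=''"
    config:
      serve:
        public:
          base_url: https://kratos.testifysec.local
          cors:
            # Browser flows send the session cookie cross-origin, so only the UIs
            # that actually call the public API are listed. The previous value
            # `https://*.dev` admitted every origin under the .dev TLD.
            allowed_origins:
              - https://login.testifysec.local
              - https://judge.testifysec.local
      cookies:
        # Session cookie is scoped to the parent domain so login.* and judge.* share it.
        domain: testifysec.local
        path: /
        same_site: Lax
      selfservice:
        flows:
          error:
            ui_url: https://login.testifysec.local/error
          settings:
            # Was http://; the settings flow carries privileged-session state and
            # must not be redirected over plaintext like its sibling flows.
            ui_url: https://login.testifysec.local/settings
            privileged_session_max_age: 15m
            required_aal: highest_available
          recovery:
            enabled: true
            ui_url: https://login.testifysec.local/recovery
          verification:
            enabled: true
            ui_url: https://login.testifysec.local/verification
            after:
              default_browser_return_url: https://login.testifysec.local/
          logout:
            after:
              default_browser_return_url: https://login.testifysec.local/login
          login:
            ui_url: https://login.testifysec.local/login
            lifespan: 10m
            after:
              default_browser_return_url: https://judge.testifysec.local
          registration:
            lifespan: 10m
            ui_url: https://login.testifysec.local/registration
            after:
              oidc:
                hooks:
                  - hook: session # Always enable this for oidc flows or the user experience suffers significantly!
                  - hook: web_hook
                    config:
                      # Cluster-internal, unauthenticated POST into judge-api: nothing
                      # here proves the caller is Kratos. Restrict the endpoint with a
                      # NetworkPolicy and/or an auth header if judge-api supports one.
                      url: http://judge-judge-api.default.svc.cluster.local:8080/webhook/defaulttenant
                      method: POST
                      # Jsonnet payload: function(ctx) { identityId: ctx.identity.id, traits: ctx.identity.traits }
                      body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICAgIGlkZW50aXR5SWQ6IGN0eC5pZGVudGl0eS5pZCwKICAgICAgdHJhaXRzOiBjdHguaWRlbnRpdHkudHJhaXRzCn0=
        default_browser_return_url: https://judge.testifysec.local
        # Open-redirect guard: Kratos only honours return_to values on this list.
        allowed_return_urls:
          - https://login.testifysec.local
          - https://kratos.testifysec.local
          - https://judge.testifysec.local
        methods:
          oidc:
            config:
              providers:
                - id: gitlab
                  provider: gitlab
                  # Placeholders only. Never commit the real client secret; override it
                  # at install time or inject it through the pod environment.
                  client_id: your-gitlab-client-id # set ENV variable
                  client_secret: your-gitlab-client-secret # set ENV variable
                  issuer_url: https://gitlab.com # Replace with your gitlab instance url
                  mapper_url: file:///etc/config/kratos/gitlab.jsonnet
                  # read_api and read_repository grant read access to every project the
                  # user can see; keep only the scopes JUDGE actually needs.
                  scope:
                    - openid
                    - profile
                    - email
                    - read_user
                    - read_api
                    - read_repository
                # - id: github
                #   provider: github
                #   client_id: your-github-client-id # set ENV variable
                #   client_secret: your-github-client-secret # set ENV variable
                #   issuer_url: https://github.com # Replace with your github instance url
                #   mapper_url: file:///etc/config/kratos/github.jsonnet
                #   scope:
                #     - user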
archivista:
  image:
    tag: v1.6.0
  enabled: true
  nameOverride: "judge-archivista"
  # Published on an internet-facing ALB. No authentication is configured in this
  # block, so confirm how Archivista is protected (judge-web proxies to it in-cluster)
  # before exposing it publicly.
  ingress:
    enabled: true
    className: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      # HTTPS-only listener; the ALB needs an ACM certificate for this host.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    hosts:
      - host: archivista.testifysec.local
        paths:
          - path: /
            pathType: Prefix
kratos-selfservice-ui-node:
  image:
    tag: v1.6.0
  enabled: true
  nameOverride: "judge-kratos-self-service"
  # Server-side calls go to the in-cluster Kratos services over plain HTTP; the
  # browser-facing URL is the public HTTPS hostname behind the ALB.
  kratosAdminUrl: "http://kratos-admin.default.svc.cluster.local"
  kratosPublicUrl: "http://kratos-public.default.svc.cluster.local"
  kratosBrowserUrl: "https://kratos.testifysec.local"
  ingress:
    enabled: true
    className: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      # HTTPS-only listener; the ALB needs an ACM certificate for this host.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # TLS terminates at the ALB.
    tls: []
    hosts:
      - host: login.testifysec.local
        paths:
          - path: /
            pathType: Prefix
judge-api:
  image:
    tag: v1.6.0
  enabled: true
  deployment:
    env:
      # "false" keeps license enforcement on.
      - name: "__TESTIFY_SKIP_LICENSE_CHECK__"
        value: "false"
      # NOTE(review): these two values have no scheme, unlike the http:// URLs given
      # for the same services elsewhere in this file; confirm judge-api accepts a bare
      # hostname here.
      - name: KRATOS_PUBLIC_URL
        value: "kratos-public.default.svc.cluster.local"
      - name: KRATOS_ADMIN_URL
        value: "kratos-admin.default.svc.cluster.local"
      - name: GITLAB_URL
        value: "https://gitlab.com" # Replace with your gitlab instance url
  ingress:
    enabled: true
    className: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      # HTTPS-only listener; the ALB needs an ACM certificate for this host.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    hosts:
      - host: judge-api.testifysec.local
        paths:
          - path: /
            pathType: Prefix
judge-web:
  image:
    tag: v1.6.0
  enabled: true
  nameOverride: "judge-web"
  # The web pod's nginx fronts the backend services over plain HTTP inside the
  # cluster; east-west traffic is unencrypted unless a mesh or NetworkPolicy covers it.
  nginxReverseProxy:
    enabled: true
    archivistaUrl: http://judge-judge-archivista.default.svc.cluster.local:8082
    judgeApiUrl: http://judge-judge-api.default.svc.cluster.local:8080
    kratosPublicUrl: http://kratos-public.default.svc.cluster.local
    kratosSelfServiceUiUrl: http://kratos-selfservice-ui-node.default.svc.cluster.local
  ingress:
    enabled: true
    className: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      # HTTPS-only listener; the ALB needs an ACM certificate for this host.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # TLS terminates at the ALB.
    tls: []
    hosts:
      - host: judge.testifysec.local
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: judge-judge-web
                port:
                  number: 8077
  redirectIngress:
    enabled: false
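dex:
  image:
    tag: v2.39.1
  enabled: true
  nameOverride: "judge-dex"
  ingress:
    enabled: true
    className: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      # HTTPS-only listener; the ALB needs an ACM certificate for this host.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    hosts:
      - host: dex.testifysec.local
        paths:
          - path: /
            pathType: Prefix
  config:
    # Must match the IssuerURL in fulcio.config.contents byte-for-byte.
    issuer: https://dex.testifysec.local
    storage:
      # In-memory storage: signing keys, pending auth requests and refresh tokens are
      # lost on every restart (tokens issued before a restart stop validating) and
      # cannot be shared across replicas. Move to a persistent backend before running
      # more than one replica or depending on refresh tokens.
      type: memory
    logger:
      # Was `debug`; verbose request logging on an internet-facing IdP is noisy and
      # risks exposing request details. Raise it temporarily when troubleshooting.
      level: info
      format: json
    oauth2:
      responseTypes: [ "code" ]
      # Consent is skipped because the only client is first-party; revisit if
      # third-party clients are ever added.
      skipApprovalScreen: true
      alwaysShowLoginScreen: true
    staticClients:
      # Public (secret-less) client used for CLI/device sign-in; Dex limits such
      # clients to loopback / out-of-band redirect URIs, which is why none are listed.
      - id: testifysec
        public: true
        name: 'testifysec'
    connectors:
      # This connector list is the effective trust boundary for certificate issuance:
      # any identity Dex accepts can obtain a Fulcio signing certificate.
      - type: gitlab
        id: gitlab-fulcio-test
        name: Gitlab
        config:
          # Placeholders only. Dex expands $ENV_VAR references in connector config, so
          # inject the real secret through the pod environment rather than committing it.
          clientID: your-gitlab-client-id # set ENV variable
          clientSecret: your-gitlab-client-secret # set ENV variable
          redirectURI: https://dex.testifysec.local/callback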
fulcio:
  image:
    tag: v1.4.5
  enabled: true
  nameOverride: "judge-fulcio"
  server:
    volumes: []
    volumeMounts: []
    args:
      # No certificate transparency log is part of this example, so issued
      # certificates are not logged and cannot be audited after the fact; verifiers
      # of this private instance must not require SCTs.
      disable_ct_log: true
    ingress:
      http:
        enabled: true
        className: alb
        annotations:
          alb.ingress.kubernetes.io/scheme: internet-facing
          alb.ingress.kubernetes.io/target-type: ip
          # HTTPS-only listener; the ALB needs an ACM certificate for this host.
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
        hosts:
          - path: /
            host: "fulcio.testifysec.local"
      # Same hostname, separate ALB rule for the gRPC CA service.
      grpc:
        enabled: true
        className: alb
        annotations:
          alb.ingress.kubernetes.io/scheme: internet-facing
          alb.ingress.kubernetes.io/target-type: ip
          alb.ingress.kubernetes.io/backend-protocol-version: GRPC
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
        tls: []
        hosts:
          - host: fulcio.testifysec.local
            pathType: Prefix
            path: /dev.sigstore.fulcio.v2.CA
  config:
    # Trusted OIDC issuer for certificate requests. IssuerURL must equal
    # dex.config.issuer exactly and ClientID the Dex static client id; any token
    # Dex issues for that client can obtain a signing certificate.
    contents: {"OIDCIssuers": { "https://dex.testifysec.local": { "IssuerURL": "https://dex.testifysec.local", "ClientID": "testifysec", "Type": "email" } }}
tsa:
  image:
    tag: v1.6.0
    version: v1.6.0
  enabled: true
  nameOverride: "judge-timestamp-server"
  server:
    args:
      # In-memory signer: a fresh key and certificate chain are generated on every
      # start, so timestamps issued before a restart no longer verify against the
      # current chain and the root must be redistributed each time. Use a persistent
      # (file- or KMS-backed) signer for anything beyond a trial.
      signer: memory
    ingress:
      http:
        className: alb
        annotations:
          alb.ingress.kubernetes.io/scheme: internet-facing
          alb.ingress.kubernetes.io/target-type: ip
          # HTTPS-only listener; the ALB needs an ACM certificate for this host.
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
        hosts:
          - path: /
            pathType: Prefix
            host: tsa.testifysec.local
# In-cluster MySQL used by the default install; disable it once Kratos points at RDS.
mysql:
  image:
    tag: v1.6.0
  enabled: true
  nameOverride: "judge-mysql"
# In-cluster object store used by the default install; disable it once S3 is wired in.
minio:
  image:
    tag: RELEASE.2024-04-18T19-09-19Z
  enabled: true
  nameOverride: "judge-minio"
# MinIO client companion deployment.
mc:
  nameOverride: "judge-mc"