identity-server

A Helm chart for WSO2 Identity server. This Helm chart can be used to deploy highly available and scalable WSO2 identity server deployment.

From this Helm chart, WSO2 Identity server pods are deployed and exposed through Kubernetes ingress resource. Also in advanced setup, you can configure, Kubernetes persistence volume for sharing runtime artifacts, Kubernetes secret provider class for securing secrets, Kubernetes horizontal pod autoscaling(HPA) and Kubernetes pod disruption budget(PDB). Additionally, pod affinity is configured to increase the high availability.

Required permission

User or service principle who installs the Helm chart, needs to possess actions "create", "get", "list", "update", "delete" on following K8s kinds,

Kind	API Version
ConfigMap	v1
Deployment	apps/v1
HorizontalPodAutoscaler	autoscaling/v1
Ingress	networking.k8s.io/v1
PersistentVolume	v1
PersistentVolumeClaim	v1
PodDisruptionBudget	policy/v1
Role	rbac.authorization.k8s.io/v1
RoleBinding	rbac.authorization.k8s.io/v1
SecretProviderClass	secrets-store.csi.x-k8s.io/v1
Service	v1
ServiceAccount	v1
Secret	v1

Quick Start Guide

Prerequisites

Kubernetes ingress controller. Default integration is Kubernetes Nginx ingress controller.
An active WSO2 Subscription.

Add the WSO2 Helm chart repository.

helm repo add wso2 https://helm.wso2.com && helm repo update

Set up environment variables

export NAMESPACE=<Kubernetes Namespace to which you desire to deploy the Kubernetes resources>
export RELEASE_NAME=<Helm relase name for the deployment>
export WSO2_USERNAME=<WSO2 subscription account username>
export WSO2_PASSWORD=<WSO2 subscription account password>

Create Kubernetes namespace

kubectl get namespace ${NAMESPACE} || kubectl create namespace ${NAMESPACE}

Install Helm chart from Helm repository

 helm install "$RELEASE_NAME" wso2/identity-server --version 7.0.0-1 -n "${NAMESPACE}" \
 --set wso2.subscription.username="$WSO2_USERNAME" \
 --set wso2.subscription.password="$WSO2_PASSWORD"

Install Chart From Source

In the context of this document,

KUBERNETES_HOME will refer to a local copy of the wso2/kubernetes-is Git repository.

Clone the Helm Resources for WSO2 Identity Server Git repository.

git clone https://github.com/wso2/kubernetes-is.git

 helm install "$RELEASE_NAME" -n "${NAMESPACE}" . \
 --set wso2.subscription.username="$WSO2_USERNAME" \
 --set wso2.subscription.password="$WSO2_PASSWORD"

Obtain the external IP

Obtain the external IP (EXTERNAL-IP) of the Identity Server Ingress resource, by listing down the Kubernetes Ingresses.

kubectl get ing -n "$NAMESPACE"

The output under the relevant column stands for the following.

NAME: Metadata name of the Kubernetes Ingress resource
HOSTS: Hostname of the WSO2 Identity service
ADDRESS: External IP (EXTERNAL-IP) exposing the Identity service to outside of the Kubernetes environment
PORTS: Externally exposed service ports of the Identity service

Add a DNS record mapping the hostname and the external IP

If the defined hostname (in the previous step) is backed by a DNS service, add a DNS record mapping the hostname and the external IP (EXTERNAL-IP) in the relevant DNS service.

If the defined hostname is not backed by a DNS service, for the purpose of evaluation you may add an entry mapping the hostname and the external IP in the /etc/hosts file at the client-side.

<EXTERNAL-IP> <deployment.ingress.hostName>

4. Access Management Console, Console and My Account

Identity Server's Carbon Management Console: https://<deployment.ingress.hostName>/carbon
Identity Server's Console: https://<deployment.ingress.hostName>/console
Identity Server's My Account: https://<deployment.ingress.hostName>/myaccount

Advance setup

Install Helm chart on Azure Kubernetes service(AKS)

Prerequisites

Azure Kubernetes Service(AKS) with ACR integration.
Kubernetes ingress controller. Default integration is Kubernetes Nginx ingress controller.
Secrets Store CSI Driver and secrets-store-csi-driver-provider-azure to integrate secure vault.
If artifact persistence is enabled; Azure Storage account to cater persistence volume type ReadWriteMany access mode and a share is-share under the Azure storage account.
Azure Key Vault to integrate secure vault.
Pre-configured RDBMS. Please refer to documentation on setting up databases. In the following guide uses Azure MSQL database server.
Azure container registry where the identity server Docker image is hosted.

To set up the infrastructure layer you can use WSO2 Terraform modules

Create Kubernetes namespace

export NAMESPACE=<NAMESPACE>

kubectl get namespace ${NAMESPACE} || kubectl create namespace ${NAMESPACE}

Create a Kubernetes TLS secret for SSL termination at ingress controller. For this you need possess the SSL certificate and the key,

kubectl create secret tls is-tls \
--cert=path/to/cert/file \
--key=path/to/key/file \
-n ${NAMESPACE}

Create a Kubernetes secret for keystore files. It is required to have four Java keystore files for the deployment. Please refer to the documentation for more details and how to create key stores.
- Internal keystore(internal.jks): The key store which is used for encrypting/decrypting internal data
- Primary keystore(primary.jks): Certificates used for signing messages that are communicated with external parties(such SAML, OIDC id_token signing)
- TLS keystore(tls.jks): The key store which is used for tls communication.
- Client truststore(client-truststore.jks): Certificates of trusted third parties

kubectl create secret generic keystores \
--from-file=internal.jks \
--from-file=primary.jks \
--from-file=tls.jks \
--from-file=client-truststore.jks \
-n ${NAMESPACE}

Create Azure storage account secret for persistence volume.

Replace <AZURE_STORAGE_NAME> with Azure storage account name and <AZURE_STORAGE_KEY> with Azure storage account access key.

export AZURE_STORAGE_NAME='<AZURE_STORAGE_NAME>'
export AZURE_STORAGE_KEY='<AZURE_STORAGE_KEY>'

kubectl create secret generic azure-storage-csi \
--from-literal=azurestorageaccountname="${AZURE_STORAGE_NAME}" \
--from-literal=azurestorageaccountkey="${AZURE_STORAGE_KEY}" \
-n ${NAMESPACE}

Configure Azure key vault

Add internal.jks keystore password as the secret with the name INTERNAL-KEYSTORE-PASSWORD-DECRYPTED. Replace <AZURE_KEY_VAULT_NAME> with Azure Key vault name, <AZURE_SUBSCRIPTION_ID> with Azure subscription ID and <INTERNAL_KEYSTORE_PASSWORD_DECRYPTED> with internal keystore(internal.jks) password.

export AZURE_KEY_VAULT_NAME='<AZURE_KEY_VAULT_NAME>'
export AZURE_SUBSCRIPTION_ID='<AZURE_SUBSCRIPTION_ID>'
export INTERNAL_KEYSTORE_PASSWORD_DECRYPTED='<INTERNAL_KEYSTORE_PASSWORD_DECRYPTED>'

az login
az account set -s "${AZURE_SUBSCRIPTION_ID}"
az keyvault secret set --vault-name "${AZURE_KEY_VAULT_NAME}" --name "INTERNAL-KEYSTORE-PASSWORD-DECRYPTED" --value "${INTERNAL_KEYSTORE_PASSWORD_DECRYPTED}"

Create a Kubernetes secret to hold service principal credentials to access keyvault for secrets-store-csi-driver-provider-azure.

Replace <AZURE_KEY_VAULT_SP_APP_ID> with Azure active directory service principle application ID and <AZURE_KEY_VAULT_SP_APP_SECRET> with Azure active directory service principle application secret

export AZURE_KEY_VAULT_SP_APP_ID='<AZURE_KEY_VAULT_SP_APP_ID>'
export AZURE_KEY_VAULT_SP_APP_SECRET='<AZURE_KEY_VAULT_SP_APP_SECRET>'

kubectl create secret generic azure-kv-secret-store-sp \
--from-literal=clientid="${AZURE_KEY_VAULT_SP_APP_ID}" \
--from-literal=clientsecret="${AZURE_KEY_VAULT_SP_APP_SECRET}" \
-n ${NAMESPACE}

Encrypt secrets using WSO2 secure vault encryption

Following set of secure vault encrypted secrets are required for the deployment, please follow the guideline to encrypt secrets using WSO2 secure vault encryption. Make sure to use previously created internal.jks keystore for the WSO2 secure vault encryption.

export DATABASE_IDENTITY_ENCRYPTED_USER='<Identity database encrypted username >'
export DATABASE_IDENTITY_ENCRYPTED_PASSWORD='<Identity database encrypted user password >'
export DATABASE_SHARED_ENCRYPTED_USER='<Shared database encrypted username>'
export DATABASE_SHARED_ENCRYPTED_PASSWORD='<Shared database encrypted user password>'
export DATABASE_USER_ENCRYPTED_USER='<User database encrypted username>'
export DATABASE_USER_ENCRYPTED_PASSWORD='<User database encrypted user password>'
export DATABASE_CONSENT_ENCRYPTED_USER='<Consent database encrypted username>'
export DATABASE_CONSENT_ENCRYPTED_PASSWORD='<Consent database encrypted user password>'
export KEYSTORE_INTERNAL_ENCRYPTED_PASSWORD='<Internal key store encrypted password>'
export KEYSTORE_INTERNAL_ENCRYPTED_KEY_PASSWORD='<Internal key store key encrypted password>'
export KEYSTORE_PRIMARY_ENCRYPTED_PASSWORD='<Primary key store encrypted password>'
export KEYSTORE_PRIMARY_ENCRYPTED_KEY_PASSWORD='<Primary key store key encrypted password>'
export KEYSTORE_TLS_ENCRYPTED_PASSWORD='<TLS key store encrypted password>'
export KEYSTORE_TLS_ENCRYPTED_KEY_PASSWORD='<TLS key store key encrypted password>'
export SUPER_ADMIN_ENCRYPTED_USERNAME='<Super admin user encrypted username>'
export SUPER_ADMIN_ENCRYPTED_PASSWORD='<Super admin user encrypted password>'
export TRUSTSTORE_ENCRYPTED_PASSWORD='<Client truststore encrypted password>'
export IDENTITY_AUTH_FRAMEWORK_ENDPOINT_ENCRYPTED_APP_PASSWORD='<Encrypted app password>'
export SYMMETRIC_ENCRYPTED_KEY='<Encrypted symmetric key>'

Install Helm chart

Add the WSO2 Helm chart repository.

helm repo add wso2 https://helm.wso2.com && helm repo update

Replace <> places holders with values as below,

<IMAGE_REGISTRY_HOSTNAME>: Azure container register(ACR) hostname
<IMAGE_REPOSITORY_NAME>: Azure container register(ACR) identity server image repository name
<IMAGE_DIGEST>: Azure container register(ACR) identity server image digest
<AZURE_TENANT_ID>: Azure tenant ID of Azure Key vault
<AZURE_KEY_VAULT_NAME>: Azure Key vault name
<AZURE_KEY_VAULT_RG>: Azure resource group name of Key vault
<AZURE_KEY_VAULT_SP_APP_ID>: Azure application ID created under step 6
<DATABASE_IDENTITY_URL>: Identity database JDBC URL
<DATABASE_SHARED_URL>: Shared database JDBC URL
<DATABASE_USER_URL>: User database JDBC URL
<DATABASE_CONSENT_URL>: Consent database JDBC URL
<IS_HOSTNAME>: Identity server public hostname
<ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH>: Hash value of app password
<AZURE_SUBSCRIPTION_ID>: Azure subscription ID
<RELEASE_NAME>: Helm release name for the deployment

export IMAGE_REGISTRY_HOSTNAME='<IMAGE_REGISTRY_HOSTNAME>'
export IMAGE_REPOSITORY_NAME='<IMAGE_REPOSITORY_NAME>'
export IMAGE_DIGEST='<IMAGE_DIGEST>'
export AZURE_TENANT_ID='<AZURE_TENANT_ID>'
export AZURE_KEY_VAULT_NAME='<AZURE_KEY_VAULT_NAME>'
export AZURE_KEY_VAULT_RG='<AZURE_KEY_VAULT_RG>'
export AZURE_KEY_VAULT_SP_APP_ID='<AZURE_KEY_VAULT_SP_APP_ID>'
export DATABASE_IDENTITY_URL='<DATABASE_IDENTITY_URL>'
export DATABASE_SHARED_URL='<DATABASE_SHARED_URL>'
export DATABASE_USER_URL='<DATABASE_USER_URL>'
export DATABASE_CONSENT_URL='<DATABASE_CONSENT_URL>'
export IS_HOSTNAME='<IS_HOSTNAME>'
export ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH='<ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH>'
export NAMESPACE='<NAMESPACE>'
export AZURE_SUBSCRIPTION_ID='<AZURE_SUBSCRIPTION_ID>'
export RELEASE_NAME='<RELEASE_NAME>'

helm install "$RELEASE_NAME" wso2/identity-server --version 7.0.0-1  -n "${NAMESPACE}" \
--set deployment.image.registry="${IMAGE_REGISTRY_HOSTNAME}" \
--set deployment.image.repository="${IMAGE_REPOSITORY_NAME}" \
--set deployment.image.digest="${IMAGE_DIGEST}" \
--set deployment.ingress.hostName="${IS_HOSTNAME}" \
--set deploymentToml.account.recovery.endpoint.auth.hash="${ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH}" \
--set deploymentToml.database.identity.url="${DATABASE_IDENTITY_URL}" \
--set deploymentToml.database.identity.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \
--set deploymentToml.database.identity.type="mssql" \
--set deploymentToml.database.identity.username="${DATABASE_IDENTITY_ENCRYPTED_USER}" \
--set deploymentToml.database.identity.password="${DATABASE_IDENTITY_ENCRYPTED_PASSWORD}" \
--set deploymentToml.database.shared.url="${DATABASE_SHARED_URL}" \
--set deploymentToml.database.shared.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \
--set deploymentToml.database.shared.type="mssql" \
--set deploymentToml.database.shared.username="${DATABASE_SHARED_ENCRYPTED_USER}" \
--set deploymentToml.database.shared.password="${DATABASE_SHARED_ENCRYPTED_PASSWORD}" \
--set deploymentToml.database.user.url="${DATABASE_USER_URL}" \
--set deploymentToml.database.user.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \
--set deploymentToml.database.user.type="mssql" \
--set deploymentToml.database.user.username="${DATABASE_USER_ENCRYPTED_USER}" \
--set deploymentToml.database.user.password="${DATABASE_USER_ENCRYPTED_PASSWORD}" \
--set deploymentToml.database.consent.url="${DATABASE_CONSENT_URL}" \
--set deploymentToml.database.consent.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \
--set deploymentToml.database.consent.type="msql" \
--set deploymentToml.database.consent.username="${DATABASE_CONSENT_ENCRYPTED_USER}" \
--set deploymentToml.database.consent.password="${DATABASE_CONSENT_ENCRYPTED_PASSWORD}" \
--set deployment.externalJKS.enabled=true \
--set deploymentToml.keystore.internal.fileName="internal.jks" \
--set deploymentToml.keystore.internal.password="${KEYSTORE_INTERNAL_ENCRYPTED_PASSWORD}" \
--set deploymentToml.keystore.internal.keyPassword="${KEYSTORE_INTERNAL_ENCRYPTED_KEY_PASSWORD}" \
--set deploymentToml.keystore.primary.fileName="primary.jks" \
--set deploymentToml.keystore.primary.password="${KEYSTORE_PRIMARY_ENCRYPTED_PASSWORD}" \
--set deploymentToml.keystore.primary.keyPassword="${KEYSTORE_PRIMARY_ENCRYPTED_KEY_PASSWORD}" \
--set deploymentToml.keystore.tls.fileName="tls.jks" \
--set deploymentToml.keystore.tls.password="${KEYSTORE_TLS_ENCRYPTED_PASSWORD}" \
--set deploymentToml.keystore.tls.keyPassword="${KEYSTORE_TLS_ENCRYPTED_KEY_PASSWORD}" \
--set deploymentToml.superAdmin.password="${SUPER_ADMIN_ENCRYPTED_PASSWORD}" \
--set deploymentToml.superAdmin.username="${SUPER_ADMIN_ENCRYPTED_USERNAME}" \
--set deploymentToml.truststore.password="${TRUSTSTORE_ENCRYPTED_PASSWORD}" \
--set deploymentToml.identity.authFramework.endpoint.appPassword="${IDENTITY_AUTH_FRAMEWORK_ENDPOINT_ENCRYPTED_APP_PASSWORD}" \
--set deploymentToml.encryption.key="${SYMMETRIC_ENCRYPTED_KEY}" \
--set deployment.secretStore.enabled=true \
--set deployment.secretStore.azure.keyVault.name="${AZURE_KEY_VAULT_NAME}" \
--set deployment.secretStore.azure.keyVault.resourceGroup="${AZURE_KEY_VAULT_RG}" \
--set deployment.secretStore.azure.keyVault.resourceGroup="${AZURE_KEY_VAULT_RG}" \
--set deployment.secretStore.azure.keyVault.servicePrincipalAppID="${AZURE_KEY_VAULT_SP_APP_ID}" \
--set deployment.secretStore.azure.keyVault.subscriptionId="${AZURE_SUBSCRIPTION_ID}" \
--set deployment.secretStore.azure.keyVault.tenantId="${AZURE_TENANT_ID}" \
--set deployment.persistence.enabled=true

If it is required to add additional configuration other than what are parameterised in deployment.toml file, you can override the Helm value deploymentToml.extraConfigs

Compatibility

Kubernetes Version	Helm Version	Secrets Store CSI Driver Version	Compatibility Notes
v1.27.x	v3.xx	v1.3.0	Fully compatible.

Values

Key	Type	Default	Description
deployment.apparmor.profile	string	`"runtime/default"`	Apparmor profile
deployment.buildVersion	string	`"7.0.0"`	Product version
deployment.enableCorrelationLogs	bool	`false`	Enable correlation logs
deployment.externalJKS.enabled	bool	`false`	Mount external keystore and trustores
deployment.externalJKS.secretName	string	`"keystores"`	K8s secret name which contains JKS files
deployment.extraVolumeMounts	list	`[]`	Additional volumeMounts to the pods. All the configuration mounts should be done under the path "/home/wso2carbon/wso2-config-volume/"
deployment.extraVolumes	list	`[]`	Additional volumes to the pod.
deployment.hpa.averageUtilizationCPU	int	`65`	Average CPU utilization for HPA
deployment.hpa.averageUtilizationMemory	int	`75`	averageUtilizationMemory parameter should be greater than 75 if not un expected scaling will happen during rolling update.
deployment.hpa.enabled	bool	`false`	Enable HPA for the deployment
deployment.hpa.maxReplicas	int	`2`	Max replica count for HPA(Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
deployment.image.digest	string	`""`	Container image digest
deployment.image.imagePullSecret	string	`""`	image pull secret name
deployment.image.pullPolicy	string	`"Always"`	Refer to the Kubernetes documentation on updating images (Ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images)
deployment.image.registry	string	`"docker.wso2.com"`	Container image registry host name
deployment.image.repository	string	`"wso2is"`	Container image repository name
deployment.image.tag	string	`"7.0.0"`	Container image tag. Either "tag" or "digest" should defined
deployment.ingress.annotations."nginx.ingress.kubernetes.io/affinity"	string	`"cookie"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/backend-protocol"	string	`"HTTPS"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect"	string	`"true"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size"	string	`"64k"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering"	string	`"on"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none"	string	`"true"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-hash"	string	`"sha1"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-name"	string	`"paf"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-path"	string	`"/"`
deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-samesite"	string	`"None"`
deployment.ingress.enableNginxRateLimit	bool	`false`	Enable Nginx rate limiting
deployment.ingress.hostName	string	`"wso2is.com"`	Host name of the Identity server as Key Manager
deployment.ingress.ingressClassName	string	`"nginx"`	Ingress class name
deployment.ingress.tlsSecretsName	string	`"is-tls"`	K8s TLS secret for configured hostname
deployment.livenessProbe	object	`{"periodSeconds":10}`	Indicates whether the container is running
deployment.livenessProbe.periodSeconds	int	`10`	How often (in seconds) to perform the probe
deployment.pdb.minAvailable	string	`"50%"`	Minimum availability for PDB
deployment.persistence.azure.enabled	bool	`true`	Enable persistence for artifact sharing using Azure file share
deployment.persistence.azure.fileShare	string	`"is-share"`	Names of Azure File shares for persisted data
deployment.persistence.azure.secretName	string	`"azure-storage-csi"`	K8s secret name for the Azure file share CI driver
deployment.persistence.capacity	string	`"100Gi"`	Define capacity for persistent runtime artifacts which are shared between instances of the Identity Server profile
deployment.persistence.enabled	bool	`false`	Enable persistence for artifact sharing
deployment.persistence.subPaths.tenants	string	`"tenants"`	Azure storage account tenants file share path
deployment.persistence.subPaths.userstores	string	`"userstores"`	Azure storage account userstores file share path
deployment.preStopHookWaitSeconds	int	`10`	preStopHookWaitInSeconds waits before calling server stop in the pre stop hook.
deployment.productPackName	string	`"wso2is"`	Product pack name
deployment.progressDeadlineSeconds	int	`600`	Progress deadline seconds where the Deployment controller waits before indicating (in the Deployment status) that the Deployment progress has stalled.
deployment.readinessProbe	object	`{"initialDelaySeconds":60,"periodSeconds":10}`	Indicates whether the container is ready to service requests
deployment.readinessProbe.initialDelaySeconds	int	`60`	Number of seconds after the container has started before readiness probes are initiated
deployment.readinessProbe.periodSeconds	int	`10`	How often (in seconds) to perform the probe
deployment.replicas	int	`1`	Number of deployment replicas
deployment.resources.jvm.javaOpts	string	`"-Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Dhttpclient.hostnameVerifier=Strict -Djdk.tls.client.protocols=TLSv1.2 -Djava.util.prefs.systemRoot=/home/wso2carbon/.java -Djava.util.prefs.userRoot=/home/wso2carbon/.java/.userPrefs"`	JVM parameters
deployment.resources.jvm.memOpts	string	`"-Xms2048m -Xmx2048m"`	JVM memory options
deployment.resources.limits.cpu	string	`"3"`	The maximum amount of CPU that should be allocated for a Pod
deployment.resources.limits.memory	string	`"4Gi"`	The maximum amount of memory that should be allocated for a Pod
deployment.resources.requests	object	`{"cpu":"2","memory":"2Gi"}`	as per official documentation (Ref: https://is.docs.wso2.com/en/latest/setup/installation-prerequisites/)
deployment.resources.requests.cpu	string	`"2"`	The minimum amount of CPU that should be allocated for a Pod
deployment.resources.requests.memory	string	`"2Gi"`	The minimum amount of memory that should be allocated for a Pod
deployment.secretStore.azure.enabled	bool	`true`	Enable Azure Key Vault integration.
deployment.secretStore.azure.keyVault.name	string	`""`	Name of the target Azure Key Vault instance
deployment.secretStore.azure.keyVault.resourceGroup	string	`""`	Name of the Azure Resource Group to which the target Azure Key Vault belongs
deployment.secretStore.azure.keyVault.secretName	string	`"INTERNAL-KEYSTORE-PASSWORD-DECRYPTED"`	Azure Key Vault secret name of the internal keystore password
deployment.secretStore.azure.keyVault.servicePrincipalAppID	string	`""`	Service Principal created for transacting with the target Azure Key Vault Ref: https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/service-principal-mode.md
deployment.secretStore.azure.keyVault.subscriptionId	string	`""`	Subscription ID of the target Azure Key Vault
deployment.secretStore.azure.keyVault.tenantId	string	`""`	Azure Active Directory tenant ID of the target Key Vault
deployment.secretStore.azure.nodePublishSecretRef	string	`"azure-kv-secret-store-sp"`	The name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault. Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault
deployment.secretStore.enabled	bool	`false`	Enable secure vault with secret store CSI driver
deployment.securityContext.runAsUser	int	`802`	Run as user ID
deployment.securityContext.seccompProfile.type	string	`"RuntimeDefault"`	Seccomp profile type
deployment.startupProbe	object	`{"failureThreshold":30,"initialDelaySeconds":60,"periodSeconds":5}`	Startup probe executed prior to Liveness Probe taking over
deployment.startupProbe.failureThreshold	int	`30`	Number of attempts
deployment.startupProbe.initialDelaySeconds	int	`60`	Number of seconds after the container has started before startup probes are initiated
deployment.startupProbe.periodSeconds	int	`5`	How often (in seconds) to perform the probe
deployment.strategy.rollingUpdate.maxSurge	int	`1`	The maximum number of pods that can be scheduled above the desired number of pods
deployment.strategy.rollingUpdate.maxUnavailable	int	`0`	The maximum number of pods that can be unavailable during the update
deployment.terminationGracePeriodSeconds	int	`40`	Pod termination grace period. K8s API server waits this period after pre stop hook and sending TERM signal
deploymentToml.account.recovery.endpoint.auth.hash	string	`"66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"`	Configure client authentication app password hash. Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication
deploymentToml.clustering.domain	string	`"wso2.is.domain"`	Cluster domain
deploymentToml.clustering.enabled	bool	`true`	Enable clustering. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-hazelcast/
deploymentToml.clustering.localMemberPort	string	`"4001"`	This defines local member port
deploymentToml.clustering.membershipScheme	string	`"kubernetes"`	This defines membership schema type
deploymentToml.database.consent.driver	string	`"org.h2.Driver"`	The database JDBC driver
deploymentToml.database.consent.password	string	`"wso2carbon"`	The database password
deploymentToml.database.consent.poolOptions	string	`nil`	The database pool options
deploymentToml.database.consent.type	string	`"h2"`	The SQL server type(ex: mysql, mssql)
deploymentToml.database.consent.url	string	`"jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE"`	The database JDBC URL
deploymentToml.database.consent.username	string	`"wso2carbon"`	The database username
deploymentToml.database.identity.driver	string	`"org.h2.Driver"`	The database JDBC driver
deploymentToml.database.identity.password	string	`"wso2carbon"`	The password
deploymentToml.database.identity.poolOptions	string	`nil`	The database pool options
deploymentToml.database.identity.type	string	`"h2"`	The SQL server type(ex: mysql, mssql)
deploymentToml.database.identity.url	string	`"jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE"`	The database JDBC URL
deploymentToml.database.identity.username	string	`"wso2carbon"`	The database username
deploymentToml.database.shared.driver	string	`"org.h2.Driver"`	The database JDBC driver
deploymentToml.database.shared.password	string	`"wso2carbon"`	The database password
deploymentToml.database.shared.poolOptions	string	`nil`	The database pool options
deploymentToml.database.shared.type	string	`"h2"`	The SQL server type(ex: mysql, mssql)
deploymentToml.database.shared.url	string	`"jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"`	The database JDBC URL
deploymentToml.database.shared.username	string	`"wso2carbon"`	The database username
deploymentToml.database.user.driver	string	`"org.h2.Driver"`	The database JDBC driver
deploymentToml.database.user.password	string	`"wso2carbon"`	The database password
deploymentToml.database.user.poolOptions	string	`nil`	The database pool options
deploymentToml.database.user.type	string	`"h2"`	The SQL server type(ex: mysql, mssql)
deploymentToml.database.user.url	string	`"jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"`	The database JDBC URL
deploymentToml.database.user.username	string	`"wso2carbon"`	The database username
deploymentToml.encryption.key	string	`"3cc0481b70794667b5bee7e2beed2de4"`	Configure symmetric key encryption key. Ref https://is.docs.wso2.com/en/latest/deploy/security/symmetric-encryption/use-symmetric-encryption/
deploymentToml.extraConfigs	string	`nil`	Add custom configurations to deployment.toml.
deploymentToml.identity.authFramework.endpoint.appPassword	string	`"dashboard"`	Configure client authentication encrypted app password. Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication
deploymentToml.keystore.internal.alias	string	`"wso2carbon"`
deploymentToml.keystore.internal.fileName	string	`"wso2carbon.jks"`
deploymentToml.keystore.internal.keyPassword	string	`"wso2carbon"`
deploymentToml.keystore.internal.password	string	`"wso2carbon"`
deploymentToml.keystore.internal.type	string	`"JKS"`
deploymentToml.keystore.primary.alias	string	`"wso2carbon"`
deploymentToml.keystore.primary.fileName	string	`"wso2carbon.jks"`
deploymentToml.keystore.primary.keyPassword	string	`"wso2carbon"`
deploymentToml.keystore.primary.password	string	`"wso2carbon"`
deploymentToml.keystore.primary.type	string	`"JKS"`
deploymentToml.keystore.tls.alias	string	`"wso2carbon"`
deploymentToml.keystore.tls.fileName	string	`"wso2carbon.jks"`
deploymentToml.keystore.tls.keyPassword	string	`"wso2carbon"`
deploymentToml.keystore.tls.password	string	`"wso2carbon"`
deploymentToml.keystore.tls.type	string	`"JKS"`
deploymentToml.oauth.tokenCleanup	bool	`false`	Enable/Disable the internal token cleanup process. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/remove-unused-tokens-from-the-database/#!
deploymentToml.oauth.tokenGeneration.includeUsernameInAccessToken	bool	`false`	Add UserName Assertions in Access Tokens. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/enable-assertions-in-access-tokens/
deploymentToml.otp.email.addressRequestPage	string	`"https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp"`
deploymentToml.otp.email.authenticationEndpointErrorPage	string	`"https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp"`	Error page that will be displayed in case of an authentication failure.
deploymentToml.otp.email.authenticationEndpointURL	string	`"https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp"`	Authentication endpoint URL of the authenticator.
deploymentToml.otp.email.captureAndUpdateEmailAddress	bool	`true`
deploymentToml.otp.email.emailAddressRegex	string	`"(?<=.{1}).(?=.*@)"`
deploymentToml.otp.email.enableByUserClaim	bool	`true`
deploymentToml.otp.email.enabled	bool	`false`	Enable email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/mfa/email-otp-config-advanced/#email-otp-configurations
deploymentToml.otp.email.federatedEmailAttributeKey	string	`"email"`
deploymentToml.otp.email.mandatory	bool	`false`	This parmeter defines whether email OTP is enforced as the second step of the 2FA/MFA or not.
deploymentToml.otp.email.secondaryUserstore	string	`"primary"`	You can define multiple user stores per tenant as comma separated values.
deploymentToml.otp.email.sendOTPToFederatedEmailAttribute	bool	`false`
deploymentToml.otp.email.showEmailAddressInUI	bool	`true`
deploymentToml.otp.email.tokenExpirationTime	int	`300000`
deploymentToml.otp.email.useEventHandlerBasedEmailSender	bool	`true`
deploymentToml.otp.email.usecase	string	`"local"`	This parameter defines how the email ID will be retrieved.
deploymentToml.otp.email.userAccountLockEnabled	bool	`false`	Enable account locking by email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/
deploymentToml.otp.sms.authenticationEndpointErrorPage	string	`"/smsotpauthenticationendpoint/smsotpError.jsp"`
deploymentToml.otp.sms.authenticationEndpointURL	string	`"/smsotpauthenticationendpoint/smsotp.jsp"`
deploymentToml.otp.sms.backupCode	bool	`true`
deploymentToml.otp.sms.captureAndUpdateMobileNumber	bool	`true`
deploymentToml.otp.sms.directlyToMobile	bool	`false`
deploymentToml.otp.sms.enableByUserClaim	bool	`true`
deploymentToml.otp.sms.enabled	bool	`false`	Enable SMS OTP. Ref: https://is.docs.wso2.com/en/latest/guides/mfa/sms-otp-config-advanced/
deploymentToml.otp.sms.federatedMobile	bool	`false`
deploymentToml.otp.sms.federatedMobileAttributeKey	string	`"mobile"`
deploymentToml.otp.sms.mandatory	bool	`false`
deploymentToml.otp.sms.mobileNumberRegPage	string	`"/smsotpauthenticationendpoint/mobile.jsp"`
deploymentToml.otp.sms.redirectToMultiOptionPageOnFailure	bool	`false`
deploymentToml.otp.sms.resendEnable	bool	`true`
deploymentToml.otp.sms.retryEnable	bool	`true`
deploymentToml.otp.sms.secondaryUserstore	string	`"primary"`
deploymentToml.otp.sms.usecase	string	`"local"`
deploymentToml.otp.sms.userAccountLockEnabled	bool	`false`	Enable account locking by email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/
deploymentToml.outputAdapter.email.enableAuthentication	bool	`true`
deploymentToml.outputAdapter.email.enableStartTls	bool	`true`
deploymentToml.outputAdapter.email.enabled	bool	`false`	Enable the email sender. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-email-sending/#configure-the-email-sender-globally
deploymentToml.outputAdapter.email.fromAddress	string	`""`
deploymentToml.outputAdapter.email.hostname	string	`""`
deploymentToml.outputAdapter.email.password	string	`""`
deploymentToml.outputAdapter.email.port	int	`587`
deploymentToml.outputAdapter.email.username	string	`""`
deploymentToml.recaptcha.apiUrl	string	`""`
deploymentToml.recaptcha.enabled	bool	`false`	Enable reCAPTCHA. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-recaptcha/
deploymentToml.recaptcha.secretKey	string	`""`
deploymentToml.recaptcha.siteKey	string	`""`
deploymentToml.recaptcha.verifyUrl	string	`""`
deploymentToml.server.offset	string	`"0"`	Change default ports(Ref: https://is.docs.wso2.com/en/latest/references/default-ports-of-wso2-products/#:~:text=For%20each%20additional%20WSO2%20product,to%20the%20server%20during%20startup.)
deploymentToml.superAdmin.createAdminAccount	bool	`true`	Create Carbon console admin account
deploymentToml.superAdmin.password	string	`"admin"`	Carbon console admin account password
deploymentToml.superAdmin.username	string	`"admin"`	Carbon console admin account username
deploymentToml.totp.authenticationEndpointEnableTOTPPage	string	`"authenticationendpoint/totp_enroll.do"`
deploymentToml.totp.authenticationEndpointErrorPage	string	`"authenticationendpoint/totp_error.do"`
deploymentToml.totp.authenticationEndpointURL	string	`"authenticationendpoint/totp.do"`
deploymentToml.totp.authenticationMandatory	bool	`true`
deploymentToml.totp.enabled	bool	`false`
deploymentToml.totp.encodingMethod	string	`"Base32"`
deploymentToml.totp.enrolUserInAuthenticationFlow	bool	`true`
deploymentToml.totp.issuer	string	`"WSO2"`
deploymentToml.totp.secondaryUserstore	string	`"primary"`
deploymentToml.totp.timeStepSize	string	`"30"`
deploymentToml.totp.useCommonIssuer	bool	`true`
deploymentToml.totp.usecase	string	`"local"`
deploymentToml.totp.userAccountLockEnabled	bool	`false`	Enable account locking by OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/
deploymentToml.totp.windowSize	string	`"3"`
deploymentToml.transport.https.properties.server	string	`"WSO2 Carbon Server"`	Server name in HTTP response headers. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#change-the-server-name-in-http-response-headers
deploymentToml.transport.https.sslHostConfig.properties.ciphers	string	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"	Configure TSL ciphers in the HTTPS transport. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#disable-weak-ciphers
deploymentToml.transport.https.sslHostConfig.properties.protocols	string	`"+TLSv1, +TLSv1.1, +TLSv1.2, +TLSv1.3"`	Enabling SSL protocols in the HTTPS transport. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enabling-ssl-protocols-in-the-wso2-is
deploymentToml.transport.thrift.ciphers	string	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"	Configure TSL ciphers in ThriftAuthenticationService. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice
deploymentToml.transport.thrift.protocols	string	`"TLSv1,TLSv1.1,TLSv1.2"`	Enabling SSL protocols in ThriftAuthenticationService. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice
deploymentToml.truststore.fileName	string	`"client-truststore.jks"`
deploymentToml.truststore.password	string	`"wso2carbon"`
deploymentToml.truststore.type	string	`"JKS"`
deploymentToml.userAccountLock.enabled	bool	`true`	Enable user account lock. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-account/
deploymentToml.userAccountLock.loginAttempts.allowedFailedAttempts	int	`5`	This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. If the value you specify is 2, the account gets locked if the login attempt fails twice.
deploymentToml.userAccountLock.loginAttempts.autoUnlockAfter	int	`5`	The time specified here is in minutes. Authentication can be attempted once this time has passed.
deploymentToml.userAccountLock.loginAttempts.autoUnlockTimeIncrementRatio	int	`2`	This indicates how much the account unlock timeout is incremented by after each failed login attempt
deploymentToml.userStore.type	string	`"database_unique_id"`
k8sKindAPIVersions	object	`{"configMap":"v1","deployment":"apps/v1","horizontalPodAutoscaler":"autoscaling/v1","ingress":"networking.k8s.io/v1","persistentVolume":"v1","persistentVolumeClaim":"v1","podDisruptionBudget":"policy/v1","role":"rbac.authorization.k8s.io/v1","roleBinding":"rbac.authorization.k8s.io/v1","secret":"v1","secretProviderClass":"secrets-store.csi.x-k8s.io/v1","service":"v1","serviceAccount":"v1"}`	K8s API versions for K8s kinds
k8sKindAPIVersions.configMap	string	`"v1"`	K8s API version for kind ConfigMap
k8sKindAPIVersions.deployment	string	`"apps/v1"`	K8s API version for kind Deployment
k8sKindAPIVersions.horizontalPodAutoscaler	string	`"autoscaling/v1"`	K8s API version for kind HorizontalPodAutoscaler
k8sKindAPIVersions.ingress	string	`"networking.k8s.io/v1"`	K8s API version for kind Ingress
k8sKindAPIVersions.persistentVolume	string	`"v1"`	K8s API version for kind PersistentVolume
k8sKindAPIVersions.persistentVolumeClaim	string	`"v1"`	K8s API version for kind PersistentVolumeClaim
k8sKindAPIVersions.podDisruptionBudget	string	`"policy/v1"`	K8s API version for kind PodDisruptionBudget
k8sKindAPIVersions.role	string	`"rbac.authorization.k8s.io/v1"`	K8s API version for kind Role
k8sKindAPIVersions.roleBinding	string	`"rbac.authorization.k8s.io/v1"`	K8s API version for kind RoleBinding
k8sKindAPIVersions.secret	string	`"v1"`	K8s API version for kind Secret
k8sKindAPIVersions.secretProviderClass	string	`"secrets-store.csi.x-k8s.io/v1"`	K8s API version for kind SecretProviderClass
k8sKindAPIVersions.service	string	`"v1"`	K8s API version for kind Service
k8sKindAPIVersions.serviceAccount	string	`"v1"`	K8s API version for kind ServiceAccount
wso2.subscription.password	string	`""`	WSO2 account password
wso2.subscription.username	string	`""`	WSO2 account username

Name		Name	Last commit message	Last commit date
Latest commit History 450 Commits
confs		confs
images		images
templates		templates
.gitignore		.gitignore
.helmignore		.helmignore
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
Chart.yaml		Chart.yaml
LICENSE		LICENSE
README.md		README.md
issue_template.md		issue_template.md
pull_request_template.md		pull_request_template.md
values.yaml		values.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

identity-server

Required permission

Quick Start Guide

Prerequisites

Install Chart From Source

Clone the Helm Resources for WSO2 Identity Server Git repository.

4. Access Management Console, Console and My Account

Advance setup

Install Helm chart on Azure Kubernetes service(AKS)

Prerequisites

Compatibility

Values

About

Releases 17

Packages

Contributors 33

Languages

License

wso2/kubernetes-is

Folders and files

Latest commit

History

Repository files navigation

identity-server

Required permission

Quick Start Guide

Prerequisites

Install Chart From Source

Clone the Helm Resources for WSO2 Identity Server Git repository.

4. Access Management Console, Console and My Account

Advance setup

Install Helm chart on Azure Kubernetes service(AKS)

Prerequisites

Compatibility

Values

About

Topics

Resources

License

Stars

Watchers

Forks

Releases 17

Packages 0

Contributors 33

Languages

Packages