Configure Genesys Authentication

From Genesys Documentation
Jump to: navigation, search
This topic is part of the manual Genesys Authentication Private Edition Guide for version Current of Genesys Authentication.

Learn how to configure Genesys Authentication.

Complete the steps on this page to configure your Genesys Authentication deployment.

Add Java KeyStore support (optional)

Complete the steps in this section to set up a Java KeyStore (JKS) if you need to configure Genesys Authentication to use JSON Web Token authentication. This method of authentication is currently used for WebRTC.

Create a keystore file:

keytool -keystore idp_keystore.jks -genkey -alias gws-auth-key -storepass <password> -keypass <password> -keyalg RSA

Get the Base64 encoded key:

cat ./idp_keystore.jks | base64

The result looks like this:

/u3+7QAAAAIAAAABAAAAAQAMZ3dzLWF1dGgta2V5AAABeRmB2Y4AAAUBMIIE/TAOBgorBgEEASoCEQEBBQAEggTpwQQ5aW5CUYAsf4/IheBuNrlPPyZhUA+NWh3SG52HV3sVjV+p18vKp2k/q12I9NynoM6R/DW5bFfEWU1zx3cfXH2kNirRUOIbNZpa43NOroyyF1GSdZFlwa8Kq8Xtp8ZBmiJdSb1n12ODaTKGKv1cb5tsfdzkWs99QeTBGJypHMCdnBvdFB0Nvid+yaxdmK3bdQlCwDgDOHZ2RnU0oxXebH3o+jIrrowyo7DidJDyUwIeT2PPPI9F88QsP+CdDRRR1T7t0ojd1hIJ8YYMwJ1wQmwgF4QZRbtrEnwXqkHinJnwOERcp4FLuceds6YTlcxvWsS+GEv38Jv8YokLwRb/mMACTHk4R9yASsd7fljgNLSn0jhrz9FuxvYgpOVvExiq+sb5YrfbZjtTzZDzFVOu/2kWzASfZBSiyyxMOr3IhUPkMpIrg+UYkI0tgn/C3yR1wLr9HElpx8fCu61ORqp8hhp1yvL46K0c6eTa2JcRpO6fmysf2EG0JagG7zNEJHlvtNnt3JpQV06xos2iWsFAtHq+9w8LwvCVbDzx/UHoCYenIdJ7SBv06mXgKisa3RDIi/y5x5/9T4brgCLUvwI4Z5Rf/oi2Zx5/lXjQXmBPlPAcUVHLr5PvNQUUx5NBr/ooioD7qka4ADF1/cx8I2bzqTi+U01fiFdMGRlNlCfcGDMI2h82JUeCswRYi4+dMDiSaGgC2MoL2susLxMYa5CTo9Vs0Y2k+6j8fhIO4h8h0JxdXZODU63OM0cDSUHXfbyKSey/4IhiV3k7W4OHYeXUeDvoNmfo/AriELZl+WgYETiXGsKzxmrsHrBKC0+aT098FwqdY9ACsM/7WoF2+9eftc7fa2jruutrRjmk0A/BaIqzboJLFiWaUUGV9gsexEmpGszikQsmOYSIRxY8BYF+SYldehcfcsRRxDnhTaGNV8y2ZnwA61FNPAFps3gaFXeaYsUzlxTSi9m70HJJrUp7JDK6SGg6luiKMG4O7QjsGgOOwGpoLJf7EFOCspN3t4damhH/KFi9OrEuAdhMJa+iQ21PBZ+iIwxb0y9xMReImoUtoqy6Epre3qMOS6MILLw2bVrxJYo38+hR5uzNdlbsUlpYOoorI1Hp8A/VEYtG9PDHEhhoqUamdUYUzkFDi9QZfylIgi8Jc4G4PPrPKgMPqqE7sl6bJvoLavU58eHpdWo/Mb9UtdTx+l/SlulCCE0Xce6M9YE1SyC2B3gd82zNQa81lx+QAY8IaSmX+C2nMz+UeXKngSEzguK6gXg9RwCs8pUavuLQ6uZGkJ+fhDBvDAFgD7hG1XdHs27XGSUsRq6GiiwmjZXsZ70ETIVmXfuSvGuYYpv4CKzIDvweGdbkUWap2oQqm6Sw+OkJLbim1aW4MSYGCZItLOM36108onELop0wTIMiZBv2cIaQ+WzbyKDXIi94ebntxu42GSeUn1IGDMGAa+vh4itLDV6yIXCRHCd9GM6JBj+SKXkn+J0FIZ257Kf4k3kg6rm9Ha1800NMB7ILrbJChCZd5bmDmMwUGsNrlar2Oa4S41Y81vmBQJlMzSvAS37gk3eFX3XLKtfn7+Dxq8aYRA0TQEMln0uUuoiNRZH8iaLwhpI4bEkaoSU/DT/KHRB7AHN5/vQpj6KOscxqmyPrgPY/+TseczEeaQLQ6MfjvXY+AAAAAQAFWC41MDkAAAN7MIIDdzCCAl+gAwIBAgIEYxhLHTANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIxMDQyODE3MjMzMFoXDTIxMDcyNzE3MjMzMFowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0300E4F3NDKRHYwrkqDgeUPwoIrozyLp6JvkCsOe1nj5L44vwJjnrYw9falOVDQ9ggwquwXoD5RNEf5/esYcJNEqu1btJLwLvhXb651OyZnsmeNGP2BrNCPXZS6CBReMMKJaZrlCwJQxiSrGPHB/gpxKoAowLwl3V7wB2BHKDhrczQBPdvtsfBAzeqpN/yRpdKZRAtu2LyGqRZKCglSrwYenJFqROdOeworbNmtIKXfQLiamE4KdhzQdPfnyBC7ZWtCIJUp9Va4LmCYD/ISOmVyfQ9Xql1rRNQLcVaewCKRM2ffBAkx98d3n79XUZDljOzHh+79tCpheuuYfbMQqMCAwEAAaMhMB8wHQYDVR0OBBYEFNtM8mIEb67VYot5tjDAdrhiq+31MA0GCSqGSIb3DQEBCwUAA4IBAQBued3SqK+1chAUpNz06Ceak2Ldzlz6MXxBZx6fx50odSY3C4rwywK31RSAAtCe/Ta4y+B6JcdPjFtII6Pf5W0DDTOa3cHNMeukYn5lBnaMbIKqoxFT7nM7MD3DB+dISvMu8FtVWFwbPzXWhl+Aycuu9ETGlCoJqYfl+vmLyGjJVadcUg4E3u7b29woO+bH9pagJErfi7Wq0vaaqMtkKjfOSovMTwz5ruXSiCDZlxb8C8CEr9lkpT3F0G1XFaNNOHoZiZNwXFKLoLrdI2t3pOCYyhwYbGKGMyitRguYz490dxZ0G5R4kMo/YbN7be2QIJwmucIZzH7fkU90V+rmVZhl9Bo8ixuIJG/vZTxmEBaDqmhiP4w=

Make note of the following values - you need them to configure JKS support in the Helm chart:

  • Keystore filename
  • Keystore password
  • Key alias
  • Key password
  • Base64 encoded key

Configure a secret to access JFrog

If you haven't done so already, create a secret for accessing the JFrog registry:

kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>

Now map the secret to the default service account:

kubectl secrets link default <credential-name> --for=pull

Override Helm chart values

You can specify parameters for the deployment by overriding Helm chart values in the values.yaml file. See the Parameters table for a full list of overridable values.

For more information about how to override Helm chart values, see Overriding Helm chart values in the Setting up Genesys Multicloud CX Private Edition guide.

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that no user or group IDs are specified. For details, see Configure security below.

Parameters
Parameter Description Valid values Default
gws-core-auth The gws-core-auth image version tag. For example, 100.0.003.3508. A valid image version ""
gws-core-environment The gws-core-environment image version tag. For example, 100.0.003.1866. A valid image version ""
gws-ui-auth The gws-ui-auth image version tag. For example, 100.0.003.1328. A valid image version ""
image.imagePullSecrets The secret Kubernetes uses to get credentials to pull images from the registry. A valid secret []
image.pullPolicy Specifies when Kubernetes pulls images from the registry on start up. IfNotPresent or Always "IfNotPresent"
image.registry Docker registry address A valid registry URL ""
consul.discovery_register Specifies whether services are registered in Consul. true or false false
consul.discovery_tenants Enables tenant discovery through Consul. true or false true
consul.enabled Enables a connection to Consul. true or false false
consul.host The host of the local Consul agent. A valid URL "http://$(K8_HOST_IP)"
consul.port The port of the local Consul agent. A valid port 8500
consul.require_token Specifies whether Genesys Authentication reads the API token from a Kubernetes secret. true or false false
consul.secret.create Create or use an existing secret with the Consul API token. true or false false
consul.secret.name_override The name of the Kubernetes secret for Consul. A valid secret name nil
consul.secret.token The API token to access Consul. A valid API token nil
ingress.enabled Enables external ingress for Genesys Authentication. true or false true
ingress.frontend The host that is used by external ingress. A valid host "gauth.local"
ingress.annotations. Annotations that are applied to external ingress. See the Kubernetes documentation for details. A valid set of annotations as "name: value" nginx.ingress.kubernetes.io/proxy-body-size: "0"
ingress.tls_enabled Enables Transport Layer Security (TLS) on external ingress. true or false true
ingress.tls The name of the secret for Secure Sockets Layer (SSL) certificates. A valid secret name
- hosts:
  - gauth.local
  secretName: letsencrypt
internal_ingress.enabled Enables internal ingress for Genesys Authentication. true or false true
internal_ingress.frontend The host that is used by internal ingress. A valid host "gauth-int.local"
internal_ingress.annotations Annotations that are applied to internal ingress. See the Kubernetes documentation for details. A valid set of annotations as "name: value" nginx.ingress.kubernetes.io/proxy-body-size: "0"
internal_ingress.tls_enabled Enables Transport Layer Security (TLS) on internal ingress. true or false true
internal_ingress.tls The name of the secret for Secure Sockets Layer (SSL) certificates. A valid secret name
- hosts:
  - gauth-int.local
  secretName: letsencrypt
monitoring.enabled Specifies whether to deploy Custom Resource Definitions (CRD) for ServiceMonitors to determine which services should be monitored. true or false false
monitoring.interval The interval at which Prometheus scrapes metrics. A duration in seconds "15s"
monitoring.alarms Specifies whether to deploy CRD for PrometheusRules to define rules for alarms. true or false false
monitoring.alarmThresholds.redisKeys The threshold to trigger an alarm on the total number of keys in Redis. Number 5000000
monitoring.alarmThresholds.redisMaxMemoryPerentage The threshold to trigger an alarm for used Redis memory. Number 85
monitoring.dashboards Specifies whether to deploy ConfigMaps with Grafana Dashboards. true or false false
monitoring.pagerduty Enables alarms with a severity of CRITICAL. true or false true
optional.affinity Specifies the affinity and anti-affinity for Genesys Authentication pods. See the Kubernetes documentation for details. Object
podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
    - podAffinityTerm:
        labelSelector:
          matchLabels:
            gauth: '{{ .gauth }}'
            app.kubernetes.io/name: '{{ include "auth.name" . }}'
            app.kubernetes.io/instance: '{{ .Release.Name }}'
        topologyKey: failure-domain.beta.kubernetes.io/zone
      weight: 100
optional.dnsConfig Specifies custom DNS settings for Genesys Authentication pods. See the Kubernetes documentation for details. Object
options:
  - name: ndots
    value: "3"
optional.dnsPolicy Specifies the DNS policy for Genesys Authentication pods. See the Kubernetes documentation for details. "Default", "ClusterFirst", "ClusterFirstWithHostNet", or "None" "ClusterFirst"
optional.nodeSelector The labels Kubernetes uses to assign pods to nodes. See the Kubernetes documentation for details. Object {}
optional.priorityClassName The class name Kubernetes uses to determine the priority of a pod relative to other pods. See the Kubernetes documentation for details. A valid priority class name ""
optional.securityContext Specifies the privilege and access control settings Genesys Authentication pods. See Configure security for details. Object {}
optional.strategy Specifies details for the rolling update strategy Genesys Authentication uses to upgrade it containers. See the Kubernetes documentation for details. Object
type: RollingUpdate
rollingUpdate:
  maxSurge: 10
  maxUnavailable: 0
optional.tolerations The tolerations Kubernetes uses for advanced pod scheduling. See the Kubernetes documentation for details. Object []
podDisruptionBudget.create Specifies whether to create a PodDisruptionBudget. See the Kubernetes documentation for details. true or false false
podDisruptionBudget.spec Specifies the details of your PodDisruptionBudget. See the Kubernetes documentation for details. A valid spec that defines a value for either minAvailable or maxUnavailable. Do not specify .spec.selector because it is calculated by Helm. minAvailable: 2
pod_autoscaler.auth.enabled Enables the Horizontal Pod Autoscaler for the Authentication Service. See the Kubernetes documentation for details. true or false false
pod_autoscaler.auth.maxReplicas Specifies the maximum number of Authentication Service replicas the Horizontal Pod Autoscaler controller will scale. Number 10
pod_autoscaler.auth.metrics Specifies resource metrics the Horizontal Pod Autoscaler controller uses to scale Authentication Service pods up or down. See the Kubernetes documentation for details. Object
- type: Resource
  resource:
    name: cpu
    target:
      type: Utilization
      averageUtilization: 350%
pod_autoscaler.environment.enabled Enables the Horizontal Pod Autoscaler for the Environment Service. See the Kubernetes documentation for details. true or false false
pod_autoscaler.environment.maxReplicas Specifies the maximum number of Environment Service replicas the Horizontal Pod Autoscaler controller will scale. Number 10
pod_autoscaler.environment.metrics Specifies resource metrics the Horizontal Pod Autoscaler controller uses to scale Environment Service pods up or down. See the Kubernetes documentation for details. Object
- type: Resource
  resource:
    name: cpu
    target:
      type: Utilization
      averageUtilization: 350%

postgres.deploy Specifies whether to deploy PostgreSQL. Set this option for lab environments only. true or false false
postgres.image Specifies the Docker image to use in the lab environment if postgres.deploy=true. A Docker image "postgres:11-alpine"
postgres.configmap.create Specifies whether Genesys Authentication creates a ConfigMap with PostgreSQL connection parameters. If the value is false, you must create the ConfigMap manually. true or false false
postgres.configmap.name_override The name of the ConfigMap. A value name nil
postgres.db The name of Genesys Authentication's PostgreSQL database. A valid database name nil
postgres.host The host of the PostgreSQL instance. A valid host nil
postgres.port The port of the PostgreSQL instance. A valid port nil
postgres.username The username to access Genesys Authentication's PostgreSQL database. A valid username nil
postgres.password The password to access Genesys Authentication's PostgreSQL database. A valid password nil
postgres.secret.create Specifies whether to create a Kubernetes secret with user credentials for PostgreSQL. If this value is false, you must create the secret manually. true or false false
postgres.secret.name_override The name of the PostgreSQL secret. A valid name nil
redis.cluster_nodes The Redis nodes in your cluster. For example, "redis-cluster1:7000,redis-cluster2:7002". A comma-separated list of "host:port" pairs nil
redis.configmap.create Specifies whether to create a ConfigMap with connection parameters for Redis. If this value is false, you must create the ConfigMap manually. true or false false
redis.configmap.name_override The name of the Redis ConfigMap. A valid name nil
redis.deploy Specifies whether to deploy a Redis cluster. Set this option for lab environments only. true or false false
redis.image Specifies the Docker image to use in the lab environment if redis.deploy=true. A Docker image "redis:5-stretch"
redis.password The Redis password. A valid password nil
redis.password_required Specifies whether Genesys Authentication should read the Redis password from a Kubernetes secret. true or false false
redis.secret.create Specifies whether to create a Kubernetes secret with Redis password. If this value is false, you must create the secret manually. true or false false
redis.secret.name_override The name of the Redis secret. A valid name nil
redis.use_tls Enable or disable a TLS connection to the Redis cluster. true or false false
serviceAccount.create Specifies whether to create a service account. true or false false
serviceAccount.name The name of the service account to use. A service account name ""
serviceAccount.annotations Annotations to add to the service account. See the Kubernetes documentation for details. A valid set of labels as "name: value" {}
services.initContainers Optional init containers to add to Genesys Authentication deployments. Object {}
services.location Location of the deployment. For example, "/USW1". A valid location. "/"
services.replicas The number of Genesys Authentication pod replicas to deploy. Number 3
services.db.init Enable automatic updates for the database schema. true or false true
services.db.poolCheckoutTimeout The database pool timeout. Number 3000
services.db.poolSize The database pool size. Number 3
services.db.ssl Enable or disable an SSL connection to PostgreSQL. See the PostgreSQL documentation for details about SSL modes. disable, prefer, require, verify-ca, or verify-full "disable"
services.auth.loglevel Specifies the log level for the Authentication Service. INFO, DEBUG, WARN DEBUG
services.auth.deploymentAnnotations Annotations for Authentication Service deployment objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.auth.env.GWS_AUTH_SECURITY_HTTP_SCHEME_HEADER_NAME The name of the header with protocol. This value can be used when HTTPS is terminated by the load balancer. A valid header name "X-Forwarded-Proto"
services.auth.env.GWS_AUTH_timeouts_requestTimeoutMs The Authentication Service request timeout. A value in milliseconds 30000
services.auth.env.JAVA_TOOL_OPTIONS Specifies JVM arguments to set in the JAVA_TOOL_OPTIONS environment variable. Valid JVM arguments "-XX:+PrintFlagsFinal -XX:+UseG1GC -Dfile.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -XX:MaxRAMPercentage=80.0"
services.auth.env.GWS_AUTH_logging_level_com_genesys_gws_v3 Specifies the log level for the Authentication Service. INFO, DEBUG, WARN DEBUG
services.auth.env.GWS_AUTH_http_headers_frame_options Specifies the value of the X-Frame-Options HTTP response header. SAMEORIGIN, DENY, DISABLE, ALLOW ALLOW
services.auth.jks.enabled Specifies whether Genesys Authentication uses Java KeyStore. See Add JKS support for details. This value must be set to true for Security Assertion Markup Language single sign-on (SAML SSO) functionality. true or false false
services.auth.jks.keyAlias The name of the key alias in the keystore used by the Authentication Service. This value comes from Add JKS support. A valid key alias nil
services.auth.jks.keyPassword The keystore password from Add JKS support. A valid keystore password nil
services.auth.jks.keyStore The name of the Java keystore file from Add JKS support. A valid keystore name "jksStorage.jks"
services.auth.jks.keyStorePassword The keystore password from Add JKS support. A valid keystore password nil
services.auth.jks.secret.create Specifies whether to create a new secret with the keystore file content and keystore credentials. true or false true
services.auth.jks.keyStoreFileData The Base64 encoded key value from Add JKS support. A valid key nil
services.auth.jks.secret.name A Kubernetes secret name with the keystore credentials and content. A valid secret name nil
services.auth.jks.sso.enabled Specifies whether to enable SAML SSO functionality. true or false false
services.auth.livenessProbe Specifies parameters for the livenessProbe. See the Kubernetes documentation for details. Object
livenessProbe:
  httpGet:
    path: /health
    port: management
  initialDelaySeconds: 120
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 3
  failureThreshold: 3
services.auth.readinessProbe Specifies parameters for the readinessProbe. See the Kubernetes documentation for details. Object
readinessProbe:
  httpGet:
    path: /health
    port: management
  initialDelaySeconds: 30
  timeoutSeconds: 3
  periodSeconds: 10
services.auth.replicas The number of Authentication Service pod replicas to deploy. This value overrides services.replicas. Number nil
services.auth.resources The requests and limits for Authentication Service pod resources. See the Kubernetes documentation for details. Object
requests:
  cpu: 500m
  memory: 4Gi
limits:
  cpu: "4"
  memory: 6Gi
services.auth.serviceAnnotations Annotations for Authentication Service service objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.auth_ui.deploymentAnnotations Annotations for Authentication UI deployment objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.auth_ui.env.GWS_NGINX_ENABLE_MAPPING Use Consul to discover Auth Service "false"
services.auth_ui.livenessProbe Specifies parameters for the livenessProbe. See the Kubernetes documentation for details. Object {}
services.auth_ui.readinessProbe Specifies parameters for the readinessProbe. See the Kubernetes documentation for details. Object {}
services.auth_ui.replicas The number of Authentication UI pod replicas to deploy. This value overrides services.replicas. Number nil
services.auth_ui.resources The requests and limits for Authentication UI pod resources. See the Kubernetes documentation for details. Object
requests:
  cpu: 100m
  memory: 500Mi
limits:
  cpu: 500m
  memory: 1Gi
services.auth_ui.serviceAnnotations Annotations for Authentication UI service objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.environment.loglevel Specifies the log level for the Environment Service. INFO, DEBUG, WARN INFO
services.environment.deploymentAnnotations Annotations for Environment Service deployment objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.environment.env.JAVA_TOOL_OPTIONS Specifies JVM arguments to set in the JAVA_TOOL_OPTIONS environment variable. Valid JVM arguments "-XX:+PrintFlagsFinal -XX:+UseG1GC -Dfile.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -XX:MaxRAMPercentage=80.0"
services.environment.env.GWS_ENVIRONMENT_logging_level_com_genesys_gws_v3 Specifies the log level for the Environment Service. INFO, DEBUG, WARN INFO
services.environment.force_writable Ignore the Data Center topology in a single-region deployment. true or false true
services.environment.livenessProbe Specifies parameters for the livenessProbe. See the Kubernetes documentation for details. Object
livenessProbe:
  httpGet:
    path: /health
    port: management
  initialDelaySeconds: 120
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 3
  failureThreshold: 3
services.environment.readinessProbe Specifies parameters for the readinessProbe. See the Kubernetes documentation for details. Object
readinessProbe:
  httpGet:
    path: /health
    port: management
  initialDelaySeconds: 30
  timeoutSeconds: 3
  periodSeconds: 10
services.environment.replicas The number of Environment Service pod replicas. This value overrides services.replicas. Number nil
services.environment.resources The requests and limits for Environment Service pod resources. See the Kubernetes documentation for details. Object
requests:
  cpu: 500m
  memory: 4Gi
limits:
  cpu: "4"
  memory: 6Gi
services.environment.serviceAnnotations Annotations for Authentication Service service objects. See the Kubernetes documentation for details. A valid set of annotations as "name: value" {}
services.secret.admin_password Encrypted password of the operational user. The password should be encrypted with bcrypt hashing with any number of rounds. You can generate an encrypted password on the following site: https://www.javainuse.com/onlineBcrypt A valid password nil
services.secret.admin_username The username of an operational user. A valid username nil
services.secret.client_id The ID of an encrypted client secret. A valid client ID nil
services.secret.client_secret The encrypted client secret. A valid client secret nil
services.secret.create Specifies whether to create the Kubernetes secret with the credentials of the operational user and client ID. true or false true
services.secret.name_override The name of the secret. A valid name nil
services.secrets.secretProviderClassNames.admin_user The name of the secretProviderClass with the operational user credentials. A valid class name "keyvault-gauth-admin-user"
services.secrets.secretProviderClassNames.client_credentials The name of the secretProviderClass with the client credentials. A valid class name "keyvault-gauth-client-credentials"
services.secrets.secretProviderClassNames.consul_token The name of the secretProviderClass with the Consul token. A valid class name "keyvault-consul-consul-gauth-token"
services.secrets.secretProviderClassNames.jks_credentials The name of the secretProviderClass with the JKS credentials. A valid class name "keyvault-gauth-jks-credentials"
services.secrets.secretProviderClassNames.jks_keyvault The name of the secretProviderClass with the JKS keystore. A valid class name "keyvault-gauth-jks-keyvault"
services.secrets.secretProviderClassNames.pg_user The name of the secretProviderClass with PostgreSQL credentials. A valid class name "keyvault-gauth-pg-user"
services.secrets.secretProviderClassNames.redis_password The name of the secretProviderClass with the Redis password. A valid class name "keyvault-gauth-redis-password"
services.secrets.useSecretProviderClass Specifies whether to read secrets from the secretProviderClass instead of Kubernetes secrets. true or false false

Configure Kubernetes

The sections below provide more information about configuring Kubernetes.

ConfigMaps

Genesys Authentication includes separate ConfigMaps for PostgreSQL and Redis configuration.

PostgreSQL - configmap-pg.yaml

{{- if or .Values.postgres.configmap.create .Values.postgres.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "configmap.postgres" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gauth.labels" . | nindent 4 }}
    gauth: postgres
data:
  db: {{ required "Missing required parameter 'postgres.password'" .Values.postgres.db |quote}}
  host: {{ default ( include "name.postgres" . ) .Values.postgres.host |quote}}
  port: {{ default ( include "port.postgres.service" . ) .Values.postgres.port |quote }}
  {{- end }}

Redis - configmap-redis.yaml

{{ if or .Values.redis.configmap.create .Values.redis.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "configmap.redis" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gauth.labels" . | nindent 4 }}
    gauth: redis
data:
  cluster_nodes: {{ default ( include "service.redis" . ) .Values.redis.cluster_nodes | quote}}
  {{end}}

Secrets

The following Genesys Authentication services artifacts are stored as Kubernetes secrets:

  • Administrator user credentials for the Authentication API and Environment API services.
  • OAuth 20 client IDs and client secrets for the Authentication API and Environment API services.
  • PostgreSQL database credentials for the Environment API service.
  • PostgreSQL database credentials for the Authentication API service.
  • Java keystore password for Authentication API service.
  • Credentials for access to a password-protected Redis (Access Key) for the Authentication API service.

Configure security

To learn more about how security is configured for private edition, be sure to read the Permissions and OpenShift security settings topics in the Setting up Genesys Multicloud CX Private Edition guide.

The security context settings define the privilege and access control settings for pods and containers.

By default, the user and group IDs are set in the values.yaml file as 500:500:500, meaning the genesys user.

optional:
  securityContext:
    runAsUser: 500
    runAsGroup: 500
    fsGroup: 500
    runAsNonRoot: true

Arbitrary UIDs in OpenShift

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that you do not define any specific IDs.

optional:
  securityContext:
    runAsUser: null
    runAsGroup: 0
    fsGroup: null
    runAsNonRoot: true

For details about these parameters and possible values, see optional.securityContext.* in the Parameters table above.