Deployment Instructions
Support for on-premises deployments, including those using Containers, ended on December 31, 2023.
For more information, please see our OneSpan Product Life Cycle page, and consult the OneSpan End of Life policy.
For any additional questions contact your Customer Service Representative.
_____________________________________________________________________________________
The following sections contain instructions for deploying OneSpan Sign containers:
Before You Begin
Before you begin, you must ensure that your system satisfies the deployment's hardware and software prerequisites.
You must also have installed the following third-party tools:
For information on installing and configuring these tools, click their links in the above list.
We strongly recommend that you block external access to all local paths:
/sysinfo/*
/esep/admin-console/*
/backoffice/*
/sso/saml/web/metadata/login
Downloading the OneSpan Sign Helm chart
To download the latest Helm Chart, contact your Customer Service Representative or our our Support Team.
Securing Access to the Docker Registry
Before you begin deploying the containers, you must obtain access to the OneSpan Sign Docker Registry. That will enable you to pull OneSpan Sign Docker images during the Helm installation. To obtain that access, you must create a suitable Kubernetes secret object in your namespace.
The following sample regcred.yaml file illustrates how to declare a registry secret:
apiVersion: v1 data: .dockerconfigjson: abcdefghijklmn kind: Secret metadata: name: regcred type: kubernetes.io/dockerconfigjso
Once that's done, you can create a Kubernetes secret object in your target namespace:
$ kubectl apply -f regcred.yaml -namespace my-namespace
The above actions must be completed before you continue.
For more information on creating Kubernetes secrets, see Kubernetes Secrets.
Configuring the Helm Chart
The following sections discuss various aspects of configuring the Helm chart:
Specifying a Public URL & Container Registry
OneSpan Sign's installation requires a public service URL and an accurate container registry. The following example illustrates one way of specifying these things:
global: publicUrl: "<url>" # Public Edge/Loadbalancer Url containerRegistry: "onespan.jfrog.io/oss-onprem-docker-local" # Global registry for all containers
If you are using a separate repository for each component (as in our jfrog repository), you must provide the repository argument for each component. For example:
envoy-load-balancer: repository: oss-gateway sysinfo: repository: oss-system-information sender-ui: repository: oss-sender-ui signer-ui: repository: oss-signer-ui backend-admin: repository: oss-backend-admin backend: repository: oss-backend backend-database-setup: repository: oss-backend-database-setup oracleRepository: oss-platform-database-setup platform: repository: oss-platform platform-admin: repository: oss-platform-admin platform-database-setup: repository: oss-platform-database-setup oracleRepository: oss-platform-database-setup aspose-document-converter: repository: oss-aspose-pdf-converter document-engine: repository: oss-document-engine sso: enabled: true repository: oss-single-sign-on platform-seed: repository: oss-resource-manager-tenant-seeds
Adding SMTP Server External Certificates
The following procedure adds external certificates from an SMTP server to a OneSpan Sign Container environment.
To add external certificates from an SMTP server:
-
In the my-values.yaml file, update the customCA property to include your SMTP server certificates (e.g., Outlook, Google.com).
Your custom Certificate Authority (CA) bundle should be in a PEM (Privacy Enhanced Mail) format. It should contain the CA bundle of certificates that are to be trusted by the Java application. This allows the backend or backend-admin to interact with the SMTP service (or any other service).
- If this your first time deploying OneSpan Sign Containers, continue with this procedure. If not, see Upgrading the OSS Container Deployment .
- Sign in to OneSpan Sign BackOffice. To do so, you must have appropriate administrator privileges. If you do not have these privileges, contact our Support Team. For more information on using BackOffice, see the Application Administrator's Guide.
- Update the file email.properties with your SMTP server configuration values. For example:
{
"email.endpoint" : "",
"email.service.type" : "smtpEmailService",
"email.stmp.host" : "smtp.office365.com",
"email.stmp.port" : "587",
"email.username" : "[email protected]",
"email.password" : "vP$Td&4************^En4xxhdD",
"email.stmp.ssl" : "false",
"email.stmp.tls" : "true"
}
Ensure that your domain is not blocked, and that all required ports are open to the cluster's network.
Viewing Default Parameter Values
To view the Helm Chart's default parameter values for OneSpan Sign:
-
Run the following command:
$ helm inspect values oss > default-values.yaml
This creates a default-values.yaml file that contains the default values.
The default-values.yaml file is a good place to start when you create your own customized my-values.yaml file, since it explains most commonly available values. Installing OneSpan Sign Using Helm instructs you to make that customization.
The following default values may be of particular interest:
-
targetDatabaseType: "mysql" — If you choose to use MySQL as the external database provider, you must edit the my-values.yaml file.
-
emailTemplateType: "smtp" — The default Email Service type for OneSpan Sign is SMTP. To receive system notifications, you must specify the following secrets:
emailAccessUserKey: "" emailSecretPasswordKey: "" emailSMTPHostServerName: ""
-
useExternalCertificates: "false" — By default, OneSpan Sign services are configured with self-signed certificates. However, we recommend using external certificates if you are in a non-development environment. For more information, see Installing Certificates.
The Helm Chart for OneSpan Sign supports external database servers. However, if you decide to use an external database server, you must provide the required connection information.
Validating the Helm Chart
Helm can validate a chart by connecting to the Kubernetes API server.
To validate the Helm Chart:
-
Run the following command:
$ helm install --dry-run oss oss \
-f my-values.yaml --debug \
--namespace my-namespace
If the validation is successful, it will render the manifest in the form of yamls (Kubernetes resources).
Debugging the Chart Configuration
Helm provides an offline "template" command that is useful for debugging charts, and for testing or previewing a chart configuration. This enables you to: (1) render a Helm Chart without applying its values; (2) then see the resources that the chart would create in your Kubernetes cluster.
To debug the Helm Chart's configuration:
-
Run the following command:
$ helm template --debug oss oss \
-f my-values.yaml \
--namespace my-namespace
Installing OneSpan Sign Using Helm
During the installation of Helm, in the background OneSpan Sign creates the following databases:
-
Core Database: A database used by the Core Component
-
OneSpan Sign Application Database: A database used by the OneSpan Sign Application
-
Audit Database: A database used by the Audit Service
During the initial configuration of these databases, there is a data-migration process and then a database-seeding process. These processes initialize basic parameter settings for the various OneSpan Sign components.
For explanations of most common available parameter values, see the file default-values.yaml.
The database-seeding process occurs only during the first upgrade. Any future upgrade will skip this process.
After you have configured and verified the Helm Chart, you can begin customizing your my-values.yaml file.
OneSpan will provide the my-values.yaml file, which you can then customize.
To customize and then apply the my-values.yaml file:
-
Inside the file, specify values for the following required parameters:
-
publicUrl
-
containerRegistry
For example:
global: publicUrl: "my-oss.mydomain.com" containerRegistry: "myregistry.com"
-
-
Specify the following values for the load balancer:
envoy-load-balancer: image: repository: oss-gateway externalCertificateMountPath: "/tmp/certificates" externalCertificate: true externalPublicKey: |- # If adding external public key to values, put cert underneath |- and not within quotations -----BEGIN CERTIFICATE----- puclic key in PEM format -----END CERTIFICATE----- externalPrivateKey: |- # If adding external private key to values, put cert underneath |- and not within quotations -----BEGIN RSA PRIVATE KEY----- private key in PEM format -----END RSA PRIVATE KEY----- -
After your initial setup, several optional components can be installed for the OneSpan Sign service. To specify parameter values for these components, you will need to edit them in the my-values.yaml file. For example:
- Prepare your my-values.yaml file by using the values specified in the section corresponding to the database you plan to use:
- Using an Existing Oracle Database
- Using an Existing MS SQL Database
- Using an Existing MYSQL Database
If you are using LunaHSM, see Using LunaHSM
sso: enabled: true remote-sign-authenticator: enabled: true
For advice on editing these values, refer to oss/README.md.
-
To install in the Kubernetes namespace my-namespace a OneSpan Sign release that uses the values specified in your my-values.yaml file, run the following command:
$ helm install oss oss \
-f my-values.yaml \
--namespace my-namespace
Using LunaHSM
If you are using LunaHSM, then additional configurations need to be made to the my-values.yaml file.
To customize and then apply the my-values.yaml file for use with LunaHSM:
-
Prepare the my-values.yaml file to deploy OSS helm charts, as described in Configuring the Helm Chart. As LunaHSM interacts with the document engine, you will need to provide the following document engine configurations.
document-engine: image: pullPolicy: Always repository: oss/document-engine/project ## Parameters for Luna HSM, set when hsm=lunahsm hsm: lunahsm lunahsm: hsmIp: # HSM IP address or FQDN, required for Luna Network(on-premise) HSM partitionPassword: # The partition password, required for Luna Network(on-premise) HSM partitionIp: # The partition name of your Luna HSM, required for Luna Network(on-premise) HSM slotId: # Slot number of the HSM partition the Luna HSM Client is connecting to cuUser: # Username for logging into the Luna HSM from the Luna HSM client, required for Luna Network(on-premise) HSM; note: as of this writing, this user must have "admin" user rights cuPassword: # Password for logging into the Luna HSM from the Luna HSM client, required for Luna Network(on-premise) HSM cuClient: # Client username registered in the partition if using the Luna Network(on-premise) HSM clientPublicIp: # Public IP of oss kubernetes cluster -
To install in the Kubernetes namespace my-namespace a OneSpan Sign release that uses the values specified in your my-values.yaml file, run the following command:
$ helm install oss oss \ -f my-values.yaml \ --namespace my-namespace - Login to the Platform Admin Console: https://{host}/esep/admin-console/main/index.htm
- Navigate to Manage Settings > PDF Document Engine> Resources and upload the following certificates:
- ca-sha256-root_cert.pem
- CMG7_cert.pem
- intrm-sha256-2_cert.pem
- privatekeyhandle.pem
CPSFile The full path of a *.pem file that contains the PDF Document Engine’s private key | privatekeyhandle.pem#/opt/gemsigning/safenet/lunaclient/lib/libCryptoki2_64.so#0 Note: If you have a Luna Network HSM deployment, you must use the following format for this parameter: <Key Handle PEM file>#<Absolute Path>/libCryptoki2.so#<slot id> However, if you are using slot id = 1 (the default value), and if the libCryptoki library is in its "Luna Client installed location", the format you should use for this parameter is simply <Key Handle PEM file>. |
| IntermediateCertificates | intrm-sha256-2_cert.pem |
| SignerCertificate | CMG7_cert.pem |
| TrustedCertificates | ca-sha256-root_cert.pem |
Using an Existing Oracle Database
To use your own pre-configured Oracle database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.
The database users defined in the database setup containers need full DDL permissions. The database users defined in the backend and platform services need full DML on their respective schemas.
backend-admin: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oracleDatabaseUrl: "" # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database) oracleDatabaseUserName: "" # Oracle Backend Username (Required for external oracle database) oracleDatabasePassword: "" # Oracle Backend User Password (Required for external oracle database) oracleDatabaseSchema: "" # Oracle Backend Database Schema Name (Required for external oracle database) oracleAuditDatabaseSchema: "" # Oracle Audit Database Schema Name (Required for external oracle database) backend: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oracleDatabaseUrl: "" # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database) oracleDatabaseUserName: "" # Oracle Backend Username (Required for external oracle database) oracleDatabasePassword: "" # Oracle Backend User Password (Required for external oracle database) oracleDatabaseSchema: "" # Oracle Backend Database Schema Name (Required for external oracle database) backend-database-setup: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleCreateApplicationUsers: "" # Boolean Value to Create or not Create Application Users on Oracle Setup (Required for external oracle database) oracleCreateTableSpace: "" # Boolean Value to Create or not Create Table Spaces on Oracle Setup (Required for external oracle database) oracleCreatePlatformSchema: "" # Boolean Value to Create or not Create Platform Schema on Oracle Setup (Required for external oracle database) oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oracleDatabaseUrl: # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database) oracleDatabaseSchema: # Oracle Backend Database Schema Name (Required for external oracle database) oraclePlatformDatabaseSchema: "" # Oracle Platform Database Schema Name (Required for external oracle database) oracleAuditDatabaseSchema: "" # Oracle Audit Database Schema Name (Required for external oracle database) oracleDatabaseUserName: # Oracle Backend Username (Required for external oracle database) oracleAuditDatabaseUser: "" # Oracle Audit Username (Required for external oracle database) oraclePlatformDatabaseUserName: "" # Oracle Platform Username (Required for external oracle database) oracleRootPassword: "" # Oracle Database Root Password for 'sys' user (Required for external oracle database) oracleBackendDatabasePassword: "" # Oracle Backend User Password (Required for external oracle database) oracleAuditDatabasePassword: "" # Oracle Audit User Password (Required for external oracle database) platform: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oracleDatabaseUrl: "" # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database) oraclePlatformDatabaseUserName: "" # Oracle Platform Username (Required for external oracle database) oracleDatabasePassword: "" # Oracle Platform User Password (Required for external oracle database) oracleDatabaseSchema: "" # Oracle Platform Database Schema Name (Required for external oracle database) platform-admin: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oracleDatabaseUrl: "" # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database) oraclePlatformDatabaseUserName: "" # Oracle Platform Username (Required for external oracle database) oracleDatabasePassword: "" # Oracle Platform User Password (Required for external oracle database) oracleDatabaseSchema: "" # Oracle Platform Database Schema Name (Required for external oracle database) platform-database-setup: targetDatabaseType: "oracle" # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle oracleDatabaseHost: "" # Oracle Database Hostname (Required for external oracle database) oracleDatabaseServicePort: "" # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521) oraclePlatformDatabaseUserName: "" # Oracle Platform Username (Required for external oracle database) oracleDatabasePassword: "" # Oracle Platform User Password (Required for external oracle database) oracleBackendDatabaseSchema: "" # Oracle Backend Database Schema Name (Required for external oracle database) oraclePlatformDatabaseSchema: "" # Oracle Platform Database Schema Name (Required for external oracle database) oracleRootPassword: "" # Oracle Database Root Password for 'sys' user (Required for external oracle database) oracleBackendDatabaseUserName: "" # Oracle Backend Username (Required for external oracle database) oracleBackendDatabasePassword: "" # Oracle Backend User Password (Required for external oracle database) oracleAuditDatabaseSchema: "" # Oracle Audit Database Schema Name (Required for external oracle database) oracleAuditDatabaseUserName: "" # Oracle Audit Username (Required for external oracle database) oracleAuditDatabasePassword: "" # Oracle Audit User Password (Required for external oracle database) oracleCreateTableSpace: "" # Boolean Value to Create or not Create Table Spaces on Oracle Setup (Required for external oracle database) oracleCreateApplicationUsers: "" # Boolean Value to Create or not Create Application Users on Oracle Setup (Required for external oracle database) oracleCreatePlatformSchema: "" # Boolean Value to Create or not Create Platform Schema on Oracle Setup (Required for external oracle database)
If using Amazon Relational Database Service (RDS)
If you are using Amazon's Relational Database Service (RDS) then additional parameters must be added to the Oracle parameter listed above. In addition to those parameters, you must add these:
useAmazonRds: "true" # Required to be true for external oracle database using Amazon RDS. awsRdsMasterUserName: "<master user>" # Required for externa
Manually Creating Table Spaces and Application Users
If you prefer to create table spaces and application users manually, you must set certain values to false. Before you configure those values, you must first create the following:
-
The database platform
-
The Application Database and Audit Database
-
Your users. Each database user must have the permissions to create, alter and drop objects.
Once you've done this, edit your yaml file to set the creation of certain objects to false, as shown here:
yaml backend-database-setup: oracleCreateApplicationUsers: "false" # Boolean Value to Create or not Create Application Users on Oracle Setup oracleCreateTableSpace: "false" # Boolean Value to Create or not Create Table Spaces on Oracle Setup oracleCreatePlatformSchema: "true" # Boolean Value to Create or not Create Platform Schema on Oracle Setup oracleRootPassword: "" # Oracle Database Root Password for 'sys' user (Not required when 'oracleCreateApplicationUsers' or 'oracleCreateTableSpace' or 'oracleCreatePlatformSchema' is set to 'false') oracleDatabaseHost: "" # Oracle Database Hostname oracleDatabaseServicePort: "" # Oracle Database Host Port oracleDatabaseUrl: # Oracle Database Hostname + Port ex: 'domain.com:1521' oracleDatabaseSchema: # Oracle Backend Database Schema Name oraclePlatformDatabaseSchema: "" # Oracle Platform Database Schema Name oracleAuditDatabaseSchema: "" # Oracle Audit Database Schema Name oracleDatabaseUserName: # Oracle Backend Username oracleAuditDatabaseUser: "" # Oracle Audit Username oraclePlatformDatabaseUserName: "" # Oracle Platform Username oracleBackendDatabasePassword: "" # Oracle Backend User Password oracleAuditDatabasePassword: "" # Oracle Audit User Password platform-database-setup: oracleCreateTableSpace: "false" # Boolean Value to Create or not Create Table Spaces on Oracle Setup oracleCreateApplicationUsers: "false" # Boolean Value to Create or not Create Application Users on Oracle Setup oracleCreatePlatformSchema: "false" # Boolean Value to Create or not Create Platform Schema on Oracle Setup oracleRootPassword: "" # Oracle Database Root Password for 'sys' user (Not required when 'oracleCreateApplicationUsers' or 'oracleCreateTableSpace' or 'oracleCreatePlatformSchema' is set to 'false') oracleDatabaseHost: "" # Oracle Database Hostname oracleDatabaseServicePort: "" # Oracle Database Host Port (IF port is NOT 1521) oraclePlatformDatabaseUserName: "" # Oracle Platform Username oracleDatabasePassword: "" # Oracle Platform User Password oracleBackendDatabaseSchema: "" # Oracle Backend Database Schema Name oraclePlatformDatabaseSchema: "" # Oracle Platform Database Schema Name oracleBackendDatabaseUserName: "" # Oracle Backend Username oracleBackendDatabasePassword: "" # Oracle Backend User Password oracleAuditDatabaseSchema: "" # Oracle Audit Database Schema Name oracleAuditDatabaseUserName: "" # Oracle Audit Username oracleAuditDatabasePassword: "" # Oracle Audit User Password
Using an Existing MS SQL Database
To use your own pre-configured Microsoft SQL Server database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.
yaml backend-admin: ## MSSQL Required parameters ## To use Your External instance - you must provide all mssql option args ## Defaults to configuration of "contained" mssql DB targetDatabaseType: "sqlserver" flywayJdbcUrl: flywayAuditJdbcUrl: mssqlHostname: mssqlDatabasePort: mssqlDatabase: mssqlDatabaseSchema: mssqlRootUsername: mssqlRootPassword: mssqlUsername: mssqlPassword: mssqlDeployUsername: mssqlDeployPassword: mssqlReadonlyUsername: mssqlReadonlyPassword: mssqlAuditDatabase: mssqlAuditDatabaseUsername: mssqlAuditDatabasePassword: mssqlAuditDeployDatabaseUsername: mssqlAuditDeployDatabasePassword: backend: ## MSSQL Required parameters below. targetDatabaseType: "sqlserver" backend-database-setup: ## MSSQL Required parameters below. targetDatabaseType: "sqlserver" platform: ## MSSQL Required parameters below. Refer from values.yaml file targetDatabaseType: "sqlserver" platform-admin: ## MSSQL Required parameters below. Refer from values.yaml file targetDatabaseType: "sqlserver" platform-database-setup: ## MSSQL Required parameters below. Refer from values.yaml file targetDatabaseType: "sqlserver" platform-seed: targetDatabaseType: "sqlserver"
Using an Existing MYSQL Database
To use your own pre-configured MySQL database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.
backend-admin: mysqlDatabaseUserName: "myUser" mysqlDatabasePassword: "myPassword" mysqlDatabaseHostName: "myHostname" mysqlDatabaseServicePort: "3306" backend: mysqlDatabaseUserName: "myUser" mysqlDatabasePassword: "myPassword" mysqlDatabaseHostName: "myHostname" mysqlDatabaseServicePort: "3306" platform: mysqlDatabaseUserName: "myUser" mysqlDatabasePassword: "myPassword" mysqlDatabaseHostName: "myHostname" mysqlDatabaseServicePort: "3306" platform-admin: mysqlDatabaseUserName: "myUser" mysqlDatabasePassword: "myPassword" mysqlDatabaseHostName: "myHostname" mysqlDatabaseServicePort: "3306"
Installing Certificates
By default, OneSpan Sign components use self-signed certificates. However, when you are in a non-development environment, we recommend using external certificates.
Which parameters you need to configure is determined by the components to which a customized certificate will be applied.
The following parameters are common to each chart:
- ExternalCertificates — If you are using an external certificate, set this value to true. Provide the certificate with its externalPublicKey and externalPrivateKey.
- externalPublicKey
- externalPrivateKey
The following table describes the certificates used by each component.
| Component | Certificate and Secret | Notes |
|---|---|---|
| ##backend |
name: backend-secret-tls
name: backend-secret-ca-cert
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.
|
| ##backend-admin | name: backend-admin-secret-tls
name: backend-admin-secret-ca-cert
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing. |
| ##document-engine | name: document-engine-cert
name: backend-admin-secret-ca-cert
|
|
| ##envoy-load-balancer | name: secret-envoy-load-balancer-tls
name: backend-admin-secret-ca-cert
|
|
| ##platform | name: platform-secret-tls
name: platform-secret-ca-cert
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing. |
| ##platform-admin | name: platform-admin-secret-tls
name: platform-admin-secret-ca-cert
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing. |
| ##remote-sign-authenticator | name: remote-sign-authenticator-secret-tls
name: remote-sign-authenticator-secret-ca-cert
name: Generic
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing. Example: kubectl creates a generic secret. remote-sign-authenticator-secret-ca-cert --from-file=ca-all.cer |
|
##remote-sign-authenticator - GovTech |
name: remote-sign-authenticator-issuer-cert
name: remote-sign-authenticator-root-cert
name: Generic
|
The certificate for GovTech can be passed on a single line via the values file, or by using a CLI. For example: govTechIssuerCert: "MIIEZDCCA+qgAwIBAgIQKJRkgTsNFqX5YcSkR..." govTechRootCertificate: "MIIEZDCCA+qgAwIBAgIQKJRkgTsNFqX5..." |
| ##sender-ui | name: secret-sender-ui-tls
|
|
| ##signer-ui | name: secret-signer-ui-tls
|
|
| ##sso | name: sso-secret-tls
name: sso-secret-ca-cert
name: externalCertificateCA (see Notes) |
To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing. |
| ##sysinfo | name: secret-sysinfo-tls
|
Creating Kubernetes Secret Objects
For more information about secrets, see Managing Secrets using kubectl.
Kubernetes secret objects can be created in the following ways:
Inline Certificate Passing
When you pass a certificate into the values file, you must insert it exactly as it is appears in the actual certificate file. For example:
externalPublicKey: |- -----BEGIN CERTIFICATE----- MIIEhjCCA26gAwIBAgIBEzANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJDQTEP MA0GA1UECAwGUXVlYmVjMRswGQYDVQQKDBJTaWxhbmlzIFRlY2hub2xvZ3kxDDAK BgNVBAsMA1ImRDEtMCsGA1UEAwwkVGVzdENlcnQgT3BlblNTTCBTSEEyIEludGVy ...<the rest of the certificate>... -----END CERTIFICATE-----
Single Line Certificate Passing
To pass a certificate using a single line, use the following command:
externalCertificate: '---BEGIN CERTIFICATE-\nMIIEhjCCA26gAwIBAgIBEzANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJDQTEP\n .... \nGaIm5+Hw5F9r3g==\n-END CERTIFICATE---\n'
Command Line Certificate Passing
When you create a secret using a command line (CLI), you must reference: (1) the appropriate file on the file system; (2) the appropriate secret, as described above. For example:
kubectl create secret tls <tls secret name> --<certificate variable name>=<certificate file> --<key variable name>=<key file> kubectl create secret generic <generic secret name> --from-file=<ca bundle file>
Managing Resources
This section describes the following customizations:
Customizing Resource Requests and Limits
You can customize the resource limits and requests for each component by adding appropriate resource values to the Helm Chart. This will overwrite any relevant default setting.
For example, to customize the memory and CPU values, you would add the following to the backend section of your my-values.yaml file:
backend:
enabled: true
resources: # Specify CPU and memory resource limits and requests for this pod
requests:
memory: "8G"
cpu: "4"
limits:
memory: "8G"
cpu: "4"
Customizing JVM Parameters
The OneSpan Sign Helm Chart has pre-defined JVM parameters for the following components:
- backend
- backend-admin
- platform
- platform-admin
- aspose-document-converter
In each component's sub-chart, the following configurations appear in the respective values.yaml files:
minJavaHeapSizeInMb: 128 maxJavaMetaspaceSizeInMb: 3072 maxJavaRamPercentage: "80.00"