JanssenProject · iromli · Jan 27, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
@@ -79,8 +79,8 @@ spec:
             value: {{ include "shibboleth.customJavaOptions" . | trim }}
           - name: CN_SCIM_JAVA_OPTIONS
             value: {{ include "scim.customJavaOptions" . | trim }}
-          {{- include "janssen-all-in-one.usr-envs" . | indent 12 }}
-          {{- include "janssen-all-in-one.usr-secret-envs" . | indent 12 }}
+          {{- include "janssen-all-in-one.usr-envs" . | indent 10 }}
+          {{- include "janssen-all-in-one.usr-secret-envs" . | indent 10 }}
         securityContext:
           runAsUser: 1000
           runAsNonRoot: true

@@ -61,7 +61,8 @@ spec:
   hostnames:
   - {{ .Values.fqdn | quote }}
   rules:
-
+  {{- /* DON'T remove `/jans-auth` prefix in filters; they will be stripped in AIO image internally */}}
+
   {{- /* 1. OpenID Configuration */}}
   {{- if index .Values "auth-server" "ingress" "openidConfigEnabled" }}
   - matches:
@@ -265,23 +266,6 @@ spec:
     - name: {{ $svcName }}
       port: {{ $svcPort }}
   {{- end }}
-
-  {{- /* 13. Jans Lock */}}
-  {{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockEnabled") }}
-  - matches:
-    - path:
-        type: Exact
-        value: /jans-lock
-    filters:
-    - type: URLRewrite
-      urlRewrite:
-        path:
-          type: ReplaceFullPath
-          replaceFullPath: /jans-auth
-    backendRefs:
-    - name: {{ $svcName }}
-      port: {{ $svcPort }}
-  {{- end }}
 
 ---
 {{- /* ======================================================== */}}
@@ -365,17 +349,6 @@ spec:
       port: {{ $svcPort }}
   {{- end }}
 
-  {{- /* 6. SAML (/kc) */}}
-  {{- if .Values.saml.ingress.samlEnabled }}
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /kc
-    backendRefs:
-    - name: {{ $svcName }}
-      port: {{ $svcPort }}
-  {{- end }}
-
 ---
 {{- /* ======================================================== */}}
 {{- /* ROUTE 3: SECURE APPS (HTTP REDIRECT)                     */}}
@@ -402,9 +375,9 @@ spec:
   hostnames:
   - {{ .Values.fqdn | quote }}
   rules:
-  
+
   {{- /* Same 6 Rules, but with Redirect Filter instead of BackendRef */}}
-  
+
   {{- /* 1. Auth Server Redirect */}}
   {{- if index .Values "auth-server" "ingress" "authServerEnabled" }}
   - matches:
@@ -470,17 +443,74 @@ spec:
         statusCode: 301
   {{- end }}
 
-  {{- /* 6. SAML Redirect */}}
-  {{- if .Values.saml.ingress.samlEnabled }}
+---
+
+{{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockAuditEnabled") }}
+{{- /* ======================================================== */}}
+{{- /* ROUTE 4: gRPC APPS                                       */}}
+{{- /* These endpoints use gRPC                                 */}}
+{{- /* ======================================================== */}}
+apiVersion: gateway.networking.k8s.io/v1
+{{- if eq .Values.gatewayApi.gatewayClassName "istio" }}
+{{- /* Use HTTPRoute in istio to avoid routes being overriden by another route type */}}
+kind: HTTPRoute
+{{- else }}
+kind: GRPCRoute
+{{- end }}
+metadata:
+  name: {{ $fullName }}-grpc-routes
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ $fullName }}-routes
+{{- if .Values.gatewayApi.routeLabels }}
+{{- toYaml .Values.gatewayApi.routeLabels | nindent 4 }}
+{{- end }}
+{{- if .Values.gatewayApi.routeAnnotations }}
+  annotations:
+{{- toYaml .Values.gatewayApi.routeAnnotations | nindent 4 }}
+{{- end }}
+spec:
+  parentRefs:
+  - name: {{ .Values.gatewayApi.name }}
+    sectionName: https
+  hostnames:
+  - {{ .Values.fqdn | quote }}
+  rules:
+  {{- /* 1. Lock Server Audit */}}
+  {{- /* List all routable methods explicitly to satisfy different gateway implementation */}}
+  {{- if eq .Values.gatewayApi.gatewayClassName "istio" }}
+  {{- /* HTTPRoute matches for istio */}}
   - matches:
     - path:
         type: PathPrefix
-        value: /kc
-    filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
+        value: /io.jans.lock.audit.AuditService
+    backendRefs:
+    - name: {{ $svcName }}-grpc
+      port: 50051
+  {{- else }}
+  - matches:
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessLog
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessBulkLog
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessHealth
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessBulkHealth
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessTelemetry
+    - method:
+        service: io.jans.lock.audit.AuditService
+        method: ProcessBulkTelemetry
+    backendRefs:
+    - name: {{ $svcName }}-grpc
+      port: 50051
   {{- end }}
+{{- end }}
 
-{{- end }}
+{{- end }}
@@ -32,3 +32,43 @@ spec:
   sessionAffinityConfig:
 {{ toYaml . | indent 4 }}
   {{- end }}
+
+---
+
+{{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockAuditEnabled") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}-grpc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-{{ include "janssen-all-in-one.name" . }}-aio
+{{ include "janssen-all-in-one.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.customAnnotations.service) }}
+  annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.customAnnotations.service }}
+{{ toYaml .Values.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+  {{- if .Values.alb.ingress }}
+  type: NodePort
+  {{- end }}
+  ports:
+  - port: 50051 # avoid using the same pod port as some gateway implementation doesn't _like_ shared port for gRPC and non-gRPC
+    targetPort: {{ .Values.service.port }}
+    name: grpc-{{ .Values.service.name }}
+  selector:
+    app: {{ .Release.Name }}-{{ include "janssen-all-in-one.name" . }}-aio
+  sessionAffinity: {{ .Values.service.sessionAffinity }}
+  {{- with .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+  {{- end }}
+{{- end }}
@@ -185,10 +185,14 @@ auth-server:
     scriptLogTarget: "FILE"
     # -- jans-auth_script.log level
     scriptLogLevel: "INFO"
-    # -- jans-auth_script.log target
+    # -- jans-auth_audit.log target
     auditStatsLogTarget: "FILE"
     # -- jans-auth_audit.log level
     auditStatsLogLevel: "INFO"
+    # -- jans-lock.log target
+    lockLogTarget: "STDOUT"
+    # -- jans-lock.log level
+    lockLogLevel: "INFO"
   # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
   authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"
   # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
@@ -213,8 +217,8 @@ auth-server:
     u2fConfigEnabled: true
     # -- Enable endpoint /.well-known/lock-server-configuration
     lockConfigEnabled: false
-    # -- Enable endpoint /jans-lock
-    lockEnabled: false
+    # -- Enabled endpoint /io.jans.lock.audit.AuditService
+    lockAuditEnabled: false
     # -- Lock config ingress resource labels. key app is taken
     lockConfigLabels: {}
     # -- Lock config ingress resource additional annotations.
@@ -613,7 +617,7 @@ gatewayApi:
   # -- The name of the Gateway resource to be created
   name: jans-gateway
   # -- Gateway http port number
-  httpPort: 80 
+  httpPort: 80
   # -- Gateway https port number
   httpsPort: 443
   # -- Secret containing the TLS certificate for the Gateway

@@ -32,3 +32,43 @@ spec:
   sessionAffinityConfig:
 {{ toYaml . | indent 4 }}
   {{- end }}
+
+---
+
+{{- if and (index .Values.global "auth-server" "lockEnabled") (index .Values.global "auth-server" "ingress" "lockAuditEnabled") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ index .Values "global" "auth-server" "authServerServiceName" }}-grpc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    APP_NAME: auth-server
+{{ include "auth-server.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "service") }}
+  annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "auth-server" "customAnnotations" "service" }}
+{{ toYaml (index .Values.global "auth-server" "customAnnotations" "service") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+  {{- if .Values.global.alb.ingress }}
+  type: NodePort
+  {{- end }}
+  ports:
+  - port: 50051 # avoid using the same pod port as some gateway implementation doesn't _like_ shared port for gRPC and non-gRPC
+    targetPort: {{ .Values.service.port }}
+    name: grpc-{{ .Values.service.name }}
+  selector:
+    app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server
+  sessionAffinity: {{ .Values.service.sessionAffinity }}
+  {{- with .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/janssen/charts/config/README.md b/charts/janssen/charts/config/README.md
@@ -75,15 +75,6 @@ Kubernetes: `>=v1.22.0-0`
 | configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. |
 | configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. |
 | configmap.containerMetadataName | string | `"kubernetes"` |  |
-| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access |
-| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). |
-| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name |
-| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host |
-| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). |
-| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. |
-| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username |
-| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. |
-| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level |
 | configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. |
 | configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. |
 | countryCode | string | `"US"` | Country code. Used for certificate creation. |

@@ -94,6 +94,8 @@ data:
   | replace "scriptLogLevel" "script_log_level"
   | replace "auditStatsLogTarget" "audit_log_target"
   | replace "auditStatsLogLevel" "audit_log_level"
+  | replace "lockLogTarget" "lock_log_target"
+  | replace "lockLogLevel" "lock_log_level"
   | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix"
   | squote
   }}