Description
Suggestion
I have a change ready that introduces a new setting in values.yaml and statefulset-synchrony.yaml named synchrony.service.url, but I wanted to verify the team's opinion on this before creating a PR.
Scenario:
- Confluence is running behind a reverse proxy. It is published on https://public.mydomain.com/confluence
- SSL is terminated at the reverse proxy.
- Traffic behind the reverse proxy is plain HTTP.
- Synchrony is published on the same host but directly (via its own context, not via the Confluence context). It is published on https://public.mydomain.com/synchrony
This is supported as "Direct to synchrony with a reverse proxy" in the official documentation: https://confluence.atlassian.com/doc/possible-confluence-and-synchrony-configurations-958779064.html
Current values (related):
- ingress.create: true
- ingress.host: public.mydomain.com
- ingress.path: /confluence
- ingress.https: false
- confluence.service.contextPath: /confluence
- confluence.tomcatConfig.generateByHelm: true
- confluence.tomcatConfig.secure: true
- confluence.tomcatConfig.scheme: https
- confluence.tomcatConfig.proxyName: public.mydomain.com
- confluence.tomcatConfig.proxyPort: 443
- synchrony.enabled: true
- synchrony.ingress.path: /synchrony
Reasoning:
- Ingress is set to http because traffic between the reverse proxy and Kubernetes is plain text, not SSL.
- This creates problems in Confluence as well, but there it can be (and is) overridden by tomcatConfig (notice tomcatConfig above).
- There is no such option for Synchrony.
Result: everything works except Synchrony, which fails with "Error validating JWT: JWT aud property does not match expected value".
Reason: the StatefulSet created for Synchrony includes an env variable:

    env:
      - name: SYNCHRONY_SERVICE_URL
        value: http://public.mydomain.com/synchrony

Notice the http in the value. This value is calculated in statefulset-synchrony.yaml as a combination of the protocol (dependent on .Values.ingress.https), .Values.ingress.host, and the fixed value /synchrony.
Solution:
a) Add a new option synchrony.service.url for the complete Synchrony service URL. If this option is set, its value is used and not calculated. If it is not set (the default is empty), the value is calculated as it is now. This is my preferred and suggested solution.
b) Add a new option synchrony.ingress.https and calculate the final value (same as now). This leaves the fixed value /synchrony, so we would need to fix that as well with the existing synchrony.ingress.path. This should be done in any case, but it is not an issue for me, so it is out of scope. Complicated, and it would still probably leave scenarios unsupported.
c) Use the existing value of confluence.tomcatConfig.scheme. This would work but is ugly, as the naming has no relation to its usage in Synchrony.
Can I get an opinion on this? Then I would get to completing documentation and tests.
Product
Confluence
Code of Conduct
- I agree to follow this project's Code of Conduct
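As an added illustration of option (a) from the issue above, and not code from the chart or from the issue author: a stand-alone Go program that renders the same env-value logic with Go's text/template (plain if/else only, no Sprig helpers). It reproduces the current behaviour, where the values listed in the issue yield the http URL that breaks the JWT aud check, and shows the proposed synchrony.service.url override taking precedence when set. The template string, the chartValues helper, the use of synchrony.ingress.path instead of the hard-coded /synchrony, and the absolute-URL sanity check are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"text/template"
)

// synchronyURLTemplate is an assumed stand-in for the value expression in
// statefulset-synchrony.yaml. When synchrony.service.url is non-empty it is
// used verbatim; otherwise the URL is derived from ingress.https,
// ingress.host and synchrony.ingress.path, which is how the chart computes
// SYNCHRONY_SERVICE_URL today (apart from the fixed /synchrony path).
const synchronyURLTemplate = `{{- if .Values.synchrony.service.url -}}
{{ .Values.synchrony.service.url }}
{{- else -}}
{{ if .Values.ingress.https }}https{{ else }}http{{ end }}://{{ .Values.ingress.host }}{{ .Values.synchrony.ingress.path }}
{{- end -}}`

// Values mimics the .Values tree Helm passes to a template.
type Values map[string]interface{}

// chartValues builds a values tree with every key the template touches
// present, so text/template never dereferences a missing nested map.
// overrideURL is the proposed synchrony.service.url; "" means "not set".
func chartValues(ingressHTTPS bool, host, synchronyPath, overrideURL string) Values {
	return Values{
		"ingress": Values{
			"https": ingressHTTPS,
			"host":  host,
		},
		"synchrony": Values{
			"ingress": Values{"path": synchronyPath},
			"service": Values{"url": overrideURL},
		},
	}
}

// RenderSynchronyServiceURL renders the env value and rejects anything that
// is not an absolute http(s) URL, since Synchrony compares it against the
// JWT aud claim and a malformed value would fail in the same opaque way.
func RenderSynchronyServiceURL(values Values) (string, error) {
	tmpl, err := template.New("synchrony").Parse(synchronyURLTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]interface{}{"Values": values}); err != nil {
		return "", err
	}
	rendered := buf.String()
	u, err := url.Parse(rendered)
	if err != nil {
		return "", fmt.Errorf("SYNCHRONY_SERVICE_URL %q is not a URL: %w", rendered, err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("SYNCHRONY_SERVICE_URL %q must be an absolute http(s) URL", rendered)
	}
	return rendered, nil
}

func main() {
	// The issue's current values: ingress.https=false, no override -> http URL.
	current := chartValues(false, "public.mydomain.com", "/synchrony", "")
	// The same values with the proposed override set to the public https URL.
	proposed := chartValues(false, "public.mydomain.com", "/synchrony", "https://public.mydomain.com/synchrony")

	for name, v := range map[string]Values{"current": current, "proposed": proposed} {
		u, err := RenderSynchronyServiceURL(v)
		fmt.Printf("%-8s SYNCHRONY_SERVICE_URL=%s err=%v\n", name, u, err)
	}
}
```

Running it prints the http URL for the current values and the https URL once the override is set; a value such as "public.mydomain.com/synchrony" (no scheme) is rejected by the sanity check rather than being handed to Synchrony.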