How to deploy shibboleth service provider in Kubernetes environment?

Etienne Dysli Metref etienne.dysli-metref at
Mon May 27 03:12:47 EDT 2019

On 24/05/2019 15.56, Peter Schober wrote:
>> Is it possible to deploy shibboleth service provider in separate
>> container and apache in separate container?
> It's possible, but why would you choose to do that?
> Just keeping them both in the same container avoids security issues
> and makes deployment easier. I don't think you can swap out either
> half for other versions or running different build/packaging so it's
> best to treat those as a single system.

I don't think you can mix mod_shib and shib versions either and they use
the same configuration files, so they form a "unit of deployment" IMHO,
therefore separating them in two containers makes less sense.

However, if you want to run several processes in one container, you then
need a real init program to start everything else, propagate signals,
reap zombie processes, etc. and that makes your container image more
complicated to build. This also hides any crashing process from
Kubernetes so you'd lose a bit of visibility there (unless you expose
this via health checks). Moreover, you now have two log streams (apache
and shibd) mixed in one container output stream which need to be
untangled to be useful.

Trade-offs... ;)
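
One way to cover the init duties listed in the message above (start both processes, propagate signals, reap children, and exit when either one dies so the failure is not hidden from Kubernetes), as an added example that is not part of the original message. The command strings are placeholders for the shibd and Apache foreground invocations, which the thread does not give, and exiting on the first child failure is a design choice assumed here.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal supervisor for a container
# that runs two daemons. The command strings are placeholders (assumption);
# each must be a single foreground command, because it is exec'd so that
# signals reach the daemon itself rather than a wrapper shell.

# supervise CMD1 CMD2
# Starts both commands, forwards TERM/INT to them, and returns as soon as
# either one exits, using that child's exit status, after stopping the other.
# Letting PID 1 exit this way makes a crash visible to Kubernetes.
supervise() {
    sh -c "exec $1" &
    pid1=$!
    sh -c "exec $2" &
    pid2=$!
    trap 'kill -TERM "$pid1" "$pid2" 2>/dev/null' TERM INT

    # Portable polling loop (POSIX sh has no "wait -n").
    while kill -0 "$pid1" 2>/dev/null && kill -0 "$pid2" 2>/dev/null; do
        sleep 1
    done

    if kill -0 "$pid1" 2>/dev/null; then
        dead=$pid2 alive=$pid1
    else
        dead=$pid1 alive=$pid2
    fi
    status=0
    wait "$dead" || status=$?            # reap the child that exited first
    kill -TERM "$alive" 2>/dev/null || true
    wait "$alive" 2>/dev/null || true    # reap the survivor as well
    trap - TERM INT
    return "$status"
}

# Entry point when used as the container command: supervise.sh CMD1 CMD2
if [ "$#" -eq 2 ]; then
    supervise "$1" "$2"
    exit $?
fi
```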


