fix(helmfile): Add seLinuxOptions for all applications

2025-12-07 16:01:37 +01:00 · 2024-02-13 16:13:04 +01:00
parent c2087efcf9
commit 02d04faa2a
55 changed files with 172 additions and 4 deletions
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -126,7 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -70,6 +70,7 @@ securityContext:
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
 serviceAccount:
  create: true
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -110,6 +110,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -35,5 +35,6 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -35,6 +35,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
 extraEnvVars:
  - name: "ACCESS_TOKEN"
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -18,6 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -35,4 +35,5 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -79,6 +79,7 @@ containerSecurityContext:
  runAsGroup: 10991
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -18,6 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -23,6 +23,7 @@ containerSecurityContext:
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -74,6 +75,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -121,6 +123,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -142,6 +145,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -164,6 +168,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -201,6 +206,7 @@ patchJVB:
    runAsNonRoot: true
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -87,6 +87,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -25,6 +25,7 @@ exporter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -77,6 +78,7 @@ php:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
@@ -116,6 +118,7 @@ apache2:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,6 +66,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -40,6 +40,7 @@ nextcloud-integration-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
 public-sector-ui:
  image:
@@ -66,6 +67,7 @@ public-sector-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
 appsuite:
  appsuite-toolkit:
@@ -129,6 +131,7 @@ appsuite:
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
@@ -353,6 +356,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
  core-ui-middleware:
    enabled: true
@@ -394,7 +398,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
  core-cacheservice:
    enabled: false
@@ -424,6 +428,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
  core-documents-collaboration:
    enabled: false
@@ -465,6 +470,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
  core-imageconverter:
    enabled: true
@@ -494,6 +500,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
  guard-ui:
    enabled: true
@@ -519,7 +526,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
  core-spellcheck:
    enabled: false
@@ -548,4 +555,5 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
 ...
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,6 +38,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -20,6 +20,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
 environment:
 # For more details and more options see
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -83,6 +83,7 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
 serviceAccount:
  create: true
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -15,6 +15,7 @@ clamd:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
@@ -40,6 +41,7 @@ containerSecurityContext:
  capabilities:
    drop: []
  privileged: false
  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
 freshclam:
  containerSecurityContext:
@@ -55,6 +57,7 @@ freshclam:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
@@ -86,6 +89,7 @@ icap:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
@@ -113,6 +117,7 @@ milter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -17,6 +17,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -29,6 +29,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: false
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
 defaultBuckets: "openproject,openxchange,ums,nextcloud"
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -17,6 +17,7 @@ containerSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  privileged: true
  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
 job:
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -30,6 +30,7 @@ master:
    capabilities:
      drop:
        - "ALL"
    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -55,5 +55,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -73,5 +73,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -46,5 +46,6 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -27,6 +27,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
 volumes:
  claims:
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -76,6 +76,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
 service:
  type: "ClusterIP"
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -44,5 +44,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -46,5 +46,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
 ...
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -597,6 +597,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -110,5 +110,5 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -75,5 +75,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -50,5 +50,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -28,6 +28,7 @@ dispatcher:
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
 events-and-consumer-api:
  image:
@@ -62,6 +63,7 @@ events-and-consumer-api:
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
 udm-listener:
  image:
@@ -104,6 +106,7 @@ udm-listener:
    runAsGroup: 0
    runAsNonRoot: false
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
 nats:
  global:
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -73,5 +73,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -29,6 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -29,6 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
 stackDataContext:
  idpSamlMetadataUrlInternal: null
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -53,6 +53,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
 storeDav:
  auth:
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -51,6 +51,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
 udmRestApi:
  # TODO: Stub value currently
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -58,5 +58,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -94,6 +94,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -66,6 +66,7 @@ containerSecurityContext:
  runAsUser: 1000
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -44,6 +44,7 @@ handler:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
@@ -88,6 +89,7 @@ proxy:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -44,6 +44,7 @@ containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
 podSecurityContext:
  fsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -45,6 +45,7 @@ containerSecurityContext:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
 service:
  type: "ClusterIP"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -36,6 +36,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
 customConfigs:
  xwiki.cfg:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -0,0 +1,95 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Disclaimer:
 # We assume that you are very aware of what you are doing when working wih SELinux settings and that you can easily
 # break the affected components with these settings.
 ---
 seLinuxOptions:
  clamavSimple: ~
  clamd: ~
  collabora: ~
  cryptpad: ~
  dovecot: ~
  element: ~
  freshclam: ~
  icap: ~
  intercom: ~
  # The Jibri Helm chart does not support setting the securityContext externally.
  #jibri: ~
  jicofo: ~
  jitsi: ~
  jitsiKeycloakAdapter: ~
  jitsiPatchJVB: ~
  jvb: ~
  mariadb: ~
  matrixNeoBoardWidget: ~
  matrixNeoChoiceWidget: ~
  matrixNeoDateFixBot: ~
  matrixNeoDateFixWidget: ~
  matrixUserVerificationService: ~
  memcached: ~
  milter: ~
  minio: ~
  nextcloudApache2: ~
  nextcloudExporter: ~
  nextcloudManagement: ~
  nextcloudPHP: ~
  opendeskKeycloakBootstrap: ~
  openproject: ~
  openprojectBootstrap: ~
  openprojectInitDb: ~
  openxchangeBootstrap: ~
  openxchangeCoreGuidedtours: ~
  openxchangeCoreMW: ~
  openxchangeCoreUI: ~
  openxchangeCoreUIMiddleware: ~
  openxchangeCoreUserGuide: ~
  openxchangeDocumentConverter: ~
  openxchangeGotenberg: ~
  openxchangeGuardUI: ~
  openxchangeImageConverter: ~
  openxchangeNextcloudIntegrationUI: ~
  openxchangePublicSectorUI: ~
  oxConnector: ~
  postfix: ~
  postgresql: ~
  prosody: ~
  redis: ~
  synapse: ~
  synapseCreateUser: ~
  synapseGuestModule: ~
  synapseWeb: ~
  umsConfigHtpasswd: ~
  umsDataLoader: ~
  umsGuardianAuthorizationApi: ~
  umsGuardianManagementApi: ~
  umsGuardianManagementUi: ~
  umsKeycloak: ~
  umsKeycloakBootstrap: ~
  umsKeycloakExtensionHandler: ~
  umsKeycloakExtensionProxy: ~
  umsLdapNotifier: ~
  umsLdapServer: ~
  umsNotificationsApi: ~
  umsOpenPolicyAgent: ~
  umsPortalFrontend: ~
  umsPortalListener: ~
  umsPortalServer: ~
  umsProvisioningDispatcher: ~
  umsProvisioningEventsAndConsumerApi: ~
  umsProvisioningNats: ~
  umsProvisioningNatsBox: ~
  umsProvisioningNatsReloader: ~
  umsProvisioningUdmListener: ~
  umsSelfserviceInvitation: ~
  umsSelfserviceListener: ~
  umsStackGateway: ~
  umsStoreDav: ~
  umsUdmRestApi: ~
  umsUmcGateway: ~
  umsUmcServer: ~
  umsWaitForDependency: ~
  wellKnown: ~
  xwiki: ~
 ...