sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(helmfile): Add seLinuxOptions for all applications

Browse Source
This commit is contained in:
Dominik Kaminski
2024-02-13 16:13:04 +01:00
committed by Thorsten Rossner
parent c2087efcf9
commit 02d04faa2a
55 changed files with 172 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
helmfile/apps/collabora/values.yaml.gotmpl
View File

@@ -126,7 +126,7 @@ securityContext:
- "NET_RAW"
- "SYS_CHROOT"
- "MKNOD"
seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
serviceAccount:
create: true
...

1
helmfile/apps/cryptpad/values.yaml.gotmpl
View File

@@ -70,6 +70,7 @@ securityContext:
runAsNonRoot: true
runAsUser: 4001
runAsGroup: 4001
seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
serviceAccount:
create: true

1
helmfile/apps/element/values-element.yaml.gotmpl
View File

@@ -110,6 +110,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.element }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
View File

@@ -35,5 +35,6 @@ securityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
...

1
helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
View File

@@ -35,6 +35,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
extraEnvVars:
- name: "ACCESS_TOKEN"

1
helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
View File

@@ -18,6 +18,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
View File

@@ -35,4 +35,5 @@ securityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
...

1
helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
extraEnvVars:
- name: "UVS_ACCESS_TOKEN"

1
helmfile/apps/element/values-synapse-web.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -79,6 +79,7 @@ containerSecurityContext:
runAsGroup: 10991
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/element/values-well-known.yaml.gotmpl
View File

@@ -18,6 +18,7 @@ containerSecurityContext:
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
global:
domain: {{ .Values.global.domain | quote }}

1
helmfile/apps/intercom-service/values.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
global:
domain: {{ .Values.global.domain | quote }}

6
helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
View File

@@ -23,6 +23,7 @@ containerSecurityContext:
runAsUser: 1993
runAsGroup: 1993
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -74,6 +75,7 @@ jitsi:
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
prosody:
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -121,6 +123,7 @@ jitsi:
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
jicofo:
replicaCount: {{ .Values.replicas.jicofo }}
image:
@@ -142,6 +145,7 @@ jitsi:
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
jvb:
replicaCount: {{ .Values.replicas.jvb }}
image:
@@ -164,6 +168,7 @@ jitsi:
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
jibri:
replicaCount: {{ .Values.replicas.jibri }}
image:
@@ -201,6 +206,7 @@ patchJVB:
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

1
helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
View File

@@ -87,6 +87,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
debug:
loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}

3
helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
View File

@@ -25,6 +25,7 @@ exporter:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -77,6 +78,7 @@ php:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
cron:
successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
debug:
@@ -116,6 +118,7 @@ apache2:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

1
helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
View File

@@ -66,6 +66,7 @@ containerSecurityContext:
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
podSecurityContext:
enabled: true

12
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
View File

@@ -40,6 +40,7 @@ nextcloud-integration-ui:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
public-sector-ui:
image:
@@ -66,6 +67,7 @@ public-sector-ui:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
appsuite:
appsuite-toolkit:
@@ -129,6 +131,7 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
@@ -353,6 +356,7 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
core-ui-middleware:
enabled: true
@@ -394,7 +398,7 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
core-cacheservice:
enabled: false
@@ -424,6 +428,7 @@ appsuite:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
core-documents-collaboration:
enabled: false
@@ -465,6 +470,7 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
core-imageconverter:
enabled: true
@@ -494,6 +500,7 @@ appsuite:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
guard-ui:
enabled: true
@@ -519,7 +526,7 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
core-spellcheck:
enabled: false
@@ -548,4 +555,5 @@ appsuite:
privileged: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
...

1
helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
View File

@@ -38,6 +38,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}

1
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -20,6 +20,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
environment:
# For more details and more options see

1
helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
View File

@@ -83,6 +83,7 @@ securityContext:
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
serviceAccount:
create: true

5
helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
View File

@@ -15,6 +15,7 @@ clamd:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
@@ -40,6 +41,7 @@ containerSecurityContext:
capabilities:
drop: []
privileged: false
seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
freshclam:
containerSecurityContext:
@@ -55,6 +57,7 @@ freshclam:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }}
@@ -86,6 +89,7 @@ icap:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
@@ -113,6 +117,7 @@ milter:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
repository: {{ .Values.images.milter.repository | quote }}

1
helmfile/apps/services/values-clamav-simple.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
global:
imagePullSecrets:

1
helmfile/apps/services/values-mariadb.yaml.gotmpl
View File

@@ -17,6 +17,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
global:
imagePullSecrets:

1
helmfile/apps/services/values-memcached.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
global:
imagePullSecrets:

1
helmfile/apps/services/values-minio.yaml.gotmpl
View File

@@ -29,6 +29,7 @@ containerSecurityContext:
readOnlyRootFilesystem: false
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
defaultBuckets: "openproject,openxchange,ums,nextcloud"

1
helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -17,6 +17,7 @@ containerSecurityContext:
runAsUser: 0
runAsGroup: 0
privileged: true
seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
global:
imagePullSecrets:

1
helmfile/apps/services/values-postgresql.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
job:

1
helmfile/apps/services/values-redis.yaml.gotmpl
View File

@@ -30,6 +30,7 @@ master:
capabilities:
drop:
- "ALL"
seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
count: {{ .Values.replicas.redis }}
persistence:
size: {{ .Values.persistence.size.redis | quote }}

1
helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
View File

@@ -55,5 +55,6 @@ securityContext:
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
...

1
helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
View File

@@ -73,5 +73,6 @@ securityContext:
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
...

1
helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
View File

@@ -46,5 +46,6 @@ securityContext:
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
...

1
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
View File

@@ -27,6 +27,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
volumes:
claims:

1
helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -76,6 +76,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
service:
type: "ClusterIP"

1
helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
View File

@@ -44,5 +44,6 @@ securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
...

1
helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
View File

@@ -46,5 +46,6 @@ securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
...

1
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -597,6 +597,7 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"

2
helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
View File

@@ -110,5 +110,5 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
...

1
helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
View File

@@ -75,5 +75,6 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
...

1
helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
View File

@@ -50,5 +50,6 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
...

3
helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -28,6 +28,7 @@ dispatcher:
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
events-and-consumer-api:
image:
@@ -62,6 +63,7 @@ events-and-consumer-api:
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
udm-listener:
image:
@@ -104,6 +106,7 @@ udm-listener:
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
nats:
global:

1
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
View File

@@ -73,5 +73,6 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
...

1
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
View File

@@ -29,6 +29,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"

1
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
View File

@@ -29,6 +29,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
stackDataContext:
idpSamlMetadataUrlInternal: null

1
helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
View File

@@ -53,6 +53,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
storeDav:
auth:

1
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
View File

@@ -51,6 +51,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
udmRestApi:
# TODO: Stub value currently

1
helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
View File

@@ -58,5 +58,6 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
...

1
helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
View File

@@ -94,6 +94,7 @@ securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"

1
helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
View File

@@ -66,6 +66,7 @@ containerSecurityContext:
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"

2
helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
View File

@@ -44,6 +44,7 @@ handler:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
postgresql:
@@ -88,6 +89,7 @@ proxy:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
...

1
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
View File

@@ -44,6 +44,7 @@ containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
podSecurityContext:
fsGroup: 1000

1
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -45,6 +45,7 @@ containerSecurityContext:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
service:
type: "ClusterIP"

1
helmfile/apps/xwiki/values.yaml.gotmpl
View File

@@ -36,6 +36,7 @@ containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
customConfigs:
xwiki.cfg:

95
helmfile/environments/default/selinux.yaml Normal file
View File

@@ -0,0 +1,95 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
#
# Disclaimer:
# We assume that you are very aware of what you are doing when working wih SELinux settings and that you can easily
# break the affected components with these settings.
---
seLinuxOptions:
clamavSimple: ~
clamd: ~
collabora: ~
cryptpad: ~
dovecot: ~
element: ~
freshclam: ~
icap: ~
intercom: ~
# The Jibri Helm chart does not support setting the securityContext externally.
#jibri: ~
jicofo: ~
jitsi: ~
jitsiKeycloakAdapter: ~
jitsiPatchJVB: ~
jvb: ~
mariadb: ~
matrixNeoBoardWidget: ~
matrixNeoChoiceWidget: ~
matrixNeoDateFixBot: ~
matrixNeoDateFixWidget: ~
matrixUserVerificationService: ~
memcached: ~
milter: ~
minio: ~
nextcloudApache2: ~
nextcloudExporter: ~
nextcloudManagement: ~
nextcloudPHP: ~
opendeskKeycloakBootstrap: ~
openproject: ~
openprojectBootstrap: ~
openprojectInitDb: ~
openxchangeBootstrap: ~
openxchangeCoreGuidedtours: ~
openxchangeCoreMW: ~
openxchangeCoreUI: ~
openxchangeCoreUIMiddleware: ~
openxchangeCoreUserGuide: ~
openxchangeDocumentConverter: ~
openxchangeGotenberg: ~
openxchangeGuardUI: ~
openxchangeImageConverter: ~
openxchangeNextcloudIntegrationUI: ~
openxchangePublicSectorUI: ~
oxConnector: ~
postfix: ~
postgresql: ~
prosody: ~
redis: ~
synapse: ~
synapseCreateUser: ~
synapseGuestModule: ~
synapseWeb: ~
umsConfigHtpasswd: ~
umsDataLoader: ~
umsGuardianAuthorizationApi: ~
umsGuardianManagementApi: ~
umsGuardianManagementUi: ~
umsKeycloak: ~
umsKeycloakBootstrap: ~
umsKeycloakExtensionHandler: ~
umsKeycloakExtensionProxy: ~
umsLdapNotifier: ~
umsLdapServer: ~
umsNotificationsApi: ~
umsOpenPolicyAgent: ~
umsPortalFrontend: ~
umsPortalListener: ~
umsPortalServer: ~
umsProvisioningDispatcher: ~
umsProvisioningEventsAndConsumerApi: ~
umsProvisioningNats: ~
umsProvisioningNatsBox: ~
umsProvisioningNatsReloader: ~
umsProvisioningUdmListener: ~
umsSelfserviceInvitation: ~
umsSelfserviceListener: ~
umsStackGateway: ~
umsStoreDav: ~
umsUdmRestApi: ~
umsUmcGateway: ~
umsUmcServer: ~
umsWaitForDependency: ~
wellKnown: ~
xwiki: ~
...