diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index efb2333a..ed71a5e0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -48,7 +48,9 @@ variables: ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}" value: "dev" MASTER_PASSWORD_WEB_VAR: - description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets." + description: > + Optional: Provide a seed to be used for generation of all internal secrets. + Same seed will result in same secrets. value: "" ENV_STOP_BEFORE: description: "Stop environment/delete namespace for the deployment." diff --git a/helmfile/apps/open-xchange/helmfile.yaml b/helmfile/apps/open-xchange/helmfile.yaml index 7281f2c9..4ee573a1 100644 --- a/helmfile/apps/open-xchange/helmfile.yaml +++ b/helmfile/apps/open-xchange/helmfile.yaml @@ -27,7 +27,8 @@ repositories: {{ .Values.charts.openXchangeAppSuite.repository }}" # openDesk Open-Xchange Bootstrap - # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap + # Source: + # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap - name: "open-xchange-bootstrap-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }} diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml index b2afc0df..9f20039a 100644 --- a/helmfile/apps/univention-management-stack/helmfile.yaml +++ b/helmfile/apps/univention-management-stack/helmfile.yaml 
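Review bot: `description: >` folds the text but keeps one trailing newline (clip), so the variable description is no longer byte-identical to the removed quoted string; `description: >-` reproduces the old value exactly while still fixing the line length. Given that this variable seeds every internal secret, the description might also state that the seed itself has to be handled as a secret (for example masked in the CI variable settings), e.g. `Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets; treat the seed as a secret.`. The enclosing `variables:` mapping starts before the hunk.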
@@ -5,168 +5,17 @@ bases: - "../../bases/environments.yaml" --- repositories: - # Univention Management Stack - - name: "ums-guardian-management-api-repo" + # Univention Management Stack Umbrella Chart + - name: "ums" keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsGuardianManagementApi.verify }} + verify: {{ .Values.charts.ums.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\ - {{ .Values.charts.umsGuardianManagementApi.repository }}" - - name: "ums-guardian-management-ui-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsGuardianManagementUi.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\ - {{ .Values.charts.umsGuardianManagementUi.repository }}" - - name: "ums-guardian-authorization-api-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\ - {{ .Values.charts.umsGuardianAuthorizationApi.repository }}" - - name: "ums-open-policy-agent-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsOpenPolicyAgent.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\ - {{ 
.Values.charts.umsOpenPolicyAgent.repository }}" - - name: "ums-ldap-server-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsLdapServer.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\ - {{ .Values.charts.umsLdapServer.repository }}" - - name: "ums-ldap-notifier-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsLdapNotifier.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\ - {{ .Values.charts.umsLdapNotifier.repository }}" - - name: "ums-udm-rest-api-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsUdmRestApi.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\ - {{ .Values.charts.umsUdmRestApi.repository }}" - - name: "ums-stack-data-ums-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsStackDataUms.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\ - {{ .Values.charts.umsStackDataUms.repository }}" - - name: "ums-stack-data-swp-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsStackDataSwp.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - 
oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\ - {{ .Values.charts.umsStackDataSwp.repository }}" - - name: "ums-portal-server-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsPortalServer.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\ - {{ .Values.charts.umsPortalServer.repository }}" - - name: "ums-notifications-api-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsNotificationsApi.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\ - {{ .Values.charts.umsNotificationsApi.repository }}" - - name: "ums-portal-listener-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsPortalListener.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\ - {{ .Values.charts.umsPortalListener.repository }}" - - name: "ums-portal-frontend-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsPortalFrontend.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\ - {{ .Values.charts.umsPortalFrontend.repository }}" - - name: "ums-umc-gateway-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ 
.Values.charts.umsUmcGateway.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\ - {{ .Values.charts.umsUmcGateway.repository }}" - - name: "ums-umc-server-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsUmcServer.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\ - {{ .Values.charts.umsUmcServer.repository }}" - - name: "ums-selfservice-listener-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsSelfserviceListener.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\ - {{ .Values.charts.umsSelfserviceListener.repository }}" - - name: "ums-provisioning-repo" - keyring: "../../files/gpg-pubkeys/univention-de.gpg" - verify: {{ .Values.charts.umsProvisioning.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\ - {{ .Values.charts.umsProvisioning.repository }}" - - # Univention Keycloak Extensions - - name: "ums-keycloak-extensions-repo" - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\ - {{ .Values.charts.umsKeycloakExtensions.repository }}" - # Univention Keycloak - - 
name: "ums-keycloak-repo" - keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" - verify: {{ .Values.charts.umsKeycloak.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\ - {{ .Values.charts.umsKeycloak.repository }}" - - name: "ums-keycloak-bootstrap-repo" - keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" - verify: {{ .Values.charts.umsKeycloakBootstrap.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\ - {{ .Values.charts.umsKeycloakBootstrap.repository }}" + url: + "{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\ + {{ .Values.charts.ums.repository }}" + # OpenDesk Keycloak Bootstrap Chart - name: "opendesk-keycloak-bootstrap-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }} 
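Review bot: Signature verification for the new `ums` repository is gated by `{{ .Values.charts.ums.verify }}` alone, and that single flag now covers the umbrella chart that replaces about twenty individually verified charts, including Keycloak, which was previously verified against `souvap-univention-de.gpg` rather than `univention-de.gpg`. Please confirm that the umbrella chart's provenance is signed with a key contained in `univention-de.gpg` and that `charts.ums.verify` defaults to `true` in the values file, which is outside this diff. As a style point, every other repository keeps the `-repo` suffix (`opendesk-keycloak-bootstrap-repo`) while the new one is named `ums`, the same name as the release; `- name: "ums-repo"` would keep the convention and avoid confusing repository and release in `ums/{{ .Values.charts.ums.name }}`. The `url:` value is also the only one placed on the line after its key; the other entries keep `url: "…"` inline.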
@@ -175,223 +24,24 @@ repositories: oci: true url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\ {{ .Values.charts.opendeskKeycloakBootstrap.repository }}" - # VMWare Bitnami - # Source: https://github.com/bitnami/charts/ - - name: "nginx-repo" - keyring: "../../files/gpg-pubkeys/opencode.gpg" - verify: {{ .Values.charts.nginx.verify }} - username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} - oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\ - {{ .Values.charts.nginx.repository }}" releases: - - name: "ums-keycloak" - chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}" - version: "{{ .Values.charts.umsKeycloak.version }}" + # Univention Management Stack Umbrella Chart + - name: "ums" + chart: "ums/{{ .Values.charts.ums.name }}" + version: "{{ .Values.charts.ums.version }}" values: - - "values-ums-keycloak.yaml.gotmpl" + - "values-umbrella.yaml.gotmpl" installed: {{ .Values.univentionManagementStack.enabled }} timeout: 900 - - - name: "ums-keycloak-extensions" - chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}" - version: "{{ .Values.charts.umsKeycloakExtensions.version }}" - values: - - "values-ums-keycloak-extensions.yaml.gotmpl" - needs: - - "ums-keycloak" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-keycloak-bootstrap" - chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}" - version: "{{ .Values.charts.umsKeycloakBootstrap.version }}" - values: - - "values-ums-keycloak-bootstrap.yaml.gotmpl" - needs: - - "ums-keycloak" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - + # OpenDesk Keycloak Bootstrap Chart - name: "opendesk-keycloak-bootstrap" chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}" version: "{{ 
.Values.charts.opendeskKeycloakBootstrap.version }}" values: - "values-opendesk-keycloak-bootstrap.yaml.gotmpl" needs: - - "ums-keycloak-bootstrap" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-stack-gateway" - chart: "nginx-repo/{{ .Values.charts.nginx.name }}" - version: "{{ .Values.charts.nginx.version }}" - values: - - "values-ums-stack-gateway.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-ldap-server" - chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}" - version: "{{ .Values.charts.umsLdapServer.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-ldap-server.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-ldap-notifier" - chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}" - version: "{{ .Values.charts.umsLdapNotifier.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-ldap-notifier.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-udm-rest-api" - chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}" - version: "{{ .Values.charts.umsUdmRestApi.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-udm-rest-api.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-stack-data-ums" - chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}" - version: "{{ .Values.charts.umsStackDataUms.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-stack-data-ums.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-stack-data-swp" - chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}" - version: "{{ .Values.charts.umsStackDataSwp.version }}" - values: - - "values-common.yaml.gotmpl" - - 
"values-stack-data-swp.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-portal-server" - chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}" - version: "{{ .Values.charts.umsPortalServer.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-portal-server.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-notifications-api" - chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}" - version: "{{ .Values.charts.umsNotificationsApi.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-notifications-api.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-portal-listener" - chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}" - version: "{{ .Values.charts.umsPortalListener.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-portal-listener.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-portal-frontend" - chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}" - version: "{{ .Values.charts.umsPortalFrontend.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-portal-frontend.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-umc-gateway" - chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}" - version: "{{ .Values.charts.umsUmcGateway.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-umc-gateway.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-umc-server" - chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}" - version: "{{ .Values.charts.umsUmcServer.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-umc-server.yaml.gotmpl" - 
installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-selfservice-listener" - chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}" - version: "{{ .Values.charts.umsSelfserviceListener.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-selfservice-listener.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-provisioning" - chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}" - version: "{{ .Values.charts.umsProvisioning.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-provisioning.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-provisioning-udm-listener" - chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}" - version: "{{ .Values.charts.umsProvisioningUdmListener.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-provisioning-udm-listener.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-guardian-management-api" - chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}" - version: "{{ .Values.charts.umsGuardianManagementApi.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-guardian-management-api.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-guardian-management-ui" - chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}" - version: "{{ .Values.charts.umsGuardianManagementUi.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-guardian-management-ui.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-guardian-authorization-api" - chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name 
}}" - version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-guardian-authorization-api.yaml.gotmpl" - installed: {{ .Values.univentionManagementStack.enabled }} - timeout: 900 - - - name: "ums-open-policy-agent" - chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}" - version: "{{ .Values.charts.umsOpenPolicyAgent.version }}" - values: - - "values-common.yaml.gotmpl" - - "values-open-policy-agent.yaml.gotmpl" + - "ums" installed: {{ .Values.univentionManagementStack.enabled }} timeout: 900 diff --git a/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl deleted file mode 100644 index 8dee2fc9..00000000 --- a/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl +++ /dev/null @@ -1,25 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -global: - configMapUcrDefaults: "ums-stack-data-ums-ucr" - configMapUcr: "ums-stack-data-swp-ucr" - configMapUcrForced: null - -ingress: - # Intentionally not using the Ingress configuration of the UMS stack at the - # moment, since it does depend on rewriting capabilities of the ingress - # controller. Those are encapsulated into the release "stack-gateway" so that - # the compatibility with all ingress controllers is increased. - enabled: false - host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - tls: - # The TLS configuration is on the "master" Ingress, see "portal-frontend" - enabled: false - secretName: "" - -istio: - enabled: false - -... 
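Review bot: With the removal of the nginx-based `ums-stack-gateway` release the Ingress for the stack has no visible replacement: the deleted `values-common.yaml.gotmpl` in this same diff disabled the charts' own Ingress precisely because the rewriting was encapsulated in the stack-gateway release, and its comment places the TLS configuration on a "master" Ingress referenced from portal-frontend. Whether `values-umbrella.yaml.gotmpl` (not part of this diff) re-enables an Ingress with `ingressClassName` and TLS configured should be checked before merging. The same file also has to carry over the hardening that the deleted per-release values files set explicitly — `capabilities.drop: ["ALL"]` with an explicit `add` list, `seccompProfile.type: "RuntimeDefault"`, `allowPrivilegeEscalation: false`, `runAsNonRoot: true` where the image allowed it — and the secrets that were passed per release (`ldapSecret`, the guardian `oauthAdapterM2mSecret`), since the umbrella chart's defaults are not visible here. Finally, `needs: - "ums"` makes `opendesk-keycloak-bootstrap` wait for the whole umbrella release instead of only `ums-keycloak-bootstrap`, which is fine, but a single `timeout: 900` now bounds the installation of every component at once; consider whether 900 seconds is still sufficient for the umbrella release.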
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl deleted file mode 100644 index 58759300..00000000 --- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl +++ /dev/null 
@@ -1,61 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -guardianAuthorizationApi: - guardianAuthzCorsAllowedOrigins: "*" - guardianAuthzAdapterSettingsPort: "env" - guardianAuthzAdapterAppPersistencePort: "udm_data" - guardianAuthzAdapterPolicyPort: "opa" - guardianAuthzAdapterAuthenticationPort: "fast_api_oauth" - guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }} - guardianAuthzLoggingStructured: false - guardianAuthzLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}" - home: "/guardian_service_dir" - isUniventionAppCenter: 0 - oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration" - opaAdapterUrl: "http://ums-open-policy-agent/" - udmDataAdapterUrl: "http://ums-udm-rest-api/udm/" - udmDataAdapterUsername: "cn=admin" - udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }} - repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - -resources: - {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - readOnlyRootFilesystem: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl deleted file mode 100644 index df93cb64..00000000 --- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl +++ /dev/null 
@@ -1,79 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -guardianManagementApi: - home: "/guardian_service_dir" - isUniventionAppCenter: 0 - guardianManagementCorsAllowedOrigins: "*" - guardianManagementAdapterSettingsPort: "env" - guardianManagementAdapterAppPersistencePort: "sql" - guardianManagementAdapterConditionPersistencePort: "sql" - guardianManagementAdapterContextPersistencePort: "sql" - guardianManagementAdapterNamespacePersistencePort: "sql" - guardianManagementAdapterPermissionPersistencePort: "sql" - guardianManagementAdapterRolePersistencePort: "sql" - guardianManagementAdapterCapabilityPersistencePort: "sql" - guardianManagementAdapterAuthenticationPort: "fast_api_oauth" - guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization" - guardianManagementAdapterResourceAuthorizationPort: "always" - guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }} - guardianManagementLoggingStructured: false - guardianManagementLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}" - guardianManagementBaseUrl: "http://0.0.0.0:8000" - oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret" - oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration" - sqlPersistenceAdapterDialect: "postgresql" - sqlPersistenceAdapterDbName: "postgres" - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }} - repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ 
.Values.images.umsGuardianManagementApi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} - port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} - auth: - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} - database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} - password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }} - -resources: - {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - readOnlyRootFilesystem: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl deleted file mode 100644 index 08704e78..00000000 --- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl +++ /dev/null 
@@ -1,52 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -guardianManagementUi: - viteManagementUiAdapterAuthenticationPort: "keycloak" - viteManagementUiAdapterDataPort: "api" - viteKeycloakAuthenticationAdapterClientId: "guardian-ui" - viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management" - viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }} - repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -resources: - {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - readOnlyRootFilesystem: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl deleted file mode 100644 index 835aafcd..00000000 
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl +++ /dev/null @@ -1,35 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }} - repository: {{ .Values.images.umsLdapNotifier.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsLdapNotifier.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -resources: - {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - privileged: false - seccompProfile: - type: "RuntimeDefault" - privileged: false - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }} - -volumes: - claims: - shared-data: "shared-data-ums-ldap-server-0" - shared-run: "shared-run-ums-ldap-server-0" - -... diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl deleted file mode 100644 index 91bbc73a..00000000 --- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl +++ /dev/null 
@@ -1,92 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -extraVolumes: - - name: "opendesk-schemas" - configMap: - name: "ums-stack-data-swp-schemas" - -extraVolumeMounts: - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema" - subPath: "opendeskFileshare.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema" - subPath: "opendeskKnowledgemanagement.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema" - subPath: "opendeskLearnmanagement.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema" - subPath: "opendeskLivecollaboration.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" - subPath: "opendeskProjectmanagement.schema" - -extraSecrets: - - name: ums-stack-openldap-credentials - stringData: - adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - -waitForDependency: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsWaitForDependency.tag | quote }} - -ldapServer: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }} - repository: {{ .Values.images.umsLdapServer.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsLdapServer.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - - config: - domainName: "univention-organization.intranet" - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }} - credentialSecret: - name: ums-stack-openldap-credentials - key: adminPassword - -persistence: - storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }} -legacy: - sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }} - -resources: - {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }} - -initResources: - {{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }} - -podSecurityContext: - enabled: true - fsGroup: 102 - fsGroupChangePolicy: "Always" - sysctls: - - name: "net.ipv4.ip_unprivileged_port_start" - value: "1" - -containerSecurityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - runAsUser: 101 - runAsGroup: 102 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - -... diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl deleted file mode 100644 index 51efc8cd..00000000 --- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl +++ /dev/null 
@@ -1,55 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }} - repository: {{ .Values.images.umsNotificationsApi.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsNotificationsApi.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -notificationsapi: - apply_database_migrations: "True" - dev_mode: "False" - environment: "staging" - log_level: "DEBUG" - sql_echo: "False" - api_prefix: "/univention/portal/notifications-api" - -postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsNotificationsApi.host | quote }} - port: {{ .Values.databases.umsNotificationsApi.port | quote }} - auth: - username: {{ .Values.databases.umsNotificationsApi.username | quote }} - database: {{ .Values.databases.umsNotificationsApi.name | quote }} - password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} - existingSecret: "ums-notifications-api-postgresql-credentials" - -resources: - {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }} - -extraSecrets: - - name: ums-notifications-api-postgresql-credentials - stringData: - password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} -... 
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl deleted file mode 100644 index 26de7ad7..00000000 --- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl +++ /dev/null @@ -1,52 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }} - repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -openPolicyAgent: - isUniventionAppCenter: 0 - opaDataBundle: "bundles/GuardianDataBundle.tar.gz" - opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz" - opaPollingMinDelay: 10 - opaPollingMaxDelay: 15 - opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management" - -resources: - {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: - {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }} - -... 
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl index ba2a7fd5..9d00f015 100644 --- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl 
@@ -300,289 +300,6 @@ config: - "address" - "email" - "profile" - - name: "guardian-management-api" - clientId: "guardian-management-api" - rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*" - fullScopeAllowed: true - protocolMappers: - - name: "Client Host" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientHost" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientHost" - jsonType.label: "String" - - name: "Client ID" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "client_id" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "client_id" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - userinfo.token.claim: false - id.token.claim: false - access.token.claim: true - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-cli" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: 
"dn" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "Client IP Address" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientAddress" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientAddress" - jsonType.label: "String" - - name: "guardian-scripts" - clientId: "guardian-scripts" - description: "" - rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - adminUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - surrogateAuthRequired: false - enabled: true - alwaysDisplayInConsole: false - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ 
.Values.global.domain }}/guardian/*" - webOrigins: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - bearerOnly: false - consentRequired: false - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true - frontchannelLogout: false - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-scripts" - id.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - aggregate.attrs: false - multivalued: false - 
userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - defaultClientScopes: - - "opendesk" - - "web-origins" - - "acr" - - "roles" - - "profile" - - "email" - optionalClientScopes: - - "address" - - "phone" - - "offline_access" - - "microprofile-jwt" - - name: "guardian-ui" - clientId: "guardian-ui" - rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*" - standardFlowEnabled: true - publicClient: true - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: "false" - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-ui" - id.token.claim: true - access.token.claim: true - 
userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false containerSecurityContext: allowPrivilegeEscalation: false diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl deleted file mode 100644 index f660c28b..00000000 --- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl +++ /dev/null 
@@ -1,117 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- - -extraIngresses: - redirects: - # Using "stack-gateway" currently. - enabled: false - # The TLS configuration is on the "master" Ingress, see below. - tls: - enabled: false - master: - # Using "stack-gateway" currently. - enabled: false - tls: - enabled: {{ .Values.ingress.tls.enabled }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - - # See "extraVolumeMounts" below - custom-favicon: - # Using "stack-gateway" at the moment - enabled: false - annotations: - nginx.org/mergeable-ingress-type: "minion" - paths: - - pathType: "Exact" - path: "/favicon.ico" - tls: {} - -extraVolumes: - - name: "opendesk-branding" - configMap: - name: "ums-stack-data-swp-branding" - -extraVolumeMounts: - - name: "opendesk-branding" - mountPath: "/var/www/html/favicon.ico" - subPath: "favicon.ico" - - name: "opendesk-branding" - mountPath: "/var/www/html/css/custom.css" - subPath: "custom.css" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo.svg" - subPath: "logo.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo_small_border.svg" - subPath: "logo_small_border.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.png" - subPath: "portal_background_image.png" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.svg" - subPath: "portal_background_image.svg" - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }} - repository: {{ .Values.images.umsPortalFrontend.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsPortalFrontend.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - - # See "extraVolumeMounts" below - custom-branding: - # Using "stack-gateway" at the moment - enabled: false - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^/univention/portal(/.*)$ $1 break; - nginx.org/location-snippets: | - rewrite ^/univention/portal(/.*)$ $1 break; - nginx.org/mergeable-ingress-type: "minion" - paths: - # This relies on the correct implementation of the matching for paths of - # type "Prefix" since "/univention/portal/icons/entries/" is owned by - # store-dav. - # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches - - pathType: "Prefix" - path: "/univention/portal/icons/" - - pathType: "Prefix" - path: "/univention/portal/custom/" - tls: {} - -replicaCount: {{ .Values.replicas.umsPortalFrontend }} - -resources: - {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }} -... diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl deleted file mode 100644 index 0fa45bc6..00000000 --- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl +++ /dev/null 
@@ -1,85 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }} - repository: {{ .Values.images.umsPortalListener.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsPortalListener.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - waitForDependency: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsWaitForDependency.tag | quote }} - -persistence: - storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} - -portalListener: - adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} - assetsRootPath: "portal-assets" - ucsInternalPath: "portal-data" - - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - notifierServer: {{ .Values.ldap.notifierHost | quote }} - portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }} - udmApiUrl: "http://ums-udm-rest-api/udm/" - udmApiUsername: "cn=admin" - debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} - tlsMode: "off" - udmApiUrl: "http://ums-udm-rest-api/udm/" - 
udmApiUsername: "cn=admin" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" - objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} - objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} - objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }} - objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} - -resources: - {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }} - -resourcesDependencyWaiter: - {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }} - -store-dav: - bundled: false - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl deleted file mode 100644 index be4f63da..00000000 --- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl +++ /dev/null 
@@ -1,75 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }} - repository: {{ .Values.images.umsPortalServer.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsPortalServer.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -portalServer: - authMode: "saml" - editable: "false" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" - logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} - adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} - ucsInternalPath: "portal-data" - objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} - objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} - centralNavigation: - enabled: true - - credentialSecret: - name: "ums-portal-server-minio-credentials" - -replicaCount: {{ .Values.replicas.umsPortalServer }} - -resources: - {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }} - -podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "Always" - sysctls: - - name: "net.ipv4.ip_unprivileged_port_start" - value: "1" - -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - enabled: true - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - - -extraSecrets: - - name: ums-portal-server-minio-credentials - stringData: - accessKeyId: {{ 
.Values.objectstores.univentionManagementStack.username | quote }} - secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} - - name: ums-portal-server-authenticator-credentials - stringData: - authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }} - -extraVolumes: - - name: authenticator-secret - secret: - secretName: ums-portal-server-authenticator-credentials - -extraVolumeMounts: - - name: authenticator-secret - mountPath: "/var/secrets/authenticator.secret" - subPath: "authenticator.secret" -... diff --git a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl deleted file mode 100644 index a804db1c..00000000 --- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }} - repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -config: - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - notifierServer: {{ .Values.ldap.notifierHost | quote }} - tlsMode: "off" - natsHost: "ums-provisioning-nats" - natsPort: "4222" - natsUser: "udmlistener" - natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }} - internalApiHost: "ums-provisioning-api" - eventsUsernameUdm: "udmproducer" - eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }} - -resources: - {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }} -... diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl deleted file mode 100644 index e5072e37..00000000 --- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl +++ /dev/null 
@@ -1,221 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- - -api: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }} - repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - config: - rootPath: "/univention/provisioning-api" - resources: - {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }} - credentialSecretName: "ums-provisioning-api-credentials" - -dispatcher: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }} - repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - resources: - {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }} - config: - UDM_HOST: "ums-udm-rest-api" - UDM_PORT: 80 - credentialSecretName: "ums-provisioning-dispatcher-credentials" - -prefill: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }} - repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - resources: - {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }} - config: - UDM_HOST: "ums-udm-rest-api" - UDM_PORT: 80 - credentialSecretName: "ums-provisioning-prefill-credentials" - -nats: - affinity: "" - nameOverride: "" - bundled: true - connection: - host: "ums-provisioning-nats" - port: 4222 - config: - authorization: - enabled: true - users: - - user: "$NATS_USER" - password: "$NATS_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_API_USER" - password: "$NATS_API_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_DISPATCHER_USER" - password: "$NATS_DISPATCHER_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_PREFILL_USER" - password: "$NATS_PREFILL_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_UDMLISTENER_USER" - password: "$NATS_UDMLISTENER_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_ADMIN_USER" - password: "$NATS_ADMIN_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - resources: - {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }} - - extraEnvVars: - - name: NATS_USER - value: "master_admin" - - name: NATS_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-nats-credentials - key: admin_password - - name: NATS_ADMIN_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: ADMIN_NATS_USER - - name: NATS_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: ADMIN_NATS_PASSWORD - - name: NATS_API_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_USER - - name: NATS_API_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_PASSWORD - - name: NATS_DISPATCHER_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-dispatcher-credentials - key: NATS_USER - - name: NATS_DISPATCHER_PASSWORD - valueFrom: - secretKeyRef: - 
name: ums-provisioning-dispatcher-credentials - key: NATS_PASSWORD - - name: NATS_PREFILL_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_USER - - name: NATS_PREFILL_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_PASSWORD - - name: NATS_UDMLISTENER_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-udmlistener-credentials - key: NATS_USER - - name: NATS_UDMLISTENER_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-udmlistener-credentials - key: NATS_PASSWORD - -extraSecrets: - - name: ums-provisioning-nats-credentials - stringData: - admin_password: {{ .Values.secrets.nats.natsAdminPassword }} - - name: ums-provisioning-api-credentials - stringData: - NATS_USER: "api" - NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }} - ADMIN_NATS_USER: "admin" - ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }} - UDM_HOST: "udm-rest-api" - ADMIN_USERNAME: "admin" - ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }} - DISPATCHER_USERNAME: "dispatcher" - DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }} - PREFILL_USERNAME: "prefill" - PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }} - EVENTS_USERNAME_UDM: "udmproducer" - EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }} - - name: ums-provisioning-dispatcher-credentials - stringData: - NATS_USER: "dispatcher" - NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }} - DISPATCHER_USERNAME: "dispatcher" - DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }} - - name: ums-provisioning-prefill-credentials - stringData: - NATS_USER: "prefill" - 
NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }} - UDM_USERNAME: "cn=admin" - UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - PREFILL_USERNAME: "prefill" - PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }} - - name: ums-provisioning-udmlistener-credentials - stringData: - NATS_USER: "udmlistener" - NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }} - -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - enabled: true - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - -podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "Always" - sysctls: - - name: "net.ipv4.ip_unprivileged_port_start" - value: "1" - - - -... diff --git a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl deleted file mode 100644 index d1cb2c03..00000000 --- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -image: - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - selfserviceListener: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }} - repository: {{ .Values.images.umsSelfserviceListener.repository | quote }} - tag: {{ .Values.images.umsSelfserviceListener.tag | quote }} - - selfserviceInvitation: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }} - repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }} - tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }} - - waitForDependency: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsWaitForDependency.tag | quote }} - -persistence: - storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }} - -resources: - {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }} - -resourcesDependencyWaiter: - {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }} - -selfserviceListener: - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - 
notifierServer: {{ .Values.ldap.notifierHost | quote }} - umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} - debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} - tlsMode: "off" - umcServerUrl: "http://ums-umc-server" - umcAdminUser: "default.admin" - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl deleted file mode 100644 index 9183a521..00000000 --- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl +++ /dev/null 
@@ -1,74 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -additionalAnnotations: - intents.otterize.com/service-name: "ums-stack-data-swp" - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} - repository: {{ .Values.images.umsDataLoader.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsDataLoader.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -resources: - {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }} - -stackDataContext: - ldapBase: "dc=swp-ldap,dc=internal" - oxDefaultContext: "1" - smtpStartTls: true - ldapSearchUsers: - {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }} - - username: {{ printf "ldapsearch_%s" $username | quote }} - password: {{ $password | quote }} - lastname: "LDAP-Search-User" - {{- end }} - - externalDomainName: {{ .Values.global.domain | quote }} - externalMailDomain: {{ .Values.global.domain | quote }} - - portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }} - portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }} - portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }} - portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi 
.Values.global.domain | quote }} - portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }} - portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }} - portalTitleDE: "{{ .Values.theme.texts.productName }} Portal" - portalTitleEN: "{{ .Values.theme.texts.productName }} Portal" - - smtpHost: {{ .Values.smtp.host | quote }} - smtpPort: {{ .Values.smtp.port | quote }} - smtpUser: {{ .Values.smtp.username | quote }} - - userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }} - adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} - -stackDataSwp: - udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - systemInformation: - deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}" - releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}" - udmApiUser: "cn=admin" - udmApiUrl: "http://ums-udm-rest-api/udm/" - loadDevData: true - -... diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl deleted file mode 100644 index 0c924d94..00000000 --- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl +++ /dev/null 
@@ -1,63 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -additionalAnnotations: - intents.otterize.com/service-name: "ums-stack-data-ums" - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} - repository: {{ .Values.images.umsDataLoader.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsDataLoader.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -resources: - {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }} - -stackDataContext: - idpSamlMetadataUrlInternal: null - umcSamlSchemes: "https" - # The openDesk configuration brings its own UMC policies. 
- installUmcPolicies: false - domainname: {{ .Values.global.domain | quote }} - externalMailDomain: {{ .Values.global.domain | quote }} - hostname: {{ .Values.global.hosts.univentionManagementStack | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapBase: {{ .Values.ldap.baseDn | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} - ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }} - initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }} - initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }} - umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }} - umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }} - umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }} - umcMemcachedUsername: "" - -stackDataUms: - loadDevData: true - udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - udmApiUrl: "http://ums-udm-rest-api/udm/" - udmApiUser: "cn=admin" - -... diff --git a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl deleted file mode 100644 index 8a0b85bd..00000000 --- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl +++ /dev/null 
@@ -1,65 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }} - repository: {{ .Values.images.umsStoreDav.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsStoreDav.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - configHtpasswd: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsConfigHtpasswd.registry | quote }} - repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - -persistence: - data: - storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }} - -resources: - {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }} - -storeDav: - auth: - basicAuth: - portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }} - portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }} - -... 
diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
deleted file mode 100644
index 8a1ab7da..00000000
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ /dev/null
@@ -1,64 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -extraVolumes: - - name: "attribute-to-group-mapper-hook" - configMap: - name: "ums-stack-data-swp-attribute-to-group-mapper-hook" - -extraVolumeMounts: - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" - subPath: "AttributeToGroupMapper.py" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" - subPath: "flag_to_group_mapping.json" - -resources: - {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }} - -initResources: - {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }} - -replicaCount: {{ .Values.replicas.umsUdmRestApi }} - -podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "Always" - -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - enabled: true - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - -udmRestApi: - secretRef: ums-udm-rest-api-credentials - ldap: - uri: "ldap://{{ .Values.ldap.host }}:389" - baseDN: {{ .Values.ldap.baseDn | quote }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }} - repository: {{ .Values.images.umsUdmRestApi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsUdmRestApi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - -extraSecrets: - - name: ums-udm-rest-api-credentials - stringData: - ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - -... diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl new file mode 100644 index 00000000..2b7158f2 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl 
@@ -0,0 +1,1563 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+global:
+ configMapUcrDefaults: "ums-stack-data-ums-ucr"
+ configMapUcr: "ums-stack-data-swp-ucr"
+ configMapUcrForced: null
+ domain: {{ .Values.global.domain | quote }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+tags:
+ pre-release: true
+
+guardian:
+ enabled: false
+ authorizationApi:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-guardian-authorization-api"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
+ repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+
+ config:
+ guardianAuthzLoggingStructured: false
+ oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+ opaAdapterUrl: "http://ums-guardian-open-policy-agent/"
+ udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
+ udmDataAdapterUsername: "cn=admin"
+ udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ ingress:
+ enabled: false
+ resources:
+ {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
+
+ managementApi:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-guardian-management-api"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
+ repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+
+ config:
+ guardianManagementLoggingStructured: false
+ guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
+ oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+ secretRef: "guardian-keycloak-client-secret"
+ ingress:
+ enabled: false
+ resources:
+ {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
+
+ managementUi:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-guardian-management-ui"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
+ repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+
+ config:
+ viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
+ viteManagementUiAdapterAuthenticationPort: "keycloak"
+ viteManagementUiAdapterDataPort: "api"
+ viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
+ viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
+ ingress:
+ enabled: false
+ resources:
+ {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
+
+ openPolicyAgent:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-ums-open-policy-agent"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
+ repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+ config:
+ opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
+ ingress:
+ enabled: false
+ resources:
+ {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
+
+
+ provisioning:
+ enabled: true
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }}
+ repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianProvisioning.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+ config:
+ nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ keycloak:
+ url: "http://ums-keycloak:8080"
+ fqdn: "id.uv-example.gaia.open-desk.cloud"
+ realm: "opendesk"
+ admin: "kcadmin"
+ credentialSecretName: "guardian-keycloak-secret"
+
+ postgresql:
+ bundled: false
+ connection:
+ host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+ port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+ auth:
+ username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+ database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+ password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+ldap-notifier:
+ enabled: true
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-ldap-notifier"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
+ repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+ replicaCount: {{ .Values.replicas.umsLdapNotifier }}
+ resources:
+ {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
+ securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }}
+ volumes:
+ claims:
+ shared-data: "shared-data-ums-ldap-server-0"
+ shared-run: "shared-run-ums-ldap-server-0"
+
+ldap-server:
+ enabled: true
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-ldap-server"
+ replicaCount: {{ .Values.replicas.umsLdapServer }}
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ waitForDependency:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+ repository: {{ .Values.images.umsWaitForDependency.repository }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+ ldapServer:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+ repository: {{ .Values.images.umsLdapServer.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }}
+ {{- end }}
+ config:
+ domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
+ ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+ samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+ samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+ samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
+ credentialSecret:
+ name: ums-ldap-credentials
+ key: adminPassword
+ extraVolumes:
+ - name: "opendesk-schemas"
+ configMap:
+ name: "ums-stack-data-swp-schemas"
+
+ extraVolumeMounts:
+ - name: "opendesk-schemas"
+ mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
+ subPath: "opendeskFileshare.schema"
+ - name: "opendesk-schemas"
+ mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
+ subPath: "opendeskKnowledgemanagement.schema"
+ - name: "opendesk-schemas"
+ mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
+ subPath: "opendeskLearnmanagement.schema"
+ - name: "opendesk-schemas"
+ mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
+ subPath: "opendeskLivecollaboration.schema"
+ - name: "opendesk-schemas"
+ mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
+ subPath: "opendeskProjectmanagement.schema"
+
+ persistence:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+
+ resources:
+ {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+
+ initResources:
+ {{ 
.Values.resources.umsLdapServerInit | toYaml | nindent 4 }}
+
+notifications-api:
+ enabled: true
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-notifications-api"
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
+ repository: {{ .Values.images.umsNotificationsApi.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsNotificationsApi.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+ postgresql:
+ bundled: false
+ connection:
+ host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+ port: {{ .Values.databases.umsNotificationsApi.port | quote }}
+ auth:
+ username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+ database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+ existingSecret: "ums-notifications-api-postgresql-credentials"
+ replicaCount: {{ .Values.replicas.umsNotificationsApi }}
+ notificationsapi:
+ apply_database_migrations: "True"
+ dev_mode: "False"
+ environment: "staging"
+ log_level: "DEBUG"
+ sql_echo: "False"
+ api_prefix: "/univention/portal/notifications-api"
+ resources:
+ {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
+
+portal-frontend:
+ enabled: true
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-portal-frontend"
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
+ repository: {{ .Values.images.umsPortalFrontend.repository }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsPortalFrontend.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }} + {{- end }} + extraVolumes: + - name: "opendesk-branding" + configMap: + name: "ums-stack-data-swp-branding" + extraVolumeMounts: + - name: "opendesk-branding" + mountPath: "/var/www/html/favicon.ico" + subPath: "favicon.ico" + - name: "opendesk-branding" + mountPath: "/var/www/html/css/custom.css" + subPath: "custom.css" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo.svg" + subPath: "logo.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo_small_border.svg" + subPath: "logo_small_border.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.png" + subPath: "portal_background_image.png" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.svg" + subPath: "portal_background_image.svg" + replicaCount: {{ .Values.replicas.umsPortalFrontend }} + resources: + {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }} + +portal-listener: + enabled: true + podAnnotations: + intents.otterize.com/service-name: "ums-portal-listener" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }} + repository: {{ .Values.images.umsPortalListener.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsPortalListener.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + waitForDependency: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} + repository: {{ .Values.images.umsWaitForDependency.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsWaitForDependency.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + persistence: + storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} + size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} + portalListener: + adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} + assetsRootPath: "portal-assets" + ucsInternalPath: "portal-data" + + ldapBaseDn: {{ .Values.ldap.baseDn | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} + ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + notifierServer: {{ .Values.ldap.notifierHost | quote }} + portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }} + udmApiUrl: "http://ums-udm-rest-api/udm/" + udmApiUsername: "cn=admin" + debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} + tlsMode: "off" + umcGetUrl: "http://ums-umc-server/get" + umcSessionUrl: "http://ums-umc-server/get/session-info" + objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} + objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }} + objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} + replicaCount: {{ .Values.replicas.umsPortalListener }} + resources: + {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }} + + resourcesWaitForDependency: + {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 4 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + 
- "CHOWN" + - "DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + privileged: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seLinuxOptions: + {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }} + +portal-server: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-portal-server" + serviceAccount: + annotations: + intended.usage: "compliance" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }} + repository: {{ .Values.images.umsPortalServer.repository }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsPortalServer.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + portalServer: + authMode: "saml" + editable: "false" + adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} + ucsInternalPath: "portal-data" + umcGetUrl: "http://ums-umc-server/get" + umcSessionUrl: "http://ums-umc-server/get/session-info" + objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} + objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + centralNavigation: + enabled: true + credentialSecret: + name: "ums-portal-server-minio-credentials" + accessKeyId: "nubus-s3-access-key-id" + secretAccessKey: "nubus-s3-secret-key-id" + + extraVolumes: + - name: authenticator-secret + secret: + secretName: ums-portal-server-authenticator-credentials + + extraVolumeMounts: + - name: authenticator-secret + mountPath: "/var/secrets/authenticator.secret" + subPath: "authenticator.secret" + + replicaCount: {{ 
.Values.replicas.umsPortalServer }} + + resources: + {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }} + +provisioning: + enabled: false + api: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }} + repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + credentialSecretName: "ums-provisioning-api-credentials" + dispatcher: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }} + repository: {{ .Values.images.umsProvisioningDispatcher.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsProvisioningDispatcher.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + credentialSecretName: "ums-provisioning-dispatcher-credentials" + prefill: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }} + repository: {{ .Values.images.umsProvisioningPrefill.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsProvisioningPrefill.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + credentialSecretName: "ums-provisioning-prefill-credentials" + nats: + config: + authorization: + enabled: false + users: + - user: "admin" + password: "$NATS_PASSWORD" + permissions: + publish: ">" + subscribe: ">" + - user: "$NATS_API_USER" + password: "$NATS_API_PASSWORD" + permissions: + publish: ">" + subscribe: ">" + - user: "$NATS_DISPATCHER_USER" + password: "$NATS_DISPATCHER_PASSWORD" + permissions: + publish: ">" + subscribe: ">" + - user: "$NATS_PREFILL_USER" + password: "$NATS_PREFILL_PASSWORD" + permissions: + publish: ">" + subscribe: ">" + extraEnvVars: + - name: NATS_USER + value: "admin" + - name: NATS_PASSWORD + valueFrom: + secretKeyRef: + name: ums-provisioning-nats-credentials + key: admin_password + - name: NATS_API_USER + valueFrom: + secretKeyRef: + name: ums-provisioning-api-credentials + key: NATS_USER + - name: NATS_API_PASSWORD + valueFrom: + secretKeyRef: + name: ums-provisioning-api-credentials + key: NATS_PASSWORD + - name: NATS_DISPATCHER_USER + valueFrom: + secretKeyRef: + name: ums-provisioning-dispatcher-credentials + key: NATS_USER + - name: NATS_DISPATCHER_PASSWORD + valueFrom: + secretKeyRef: + name: ums-provisioning-dispatcher-credentials + key: NATS_PASSWORD + - name: NATS_PREFILL_USER + valueFrom: + secretKeyRef: + name: ums-provisioning-prefill-credentials + key: NATS_USER + - name: NATS_PREFILL_PASSWORD + valueFrom: + secretKeyRef: + name: ums-provisioning-prefill-credentials + key: NATS_PASSWORD + + ingress: + host: "localhost" + tls: + enabled: false + +udm-listener: + enabled: false + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }} + repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + config: + debugLevel: "4" + ldapBaseDn: {{ .Values.ldap.baseDn | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} + ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + ldapPort: "389" + notifierServer: "ums-ldap-notifier" + tlsMode: "off" + natsHost: "ums-provisioning-nats" + +stack-data-ums: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-data-ums" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} + repository: {{ .Values.images.umsDataLoader.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsDataLoader.tag | quote }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + stackDataUms: + loadDevData: true + udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + udmApiUrl: "http://ums-udm-rest-api/udm/" + udmApiUser: "cn=admin" + stackDataContext: + idpSamlMetadataUrlInternal: null + umcSamlSchemes: "https" + # The openDesk configuration brings its own UMC policies. 
+ installUmcPolicies: false + domainname: {{ .Values.global.domain | quote }} + externalMailDomain: {{ .Values.global.domain | quote }} + hostname: {{ .Values.global.hosts.univentionManagementStack | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapBase: {{ .Values.ldap.baseDn | quote }} + ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} + idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} + umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} + idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} + ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }} + initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }} + initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }} + umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }} + umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }} + umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }} + umcMemcachedUsername: "" + +stack-data-swp: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-data-swp" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} + repository: {{ .Values.images.umsDataLoader.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsDataLoader.tag | quote }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + stackDataContext: + ldapBase: {{ .Values.ldap.baseDn }} + oxDefaultContext: "1" + smtpStartTls: true + ldapSearchUsers: + {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }} + - username: {{ printf "ldapsearch_%s" $username | quote }} + password: {{ $password | quote }} + lastname: "LDAP-Search-User" + {{- end }} + + externalDomainName: {{ .Values.global.domain | quote }} + externalMailDomain: {{ .Values.global.domain | quote }} + + portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }} + portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }} + portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }} + portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }} + portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }} + portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }} + portalTitleDE: "{{ .Values.theme.texts.productName }} Portal" + portalTitleEN: "{{ .Values.theme.texts.productName }} Portal" + + smtpHost: {{ .Values.smtp.host | quote }} + smtpPort: {{ .Values.smtp.port | quote }} + smtpUser: {{ .Values.smtp.username | quote }} + + userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }} + adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} + + stackDataSwp: + udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + systemInformation: + deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}" + releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}" + 
udmApiUser: "cn=admin" + udmApiUrl: "http://ums-udm-rest-api/udm/" + loadDevData: true + resources: + {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seLinuxOptions: + {{- .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 6 }} + +selfservice-listener: + enabled: true + podAnnotations: + intents.otterize.com/service-name: "ums-selfservice-listener" + image: + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + + selfserviceListener: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }} + repository: {{ .Values.images.umsSelfserviceListener.repository | quote }} + tag: {{ .Values.images.umsSelfserviceListener.tag | quote }} + + selfserviceInvitation: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }} + repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }} + tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }} + + waitForDependency: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} + repository: {{ .Values.images.umsWaitForDependency.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsWaitForDependency.tag | quote }} + + persistence: + storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} + size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }} + + resources: + {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }} + + resourcesDependencyWaiter: + {{ 
.Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 4 }} + + replicaCount: {{ .Values.replicas.umsSelfserviceListener }} + + selfserviceListener: + ldapBaseDn: {{ .Values.ldap.baseDn | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} + ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + notifierServer: {{ .Values.ldap.notifierHost | quote }} + umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} + debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} + tlsMode: "off" + umcServerUrl: "http://ums-umc-server" + umcAdminUser: "default.admin" + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + privileged: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }} + +udm-rest-api: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-udm-rest-api" + serviceAccount: + annotations: + intended.usage: "compliance" + udmRestApi: + secretRef: ums-udm-rest-api-credentials + ldap: + uri: "ldap://ums-ldap-server:389" + baseDN: {{ .Values.ldap.baseDn | quote }} + tls: + enabled: false + secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }} + repository: {{ .Values.images.umsUdmRestApi.repository | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsUdmRestApi.tag 
| quote }} + extraVolumes: + - name: "attribute-to-group-mapper-hook" + configMap: + name: "ums-stack-data-swp-attribute-to-group-mapper-hook" + extraVolumeMounts: + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" + subPath: "AttributeToGroupMapper.py" + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" + subPath: "flag_to_group_mapping.json" + resources: + {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }} + initResources: + {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }} + replicaCount: {{ .Values.replicas.umsUdmRestApi }} + +umc-gateway: + enabled: true + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }} + repository: {{ .Values.images.umsUmcGateway.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsUmcGateway.tag | quote }} + replicaCount: {{ .Values.replicas.umsUmcGateway }} + umcGateway: + umcHtmlTitle: "openDesk - Admin" + extraVolumes: + - name: "entrypoint-swp-patches" + configMap: + name: "ums-stack-data-swp-umc-gateway-entrypoint" + defaultMode: 0555 + - name: "announcements-customization" + configMap: + name: "ums-stack-data-swp-umc-server-announcements" + defaultMode: 0444 + extraVolumeMounts: + - name: "entrypoint-swp-patches" + mountPath: "/entrypoint.d/90-swp.sh" + subPath: "90-swp.sh" + - name: "announcements-customization" + mountPath: + "/usr/share/univention-management-console-frontend/js/dijit/themes\ + /umc/icons/16x16/udm-portals-announcement.png" + subPath: "udm-portals-announcement.png" + ingress: + host: localhost + enabled: false + tls: + enabled: false + + resources: + {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }} + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - 
"DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + privileged: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }} + +umc-server: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-umc-server" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }} + repository: {{ .Values.images.umsUmcServer.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsUmcServer.tag | quote }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + replicaCount: {{ .Values.replicas.umsUmcServer }} + umcServer: + certPemFile: "/var/secrets/ssl/tls.crt" + caCert: "Cg==" + certPem: "Cg==" + privateKey: "Cg==" + ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + smtpSecret: {{ .Values.smtp.password | quote }} + privateKeyFile: "/var/secrets/ssl/tls.key" + extraVolumes: + - name: "certificates" + secret: + secretName: "opendesk-certificates-tls" + - name: "entrypoint-swp-patches" + configMap: + name: "ums-stack-data-swp-umc-server-entrypoint" + defaultMode: 0555 + - name: "self-service-emails" + configMap: + name: "ums-stack-data-swp-self-service-emails" + defaultMode: 0444 + - name: "attribute-to-group-mapper-hook" + configMap: + name: "ums-stack-data-swp-attribute-to-group-mapper-hook" + - name: "announcements-customization" + configMap: + name: "ums-stack-data-swp-umc-server-announcements" + defaultMode: 0444 + extraVolumeMounts: + - name: "certificates" + mountPath: "/var/secrets/ssl" + - name: "entrypoint-swp-patches" + mountPath: 
"/entrypoint.d/90-customization.sh" + subPath: "90-customization.sh" + - name: "self-service-emails" + mountPath: "/usr/share/univention-self-service/email_bodies" + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" + subPath: "AttributeToGroupMapper.py" + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" + subPath: "flag_to_group_mapping.json" + - name: "announcements-customization" + mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml" + subPath: "udm-portals-announcement.xml" + ingress: + host: localhost + enabled: false + tls: + enabled: false + memcached: + bundled: false + auth: + username: null + # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET. 
+ password: "password" + server: {{ .Values.cache.umsSelfservice.host | quote }} + + postgresql: + bundled: false + connection: + host: {{ .Values.databases.umsSelfservice.host | quote }} + port: {{ .Values.databases.umsSelfservice.port | quote }} + auth: + username: {{ .Values.databases.umsSelfservice.username | quote }} + database: {{ .Values.databases.umsSelfservice.name | quote }} + password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} + postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }} + + resources: + {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }} + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + privileged: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }} + +keycloak: + enabled: true + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak" + serviceAccount: + annotations: + intended.usage: "compliance" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }} + repository: {{ .Values.images.umsKeycloak.repository | quote }} + tag: {{ .Values.images.umsKeycloak.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + + config: + admin: + password: {{ .Values.secrets.keycloak.adminPassword | quote }} + database: + host: {{ .Values.databases.keycloak.host | quote }} + port: {{ .Values.databases.keycloak.port }} + user: {{ .Values.databases.keycloak.username | quote }} + database: {{ .Values.databases.keycloak.name | quote }} + existingSecret: + name: "ums-keycloak-postgresql-credentials" + key: "keycloakDatabasePassword" 
+ logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} + enableMetrics: true + # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions + # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly + # through an own ingress. + exposeAdminConsole: false + + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + privileged: false + readOnlyRootFilesystem: false + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }} + + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + + theme: + univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css" + univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css" + favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico" + + replicaCount: {{ .Values.replicas.keycloak }} + + resources: + {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }} + +keycloak-bootstrap: + enabled: true + serviceAccount: + annotations: + intended.usage: "compliance" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }} + repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }} + tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + + cleanup: + deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} + keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }} + + config: + keycloak: + adminUser: "kcadmin" + adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} + realm: {{ 
.Values.platform.realm | quote }} + intraCluster: + enabled: true + internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" + loginLinks: + - link_number: 1 + language: "de" + description: "Passwort vergessen?" + href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten" + - link_number: 1 + language: "en" + description: "Forgot password?" + href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten" + ums: + ldap: + internalHostname: {{ .Values.ldap.host | quote }} + baseDN: {{ .Values.ldap.baseDn | quote }} + readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal" + readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }} + mappers: + - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin" + - ldapAndUserModelAttributeName: "oxContextIDNum" + saml: + serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" + twoFactorAuthentication: + enabled: true + group: "2fa-users" + + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: false + privileged: false + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + seLinuxOptions: + {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }} + + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-bootstrap" + + podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: "Always" + + resources: + {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }} + +keycloak-extensions: + enabled: true + keycloak: + host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" + 
adminUsername: "kcadmin" + adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} + adminRealm: "master" + realm: {{ .Values.platform.realm | quote }} + postgresql: + connection: + host: {{ .Values.databases.keycloakExtension.host | quote }} + port: {{ .Values.databases.keycloakExtension.port }} + auth: + database: {{ .Values.databases.keycloakExtension.name | quote }} + username: {{ .Values.databases.keycloakExtension.username | quote }} + password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} + handler: + replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }} + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-extensions-handler" + # nameOverride: "keycloak-extensions-handler" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }} + repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }} + tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: {{ .Values.global.imagePullSecrets }} + appConfig: + captchaProtectionEnable: false + deviceProtectionEnable: true + ipProtectionEnable: true + logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} + newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account" + smtpPassword: {{ .Values.smtp.password | quote }} + smtpHost: {{ .Values.smtp.host | quote }} + smtpPort: {{ .Values.smtp.port | quote }} + smtpUsername: {{ .Values.smtp.username | quote }} + mailFrom: "noreply@{{ .Values.global.domain }}" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + privileged: false + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + seLinuxOptions: {{ 
.Values.seLinuxOptions.umsKeycloakExtensionHandler }} + resources: + {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }} + proxy: + replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }} + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-extensions-proxy" + # nameOverride: "keycloak-extensions-proxy" + appConfig: + logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }} + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }} + repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }} + tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: {{ .Values.global.imagePullSecrets }} + ingress: + annotations: + nginx.org/proxy-buffer-size: "8k" + nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" + paths: + {{- if .Values.debug.enabled }} + - pathType: "Prefix" + path: "/admin" + {{- end }} + - pathType: "Prefix" + path: "/realms" + - pathType: "Prefix" + path: "/resources" + - pathType: "Prefix" + path: "/fingerprintjs" + - pathType: "Exact" + path: "/univention/meta.json" + backend: + service: + name: "ums-stack-gateway" + port: + name: "http" + + enabled: {{ .Values.ingress.enabled }} + ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} + host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + tls: + enabled: {{ .Values.ingress.tls.enabled }} + secretName: {{ .Values.ingress.tls.secretName | quote }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }} + resources: + {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | 
nindent 6 }} + +keycloak-postgresql: + enabled: false + +stack-gateway: + enabled: true + additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-gateway" + fullnameOverride: "ums-stack-gateway" + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }} + repository: {{ .Values.images.umsStackGateway.repository | quote }} + tag: {{ .Values.images.umsStackGateway.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + ingress: + annotations: + # Ensure that the ingress controller can handle responses with plenty of + # headers. This is a requirement from the UDM Rest API. + nginx.org/proxy-buffer-size: "64k" + nginx.org/proxy-buffers: "4 128k" + enabled: {{ .Values.ingress.enabled }} + extraTls: + - hosts: + - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} + secretName: {{ .Values.ingress.tls.secretName | quote }} + hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} + ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} + tls: false + + podSecurityContext: + enabled: true + fsGroup: 1001 + replicaCount: {{ .Values.replicas.umsStackGateway }} + + resources: + {{ .Values.resources.umsStackGateway | toYaml | nindent 4 }} + + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }} + + service: + type: "ClusterIP" + + serviceAccount: + create: true + + # The content of the "serverBlock" does resemble the Ingress configuration of + # the UMS components. The "location" entries do intentionally reflect precisely + # the respective paths which are configured. 
+ serverBlock: | + server { + listen 8080; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $http_x_forwarded_host; + proxy_set_header X-Forwarded-Port $http_x_forwarded_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + + ## portal-frontend + # The frontend does not own "/univention/portal" nor + # "/univention/selfservice", only these two bits + location = /univention/portal/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + location = /univention/portal/index.html { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + location = /univention/selfservice/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + + # The following prefixes are owned by the frontend + location /univention/portal/css/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/fonts/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/i18n/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/media/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/js/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/oidc/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/selfservice/css/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/selfservice/fonts/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass 
http://ums-portal-frontend:80; + } + location /univention/selfservice/i18n/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/selfservice/media/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/selfservice/js/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/selfservice/oidc/ { + rewrite ^/univention/selfservice(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + + + ## frontend redirects + location = / { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention/ { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention/portal { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention/selfservice { + absolute_redirect off; + return 302 /univention/selfservice/; + } + + + ## portal-server + location = /univention/portal/portal.json { + proxy_pass http://ums-portal-server:80; + } + location = /univention/selfservice/portal.json { + proxy_pass http://ums-portal-server:80; + } + location = /univention/portal/navigation.json { + proxy_pass http://ums-portal-server:80; + } + + + ## udm-rest-api + location /univention/udm/ { + # The UDM Rest API does return on some endpoints a lot of headers + proxy_busy_buffers_size 128k; + proxy_buffers 4 128k; + proxy_buffer_size 64k; + + rewrite ^/univention(/udm/.*)$ $1 break; + proxy_pass http://ums-udm-rest-api:80; + } + + + ## umc-gateway + location = /univention/languages.json { + proxy_pass http://ums-umc-gateway:80; + } + location = /univention/meta.json { + proxy_pass http://ums-umc-gateway:80; + } + location = /univention/theme.css { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/js/ { + 
proxy_pass http://ums-umc-gateway:80; + } + location /univention/login/ { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/management/ { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/themes/ { + proxy_pass http://ums-umc-gateway:80; + } + + + ## umc-server + location = /univention/auth { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + proxy_set_header X-UMC-HTTPS 'on'; + } + location /univention/logout { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/saml { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + proxy_set_header X-UMC-HTTPS 'on'; + } + location /univention/get { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/set { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/command { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/upload { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + + + ## notifications-api + location /univention/portal/notifications-api/ { + rewrite ^/univention/portal/notifications-api(/.*)$ $1 break; + proxy_pass http://ums-notifications-api:80; + } + + ## openDesk branding + location = /favicon.ico { + proxy_pass http://ums-portal-frontend:80/; + } + location /univention/portal/custom/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + location /univention/portal/icons/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + + ## provisioning-api + # location /univention/provisioning-api/ { + # rewrite ^/univention/provisioning-api(/.*)$ $1 break; + # proxy_pass http://ums-provisioning-api:80; + # } + + ## guardian + # location /univention/guardian/management-ui { + # proxy_pass 
http://ums-guardian-management-ui:80/univention/guardian/management-ui; + # } + # location /guardian/management { + # proxy_pass http://ums-guardian-management-api:80/guardian/management; + # } + # location /guardian/authorization { + # proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization; + # } + + ## object storage (minio) + location /univention/portal/icons/entries/ { + rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break; + # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; + proxy_pass http://minio:9000; + } + location /univention/portal/icons/logos/ { + rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break; + # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; + proxy_pass http://minio:9000; + } + location /univention/selfservice/icons/entries/ { + rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break; + # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; + proxy_pass http://minio:9000; + } + location /univention/selfservice/icons/logos/ { + rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break; + # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; + proxy_pass http://minio:9000; + } + + } + +minio: + enabled: false + +extraSecrets: + - name: ums-ldap-credentials + stringData: + adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + - name: ums-notifications-api-postgresql-credentials + stringData: + password: {{ .Values.databases.umsNotificationsApi.password | 
default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} + - name: ums-keycloak-extensions-postgresql-credentials + stringData: + password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} + - name: ums-portal-server-minio-credentials + stringData: + nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }} + nubus-s3-secret-key-id: {{ .Values.secrets.minio.umsUser | quote }} + - name: ums-portal-server-authenticator-credentials + stringData: + authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }} + - name: ums-provisioning-api-credentials + stringData: + NATS_USER: "api" + NATS_PASSWORD: "password" + - name: ums-provisioning-dispatcher-credentials + stringData: + UDM_USERNAME: "cn=admin" + UDM_PASSWORD: "password" + NATS_USER: "dispatcher" + NATS_PASSWORD: "password" + - name: ums-provisioning-prefill-credentials + stringData: + NATS_USER: "prefill" + NATS_PASSWORD: "password" + - name: ums-provisioning-nats-credentials + stringData: + admin_password: "nimda" + - name: ums-udm-rest-api-credentials + stringData: + ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + - name: "ums-keycloak-postgresql-credentials" + stringData: + keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} + - name: "guardian-keycloak-client-secret" + stringData: + oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} + - name: "guardian-keycloak-secret" + stringData: + KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }} + GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} +... 
diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
deleted file mode 100644
index 54ed47d5..00000000
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ /dev/null
@@ -1,64 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
- - name: "entrypoint-swp-patches"
- configMap:
- name: "ums-stack-data-swp-umc-gateway-entrypoint"
- defaultMode: 0555
- - name: "announcements-customization"
- configMap:
- name: "ums-stack-data-swp-umc-server-announcements"
- defaultMode: 0444
-
-extraVolumeMounts:
- - name: "entrypoint-swp-patches"
- mountPath: "/entrypoint.d/90-swp.sh"
- subPath: "90-swp.sh"
- - name: "announcements-customization"
- mountPath:
- "/usr/share/univention-management-console-frontend/js/dijit/themes\
- /umc/icons/16x16/udm-portals-announcement.png"
- subPath: "udm-portals-announcement.png"
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
- repository: {{ .Values.images.umsUmcGateway.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsUmcGateway.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: false
- runAsUser: 0
- runAsGroup: 0
- runAsNonRoot: false
- seLinuxOptions:
- {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
-
-...
diff --git a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
deleted file mode 100644
index 08b8856b..00000000
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ /dev/null
@@ -1,109 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -extraVolumes: - - name: "certificates" - secret: - secretName: "opendesk-certificates-tls" - - name: "entrypoint-swp-patches" - configMap: - name: "ums-stack-data-swp-umc-server-entrypoint" - defaultMode: 0555 - - name: "self-service-emails" - configMap: - name: "ums-stack-data-swp-self-service-emails" - defaultMode: 0444 - - name: "attribute-to-group-mapper-hook" - configMap: - name: "ums-stack-data-swp-attribute-to-group-mapper-hook" - - name: "announcements-customization" - configMap: - name: "ums-stack-data-swp-umc-server-announcements" - defaultMode: 0444 - -extraVolumeMounts: - - name: "certificates" - mountPath: "/var/secrets/ssl" - - name: "entrypoint-swp-patches" - mountPath: "/entrypoint.d/90-customization.sh" - subPath: "90-customization.sh" - - name: "self-service-emails" - mountPath: "/usr/share/univention-self-service/email_bodies" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" - subPath: "AttributeToGroupMapper.py" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" - subPath: "flag_to_group_mapping.json" - - name: "announcements-customization" - mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml" - subPath: "udm-portals-announcement.xml" - -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - {{ . 
}} - {{- end }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }} - repository: {{ .Values.images.umsUmcServer.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsUmcServer.tag | quote }} - -memcached: - bundled: false - auth: - password: null - -postgresql: - bundled: false - auth: - username: {{ .Values.databases.umsSelfservice.username | quote }} - database: {{ .Values.databases.umsSelfservice.name | quote }} - password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} - postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }} - connection: - host: {{ .Values.databases.umsSelfservice.host | quote }} - port: {{ .Values.databases.umsSelfservice.port | quote }} - -resources: - {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }} - -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }} - -umcServer: - certPemFile: "/var/secrets/ssl/tls.crt" - caCert: "Cg==" - certPem: "Cg==" - privateKey: "Cg==" - ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - smtpSecret: {{ .Values.smtp.password | quote }} - privateKeyFile: "/var/secrets/ssl/tls.key" - -... 
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
deleted file mode 100644
index 69b029a3..00000000
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ /dev/null
@@ -1,83 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -global: - domain: {{ .Values.global.domain | quote }} - hosts: - {{ .Values.global.hosts | toYaml | nindent 4 }} - registry: {{ .Values.global.imageRegistry | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }} - repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }} - tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - -cleanup: - deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} - keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }} - -config: - keycloak: - adminUser: "kcadmin" - adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} - realm: {{ .Values.platform.realm | quote }} - intraCluster: - enabled: true - internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" - loginLinks: - - link_number: 1 - language: "de" - description: "Passwort vergessen?" - href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten" - - link_number: 1 - language: "en" - description: "Forgot password?" 
- href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
- ums:
- ldap:
- internalHostname: {{ .Values.ldap.host | quote }}
- baseDN: {{ .Values.ldap.baseDn | quote }}
- readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
- readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
- mappers:
- - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- - ldapAndUserModelAttributeName: "oxContextIDNum"
- saml:
- serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- twoFactorAuthentication:
- enabled: true
- group: "2fa-users"
-
-containerSecurityContext:
- enabled: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- readOnlyRootFilesystem: false
- privileged: false
- runAsGroup: 1000
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: "RuntimeDefault"
- seLinuxOptions:
- {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
-
-podAnnotations:
- intents.otterize.com/service-name: "ums-keycloak-bootstrap"
-
-podSecurityContext:
- enabled: true
- fsGroup: 1000
- fsGroupChangePolicy: "Always"
-
-resources:
- {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
-
-...
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
deleted file mode 100644
index bc6768ac..00000000
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ /dev/null
@@ -1,111 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -global: - keycloak: - host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" - adminUsername: "kcadmin" - adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} - adminRealm: "master" - realm: {{ .Values.platform.realm | quote }} - postgresql: - connection: - host: {{ .Values.databases.keycloakExtension.host | quote }} - port: {{ .Values.databases.keycloakExtension.port }} - auth: - database: {{ .Values.databases.keycloakExtension.name | quote }} - username: {{ .Values.databases.keycloakExtension.username | quote }} - password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} -handler: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }} - repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }} - tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: {{ .Values.global.imagePullSecrets }} - appConfig: - captchaProtectionEnable: false - deviceProtectionEnable: true - ipProtectionEnable: true - logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} - newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account" - smtpPassword: {{ .Values.smtp.password | quote }} - smtpHost: {{ .Values.smtp.host | quote }} - smtpPort: {{ .Values.smtp.port | quote }} - smtpUsername: {{ .Values.smtp.username | quote }} - mailFrom: "noreply@{{ .Values.global.domain }}" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - privileged: 
false - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: - {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }} - resources: - {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }} -postgresql: - enabled: false -proxy: - appConfig: - logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }} - repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }} - tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: {{ .Values.global.imagePullSecrets }} - ingress: - annotations: - nginx.org/proxy-buffer-size: "8k" - nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" - paths: - {{- if .Values.debug.enabled }} - - pathType: "Prefix" - path: "/admin" - {{- end }} - - pathType: "Prefix" - path: "/realms" - - pathType: "Prefix" - path: "/resources" - - pathType: "Prefix" - path: "/fingerprintjs" - - pathType: "Exact" - path: "/univention/meta.json" - backend: - service: - name: "ums-stack-gateway" - port: - name: "http" - - enabled: {{ .Values.ingress.enabled }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - tls: - enabled: {{ .Values.ingress.tls.enabled }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: - {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }} - resources: - {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }} -... 
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
deleted file mode 100644
index 892dce02..00000000
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ /dev/null
@@ -1,64 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -global: - domain: {{ .Values.global.domain | quote }} - hosts: - {{ .Values.global.hosts | toYaml | nindent 4 }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }} - repository: {{ .Values.images.umsKeycloak.repository | quote }} - tag: {{ .Values.images.umsKeycloak.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - -config: - admin: - password: {{ .Values.secrets.keycloak.adminPassword | quote }} - database: - host: {{ .Values.databases.keycloak.host | quote }} - port: {{ .Values.databases.keycloak.port }} - user: {{ .Values.databases.keycloak.username | quote }} - database: {{ .Values.databases.keycloak.name | quote }} - password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} - logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} - enableMetrics: true - # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions - # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly - # through an own ingress. 
- exposeAdminConsole: false
-
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: "RuntimeDefault"
- privileged: false
- readOnlyRootFilesystem: false
- runAsUser: 1000
- runAsGroup: 1000
- runAsNonRoot: true
- seLinuxOptions:
- {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
-
-podSecurityContext:
- fsGroup: 1000
- fsGroupChangePolicy: "OnRootMismatch"
-
-theme:
- univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
- univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
- favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
-
-replicaCount: {{ .Values.replicas.keycloak }}
-
-resources:
- {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
-
-...
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
deleted file mode 100644
index 3dd550ed..00000000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ /dev/null
@@ -1,301 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -global: - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} - -fullnameOverride: "ums-stack-gateway" - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }} - repository: {{ .Values.images.umsStackGateway.repository | quote }} - tag: {{ .Values.images.umsStackGateway.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - -ingress: - annotations: - # Ensure that the ingress controller can handle responses with plenty of - # headers. This is a requirement from the UDM Rest API. - nginx.org/proxy-buffer-size: "64k" - nginx.org/proxy-buffers: "4 128k" - enabled: {{ .Values.ingress.enabled }} - extraTls: - - hosts: - - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - tls: false - -podSecurityContext: - enabled: true - fsGroup: 1001 - -containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - seLinuxOptions: - {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }} - -service: - type: "ClusterIP" - -serviceAccount: - create: true - -fullnameOverride: "ums-stack-gateway" - -# The content of the "serverBlock" does resemble the Ingress configuration of -# the UMS components. The "location" entries do intentionally reflect precisely -# the respective paths which are configured. 
-serverBlock: |
- server {
- listen 8080;
-
- proxy_http_version 1.1;
-
- proxy_set_header Host $http_host;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
- proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-
- ## portal-frontend
- # The frontend does not own "/univention/portal" nor
- # "/univention/selfservice", only these two bits
- location = /univention/portal/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80/;
- }
- location = /univention/portal/index.html {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80/;
- }
- location = /univention/selfservice/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80/;
- }
-
- # The following prefixes are owned by the frontend
- location /univention/portal/css/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/portal/fonts/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/portal/i18n/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/portal/media/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/portal/js/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/portal/oidc/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/css/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/fonts/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/i18n/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/media/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/js/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
- location /univention/selfservice/oidc/ {
- rewrite ^/univention/selfservice(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80;
- }
-
-
- ## frontend redirects
- location = / {
- absolute_redirect off;
- return 302 /univention/portal/;
- }
- location = /univention {
- absolute_redirect off;
- return 302 /univention/portal/;
- }
- location = /univention/ {
- absolute_redirect off;
- return 302 /univention/portal/;
- }
- location = /univention/portal {
- absolute_redirect off;
- return 302 /univention/portal/;
- }
- location = /univention/selfservice {
- absolute_redirect off;
- return 302 /univention/selfservice/;
- }
-
-
- ## portal-server
- location = /univention/portal/portal.json {
- proxy_pass http://ums-portal-server:80;
- }
- location = /univention/selfservice/portal.json {
- proxy_pass http://ums-portal-server:80;
- }
- location = /univention/portal/navigation.json {
- proxy_pass http://ums-portal-server:80;
- }
-
-
- ## object storage (minio)
- location /univention/portal/icons/entries/ {
- rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
- proxy_pass http://minio:9000;
- }
- location /univention/portal/icons/logos/ {
- rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
- proxy_pass http://minio:9000;
- }
- location /univention/selfservice/icons/entries/ {
- rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
- proxy_pass http://minio:9000;
- }
- location /univention/selfservice/icons/logos/ {
- rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
- proxy_pass http://minio:9000;
- }
-
-
- ## udm-rest-api
- location /univention/udm/ {
- # The UDM Rest API does return on some endpoints a lot of headers
- proxy_busy_buffers_size 128k;
- proxy_buffers 4 128k;
- proxy_buffer_size 64k;
-
- rewrite ^/univention(/udm/.*)$ $1 break;
- proxy_pass http://ums-udm-rest-api:80;
- }
-
-
- ## umc-gateway
- location = /univention/languages.json {
- proxy_pass http://ums-umc-gateway:80;
- }
- location = /univention/meta.json {
- proxy_pass http://ums-umc-gateway:80;
- }
- location = /univention/theme.css {
- proxy_pass http://ums-umc-gateway:80;
- }
- location /univention/js/ {
- proxy_pass http://ums-umc-gateway:80;
- }
- location /univention/login/ {
- proxy_pass http://ums-umc-gateway:80;
- }
- location /univention/management/ {
- proxy_pass http://ums-umc-gateway:80;
- }
- location /univention/themes/ {
- proxy_pass http://ums-umc-gateway:80;
- }
-
-
- ## umc-server
- location = /univention/auth {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- proxy_set_header X-UMC-HTTPS 'on';
- }
- location /univention/logout {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- }
- location /univention/saml {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- proxy_set_header X-UMC-HTTPS 'on';
- }
- location /univention/get {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- }
- location /univention/set {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- }
- location /univention/command {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- }
- location /univention/upload {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- }
-
-
- ## notifications-api
- location /univention/portal/notifications-api/ {
- rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
- proxy_pass http://ums-notifications-api:80;
- }
-
- ## openDesk branding
- location = /favicon.ico {
- proxy_pass http://ums-portal-frontend:80/;
- }
- location /univention/portal/custom/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80/;
- }
- location /univention/portal/icons/ {
- rewrite ^/univention/portal(/.*)$ $1 break;
- proxy_pass http://ums-portal-frontend:80/;
- }
-
- ## guardian
- location /univention/guardian/management-ui {
- proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
- }
- location /guardian/opa {
- rewrite ^/guardian/opa(/.*)$ $1 break;
- proxy_pass http://ums-open-policy-agent:80/;
- }
- location /guardian/management {
- proxy_pass http://ums-guardian-management-api:80/guardian/management;
- }
- location /guardian/authorization {
- proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
- }
-
- }
-
-...
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 944f0745..906db57e 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -294,7 +294,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
 name: "opendesk-otterize"
- version: "1.7.9"
+ version: "2.0.0"
 verify: true
 oxConnector:
 # providerCategory: 'Supplier'
@@ -375,58 +375,12 @@ charts:
 # upstreamRepository: 'souvap/tooling/charts/univention/ums'
 # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
 # upstreamMirrorStartFrom: ['0', '0', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+ # registry: "registry.opencode.de"
+ # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+ registry: "registry.souvap-univention.de"
+ repository: "souvap/tooling/charts/univention"
 name: "ums"
- version: "0.7.5"
- verify: true
- umsGuardianAuthorizationApi:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/guardian-authorization-api'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '0', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "guardian-authorization-api"
- version: "0.1.0"
- verify: true
- umsGuardianManagementApi:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-api'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '0', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "guardian-management-api"
- version: "0.1.0"
- verify: true
- umsGuardianManagementUi:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-ui'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '0', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "guardian-management-ui"
- version: "0.1.0"
- verify: true
- umsKeycloak:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention-keycloak/ums-keycloak'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['1', '0', '3']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "ums-keycloak"
- version: "1.0.5"
+ version: "0.11.0"
 verify: true
 umsKeycloakBootstrap:
 # providerCategory: 'Supplier'
@@ -440,198 +394,6 @@ charts:
 name: "ums-keycloak-bootstrap"
 version: "1.0.1"
 verify: true
- umsKeycloakExtensions:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/keycloak-extensions'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '0', '3']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "keycloak-extensions"
- version: "0.2.1"
- verify: true
- umsLdapNotifier:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/ldap-notifier'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '7', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "ldap-notifier"
- version: "0.10.1"
- verify: true
- umsLdapServer:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/ldap-server'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '7', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "ldap-server"
- version: "0.10.1"
- verify: true
- umsNotificationsApi:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/notifications-api'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "notifications-api"
- version: "0.20.1"
- verify: true
- umsOpenPolicyAgent:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/open-policy-agent'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '0', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "open-policy-agent"
- version: "0.1.0"
- verify: true
- umsPortalFrontend:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/portal-frontend'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "portal-frontend"
- version: "0.20.1"
- verify: true
- umsPortalListener:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/portal-listener'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "portal-listener"
- version: "0.20.1"
- verify: true
- umsPortalServer:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/portal-server'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '2']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "portal-server"
- version: "0.20.1"
- verify: true
- umsProvisioning:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/provisioning'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '5']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "provisioning"
- version: "0.20.2"
- verify: true
- umsProvisioningUdmListener:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/udm-listener'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '9', '5']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "udm-listener"
- version: "0.20.2"
- verify: true
- umsSelfserviceListener:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/selfservice-listener'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '3', '1']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "selfservice-listener"
- version: "0.3.1"
- verify: true
- umsStackDataSwp:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/stack-data-swp'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '41', '8']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "stack-data-swp"
- version: "0.45.1"
- verify: true
- umsStackDataUms:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/stack-data-ums'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '41', '8']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "stack-data-ums"
- version: "0.45.1"
- verify: true
- umsUdmRestApi:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/udm-rest-api'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '4', '3']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "udm-rest-api"
- version: "0.9.0"
- verify: true
- umsUmcGateway:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/umc-gateway'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '6', '4']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "umc-gateway"
- version: "0.11.6"
- verify: true
- umsUmcServer:
- # providerCategory: 'Supplier'
- # providerResponsible: 'Univention'
- # upstreamRegistry: 'registry.souvap-univention.de'
- # upstreamRepository: 'souvap/tooling/charts/univention/umc-server'
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ['0', '6', '4']
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
- name: "umc-server"
- version: "0.11.6"
- verify: true
 xwiki:
 # providerCategory: 'Supplier'
 # providerResponsible: 'XWiki'
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index a00adfd4..9ea1ac09 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -486,7 +486,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '41', '5']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
- tag: "0.44.0@sha256:c08d619880537c03ebdcdc19fa9746bf5098e3810d85487d47676f3846c6b16c"
+ tag: "0.45.2@sha256:6e2e054903f361eea5cd54ae6dd3da94380d4a6a11f2628983e2acdbc66d605e"
 umsGuardianAuthorizationApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -556,7 +556,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '0', '3']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
- tag: "0.2.0@sha256:ed3a391cb32b9bb9408a4b8e9839b6ee89cbab60149732cd51165a871a91c54d"
+ tag: "0.3.1@sha256:98871e8d5acfe6bfa6ea7d140197ae41585cfb06c71514ffcf6e98df8315b9ee"
 umsKeycloakExtensionProxy:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -566,7 +566,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '0', '3']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
- tag: "0.2.0@sha256:8b924ab47771b9aee07384e3d13106406d49b1e7ef7fc46648adb1f0fb401327"
+ tag: "0.3.1@sha256:e6c2130310798e286cea84bf5226709021c12663fb9e8ca30f29515151741fa5"
 umsLdapNotifier:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -576,7 +576,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '8', '2']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
- tag: "0.10.1@sha256:940eb9c20c53f90aa477699c0393242a7064d974a856d714ad151069e8d12af4"
+ tag: "0.10.3@sha256:beb4577e7fdf1e18d3769e62296f210c0651460346dc2325e6cc29f4c671fa71"
 umsLdapServer:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -586,7 +586,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '8', '2']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
- tag: "0.10.1@sha256:5ae54faec6074c4653ef837158262dd6e7b7ff414f8d8722e35f929543a6a6ef"
+ tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
 umsNotificationsApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -596,7 +596,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '9', '4']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
- tag: "0.20.1@sha256:c1176da0ecd3d964b7caaea0d9e583d7644c7a7dbdb08c0ecd85df88e0f27321"
+ tag: "0.20.3@sha256:1e32854d6d4413725870fde26a904da83282b3debea82b386c5753223ecc6a59"
 umsOpenPolicyAgent:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -616,7 +616,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '9', '4']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
- tag: "0.20.1@sha256:fc7d1d7b22b83037ac6d54b2cc1baaefc78175cdc86557cfc121eda469832b59"
+ tag: "0.20.3@sha256:4fe6646711efcc07eb4b6e59a57f1d5080cca5f4ec2c960d073e92ecae8be42f"
 umsPortalListener:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -626,7 +626,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '9', '4']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
- tag: "0.20.1@sha256:e93f256f736223edceaac50831cee062b4b8fee0a46f27175e6ea0c506620358"
+ tag: "0.20.3@sha256:8960b54477d4a74e8cb52f66264928e0940b725c349cda2a22ede67e216f5f1e"
 umsPortalServer:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -636,7 +636,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '9', '4']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
- tag: "0.20.1@sha256:db5d79b64dc1b8678401d32a1a695b217d7677e7578738f0eec90467c7b5ae05"
+ tag: "0.20.3@sha256:0ec3db74ce9b7c8706d1534b6dcb464eb016a5de94c3b5bfc49215ccb606715c"
 umsProvisioningDispatcher:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -646,7 +646,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
- tag: "0.20.2@sha256:738a8a6028ede63d22369ec58ac4834a0b34445cac216cb9475c24ccb1eaed1e"
+ tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
 umsProvisioningEventsAndConsumerApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -656,7 +656,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
- tag: "0.20.2@sha256:46523693c84e5e6639e9762a43b1dbfa98954391da268c70a152b76e26d9c6c2"
+ tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
 umsProvisioningPrefill:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -666,7 +666,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
- tag: "0.20.2@sha256:47143e4a3bb68c814dd7017b273b138c061a5bbb0f7e71c32ba45b2c15f1d831"
+ tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
 umsProvisioningUdmListener:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -676,7 +676,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
- tag: "0.20.2@sha256:011c73748fb406ad68e35be683da79429b420e1e42a39733b342632eb3efec2d"
+ tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
 umsSelfserviceInvitation:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -686,7 +686,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '3', '2']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
- tag: "0.3.2@sha256:8dd90d8669e206232edff37aca73c528344ad453ad0154f36cca0561bf1999a2"
+ tag: "0.4.0@sha256:bd252758576e1733076c78756f04225ebed73d9c48de22440975ef11dd087caf"
 umsSelfserviceListener:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -696,7 +696,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '3', '2']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
- tag: "0.3.2@sha256:de0fc94cab436e982219d9c883a2353d91de583d5cf75046902847df4b451e28"
+ tag: "0.4.0@sha256:0bc0235fd64a19a183f112da73109b54712c2d70fe7fa77c6405beefb7167588"
 umsStackGateway:
 # providerCategory: 'Community'
 # providerResponsible: 'Univention'
@@ -704,7 +704,7 @@ images:
 # upstreamRepository: 'bitnami/nginx'
 registry: "registry-1.docker.io"
 repository: "bitnami/nginx"
- tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
+ tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
 umsUdmRestApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -714,7 +714,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '5', '2']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
- tag: "0.9.0@sha256:f5589a1a885e9f96d98304148bac5a40dfd4350ee40205a29b8798b29ae0a7db"
+ tag: "0.9.2@sha256:3309171c63f46cd3dccd15eb24af5dbb13f8abbc39c95e5a2d24d0d802ea896f"
 umsUmcGateway:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -744,7 +744,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '9', '4']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
- tag: "0.20.1@sha256:8b3d7195223de10ce6ac2649a363eed073dad9bb277c0d8d2d1c0f1613e0d5a7"
+ tag: "0.20.3@sha256:d1ccba5fe7448c2bda71c8a93f265a42a000e8dc79fd884e7e6ecdf29ad80efc"
 wellKnown:
 # providerCategory: 'Community'
 # providerResponsible: 'Element'
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index bb2a7ba1..ad6b1a8e 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -44,9 +44,19 @@ replicas:
 redis: 1
 synapse: 1
 synapseWeb: 1
+ umsKeycloakExtensionsHandler: 1
+ umsKeycloakExtensionsProxy: 1
+ umsLdapNotifier: 1
+ umsLdapServer: 1
+ umsNotificationsApi: 1
 umsPortalFrontend: 1
+ umsPortalListener: 1
 umsPortalServer: 1
+ umsSelfserviceListener: 1
+ umsStackGateway: 1
 umsUdmRestApi: 1
+ umsUmcGateway: 1
+ umsUmcServer: 1
 wellKnown: 1
 xwiki: 1
 ...
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index a1b48340..89993741 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -501,6 +501,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "256Mi"
+ umsStackGateway:
+ limits:
+ cpu: 99
+ memory: "64Mi"
+ requests:
+ cpu: 0.1
+ memory: "16Mi"
 umsUdmRestApi:
 limits:
 cpu: 99
diff --git a/helmfile/environments/test/values.yaml.gotmpl b/helmfile/environments/test/values.yaml.gotmpl
index fdbd14e4..e7043098 100644
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -75,9 +75,19 @@ replicas:
 redis: 42
 synapse: 42
 synapseWeb: 42
+ umsKeycloakExtensionsHandler: 42
+ umsKeycloakExtensionsProxy: 42
+ umsLdapNotifier: 42
+ umsLdapServer: 42
+ umsNotificationsApi: 42
 umsPortalFrontend: 42
+ umsPortalListener: 42
 umsPortalServer: 42
+ umsSelfserviceListener: 42
+ umsStackGateway: 42
 umsUdmRestApi: 42
+ umsUmcGateway: 42
+ umsUmcServer: 42
 wellKnown: 42
 xwiki: 42
 ...
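Review bot: The new `umsStackGateway` block in resources.yaml caps memory at `"64Mi"` (request `"16Mi"`), which is tight for an nginx reverse proxy whose UDM location, in the gateway config this commit deletes from values-ums-stack-gateway.yaml.gotmpl, buffered responses with `proxy_buffers 4 128k` and `proxy_buffer_size 64k` per connection; if the umbrella chart keeps comparable settings, on the order of a hundred concurrent UDM responses would exhaust the limit and the pod would be OOM-killed rather than degrade. Unless the figure was measured, consider sizing it like the neighbouring UMS services and recording the basis, e.g. `# nginx gateway; sized for 4x128k proxy buffers per UDM connection, raise if OOMKilled`. The `cpu: 99` limit follows the file's existing pattern and is fine.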