fix(helmfile): Add additional provisioning components and configuration

Sebastian König-Festl
2024-01-18 17:30:27 +01:00
committed by Thorsten Rossner
parent c0fc225349
commit 110ff56f74
5 changed files with 125 additions and 36 deletions


@@ -89,7 +89,9 @@ This list gives you an overview of default security settings and if they comply
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | provisioning-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | dispatcher | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | events-and-consumer-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |


@@ -3,15 +3,95 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
repository: {{ .Values.images.umsProvisioning.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioning.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
dispatcher:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
events-and-consumer-api:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
rootPath: "/univention/provisioning-api"
ingress:
# copied from values-common.yaml.gotmpl
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
udm-listener:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
nats:
global:
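Review bot: The udm-listener `securityContext` first drops `"ALL"` and then adds back `CHOWN` through `SYS_CHROOT`, which is the full default container capability set, so the drop buys no hardening for that pod and the README table in this commit records it as non-compliant while the dispatcher and events-and-consumer-api entries directly above get the stricter profile. Each capability in the `add:` list should carry a comment naming the process that needs it, and any without one (`NET_RAW`, `SYS_CHROOT` and `DAC_OVERRIDE` are the usual candidates) should be removed; a placeholder such as `# TODO(review): justify each capability below or drop it` above the list keeps the gap visible until the image can run as a non-root UID the way stack-gateway already does. Separately, `ldapPassword` under `config` is templated in as a plain value next to a bind DN of `cn=admin,<baseDn>`; if the chart writes `config.*` into a ConfigMap rather than a Secret the credential ends up in plaintext, and binding as the directory admin is broader than a change listener needs, so please confirm how the chart consumes these and prefer a reference to an existing Kubernetes Secret plus a dedicated bind account if the chart offers them. The `nats:` mapping this hunk ends in continues past the hunk.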
@@ -39,19 +119,4 @@ nats:
registry: {{ .Values.global.imageRegistry }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
provisioningApi:
rootPath: "/univention/provisioning-api"
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...


@@ -278,10 +278,10 @@ serverBlock: |
proxy_pass http://ums-portal-frontend:80/;
}
## provisioning-api
## ums-provisioning
location /univention/provisioning-api/ {
rewrite ^/univention/provisioning-api(/.*)$ $1 break;
proxy_pass http://ums-provisioning-provisioning-api:80;
proxy_pass http://ums-provisioning-events-and-consumer-api:80;
}
## guardian


@@ -617,16 +617,16 @@ charts:
umsProvisioning:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/charts/univention/provisioning-api
# upstreamRepository=souvap/tooling/charts/univention/provisioning
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "provisioning-api"
version: "0.2.1"
name: "provisioning"
version: "0.9.5"
verify: true
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '2', '1']
# @mirrorFrom: ['0', '9', '5']
umsSelfserviceListener:
# renovate:


@@ -705,17 +705,28 @@ images:
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '9', '4']
umsProvisioning:
umsProvisioningDispatcher:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/provisioning-dispatch
# upstreamRepository=souvap/tooling/images/univention/dispatcher
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatch"
tag: "0.4.0@sha256:43fda35f02cfa7c4c6aaa42e561858f7b0b80485370c1e393cef3a4b8d7715c0"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '4', '0']
# @mirrorFrom: ['0', '9', '5']
umsProvisioningEventsAndConsumerApi:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '9', '5']
umsProvisioningNats:
# renovate:
# upstreamRegistry=docker.io
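Review bot: The `umsProvisioning` image entry is replaced by `umsProvisioningDispatcher` (new repository and digest), yet the provisioning values template in this same commit still shows `registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}` and three sibling `.Values.images.umsProvisioning.*` lookups under a top-level `image:` key; if those lines survive on the new side of that file they now point at a key that no longer exists. Please confirm they were removed there, or rename them to `.Values.images.umsProvisioningDispatcher.*`. The digest-pinned tags added here and for `umsProvisioningUdmListener` in the next hunk are the right shape and need no change.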
@@ -740,6 +751,17 @@ images:
registry: "docker.io"
repository: "natsio/nats-server-config-reloader"
tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
umsProvisioningUdmListener:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/udm-listener
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '9', '5']
umsSelfserviceInvitation:
# renovate:
# upstreamRegistry=registry.souvap-univention.de