From 110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20K=C3=B6nig-Festl?=
Date: Thu, 18 Jan 2024 17:30:27 +0100
Subject: [PATCH] fix(helmfile): Add additional provisioning components and configuration

---
 docs/security.md | 4 +-
 .../values-provisioning.yaml.gotmpl | 113 ++++++++++++++----
 .../values-ums-stack-gateway.yaml.gotmpl | 4 +-
 helmfile/environments/default/charts.yaml | 8 +-
 helmfile/environments/default/images.yaml | 32 ++++-
 5 files changed, 125 insertions(+), 36 deletions(-)

diff --git a/docs/security.md b/docs/security.md
index 5915cf48..c0bf38b3 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -89,7 +89,9 @@ This list gives you an overview of default security settings and if they comply
 | | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
-| | provisioning-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
+| | dispatcher | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
+| | events-and-consumer-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
+| | udm-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
 | | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
index a99eca42..065f8916 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -3,15 +3,95 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
-  repository: {{ .Values.images.umsProvisioning.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsProvisioning.tag | quote }}
-  pullSecrets:
-  {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-  {{- end }}
+
+dispatcher:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+    pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+
+events-and-consumer-api:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
+    pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+  rootPath: "/univention/provisioning-api"
+  ingress:
+    # copied from values-common.yaml.gotmpl
+    # Intentionally not using the Ingress configuration of the UMS stack at the
+    # moment, since it does depend on rewriting capabilities of the ingress
+    # controller. Those are encapsulated into the release "stack-gateway" so that
+    # the compatibility with all ingress controllers is increased.
+    enabled: false
+    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+
+udm-listener:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+  config:
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "CHOWN"
+        - "DAC_OVERRIDE"
+        - "FOWNER"
+        - "FSETID"
+        - "KILL"
+        - "SETGID"
+        - "SETUID"
+        - "SETPCAP"
+        - "NET_BIND_SERVICE"
+        - "NET_RAW"
+        - "SYS_CHROOT"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
 
 nats:
   global:
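Review bot: The udm-listener `config` binds to LDAP as `cn=admin,<baseDn>` — `ldapHostDn` is built from the literal `"cn=admin"` and `ldapPassword` takes `.Values.secrets.univentionManagementStack.ldapSecret` — which looks like the directory administrator, although a change listener presumably needs only read access; a dedicated least-privilege bind DN would be preferable if the chart supports one, and it should be confirmed that the chart renders `config.ldapPassword` into a Secret rather than a ConfigMap. The same block re-adds eleven capabilities (`CHOWN` through `SYS_CHROOT`) that the dispatcher and events-and-consumer-api blocks drop, without saying why; a comment above `add:` such as `# TODO: document why the udm-listener image needs these capabilities (listed in docs/security.md)` would keep a later reviewer from removing them. The trailing `nats:` mapping continues past the end of the hunk.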
@@ -39,19 +119,4 @@ nats:
       registry: {{ .Values.global.imageRegistry }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-provisioningApi:
-  rootPath: "/univention/provisioning-api"
-
-resources:
-  {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
 
 ...
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
index e6038f7a..2e7264a7 100644
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -278,10 +278,10 @@ serverBlock: |
       proxy_pass http://ums-portal-frontend:80/;
     }
 
-    ## provisioning-api
+    ## ums-provisioning
     location /univention/provisioning-api/ {
       rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-provisioning-api:80;
+      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
     }
 
     ## guardian
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index e4e80f89..6318c09d 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
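Review bot: The new `proxy_pass http://ums-provisioning-events-and-consumer-api:80;` hard-codes a Service name that depends on how the renamed `provisioning` chart names its components, and the unchanged `rewrite ^/univention/provisioning-api(/.*)$ $1 break;` above it still strips the prefix even though the events-and-consumer-api values in this patch now set `rootPath` to that same `/univention/provisioning-api`; whether the API expects the prefix stripped or present cannot be told from here and should be verified against the rendered chart. If the rewrite is intended, a comment such as `## ums-provisioning: prefix stripped here; keep in sync with events-and-consumer-api.rootPath` on the renamed `## ums-provisioning` line would record the dependency between the two files. The `serverBlock` literal begins and ends outside the hunk.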
@@ -617,16 +617,16 @@ charts:
   umsProvisioning:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/provisioning-api
+    # upstreamRepository=souvap/tooling/charts/univention/provisioning
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "provisioning-api"
-    version: "0.2.1"
+    name: "provisioning"
+    version: "0.9.5"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '2', '1']
+    # @mirrorFrom: ['0', '9', '5']
 
   umsSelfserviceListener:
     # renovate:
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index ff3e70d8..874dd869 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -705,17 +705,28 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
-  umsProvisioning:
+  umsProvisioningDispatcher:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatch
+    # upstreamRepository=souvap/tooling/images/univention/dispatcher
     # dependencyType=supplier
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatch"
-    tag: "0.4.0@sha256:43fda35f02cfa7c4c6aaa42e561858f7b0b80485370c1e393cef3a4b8d7715c0"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
+    tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '4', '0']
+    # @mirrorFrom: ['0', '9', '5']
+  umsProvisioningEventsAndConsumerApi:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
+    tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
   umsProvisioningNats:
     # renovate:
     # upstreamRegistry=docker.io
@@ -740,6 +751,17 @@ images:
     registry: "docker.io"
     repository: "natsio/nats-server-config-reloader"
     tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
+  umsProvisioningUdmListener:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/udm-listener
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
+    tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
   umsSelfserviceInvitation:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de