fix(helmfile): Add additional provisioning components and configuration

docs/security.md

@@ -89,7 +89,9 @@ This list gives you an overview of default security settings and if they comply
 |                             | portal-frontend               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-listener               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-server                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | provisioning-api              |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | dispatcher                    |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | events-and-consumer-api       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | udm-listener                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | selfservice-listener          |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | stack-gateway                 | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |                             | store-dav                     |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -3,15 +3,95 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
+dispatcher:
-  repository: {{ .Values.images.umsProvisioning.repository | quote }}
+  image:
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-  tag: {{ .Values.images.umsProvisioning.tag | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-  pullSecrets:
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    {{- range .Values.global.imagePullSecrets }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    - name: {{ . | quote }}
+    pullSecrets:
-    {{- end }}
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+
+events-and-consumer-api:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  rootPath: "/univention/provisioning-api"
+  ingress:
+    # copied from values-common.yaml.gotmpl
+    # Intentionally not using the Ingress configuration of the UMS stack at the
+    # moment, since it does depend on rewriting capabilities of the ingress
+    # controller. Those are encapsulated into the release "stack-gateway" so that
+    # the compatibility with all ingress controllers is increased.
+    enabled: false
+    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+
+udm-listener:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  config:
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
 
 nats:
   global:
@@ -39,19 +119,4 @@ nats:
       registry: {{ .Values.global.imageRegistry }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-
-provisioningApi:
-  rootPath: "/univention/provisioning-api"
-
-resources:
-  {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -278,10 +278,10 @@ serverBlock: |
       proxy_pass http://ums-portal-frontend:80/;
     }
 
-    ## provisioning-api
+    ## ums-provisioning
     location /univention/provisioning-api/ {
       rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-provisioning-api:80;
+      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
     }
 
     ## guardian

helmfile/environments/default/charts.yaml

@@ -617,16 +617,16 @@ charts:
   umsProvisioning:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/provisioning-api
+    # upstreamRepository=souvap/tooling/charts/univention/provisioning
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "provisioning-api"
+    name: "provisioning"
-    version: "0.2.1"
+    version: "0.9.5"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '2', '1']
+    # @mirrorFrom: ['0', '9', '5']
 
   umsSelfserviceListener:
     # renovate:

helmfile/environments/default/images.yaml

@@ -705,17 +705,28 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
-  umsProvisioning:
+  umsProvisioningDispatcher:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatch
+    # upstreamRepository=souvap/tooling/images/univention/dispatcher
     # dependencyType=supplier
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatch"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
-    tag: "0.4.0@sha256:43fda35f02cfa7c4c6aaa42e561858f7b0b80485370c1e393cef3a4b8d7715c0"
+    tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '4', '0']
+    # @mirrorFrom: ['0', '9', '5']
+  umsProvisioningEventsAndConsumerApi:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
+    tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
   umsProvisioningNats:
     # renovate:
     # upstreamRegistry=docker.io
@@ -740,6 +751,17 @@ images:
     registry: "docker.io"
     repository: "natsio/nats-server-config-reloader"
     tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
+  umsProvisioningUdmListener:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/udm-listener
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
+    tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
   umsSelfserviceInvitation:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de