fix(nubus): Enable 2FA for group "Domain Admins" by default.

2025-12-06 15:31:38 +01:00 · 2024-05-13 09:40:35 +02:00
parent 1c6666fe45
commit 11796699bb
6 changed files with 38 additions and 11 deletions
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -0,0 +1,16 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Summary
+
+- *describe the reason for/content of the MR*
+
+# Commits
+
+%{all_commits}
+
+# Authors
+
+%{co_authored_by}
--- a/docs/development.md
+++ b/docs/development.md
@@ -84,12 +84,12 @@ with the many available examples in the yaml files.
 Example:
 ```
  synapse:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Element'
-    # upstreamRegistry: 'https://registry-1.docker.io'
-    # upstreamRepository: 'matrixdotorg/synapse'
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "matrixdotorg/synapse"
    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '91', '2']
+    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
@@ -99,9 +99,9 @@ Example:

 Uses a regular expression to match the values of the following attributes:

- `# upstreamRegistry`: : required - Attribute's value must be prefixed with `https://` for Renovate.
- `# upstreamrepository`: required
- `tag`: required
+- `# upstreamRegistry` *required*: Attribute's value must be prefixed with `https://` for Renovate.
+- `# upstreamrepository` *required*
+- `tag` *required*

 Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).

@@ -118,7 +118,7 @@ configured to pull artefacts that do not originate from Open CoDE into projects
 The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
 - `# upstreamRepository` *required*: To identify the source repository
- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
  element here to define the version the mirror should start with.
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -28,6 +28,8 @@ config:
    intraCluster:
      enabled: true
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  twoFactorSettings:
+    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
  custom:
    clientScopes:
      - name: "read_contacts"
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -240,7 +240,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "1.0.7"
+    version: "1.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+authentication:
+  twoFactor:
+    # Define a list of groups to enable 2FA for. Removing a group from the list will not disable 2FA for the removed group.
+    groups:
+      - "Domain Admins"
+...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -253,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.4@sha256:28eebb647180aef95d816a7d788891fa780f552f699c38cedddecbcef7a0bd1d"
+    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"