diff --git a/helmfile/apps/element/helmfile-child.yaml.gotmpl b/helmfile/apps/element/helmfile-child.yaml.gotmpl
index a6f81f17..d2fd35a8 100644
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -33,6 +33,52 @@ repositories: oci: true url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}" + - name: "synapse-create-account-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.synapseCreateAccount.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}" + + # openDesk Matrix Widgets + # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets + - name: "matrix-user-verification-service-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.matrixUserVerificationService.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}" + - name: "matrix-neoboard-widget-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.matrixNeoboardWidget.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" + - name: "matrix-neochoice-widget-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.matrixNeoboardWidget.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default 
.Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" + - name: "matrix-neodatefix-widget-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.matrixNeodatefixWidget.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}" + - name: "matrix-neodatefix-bot-repo" + keyring: "../../files/gpg-pubkeys/opencode.gpg" + verify: {{ .Values.charts.matrixNeodatefixBot.verify }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}" + releases: - name: "opendesk-element" chart: "element-repo/{{ .Values.charts.element.name }}" 
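Review bot: The `matrix-neochoice-widget-repo` entry reads `verify:` and `url:` from `.Values.charts.matrixNeoboardWidget` instead of the neochoice chart entry, so its verification flag and registry path are tied to the wrong chart even though the release in the next hunk resolves its chart through `.Values.charts.matrixNeochoiseWidget`. The two charts currently share registry and repository, which is why this goes unnoticed, but a divergence in either value would silently fetch the wrong chart. Change the two lines to `verify: {{ .Values.charts.matrixNeochoiseWidget.verify }}` and `url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeochoiseWidget.registry }}/{{ .Values.charts.matrixNeochoiseWidget.repository }}"`; that key's spelling comes from charts.yaml in this same change and is worth correcting to `matrixNeochoiceWidget` everywhere in one go. The `repositories:` list starts before this hunk.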
@@ -70,6 +116,62 @@ releases: installed: {{ .Values.element.enabled }} timeout: 900 + - name: "opendesk-matrix-user-verification-service-bootstrap" + chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" + version: "{{ .Values.charts.synapseCreateAccount.version }}" + values: + - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + + - name: "opendesk-matrix-user-verification-service" + chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}" + version: "{{ .Values.charts.matrixUserVerificationService.version }}" + values: + - "values-matrix-user-verification-service.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + + - name: "matrix-neoboard-widget" + chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}" + version: "{{ .Values.charts.matrixNeoboardWidget.version }}" + values: + - "values-matrix-neoboard-widget.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + + - name: "matrix-neochoice-widget" + chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}" + version: "{{ .Values.charts.matrixNeochoiseWidget.version }}" + values: + - "values-matrix-neochoice-widget.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + + - name: "matrix-neodatefix-widget" + chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}" + version: "{{ .Values.charts.matrixNeodatefixWidget.version }}" + values: + - "values-matrix-neodatefix-widget.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + + - name: "matrix-neodatefix-bot-bootstrap" + chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" + version: "{{ .Values.charts.synapseCreateAccount.version }}" + values: + - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl" + installed: {{ 
.Values.element.enabled }} + timeout: 900 + + - name: "matrix-neodatefix-bot" + chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}" + version: "{{ .Values.charts.matrixNeodatefixBot.version }}" + values: + - "values-matrix-neodatefix-bot.yaml.gotmpl" + installed: {{ .Values.element.enabled }} + timeout: 900 + commonLabels: deploy-stage: "component-1" component: "element" diff --git a/helmfile/apps/element/values-element.yaml.gotmpl b/helmfile/apps/element/values-element.yaml.gotmpl index 5ac7f68e..4092933e 100644 --- a/helmfile/apps/element/values-element.yaml.gotmpl +++ b/helmfile/apps/element/values-element.yaml.gotmpl 
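Review bot: The new widget and bot releases are named `matrix-neoboard-widget`, `matrix-neochoice-widget`, `matrix-neodatefix-widget`, `matrix-neodatefix-bot` and `matrix-neodatefix-bot-bootstrap`, while the other releases in this list carry the `opendesk-` prefix (`opendesk-element`, `opendesk-matrix-user-verification-service`, `opendesk-matrix-user-verification-service-bootstrap`), so the naming is inconsistent within the same file. The two `*-bootstrap` releases run the synapse-create-account chart against an existing Synapse pod, but no `needs:` is visible on them in this hunk; if ordering is not enforced elsewhere in the helmfile, declare `needs:` on both pointing at the Synapse release so the account jobs cannot start before the homeserver is up. The `releases:` list begins before this hunk and `commonLabels:` follows it.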
@@ -20,6 +20,86 @@ configuration: --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }} --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }} + "net.nordeck.element_web.module.widget_lifecycle": + widget_permissions: + "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html": + identity_approved: true + "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*": + preload_approved: true + capabilities_approved: + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot + - org.matrix.msc2762.send.state_event:m.room.power_levels# + - org.matrix.msc2762.receive.state_event:m.room.power_levels# + - org.matrix.msc2762.receive.state_event:m.room.member + - org.matrix.msc2762.receive.state_event:m.room.name + - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard + - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard + - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#* + - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions + - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling + - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling + - town.robin.msc3846.turn_servers + - org.matrix.msc4039.upload_file + - org.matrix.msc4039.download_file + "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*": + preload_approved: true + capabilities_approved: + - org.matrix.msc2762.send.event:net.nordeck.poll.vote + - 
org.matrix.msc2762.receive.event:net.nordeck.poll.vote + - org.matrix.msc2762.send.state_event:net.nordeck.poll + - org.matrix.msc2762.receive.state_event:net.nordeck.poll + - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings + - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings + - org.matrix.msc2762.receive.state_event:m.room.power_levels + - org.matrix.msc2762.receive.state_event:m.room.name + - org.matrix.msc2762.receive.state_event:m.room.member + - org.matrix.msc2762.send.state_event:net.nordeck.poll.group + - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group + - org.matrix.msc2762.send.event:net.nordeck.poll.start + - org.matrix.msc2762.receive.event:net.nordeck.poll.start + "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*": + preload_approved: true + identity_approved: true + capabilities_approved: + - org.matrix.msc2931.navigate + - org.matrix.msc2762.timeline:* + - org.matrix.msc2762.receive.state_event:m.room.power_levels + - org.matrix.msc2762.receive.event:m.reaction + - org.matrix.msc2762.receive.state_event:m.room.create + - org.matrix.msc2762.receive.state_event:m.room.tombstone + - org.matrix.msc2762.receive.state_event:m.room.member + - org.matrix.msc2762.send.state_event:m.room.member + - org.matrix.msc2762.receive.state_event:m.room.name + - org.matrix.msc2762.receive.state_event:m.room.topic + - org.matrix.msc2762.receive.state_event:m.space.parent + - org.matrix.msc2762.receive.state_event:m.space.child + - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata + - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets + - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create + - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create + - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create + - 
org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close + - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle + - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle + - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update + - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions + - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions + - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message + - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message + - org.matrix.msc3973.user_directory_search + + welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}" + containerSecurityContext: allowPrivilegeEscalation: false capabilities: diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl new file mode 100644 index 00000000..d9cedad0 --- /dev/null +++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl 
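Review bot: `welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"` builds the bot's Matrix ID from `global.domain`, but the homeserver `serverName` in values-synapse.yaml.gotmpl and the neodatefix widget's `homeserver` in this same change use `{{ .Values.global.matrixDomain | default .Values.global.domain }}`, so on a deployment that sets `matrixDomain` the welcome user points at an account that does not exist. Use the same expression: `welcomeUserId: "@meetings-bot:{{ .Values.global.matrixDomain | default .Values.global.domain }}"`. The `widget_permissions` block pre-approves capabilities (and identity for the jitsi and neodatefix origins), so a comment above it stating that the lists are copied from the upstream widget documentation and must be re-checked on every widget version bump would let the next reviewer judge broad grants such as `org.matrix.msc2762.timeline:*` and `send.state_event:m.room.member`. The neoboard list writes `m.room.power_levels#` while the other two lists write `m.room.power_levels`; if the trailing `#` is meant to pin the empty state key, the other lists should probably match. The enclosing `configuration:` mapping starts before this hunk.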
@@ -0,0 +1,57 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
+ repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
+ tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
+
+resources:
+ {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
+...
diff --git a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
new file mode 100644
index 00000000..4b4a93de
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -0,0 +1,57 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
+ repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
+ tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
+resources:
+ {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+
+...
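Review bot: The top-level keys of this file are in alphabetical order except at the end, where `theme:` precedes `resources:`, whereas the otherwise identical values-matrix-neoboard-widget.yaml.gotmpl in this change lists `resources:` first. Swapping the two stanzas keeps the widget values files diffable against each other; the rendered values are unaffected.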
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
new file mode 100644
index 00000000..ea4d789a
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -0,0 +1,46 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+cleanup:
+ deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+ deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+ username: "meetings-bot"
+ pod: "opendesk-synapse-0"
+ secretName: "matrix-neodatefix-bot-account"
+ password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+ url: {{ .Values.images.synapseCreateUser.repository | quote }}
+ tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "matrix-neodatefix-bot-bootstrap"
+
+podAnnotations: {}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+
+...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
new file mode 100644
index 00000000..aa7654ee
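Review bot: `username: "meetings-bot"` is repeated as a literal here, in values-matrix-neodatefix-bot.yaml.gotmpl, in values-matrix-neodatefix-widget.yaml.gotmpl and inside `welcomeUserId` in values-element.yaml.gotmpl, so renaming the bot account means editing four files and a mismatch only shows up at runtime as a missing user. Hoist it into one value and reference it in all four places, e.g. `username: {{ .Values.<bot-username-value> | quote }}` (placeholder name). `pod: "opendesk-synapse-0"` presumably names the Synapse StatefulSet pod the account-creation job talks to; that is fine while the Synapse release name is fixed, but a one-line comment saying so would spare the next reader a search. The same pattern appears in values-matrix-user-verification-service-bootstrap.yaml.gotmpl with `username: "uvs"`.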
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -0,0 +1,85 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+ bot:
+ username: "meetings-bot"
+ display name: "Scheduler Bot"
+ openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+ strings:
+ breakoutSessionWidgetName: "Breakout Sessions"
+ calendarRoomName: "Scheduler"
+ calendarWidgetName: "Scheduler"
+ cockpitWidgetName: "Meeting control"
+ jitsiWidgetName: "Video conference"
+ matrixNeoBoardWidgetName: "Whiteboard"
+ matrixNeoChoiceWidgetName: "Votes"
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
+
+extraEnvVars:
+ - name: "ACCESS_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: "matrix-neodatefix-bot-account"
+ key: "access_token"
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
+ repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+ tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: 
{{ .Values.ingress.tls.secretName | quote }}
+
+ liveness sample:
+ enabled: true
+
+persistence:
+ size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
+readinessProbe:
+ enabled: true
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+ {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+
+...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
new file mode 100644
index 00000000..5b51d0eb
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
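Review bot: Two keys in this file look malformed: `display name: "Scheduler Bot"` under `configuration.bot` has a space in the key while its siblings are camelCase (`openxchangeBaseUrl`), and `liveness sample:` sits where the matching `readinessProbe:` stanza further down suggests a probe block belongs. A Helm chart silently ignores keys it does not know, so the bot would run with the chart's default display name and liveness settings and nothing would fail. If the chart's schema is camelCase the fixes are `displayName: "Scheduler Bot"` and `livenessProbe:`, but confirm both key names against the chart's values.yaml before changing them.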
@@ -0,0 +1,62 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+configuration:
+ bot:
+ username: "meetings-bot"
+ homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
+ repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
+ tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
+
+resources:
+ {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
+...
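Review bot: `homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}` is the only templated string in this file rendered without `| quote`; every other string value (`domain`, `imagePullPolicy`, `repository`, `tag`) is quoted, and an unquoted expansion that is empty renders as a null value rather than an empty string. Render it as `homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}` so the file is consistent and the value is always a string.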
diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
new file mode 100644
index 00000000..f171e256
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -0,0 +1,45 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+cleanup:
+ deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+ deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+ username: "uvs"
+ pod: "opendesk-synapse-0"
+ secretName: "opendesk-matrix-user-verification-service-account"
+ password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+ url: {{ .Values.images.synapseCreateUser.repository | quote }}
+ tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
+
+podAnnotations: {}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
new file mode 100644
index 00000000..627cabe8
--- /dev/null
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ seccompProfile:
+ type: "RuntimeDefault"
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
+
+extraEnvVars:
+ - name: "UVS_ACCESS_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: "opendesk-matrix-user-verification-service-account"
+ key: "access_token"
+ - name: "UVS_DISABLE_IP_BLACKLIST"
+ value: "true"
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
+ repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+ tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+ {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+
+...
diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl
index 6285cb85..dd0f75cf 100644
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
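Review bot: The container is configured to run as root — `runAsUser: 0`, `runAsGroup: 0`, `runAsNonRoot: false`, `readOnlyRootFilesystem: false` — while every other `containerSecurityContext` added in this change uses UID/GID 101 with a read-only root filesystem, and nothing in the file says why this service is the exception. If the image genuinely cannot start unprivileged, add a comment above the stanza such as `# Upstream image requires root and a writable root filesystem; tracked in <upstream-issue-placeholder>` so the deviation is deliberate and revisited on the next image bump; otherwise align it with the other components. `UVS_DISABLE_IP_BLACKLIST: "true"` also appears to switch off the service's built-in address filtering, presumably so it can reach the homeserver on a cluster-internal address; that deserves a one-line comment too, since a reader of the rendered values cannot otherwise distinguish it from an accidental hardening regression.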
@@ -12,6 +12,7 @@ configuration: room_prejoin_state: additional_event_types: - "m.space.parent" + - "net.nordeck.meetings.metadata" - "m.room.power_levels" # To allow intercom service logins for the users and also allow proper testautomation we want to raise the # ratelimit in a reasonable manner. @@ -32,6 +33,25 @@ configuration: homeserver: serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }} + appServiceConfigs: + - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }} + hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }} + id: intercom-service + namespaces: + users: + - exclusive: false + regex: "@.*" + url: null + sender_localpart: intercom-service + - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }} + hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }} + id: ox-appsuite + namespaces: + users: + - exclusive: false + regex: "@.*" + url: null + sender_localpart: ox-appsuite presence: enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }} @@ -70,6 +90,14 @@ configuration: transport: {{ .Values.turn.transport | quote }} {{- end }} + guestModule: + enabled: true + image: + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }} + repository: {{ .Values.images.synapseGuestModule.repository | quote }} + tag: {{ .Values.images.synapseGuestModule.tag | quote }} + containerSecurityContext: allowPrivilegeEscalation: false capabilities: diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml index f58908d3..660217fc 100644 --- a/helmfile/environments/default/charts.yaml +++ b/helmfile/environments/default/charts.yaml 
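Review bot: Both `appServiceConfigs` entries register a non-exclusive user namespace of `regex: "@.*"`, which lets whoever holds each `as_token` act as any user on the homeserver; that is a homeserver-wide privilege, so `secrets.intercom.synapseAsToken` and `secrets.oxAppsuite.synapseAsToken` must be treated as admin-level credentials, and the broad namespace deserves a comment explaining why a narrower pattern is not possible for these integrations. Each entry also reuses the same secret for `as_token` and `hs_token`; if `url: null` means Synapse never pushes transactions to the appservice then `hs_token` is effectively unused, but saying so in a comment (or giving it its own secret) prevents the two tokens being assumed distinct later. `id: intercom-service`, `sender_localpart: intercom-service` and the `ox-appsuite` pair are unquoted plain scalars while the rest of the file quotes strings. In the third hunk `guestModule.enabled: true` is unconditional whereas comparable toggles here are value-driven (`presence.enabled`), so consider `enabled: {{ .Values.<guest-module-toggle> }}` (placeholder name).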
@@ -144,6 +144,56 @@ charts: name: "mariadb" version: "2.3.1" verify: true + matrixNeoboardWidget: + # providerCategory: "Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" + name: "matrix-neoboard-widget" + version: "3.5.0" + verify: true + matrixNeochoiseWidget: + # providerCategory: "Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" + name: "matrix-neochoice-widget" + version: "3.5.0" + verify: true + matrixNeodatefixBot: + # providerCategory: "Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" + name: "matrix-neodatefix-bot" + version: "3.5.0" + verify: true + matrixNeodatefixWidget: + # providerCategory: "Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" + name: "matrix-neodatefix-widget" + version: "3.5.0" + verify: true + matrixUserVerificationService: + # providerCategory: 
"Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" + name: "opendesk-matrix-user-verification-service" + version: "3.4.0" + verify: true memcached: # providerCategory: "Community" # providerResponsible: "openDesk" @@ -332,6 +382,16 @@ charts: name: "opendesk-synapse" version: "3.4.1" verify: true + synapseCreateAccount: + # providerCategory: "Platform" + # providerResponsible: "openDesk" + # upstreamRegistry: "https://registry.opencode.de" + # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" + name: "opendesk-synapse-create-account" + version: "3.4.1" + verify: true synapseWeb: # providerCategory: "Platform" # providerResponsible: "openDesk" diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index dc0f8cf5..9b4153b0 100644 --- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml 
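Review bot: The new chart key is spelled `matrixNeochoiseWidget` while the chart it points to is `matrix-neochoice-widget` and the matching image key in images.yaml is `matrixNeoChoiceWidget`; the repository entry in helmfile-child.yaml.gotmpl already reads the neoboard key instead, which hides the mismatch. Rename it to `matrixNeochoiceWidget:` and update both `.Values.charts.matrixNeochoiseWidget` references in the helmfile in the same commit, since a partial rename renders an empty chart name and version.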
@@ -48,12 +48,12 @@ images: tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc" element: # providerCategory: "Supplier" - # providerResponsible: "Element" + # providerResponsible: "Nordeck" # upstreamRegistry: "https://registry.opencode.de" - # upstreamRepository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web" + # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web" registry: "registry.opencode.de" - repository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web" - tag: "1.11.4-amd64@sha256:1785ca0dcb608939533ce50067fb17c2152ceff00ea4e17a4cd500930727687b" + repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web" + tag: "1.11.2@sha256:faf57be74ff715e0f7c833a977f9f7b974ed3230d5d4e30733be7ed01b295a4c" freshclam: # providerCategory: "Community" # providerResponsible: "openDesk" 
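Review bot: The element image moves from `supplier/element/images/opendesk-element-web` at `1.11.4-amd64` to `supplier/nordeck/images/opendesk-element-web` at `1.11.2`, so the version number goes backwards at the same time as the provider changes. If the Nordeck build is a separate lineage in which `1.11.2` is the current release, a short comment on the `tag:` line saying so would stop this being read as an accidental downgrade; the digest pin is retained, which is good.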
@@ -146,6 +146,56 @@ images:
registry: "registry-1.docker.io"
repository: "library/mariadb"
tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
+ matrixNeoBoardWidget:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://ghcr.io"
+ # upstreamRepository: "nordeck/matrix-neoboard-widget"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["1", "4", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
+ tag: "1.20.0@sha256:e72bca018af1c0087587f6bcd1748c820ff520c8cf2a042b9b58354cdc878345"
+ matrixNeoChoiceWidget:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://ghcr.io"
+ # upstreamRepository: "nordeck/matrix-poll-widget"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["1", "4", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-poll-widget"
+ tag: "1.4.0@sha256:216cb88aaa47449a15af9a531d60eee593cb1923c4e8fcc67c119982972911e5"
+ matrixNeoDateFixBot:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://ghcr.io"
+ # upstreamRepository: "nordeck/matrix-meetings-bot"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["2", "7", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
+ tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
+ matrixNeoDateFixWidget:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://ghcr.io"
+ # upstreamRepository: "nordeck/matrix-meetings-widget"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["1", "6", "0"]
+ registry:
"registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
+ tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
+ matrixUserVerificationService:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Element"
+ # upstreamRegistry: "https://registry-1.docker.io"
+ # upstreamRepository: "matrixdotorg/matrix-user-verification-service"
+ # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["3", "0", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/element/images-mirror/matrix-user-verification-service"
+ tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
memcached:
# providerCategory: "Community"
# providerResponsible: "openDesk"
@@ -729,6 +779,24 @@ images:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
tag: "v1.115.0@sha256:abf4a5b5b2030f7deb555a8ec7b945607db9e98b057eb06364e66ba8308bdd40"
+ synapseCreateUser:
+ # providerCategory: "Community"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://registry-1.docker.io"
+ # upstreamRepository: "alpine/k8s"
+ registry: "registry-1.docker.io"
+ repository: "alpine/k8s"
+ tag: "1.30.0@sha256:d7a11b7032550e992667fd7725b039dcd639270fbceec368d7e66e3d9e41ee15"
+ synapseGuestModule:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Nordeck"
+ # upstreamRegistry: "https://ghcr.io"
+ # upstreamRepository: "nordeck/synapse-guest-module"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["1", "0", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
+ tag: "2.0.0@sha256:0fb4ee93cf6fc58f3f3b2f7f8c95d5e6d259b9a5dc354bde516e441187819283"
synapseWeb:
# providerCategory: "Community"
# providerResponsible: "Element"
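Review bot: `synapseCreateUser` is the only image added in the `@@ -729` hunk that is pulled straight from `registry-1.docker.io` (`repository: "alpine/k8s"`), while `synapseGuestModule` right beside it and the other new entries are served from `registry.opencode.de/.../images-mirror`, so this one image skips whatever curation the mirror provides and stays dependent on Docker Hub availability and pull limits. The `@sha256` pin does protect against tag tampering, so the exposure is availability and policy rather than integrity. The `mariadb` context earlier in this diff shows direct Docker Hub pulls already exist in the file, so if this is an accepted exception a comment saying so would help, e.g. `# NOTE: pulled directly from Docker Hub (not mirrored); digest-pinned`; otherwise mirror it under the same `images-mirror` scheme as its siblings. `alpine/k8s` is a general kubectl/helm tooling image; if the create-user job it presumably backs runs with cluster credentials (not visible from this hunk), a narrower image would reduce what a compromise of that job hands an attacker.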
diff --git a/helmfile/environments/default/selinux.yaml b/helmfile/environments/default/selinux.yaml
index f8646a85..ed99de3b 100644
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -59,6 +59,8 @@ seLinuxOptions:
prosody: ~
redis: ~
synapse: ~
+ synapseCreateUser : ~
+ synapseGuestModule : ~
synapseWeb: ~
umsGuardianAuthorizationApi: ~
umsGuardianManagementApi: ~
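Review bot: The two added keys `synapseCreateUser : ~` and `synapseGuestModule : ~` carry a space before the colon, unlike every neighbouring key (`synapse: ~`, `synapseWeb: ~`); a YAML parser should still yield the key `synapseCreateUser` since trailing whitespace is dropped from plain scalars, but yamllint's `colons` rule flags it and it reads as a typo. Change them to `synapseCreateUser: ~` and `synapseGuestModule: ~` to match the rest of the file.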