diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 28c95a63..52a00c5a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -465,15 +465,11 @@ env-stop:
.ums-default-password: &ums-default-password
- |
- UMS_PASSWORDS=$( \
- kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
- | yq '.properties.password' > passwords.txt \
- )
DEFAULT_USER_PASSWORD=$( \
- awk 'NR==1{print $1}' passwords.txt \
+ kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
)
DEFAULT_ADMIN_PASSWORD=$(
- awk 'NR==3{print $1}' passwords.txt \
+ kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d \
)
run-tests:
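Review bot: Nothing checks that the two `kubectl … get secret ums-nubus-credentials … | base64 -d` substitutions succeeded, so a failed lookup (wrong namespace, secret not created yet, missing RBAC) leaves `DEFAULT_USER_PASSWORD` / `DEFAULT_ADMIN_PASSWORD` empty and the job carries on. Assert the result right after each assignment, e.g. `: "${DEFAULT_ADMIN_PASSWORD:?could not read ums-nubus-credentials}"`, and quote the namespace as `"${NAMESPACE}"`. These variables now hold live credentials read from a Secret, so it is worth confirming that no later step echoes them or runs under `set -x`.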
diff --git a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
index a5a42aa0..bcc2bd6d 100644
--- a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
@@ -5,7 +5,7 @@ repositories:
# Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo"
- keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.intercomService.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
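Review bot: Pointing `keyring:` at `../../files/gpg-pubkeys/univention-de.gpg` changes the trust anchor used to verify the intercom-service chart, and the key file itself is not among the hunks visible here. Please confirm the file is added with this change and that its fingerprint was checked against the publisher out of band. A comment next to `keyring:` such as `# signing key fingerprint: <FINGERPRINT_PLACEHOLDER>` would make later key rotations reviewable. Verification also still depends on `.Values.charts.intercomService.verify` rendering `true`.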
diff --git a/helmfile/apps/intercom-service/values.yaml.gotmpl b/helmfile/apps/intercom-service/values.yaml.gotmpl
index b1f4c08a..694fb58d 100644
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -79,6 +79,25 @@ podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
+provisioning:
+ enabled: true
+ config:
+ nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+ keycloak:
+ url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
+ username: "kcadmin"
+ realm: {{ .Values.platform.realm | quote }}
+ connection:
+ host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ baseUrl: "http://ums-keycloak:8080"
+ credentialSecret:
+ name: "ums-opendesk-keycloak-credentials"
+ key: "admin_password"
+ ics_client:
+ clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+ credentialSecret:
+ key: "ics_secret"
+
replicaCount: {{ .Values.replicas.intercomService }}
resources:
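Review bot: The new `provisioning` block has the intercom provisioning step log in to Keycloak as `kcadmin`, using `admin_password` from `ums-opendesk-keycloak-credentials`, over plain `http://ums-keycloak:8080`. That hands the Keycloak admin credential to a job that, as far as this hunk shows, only needs to manage `ics_client`. A dedicated account limited to client management would reduce the blast radius; if `kcadmin` has to stay, add a comment saying why and that the HTTP endpoint is cluster-internal. The same `kcadmin` / `http://` settings are added under `provisioning.config.keycloak` in `values-nubus.yaml.gotmpl`. `ics_client` also carries both an inline `clientSecret` and a `credentialSecret` with a `key` but no `name`, so it is worth stating which of the two the chart actually uses.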
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index 3c495b48..1ac90ac2 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -9,6 +9,9 @@ global:
baseDn: {{ .Values.ldap.baseDn | quote }}
domainName: {{ .Values.global.domain | quote }}
domain: {{ .Values.global.domain | quote }}
+ subDomains:
+ portal: {{ .Values.global.hosts.nubus | quote }}
+ keycloak: {{ .Values.global.hosts.keycloak | quote }}
ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
@@ -26,6 +29,30 @@ global:
defaultUsers:
defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
+ defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
+ portalConsumer:
+ minio:
+ accessKey: {{ .Values.objectstores.nubus.username | quote }}
+ secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+ provisioningApi:
+ password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
+ provisioning:
+ api:
+ adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
+ natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
+ prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
+ udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
+ dispatcher:
+ natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
+ nats:
+ adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
+ prefill:
+ natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
+ udmTransformer:
+ natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
+ selfserviceConsumer:
+ provisioningApi:
+ password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
# -- Extensions to load. Add entries to load additional extensions into Nubus.
extensions:
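Review bot: Every credential added here is rendered as `{{ .Values.secrets… | quote}}` with no presence check, so a key missing from the environment's secrets would presumably render as an empty or null value instead of failing the deploy. For the NATS and provisioning API passwords that means services could come up with blank credentials. Wrapping the lookups in helmfile's `required`, e.g. `{{ required "secrets.nats.natsAdminPassword must be set" .Values.secrets.nats.natsAdminPassword | quote }}`, turns that into a render-time error. The enclosing `global` mapping starts outside this hunk.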
@@ -52,6 +79,61 @@ global:
repository: {{ .Values.images.nubusPortalExtension.repository }}
tag: {{ .Values.images.nubusPortalExtension.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ configUcr:
+ directory:
+ manager:
+ web:
+ modules:
+ users:
+ user:
+ add:
+ default: cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}
+ properties:
+ description:
+ syntax: TextArea
+ firstname:
+ required: "true"
+ mailPrimaryAddress:
+ required: "true"
+ username:
+ syntax: uid
+ search:
+ autosearch: "False"
+ wizard:
+ property:
+ invite:
+ default: "True"
+ overridePWLength:
+ default: "False"
+ visible: "False"
+ pwdChangeNextLogin:
+ default: "True"
+ visible: "False"
+ wizard:
+ disabled: "No"
+
+ ucs:
+ web:
+ theme: light
+
+ umc:
+ cookie-banner:
+ show: "false"
+ login:
+ password-complexity-message:
+ de: "Das Passwort muss den folgenden Anforderungen entsprechen:
Anmerkung: Wird befinden uns nicht in einer Produktivumgebung."
+ en: "Password must comply with the following rules:
- Minimum length: 8 characters
Note: We are in a non production (dev/test/demo) system."
+ module:
+ udm:
+ oxmail:
+ oxcontext:
+ disabled: "True"
+ portals:
+ all:
+ disabled: "True"
+ self-service:
+ passwordreset:
+ token_validity_period: 172800
ingress:
certManager:
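Review bot: `token_validity_period: 172800` keeps self-service password-reset tokens valid for 48 hours, a long window for a mailed token that can set a password. Please add a comment giving the unit and the reason (for example `# seconds (48 h) - <reason>`), or shorten it if nothing depends on the longer window. In the same block the `de` password-complexity message omits the minimum-length rule that the `en` text states and reads "Wird befinden" where "Wir befinden" is meant. The boolean-like UCR strings also mix spellings (`"true"`, `"True"`, `"False"`, `"false"`, `"No"`); one spelling per meaning would be easier to audit, if the consumer accepts it.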
@@ -94,7 +176,13 @@ nubusGuardian:
provisioning:
enabled: false
config:
+ nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
+ realm: {{ .Values.platform.realm | quote }}
+ username: "kcadmin"
+ connection:
+ host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ baseUrl: "http://ums-keycloak:8080"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
@@ -206,13 +294,17 @@ nubusPortalFrontend:
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusPortalListener:
- portalListener:
+ enabled: false
+
+nubusPortalConsumer:
+ enabled: true
+ portalConsumer:
+ logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
- objectStorageCredentialSecret:
- name: "ums-portal-listener-minio-opendesk-credentials"
- accessKeyKey: "access-key-id"
- secretKeyKey: "secret-key-id"
+ provisioningApi:
+ auth:
+ username: "portal-consumer"
nubusPortalServer:
portalServer:
@@ -240,15 +332,22 @@ nubusUdmRestApi:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
-# NOTE: disabled until the next update.
nubusProvisioning:
- enabled: false
-nubusUdmListener:
- enabled: false
-nubusSelfServiceListener:
+ nats:
+ config:
+ lame_duck_grace_period: |
+ 10s
+ max_payload: 16MB
+ enabled: true
+
+nubusUdmListener:
+ enabled: true
+
+nubusSelfServiceListener:
+ enabled: false
+
+nubusSelfServiceConsumer:
enabled: true
- selfserviceListener:
- umcAdminUser: "default.admin"
# Nubus services
nubusStackDataUms:
@@ -262,7 +361,11 @@ nubusStackDataUms:
umcMemcachedUsername: ""
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
umcHtmlTitle: "openDesk Portal"
- installUmcPolicies: true
+ smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+ smtpPort: 25
+ smtpUser: ""
+ smtpStartTls: false
+ ldapBase: {{ .Values.ldap.baseDn }}
templateContext:
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
@@ -279,6 +382,7 @@ nubusStackDataUms:
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
+ ldapSystemUsers: []
portaltileGroupUserStandard:
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
@@ -300,47 +404,21 @@ nubusStackDataUms:
- 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupLiveCollaboration:
- 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-
+ systemInformation:
+ enabled: true
+ releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+ {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+ deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+ {{- else }}
+ deployDate: "not available"
+ {{- end }}
+ # In openDesk the external memcache does not expect a username to be set. Overwriting
+ # the default username of `selfservice` is part of the customizing:
nubusUmcServer:
memcached:
auth:
username: ""
-# TODO: Remove values when upstreaming fixes
-nubusStackDataSwp:
- additionalAnnotations:
- argocd.argoproj.io/hook: "Sync"
- argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
- stackDataSwp:
- systemInformation:
- {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
- deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
- {{- end }}
- releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
- stackDataContext:
- ldapSearchUsers:
- {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
- - username: {{ printf "ldapsearch_%s" $username | quote }}
- password: {{ $password | quote }}
- lastname: "LDAP-Search-User"
- {{- end }}
- externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
- smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
- smtpPort: 25
- smtpUser: ""
- smtpStartTls: false
- ldapBase: {{ .Values.ldap.baseDn }}
- # FIXME: Should be templated correctly in the future
- portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
- portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
- portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
- portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
- portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
- portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
- portalTitleDE: "openDesk Portal"
- portalTitleEN: "openDesk Portal"
- oxDefaultContext: "1"
-
nubusUmcServer:
postgresql:
bundled: false
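Review bot: With `nubusStackDataSwp` removed, two `nubusUmcServer:` mappings now sit directly after each other, one setting `memcached.auth.username` and one starting with `postgresql`, and the new comment about the memcached username is attached to the first. If both are top-level keys, as they appear to be, this is a duplicate key: parsers either reject it or keep only the last mapping, which would drop the `username: ""` override the comment describes. Merging `memcached:` into the second `nubusUmcServer:` block removes the ambiguity. The second mapping continues past the end of the hunk.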
@@ -441,10 +519,6 @@ extraSecrets:
stringData:
access-key-id: {{ .Values.objectstores.nubus.username | quote }}
secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
- - name: "ums-portal-listener-minio-opendesk-credentials"
- stringData:
- access-key-id: {{ .Values.objectstores.nubus.username | quote }}
- secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
- name: "ums-umc-server-smtp-credentials-custom"
stringData:
password: ""
diff --git a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
index 1e3fc819..4dbbbb3c 100644
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -87,15 +87,29 @@ nubusKeycloakExtensions:
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-nubusPortalListener:
+nubusPortalConsumer:
podAnnotations:
- intents.otterize.com/service-name: "ums-portal-listener"
- replicaCount: {{ .Values.replicas.umsPortalListener }}
+ intents.otterize.com/service-name: "ums-portal-consumer"
+ replicaCount: {{ .Values.replicas.umsPortalConsumer }}
resources:
- {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
+ {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+ resourcesWaitForDependency:
+ {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
- size: {{ .Values.persistence.size.nubus.portalListener | quote }}
+ size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
+
+nubusPortalConsumer:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-portal-consumer"
+ replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+ resources:
+ {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+ resourcesWaitForDependency:
+ {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+ persistence:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
nubusPortalServer:
additionalAnnotations:
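Review bot: `nubusPortalConsumer:` is now defined twice in a row with identical content, once as the renamed `nubusPortalListener` block and again as a newly added block. Duplicate mapping keys are invalid YAML and parsers handle them differently (error versus last-one-wins), so the second copy should be dropped. It does no harm today only because both copies are identical; a later edit to just one of them would be silently ignored or overridden.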
@@ -129,7 +143,59 @@ nubusLdapServer:
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-
+ extraVolumes:
+ - name: "migration-scripts"
+ secret:
+ secretName: "ums-ldap-server-migration"
+ defaultMode: 0555
+ extraVolumeMounts:
+ - name: "migration-scripts"
+ mountPath: "/entrypoint.d/30-purge.sh"
+ subPath: "30-purge.sh"
+ - name: "migration-scripts"
+ mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
+ subPath: "95-slapadd-24-ldif.sh"
+ extraSecrets:
+ - name: "ums-ldap-server-migration"
+ stringData:
+ 30-purge.sh: |
+ #!/usr/bin/env bash
+ me=$(basename "$0")
+ echo "- Running ${me}"
+ if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+ echo "- Cleaning up /var/lib/univention-ldap."
+ cd /var/lib/univention-ldap
+ rm -rf internal
+ rm -rf ldap
+ ls -l
+ else
+ echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+ fi
+ 95-slapadd-24-ldif.sh: |
+ #!/usr/bin/env bash
+ me=$(basename "$0")
+ echo "- Running ${me}"
+ ls -l /var/lib/univention-ldap
+ if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+ echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
+ ls -l /var/lib/univention-ldap/
+ rm -rf /var/lib/univention-ldap/ldap
+ rm -rf /var/lib/univention-ldap/internal
+ echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
+ ls -l /var/lib/univention-ldap/
+ mkdir /var/lib/univention-ldap/ldap
+ mkdir /var/lib/univention-ldap/internal
+ echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
+ ls -l /var/lib/univention-ldap/
+ /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
+ echo "- slapadd executed"
+ ls -l /var/lib/univention-ldap/
+ mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
+ echo "- import file renamed"
+ ls -l /var/lib/univention-ldap/
+ else
+ echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+ fi
nubusPortalFrontend:
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-frontend"
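Review bot: Both embedded migration scripts run destructive steps without error handling. `30-purge.sh` does `cd /var/lib/univention-ldap` followed by relative `rm -rf internal` / `rm -rf ldap`, and `95-slapadd-24-ldif.sh` renames the export to `…-imported` even when `slapadd` fails, after the old database directories have already been deleted. Assuming the entrypoint executes these files rather than sourcing them, adding `set -euo pipefail` after each shebang (or at least `cd /var/lib/univention-ldap || exit 1` and `slapadd … || exit 1`) keeps a failed import from being recorded as done. The mount path is spelled `95-slapadd-24-ldiff.sh` while the `subPath` and secret key use `-ldif.sh`. `defaultMode: 0555` relies on the parser reading a leading-zero integer as octal; `defaultMode: 365` with a `# 0555` comment makes that explicit.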
@@ -152,18 +218,12 @@ nubusStackDataUms:
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
-nubusStackDataSwp:
- additionalAnnotations:
- intents.otterize.com/service-name: "ums-stack-data-swp"
- resources:
- {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
-
-nubusSelfServiceListener:
+nubusSelfServiceConsumer:
podAnnotations:
intents.otterize.com/service-name: "ums-selfservice-listener"
resources:
- {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
- replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
+ {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
+ replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
nubusUdmRestApi:
additionalAnnotations:
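Review bot: The block is renamed to `nubusSelfServiceConsumer`, but its `intents.otterize.com/service-name` annotation still reads `"ums-selfservice-listener"`, whereas the portal counterpart was changed to `"ums-portal-consumer"` in this commit. If the Otterize intents or network policies are keyed on that name, the stale value may leave the consumer without its expected policy or keep matching rules written for the retired listener. `intents.otterize.com/service-name: "ums-selfservice-consumer"` would be consistent, provided the intents are renamed with it.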
diff --git a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
index 75427fcc..92e73d46 100644
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -51,15 +51,6 @@ nubusLdapServer:
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
-
-nubusPortalConsumer:
- portalConsumer:
- image:
- registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
- repository: {{ .Values.images.nubusPortalConsumer.repository }}
- tag: {{ .Values.images.nubusPortalConsumer.tag }}
-
-
nubusNotificationsApi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
@@ -72,11 +63,12 @@ nubusPortalFrontend:
repository: {{ .Values.images.nubusPortalFrontend.repository }}
tag: {{ .Values.images.nubusPortalFrontend.tag }}
-nubusPortalListener:
- image:
- registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalListener.registry | quote }}
- repository: {{ .Values.images.nubusPortalListener.repository }}
- tag: {{ .Values.images.nubusPortalListener.tag }}
+nubusPortalConsumer:
+ portalConsumer:
+ image:
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
+ repository: {{ .Values.images.nubusPortalConsumer.repository }}
+ tag: {{ .Values.images.nubusPortalConsumer.tag }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -151,11 +143,6 @@ nubusUdmListener:
tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
nubusSelfServiceListener:
- selfserviceListener:
- image:
- registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceListener.registry | quote }}
- repository: {{ .Values.images.nubusSelfserviceListener.repository }}
- tag: {{ .Values.images.nubusSelfserviceListener.tag }}
selfserviceInvitation:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
@@ -225,9 +212,3 @@ nubusStackDataUms:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
repository: {{ .Values.images.nubusDataLoader.repository }}
tag: {{ .Values.images.nubusDataLoader.tag }}
-
-nubusStackDataSwp:
- image:
- registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
- repository: {{ .Values.images.nubusDataLoader.repository }}
- tag: {{ .Values.images.nubusDataLoader.tag }}
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 890d0958..97c39364 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -29,7 +29,7 @@ config:
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
# 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
- clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+ clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
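Review bot: The comment above `clients:` still says the guardian clients "have been added explicitly for the moment (see further down this file)", but this commit deletes those client definitions and lists them in `managed.clients` instead, together with `opendesk-intercom`. Please update it to say where these four clients are now created and why the bootstrap lists them here, e.g. `# 'opendesk-intercom' and the 'guardian-*' clients are provisioned outside this file (<where>); listed here so the bootstrap <effect>`. Their redirect URIs, public-client flags and protocol mappers are no longer reviewable in this file, so a pointer to the chart that defines them is the most useful part of that comment.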
@@ -389,60 +389,6 @@ config:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk-dovecot-scope"
- - name: "opendesk-intercom"
- clientId: "opendesk-intercom"
- protocol: "openid-connect"
- clientAuthenticatorType: "client-secret"
- secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
- redirectUris:
- - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
- consentRequired: false
- frontchannelLogout: false
- publicClient: false
- authorizationServicesEnabled: false
- attributes:
- backchannel.logout.session.required: true
- backchannel.logout.revoke.offline.tokens: true
- backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
- protocolMappers:
- - name: "intercom-audience"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "opendesk-intercom"
- id.token.claim: false
- access.token.claim: true
- # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
- # it to `opendesk_useruuid` standard claim. For reference:
- # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
- - name: "entryuuid_temp"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "entryUUID"
- id.token.claim: true
- access.token.claim: true
- claim.name: "entryuuid"
- jsonType.label: "String"
- # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
- # set it to `opendesk_username` standard claim. For reference:
- # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
- - name: "phoenixusername_temp"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "uid"
- id.token.claim: true
- access.token.claim: true
- claim.name: "phoenixusername"
- jsonType.label: "String"
- defaultClientScopes:
- - "offline_access"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
@@ -571,296 +517,6 @@ config:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
- - name: "guardian-management-api"
- clientId: "guardian-management-api"
- rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- protocol: "openid-connect"
- publicClient: false
- clientAuthenticatorType: "client-secret"
- secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- redirectUris:
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
- fullScopeAllowed: true
- standardFlowEnabled: true
- implicitFlowEnabled: false
- directAccessGrantsEnabled: false
- serviceAccountsEnabled: true
- protocolMappers:
- - name: "Client Host"
- protocol: "openid-connect"
- protocolMapper: "oidc-usersessionmodel-note-mapper"
- consentRequired: false
- config:
- user.session.note: "clientHost"
- userinfo.token.claim: true
- id.token.claim: true
- access.token.claim: true
- claim.name: "clientHost"
- jsonType.label: "String"
- - name: "Client ID"
- protocol: "openid-connect"
- protocolMapper: "oidc-usersessionmodel-note-mapper"
- consentRequired: false
- config:
- user.session.note: "client_id"
- userinfo.token.claim: true
- id.token.claim: true
- access.token.claim: true
- claim.name: "client_id"
- jsonType.label: "String"
- - name: "guardian-audience"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian"
- userinfo.token.claim: false
- id.token.claim: false
- access.token.claim: true
- - name: "audiencemap"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian-cli"
- userinfo.token.claim: true
- id.token.claim: true
- access.token.claim: true
- - name: "dn"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: false
- user.attribute: "LDAP_ENTRY_DN"
- id.token.claim: false
- access.token.claim: true
- claim.name: "dn"
- jsonType.label: "String"
- - name: "username"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "username"
- id.token.claim: true
- access.token.claim: true
- claim.name: "preferred_username"
- jsonType.label: "String"
- - name: "uid"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "uid"
- id.token.claim: true
- access.token.claim: true
- claim.name: "uid"
- jsonType.label: "String"
- - name: "email"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "email"
- id.token.claim: true
- access.token.claim: true
- claim.name: "email"
- jsonType.label: "String"
- - name: "Client IP Address"
- protocol: "openid-connect"
- protocolMapper: "oidc-usersessionmodel-note-mapper"
- consentRequired: false
- config:
- user.session.note: "clientAddress"
- userinfo.token.claim: true
- id.token.claim: true
- access.token.claim: true
- claim.name: "clientAddress"
- jsonType.label: "String"
- - name: "guardian-scripts"
- clientId: "guardian-scripts"
- description: ""
- rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- surrogateAuthRequired: false
- enabled: true
- alwaysDisplayInConsole: false
- clientAuthenticatorType: "client-secret"
- redirectUris:
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
- webOrigins:
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- bearerOnly: false
- consentRequired: false
- standardFlowEnabled: true
- implicitFlowEnabled: false
- directAccessGrantsEnabled: true
- serviceAccountsEnabled: false
- publicClient: true
- frontchannelLogout: false
- protocol: "openid-connect"
- fullScopeAllowed: true
- protocolMappers:
- - name: "email"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "email"
- id.token.claim: true
- access.token.claim: true
- claim.name: "email"
- jsonType.label: "String"
- - name: "guardian-audience"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian"
- id.token.claim: false
- access.token.claim: true
- userinfo.token.claim: false
- - name: "username"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "username"
- id.token.claim: true
- access.token.claim: true
- claim.name: "preferred_username"
- jsonType.label: "String"
- - name: "uid"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "uid"
- id.token.claim: true
- access.token.claim: true
- claim.name: "uid"
- jsonType.label: "String"
- - name: "audiencemap"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian-scripts"
- id.token.claim: true
- access.token.claim: true
- userinfo.token.claim: true
- - name: "dn"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- aggregate.attrs: false
- multivalued: false
- userinfo.token.claim: false
- user.attribute: "LDAP_ENTRY_DN"
- id.token.claim: false
- access.token.claim: true
- claim.name: "dn"
- jsonType.label: "String"
- defaultClientScopes:
- - "web-origins"
- - "acr"
- - "roles"
- - "profile"
- - "email"
- optionalClientScopes:
- - "address"
- - "phone"
- - "offline_access"
- - "microprofile-jwt"
- - name: "guardian-ui"
- clientId: "guardian-ui"
- rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
- clientAuthenticatorType: "client-secret"
- redirectUris:
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
- standardFlowEnabled: true
- publicClient: true
- implicitFlowEnabled: false
- directAccessGrantsEnabled: false
- serviceAccountsEnabled: false
- protocol: "openid-connect"
- fullScopeAllowed: true
- protocolMappers:
- - name: "uid"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "uid"
- id.token.claim: true
- access.token.claim: true
- claim.name: "uid"
- jsonType.label: "String"
- - name: "username"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "username"
- id.token.claim: true
- access.token.claim: true
- claim.name: "preferred_username"
- jsonType.label: "String"
- - name: "dn"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: "false"
- user.attribute: "LDAP_ENTRY_DN"
- id.token.claim: false
- access.token.claim: true
- claim.name: "dn"
- jsonType.label: "String"
- - name: "audiencemap"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian"
- id.token.claim: true
- access.token.claim: true
- userinfo.token.claim: true
- - name: "email"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-property-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "email"
- id.token.claim: true
- access.token.claim: true
- claim.name: "email"
- jsonType.label: "String"
- - name: "guardian-audience"
- protocol: "openid-connect"
- protocolMapper: "oidc-audience-mapper"
- consentRequired: false
- config:
- included.client.audience: "guardian"
- id.token.claim: false
- access.token.claim: true
- userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 8a0fcf43..df8e0f5d 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -122,7 +122,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "intercom-service"
- version: "2.0.1"
+ version: "2.1.1"
verify: true
jitsi:
# providerCategory: "Platform"
@@ -162,7 +162,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
name: "opendesk-migrations"
- version: "1.2.3"
+ version: "1.3.2"
verify: true
minio:
# providerCategory: "Community"
@@ -214,7 +214,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "nubus"
- version: "0.39.2"
+ version: "0.57.3"
verify: true
opendeskKeycloakBootstrap:
# providerCategory: "Platform"
@@ -224,7 +224,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap"
- version: "2.1.1"
+ version: "2.1.2"
verify: true
openproject:
# providerCategory: "Supplier"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 93cd52be..9a010c0d 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -73,13 +73,13 @@ images:
intercom:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
- # upstreamRegistry: "https://quay.io"
- # upstreamRepository: "univention/intercom-service"
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ["1", "6"]
+ # upstreamRegistry: "https://artifacts.software-univention.de"
+ # upstreamRepository: "nubus/images/intercom-service"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["2", "1", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
- tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
+ tag: "2.1.1@sha256:889b82681883b2cec1267a744f135f5b25a716de6ca584f7565ccd118b6f6c4f"
jibri:
# providerCategory: "Supplier"
# providerResponsible: "Nordeck"
@@ -161,7 +161,7 @@ images:
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
- tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
+ tag: "1.3.9@sha256:dee06e4da27ff67cad12ba990aca58ca81eae89a02dfe4831bd3e9c67c08ddcf"
milter:
# providerCategory: "Community"
# providerResponsible: "openDesk"
@@ -219,7 +219,7 @@ images:
# upstreamMirrorStartFrom: ["0", "41", "5"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
- tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
+ tag: "0.69.3@sha256:2eed474783e27a70996b19fe1db1fdb3b4c100fa5f611241b6a72340db48e4af"
nubusGuardianAuthorizationApi:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -259,7 +259,7 @@ images:
# upstreamMirrorStartFrom: ["0", "3", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
- tag: "0.11.0@sha256:c691aecaf2074a9f1cc6ec5277a70792642bd677f0ff58a6278041b2d99c9d51"
+ tag: "0.13.0@sha256:0b0a4e4ab60a3d0f5e4872c9ed6d7b7db35e967007dd9b8ee7473daa5f6774f5"
nubusKeycloak:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -269,7 +269,7 @@ images:
# upstreamMirrorStartFrom: ["22", "0", "3"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
- tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
+ tag: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"
nubusKeycloakBootstrap:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -279,7 +279,7 @@ images:
# upstreamMirrorStartFrom: ["0", "1", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
- tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
+ tag: "0.2.1@sha256:33acee89e870016d51b79d28213052b3fc40f9fed94898f6e11c51c2eb5677fb"
nubusKeycloakExtensionHandler:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -309,7 +309,7 @@ images:
# upstreamMirrorStartFrom: ["0", "8", "2"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
- tag: "0.20.0@sha256:d891fe11075740ff0fe1694b2c5fb72c43ac6d823904af8593e0ab359b9175e0"
+ tag: "0.24.0@sha256:c41ecc4e6446ae6182b6e0a01592c69c9a99c8e17b33d0373b6892d0669e9902"
nubusLdapServer:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -319,7 +319,7 @@ images:
# upstreamMirrorStartFrom: ["0", "8", "2"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
- tag: "0.20.0@sha256:ad73addd9201378fd5c978ab6bfc64bbd23bb279fc065cade9cb2f8e48a9c85f"
+ tag: "0.24.0@sha256:8db7292ec34291a2416bd72b1944b9076d651ed3b257890ebd8a990bcb8a7e98"
nubusLdapServerDhInitContainer:
# providerCategory: 'Community'
# providerResponsible: 'Univention'
@@ -361,7 +361,7 @@ images:
# upstreamMirrorStartFrom: ["0", "9", "4"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
- tag: "0.33.0@sha256:0ddb81d4789b2f43b55ded46ff88db4b99a68e7b1006e35877f582aac875c9ad"
+ tag: "0.38.3@sha256:3b74617c6a8b68b086be8ab648bfffb08ba6ddb052ff0dcd4731c1bcc5a87a03"
nubusOpendeskExtension:
# providerCategory: "Platform"
# providerResponsible: "openDesk"
@@ -369,7 +369,7 @@ images:
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
- tag: "1.2.1@sha256:479f072d8dd9fe445caa5fea4d882bf3aba24af0d22fc378a9839990c6f3a907"
+ tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
nubusOpenPolicyAgent:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -399,7 +399,7 @@ images:
# upstreamMirrorStartFrom: ["0", "27", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
- tag: "0.32.0@sha256:7f38a8db34bfe67c9ad0711c0a2c615e278b20a1a7b66b77bd28faa339eaf897"
+ tag: "0.38.3@sha256:a4c7b57870aa7868174ef446f4212da1fc9f57d72c31dca245a5787699f2975b"
nubusPortalExtension:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -409,7 +409,7 @@ images:
# upstreamMirrorStartFrom: ["0", "28", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
- tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
+ tag: "0.38.0@sha256:aa6ec6b99810e05655d98fa1192bc2eabb855335f7a04aa4cd96ed5b5645d736"
nubusPortalFrontend:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -419,17 +419,7 @@ images:
# upstreamMirrorStartFrom: ["0", "9", "4"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
- tag: "0.33.0@sha256:9cce16009cc478ece11704521347fc4938a3ac5ee4570ac439dd50b08452a3ff"
- nubusPortalListener:
- # providerCategory: "Supplier"
- # providerResponsible: "Univention"
- # upstreamRegistry: "https://artifacts.software-univention.de"
- # upstreamRepository: "nubus/images/portal-listener"
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ["0", "9", "4"]
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
- tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
+ tag: "0.38.3@sha256:514ff5117331d0b446944b252d993db547daad64062fcfaab8794bfb4f5290a3"
nubusPortalServer:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -439,7 +429,7 @@ images:
# upstreamMirrorStartFrom: ["0", "9", "4"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
- tag: "0.33.1@sha256:82e9002786a9d1ec524c0f386838ac4ee1fa9a581b66d2e353ea57cc01e26a95"
+ tag: "0.38.3@sha256:0cd37fc82a7426013a1f93dcf4a72686f3b90b7532991dd1d50ae28cbca493e5"
nubusProvisioningDispatcher:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -449,7 +439,7 @@ images:
# upstreamMirrorStartFrom: ["0", "14", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
- tag: "0.36.0@sha256:34f03f48b4c9b470f9809b5fa6bfd6e96346e3f99ac0a2d7eaeac3cf9a4a633d"
+ tag: "0.39.0@sha256:cff262c399785594a07d61a0645ca304e4da044d37831c29f848d8d70b2e58c9"
nubusProvisioningEventsAndConsumerApi:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -459,7 +449,7 @@ images:
# upstreamMirrorStartFrom: ["0", "14", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
- tag: "0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce"
+ tag: "0.39.0@sha256:9f537eb138863ea9c3f6f7b416e7787ab1841e3e0ba3a8dd39fe35464955d75d"
nubusProvisioningPrefill:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -469,7 +459,7 @@ images:
# upstreamMirrorStartFrom: ["0", "14", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
- tag: "0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6"
+ tag: "0.39.0@sha256:72ab91cd235b52875c03411c5488984b482aafc6d58f2064bd5313ab7a119cab"
nubusProvisioningUdmListener:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -479,7 +469,7 @@ images:
# upstreamMirrorStartFrom: ["0", "14", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
- tag: "0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed"
+ tag: "0.39.0@sha256:f0e63353f0ea28890c992a374b82ac65f379f9dfd4c7fe645f002b170df1da69"
nubusProvisioningUdmTransformer:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -489,7 +479,7 @@ images:
# upstreamMirrorStartFrom: ["0", "14", "0"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
- tag: "0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d"
+ tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc"
nubusSelfserviceInvitation:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -499,17 +489,7 @@ images:
# upstreamMirrorStartFrom: ["0", "3", "2"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
- tag: "0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e"
- nubusSelfserviceListener:
- # providerCategory: "Supplier"
- # providerResponsible: "Univention"
- # upstreamRegistry: "https://artifacts.software-univention.de"
- # upstreamRepository: "nubus/images/selfservice-listener"
- # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
- # upstreamMirrorStartFrom: ["0", "3", "2"]
- registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
- tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
+ tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37"
nubusUdmRestApi:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -519,7 +499,7 @@ images:
# upstreamMirrorStartFrom: ["0", "9", "3"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
- tag: "0.21.0@sha256:f3d189dd0ca619778c907569ddedbdf8772fba26f26cf9e6b8cde2a62618da63"
+ tag: "0.23.0@sha256:908e79f13bee54b6ee521278d8423b436071aa0628803f561c9cebdfebda1403"
nubusUmcGateway:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -529,7 +509,7 @@ images:
# upstreamMirrorStartFrom: ["0", "7", "3"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
- tag: "0.27.1@sha256:50991e4b8e13fd1b1a07228192eadd1b43d8a3502aba16f129ee5ba794720392"
+ tag: "0.30.0@sha256:73cd61b29c2d1e44c025c3da56ec8664c2509ee2ac49a0bccf0b357f017489e6"
nubusUmcServer:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
@@ -539,7 +519,7 @@ images:
# upstreamMirrorStartFrom: ["0", "7", "3"]
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
- tag: "0.27.1@sha256:006680e0a7ffcec3119c85eb30eaa6bbf9b2df54a14dd3d41b6bb7ce71226557"
+ tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822"
nubusWaitForDependency:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
diff --git a/helmfile/environments/default/persistence.yaml b/helmfile/environments/default/persistence.yaml
index fcf87812..83706211 100644
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -19,7 +19,6 @@ persistence:
nubus:
ldapServerData: "1Gi"
ldapServerShared: "1Gi"
- portalListener: "1Gi"
- selfserviceListener: "1Gi"
+ portalConsumer: "1Gi"
xwiki: "1Gi"
...
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index 4d64ae63..4eb683c5 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -93,12 +93,12 @@ replicas:
umsNotificationsApi: 1
# -- scalable: true
umsPortalFrontend: 1
- # -- scalable: tbd
- umsPortalListener: 1
+ # -- scalable: false
+ umsPortalConsumer: 1
# -- scalable: true
umsPortalServer: 1
# -- scalable: tbd
- umsSelfserviceListener: 1
+ umsSelfserviceConsumer: 1
# -- scalable: tbd
umsStackGateway: 1
# -- scalable: true
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index fd0ba445..173cfa8d 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -499,14 +499,28 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
- umsPortalListener:
+ umsPortalConsumer:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
- umsPortalListenerDependencies:
+ umsPortalConsumerDependencies:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
+ umsPortalConsumer:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
+ umsPortalConsumerDependencies:
limits:
cpu: 99
memory: "1Gi"
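Review bot: The added lines define `umsPortalConsumer:` and `umsPortalConsumerDependencies:` twice in this hunk, once as the rename of the two `umsPortalListener*` keys and again in the fourteen added lines that follow. Assuming both pairs sit at the same level under `resources:` (the indentation is not visible here), they are duplicate mapping keys, which YAML 1.2 does not allow; lenient parsers silently keep the last value and strict ones reject the file. Both pairs carry identical limits and requests, so the second looks like a copy-paste leftover: delete it, or rename it if it was meant for a different component. The `resources:` mapping starts before and continues past this hunk.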
@@ -555,7 +569,7 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
- umsSelfserviceListener:
+ umsSelfserviceConsumer:
limits:
cpu: 99
memory: "1Gi"
@@ -576,13 +590,6 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
- umsStackDataSwp:
- limits:
- cpu: 99
- memory: "1Gi"
- requests:
- cpu: 0.1
- memory: "256Mi"
umsStackGateway:
limits:
cpu: 99
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 657bdf8a..3d58934c 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,21 +34,19 @@ secrets:
systemAccounts:
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
- storeDavUsers:
- portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
- portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+ portalConsumer:
+ provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
+ selfserviceConsumer:
+ provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
provisioning:
- apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
- apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
- apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
- dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
- prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
- prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
- udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+ api:
+ adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+ natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+ prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+ udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
- dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
- udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
- udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+ prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+ udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
guardian:
udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
nats:
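Review bot: Every secret added in this hunk (`provisioningApiPassword` for `portalConsumer` and `selfserviceConsumer`, the new `api` entries, `prefillNatsPassword`, `udmTransformerNatsPassword`) is derived from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so a deployment where the variable is unset gets credentials that can be recomputed from the public repository. The context lines show the fallback is an existing convention rather than something this commit introduces, but the new entries are a good place to either fail closed with helmfile's `requiredEnv "MASTER_PASSWORD"` or document the intent with a comment such as `# MASTER_PASSWORD must be set outside disposable test setups; the fallback value is public.` Separately, `udmTransformerPassword` keeps the old `"udmproducer" "events_api"` seed while `udmTransformerNatsPassword` uses the new `"udmTransformer" "nats"` seed; a one-line comment saying which seeds were kept deliberately to preserve existing passwords would help the next maintainer. The `secrets:` mapping starts before and continues past this hunk.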
diff --git a/helmfile/environments/default/selinux.yaml b/helmfile/environments/default/selinux.yaml
index cf646226..c243fda2 100644
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -77,7 +77,7 @@ seLinuxOptions:
umsNotificationsApi: ~
umsOpenPolicyAgent: ~
umsPortalFrontend: ~
- umsPortalListener: ~
+ umsPortalConsumer: ~
umsPortalServer: ~
umsProvisioningDispatcher: ~
umsProvisioningEventsAndConsumerApi: ~
@@ -86,7 +86,7 @@ seLinuxOptions:
umsProvisioningNatsReloader: ~
umsProvisioningUdmListener: ~
umsSelfserviceInvitation: ~
- umsSelfserviceListener: ~
+ umsSelfserviceConsumer: ~
umsStackGateway: ~
umsStoreDav: ~
umsUdmRestApi: ~