diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index 223ac430..4c2b0a9d 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -1103,9 +1103,7 @@ nubusStackDataUms:
 smtpStartTls: false
 ldapBase: {{ .Values.ldap.baseDn }}
 templateContext:
- initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
- initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
- initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
+ apps: {{ .Values.apps | toYaml | nindent 6 }}
 portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
 portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
 portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1118,9 +1116,10 @@ nubusStackDataUms:
 portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
 portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
 portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
+ portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
+ portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
+ oxDefaultContext: "1"
- componentEnabled:
- notes: {{ .Values.apps.notes.enabled }}
 ldapSearchUsers:
 {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
 - username: {{ printf "ldapsearch_%s" $username | quote }}
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 975cedd5..c2ca5f8c 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
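Review bot: `apps: {{ .Values.apps | toYaml | nindent 6 }}` in `templateContext` hands the whole `.Values.apps` tree to the stack-data templates, although the only field the rest of this change consumes is each app's `enabled` flag, so anything else an environment keeps under `.Values.apps` is now rendered into the UMS data as well. If the templates only need the toggles, projecting them explicitly keeps the context minimal; otherwise a comment such as `# whole apps tree is exposed: templates read <app>.enabled to decide which portal entries exist` should state what is read, since what the templates actually consume is not visible here. The three `initialPassword*` entries leave the context with no replacement in this diff, so confirm that the 1.10.0 templates no longer reference them — a template engine that renders missing keys as empty would otherwise produce empty initial passwords without any error. The enclosing `nubusStackDataUms` mapping starts before and ends after the hunk.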
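Review bot: `portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}` and the privacy-statement line render the URL unquoted, so the `"~"` opt-out documented in functional.yaml.gotmpl works only because a bare `~` is parsed as YAML null, while an empty value also becomes null and a URL containing ` #` or `: ` would corrupt the rendered document. If the unquoted form is deliberate, say so next to the lines, e.g. `# intentionally unquoted: the "~" sentinel must reach the template as YAML null`, so nobody later adds `| quote` and silently breaks the opt-out. `oxDefaultContext: "1"` is a hard-coded literal rather than a value reference, which is fine for the default but deserves a comment if OX contexts are ever meant to be configurable. The `templateContext` mapping continues beyond the hunk.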
@@ -22,31 +22,42 @@ cleanup:
 config:
 clientAccessRestrictions:
+ {{- if .Values.apps.element.enabled }}
 matrix:
 client: "opendesk-matrix"
 scope: "opendesk-matrix-scope"
 role: "opendesk-matrix-access-control"
 group: "managed-by-attribute-Livecollaboration"
+ {{- end }}
+ {{- if .Values.apps.jitsi.enabled }}
 jitsi:
 client: "opendesk-jitsi"
 scope: "opendesk-jitsi-scope"
 role: "opendesk-jitsi-access-control"
 group: "managed-by-attribute-Videoconference"
+ {{- end }}
+ {{- if .Values.apps.xwiki.enabled }}
 xwiki:
 client: "opendesk-xwiki"
 scope: "opendesk-xwiki-scope"
 role: "opendesk-xwiki-access-control"
 group: "managed-by-attribute-Knowledgemanagement"
+ {{- end }}
+ {{- if .Values.apps.openproject.enabled }}
 openproject:
 client: "opendesk-openproject"
 scope: "opendesk-openproject-scope"
 role: "opendesk-openproject-access-control"
 group: "managed-by-attribute-Projectmanagement"
+ {{- end }}
+ {{- if .Values.apps.nextcloud.enabled }}
 nextcloud:
 client: "opendesk-nextcloud"
 scope: "opendesk-nextcloud-scope"
 role: "opendesk-nextcloud-access-control"
 group: "managed-by-attribute-Fileshare"
+ {{- end }}
+ {{- if .Values.apps.oxAppSuite.enabled }}
 oxAppSuite:
 client: "opendesk-oxappsuite"
 scope: "opendesk-oxappsuite-scope"
@@ -57,6 +68,7 @@ config:
 scope: "opendesk-dovecot-scope"
 role: "opendesk-dovecot-access-control"
 group: "managed-by-attribute-Groupware"
+ {{- end }}
 {{- if .Values.apps.notes.enabled }}
 notes:
 client: "opendesk-notes"
@@ -65,8 +77,6 @@ config:
 group: "managed-by-attribute-Notes"
 {{- end }}
- componentEnabled:
- notes: {{ .Values.apps.notes.enabled }}
 custom:
 clientScopes: {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
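Review bot: The new `{{- if .Values.apps.<app>.enabled }}` guards remove an app's `clientAccessRestrictions` entry from the desired state when it is disabled, but nothing in this diff removes the client, scope, role or group an earlier bootstrap run already created; the hunk header shows a `cleanup:` section above this one, and whether it reconciles entries that disappear from this list is not visible here. If it does not, turning an app off leaves an orphaned confidential client with a live secret and an access-control role still present in the realm, which should either be handled by the cleanup section or stated above the block, e.g. `# NOTE: disabling an app here does not delete its client/role from Keycloak; see cleanup`. If every app can be disabled at once, `clientAccessRestrictions:` renders with no children and becomes YAML null, which the chart must tolerate. `config:` begins before the hunk and continues after it.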
@@ -88,13 +98,14 @@ config:
 twoFactorSettings:
 additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
 precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
- 'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
- 'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
- 'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
- 'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
- 'managed-by-attribute-Videoconference',
- 'managed-by-attribute-Groupware',
- 'managed-by-attribute-Notes' ]
+ {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+ {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+ {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+ {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+ {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+ {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+ {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+ ]
 opendesk: # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -105,6 +116,7 @@ config:
 protocol: "openid-connect"
 - name: "write_contacts"
 protocol: "openid-connect"
+ {{ if .Values.apps.openproject.enabled }}
 - name: "opendesk-openproject-scope"
 description: "Scope for the claims required by openDesk's OpenProject instance."
 protocol: "openid-connect"
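Review bot: The per-app branches spliced into the `precreateGroups` flow sequence depend on YAML accepting a trailing comma before `]` (the case when every app is off) and on whitespace-only lines inside a flow collection; both are valid, but seven `{{ if }}…{{ end }}` fragments inside one flow list read poorly and use the untrimmed form where `clientAccessRestrictions` earlier in this file uses `{{- if` / `{{- end }}`. Rewriting the list as a block sequence with one guarded entry per line removes the trailing-comma dependence and matches the rest of the file. The `twoFactorSettings` mapping starts before the hunk.
```yaml
      precreateGroups:
        - 'Domain Admins'
        - 'Domain Users'
        - '2fa-users'
        - 'IAM API - Full Access'
        {{- if .Values.apps.nextcloud.enabled }}
        - 'managed-by-attribute-Fileshare'
        - 'managed-by-attribute-FileshareAdmin'
        {{- end }}
        # … same guarded entries for xwiki, element, openproject, jitsi, oxAppSuite and notes …
```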
@@ -178,6 +190,8 @@ config:
 access.token.claim: true
 claim.name: "family_name"
 jsonType.label: "String"
+ {{ end }}
+ {{ if .Values.apps.jitsi.enabled }}
 - name: "opendesk-jitsi-scope"
 description: "Scope for the claims required by openDesk's Jitsi instance."
 protocol: "openid-connect"
@@ -225,6 +239,8 @@ config:
 access.token.claim: true
 claim.name: "email"
 jsonType.label: "String"
+ {{ end }}
+ {{ if .Values.apps.nextcloud.enabled }}
 - name: "opendesk-nextcloud-scope"
 description: "Scope for the claims required by openDesk's Nextcloud instance."
 protocol: "openid-connect"
@@ -274,6 +290,8 @@ config:
 access.token.claim: true
 claim.name: "context"
 jsonType.label: "String"
+ {{ end }}
+ {{ if .Values.apps.element.enabled }}
 - name: "opendesk-matrix-scope"
 description: "Scope for the claims required by openDesk's Matrix instance."
 protocol: "openid-connect"
@@ -321,6 +339,8 @@ config:
 access.token.claim: true
 claim.name: "email"
 jsonType.label: "String"
+ {{ end }}
+ {{ if .Values.apps.xwiki.enabled }}
 - name: "opendesk-xwiki-scope"
 description: "Scope for the claims required by openDesk's XWiki instance."
 protocol: "openid-connect"
@@ -368,6 +388,8 @@ config:
 access.token.claim: true
 claim.name: "email"
 jsonType.label: "String"
+ {{ end }}
+ {{ if .Values.apps.oxAppSuite.enabled }}
 - name: "opendesk-dovecot-scope"
 description: "Scope for the claims required by openDesk's Dovecot instance."
 protocol: "openid-connect"
@@ -431,7 +453,8 @@ config:
 access.token.claim: true
 claim.name: "opendesk_username"
 jsonType.label: "String"
-{{ if .Values.apps.notes.enabled }}
+ {{ end }}
+ {{ if .Values.apps.notes.enabled }}
 - name: "opendesk-notes-scope"
 description: "Scope for the claims required by openDesk's Notes instance."
 protocol: "openid-connect"
@@ -472,7 +495,7 @@ config:
 access.token.claim: true
 claim.name: "family_name"
 jsonType.label: "String"
-{{ end }}
+ {{ end }}
 clients:
 - name: "opendesk-intercom"
 clientId: "opendesk-intercom"
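Review bot: The `{{ if … }}` / `{{ end }}` guards added around each client scope (and the re-indented notes guard in the `-431` and `-472` hunks) use no whitespace trimming, so every disabled app leaves whitespace-only lines in the rendered values; that is harmless in block YAML, but the `clientAccessRestrictions` block at the top of this file already uses `{{- if` / `{{- end }}` for the same purpose, and using the trimmed form here would keep one convention per file. `opendesk-dovecot-scope` is gated on `.Values.apps.oxAppSuite.enabled` rather than on a Dovecot toggle; if that coupling is intended it deserves a comment such as `# Dovecot is only deployed together with OX App Suite, so it shares its toggle`. Each scope definition extends beyond its hunk.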
@@ -522,7 +545,7 @@ config:
 jsonType.label: "String"
 defaultClientScopes:
 - "offline_access"
-{{ if .Values.apps.notes.enabled }}
+ {{ if .Values.apps.notes.enabled }}
 - name: "opendesk-notes"
 clientId: "opendesk-notes"
 protocol: "openid-connect"
@@ -560,7 +583,8 @@ config:
 user.info.response.signature.alg: "RS256"
 defaultClientScopes:
 - "opendesk-notes-scope"
-{{ end }}
+ {{ end }}
+ {{ if .Values.apps.oxAppSuite.enabled }}
 - name: "opendesk-dovecot"
 clientId: "opendesk-dovecot"
 protocol: "openid-connect"
@@ -574,6 +598,28 @@ config:
 backchannel.logout.session.required: false
 defaultClientScopes:
 - "opendesk-dovecot-scope"
+ - name: "opendesk-oxappsuite"
+ clientId: "opendesk-oxappsuite"
+ protocol: "openid-connect"
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+ - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+ consentRequired: false
+ frontchannelLogout: false
+ publicClient: false
+ authorizationServicesEnabled: false
+ attributes:
+ backchannel.logout.session.required: true
+ backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+ post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+ defaultClientScopes:
+ - "opendesk-oxappsuite-scope"
+ - "read_contacts"
+ - "write_contacts"
+ {{ end }}
+ {{ if .Values.apps.jitsi.enabled }}
 - name: "opendesk-jitsi"
 clientId: "opendesk-jitsi"
 protocol: "openid-connect"
@@ -587,6 +633,8 @@ config:
 authorizationServicesEnabled: false
 defaultClientScopes:
 - "opendesk-jitsi-scope"
+ {{ end }}
+ {{ if .Values.apps.element.enabled }}
 - name: "opendesk-matrix"
 clientId: "opendesk-matrix"
 protocol: "openid-connect"
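Review bot: The `opendesk-oxappsuite` client added in the `-574` hunk is moved here verbatim (its old copy is removed in a later hunk), so the `redirectUris` entries ending in `/*` for both the OX host and the Nubus host, and the matching `post.logout.redirect.uris`, travel along unchanged. Wildcard redirect URIs are the usual way an authorization code ends up on an attacker-chosen page as soon as any open redirect or XSS exists under those hosts; since the block is being touched anyway, narrowing them to the exact callback paths (not visible in this diff) would be a worthwhile follow-up, or at minimum a `# TODO: narrow redirect URIs to the OIDC callback paths` comment. The neighbouring clients use the same `/*` pattern, so this is a file-wide point rather than a regression introduced by this commit.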
@@ -609,6 +657,8 @@ config:
 post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
 defaultClientScopes:
 - "opendesk-matrix-scope"
+ {{ end }}
+ {{ if .Values.apps.nextcloud.enabled }}
 - name: "opendesk-nextcloud"
 clientId: "opendesk-nextcloud"
 protocol: "openid-connect"
@@ -629,6 +679,8 @@ config:
 - "opendesk-nextcloud-scope"
 - "read_contacts"
 - "write_contacts"
+ {{ end }}
+ {{ if .Values.apps.openproject.enabled }}
 - name: "opendesk-openproject"
 clientId: "opendesk-openproject"
 protocol: "openid-connect"
@@ -648,26 +700,8 @@ config:
 post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
 defaultClientScopes:
 - "opendesk-openproject-scope"
- - name: "opendesk-oxappsuite"
- clientId: "opendesk-oxappsuite"
- protocol: "openid-connect"
- clientAuthenticatorType: "client-secret"
- secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
- redirectUris:
- - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
- consentRequired: false
- frontchannelLogout: false
- publicClient: false
- authorizationServicesEnabled: false
- attributes:
- backchannel.logout.session.required: true
- backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
- post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
- defaultClientScopes:
- - "opendesk-oxappsuite-scope"
- - "read_contacts"
- - "write_contacts"
+ {{ end }}
+ {{ if .Values.apps.xwiki.enabled }}
 - name: "opendesk-xwiki"
 clientId: "opendesk-xwiki"
 protocol: "openid-connect"
@@ -686,6 +720,7 @@ config:
 post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
 defaultClientScopes:
 - "opendesk-xwiki-scope"
+ {{ end }}
 containerSecurityContext:
 allowPrivilegeEscalation: false
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 459ab385..e8e173c1 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -333,7 +333,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
 name: "opendesk-keycloak-bootstrap"
- version: "2.2.3"
+ version: "2.3.0"
 verify: true
 opendeskStaticFiles:
 # providerCategory: "Platform"
diff --git a/helmfile/environments/default/functional.yaml.gotmpl b/helmfile/environments/default/functional.yaml.gotmpl
index 5ba53d34..9a3e11ab 100644
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -91,6 +91,11 @@ functional:
 # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
 # trigger the login flow, e.g. but clicking on the "Login" portal tile.
 enforceLogin: true
+ # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
+ linkLegalNotice: "https://opendesk.eu/impressum"
+ # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
+ linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+
 chat:
 matrix:
 profile:
diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl
index 25b92fa8..45b17483 100644
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -528,7 +528,7 @@ images:
 # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
- tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
+ tag: "1.10.0-trossner-selective-apps@sha256:630a845d493ed069dcbe425ef6c71b0b8ad2978a19f45139011f3e6eeb35d3e1"
 nubusOpenPolicyAgent:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
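Review bot: The new defaults `linkLegalNotice: "https://opendesk.eu/impressum"` and `linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"` point every deployment at the openDesk/ZenDiS pages unless an operator overrides them, which for any other operator means publishing someone else's legal notice and privacy statement in their own portal. The comments should say so explicitly, e.g. `# Replace with your organisation's legal notice; the default is openDesk's own and is not valid for other operators`. It is also worth stating that only the literal `"~"` hides the link, since the consuming template in values-nubus.yaml.gotmpl renders the value unquoted and an empty string is not guaranteed to be treated the same way as the resulting YAML null. The `functional.portal` mapping starts before the hunk.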
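Review bot: The nubus image tag `1.10.0-trossner-selective-apps` names what appears to be a personal feature-branch build, now pinned in the default environment for every deployment. The digest makes it immutable, but a branch build normally does not pass through the release process (review, signing, SBOM/scan) a tagged `1.10.0` would, and it will be hard to map to a changelog later. If this is meant as a temporary pin until a release is cut, a comment such as `# TEMPORARY: pre-release build for selective app support, replace with the 1.10.0 release` next to the tag would make that visible, in the style of the other annotations in this file.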
diff --git a/helmfile/environments/default/theme.yaml.gotmpl b/helmfile/environments/default/theme.yaml.gotmpl
index 35fda541..3c53520a 100644
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -90,7 +90,7 @@ theme:
 realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
 realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
 # empty.svg
- dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+ empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
 fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
 adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
 selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}