fix(nubus): Only configure apps that are deployed to show up in IAM admin UI and Keycloak

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1103,9 +1103,7 @@ nubusStackDataUms:
     smtpStartTls: false
     ldapBase: {{ .Values.ldap.baseDn }}
   templateContext:
-    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
+    apps: {{ .Values.apps | toYaml | nindent 6 }}
-    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
-    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
     portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
     portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
     portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1118,9 +1116,10 @@ nubusStackDataUms:
     portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
     portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
     portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
+    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
+    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
+
     oxDefaultContext: "1"
-    componentEnabled:
-      notes: {{ .Values.apps.notes.enabled }}
     ldapSearchUsers:
       {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
       - username: {{ printf "ldapsearch_%s" $username | quote }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -22,31 +22,42 @@ cleanup:
 
 config:
   clientAccessRestrictions:
+    {{- if .Values.apps.element.enabled }}
     matrix:
       client: "opendesk-matrix"
       scope: "opendesk-matrix-scope"
       role: "opendesk-matrix-access-control"
       group: "managed-by-attribute-Livecollaboration"
+    {{- end }}
+    {{- if .Values.apps.jitsi.enabled }}
     jitsi:
       client: "opendesk-jitsi"
       scope: "opendesk-jitsi-scope"
       role: "opendesk-jitsi-access-control"
       group: "managed-by-attribute-Videoconference"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
     xwiki:
       client: "opendesk-xwiki"
       scope: "opendesk-xwiki-scope"
       role: "opendesk-xwiki-access-control"
       group: "managed-by-attribute-Knowledgemanagement"
+    {{- end }}
+    {{- if .Values.apps.openproject.enabled }}
     openproject:
       client: "opendesk-openproject"
       scope: "opendesk-openproject-scope"
       role: "opendesk-openproject-access-control"
       group: "managed-by-attribute-Projectmanagement"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud:
       client: "opendesk-nextcloud"
       scope: "opendesk-nextcloud-scope"
       role: "opendesk-nextcloud-access-control"
       group: "managed-by-attribute-Fileshare"
+    {{- end }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
     oxAppSuite:
       client: "opendesk-oxappsuite"
       scope: "opendesk-oxappsuite-scope"
@@ -57,6 +68,7 @@ config:
       scope: "opendesk-dovecot-scope"
       role: "opendesk-dovecot-access-control"
       group: "managed-by-attribute-Groupware"
+    {{- end }}
     {{- if .Values.apps.notes.enabled }}
     notes:
       client: "opendesk-notes"
@@ -65,8 +77,6 @@ config:
       group: "managed-by-attribute-Notes"
     {{- end }}
 
-  componentEnabled:
-    notes: {{ .Values.apps.notes.enabled }}
   custom:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -88,13 +98,14 @@ config:
   twoFactorSettings:
     additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
   precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
+                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
-                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
+                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
-                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
+                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
-                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
+                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
-                     'managed-by-attribute-Videoconference',
+                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
-                     'managed-by-attribute-Groupware',
+                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
-                     'managed-by-attribute-Notes' ]
+                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                      ]
 
   opendesk:
     # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -105,6 +116,7 @@ config:
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject-scope"
         description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
@@ -178,6 +190,8 @@ config:
               access.token.claim: true
               claim.name: "family_name"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi-scope"
         description: "Scope for the claims required by openDesk's Jitsi instance."
         protocol: "openid-connect"
@@ -225,6 +239,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud-scope"
         description: "Scope for the claims required by openDesk's Nextcloud instance."
         protocol: "openid-connect"
@@ -274,6 +290,8 @@ config:
               access.token.claim: true
               claim.name: "context"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix-scope"
         description: "Scope for the claims required by openDesk's Matrix instance."
         protocol: "openid-connect"
@@ -321,6 +339,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki-scope"
         description: "Scope for the claims required by openDesk's XWiki instance."
         protocol: "openid-connect"
@@ -368,6 +388,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot-scope"
         description: "Scope for the claims required by openDesk's Dovecot instance."
         protocol: "openid-connect"
@@ -431,7 +453,8 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
-{{ if .Values.apps.notes.enabled }}
+      {{ end }}
+      {{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes-scope"
         description: "Scope for the claims required by openDesk's Notes instance."
         protocol: "openid-connect"
@@ -472,7 +495,7 @@ config:
               access.token.claim: true
               claim.name: "family_name"
               jsonType.label: "String"
-{{ end }}
+      {{ end }}
     clients:
       - name: "opendesk-intercom"
         clientId: "opendesk-intercom"
@@ -522,7 +545,7 @@ config:
               jsonType.label: "String"
         defaultClientScopes:
           - "offline_access"
-{{ if .Values.apps.notes.enabled }}
+      {{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes"
         clientId: "opendesk-notes"
         protocol: "openid-connect"
@@ -560,7 +583,8 @@ config:
           user.info.response.signature.alg: "RS256"
         defaultClientScopes:
           - "opendesk-notes-scope"
-{{ end }}
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
         protocol: "openid-connect"
@@ -574,6 +598,28 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -587,6 +633,8 @@ config:
         authorizationServicesEnabled: false
         defaultClientScopes:
           - "opendesk-jitsi-scope"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -609,6 +657,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-matrix-scope"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -629,6 +679,8 @@ config:
           - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject"
         clientId: "opendesk-openproject"
         protocol: "openid-connect"
@@ -648,26 +700,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-openproject-scope"
-      - name: "opendesk-oxappsuite"
+      {{ end }}
-        clientId: "opendesk-oxappsuite"
+      {{ if .Values.apps.xwiki.enabled }}
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
       - name: "opendesk-xwiki"
         clientId: "opendesk-xwiki"
         protocol: "openid-connect"
@@ -686,6 +720,7 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
+      {{ end }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/environments/default/charts.yaml.gotmpl

@@ -333,7 +333,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.2.3"
+    version: "2.3.0"
     verify: true
   opendeskStaticFiles:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml.gotmpl

@@ -91,6 +91,11 @@ functional:
     # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
     # trigger the login flow, e.g. but clicking on the "Login" portal tile.
     enforceLogin: true
+    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
+    linkLegalNotice: "https://opendesk.eu/impressum"
+    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
+    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+
   chat:
     matrix:
       profile:

helmfile/environments/default/images.yaml.gotmpl

@@ -528,7 +528,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
+    tag: "1.10.0-trossner-selective-apps@sha256:630a845d493ed069dcbe425ef6c71b0b8ad2978a19f45139011f3e6eeb35d3e1"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/environments/default/theme.yaml.gotmpl

@@ -90,7 +90,7 @@ theme:
       realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
       realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
       # empty.svg
-      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}