fix(ci): Update openDesk CI Lint to v2.3.1

Dominik Kaminski
2024-02-01 15:46:55 +01:00
parent d2b1f0b07b
commit 250ef2bc3f
9 changed files with 213 additions and 295 deletions


@@ -1,11 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
variables: variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\ OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\
@sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7" @sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\ OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a" @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
.lint-common: .lint-common:
cache: {} cache: {}


@@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
include: include:
@@ -27,7 +27,7 @@ lint-kyverno:
script: script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}" - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
- "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}" - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
- "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "cd ${CI_PROJECT_DIR}/.kyverno" - "cd ${CI_PROJECT_DIR}/.kyverno"
- "kyverno test ." - "kyverno test ."
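Review bot: The extended `generate-kyverno-tests` line now names `-f opendesk.yaml` explicitly, and the next line's `filter-for-kinds` rewrites that same file afterwards, so the generated tests and the manifest `kyverno test .` finally evaluates may be derived from different content; if that ordering is intended, state it above the line, e.g. `# Tests are generated from the full render; filter-for-kinds then prunes opendesk.yaml to the kinds the policies cover.` The meaning of `--skip-tests true` cannot be recovered from the job itself, and a lint step that appears to skip tests is the first thing a reader will question, so a one-line comment naming what is skipped belongs next to it. The `lint-kyverno` job starts outside the hunk.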


@@ -1,279 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- resource: "mariadb"
kind: "StatefulSet"
app: "services"
- resource: "postgresql"
kind: "StatefulSet"
app: "services"
- resource: "clamav-simple"
kind: "StatefulSet"
app: "services"
- resource: "redis-master"
kind: "StatefulSet"
app: "services"
- resource: "ums-store-dav"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-server"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-notifier"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-portal-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-selfservice-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-provisioning-nats"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-ui"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-authorization-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-open-policy-agent"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "open-xchange-core-mw-default"
kind: "StatefulSet"
app: "open-xchange"
- resource: "jitsi-prosody"
kind: "StatefulSet"
app: "jitsi"
- resource: "opendesk-synapse"
kind: "StatefulSet"
app: "element"
- resource: "xwiki"
kind: "StatefulSet"
app: "xwiki"
- resource: "ox-connector"
kind: "StatefulSet"
app: "provisioning"
- resource: "minio"
kind: "Deployment"
app: "services"
- resource: "cryptpad"
kind: "Deployment"
app: "cryptpad"
- resource: "memcached"
kind: "Deployment"
app: "services"
- resource: "postfix"
kind: "Deployment"
app: "services"
- resource: "ums-keycloak"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-stack-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-udm-rest-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-notifications-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-frontend"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-provisioning-nats-box"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-handler"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-proxy"
kind: "Deployment"
app: "univention-management-stack"
- resource: "intercom-service"
kind: "Deployment"
app: "intercom-service"
- resource: "dovecot"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-documentconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-guidedtours"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-imageconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-gotenberg"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware-updater"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-user-guide"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-guard-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-nextcloud-integration-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-public-sector-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "opendesk-nextcloud-apache2"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-exporter"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-php"
kind: "Deployment"
app: "nextcloud"
- resource: "collabora"
kind: "Deployment"
app: "collabora"
- resource: "jitsi-jibri"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jicofo"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jvb"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-web"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-opendesk-jitsi-keycloak-adapter"
kind: "Deployment"
app: "jitsi"
- resource: "opendesk-element"
kind: "Deployment"
app: "element"
- resource: "opendesk-well-known"
kind: "Deployment"
app: "element"
- resource: "opendesk-synapse-web"
kind: "Deployment"
app: "element"
- resource: "opendesk-matrix-user-verification-service"
kind: "Deployment"
app: "element"
- resource: "matrix-neoboard-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neochoice-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-bot"
kind: "Deployment"
app: "element"
- resource: "openproject-web"
kind: "Deployment"
app: "openproject"
- resource: "openproject-worker"
kind: "Deployment"
app: "openproject"
- resource: "mariadb-bootstrap"
kind: "Job"
app: "services"
- resource: "postgresql-bootstrap"
kind: "Job"
app: "services"
- resource: "minio-provisioning"
kind: "Job"
app: "services"
- resource: "ums-stack-data-ums-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-stack-data-swp-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-open-xchange-bootstrap"
kind: "Job"
app: "open-xchange"
- resource: "opendesk-nextcloud-management-1"
kind: "Job"
app: "nextcloud"
- resource: "jitsi-opendesk-jitsi"
kind: "Job"
app: "jitsi"
- resource: "opendesk-matrix-user-verification-service-bootstrap"
kind: "Job"
app: "element"
- resource: "matrix-neodatefix-bot-bootstrap"
kind: "Job"
app: "element"
- resource: "opendesk-openproject-bootstrap-bootstrap-1"
kind: "Job"
app: "openproject-bootstrap"
# # Has timestamp in resource name - not supported yet.
# - resource: "openproject-seeder-*"
# kind: "Job"
# - resource: "ums-store-dav-test-connection"
# kind: "Pod"
# - resource: "ums-udm-rest-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-server-test-connection"
# kind: "Pod"
# - resource: "ums-notifications-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-frontend-test-connection"
# kind: "Pod"
# - resource: "ums-provisioning-nats-test-request-reply"
# kind: "Pod"
# - resource: "ums-provisioning-provisioning-api-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-guidedtours-test-connection"
# kind: "Pod"
# - resource: "open-xchange-gotenberg-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-user-guide-test-connection"
# kind: "Pod"
# - resource: "open-xchange-guard-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-nextcloud-integration-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-public-sector-ui-test-connection"
# kind: "Pod"
# - resource: "jitsi-prosody-test-connection"
# kind: "Pod"
# - resource: "jitsi-web-test-connection"
# kind: "Pod"
# - resource: "openproject-test-connection"
# kind: "Pod"
...


@@ -5,51 +5,164 @@ pod:
- name: "require-tag-and-digest" - name: "require-tag-and-digest"
rule: "require-tag-and-digest" rule: "require-tag-and-digest"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-default-serviceaccount" - name: "disallow-default-serviceaccount"
rule: "require-sa" rule: "require-sa"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-imagepullsecrets" - name: "require-imagepullsecrets"
rule: "require-imagepullsecrets" rule: "require-imagepullsecrets"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-latest-tag" - name: "disallow-latest-tag"
rule: "validate-image-tag" rule: "validate-image-tag"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-imagepullpolicy-always" - name: "require-imagepullpolicy-always"
rule: "require-imagepullpolicy-always" rule: "require-imagepullpolicy-always"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-health-and-liveness-check" - name: "require-health-and-liveness-check"
rule: "require-health-and-liveness-check" rule: "require-health-and-liveness-check"
type: "required" type: "required"
excludeKinds: kinds:
- "Job" - "StatefulSet"
- "Deployment"
- "Pod"
- "DaemonSet"
- name: "require-storage"
rule: "require-storageclass-pvc"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "require-storage"
rule: "require-storageclass-pod"
type: "required"
kinds:
- "StatefulSet"
- name: "require-storage"
rule: "require-storage-size-pvc"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "require-storage"
rule: "require-storage-size-pod"
type: "required"
kinds:
- "StatefulSet"
- name: "require-requests-limits" - name: "require-requests-limits"
rule: "validate-resources" rule: "validate-resources"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "restrict-image-registries" - name: "restrict-image-registries"
rule: "validate-registries" rule: "validate-registries"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-ro-rootfs" rule: "require-ro-rootfs"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-no-privilege-escalation" rule: "require-no-privilege-escalation"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-all-capabilities-dropped" rule: "require-all-capabilities-dropped"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-no-privileged" rule: "require-no-privileged"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-run-as-user" rule: "require-run-as-user"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-run-as-group" rule: "require-run-as-group"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-seccomp-profile" rule: "require-seccomp-profile"
type: "required" type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext" - name: "require-containersecuritycontext"
rule: "require-run-as-non-root" rule: "require-run-as-non-root"
type: "optional" type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
... ...
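Review bot: The `require-health-and-liveness-check` entry replaces `excludeKinds: ["Job"]` with an explicit `kinds` list that merely omits `Job`, so the exemption is no longer visible as intent; add `# Jobs are deliberately omitted here (formerly excludeKinds).` above that `kinds:` line so the next person extending the list does not re-add it. The same five-entry `kinds` list is pasted verbatim into every other rule; if opendesk-ci-cli's YAML loader resolves aliases, one `&workload_kinds` anchor defined on the first entry would keep the lists from drifting, otherwise a comment at the top of the file stating that the lists are meant to be identical is the fallback. Every `require-containersecuritycontext` rule except `require-seccomp-profile` stays `type: "optional"` after this change; a short comment on why those remain advisory would help readers who expect the lint to enforce them.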


@@ -0,0 +1,61 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-storage"
spec:
background: true
rules:
- match:
resources:
kinds:
- "StatefulSet"
name: "require-storageclass-pod"
validate:
message: "VolumeClaims inside pods need to have storageClass set when templated."
pattern:
spec:
(volumeClaimTemplates):
- spec:
storageClassName: "kyverno-test"
- match:
resources:
kinds:
- "PersistentVolumeClaim"
name: "require-storageclass-pvc"
validate:
message: "Persistent Volume Claim need to have storageClassName set when templated."
pattern:
spec:
storageClassName: "kyverno-test"
- match:
resources:
kinds:
- "StatefulSet"
name: "require-storage-size-pod"
validate:
message: "VolumeClaims inside pods need to have storageClass set when templated."
pattern:
spec:
(volumeClaimTemplates):
- spec:
resources:
requests:
storage: "42Gi"
- match:
resources:
kinds:
- "PersistentVolumeClaim"
name: "require-storage-size-pvc"
validate:
message: "Persistent Volume Claim need to have storageClassName set when templated."
pattern:
spec:
resources:
requests:
storage: "42Gi"
validationFailureAction: "audit"
...
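Review bot: The `message` fields of `require-storage-size-pod` and `require-storage-size-pvc` are copied from the storageClass rules and describe the wrong check: each of those rules patterns on `resources.requests.storage`, not `storageClassName`, so a failing test prints a misleading reason. Change them to `message: "VolumeClaims inside pods need to have resources.requests.storage set when templated."` and `message: "Persistent Volume Claims need to have resources.requests.storage set when templated."` (the two storageClass messages also read `Claim need`, which should be `Claims need`). The pattern values `"kyverno-test"` and `"42Gi"` appear to be literal sentinels rather than a presence check, so the policy only passes when the chart renders exactly those test values; a comment on the `pattern:` lines saying so would stop a reader from assuming the policy validates arbitrary deployments.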


@@ -27,7 +27,7 @@ image:
persistence: persistence:
size: {{ .Values.persistence.size.postfix | quote }} size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext: podSecurityContext:
enabled: true enabled: true


@@ -45,11 +45,11 @@ ldapServer:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }} ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
persistence: persistence:
data: sharedData:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }} size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared: sharedRun:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }} size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext: securityContext:


@@ -22,8 +22,9 @@ image:
{{- end }} {{- end }}
persistence: persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} data:
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
resources: resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }} {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}


@@ -5,4 +5,26 @@ SPDX-License-Identifier: Apache-2.0
--- ---
global: global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace" imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
persistence:
storageClassNames:
RWX: "kyverno-test"
RWO: "kyverno-test"
size:
clamav: "42Gi"
dovecot: "42Gi"
mariadb: "42Gi"
matrixNeoDateFixBot: "42Gi"
minio: "42Gi"
postfix: "42Gi"
postgresql: "42Gi"
prosody: "42Gi"
redis: "42Gi"
synapse: "42Gi"
univentionManagementStack:
ldapServerData: "42Gi"
ldapServerShared: "42Gi"
portalListener: "42Gi"
selfserviceListener: "42Gi"
storeDav: "42Gi"
xwiki: "42Gi"
... ...
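Review bot: The `storageClassNames` and `size` values added under `persistence` all carry the same sentinel (`kyverno-test`, `42Gi`) and, judging from the rest of the commit, exist so that the new `require-storage` ClusterPolicy's literal patterns match the rendered charts; that coupling is invisible in this file. Add `# Sentinel values matched literally by the require-storage Kyverno policy; change both together.` above `persistence:`. Without it, someone tuning this test environment to realistic sizes would break the lint job for a non-obvious reason.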