sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): Update openDesk CI Lint to v2.3.1

Browse Source
This commit is contained in:
Dominik Kaminski
2024-02-01 15:46:55 +01:00
parent d2b1f0b07b
commit 250ef2bc3f
9 changed files with 213 additions and 295 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.gitlab/lint/lint-common.yml
View File

@@ -1,11 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
@sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
@sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\
@sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
.lint-common:
cache: {}

4
.gitlab/lint/lint-kyverno.yml
View File

@@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
@@ -27,7 +27,7 @@ lint-kyverno:
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
- "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
- "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "cd ${CI_PROJECT_DIR}/.kyverno"
- "kyverno test ."

279
.kyverno/_apps.yaml
View File

@@ -1,279 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- resource: "mariadb"
kind: "StatefulSet"
app: "services"
- resource: "postgresql"
kind: "StatefulSet"
app: "services"
- resource: "clamav-simple"
kind: "StatefulSet"
app: "services"
- resource: "redis-master"
kind: "StatefulSet"
app: "services"
- resource: "ums-store-dav"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-server"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-notifier"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-portal-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-selfservice-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-provisioning-nats"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-ui"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-authorization-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-open-policy-agent"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "open-xchange-core-mw-default"
kind: "StatefulSet"
app: "open-xchange"
- resource: "jitsi-prosody"
kind: "StatefulSet"
app: "jitsi"
- resource: "opendesk-synapse"
kind: "StatefulSet"
app: "element"
- resource: "xwiki"
kind: "StatefulSet"
app: "xwiki"
- resource: "ox-connector"
kind: "StatefulSet"
app: "provisioning"
- resource: "minio"
kind: "Deployment"
app: "services"
- resource: "cryptpad"
kind: "Deployment"
app: "cryptpad"
- resource: "memcached"
kind: "Deployment"
app: "services"
- resource: "postfix"
kind: "Deployment"
app: "services"
- resource: "ums-keycloak"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-stack-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-udm-rest-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-notifications-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-frontend"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-provisioning-nats-box"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-handler"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-proxy"
kind: "Deployment"
app: "univention-management-stack"
- resource: "intercom-service"
kind: "Deployment"
app: "intercom-service"
- resource: "dovecot"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-documentconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-guidedtours"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-imageconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-gotenberg"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware-updater"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-user-guide"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-guard-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-nextcloud-integration-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-public-sector-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "opendesk-nextcloud-apache2"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-exporter"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-php"
kind: "Deployment"
app: "nextcloud"
- resource: "collabora"
kind: "Deployment"
app: "collabora"
- resource: "jitsi-jibri"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jicofo"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jvb"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-web"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-opendesk-jitsi-keycloak-adapter"
kind: "Deployment"
app: "jitsi"
- resource: "opendesk-element"
kind: "Deployment"
app: "element"
- resource: "opendesk-well-known"
kind: "Deployment"
app: "element"
- resource: "opendesk-synapse-web"
kind: "Deployment"
app: "element"
- resource: "opendesk-matrix-user-verification-service"
kind: "Deployment"
app: "element"
- resource: "matrix-neoboard-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neochoice-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-bot"
kind: "Deployment"
app: "element"
- resource: "openproject-web"
kind: "Deployment"
app: "openproject"
- resource: "openproject-worker"
kind: "Deployment"
app: "openproject"
- resource: "mariadb-bootstrap"
kind: "Job"
app: "services"
- resource: "postgresql-bootstrap"
kind: "Job"
app: "services"
- resource: "minio-provisioning"
kind: "Job"
app: "services"
- resource: "ums-stack-data-ums-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-stack-data-swp-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-open-xchange-bootstrap"
kind: "Job"
app: "open-xchange"
- resource: "opendesk-nextcloud-management-1"
kind: "Job"
app: "nextcloud"
- resource: "jitsi-opendesk-jitsi"
kind: "Job"
app: "jitsi"
- resource: "opendesk-matrix-user-verification-service-bootstrap"
kind: "Job"
app: "element"
- resource: "matrix-neodatefix-bot-bootstrap"
kind: "Job"
app: "element"
- resource: "opendesk-openproject-bootstrap-bootstrap-1"
kind: "Job"
app: "openproject-bootstrap"
# # Has timestamp in resource name - not supported yet.
# - resource: "openproject-seeder-*"
# kind: "Job"
# - resource: "ums-store-dav-test-connection"
# kind: "Pod"
# - resource: "ums-udm-rest-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-server-test-connection"
# kind: "Pod"
# - resource: "ums-notifications-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-frontend-test-connection"
# kind: "Pod"
# - resource: "ums-provisioning-nats-test-request-reply"
# kind: "Pod"
# - resource: "ums-provisioning-provisioning-api-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-guidedtours-test-connection"
# kind: "Pod"
# - resource: "open-xchange-gotenberg-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-user-guide-test-connection"
# kind: "Pod"
# - resource: "open-xchange-guard-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-nextcloud-integration-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-public-sector-ui-test-connection"
# kind: "Pod"
# - resource: "jitsi-prosody-test-connection"
# kind: "Pod"
# - resource: "jitsi-web-test-connection"
# kind: "Pod"
# - resource: "openproject-test-connection"
# kind: "Pod"
...

117
.kyverno/policies/_policies.yaml
View File

@@ -5,51 +5,164 @@ pod:
- name: "require-tag-and-digest"
rule: "require-tag-and-digest"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-default-serviceaccount"
rule: "require-sa"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-imagepullsecrets"
rule: "require-imagepullsecrets"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-latest-tag"
rule: "validate-image-tag"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-imagepullpolicy-always"
rule: "require-imagepullpolicy-always"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-health-and-liveness-check"
rule: "require-health-and-liveness-check"
type: "required"
excludeKinds:
- "Job"
kinds:
- "StatefulSet"
- "Deployment"
- "Pod"
- "DaemonSet"
- name: "require-storage"
rule: "require-storageclass-pvc"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "require-storage"
rule: "require-storageclass-pod"
type: "required"
kinds:
- "StatefulSet"
- name: "require-storage"
rule: "require-storage-size-pvc"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "require-storage"
rule: "require-storage-size-pod"
type: "required"
kinds:
- "StatefulSet"
- name: "require-requests-limits"
rule: "validate-resources"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "restrict-image-registries"
rule: "validate-registries"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-ro-rootfs"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-no-privilege-escalation"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-all-capabilities-dropped"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-no-privileged"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-user"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-group"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-seccomp-profile"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-non-root"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
...

61
.kyverno/policies/require-storage.yaml Normal file
View File

@@ -0,0 +1,61 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-storage"
spec:
background: true
rules:
- match:
resources:
kinds:
- "StatefulSet"
name: "require-storageclass-pod"
validate:
message: "VolumeClaims inside pods need to have storageClass set when templated."
pattern:
spec:
(volumeClaimTemplates):
- spec:
storageClassName: "kyverno-test"
- match:
resources:
kinds:
- "PersistentVolumeClaim"
name: "require-storageclass-pvc"
validate:
message: "Persistent Volume Claim need to have storageClassName set when templated."
pattern:
spec:
storageClassName: "kyverno-test"
- match:
resources:
kinds:
- "StatefulSet"
name: "require-storage-size-pod"
validate:
message: "VolumeClaims inside pods need to have storageClass set when templated."
pattern:
spec:
(volumeClaimTemplates):
- spec:
resources:
requests:
storage: "42Gi"
- match:
resources:
kinds:
- "PersistentVolumeClaim"
name: "require-storage-size-pvc"
validate:
message: "Persistent Volume Claim need to have storageClassName set when templated."
pattern:
spec:
resources:
requests:
storage: "42Gi"
validationFailureAction: "audit"
...

2
helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -27,7 +27,7 @@ image:
persistence:
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext:
enabled: true

8
helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -45,11 +45,11 @@ ldapServer:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
sharedData:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
sharedRun:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext:

3
helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
View File

@@ -22,7 +22,8 @@ image:
{{- end }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
data:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
resources:

22
helmfile/environments/test/values.yaml.gotmpl
View File

@@ -5,4 +5,26 @@ SPDX-License-Identifier: Apache-2.0
---
global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
persistence:
storageClassNames:
RWX: "kyverno-test"
RWO: "kyverno-test"
size:
clamav: "42Gi"
dovecot: "42Gi"
mariadb: "42Gi"
matrixNeoDateFixBot: "42Gi"
minio: "42Gi"
postfix: "42Gi"
postgresql: "42Gi"
prosody: "42Gi"
redis: "42Gi"
synapse: "42Gi"
univentionManagementStack:
ldapServerData: "42Gi"
ldapServerShared: "42Gi"
portalListener: "42Gi"
selfserviceListener: "42Gi"
storeDav: "42Gi"
xwiki: "42Gi"
...