sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(open-xchange): Enable ICAP and merge yaml and gotmpl files

Browse Source
This commit is contained in:
Thorsten Roßner
2024-01-06 13:15:45 +01:00
parent 5f5a65f59d
commit 306252da6f
10 changed files with 582 additions and 639 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -38,8 +38,7 @@ releases:
chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}" chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
version: "{{ .Values.charts.dovecot.version }}" version: "{{ .Values.charts.dovecot.version }}"
values: values:
- "values-dovecot.yaml" - "values-dovecot.yaml.gotmpl"
- "values-dovecot.gotmpl"
installed: {{ .Values.dovecot.enabled }} installed: {{ .Values.dovecot.enabled }}
timeout: 900 timeout: 900
@@ -47,10 +46,8 @@ releases:
chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}" chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
version: "{{ .Values.charts.openXchangeAppSuite.version }}" version: "{{ .Values.charts.openXchangeAppSuite.version }}"
values: values:
- "values-openxchange.yaml" - "values-openxchange.yaml.gotmpl"
- "values-openxchange.gotmpl" - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
- "values-openxchange-enterprise-contact-picker.yaml"
- "values-openxchange-enterprise-contact-picker.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }} installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900 timeout: 900
@@ -58,7 +55,7 @@ releases:
chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}" chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}" version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
values: values:
- "values-openxchange-bootstrap.gotmpl" - "values-openxchange-bootstrap.yaml.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }} installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900 timeout: 900

41
helmfile/apps/open-xchange/values-dovecot.yaml
View File

@@ -1,41 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "KILL"
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
- "SYS_CHROOT"
enabled: true
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
dovecot:
ldap:
enabled: true
port: 389
base: "dc=swp-ldap,dc=internal"
oidc:
enabled: true
clientID: "opendesk-dovecot"
usernameAttribute: "opendesk_username"
submission:
enabled: true
ssl: "no"
host: "postfix:25"
podSecurityContext:
enabled: true
fsGroup: 1000
...

40
helmfile/apps/open-xchange/values-dovecot.gotmpl → helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
View File

@@ -18,16 +18,28 @@ dovecot:
mailDomain: {{ .Values.global.domain | quote }} mailDomain: {{ .Values.global.domain | quote }}
password: {{ .Values.secrets.dovecot.doveadm | quote }} password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap: ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal" enabled: true
host: {{ .Values.ldap.host | quote }} host: {{ .Values.ldap.host | quote }}
port: 389
base: "dc=swp-ldap,dc=internal"
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
oidc: oidc:
enabled: true
clientID: "opendesk-dovecot"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect" introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }} usernameAttribute: "opendesk_username"
clientID: "opendesk-dovecot"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }} loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
submission:
enabled: true
ssl: "no"
host: "postfix:25"
certificate: certificate:
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -37,6 +49,28 @@ replicaCount: {{ .Values.replicas.dovecot }}
replicaCount: 1 replicaCount: 1
{{- end }} {{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "KILL"
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
- "SYS_CHROOT"
enabled: true
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 1000
persistence: persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }} {{- if .Values.cluster.persistence.readWriteMany.enabled }}
storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}

0
helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl → helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
View File

18
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
View File

@@ -1,18 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
appsuite:
core-mw:
secretYAMLFiles:
ldap-client-config.yml:
contactsLdapClient:
pool:
host:
address: {{ .Values.ldap.host | quote }}
port: 389
auth:
adminDN:
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
...

4
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml → helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
View File

@@ -16,10 +16,14 @@ appsuite:
contactsLdapClient: contactsLdapClient:
pool: pool:
type: "simple" type: "simple"
host:
address: {{ .Values.ldap.host | quote }}
port: 389
auth: auth:
type: "adminDN" type: "adminDN"
adminDN: adminDN:
dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal" dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
uiSettings: uiSettings:
# Enterprise contact picker # Enterprise contact picker

222
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -1,222 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
mysql:
host: {{ .Values.databases.oxAppsuite.host | quote }}
database: {{ .Values.databases.oxAppsuite.name | quote }}
auth:
user: {{ .Values.databases.oxAppsuite.username | quote }}
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
istio:
enabled: {{ .Values.istio.enabled }}
nextcloud-integration-ui:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
public-sector-ui:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
appsuite:
istio:
enabled: {{ .Values.istio.enabled }}
ingressGateway:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
virtualServices:
appsuite:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
dav:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
core-mw:
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
gotenberg:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
"com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
"com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
"com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
# RC+base64(20 random bytes)
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
core-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
core-ui-middleware:
ingress:
hosts:
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
resources:
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
updater:
resources:
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
core-documentconverter:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
core-guidedtours:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
core-imageconverter:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
guard-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
core-user-guide:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
...

347
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -1,347 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
appsuite:
appsuite-toolkit:
enabled: false
istio:
ingressGateway:
name: "opendesk-gateway-istio-gateway"
switchboard:
enabled: false
core-mw:
enabled: true
masterAdmin: "admin"
gotenberg:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: "RuntimeDefault"
features:
status:
# enable admin pack
# admin: enabled
documents: "disabled"
guard: "enabled"
packages:
status:
open-xchange-oidc: "enabled"
open-xchange-authentication-database: "disabled"
open-xchange-authentication-oauth: "enabled"
properties:
com.openexchange.UIWebPath: "/appsuite/"
com.openexchange.showAdmin: "false"
# PDF Export
com.openexchange.capability.mail_export_pdf: "true"
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
com.openexchange.mail.exportpdf.collabora.enabled: "true"
com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
com.openexchange.oidc.contextLookupClaim: "context"
com.openexchange.oidc.contextLookupNamePart: "full"
com.openexchange.oidc.backchannelLogoutEnabled: "true"
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.userLookupNamePart: "full"
com.openexchange.oidc.userLookupClaim: "opendesk_username"
com.openexchange.oidc.clientId: "opendesk-oxappsuite"
# OAUTH
com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
# MAIL
com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail"
com.openexchange.mail.mailServer: "dovecot"
com.openexchange.mail.mailServerSource: "global"
com.openexchange.mail.transport.authType: "xoauth2"
com.openexchange.mail.transportServer: "postfix"
com.openexchange.mail.transportServerSource: "global"
# Mailfilter
com.openexchange.mail.filter.loginType: "global"
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
# New capabilities in 2.0
com.openexchange.capability.public-sector-element: "true"
com.openexchange.capability.public-sector-navigation: "true"
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
# Nextcloud integration
com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
# GDPR
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
# http = (await import('./io.ox/core/http.js')).default
# await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
com.openexchange.smime.test: "true"
# Other
com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
propertiesFiles:
/opt/open-xchange/etc/AdminDaemon.properties:
MASTER_ACCOUNT_OVERRIDE: "true"
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
bindOnly: "false"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Show the Enterprise Picker in the top right corner instead of the launcher drop-down
io.ox/core//features/enterprisePicker/showLauncher: "false"
io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
# Text and icon color in the topbar
io.ox/dynamic-theme//topbarColor: "#000"
io.ox/dynamic-theme//logoWidth: "82"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
# Resources
io.ox/core//features/resourceCalendars: "true"
io.ox/core//features/managedResources: "true"
# Categories
io.ox/core//features/categories: "true"
io.ox/core//categories/predefined: >
[{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
# Nextcloud integration
# io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
# Central navigation
io.ox.public-sector//navigation/oxtabname: "tab_groupware"
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Mail templates
io.ox/core//features/templates: "true"
# Contact Collector
io.ox/mail//contactCollectOnMailTransport: "true"
# io.ox/mail//contactCollectOnMailAccess: "true"
asConfig:
default:
host: "all"
pageHeaderPrefix: "as8.souvap App Suite"
oidcLogin: true
oidcPath: "/oidc"
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
# Security context for core-mw has no effect yet
# podSecurityContext: {}
# securityContext: {}
core-ui:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-ui-middleware:
enabled: true
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-guidedtours:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
guard-ui:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-cacheservice:
enabled: false
core-user-guide:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-imageconverter:
enabled: true
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
core-spellcheck:
enabled: false
core-documentconverter:
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
core-documents-collaboration:
enabled: false
office-web:
enabled: false
office-user-guide:
enabled: false
plugins-ui:
enabled: false
cloud-plugins-ui:
enabled: false
drive-client-windows-ox:
enabled: false
core-drive-help:
enabled: false
nextcloud-integration-ui:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
public-sector-ui:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
...

536
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl Normal file
View File

@@ -0,0 +1,536 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
mysql:
host: {{ .Values.databases.oxAppsuite.host | quote }}
database: {{ .Values.databases.oxAppsuite.name | quote }}
auth:
user: {{ .Values.databases.oxAppsuite.username | quote }}
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
istio:
enabled: {{ .Values.istio.enabled }}
nextcloud-integration-ui:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
public-sector-ui:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
appsuite:
appsuite-toolkit:
enabled: false
switchboard:
enabled: false
istio:
enabled: {{ .Values.istio.enabled }}
ingressGateway:
name: "opendesk-gateway-istio-gateway"
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
virtualServices:
appsuite:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
dav:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
core-mw:
enabled: true
asConfig:
default:
host: "all"
pageHeaderPrefix: "as8.souvap App Suite"
oidcLogin: true
oidcPath: "/oidc"
masterAdmin: "admin"
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
features:
status:
# enable admin pack
# admin: enabled
documents: "disabled"
guard: "enabled"
gotenberg:
enabled: true
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: "RuntimeDefault"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
packages:
status:
open-xchange-oidc: "enabled"
open-xchange-authentication-database: "disabled"
open-xchange-authentication-oauth: "enabled"
properties:
com.openexchange.UIWebPath: "/appsuite/"
com.openexchange.showAdmin: "false"
# PDF Export
com.openexchange.capability.mail_export_pdf: "true"
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
com.openexchange.mail.exportpdf.collabora.enabled: "true"
com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
com.openexchange.oidc.backchannelLogoutEnabled: "true"
com.openexchange.oidc.clientId: "opendesk-oxappsuite"
com.openexchange.oidc.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
com.openexchange.oidc.contextLookupClaim: "context"
com.openexchange.oidc.contextLookupNamePart: "full"
com.openexchange.oidc.opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
com.openexchange.oidc.opIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.userLookupClaim: "opendesk_username"
com.openexchange.oidc.userLookupNamePart: "full"
# OAUTH
com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
# MAIL
com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail"
com.openexchange.mail.mailServer: "dovecot"
com.openexchange.mail.mailServerSource: "global"
com.openexchange.mail.transport.authType: "xoauth2"
com.openexchange.mail.transportServer: "postfix"
com.openexchange.mail.transportServerSource: "global"
# Mailfilter
com.openexchange.mail.filter.loginType: "global"
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
# New capabilities in 2.0
com.openexchange.capability.public-sector-element: "true"
com.openexchange.capability.public-sector-navigation: "true"
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
# Nextcloud integration
com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
# GDPR
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
# http = (await import('./io.ox/core/http.js')).default
# await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
com.openexchange.smime.test: "true"
# Other
com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
propertiesFiles:
/opt/open-xchange/etc/AdminDaemon.properties:
MASTER_ACCOUNT_OVERRIDE: "true"
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
bindOnly: "false"
/opt/open-xchange/etc/antivirus.properties:
com.openexchange.antivirus.enabled: "true"
{{- if .Values.clamavDistributed.enabled }}
com.openexchange.antivirus.server: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }}
com.openexchange.antivirus.server: "clamav-simple"
{{- end }}
com.openexchange.antivirus.port: "1344"
com.openexchange.antivirus.maxFileSize: "1024"
uiSettings:
io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Show the Enterprise Picker in the top right corner instead of the launcher drop-down
io.ox/core//features/enterprisePicker/showLauncher: "false"
io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
# Text and icon color in the topbar
io.ox/dynamic-theme//topbarColor: "#000"
io.ox/dynamic-theme//logoWidth: "82"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
# Resources
io.ox/core//features/resourceCalendars: "true"
io.ox/core//features/managedResources: "true"
# Categories
io.ox/core//features/categories: "true"
io.ox/core//categories/predefined: >
[{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
# Nextcloud integration
# io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
# Central navigation
io.ox.public-sector//navigation/oxtabname: "tab_groupware"
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Mail templates
io.ox/core//features/templates: "true"
# Contact Collector
io.ox/mail//contactCollectOnMailTransport: "true"
# io.ox/mail//contactCollectOnMailAccess: "true"
# Dynamic theme
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
# RC+base64(20 random bytes)
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
auth:
password: {{ .Values.secrets.redis.password | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Security context for core-mw has no effect yet
# podSecurityContext: {}
# securityContext: {}
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
core-ui:
enabled: true
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-ui-middleware:
enabled: true
ingress:
hosts:
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
password: {{ .Values.secrets.redis.password | quote }}
resources:
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
updater:
resources:
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-cacheservice:
enabled: false
core-documentconverter:
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
core-documents-collaboration:
enabled: false
office-web:
enabled: false
office-user-guide:
enabled: false
plugins-ui:
enabled: false
cloud-plugins-ui:
enabled: false
drive-client-windows-ox:
enabled: false
core-drive-help:
enabled: false
core-guidedtours:
enabled: true
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-imageconverter:
enabled: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
guard-ui:
enabled: true
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-spellcheck:
enabled: false
core-user-guide:
enabled: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
...

2
helmfile/environments/default/charts.yaml
View File

@@ -383,7 +383,7 @@ charts:
registry: "registry.opencode.de" registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize" repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize" name: "opendesk-otterize"
version: "1.5.0" version: "1.6.0"
verify: true verify: true
# @supplier: "openDesk" # @supplier: "openDesk"