diff --git a/helmfile/apps/open-xchange/helmfile.yaml b/helmfile/apps/open-xchange/helmfile.yaml
index 36ef1644..b99c7cb6 100644
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -38,8 +38,7 @@ releases:
chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
version: "{{ .Values.charts.dovecot.version }}"
values:
- - "values-dovecot.yaml"
- - "values-dovecot.gotmpl"
+ - "values-dovecot.yaml.gotmpl"
installed: {{ .Values.dovecot.enabled }}
timeout: 900
@@ -47,10 +46,8 @@ releases:
chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
version: "{{ .Values.charts.openXchangeAppSuite.version }}"
values:
- - "values-openxchange.yaml"
- - "values-openxchange.gotmpl"
- - "values-openxchange-enterprise-contact-picker.yaml"
- - "values-openxchange-enterprise-contact-picker.gotmpl"
+ - "values-openxchange.yaml.gotmpl"
+ - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
@@ -58,7 +55,7 @@ releases:
chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
values:
- - "values-openxchange-bootstrap.gotmpl"
+ - "values-openxchange-bootstrap.yaml.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml b/helmfile/apps/open-xchange/values-dovecot.yaml
deleted file mode 100644
index 32694130..00000000
--- a/helmfile/apps/open-xchange/values-dovecot.yaml
+++ /dev/null
@@ -1,41 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "KILL" - - "NET_BIND_SERVICE" - - "SETGID" - - "SETUID" - - "SYS_CHROOT" - enabled: true - readOnlyRootFilesystem: true - seccompProfile: - type: "RuntimeDefault" - -dovecot: - ldap: - enabled: true - port: 389 - base: "dc=swp-ldap,dc=internal" - - oidc: - enabled: true - clientID: "opendesk-dovecot" - usernameAttribute: "opendesk_username" - - submission: - enabled: true - ssl: "no" - host: "postfix:25" - -podSecurityContext: - enabled: true - fsGroup: 1000 -... diff --git a/helmfile/apps/open-xchange/values-dovecot.gotmpl b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl similarity index 78% rename from helmfile/apps/open-xchange/values-dovecot.gotmpl rename to helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl index 878e1e70..1386f6e7 100644 --- a/helmfile/apps/open-xchange/values-dovecot.gotmpl +++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl 
@@ -18,16 +18,28 @@ dovecot:
mailDomain: {{ .Values.global.domain | quote }}
password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap:
- dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+ enabled: true
host: {{ .Values.ldap.host | quote }}
+ port: 389
+ base: "dc=swp-ldap,dc=internal"
+ dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
oidc:
+ enabled: true
+ clientID: "opendesk-dovecot"
+ clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
- clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
- clientID: "opendesk-dovecot"
+ usernameAttribute: "opendesk_username"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
+ submission:
+ enabled: true
+ ssl: "no"
+ host: "postfix:25"
+
+
+
certificate:
secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -37,6 +49,28 @@ replicaCount: {{ .Values.replicas.dovecot }}
replicaCount: 1
{{- end }}
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "KILL"
+ - "NET_BIND_SERVICE"
+ - "SETGID"
+ - "SETUID"
+ - "SYS_CHROOT"
+ enabled: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
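Review bot: The `submission:` block added under `dovecot:` relays mail to `postfix:25` with `ssl: "no"`, and the `ldap:` block now binds as `uid=ldapsearch_dovecot` over `port: 389` with no TLS setting, so the bind password and outgoing mail cross the wire unencrypted unless something outside this file protects the hop. Both targets look cluster-internal and the repository references Istio, so mesh mTLS may cover this, but the values file should either enable STARTTLS/ldaps (if the chart exposes such a key) or state why plaintext is acceptable, e.g. `# plaintext by design: in-cluster hop to postfix/LDAP, relies on mesh transport protection — confirm before exposing either service outside the cluster`. The three empty lines added after `host: "postfix:25"` should also go; one blank line before `certificate:` is enough. The enclosing `dovecot:` mapping starts before this hunk.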
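Review bot: The new `containerSecurityContext` adds `DAC_OVERRIDE` alongside `CHOWN`, `SETUID`, `SETGID` and `SYS_CHROOT` and sets no `runAsUser`/`runAsNonRoot`, so the container presumably starts as root and `DAC_OVERRIDE` lets it bypass every file-permission check on the mounted mail volume; nothing in the hunk says whether that capability is actually required. A short justification next to the `add:` list would keep future readers from silently widening it, e.g. `# Dovecot's master runs as root, chroots login processes and drops to per-service users; review DAC_OVERRIDE — drop it if fsGroup/ownership setup no longer needs it`. The `enabled: true` flag placed after the capability list is also easy to overlook; moving it to the top of the block matches the `podSecurityContext` block below it.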
diff --git a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl similarity index 100% rename from helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl rename to helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl diff --git a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl deleted file mode 100644 index 5cde5f0a..00000000 --- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -appsuite: - core-mw: - secretYAMLFiles: - ldap-client-config.yml: - contactsLdapClient: - pool: - host: - address: {{ .Values.ldap.host | quote }} - port: 389 - auth: - adminDN: - password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }} -... diff --git a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl similarity index 99% rename from helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml rename to helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl index 1d10265e..b2195f9b 100644 --- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml +++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl 
@@ -16,10 +16,14 @@ appsuite:
contactsLdapClient:
pool:
type: "simple"
+ host:
+ address: {{ .Values.ldap.host | quote }}
+ port: 389
auth:
type: "adminDN"
adminDN:
dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+ password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
uiSettings: # Enterprise contact picker
diff --git a/helmfile/apps/open-xchange/values-openxchange.gotmpl b/helmfile/apps/open-xchange/values-openxchange.gotmpl
deleted file mode 100644
index 99e336a9..00000000
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ /dev/null
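Review bot: The new `host:` block points the enterprise contact picker's LDAP pool at `port: 389` with no TLS option, while the `adminDN` bind now carries a real password from `.Values.secrets.univentionManagementStack.ldapSearch.ox`, so that admin credential is sent in the clear unless the in-cluster path is encrypted elsewhere. If the OX `contactsLdapClient` configuration supports ldaps/STARTTLS, enable it here; otherwise document the assumption, e.g. `# plaintext LDAP: in-cluster hop to the UMS directory — confirm mesh/network protection`. The `389` port and the `dc=swp-ldap,dc=internal` base are now hard-coded both here and in the dovecot values of this same commit; a shared `.Values.ldap.port` / `.Values.ldap.baseDn` would keep them in sync. The surrounding `appsuite:` mapping starts before this hunk.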
@@ -1,222 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -global: - hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - mysql: - host: {{ .Values.databases.oxAppsuite.host | quote }} - database: {{ .Values.databases.oxAppsuite.name | quote }} - auth: - user: {{ .Values.databases.oxAppsuite.username | quote }} - password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }} - rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }} - -istio: - enabled: {{ .Values.istio.enabled }} - -nextcloud-integration-ui: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }} - repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }} - tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - resources: - {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }} - -public-sector-ui: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }} - repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }} - tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - resources: - {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }} - -appsuite: - istio: - enabled: {{ .Values.istio.enabled }} - ingressGateway: - hosts: - - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - virtualServices: - appsuite: - hosts: - - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - dav: - hosts: - - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - - core-mw: - masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} - hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - gotenberg: - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - image: - repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}" - tag: {{ .Values.images.openxchangeGotenberg.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - resources: - {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }} - properties: - "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs" - "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}" - "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" - "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} - "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain 
}}/appsuite/api/oidc/auth" - "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth" - "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" - "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}" - "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs" - "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} - "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout" - "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout" - "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - secretProperties: - com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }} - com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }} - com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }} - propertiesFiles: - "/opt/open-xchange/etc/ldapauth.properties": - bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }} - java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal" - uiSettings: - "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" - 
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" - # Dynamic theme - io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }} - io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" - io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }} - io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }} - io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }} - io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }} - io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }} - io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }} - io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }} - secretETCFiles: - # Format of the OX Guard master key: - # MC+base64(20 random bytes) - # RC+base64(20 random bytes) - oxguardpass: | - {{ .Values.secrets.oxAppsuite.oxguardMC }} - {{ .Values.secrets.oxAppsuite.oxguardRC }} - redis: - auth: - password: {{ .Values.secrets.redis.password | quote }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }} - repository: {{ .Values.images.openxchangeCoreMW.repository | quote }} - tag: {{ .Values.images.openxchangeCoreMW.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - update: - image: - repository: {{ .Values.images.openxchangeCoreMW.repository | quote }} - tag: {{ .Values.images.openxchangeCoreMW.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - resources: - {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }} - - core-ui: - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }} - repository: {{ .Values.images.openxchangeCoreUI.repository | quote }} - tag: {{ .Values.images.openxchangeCoreUI.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - resources: - {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }} - - core-ui-middleware: - ingress: - hosts: - - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" - enabled: false - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }} - repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }} - tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - redis: - auth: - password: {{ .Values.secrets.redis.password | quote }} - resources: - {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }} - updater: - resources: - {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }} - - core-documentconverter: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }} - repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }} - tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }} - resources: - {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }} - - core-guidedtours: - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
| quote }} - {{- end }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }} - repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }} - tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - resources: - {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }} - - core-imageconverter: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }} - repository: {{ .Values.images.openxchangeImageConverter.repository | quote }} - tag: {{ .Values.images.openxchangeImageConverter.tag | quote }} - resources: - {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }} - - guard-ui: - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - image: - repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}" - tag: {{ .Values.images.openxchangeGuardUI.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - resources: - {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }} - - core-user-guide: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }} - repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }} - tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - resources: - {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }} -... 
diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml b/helmfile/apps/open-xchange/values-openxchange.yaml deleted file mode 100644 index d1adb928..00000000 --- a/helmfile/apps/open-xchange/values-openxchange.yaml +++ /dev/null 
@@ -1,347 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -appsuite: - appsuite-toolkit: - enabled: false - istio: - ingressGateway: - name: "opendesk-gateway-istio-gateway" - - switchboard: - enabled: false - - core-mw: - enabled: true - masterAdmin: "admin" - gotenberg: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1001 - seccompProfile: - type: "RuntimeDefault" - features: - status: - # enable admin pack - # admin: enabled - documents: "disabled" - guard: "enabled" - packages: - status: - open-xchange-oidc: "enabled" - open-xchange-authentication-database: "disabled" - open-xchange-authentication-oauth: "enabled" - properties: - com.openexchange.UIWebPath: "/appsuite/" - com.openexchange.showAdmin: "false" - # PDF Export - com.openexchange.capability.mail_export_pdf: "true" - com.openexchange.mail.exportpdf.gotenberg.enabled: "true" - com.openexchange.mail.exportpdf.collabora.enabled: "true" - com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true" - com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980" - com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000" - # OIDC - com.openexchange.oidc.enabled: "true" - com.openexchange.oidc.autologinCookieMode: "ox_direct" - com.openexchange.oidc.contextLookupClaim: "context" - com.openexchange.oidc.contextLookupNamePart: "full" - com.openexchange.oidc.backchannelLogoutEnabled: "true" - com.openexchange.oidc.startDefaultBackend: "true" - com.openexchange.oidc.ssoLogout: "true" - com.openexchange.oidc.userLookupNamePart: "full" - com.openexchange.oidc.userLookupClaim: "opendesk_username" - com.openexchange.oidc.clientId: "opendesk-oxappsuite" - # OAUTH - com.openexchange.oauth.provider.enabled: "true" - 
com.openexchange.oauth.provider.contextLookupClaim: "context" - com.openexchange.oauth.provider.contextLookupNamePart: "full" - com.openexchange.oauth.provider.mode: "expect_jwt" - com.openexchange.oauth.provider.userLookupNamePart: "full" - com.openexchange.oauth.provider.userLookupClaim: "opendesk_username" - com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite" - # MAIL - com.openexchange.mail.authType: "xoauth2" - com.openexchange.mail.loginSource: "mail" - com.openexchange.mail.mailServer: "dovecot" - com.openexchange.mail.mailServerSource: "global" - com.openexchange.mail.transport.authType: "xoauth2" - com.openexchange.mail.transportServer: "postfix" - com.openexchange.mail.transportServerSource: "global" - # Mailfilter - com.openexchange.mail.filter.loginType: "global" - com.openexchange.mail.filter.credentialSource: "mail" - com.openexchange.mail.filter.server: "dovecot" - com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2" - # Dovecot - com.openexchange.imap.attachmentMarker.enabled: "true" - # Capabilities - # Old capability can be used to toggle all integrations with a single switch - com.openexchange.capability.public-sector: "true" - # New capabilities in 2.0 - com.openexchange.capability.public-sector-element: "true" - com.openexchange.capability.public-sector-navigation: "true" - com.openexchange.capability.client-onboarding: "true" - com.openexchange.capability.dynamic-theme: "true" - com.openexchange.capability.filestorage_nextcloud: "true" - com.openexchange.capability.filestorage_nextcloud_oauth: "true" - com.openexchange.capability.guard: "true" - com.openexchange.capability.guard-mail: "true" - com.openexchange.capability.smime: "true" - com.openexchange.capability.share_links: "false" - com.openexchange.capability.invite_guests: "false" - com.openexchange.capability.document_preview: "true" - # Secondary Accounts - com.openexchange.mail.secondary.authType: "XOAUTH2" - com.openexchange.mail.transport.secondary.authType: 
"xoauth2" - # Nextcloud integration - com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/" - com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user" - com.openexchange.nextcloud.filepicker.includeAccessToken: "false" - # GDPR - com.openexchange.gdpr.dataexport.enabled: "false" - com.openexchange.gdpr.dataexport.active: "false" - # Guard - com.openexchange.guard.storage.file.fileStorageType: "file" - com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/" - com.openexchange.guard.guestSMTPServer: "postfix" - # S/MIME - # Usage (in browser console after login): - # http = (await import('./io.ox/core/http.js')).default - # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } }) - com.openexchange.smime.test: "true" - # Other - com.openexchange.secret.secretSource: "\" + '@' + + '/' + \"" - propertiesFiles: - /opt/open-xchange/etc/AdminDaemon.properties: - MASTER_ACCOUNT_OVERRIDE: "true" - /opt/open-xchange/etc/system.properties: - SERVER_NAME: "oxserver" - /opt/open-xchange/etc/ldapauth.properties: - bindOnly: "false" - bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal" - - uiSettings: - # Show the Enterprise Picker in the top right corner instead of the launcher drop-down - io.ox/core//features/enterprisePicker/showLauncher: "false" - io.ox/core//features/enterprisePicker/showTopRightLauncher: "true" - # Text and icon color in the topbar - io.ox/dynamic-theme//topbarColor: "#000" - io.ox/dynamic-theme//logoWidth: "82" - io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)" - # Resources - io.ox/core//features/resourceCalendars: "true" - io.ox/core//features/managedResources: "true" - # Categories - io.ox/core//features/categories: "true" - io.ox/core//categories/predefined: > - [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }] - # Nextcloud integration - # io.ox.nextcloud//server: "https://ics./fs/" - # Central 
navigation - io.ox.public-sector//navigation/oxtabname: "tab_groupware" - # io.ox.public-sector//ics/url: "https://ics./" - io.ox/core//apps/quickLaunchCount: "0" - io.ox/core//coloredIcons: "false" - # Mail templates - io.ox/core//features/templates: "true" - # Contact Collector - io.ox/mail//contactCollectOnMailTransport: "true" - # io.ox/mail//contactCollectOnMailAccess: "true" - - asConfig: - default: - host: "all" - pageHeaderPrefix: "as8.souvap App Suite" - oidcLogin: true - oidcPath: "/oidc" - - redis: - enabled: true - mode: "standalone" - hosts: - - "redis-master" - - hooks: - beforeAppsuiteStart: - create-guard-dir.sh: | - mkdir -p /opt/open-xchange/guard-files - chown open-xchange:open-xchange /opt/open-xchange/guard-files - - # Security context for core-mw has no effect yet - # podSecurityContext: {} - # securityContext: {} - - core-ui: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - - core-ui-middleware: - enabled: true - overrides: {} - redis: - mode: "standalone" - hosts: - - "redis-master:6379" - auth: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - - core-guidedtours: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - - guard-ui: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - - core-cacheservice: - enabled: 
false - - core-user-guide: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - - core-imageconverter: - enabled: true - objectCache: - s3ObjectStores: - - id: -1 - endpoint: "." - accessKey: "." - secretKey: "." - podSecurityContext: - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 987 - seccompProfile: - type: "RuntimeDefault" - securityContext: - # missing: - # readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - - core-spellcheck: - enabled: false - - core-documentconverter: - enabled: true - documentConverter: - cache: - remoteCache: - enabled: false - podSecurityContext: - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 987 - seccompProfile: - type: "RuntimeDefault" - securityContext: - # missing: - # readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - - core-documents-collaboration: - enabled: false - office-web: - enabled: false - office-user-guide: - enabled: false - plugins-ui: - enabled: false - cloud-plugins-ui: - enabled: false - drive-client-windows-ox: - enabled: false - core-drive-help: - enabled: false - -nextcloud-integration-ui: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - -public-sector-ui: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" -... diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl new file mode 100644 index 00000000..2aa6895d 
--- /dev/null +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl 
@@ -0,0 +1,536 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+ mysql:
+ host: {{ .Values.databases.oxAppsuite.host | quote }}
+ database: {{ .Values.databases.oxAppsuite.name | quote }}
+ auth:
+ user: {{ .Values.databases.oxAppsuite.username | quote }}
+ password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+ rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+
+istio:
+ enabled: {{ .Values.istio.enabled }}
+
+nextcloud-integration-ui:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
+ repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
+ tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+ resources:
+ {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ readOnlyRootFilesystem: true
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+
+public-sector-ui:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
+ repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
+ tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
| quote }} + {{- end }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + resources: + {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + +appsuite: + appsuite-toolkit: + enabled: false + switchboard: + enabled: false + istio: + enabled: {{ .Values.istio.enabled }} + ingressGateway: + name: "opendesk-gateway-istio-gateway" + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + virtualServices: + appsuite: + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + dav: + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + core-mw: + enabled: true + asConfig: + default: + host: "all" + pageHeaderPrefix: "as8.souvap App Suite" + oidcLogin: true + oidcPath: "/oidc" + masterAdmin: "admin" + masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} + hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + features: + status: + # enable admin pack + # admin: enabled + documents: "disabled" + guard: "enabled" + gotenberg: + enabled: true + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + image: + repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}" + tag: {{ .Values.images.openxchangeGotenberg.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + resources: + {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: "RuntimeDefault" + hooks: + beforeAppsuiteStart: + create-guard-dir.sh: | + mkdir -p /opt/open-xchange/guard-files + chown open-xchange:open-xchange /opt/open-xchange/guard-files + packages: + status: + open-xchange-oidc: "enabled" + open-xchange-authentication-database: "disabled" + open-xchange-authentication-oauth: "enabled" + properties: + com.openexchange.UIWebPath: "/appsuite/" + com.openexchange.showAdmin: "false" + # PDF Export + com.openexchange.capability.mail_export_pdf: "true" + com.openexchange.mail.exportpdf.gotenberg.enabled: "true" + com.openexchange.mail.exportpdf.collabora.enabled: "true" + com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true" + com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980" + com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000" + # OIDC + com.openexchange.oidc.enabled: "true" + com.openexchange.oidc.autologinCookieMode: "ox_direct" + com.openexchange.oidc.backchannelLogoutEnabled: "true" + com.openexchange.oidc.clientId: "opendesk-oxappsuite" + com.openexchange.oidc.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} + com.openexchange.oidc.contextLookupClaim: "context" + com.openexchange.oidc.contextLookupNamePart: "full" + com.openexchange.oidc.opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ 
.Values.platform.realm }}/protocol/openid-connect/auth" + com.openexchange.oidc.opIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}" + com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs" + com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout" + com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" + com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth" + com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" + com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout" + com.openexchange.oidc.ssoLogout: "true" + com.openexchange.oidc.startDefaultBackend: "true" + com.openexchange.oidc.userLookupClaim: "opendesk_username" + com.openexchange.oidc.userLookupNamePart: "full" + # OAUTH + com.openexchange.oauth.provider.enabled: "true" + com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}" + com.openexchange.oauth.provider.contextLookupClaim: "context" + com.openexchange.oauth.provider.contextLookupNamePart: "full" + com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs" + com.openexchange.oauth.provider.mode: "expect_jwt" + 
com.openexchange.oauth.provider.userLookupNamePart: "full" + com.openexchange.oauth.provider.userLookupClaim: "opendesk_username" + com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite" + com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" + com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} + # MAIL + com.openexchange.mail.authType: "xoauth2" + com.openexchange.mail.loginSource: "mail" + com.openexchange.mail.mailServer: "dovecot" + com.openexchange.mail.mailServerSource: "global" + com.openexchange.mail.transport.authType: "xoauth2" + com.openexchange.mail.transportServer: "postfix" + com.openexchange.mail.transportServerSource: "global" + # Mailfilter + com.openexchange.mail.filter.loginType: "global" + com.openexchange.mail.filter.credentialSource: "mail" + com.openexchange.mail.filter.server: "dovecot" + com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2" + # Dovecot + com.openexchange.imap.attachmentMarker.enabled: "true" + # Capabilities + # Old capability can be used to toggle all integrations with a single switch + com.openexchange.capability.public-sector: "true" + # New capabilities in 2.0 + com.openexchange.capability.public-sector-element: "true" + com.openexchange.capability.public-sector-navigation: "true" + com.openexchange.capability.client-onboarding: "true" + com.openexchange.capability.dynamic-theme: "true" + com.openexchange.capability.filestorage_nextcloud: "true" + com.openexchange.capability.filestorage_nextcloud_oauth: "true" + com.openexchange.capability.guard: "true" + com.openexchange.capability.guard-mail: "true" + com.openexchange.capability.smime: "true" + com.openexchange.capability.share_links: "false" + com.openexchange.capability.invite_guests: "false" + com.openexchange.capability.document_preview: "true" + # 
Secondary Accounts + com.openexchange.mail.secondary.authType: "XOAUTH2" + com.openexchange.mail.transport.secondary.authType: "xoauth2" + # Nextcloud integration + com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/" + com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user" + com.openexchange.nextcloud.filepicker.includeAccessToken: "false" + # GDPR + com.openexchange.gdpr.dataexport.enabled: "false" + com.openexchange.gdpr.dataexport.active: "false" + # Guard + com.openexchange.guard.storage.file.fileStorageType: "file" + com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/" + com.openexchange.guard.guestSMTPServer: "postfix" + # S/MIME + # Usage (in browser console after login): + # http = (await import('./io.ox/core/http.js')).default + # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } }) + com.openexchange.smime.test: "true" + # Other + com.openexchange.secret.secretSource: "\" + '@' + + '/' + \"" + secretProperties: + com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }} + com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }} + com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }} + propertiesFiles: + /opt/open-xchange/etc/AdminDaemon.properties: + MASTER_ACCOUNT_OVERRIDE: "true" + /opt/open-xchange/etc/system.properties: + SERVER_NAME: "oxserver" + /opt/open-xchange/etc/ldapauth.properties: + java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal" + bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal" + bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }} + bindOnly: "false" + /opt/open-xchange/etc/antivirus.properties: + com.openexchange.antivirus.enabled: "true" + {{- if .Values.clamavDistributed.enabled }} + com.openexchange.antivirus.server: "clamav-icap" 
+ {{- else if .Values.clamavSimple.enabled }} + com.openexchange.antivirus.server: "clamav-simple" + {{- end }} + com.openexchange.antivirus.port: "1344" + com.openexchange.antivirus.maxFileSize: "1024" + uiSettings: + io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" + io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" + # Show the Enterprise Picker in the top right corner instead of the launcher drop-down + io.ox/core//features/enterprisePicker/showLauncher: "false" + io.ox/core//features/enterprisePicker/showTopRightLauncher: "true" + # Text and icon color in the topbar + io.ox/dynamic-theme//topbarColor: "#000" + io.ox/dynamic-theme//logoWidth: "82" + io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)" + # Resources + io.ox/core//features/resourceCalendars: "true" + io.ox/core//features/managedResources: "true" + # Categories + io.ox/core//features/categories: "true" + io.ox/core//categories/predefined: > + [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }] + # Nextcloud integration + # io.ox.nextcloud//server: "https://ics./fs/" + # Central navigation + io.ox.public-sector//navigation/oxtabname: "tab_groupware" + # io.ox.public-sector//ics/url: "https://ics./" + io.ox/core//apps/quickLaunchCount: "0" + io.ox/core//coloredIcons: "false" + # Mail templates + io.ox/core//features/templates: "true" + # Contact Collector + io.ox/mail//contactCollectOnMailTransport: "true" + # io.ox/mail//contactCollectOnMailAccess: "true" + # Dynamic theme + io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }} + io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" + io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }} + io.ox/dynamic-theme//topbarColor: {{ 
.Values.theme.colors.black | quote }} + io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }} + io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }} + io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }} + io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }} + io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }} + secretETCFiles: + # Format of the OX Guard master key: + # MC+base64(20 random bytes) + # RC+base64(20 random bytes) + oxguardpass: | + {{ .Values.secrets.oxAppsuite.oxguardMC }} + {{ .Values.secrets.oxAppsuite.oxguardRC }} + redis: + enabled: true + mode: "standalone" + hosts: + - "redis-master" + auth: + password: {{ .Values.secrets.redis.password | quote }} + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }} + repository: {{ .Values.images.openxchangeCoreMW.repository | quote }} + tag: {{ .Values.images.openxchangeCoreMW.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + # Security context for core-mw has no effect yet + # podSecurityContext: {} + # securityContext: {} + update: + image: + repository: {{ .Values.images.openxchangeCoreMW.repository | quote }} + tag: {{ .Values.images.openxchangeCoreMW.tag | quote }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + resources: + {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }} + + core-ui: + enabled: true + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }} + repository: {{ .Values.images.openxchangeCoreUI.repository | quote }} + tag: {{ .Values.images.openxchangeCoreUI.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + resources: + {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + + core-ui-middleware: + enabled: true + ingress: + hosts: + - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + enabled: false + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }} + repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }} + tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + overrides: {} + redis: + mode: "standalone" + hosts: + - "redis-master:6379" + auth: + enabled: true + password: {{ .Values.secrets.redis.password | quote }} + resources: + {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }} + updater: + resources: + {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + + core-cacheservice: + enabled: false + + core-documentconverter: + enabled: true + documentConverter: + cache: + remoteCache: + enabled: false + image: + registry: {{ .Values.global.imageRegistry | 
default .Values.images.openxchangeDocumentConverter.registry | quote }} + repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }} + tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }} + podSecurityContext: + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 987 + seccompProfile: + type: "RuntimeDefault" + resources: + {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }} + securityContext: + # missing: + # readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + + core-documents-collaboration: + enabled: false + office-web: + enabled: false + office-user-guide: + enabled: false + plugins-ui: + enabled: false + cloud-plugins-ui: + enabled: false + drive-client-windows-ox: + enabled: false + core-drive-help: + enabled: false + + core-guidedtours: + enabled: true + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }} + repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }} + tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + resources: + {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + + core-imageconverter: + enabled: true + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }} + repository: {{ .Values.images.openxchangeImageConverter.repository | quote }} + tag: {{ .Values.images.openxchangeImageConverter.tag | quote }} + objectCache: + s3ObjectStores: + - id: -1 + endpoint: "." 
+ accessKey: "." + secretKey: "." + podSecurityContext: + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 987 + seccompProfile: + type: "RuntimeDefault" + resources: + {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }} + securityContext: + # missing: + # readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + + guard-ui: + enabled: true + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + image: + repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}" + tag: {{ .Values.images.openxchangeGuardUI.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + resources: + {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + + core-spellcheck: + enabled: false + + core-user-guide: + enabled: true + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }} + repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }} + tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} + resources: + {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" +... 
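Review bot: The database credentials under `global.mysql.auth` silently fall back to the MariaDB root password when `databases.oxAppsuite.password` is unset, and `rootPassword` is populated from the application user's password whenever one is set, so the two credentials are conflated in both directions and the app can end up running as root without anyone noticing. I would fail the render instead of falling back, e.g. `password: {{ .Values.databases.oxAppsuite.password | required "databases.oxAppsuite.password must be set" | quote }}` and `rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}` (assuming the chart still needs a root credential at all). Separately, `ldapauth.properties` binds as `ldapsearch_ox` with `bindDNPassword` over plain `ldap://…:389`, so the bind password crosses the network in cleartext unless sidecar mTLS is enforced for that hop; a comment stating which of `ldaps://`, StartTLS or mesh mTLS protects it would make that assumption reviewable. The same caveat applies to the `http://` URLs for the Nextcloud OAuth endpoint, Collabora and Gotenberg, which carry user tokens and document content and currently rely on an unstated transport guarantee.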
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml index 05d57bd6..adf42683 100644 --- a/helmfile/environments/default/charts.yaml +++ b/helmfile/environments/default/charts.yaml @@ -383,7 +383,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize" name: "opendesk-otterize" - version: "1.5.0" + version: "1.6.0" verify: true # @supplier: "openDesk"