diff --git a/docs/architecture.md b/docs/architecture.md index 8762d40d..33aae5fa 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -77,7 +77,7 @@ configured to use the aforementioned OpenLDAP. When the user is authenticated by Keycloak, the portal shows the applications the user is permitted to access. -The user can now access applications and use the corresponding functionality without the need to authenticate +The user can now access applications and use the corresponding functionality without the need to authenticate again. This is implemented using the OpenID Connect (OIDC) protocol. # Nubus (IAM) @@ -443,7 +443,7 @@ While the IAM manages users centrally, some applications come with local account | Element | `uvs` | The account for the "User Verification Service". It is used by Jitsi integrated into Element. | `secrets.matrixUserVerificationService.password` | | | `meeting-bot` | Used by the Nordeck Meeting-Bot to manage meeting rooms in Synapse. | `secrets.matrixNeoDateFixBot.password` | | Nextcloud | `nextcloud` | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1]. | `secrets.nextcloud.adminPassword` | -| OX App Suite | `admin` | OX-Connector to provision context, users, groups etc. | `secrets.oxAppsuite.adminPassword` | +| OX App Suite | `admin` | OX Connector to provision context, users, groups etc. | `secrets.oxAppsuite.adminPassword` | | OpenProject | set in `secrets.openproject.apiAdminUsername` | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1]. | `secrets.openproject.apiAdminPassword` | | XWiki | `superadmin` | Only available with `debug.enabled: true`, can be used for interactive login using `/bin/view/Main/?oidc.skipped=true`. | `secrets.xwiki.superadminpassword` | diff --git a/docs/architecture/apis.md b/docs/architecture/apis.md index 49380a9d..ff308998 100644 --- a/docs/architecture/apis.md +++ b/docs/architecture/apis.md 
@@ -65,12 +65,12 @@ This chapter presents APIs available in openDesk, grouped by application. # IAM - Nubus -![Overview of functional components in Univention Nubus for Kubernetes](./apis_images/IAM-overview_functional_components_structured.svg) +![Overview of functional components in Univention Nubus for Kubernetes](./apis_images/IAM-overview_functional_components_structured.svg) [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/components.html#overview-components-fig) ## UMC Python API -![Composition of UMC component with APIs highlighted](./apis_images/IAM-umc-architecture.png) +![Composition of UMC component with APIs highlighted](./apis_images/IAM-umc-architecture.png) [Source](https://docs.software-univention.de/developer-reference/latest/en/umc/architecture.html#umc-api) | Name | UMC Python API | @@ -143,7 +143,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s ## UDM Simple API -![Architecture of UDM](./apis_images/IAM-udm-architecture.svg) +![Architecture of UDM](./apis_images/IAM-udm-architecture.svg) [Source](https://docs.software-univention.de/architecture/latest/en/services/udm.html#architecture-model-udm) | Name | UDM Simple API | @@ -180,7 +180,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s ## UCR Python API -![Architecture overview of UCR](./apis_images/IAM-ucr-architecture.svg) +![Architecture overview of UCR](./apis_images/IAM-ucr-architecture.svg) [Source](https://docs.software-univention.de/architecture/latest/en/services/ucr.html#services-ucr-architecture-model) | Name | UCR Python API | 
@@ -200,7 +200,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s ## Identity Store and Directory Service (LDAP) -![Overview of the Identity Store and Directory Service](./apis_images/IAM-functional_component_identity_store.svg) +![Overview of the Identity Store and Directory Service](./apis_images/IAM-functional_component_identity_store.svg) [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/identity-store.html#component-identity-store-figure) | Name | Identity Store and Directory Service (LDAP) | @@ -220,7 +220,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s ## Nubus Provisioning Service -![Overview of the Provisioning Service and its components](./apis_images/IAM-functional_component_provisioning_service_complete.svg) +![Overview of the Provisioning Service and its components](./apis_images/IAM-functional_component_provisioning_service_complete.svg) [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/provisioning-service.html#component-provisioning-service-complete-figure) | Name | Nubus Proisioning Service | @@ -229,7 +229,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s ## Nubus Authorization Service -![ArchiMate view of the interfaces and protocols of the Authorization Service](./apis_images/IAM-interfaces_authorization_service.svg) +![ArchiMate view of the interfaces and protocols of the Authorization Service](./apis_images/IAM-interfaces_authorization_service.svg) [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/interfaces-protocols.html#authorization-service) | Name | Nubus Authorization Service | 
@@ -288,7 +288,7 @@ The following are the APIs used by the Groupware application: | In openDesk provided by | OX AppSuite Middleware | | Transport protocol | HTTP(S) | | Usage within component | none | -| Usage within openDesk | OX-Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. | +| Usage within openDesk | OX Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. | | Usage for external integration | none | | Parallel access | Allowed | | Message protocol | XML based, exactly following the format of Java RMI. | diff --git a/docs/data-storage.md b/docs/data-storage.md index 7636d017..ba57d3f7 100644 --- a/docs/data-storage.md +++ b/docs/data-storage.md @@ -104,8 +104,8 @@ XWiki,PersistentVolume,1 | | | Yes | OX Guard related settings | `oxguard*` | | | | S3 | Yes | Attachments of meetings, contacts and tasks | `openxchange` | | | | Redis | Optional | Cache, session related data, distributed maps | | | -| | PVC | Yes | OX-Connector: OXAPI access details | `ox-connector-appcenter-ox-connector-0` | `/var/lib/univention-appcenter/apps/ox-connector` | -| | | Yes | OX-Connector: Application's meta data | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` | +| | PVC | Yes | OX Connector: OXAPI access details | `ox-connector-appcenter-ox-connector-0` | `/var/lib/univention-appcenter/apps/ox-connector` | +| | | Yes | OX Connector: Application's meta data | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` | | **Postfix** | PVC | Yes | Mail spool | `postfix` | `/var/spool/postfix` | | **XWiki** | PostgreSQL | Yes | Application's main database | `xwiki` | | | | PVC | Yes | Attachments | `xwiki-data-xwiki-0` | `/usr/local/xwiki/data` | diff --git a/docs/migrations.md b/docs/migrations.md index d2f42b54..06d98e24 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
@@ -10,9 +10,12 @@ SPDX-License-Identifier: Apache-2.0 * [Deprecation warnings](#deprecation-warnings) * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path) * [Manual checks/actions](#manual-checksactions) + * [v1.7.0+](#v170) + * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170) + * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes) * [v1.6.0+](#v160) * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160) - * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets) + * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets) * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser) * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange) * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade) 
@@ -94,6 +97,8 @@ This section should provide you with an overview of what changes to expect in th - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step. - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema. +- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`. +- The currently used Helm chart for Notes will be replaced requiring some config updates. # Automated migrations - Overview and mandatory upgrade path 
@@ -117,11 +122,40 @@ If you would like more details about the automated migrations, please read secti # Manual checks/actions +## v1.7.0+ + +### Post-upgrade to v1.7.0+ + +#### Upstream fix: Provisioning of functional mailboxes + +**Target group:** Deployments with OX App Suite that make use of IAM maintained functional mailboxes. + +The update of OX Connector included in openDesk 1.7.0 fixes an issue with the provisioning of IAM maintained functional mailboxes. If your deployment makes use of these mailboxes it is recommended to trigger a full sync of the OX App Suite provisioning by recreating the OX Connector's provisioning subscription using calls to the provisioning API that is temporary port-forwarded in the example below: + +```shell +export NAMESPACE= +export SUBSCRIPTION_NAME=ox-connector +export SUBSCRIPTION_SECRET_NAME=ums-provisioning-ox-credentials +export TEMPORARY_CONSUMER_JSON=$(mktemp) +export PROVISIONING_API_POD_NAME=$(kubectl -n ${NAMESPACE} get pods --no-headers -o custom-columns=":metadata.name" | grep ums-provisioning-api | tr -d '\n') +kubectl -n ${NAMESPACE} port-forward ${PROVISIONING_API_POD_NAME} 7777:7777 & +export PROVISIONING_PORT_FORWARD_PID=$! 
+sleep 10 +kubectl -n ${NAMESPACE} get secret ${SUBSCRIPTION_SECRET_NAME} -o json | jq '.data | map_values(@base64d)' | jq -r '."ox-connector.json"' > ${TEMPORARY_CONSUMER_JSON}.json +export PROVISIONING_ADMIN_PASSWORD=$(kubectl -n ${NAMESPACE} get secret ums-provisioning-api-admin -o jsonpath='{.data.password}' | base64 --decode) +# Delete the current subscription +curl -o - -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -X DELETE http://localhost:7777/v1/subscriptions/${SUBSCRIPTION_NAME} +# Recreate the subscription +curl -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -H 'Content-Type: application/json' -d @${TEMPORARY_CONSUMER_JSON}.json http://localhost:7777/v1/subscriptions +kill ${PROVISIONING_PORT_FORWARD_PID} +rm ${TEMPORARY_CONSUMER_JSON} +``` + ## v1.6.0+ ### Pre-upgrade to v1.6.0+ -#### Upstream contraint: Nubus' external secrets +#### Upstream constraint: Nubus' external secrets **Target group:** Operators that use external secrets for Nubus. diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index 22b39a96..0cb34761 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl @@ -1310,6 +1310,8 @@ nubusStackDataUms: portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }} oxDefaultContext: "1" oxContextHidden: true + oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }} + portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }} ldapSearchUsers: {{- range $username, $password := .Values.secrets.nubus.ldapSearch }} - username: {{ printf "ldapsearch_%s" $username | quote }} diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index 605aa34d..3a5ef2b8 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl 
@@ -406,7 +406,7 @@ appsuite: com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum" com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))" com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID" - # Requirements for OX-Connector + # Requirements for OX Connector com.openexchange.user.enforceUniqueDisplayName: "false" com.openexchange.folderstorage.database.preferDisplayName: "false" # Mailfilter diff --git a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl index fdd1c107..a511ed3c 100644 --- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl @@ -65,7 +65,7 @@ resourcesWaitForDependency: persistence: size: {{ .Values.persistence.storages.oxConnector.size | quote }} - storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }} + #storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }} podAnnotations: {{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }} diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index e25a34b0..2c3d2761 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -419,7 +419,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/charts-mirror" name: "ox-connector" - version: "0.19.0" + version: "0.27.2" verify: true postfix: # providerCategory: "Platform" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 2fc8da3f..b3782bf9 100644 --- a/helmfile/environments/default/images.yaml.gotmpl 
+++ b/helmfile/environments/default/images.yaml.gotmpl @@ -578,7 +578,7 @@ images: # upstreamMirrorStartFrom: ["0", "10", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension" - tag: "0.11.1@sha256:e57df5c02d0480ccf1d299964e3c676d92440d5e959b4f587945f08624da3ae9" + tag: "0.27.2@sha256:7bb54f5ae0e797172fb92bd7a8a479f179ebd51c1fb5af98fa7b6025f9ffaca4" nubusPortalConsumer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -896,7 +896,7 @@ images: # upstreamMirrorStartFrom: ["0", "4", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone" - tag: "0.19.0@sha256:447e3c3e0cdd8bf1f86004d2088c24fcf6141ff6fef78ade8dfe86f7f16ba40e" + tag: "0.27.2@sha256:4753a1d4a01acb7c6946fc9c8596fd328afe0d3c0b3098adfe85cef89fb1b7d7" postfix: # providerCategory: "Platform" # providerResponsible: "openDesk" diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index 7bbf943f..4cf3fb2f 100644 --- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl @@ -46,6 +46,7 @@ persistence: #storageClassName: "" oxConnector: size: "1Gi" + # This value is not passed on to the related Helm chart yet, but required for linting purposes. storageClassName: ~ postfix: size: "1Gi"
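Review bot: the unchanged context line `| Name | Nubus Proisioning Service |` in the docs/architecture/apis.md hunk at `@@ -220,7 +220,7 @@` still misspells "Provisioning"; since this change already edits that section to add the figure source link, fix the typo in the same pass.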
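Review bot: the new deprecation-warning bullet in docs/migrations.md (`@@ -94,6 +97,8 @@`) names the keys `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName`, but the key used everywhere else in this patch is `persistence` (see `.Values.persistence.storages.oxConnector.storageClassName` in values-oxconnector.yaml.gotmpl and the `persistence:` tree in persistence.yaml.gotmpl); an operator searching their values file for the documented key will not find it. In the same sentence, "if their current default values differs" should read "if their current default value differs".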
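Review bot: the shell example in the new "Upstream fix: Provisioning of functional mailboxes" section of docs/migrations.md leaves the subscription credentials on disk: `TEMPORARY_CONSUMER_JSON=$(mktemp)` creates one file, the `jq` pipeline writes the decoded `ox-connector.json` (which carries the consumer password) to `${TEMPORARY_CONSUMER_JSON}.json`, and the closing `rm ${TEMPORARY_CONSUMER_JSON}` removes only the empty mktemp file. Write to `${TEMPORARY_CONSUMER_JSON}` and post `-d @${TEMPORARY_CONSUMER_JSON}`, or `rm` both paths. Three smaller points in the same block: `export NAMESPACE=` expands to nothing, so each `kubectl -n ${NAMESPACE} get ...` would take the next word as the namespace; a visible placeholder such as `export NAMESPACE="<opendesk-namespace>"` with double-quoted expansions avoids that. `grep ums-provisioning-api | tr -d '\n'` concatenates all matching pod names into one string when more than one pod matches (several replicas, or another pod whose name contains the substring); `head -n 1` or a label selector is safer. The `DELETE` runs unconditionally before the re-create `POST`; adding `curl -f` and `set -e`, or checking the POST result, prevents ending the procedure with the subscription deleted but not re-created when the second call fails.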
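Review bot: in helmfile/apps/nubus/values-nubus.yaml.gotmpl the two added lines render without `| quote`, unlike the neighbouring `portalLinkFeedback: {{ ... | quote }}` and `username: {{ printf ... | quote }}`; a password that starts with a YAML-significant character (`*`, `&`, `!`, `#`, `{`, `[`, `@`), contains `: `, or looks like a number or boolean will be mis-parsed or break the rendered YAML. Use `oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}` and `portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}`.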
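Review bot: commenting out `storageClass:` in helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl silently drops a setting operators may have relied on, and the only explanation is the comment added in persistence.yaml.gotmpl ("not passed on to the related Helm chart yet, but required for linting purposes"). Either remove the dead line or replace it with a comment stating why the value is no longer passed to the `ox-connector` chart (bumped to 0.27.2 in this patch) and what, if anything, replaces it, and say in the v1.7.0 migration notes that `persistence.storages.oxConnector.storageClassName` is currently ignored, so that the deprecation bullet about templating it later is not read as describing current behaviour.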
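Review bot: in helmfile/environments/default/images.yaml.gotmpl the `ox-extension` tag jumps from `0.11.1` to `0.27.2`, the same version as `ox-connector-standalone` and the `ox-connector` chart, while the `upstreamMirrorStartFrom` comments (`["0", "10", "0"]` vs `["0", "4", "2"]`) indicate the two images were versioned independently before; please confirm in the PR description that extension and connector now share a release line and that both digests were taken from the mirrored upstream images for that tag.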