sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(univention-management-stack): Provisioning version bump

Browse Source 
fix(univention-management-stack): Use bundled NATS
This commit is contained in:
jconde
2024-02-27 09:18:09 +01:00
committed by Thorsten Roßner
parent 8b065fd9d7
commit 410a023714
7 changed files with 149 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -350,6 +350,15 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-provisioning-udm-listener"
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-provisioning-udm-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-guardian-management-api"
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}"

28
helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl Normal file
View File

@@ -0,0 +1,28 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
tlsMode: "off"
natsHost: "ums-provisioning-nats"
natsPort: "4222"
resources:
{{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
...

142
helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -15,22 +15,13 @@ dispatcher:
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
config:
UDM_HOST: "ums-udm-rest-api"
UDM_PORT: 9979
UDM_USERNAME: "cn=admin"
events-and-consumer-api:
api:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
@@ -40,98 +31,51 @@ events-and-consumer-api:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
rootPath: "/univention/provisioning-api"
ingress:
# copied from values-common.yaml.gotmpl
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
config:
rootPath: "/univention/provisioning-api"
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
udm-listener:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
{{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
prefill:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
nats:
global:
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecretNames: {{ .Values.global.imagePullSecrets }}
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
container:
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
natsBox:
container:
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
reloader:
image:
repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
registry: {{ .Values.global.imageRegistry }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
bundled: true
nameOverride: ""
resources:
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
sysctls:
- name: "net.ipv4.ip_unprivileged_port_start"
value: "1"
...

6
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -280,12 +280,6 @@ serverBlock: |
proxy_pass http://ums-portal-frontend:80/;
}
## ums-provisioning
location /univention/provisioning-api/ {
rewrite ^/univention/provisioning-api(/.*)$ $1 break;
proxy_pass http://ums-provisioning-events-and-consumer-api:80;
}
## guardian
location /univention/guardian/management-ui {
proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;

18
helmfile/environments/default/charts.yaml
View File

@@ -343,7 +343,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
version: "1.7.3"
version: "1.7.5"
verify: true
# @supplier: "openDesk"
@@ -623,7 +623,21 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "provisioning"
version: "0.9.5"
version: "0.14.0"
verify: true
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '9', '5']
umsProvisioningUdmListener:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/charts/univention/udm-listener
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "udm-listener"
version: "0.14.0"
verify: true
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'

66
helmfile/environments/default/images.yaml
View File

@@ -762,68 +762,50 @@ images:
umsProvisioningDispatcher:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/dispatcher
# upstreamRepository=souvap/tooling/images/univention/provisioning-dispatcher
# dependencyType=supplier
registry: "registry.souvap-univention.de"
repository: "souvap/tooling/images/univention/dispatcher"
tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '11', '1']
# @mirrorFrom: ['0', '14', '0']
umsProvisioningEventsAndConsumerApi:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
# upstreamRepository=souvap/tooling/images/univention/provisioning-events-and-consumer-api
# dependencyType=supplier
registry: "registry.souvap-univention.de"
repository: "souvap/tooling/images/univention/events-and-consumer-api"
tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '11', '1']
# @mirrorFrom: ['0', '14', '0']
umsProvisioningNats:
umsProvisioningPrefill:
# renovate:
# upstreamRegistry=registry-1.docker.io
# upstreamRepository=library/nats
# dependencyType=external
registry: "registry-1.docker.io"
repository: "library/nats"
tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
# @supplier: "Univention"
umsProvisioningNatsBox:
# renovate:
# upstreamRegistry=registry-1.docker.io
# upstreamRepository=natsio/nats-box
# dependencyType=external
registry: "registry-1.docker.io"
repository: "natsio/nats-box"
tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
# @supplier: "Univention"
umsProvisioningNatsReloader:
# renovate:
# upstreamRegistry=registry-1.docker.io
# upstreamRepository=natsio/nats-server-config-reloader
# dependencyType=external
registry: "registry-1.docker.io"
repository: "natsio/nats-server-config-reloader"
tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/provisioning-prefill
# dependencyType=supplier
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '14', '0']
umsProvisioningUdmListener:
# renovate:
# upstreamRegistry=registry.souvap-univention.de
# upstreamRepository=souvap/tooling/images/univention/udm-listener
# upstreamRepository=souvap/tooling/images/univention/provisioning-udm-listener
# dependencyType=supplier
registry: "registry.souvap-univention.de"
repository: "souvap/tooling/images/univention/udm-listener"
tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '11', '1']
# @mirrorFrom: ['0', '14', '0']
umsSelfserviceInvitation:
# renovate:

30
helmfile/environments/default/resources.yaml
View File

@@ -431,7 +431,35 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioning:
umsProvisioningEventsAndConsumerApi:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioningDispatcher:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioningPrefill:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioningUdmListener:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioningNats:
limits:
cpu: 99
memory: "1Gi"