diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml
index eecbfc92..b2afc0df 100644
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -350,6 +350,15 @@ releases:
 installed: {{ .Values.univentionManagementStack.enabled }}
 timeout: 900
 
+ - name: "ums-provisioning-udm-listener"
+ chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
+ version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
+ values:
+ - "values-common.yaml.gotmpl"
+ - "values-provisioning-udm-listener.yaml.gotmpl"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ timeout: 900
+
 - name: "ums-guardian-management-api"
 chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
 version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
diff --git a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
new file mode 100644
index 00000000..ceb123ad
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
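Review bot: The new `ums-provisioning-udm-listener` release declares `installed:` and `timeout:` but no `needs:`, while the values file it pulls in points the listener at `ums-provisioning-nats`, which is served by the existing provisioning release. If the other releases in this helmfile express start-up ordering through `needs:` (not visible in this hunk), this one should declare the same dependency, e.g. `needs: ["ums-provisioning"]` with the actual release name confirmed against the `releases:` list. The `releases:` sequence starts and ends outside the hunk.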
@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+ repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+config:
+ ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+ ldapHost: {{ .Values.ldap.host | quote }}
+ ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+ ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ notifierServer: {{ .Values.ldap.notifierHost | quote }}
+ tlsMode: "off"
+ natsHost: "ums-provisioning-nats"
+ natsPort: "4222"
+
+resources:
+ {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
+...
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
index 029c00a5..c4f2cd37 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
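Review bot: `tlsMode: "off"` combined with `ldapHostDn` bound as `cn=admin` means the listener sends the directory admin bind credentials to `ldapHost` without transport encryption, and nothing in the new file records that this is deliberate; a comment above it such as `# TODO confirm: tlsMode "off" sends the cn=admin bind in clear text to ldapHost` would make the trade-off visible. The file sets no container security context, so the standalone chart's defaults apply; the inline udm-listener section removed from values-provisioning.yaml.gotmpl in this commit ran as root with an explicit capability list, and it cannot be seen here whether the new chart keeps or drops that. If the chart offers an existing-secret style option for the LDAP password, referencing it instead of rendering `ldapPassword` into values would keep the credential out of the Helm release manifest, but the chart is not visible to confirm.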
@@ -15,22 +15,13 @@ dispatcher: - name: {{ . | quote }} {{- end }} resources: - {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - readOnlyRootFilesystem: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }} + {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }} + config: + UDM_HOST: "ums-udm-rest-api" + UDM_PORT: 9979 + UDM_USERNAME: "cn=admin" -events-and-consumer-api: +api: image: registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }} repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }} 
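Review bot: `UDM_PORT: 9979` is the only unquoted scalar in the new `config` mapping under `dispatcher`; if the chart renders these keys into container `env` entries, Kubernetes rejects a non-string `value`, so `UDM_PORT: "9979"` is the safer form and matches its quoted siblings. `UDM_USERNAME: "cn=admin"` sets the dispatcher up to bind as the directory admin while the matching password is not part of this hunk, so a comment next to the username naming where that credential comes from, e.g. `# password: provided via <secret source — confirm>`, would help the next reader. The enclosing `dispatcher` mapping starts before this hunk.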
@@ -40,98 +31,51 @@ events-and-consumer-api: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} {{- end }} - rootPath: "/univention/provisioning-api" - ingress: - # copied from values-common.yaml.gotmpl - # Intentionally not using the Ingress configuration of the UMS stack at the - # moment, since it does depend on rewriting capabilities of the ingress - # controller. Those are encapsulated into the release "stack-gateway" so that - # the compatibility with all ingress controllers is increased. - enabled: false - host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} + config: + rootPath: "/univention/provisioning-api" resources: - {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - readOnlyRootFilesystem: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }} - -udm-listener: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }} - repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }} + {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }} + +prefill: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }} + repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }} + tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }} pullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . 
| quote }} {{- end }} - config: - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} resources: - {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - readOnlyRootFilesystem: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }} + {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }} nats: - global: - image: - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - pullSecretNames: {{ .Values.global.imagePullSecrets }} - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }} - container: - image: - registry: {{ .Values.global.imageRegistry }} - repository: {{ .Values.images.umsProvisioningNats.repository | quote }} - tag: {{ .Values.images.umsProvisioningNats.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - natsBox: - container: - image: - registry: {{ .Values.global.imageRegistry }} - repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }} - tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - reloader: - image: - repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }} - tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }} - registry: {{ .Values.global.imageRegistry }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + bundled: true + 
nameOverride: "" + resources: + {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }} + +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + +podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: "Always" + sysctls: + - name: "net.ipv4.ip_unprivileged_port_start" + value: "1" + + ... diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl index a3a9bc9b..541994a2 100644 --- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl @@ -280,12 +280,6 @@ serverBlock: | proxy_pass http://ums-portal-frontend:80/; } - ## ums-provisioning - location /univention/provisioning-api/ { - rewrite ^/univention/provisioning-api(/.*)$ $1 break; - proxy_pass http://ums-provisioning-events-and-consumer-api:80; - } - ## guardian location /univention/guardian/management-ui { proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui; diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml index fb10011b..434bbde4 100644 --- a/helmfile/environments/default/charts.yaml +++ b/helmfile/environments/default/charts.yaml @@ -343,7 +343,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize" name: "opendesk-otterize" - version: "1.7.3" + version: "1.7.5" verify: true # @supplier: "openDesk" 
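Review bot: The new top-level `containerSecurityContext` carries no `seLinuxOptions`, while the per-component contexts removed in this hunk and the previous one each set `seLinuxOptions: {{ .Values.seLinuxOptions.<component> }}` for the dispatcher, the events-and-consumer API and the UDM listener; unless the chart applies those values somewhere else, SELinux labelling is silently dropped and the `.Values.seLinuxOptions.umsProvisioning*` entries become dead configuration. Separately, `nats: bundled: true` replaces the removed `nats.global.image`/`container.image` overrides, and the images.yaml hunk deletes the digest-pinned `umsProvisioningNats`, `umsProvisioningNatsBox` and `umsProvisioningNatsReloader` entries, so the NATS images now come from the chart's own defaults rather than the mirror, and whether `global.imageRegistry` and `imagePullSecrets` still reach the bundled subchart is not visible from here. A comment under `nats:` such as `# image pinned by the provisioning chart, not images.yaml — confirm mirror coverage` would record that decision. The `api:` mapping whose image block opens this hunk begins in the previous hunk.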
@@ -623,7 +623,21 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "provisioning"
- version: "0.9.5"
+ version: "0.14.0"
+ verify: true
+ # @supplier: "Univention"
+ # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+ # @mirrorFrom: ['0', '9', '5']
+
+ umsProvisioningUdmListener:
+ # renovate:
+ # upstreamRegistry=registry.souvap-univention.de
+ # upstreamRepository=souvap/tooling/charts/univention/udm-listener
+ # dependencyType=supplier
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+ name: "udm-listener"
+ version: "0.14.0"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index d825bd5e..5422b617 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
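Review bot: The new `umsProvisioningUdmListener` chart entry ends at `version: "0.14.0"` and then shares the trailing context lines, so the `# @mirrorFrom` annotation that follows the hunk (not visible here, presumably still `['0', '9', '5']` from the provisioning entry it was split from) now also describes the udm-listener chart; a chart first mirrored at 0.14.0 should probably carry its own `# @mirrorFrom: ['0', '14', '0']`, as the image entries in images.yaml do. The `provisioning` chart's own `# @mirrorFrom: ['0', '9', '5']` is re-added unchanged, which is consistent if the annotation records the first mirrored release rather than the current one. `verify: true` is kept for both entries.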
@@ -762,68 +762,50 @@ images: umsProvisioningDispatcher: # renovate: # upstreamRegistry=registry.souvap-univention.de - # upstreamRepository=souvap/tooling/images/univention/dispatcher + # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatcher # dependencyType=supplier - registry: "registry.souvap-univention.de" - repository: "souvap/tooling/images/univention/dispatcher" - tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher" + tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f" # @supplier: "Univention" # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' - # @mirrorFrom: ['0', '11', '1'] + # @mirrorFrom: ['0', '14', '0'] umsProvisioningEventsAndConsumerApi: # renovate: # upstreamRegistry=registry.souvap-univention.de - # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api + # upstreamRepository=souvap/tooling/images/univention/provisioning-events-and-consumer-api # dependencyType=supplier - registry: "registry.souvap-univention.de" - repository: "souvap/tooling/images/univention/events-and-consumer-api" - tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api" + tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653" # @supplier: "Univention" # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' - # @mirrorFrom: ['0', '11', '1'] + # @mirrorFrom: ['0', '14', '0'] - umsProvisioningNats: + umsProvisioningPrefill: # renovate: - # upstreamRegistry=registry-1.docker.io - # upstreamRepository=library/nats - # dependencyType=external - registry: "registry-1.docker.io" - repository: "library/nats" - tag: 
"2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79" - # @supplier: "Univention" - - umsProvisioningNatsBox: - # renovate: - # upstreamRegistry=registry-1.docker.io - # upstreamRepository=natsio/nats-box - # dependencyType=external - registry: "registry-1.docker.io" - repository: "natsio/nats-box" - tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4" - # @supplier: "Univention" - - umsProvisioningNatsReloader: - # renovate: - # upstreamRegistry=registry-1.docker.io - # upstreamRepository=natsio/nats-server-config-reloader - # dependencyType=external - registry: "registry-1.docker.io" - repository: "natsio/nats-server-config-reloader" - tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783" + # upstreamRegistry=registry.souvap-univention.de + # upstreamRepository=souvap/tooling/images/univention/provisioning-prefill + # dependencyType=supplier + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill" + tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0" # @supplier: "Univention" + # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' + # @mirrorFrom: ['0', '14', '0'] umsProvisioningUdmListener: # renovate: # upstreamRegistry=registry.souvap-univention.de - # upstreamRepository=souvap/tooling/images/univention/udm-listener + # upstreamRepository=souvap/tooling/images/univention/provisioning-udm-listener # dependencyType=supplier - registry: "registry.souvap-univention.de" - repository: "souvap/tooling/images/univention/udm-listener" - tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f" + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener" + tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5" # @supplier: "Univention" # 
@mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' - # @mirrorFrom: ['0', '11', '1'] + # @mirrorFrom: ['0', '14', '0'] umsSelfserviceInvitation: # renovate: diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml index 5693ab0c..d5870411 100644 --- a/helmfile/environments/default/resources.yaml +++ b/helmfile/environments/default/resources.yaml @@ -431,7 +431,35 @@ resources: requests: cpu: 0.1 memory: "256Mi" - umsProvisioning: + umsProvisioningEventsAndConsumerApi: + limits: + cpu: 99 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "256Mi" + umsProvisioningDispatcher: + limits: + cpu: 99 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "256Mi" + umsProvisioningPrefill: + limits: + cpu: 99 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "256Mi" + umsProvisioningUdmListener: + limits: + cpu: 99 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "256Mi" + umsProvisioningNats: limits: cpu: 99 memory: "1Gi"
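Review bot: The `umsProvisioning` resources key is removed, so any values template still reading `.Values.resources.umsProvisioning` would pass a missing value through `toYaml` and render `null` instead of failing, leaving that container without limits; the two files switched in this commit are covered, but other consumers are not visible here. The four new blocks are identical copies, and a comment above the first, e.g. `# per-component copies of the former umsProvisioning defaults`, would explain the repetition to the next reader. The enclosing `resources:` mapping starts before this hunk.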