From 432d926242230aebfab3d58c9eeb0bb4ca84b348 Mon Sep 17 00:00:00 2001 From: Norbert Tretkowski Date: Tue, 13 May 2025 16:13:06 +0200 Subject: [PATCH] feat(nubus): Update to v1.9.1 --- helmfile/apps/nubus/values-nubus.yaml.gotmpl | 116 +++++++++--------- .../environments/default/charts.yaml.gotmpl | 2 +- .../environments/default/images.yaml.gotmpl | 44 +++---- 3 files changed, 84 insertions(+), 78 deletions(-) diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index aedf7cac..b5087bf5 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl @@ -256,6 +256,20 @@ keycloak: nubusGuardian: authorizationApi: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }} repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }} @@ -274,20 +288,6 @@ nubusGuardian: replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }} resources: {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} global: podAnnotations: {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }} 
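Review bot: The hardening block added under `nubusGuardian.authorizationApi` in the first hunk is the same content the second hunk removes, only renamed from `securityContext` to `containerSecurityContext`, and nothing in the diff shows that chart 1.9.1 reads the new key. Helm ignores values keys a chart does not consume unless a values.schema.json rejects them, so a key-name mismatch would silently drop `runAsNonRoot`, `readOnlyRootFilesystem` and `drop: - ALL` back to chart defaults instead of failing the render. Rendering the release (`helm template` / `helmfile template`) and checking the container `securityContext` of each of the four Guardian components would confirm the rename took effect; the same rename is made in the hunks on the next two lines (managementApi, managementUi, openPolicyAgent), where git matched the body lines across sibling blocks, so the per-component `seLinuxOptions` references in particular are worth checking in the rendered output rather than in the diff. A one-line comment such as `# chart >= 1.9 reads containerSecurityContext (was securityContext)` above each block would record why the key changed.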
@@ -350,6 +350,20 @@ nubusGuardian: # enabled: true secretName: "" managementApi: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementApi.repository }} @@ -368,7 +382,8 @@ nubusGuardian: replicaCount: {{ .Values.replicas.umsGuardianManagementApi }} resources: {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} - securityContext: + managementUi: + containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: @@ -381,8 +396,7 @@ nubusGuardian: seccompProfile: type: RuntimeDefault seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} - managementUi: + {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementUi.repository }} @@ -398,7 +412,8 @@ nubusGuardian: replicaCount: {{ .Values.replicas.umsGuardianManagementUi }} resources: {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} - securityContext: + openPolicyAgent: + containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: 
@@ -410,9 +425,8 @@ nubusGuardian: runAsUser: 1000 seccompProfile: type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} - openPolicyAgent: + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }} repository: {{ .Values.images.nubusOpenPolicyAgent.repository }} @@ -428,20 +442,6 @@ nubusGuardian: replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }} resources: {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} postgresql: connection: host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} 
@@ -449,26 +449,29 @@ nubusGuardian: auth: username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} - credentialSecret: + existingSecret: name: "ums-guardian-postgresql-opendesk-credentials" - key: "guardianDatabasePassword" + keyMapping: + password: "guardianDatabasePassword" provisioning: enabled: false config: nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }} keycloak: - realm: {{ .Values.platform.realm | quote }} - username: "kcadmin" - connection: - host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - baseUrl: "http://ums-keycloak:8080" credentialSecret: name: "ums-opendesk-keycloak-credentials" key: "admin_password" - managementApi: - credentialSecret: + realm: {{ .Values.platform.realm | quote }} + username: "kcadmin" + keycloak: + auth: + existingSecret: name: "ums-opendesk-guardian-client-secret" - key: "managementApiClientSecret" + keyMapping: + password: "managementApiClientSecret" + connection: + host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + baseUrl: "http://ums-keycloak:8080" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }} repository: {{ .Values.images.nubusGuardianProvisioning.repository }} 
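Review bot: The provisioning block now mixes two secret-reference shapes — `credentialSecret: {name, key}` for the Keycloak admin password under `config.keycloak`, and `existingSecret` with `keyMapping.password` for the Guardian client secret under the second `keycloak:` mapping and for the PostgreSQL password at the top of the hunk — and nothing on the page shows which shape chart 1.9.1 reads for each (the indentation of the second `keycloak:` is not recoverable from the collapsed diff). As with any unconsumed values key, a mismatch would not fail the render; it would more likely leave the chart to fall back to whatever default or generated credential it has, which is harder to notice than a template error. Because `provisioning.enabled: false` is unchanged, the block is inert for this deployment and a mismatch would only surface when provisioning is switched on; a comment such as `# secret-reference shape follows chart 1.9.1; verify against the chart values before enabling` on the `provisioning:` line would flag that. The unchanged `baseUrl: "http://ums-keycloak:8080"` carries the admin credential over plaintext in-cluster HTTP; if that relies on cluster network trust, a one-line comment saying so would save the next reviewer the question.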
@@ -787,8 +790,15 @@ nubusPortalConsumer: logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }} objectStorage: auth: + accessKeyId: {{ .Values.objectstores.nubus.username | quote }} accessKey: {{ .Values.objectstores.nubus.username | quote }} + secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} + existingSecret: + name: "{{ .Release.Name }}-portal-consumer-minio-credentials" + keyMapping: + accessKey: "accessKey" + secretKey: "secretKey" bucketName: {{ .Values.objectstores.nubus.bucket | quote }} endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }} persistence: @@ -800,10 +810,6 @@ nubusPortalConsumer: {{- with .Values.annotations.nubusPortalConsumer.pod }} {{ . | toYaml | nindent 4 }} {{- end }} - provisioningApi: - auth: - username: "portal-consumer" - password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote }} replicaCount: {{ .Values.replicas.umsPortalConsumer }} resources: {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }} @@ -1557,12 +1563,12 @@ nubusUmcServer: capabilities: drop: - "ALL" - runAsUser: 0 - runAsGroup: 0 + runAsUser: 999 + runAsGroup: 999 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true - runAsNonRoot: false + runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} containerSecurityContextInit: @@ -1598,12 +1604,12 @@ nubusUmcServer: - "MKNOD" - "NET_BIND_SERVICE" - "SYS_CHROOT" - runAsUser: 0 - runAsGroup: 0 + runAsUser: 999 + runAsGroup: 999 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true - runAsNonRoot: false + runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} image: 
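Review bot: The `objectStorage.auth` map in the first hunk now carries the MinIO credential three times — the pre-existing `accessKey`/`secretKey`, the added `accessKeyId`/`secretAccessKey` with identical values, and the added `existingSecret` pointing at `{{ .Release.Name }}-portal-consumer-minio-credentials`. Whichever form chart 1.9.1 consumes, the others are dead configuration, and as long as the inline forms stay the secret key is still rendered into the release values (and so into Helm release state) even if the chart only reads the Secret. If `existingSecret` is the supported form in 1.9.1, the four inline lines can go; if it is not, `existingSecret` and its `keyMapping` should go instead, and either way a comment on `auth:` naming the form the chart reads would make the intent reviewable. The Secret named in `existingSecret.name` is not created anywhere in this diff, so whether it is chart-generated or pre-provisioned is worth confirming before relying on it.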
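Review bot: With `runAsUser: 999` and `runAsNonRoot: true` now set in both `nubusUmcServer` hunks, the capability list visible in the init-container context of the second hunk (`"MKNOD"`, `"NET_BIND_SERVICE"`, `"SYS_CHROOT"`; the enclosing `capabilities` key starts outside the hunk) no longer fits the rest of the context. If that list is an `add:` list, a non-root process does not receive those capabilities in its effective set (Kubernetes does not grant ambient capabilities), so they are inert at best and, if the init step depends on them, the init container will now fail where it previously ran as root. Either aligning the init context with the main container's `drop: - "ALL"` or adding a comment explaining why the entries stay would make the change self-consistent. A comment on `runAsUser` recording where UID/GID 999 comes from (presumably the uid the umc-server image is built for — nothing on the page ties the number to the image) would help whoever bumps the image next.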
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 41998133..2e497bca 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -303,7 +303,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/charts-mirror" name: "nubus" - version: "1.8.0" + version: "1.9.1" verify: true opendeskAlerts: # providerCategory: "Platform" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index ef924cdc..01b629fa 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -370,7 +370,7 @@ images: # upstreamMirrorStartFrom: ["0", "41", "5"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader" - tag: "0.89.0@sha256:3ed16810357ed01152e1e3f0d1cd66825bde53302f32d3caf700e324f7c1cffb" + tag: "0.90.0@sha256:a776ea84ca5d4f984a1ecf1f97d8c90cd98894c3568401be6858a8e955c7ed92" nubusGuardianAuthorizationApi: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -410,17 +410,17 @@ images: # upstreamMirrorStartFrom: ["0", "3", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init" - tag: "0.17.0@sha256:56acfc53c3d3e0a20ff77fe427ae794adbf03ccc66972c95188e0da9e87c4a62" + tag: "0.19.1@sha256:9030841a136d9addc37b2b62d39d80b113b824e50bd9cdcd5cf2c22bad74eeb0" nubusKeycloak: # providerCategory: "Supplier" # providerResponsible: "Univention" # upstreamRegistry: "https://artifacts.software-univention.de" # upstreamRepository: "nubus/images/keycloak" - # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$' - # upstreamMirrorStartFrom: ["22", "0", "3"] + # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$' + # upstreamMirrorStartFrom: ["0", "0", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak" - tag: "25.0.6-ucs6@sha256:1db8af70741bca9badeb3d5b0b145244dde1a2579fe4f966e488ce730cb07d65" + tag: "0.0.1@sha256:86ad28bf36620df833bcff7bb93081ee176ab6528de4f39b810730c8d03cf659" nubusKeycloakBootstrap: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -430,7 +430,7 @@ images: # upstreamMirrorStartFrom: ["0", "1", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap" - tag: "0.10.2@sha256:7406bfee267dff6520b8b3c0db098a79e7f9fe1b45307ea6b1edf26a2bcfc1aa" + tag: "0.11.0@sha256:55ad741e01dd91bb9b0332fd602a6262d3618abdf97a86c13f1e6148b36bd242" nubusKeycloakExtensionHandler: # providerCategory: "Supplier" # providerResponsible: "Univention" 
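Review bot: The `nubusKeycloak` tag in the second hunk moves from `25.0.6-ucs6` to `0.0.1`, so the deployed Keycloak release is no longer readable from the tag, and the commented mirror metadata (`upstreamMirrorTagFilterRegEx`, `upstreamMirrorStartFrom`) is reset to match the new scheme. For vulnerability tracking the Keycloak version behind `0.0.1` matters more than the wrapper version; a comment such as `# 0.0.1 bundles Keycloak <version> — TODO fill in from the upstream release notes` next to the tag, or a sentence in the commit description, would keep that traceable. The digest pin is retained, so this is a documentation point only.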
@@ -460,7 +460,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier" - tag: "0.34.1@sha256:02d1a0d6ce7e154738f4a1c2323f901245b62c23c8e6c27ce19a57ab44cfdaa7" + tag: "0.37.0@sha256:b148e15c268badc45db9a6ce12c97cce332d25b86e86fec47fc417b8fe74d0d2" nubusLdapServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -470,7 +470,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server" - tag: "0.34.1@sha256:5bb7931393d2023dc63c1338632b01d4c50372cb83192cdb329512b93e109984" + tag: "0.37.0@sha256:caf7de9e121e5500c52dc8338b80057acd3eaa1e3877b526a5ae944bb53fe876" nubusLdapServerDhInitContainer: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -488,7 +488,7 @@ images: # upstreamMirrorStartFrom: ["0", "29", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector" - tag: "0.33.0@sha256:c1304a156094b276199fb263baf93e3704ceece478d7f663061b1b1f05f5931c" + tag: "0.37.0@sha256:c9580e33ea48ec5d7ab2d4816926ca1b2ef72787f7615f31b124119c376c4324" nubusNats: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -522,7 +522,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api" - tag: "0.63.0@sha256:4c2e01e609fb83df6d090c389b5c63d4b1477bdb133b910cacf2f2a1ce1c39e1" + tag: "0.67.0@sha256:da28ce84d97b78027eafbe0bcf8286a333efffdfc52a8abe852caed9d8cde339" nubusOpendeskExtension: # providerCategory: "Platform" # providerResponsible: "openDesk" 
@@ -568,7 +568,7 @@ images: # upstreamMirrorStartFrom: ["0", "27", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer" - tag: "0.63.0@sha256:e331f87738e716b0a16199b6aeaec917509946ce7b7ee91e608e70091dd279cc" + tag: "0.67.1@sha256:580adf9079d27f53f6efd0c519252c7855f6907e3badc033b994165856b16126" nubusPortalExtension: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -596,7 +596,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server" - tag: "0.63.0@sha256:04cff7bb6b565e4ff03ffd1a6b6ab6c76b98bb9ea0fb8e703551f1b586ea7c27" + tag: "0.67.0@sha256:d9418c7a1db7541ced1e3034f45683c190bf63270c6ba8f3d67c1fe0ac2edb1a" nubusProvisioningDispatcher: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -606,7 +606,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher" - tag: "0.49.3@sha256:1089683a7e04259b335c79c13ceca2879d5d834a13d9c93ef62315f3086c9efd" + tag: "0.51.0@sha256:f0cea25f788ff565b883e50c6138874c6f0338e0f91c5f8a32595323059930ef" nubusProvisioningEventsAndConsumerApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -616,7 +616,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api" - tag: "0.49.3@sha256:56a5ca05a570f5a0f68ac67abbf8726541455f03bf0bada0495187d1a0fe963a" + tag: "0.51.0@sha256:66fec83fd5033cf32cd759e9c73f7ae659a4ec45a433f13417a12e007b1d4db6" nubusProvisioningPrefill: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -626,7 +626,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill" - tag: "0.49.3@sha256:761863e5499eb702d0a606e9a58d10055c637ed286ff18998125cb5f82a7c788" + tag: "0.51.0@sha256:ff04d8cec6ecc0b33cdea164e1ba1222c90ed9fe8370057a58329b4521e56de1" nubusProvisioningUdmListener: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -636,7 +636,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener" - tag: "0.49.3@sha256:9bd8dd7531e3247761a6347a1889640821121c56435a96c286d1f6385a3152e7" + tag: "0.51.0@sha256:5f0bba855945da2fa97d40b0fe51a14e3495b0b6da83562def6a6fcf4c21c059" nubusProvisioningUdmTransformer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -646,7 +646,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer" - tag: "0.49.3@sha256:9ce6b3798fb6faba6ebfac1be19b51d12bc8b312decf87f482a2371cb961805e" + tag: "0.51.0@sha256:ce9c312699ebe42c2e1df0d6caf150dfda1e4cc3fc1aaebe62c9ea5de8c11780" nubusSelfServiceConsumer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -656,7 +656,7 @@ images: # upstreamMirrorStartFrom: ["0", "3", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation" - tag: "0.14.0@sha256:999c50058a02f6006a8d1732b651a5c738c5ee91fc453dc8ae3fcdbb9d4192c0" + tag: "0.15.0@sha256:a7c4c097029de8903e3c2eee2082d740b5352dcc7a7a2a3c330bd9ebd7ad5b62" nubusUdmRestApi: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -666,7 +666,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api" - tag: "0.29.0@sha256:2b061d1cf244aeadcb790a08cac94804a32abe73dd442382355a6657b05c0ff2" + tag: "0.30.0@sha256:9503666bac5f44a1d7cb6f17c6fd11a7d6976bc9059938596b6ac9f7bb581ca5" nubusUmcGateway: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -676,7 +676,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway" - tag: "0.38.0@sha256:5abece086fc55cc318453a23634094bdf4e0f9922debce87fbb1aa4d55b9eac1" + tag: "0.43.1@sha256:e1f23a199e1e35667e2ba6a45866bcb6d37bc2b13f3b8134e511ae95973c743b" nubusUmcServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -686,7 +686,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server" - tag: "0.38.0@sha256:2733c21900c8f861f53cff5f65ed20a21881180ff80472491c014e1e2a9c2a9d" + tag: "0.43.1@sha256:1aef76db446164c3ffaeaf233e9ef6303ebb1609b47f918ac4ab6714abf95283" nubusUmcServerProxy: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -704,7 +704,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency" - tag: "0.28.0@sha256:816ad27b76046be360398274ba3c1f1bcec8f58c2ea5a200b2fb675aab1a5ab8" + tag: "0.30.0@sha256:fa804c2a10aa42439bf3f388007d7e55c046d6da6dc8a74c27f5a989fd422c8d" opendeskKeycloakBootstrap: # providerCategory: "Platform" # providerResponsible: "openDesk"