fix(univention-management-stack): Remove UCS container monolith and make UMS standard IAM

merge-request-bot
2023-12-14 07:10:12 +00:00
committed by Thorsten Rossner
parent 4b6a20faa4
commit 450c434ed0
59 changed files with 593 additions and 409 deletions


@@ -56,14 +56,11 @@ variables:
options: options:
- "yes" - "yes"
- "no" - "no"
DEPLOY_UCS: DEPLOY_UMS:
description: >- description: "Enable Univention Management Stack deployment."
Enable Univention Corporate Server deployment.
"ums-eval" does deploy the Univention Management Stack instead of the UCS container.
value: "no" value: "no"
options: options:
- "yes" - "yes"
- "ums-eval"
- "no" - "no"
DEPLOY_PROVISIONING: DEPLOY_PROVISIONING:
description: "Enable Provisioning Components." description: "Enable Provisioning Components."
@@ -154,7 +151,8 @@ variables:
cache: {} cache: {}
dependencies: [] dependencies: []
extends: ".environments" extends: ".environments"
image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest" image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
@sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
script: script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}" - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -233,18 +231,6 @@ services-deploy:
variables: variables:
COMPONENT: "services" COMPONENT: "services"
ucs-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
when: "always"
variables:
COMPONENT: "univention-corporate-container"
provisioning-deploy: provisioning-deploy:
stage: "component-deploy-stage-2" stage: "component-deploy-stage-2"
extends: ".deploy-common" extends: ".deploy-common"
@@ -252,7 +238,7 @@ provisioning-deploy:
- if: > - if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ && $NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no") ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
when: "always" when: "always"
variables: variables:
COMPONENT: "provisioning" COMPONENT: "provisioning"
@@ -264,7 +250,7 @@ ums-deploy:
- if: > - if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ && $NAMESPACE =~ /.+/ &&
$DEPLOY_UCS == "ums-eval" ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
when: "always" when: "always"
variables: variables:
COMPONENT: "univention-management-stack" COMPONENT: "univention-management-stack"
@@ -434,6 +420,19 @@ env-stop:
variables: variables:
GIT_STRATEGY: "none" GIT_STRATEGY: "none"
.ums-default-password: &ums-default-password
- |
UMS_PASSWORDS=$( \
kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
| yq '.properties.password' > passwords.txt \
)
DEFAULT_USER_PASSWORD=$( \
awk 'NR==1{print $1}' passwords.txt \
)
DEFAULT_ADMIN_PASSWORD=$(
awk 'NR==3{print $1}' passwords.txt \
)
run-tests: run-tests:
extends: ".deploy-common" extends: ".deploy-common"
environment: environment:
@@ -444,24 +443,8 @@ run-tests:
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes" $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
when: "always" when: "always"
script: script:
- *ums-default-password
- | - |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \ curl --request POST \
--header "Content-Type: application/json" \ --header "Content-Type: application/json" \
--data "{ \ --data "{ \
@@ -483,7 +466,7 @@ run-tests:
\"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \ \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
\"DEPLOY_OX\": \"${DEPLOY_OX}\", \ \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
\"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \ \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
\"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \ \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
\"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \ \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
\"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \ \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
} \ } \
@@ -500,24 +483,8 @@ run-souvap-dev-tests:
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes" $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
when: "always" when: "always"
script: script:
- *ums-default-password
- | - |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \ curl --request POST \
--header "Content-Type: application/json" \ --header "Content-Type: application/json" \
--data "{ \ --data "{ \
@@ -570,6 +537,14 @@ generate-release-assets:
image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest" image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
tags: [] tags: []
conventional-commits-linter:
rules:
- if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
common-yaml-linter: common-yaml-linter:
rules: rules:
- if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'" - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
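Review bot: The new `.ums-default-password` snippet writes both default account passwords to `passwords.txt` in the job's working directory and never removes it. Because of the `> passwords.txt` redirect inside the command substitution, `UMS_PASSWORDS` is also always empty. Dropping the redirect keeps the values in the shell variable only, and the two lookups can then read from it, e.g. `DEFAULT_USER_PASSWORD=$(printf '%s\n' "${UMS_PASSWORDS}" | awk 'NR==1{print $1}')` and the same with `NR==3` for `DEFAULT_ADMIN_PASSWORD`. Picking lines 1 and 3 presumably relies on `yq` printing a `---` separator between two documents in a fixed order, so selecting each entry by its username would be less brittle. The credentials are read from a ConfigMap (`get cm ums-stack-data-swp-data`), so anyone who can read ConfigMaps in the namespace can read them; that deserves a comment above the anchor, or a move to a Secret.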


@@ -37,7 +37,7 @@ This service is used by:
- Nextcloud (e.g. share file notifictions) - Nextcloud (e.g. share file notifictions)
- Open-Xchange (emails) - Open-Xchange (emails)
- OpenProject (general notifications) - OpenProject (general notifications)
- UCS (e.g. password reset emails) - UMS (e.g. password reset emails)
- XWiki (e.g. change notifications) - XWiki (e.g. change notifications)
## TURN Server ## TURN Server


@@ -59,7 +59,7 @@ Valid commit scopes:
- `openproject` - `openproject`
- `provisioning` - `provisioning`
- `services` - `services`
- `univention-corporate-container` - `univention-management-stack`
- `xwiki` - `xwiki`
## Semantic Release ## Semantic Release


@@ -48,7 +48,6 @@ While most components support upgrades, major configuration or component changes
at the moment always installing from scratch. at the moment always installing from scratch.
Components that are going to be replaced soon are: Components that are going to be replaced soon are:
- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and - the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector. - Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.


@@ -52,7 +52,7 @@ For the following guide, we will use `dev` as environment, where variables can b
### Domain ### Domain
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain. `*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`. A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
@@ -118,8 +118,7 @@ All available apps and their default value can be found in `helmfile/environment
| Postfix | `postfix.enabled` | `true` | MTA | | Postfix | `postfix.enabled` | `true` | MTA |
| PostgreSQL | `postgresql.enabled` | `true` | Database | | PostgreSQL | `postgresql.enabled` | `true` | Database |
| Redis | `redis.enabled` | `true` | Cache Database | | Redis | `redis.enabled` | `true` | Cache Database |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | | Univention Management Stack | `univentionManagementStack.enabled` | `true` | Identity Management & Portal |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | | XWiki | `xwiki.enabled` | `true` | Knowledgebase |
Exemplary, Jitsi can be disabled like: Exemplary, Jitsi can be disabled like:
@@ -316,7 +315,7 @@ certificate:
### Password seed ### Password seed
All secrets are generated from a single master password via Master Password (algorithm). All secrets are generated from a single master password via Master Password (algorithm).
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via: To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
```shell ```shell
@@ -369,7 +368,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
https://portal.domain.tld https://portal.domain.tld
``` ```
If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal` If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
by your specified subdomain. by your specified subdomain.
**Credentials:** **Credentials:**
@@ -378,20 +377,13 @@ by your specified subdomain.
# Replace with your namespace # Replace with your namespace
NAMESPACE=your-namespace NAMESPACE=your-namespace
# Get UCS container, which contains passwords as env var. # Get credentials from ConfigMap
CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}') kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container | yq '.properties.username,.properties.password'
# # default.user
# NAME READY STATUS RESTARTS AGE
# univention-corporate-container-8665c6f8b7-nlhc6 1/1 Running 0 10m
# Password of `default.user`
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
# 40615..............................e9e2f # 40615..............................e9e2f
# ---
# Password of `default.admin` # default.admin
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
# bdbbb..............................04db6 # bdbbb..............................04db6
``` ```


@@ -42,7 +42,6 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| ox-connector-repo | no | :x: | | ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: | | postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: | | postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: | | ums-repo | no | :x: |
| xwiki-repo | no | :x: | | xwiki-repo | no | :x: |
@@ -51,55 +50,66 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
This list gives you an overview of default security settings and if they comply with security standards: This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | | Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| |-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | | Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 | | CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 | | Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | | | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | | IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | | Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | | | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | | Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 | | Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | | Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 | | Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 | | | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 | | | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | | Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | | | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - | | | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | | OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | | Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 | | Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - | | Univention Management Stack | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 | | | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | | | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
## NetworkPolicies ## NetworkPolicies


@@ -254,11 +254,6 @@ charts:
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }} username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
univentionCorporateServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
xwiki: xwiki:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }} registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}


@@ -8,7 +8,6 @@ helmfiles:
# Path to the helmfile state file being processed BEFORE releases in this state file # Path to the helmfile state file being processed BEFORE releases in this state file
- path: "helmfile/apps/services/helmfile.yaml" - path: "helmfile/apps/services/helmfile.yaml"
- path: "helmfile/apps/keycloak/helmfile.yaml" - path: "helmfile/apps/keycloak/helmfile.yaml"
- path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
- path: "helmfile/apps/univention-management-stack/helmfile.yaml" - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml" - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
- path: "helmfile/apps/intercom-service/helmfile.yaml" - path: "helmfile/apps/intercom-service/helmfile.yaml"


@@ -8,8 +8,9 @@ repositories:
# Collabora Online # Collabora Online
# Source: https://github.com/CollaboraOnline/online # Source: https://github.com/CollaboraOnline/online
- name: "collabora-online-repo" - name: "collabora-online-repo"
username: "{{ .Values.charts.collabora.username }}" username: {{ .Values.charts.collabora.username | quote }}
password: {{ .Values.charts.collabora.password | quote }} password: {{ .Values.charts.collabora.password | quote }}
oci: {{ .Values.charts.collabora.oci }}
url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}" url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
releases: releases:
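Review bot: The `collabora-online-repo` entry has no `keyring`/`verify` pair, so chart provenance is not checked for it, whereas most other repositories in this commit carry both. Since `oci` and the registry now both come from `.Values.charts.collabora.*`, the chart may be pulled from a mirror rather than the upstream source named in the comment, which makes the missing signature check more relevant. If the chart served from that registry is signed, add `verify: {{ .Values.charts.collabora.verify }}` and a matching `keyring:` following the pattern of the other entries; if it is not, a comment such as `# chart is unsigned, provenance is not verified` would make the gap explicit. The same applies to `cryptpad-repo`, `keycloak-extensions-repo`, `nextcloud-repo`, `open-xchange-repo` and `ox-connector-repo` in the later file sections.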


@@ -8,8 +8,9 @@ repositories:
# CryptPad # CryptPad
# Source: https://github.com/cryptpad/helm # Source: https://github.com/cryptpad/helm
- name: "cryptpad-repo" - name: "cryptpad-repo"
username: "{{ .Values.charts.cryptpad.username }}" username: {{ .Values.charts.cryptpad.username | quote }}
password: {{ .Values.charts.cryptpad.password | quote }} password: {{ .Values.charts.cryptpad.password | quote }}
oci: {{ .Values.charts.cryptpad.oci }}
url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}" url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
releases: releases:


@@ -8,77 +8,77 @@ repositories:
# openDesk Element # openDesk Element
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
- name: "element-repo" - name: "element-repo"
oci: true oci: {{ .Values.charts.element.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }} verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.element.username }}" username: {{ .Values.charts.element.username | quote }}
password: {{ .Values.charts.element.password | quote }} password: {{ .Values.charts.element.password | quote }}
url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}" url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
- name: "element-well-known-repo" - name: "element-well-known-repo"
oci: true oci: {{ .Values.charts.elementWellKnown.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }} verify: {{ .Values.charts.elementWellKnown.verify }}
username: "{{ .Values.charts.elementWellKnown.username }}" username: {{ .Values.charts.elementWellKnown.username | quote }}
password: {{ .Values.charts.elementWellKnown.password | quote }} password: {{ .Values.charts.elementWellKnown.password | quote }}
url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}" url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
- name: "synapse-web-repo" - name: "synapse-web-repo"
oci: true oci: {{ .Values.charts.synapseWeb.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }} verify: {{ .Values.charts.synapseWeb.verify }}
username: "{{ .Values.charts.synapseWeb.username }}" username: {{ .Values.charts.synapseWeb.username | quote }}
password: {{ .Values.charts.synapseWeb.password | quote }} password: {{ .Values.charts.synapseWeb.password | quote }}
url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}" url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
- name: "synapse-repo" - name: "synapse-repo"
oci: true oci: {{ .Values.charts.synapse.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }} verify: {{ .Values.charts.synapse.verify }}
username: "{{ .Values.charts.synapse.username }}" username: {{ .Values.charts.synapse.username | quote }}
password: {{ .Values.charts.synapse.password | quote }} password: {{ .Values.charts.synapse.password | quote }}
url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}" url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
- name: "synapse-create-account-repo" - name: "synapse-create-account-repo"
oci: true oci: {{ .Values.charts.synapseCreateAccount.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }} verify: {{ .Values.charts.synapseCreateAccount.verify }}
username: "{{ .Values.charts.synapseCreateAccount.username }}" username: {{ .Values.charts.synapseCreateAccount.username | quote }}
password: {{ .Values.charts.synapseCreateAccount.password | quote }} password: {{ .Values.charts.synapseCreateAccount.password | quote }}
url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}" url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
# openDesk Matrix Widgets # openDesk Matrix Widgets
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
- name: "matrix-user-verification-service-repo" - name: "matrix-user-verification-service-repo"
oci: true oci: {{ .Values.charts.matrixUserVerificationService.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixUserVerificationService.verify }} verify: {{ .Values.charts.matrixUserVerificationService.verify }}
username: "{{ .Values.charts.matrixUserVerificationService.username }}" username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
password: {{ .Values.charts.matrixUserVerificationService.password | quote }} password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\ url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
{{ .Values.charts.matrixUserVerificationService.repository }}" {{ .Values.charts.matrixUserVerificationService.repository }}"
- name: "matrix-neoboard-widget-repo" - name: "matrix-neoboard-widget-repo"
oci: true oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }} verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: "{{ .Values.charts.matrixNeoboardWidget.username }}" username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }} password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neochoice-widget-repo" - name: "matrix-neochoice-widget-repo"
oci: true oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }} verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: "{{ .Values.charts.matrixNeoboardWidget.username }}" username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }} password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neodatefix-widget-repo" - name: "matrix-neodatefix-widget-repo"
oci: true oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixWidget.verify }} verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
username: "{{ .Values.charts.matrixNeodatefixWidget.username }}" username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }} password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}" url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
- name: "matrix-neodatefix-bot-repo" - name: "matrix-neodatefix-bot-repo"
oci: true oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixBot.verify }} verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
username: "{{ .Values.charts.matrixNeodatefixBot.username }}" username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
password: {{ .Values.charts.matrixNeodatefixBot.password | quote }} password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}" url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
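Review bot: `matrix-neochoice-widget-repo` takes `oci`, `verify`, `username`, `password` and `url` from `.Values.charts.matrixNeoboardWidget`, so its signature-verification switch and its registry follow the NeoBoard entry. This commit gives the other repositories in the section their own `verify` key instead of `.Values.charts.element.verify`, which makes this one look like a leftover copy. If a `matrixNeochoiceWidget` entry exists in the charts values (not visible here), the lines should use it, e.g. `verify: {{ .Values.charts.matrixNeochoiceWidget.verify }}`. If sharing the NeoBoard entry is intended, a comment such as `# shares the NeoBoard chart settings on purpose` would keep someone from turning verification off for one widget and unknowingly turning it off for the other.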


@@ -13,15 +13,15 @@ global:
configuration: configuration:
additionalConfiguration: additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
"net.nordeck.element_web.module.opendesk": "net.nordeck.element_web.module.opendesk":
config: config:
banner: banner:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json" ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent" ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/" portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
custom_css_variables: custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }} --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
widget_types: widget_types:


@@ -8,10 +8,10 @@ repositories:
# Intercom Service # Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo" - name: "intercom-service-repo"
oci: true oci: {{ .Values.charts.intercomService.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.intercomService.verify }} verify: {{ .Values.charts.intercomService.verify }}
username: "{{ .Values.charts.intercomService.username }}" username: {{ .Values.charts.intercomService.username | quote }}
password: {{ .Values.charts.intercomService.password | quote }} password: {{ .Values.charts.intercomService.password | quote }}
url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}" url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"


@@ -8,10 +8,10 @@ repositories:
# openDesk Jitsi # openDesk Jitsi
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
- name: "jitsi-repo" - name: "jitsi-repo"
oci: true oci: {{ .Values.charts.jitsi.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.jitsi.verify }} verify: {{ .Values.charts.jitsi.verify }}
username: "{{ .Values.charts.jitsi.username }}" username: {{ .Values.charts.jitsi.username | quote }}
password: {{ .Values.charts.jitsi.password | quote }} password: {{ .Values.charts.jitsi.password | quote }}
url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}" url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"


@@ -8,10 +8,10 @@ repositories:
# openDesk Keycloak Bootstrap # openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo" - name: "opendesk-keycloak-bootstrap-repo"
oci: true oci: {{ .Values.charts.keycloakBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakBootstrap.verify }} verify: {{ .Values.charts.keycloakBootstrap.verify }}
username: "{{ .Values.charts.keycloakBootstrap.username }}" username: {{ .Values.charts.keycloakBootstrap.username | quote }}
password: {{ .Values.charts.keycloakBootstrap.password | quote }} password: {{ .Values.charts.keycloakBootstrap.password | quote }}
url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}" url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}"


@@ -8,26 +8,27 @@ repositories:
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
- name: "keycloak-repo" - name: "keycloak-repo"
oci: true oci: {{ .Values.charts.keycloak.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloak.verify }} verify: {{ .Values.charts.keycloak.verify }}
username: "{{ .Values.charts.keycloak.username }}" username: {{ .Values.charts.keycloak.username | quote }}
password: {{ .Values.charts.keycloak.password | quote }} password: {{ .Values.charts.keycloak.password | quote }}
url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}" url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}"
# openDesk Keycloak Theme # openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo" - name: "keycloak-theme-repo"
oci: true oci: {{ .Values.charts.keycloakTheme.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakTheme.verify }} verify: {{ .Values.charts.keycloakTheme.verify }}
username: "{{ .Values.charts.keycloakTheme.username }}" username: {{ .Values.charts.keycloakTheme.username | quote }}
password: {{ .Values.charts.keycloakTheme.password | quote }} password: {{ .Values.charts.keycloakTheme.password | quote }}
url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}" url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}"
# openDesk Keycloak Extensions # openDesk Keycloak Extensions
- name: "keycloak-extensions-repo" - name: "keycloak-extensions-repo"
username: "{{ .Values.charts.keycloakExtensions.username }}" oci: {{ .Values.charts.keycloakExtensions.oci }}
username: {{ .Values.charts.keycloakExtensions.username | quote }}
password: {{ .Values.charts.keycloakExtensions.password | quote }} password: {{ .Values.charts.keycloakExtensions.password | quote }}
url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}" url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}"


@@ -42,7 +42,7 @@ keycloakConfigCli:
- name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT" - name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
value: "600s" value: "600s"
- name: "UNIVENTION_CORPORATE_SERVER_DOMAIN" - name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" value: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- name: "KEYCLOAK_DOMAIN" - name: "KEYCLOAK_DOMAIN"
value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
- name: "OPENXCHANGE_8_DOMAIN" - name: "OPENXCHANGE_8_DOMAIN"
@@ -78,7 +78,7 @@ keycloakConfigCli:
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME" - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap" value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD" - name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }} value: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
- name: "LDAPSEARCH_USERNAME" - name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak" value: "ldapsearch_keycloak"
resources: resources:
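Review bot: `LDAPSEARCH_PASSWORD` in the second hunk is rendered as a literal `value` in the `keycloakConfigCli` env list, so the LDAP bind password ends up in the rendered release values. If the chart passes this list to the container unchanged (not visible here), it also lands in the pod spec, where anyone allowed to read pods in the namespace can see it. In that case, replacing `value:` with a `valueFrom.secretKeyRef` that points at a Secret holding the password would keep it out of both. Separately, the first hunk keeps the variable name `UNIVENTION_CORPORATE_SERVER_DOMAIN` while its value is now the UMS host; a comment such as `# name kept as expected by the bootstrap job (TODO confirm); value is the UMS host` would explain the mismatch.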


@@ -6,20 +6,20 @@ bases:
--- ---
repositories: repositories:
# openDesk Keycloak Bootstrap # openDesk Keycloak Bootstrap
# Source: # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "nextcloud-bootstrap-repo" - name: "nextcloud-bootstrap-repo"
oci: true oci: {{ .Values.charts.nextcloudBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nextcloudBootstrap.verify }} verify: {{ .Values.charts.nextcloudBootstrap.verify }}
username: "{{ .Values.charts.nextcloudBootstrap.username }}" username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
password: {{ .Values.charts.nextcloudBootstrap.password | quote }} password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}" url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
# Nextcloud # Nextcloud
# Source: https://github.com/nextcloud/helm/ # Source: https://github.com/nextcloud/helm/
- name: "nextcloud-repo" - name: "nextcloud-repo"
username: "{{ .Values.charts.nextcloud.username }}" oci: {{ .Values.charts.nextcloud.oci }}
username: {{ .Values.charts.nextcloud.username | quote }}
password: {{ .Values.charts.nextcloud.password | quote }} password: {{ .Values.charts.nextcloud.password | quote }}
url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}" url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
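Review bot: The comment heading the first repository still reads `# openDesk Keycloak Bootstrap`, although the entry below it is `nextcloud-bootstrap-repo` and the `# Source:` line this commit rewrites points to the nextcloud-bootstrap chart. Change the heading to `# openDesk Nextcloud Bootstrap` so it names the chart whose signature is actually checked against the keyring in this entry.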


@@ -37,7 +37,7 @@ config:
ldapSearch: ldapSearch:
host: {{ .Values.ldap.host | quote }} host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
serverinfo: serverinfo:
token: {{ .Values.secrets.nextcloud.metricsToken | quote }} token: {{ .Values.secrets.nextcloud.metricsToken | quote }}


@@ -8,27 +8,27 @@ repositories:
# openDesk Dovecot # openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
- name: "dovecot-repo" - name: "dovecot-repo"
oci: true oci: {{ .Values.charts.dovecot.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.dovecot.verify }} verify: {{ .Values.charts.dovecot.verify }}
username: "{{ .Values.charts.dovecot.username }}" username: {{ .Values.charts.dovecot.username | quote }}
password: {{ .Values.charts.dovecot.password | quote }} password: {{ .Values.charts.dovecot.password | quote }}
url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}" url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
# Open-Xchange # Open-Xchange
- name: "open-xchange-repo" - name: "open-xchange-repo"
oci: true oci: {{ .Values.charts.openXchangeAppSuite.oci }}
username: "{{ .Values.charts.openXchangeAppSuite.username }}" username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
password: {{ .Values.charts.openXchangeAppSuite.password | quote }} password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}" url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
# openDesk Open-Xchange Bootstrap # openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
- name: "open-xchange-bootstrap-repo" - name: "open-xchange-bootstrap-repo"
oci: true oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }} verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
username: "{{ .Values.charts.openXchangeAppSuiteBootstrap.username }}" username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }} password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\ url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}" {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"


@@ -20,7 +20,7 @@ dovecot:
ldap: ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal" dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
host: {{ .Values.ldap.host | quote }} host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
oidc: oidc:
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect" introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"


@@ -14,5 +14,5 @@ appsuite:
port: 389 port: 389
auth: auth:
adminDN: adminDN:
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
... ...


@@ -81,21 +81,21 @@ appsuite:
"com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout" "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretProperties: secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }} com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }} com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }} com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
propertiesFiles: propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties": "/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal" java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
uiSettings: uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme # Dynamic theme
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }} io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }} io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }} io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }} io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}


@@ -8,10 +8,10 @@ repositories:
# openDesk OpenProject Bootstrap # openDesk OpenProject Bootstrap
# Source: Set when repo is managed on Open CoDE # Source: Set when repo is managed on Open CoDE
- name: "openproject-bootstrap-repo" - name: "openproject-bootstrap-repo"
oci: true oci: {{ .Values.charts.openprojectBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openprojectBootstrap.verify }} verify: {{ .Values.charts.openprojectBootstrap.verify }}
username: "{{ .Values.charts.openprojectBootstrap.username }}" username: {{ .Values.charts.openprojectBootstrap.username | quote }}
password: {{ .Values.charts.openprojectBootstrap.password | quote }} password: {{ .Values.charts.openprojectBootstrap.password | quote }}
url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}" url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"


@@ -8,10 +8,10 @@ repositories:
# OpenProject # OpenProject
# Source: https://github.com/opf/helm-charts # Source: https://github.com/opf/helm-charts
- name: "openproject-repo" - name: "openproject-repo"
oci: true oci: {{ .Values.charts.openproject.oci }}
keyring: "../../files/gpg-pubkeys/openproject-com.gpg" keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
verify: {{ .Values.charts.openproject.verify }} verify: {{ .Values.charts.openproject.verify }}
username: "{{ .Values.charts.openproject.username }}" username: {{ .Values.charts.openproject.username | quote }}
password: {{ .Values.charts.openproject.password | quote }} password: {{ .Values.charts.openproject.password | quote }}
url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}" url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"


@@ -67,7 +67,7 @@ environment:
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }} OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389" OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }} OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }} OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }} OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }} OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
@@ -76,7 +76,7 @@ environment:
OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }} OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}" OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }} OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
{{ if ne .Values.objectstores.openproject.backend "aws" }} {{ if ne .Values.objectstores.openproject.backend "aws" }}
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true" OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"


@@ -7,7 +7,8 @@ bases:
repositories: repositories:
# OX Connector # OX Connector
- name: "ox-connector-repo" - name: "ox-connector-repo"
username: "{{ .Values.charts.oxConnector.username }}" oci: {{ .Values.charts.oxConnector.oci }}
username: {{ .Values.charts.oxConnector.username | quote }}
password: {{ .Values.charts.oxConnector.password | quote }} password: {{ .Values.charts.oxConnector.password | quote }}
url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}" url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
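Review bot: The `ox-connector-repo` entry has neither `keyring` nor `verify`, so charts pulled from it with the templated credentials are presumably not signature-checked, unlike the openproject and services repositories in this commit, which set both. The thirteen `ums-*-repo` entries added in the Univention Management Stack helmfile further down have the same gap. If these charts are signed, add a `keyring:` line and a `verify:` line following the pattern of the sibling entries (for example `verify: {{ .Values.charts.oxConnector.verify }}`, assuming that value is defined). If they are not signed yet, a comment saying so would keep the omission from looking accidental. The `repositories:` list starts outside this hunk.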


@@ -26,7 +26,7 @@ oxConnector:
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1" oxDefaultContext: "1"
ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }} ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources: resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }} {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
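Review bot: The literal fallback `"ucctempldapstring"` that the old `ldapPassword` line used stays readable in the repository history after this removal. Any environment that was deployed with `ldap.host` set to `univention-corporate-container` should be treated as having a known LDAP password, and that password rotated when the deployment moves to `secrets.univentionManagementStack.ldapSecret`. A short entry in the migration notes would carry that. The `oxConnector:` mapping begins outside this hunk.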


@@ -8,101 +8,101 @@ repositories:
# openDesk Otterize # openDesk Otterize
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
- name: "otterize-repo" - name: "otterize-repo"
oci: true oci: {{ .Values.charts.otterize.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.otterize.verify }} verify: {{ .Values.charts.otterize.verify }}
username: "{{ .Values.charts.otterize.username }}" username: {{ .Values.charts.otterize.username | quote }}
password: {{ .Values.charts.otterize.password | quote }} password: {{ .Values.charts.otterize.password | quote }}
url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}" url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
# openDesk Certificates # openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
- name: "certificates-repo" - name: "certificates-repo"
oci: true oci: {{ .Values.charts.certificates.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.certificates.verify }} verify: {{ .Values.charts.certificates.verify }}
username: "{{ .Values.charts.certificates.username }}" username: {{ .Values.charts.certificates.username | quote }}
password: {{ .Values.charts.certificates.password | quote }} password: {{ .Values.charts.certificates.password | quote }}
url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}" url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
# openDesk PostgreSQL # openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
- name: "postgresql-repo" - name: "postgresql-repo"
oci: true oci: {{ .Values.charts.postgresql.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postgresql.verify }} verify: {{ .Values.charts.postgresql.verify }}
username: "{{ .Values.charts.postgresql.username }}" username: {{ .Values.charts.postgresql.username | quote }}
password: {{ .Values.charts.postgresql.password | quote }} password: {{ .Values.charts.postgresql.password | quote }}
url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}" url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
# openDesk MariaDB # openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
- name: "mariadb-repo" - name: "mariadb-repo"
oci: true oci: {{ .Values.charts.mariadb.oci }}
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.mariadb.verify }} verify: {{ .Values.charts.mariadb.verify }}
username: "{{ .Values.charts.mariadb.username }}" username: {{ .Values.charts.mariadb.username | quote }}
password: {{ .Values.charts.mariadb.password | quote }} password: {{ .Values.charts.mariadb.password | quote }}
url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}" url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
# openDesk Postfix # openDesk Postfix
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
- name: "postfix-repo" - name: "postfix-repo"
oci: true oci: {{ .Values.charts.postfix.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postfix.verify }} verify: {{ .Values.charts.postfix.verify }}
username: "{{ .Values.charts.postfix.username }}" username: {{ .Values.charts.postfix.username | quote }}
password: {{ .Values.charts.postfix.password | quote }} password: {{ .Values.charts.postfix.password | quote }}
url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}" url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
# openDesk Istio Resources # openDesk Istio Resources
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
- name: "istio-resources-repo" - name: "istio-resources-repo"
oci: true oci: {{ .Values.charts.istioResources.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.istioResources.verify }} verify: {{ .Values.charts.istioResources.verify }}
username: "{{ .Values.charts.istioResources.username }}" username: {{ .Values.charts.istioResources.username | quote }}
password: {{ .Values.charts.istioResources.password | quote }} password: {{ .Values.charts.istioResources.password | quote }}
url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}" url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
# openDesk ClamAV # openDesk ClamAV
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
- name: "clamav-repo" - name: "clamav-repo"
oci: true oci: {{ .Values.charts.clamav.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamav.verify }} verify: {{ .Values.charts.clamav.verify }}
username: "{{ .Values.charts.clamav.username }}" username: {{ .Values.charts.clamav.username | quote }}
password: {{ .Values.charts.clamav.password | quote }} password: {{ .Values.charts.clamav.password | quote }}
url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}" url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
- name: "clamav-simple-repo" - name: "clamav-simple-repo"
oci: true oci: {{ .Values.charts.clamavSimple.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamavSimple.verify }} verify: {{ .Values.charts.clamavSimple.verify }}
username: "{{ .Values.charts.clamavSimple.username }}" username: {{ .Values.charts.clamavSimple.username | quote }}
password: {{ .Values.charts.clamavSimple.password | quote }} password: {{ .Values.charts.clamavSimple.password | quote }}
url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}" url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
- name: "memcached-repo" - name: "memcached-repo"
oci: true oci: {{ .Values.charts.memcached.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.memcached.verify }} verify: {{ .Values.charts.memcached.verify }}
username: "{{ .Values.charts.memcached.username }}" username: {{ .Values.charts.memcached.username | quote }}
password: {{ .Values.charts.memcached.password | quote }} password: {{ .Values.charts.memcached.password | quote }}
url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}" url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
- name: "redis-repo" - name: "redis-repo"
oci: true oci: {{ .Values.charts.redis.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.redis.verify }} verify: {{ .Values.charts.redis.verify }}
username: "{{ .Values.charts.redis.username }}" username: {{ .Values.charts.redis.username | quote }}
password: {{ .Values.charts.redis.password | quote }} password: {{ .Values.charts.redis.password | quote }}
url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}" url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
- name: "minio-repo" - name: "minio-repo"
oci: true oci: {{ .Values.charts.minio.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.minio.verify }} verify: {{ .Values.charts.minio.verify }}
username: "{{ .Values.charts.minio.username }}" username: {{ .Values.charts.minio.username | quote }}
password: {{ .Values.charts.minio.password | quote }} password: {{ .Values.charts.minio.password | quote }}
url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}" url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"


@@ -42,8 +42,6 @@ apps:
enabled: {{ .Values.postgresql.enabled }} enabled: {{ .Values.postgresql.enabled }}
redis: redis:
enabled: {{ .Values.redis.enabled }} enabled: {{ .Values.redis.enabled }}
univentionCorporateServer:
enabled: {{ .Values.univentionCorporateServer.enabled }}
univentionManagementStack: univentionManagementStack:
enabled: {{ .Values.univentionManagementStack.enabled }} enabled: {{ .Values.univentionManagementStack.enabled }}
xwiki: xwiki:


@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Univention Corporate Server (as eval Container)
- name: "univention-corporate-container-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.univentionCorporateServer.verify }}
username: "{{ .Values.charts.univentionCorporateServer.username }}"
password: {{ .Values.charts.univentionCorporateServer.password | quote }}
url: "{{ .Values.charts.univentionCorporateServer.registry }}/\
{{ .Values.charts.univentionCorporateServer.repository }}"
releases:
- name: "univention-corporate-container"
chart: "univention-corporate-container-repo/{{ .Values.charts.univentionCorporateServer.name }}"
version: "{{ .Values.charts.univentionCorporateServer.version }}"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.univentionCorporateServer.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-corporate-container"
...


@@ -1,68 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
extraEnvVars:
- name: ISTIO_DOMAIN
value: {{ .Values.istio.domain | quote }}
- name: CENTRALNAVIGATION_API_SECRET
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
- name: LDAPSEARCH_DOVECOT_USERNAME
value: "ldapsearch_dovecot"
- name: LDAPSEARCH_DOVECOT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
- name: LDAPSEARCH_KEYCLOAK_USERNAME
value: "ldapsearch_keycloak"
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
value: "ldapsearch_nextcloud"
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
- name: LDAPSEARCH_OPENPROJECT_USERNAME
value: "ldapsearch_openproject"
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
- name: LDAPSEARCH_XWIKI_USERNAME
value: "ldapsearch_xwiki"
- name: LDAPSEARCH_XWIKI_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
- name: DEFAULT_ACCOUNT_USER_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
resources:
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
...


@@ -1,7 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
nodePort:
enabled: false
...


@@ -6,10 +6,72 @@ bases:
--- ---
repositories: repositories:
# Univention Management Stack # Univention Management Stack
- name: "ums-repo" - name: "ums-store-dav-repo"
url: >- oci: {{ .Values.charts.umsStoreDav.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | username: {{ .Values.charts.umsStoreDav.username | quote }}
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }} password: {{ .Values.charts.umsStoreDav.password | quote }}
url: "{{ .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
- name: "ums-ldap-server-repo"
oci: {{ .Values.charts.umsLdapServer.oci }}
username: {{ .Values.charts.umsLdapServer.username | quote }}
password: {{ .Values.charts.umsLdapServer.password | quote }}
url: "{{ .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
- name: "ums-ldap-notifier-repo"
oci: {{ .Values.charts.umsLdapNotifier.oci }}
username: {{ .Values.charts.umsLdapNotifier.username | quote }}
password: {{ .Values.charts.umsLdapNotifier.password | quote }}
url: "{{ .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
- name: "ums-udm-rest-api-repo"
oci: {{ .Values.charts.umsUdmRestApi.oci }}
username: {{ .Values.charts.umsUdmRestApi.username | quote }}
password: {{ .Values.charts.umsUdmRestApi.password | quote }}
url: "{{ .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
- name: "ums-stack-data-ums-repo"
oci: {{ .Values.charts.umsStackDataUms.oci }}
username: {{ .Values.charts.umsStackDataUms.username | quote }}
password: {{ .Values.charts.umsStackDataUms.password | quote }}
url: "{{ .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
- name: "ums-stack-data-swp-repo"
oci: {{ .Values.charts.umsStackDataSwp.oci }}
username: {{ .Values.charts.umsStackDataSwp.username | quote }}
password: {{ .Values.charts.umsStackDataSwp.password | quote }}
url: "{{ .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
- name: "ums-portal-server-repo"
oci: {{ .Values.charts.umsPortalServer.oci }}
username: {{ .Values.charts.umsPortalServer.username | quote }}
password: {{ .Values.charts.umsPortalServer.password | quote }}
url: "{{ .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
- name: "ums-notifications-api-repo"
oci: {{ .Values.charts.umsNotificationsApi.oci }}
username: {{ .Values.charts.umsNotificationsApi.username | quote }}
password: {{ .Values.charts.umsNotificationsApi.password | quote }}
url: "{{ .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
- name: "ums-portal-listener-repo"
oci: {{ .Values.charts.umsPortalListener.oci }}
username: {{ .Values.charts.umsPortalListener.username | quote }}
password: {{ .Values.charts.umsPortalListener.password | quote }}
url: "{{ .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
- name: "ums-portal-frontend-repo"
oci: {{ .Values.charts.umsPortalFrontend.oci }}
username: {{ .Values.charts.umsPortalFrontend.username | quote }}
password: {{ .Values.charts.umsPortalFrontend.password | quote }}
url: "{{ .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
- name: "ums-umc-gateway-repo"
oci: {{ .Values.charts.umsUmcGateway.oci }}
username: {{ .Values.charts.umsUmcGateway.username | quote }}
password: {{ .Values.charts.umsUmcGateway.password | quote }}
url: "{{ .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
- name: "ums-umc-server-repo"
oci: {{ .Values.charts.umsUmcServer.oci }}
username: {{ .Values.charts.umsUmcServer.username | quote }}
password: {{ .Values.charts.umsUmcServer.password | quote }}
url: "{{ .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
- name: "ums-selfservice-listener-repo"
oci: {{ .Values.charts.umsSelfserviceListener.oci }}
username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
- name: "nginx-repo" - name: "nginx-repo"
@@ -30,16 +92,17 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-store-dav" - name: "ums-store-dav"
chart: "ums-repo/{{ .Values.charts.umsStoreDav.name }}" chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "{{ .Values.charts.umsStoreDav.version }}" version: "{{ .Values.charts.umsStoreDav.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-store-dav.gotmpl" - "values-store-dav.gotmpl"
- "values-store-dav.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server" - name: "ums-ldap-server"
chart: "ums-repo/{{ .Values.charts.umsLdapServer.name }}" chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}" version: "{{ .Values.charts.umsLdapServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -49,7 +112,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier" - name: "ums-ldap-notifier"
chart: "ums-repo/{{ .Values.charts.umsLdapNotifier.name }}" chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}" version: "{{ .Values.charts.umsLdapNotifier.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -59,7 +122,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api" - name: "ums-udm-rest-api"
chart: "ums-repo/{{ .Values.charts.umsUdmRestApi.name }}" chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}" version: "{{ .Values.charts.umsUdmRestApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -69,7 +132,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums" - name: "ums-stack-data-ums"
chart: "ums-repo/{{ .Values.charts.umsStackDataUms.name }}" chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}" version: "{{ .Values.charts.umsStackDataUms.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -79,7 +142,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp" - name: "ums-stack-data-swp"
chart: "ums-repo/{{ .Values.charts.umsStackDataSwp.name }}" chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}" version: "{{ .Values.charts.umsStackDataSwp.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -89,7 +152,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server" - name: "ums-portal-server"
chart: "ums-repo/{{ .Values.charts.umsPortalServer.name }}" chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}" version: "{{ .Values.charts.umsPortalServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -99,7 +162,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api" - name: "ums-notifications-api"
chart: "ums-repo/{{ .Values.charts.umsNotificationsApi.name }}" chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}" version: "{{ .Values.charts.umsNotificationsApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -109,7 +172,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener" - name: "ums-portal-listener"
chart: "ums-repo/{{ .Values.charts.umsPortalListener.name }}" chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}" version: "{{ .Values.charts.umsPortalListener.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -119,7 +182,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend" - name: "ums-portal-frontend"
chart: "ums-repo/{{ .Values.charts.umsPortalFrontend.name }}" chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}" version: "{{ .Values.charts.umsPortalFrontend.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -129,7 +192,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway" - name: "ums-umc-gateway"
chart: "ums-repo/{{ .Values.charts.umsUmcGateway.name }}" chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}" version: "{{ .Values.charts.umsUmcGateway.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -139,7 +202,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server" - name: "ums-umc-server"
chart: "ums-repo/{{ .Values.charts.umsUmcServer.name }}" chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}" version: "{{ .Values.charts.umsUmcServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
@@ -149,7 +212,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-selfservice-listener" - name: "ums-selfservice-listener"
chart: "ums-repo/{{ .Values.charts.umsSelfserviceListener.name }}" chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}" version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"


@@ -7,4 +7,12 @@ volumes:
shared-data: "shared-data-ums-ldap-server-0" shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0" shared-run: "shared-run-ums-ldap-server-0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...
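Review bot: `runAsNonRoot` and `readOnlyRootFilesystem` are missing from the added `securityContext`, so whether the container runs as root with a writable root filesystem depends on image and chart defaults that are not visible in this hunk. If the image supports it, add `runAsNonRoot: true` and `readOnlyRootFilesystem: true` next to `privileged: false`; otherwise a comment naming the blocker documents the gap. The same block is added to the `notificationsapi`, `stackDataSwp` and stack-data-ums values files later in this commit.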


@@ -30,4 +30,25 @@ extraVolumeMounts:
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema" subPath: "opendeskProjectmanagement.schema"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...
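Review bot: The `add:` list puts back eleven capabilities directly after the `drop` of `ALL`, which is close to the default set a container runtime grants anyway, so the block restricts little in practice. `NET_RAW` (raw sockets on the pod network), `SYS_CHROOT` and `SETPCAP` are the ones most worth justifying or removing, and `DAC_OVERRIDE`, `SETUID` and `SETGID` suggest the process starts as root. I would trim the list to what the container demonstrably needs and put a comment such as `# required by <component>: <reason>` above each capability that stays. The identical list appears below in the values files containing `portal_background_image.svg`, `portalListener:`, `portalServer:` and `selfserviceListener:`.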


@@ -9,4 +9,12 @@ notificationsapi:
sql_echo: "False" sql_echo: "False"
api_prefix: "/univention/portal/notifications-api" api_prefix: "/univention/portal/notifications-api"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -70,4 +70,24 @@ extraVolumeMounts:
mountPath: "/var/www/html/custom/portal_background_image.svg" mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg" subPath: "portal_background_image.svg"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -13,4 +13,24 @@ portalListener:
store-dav: store-dav:
bundled: false bundled: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -11,4 +11,24 @@ portalServer:
centralNavigation: centralNavigation:
enabled: true enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -8,4 +8,24 @@ selfserviceListener:
umcServerUrl: "http://ums-umc-server" umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin" umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -8,7 +8,7 @@ stackDataSwp:
stackDataContext: stackDataContext:
ldapSearchUsers: ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }} {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }} - username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }} password: {{ $password | quote }}
lastname: "LDAP-Search-User" lastname: "LDAP-Search-User"
@@ -23,6 +23,8 @@ stackDataContext:
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }} portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }} portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }} portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
smtpHost: {{ .Values.smtp.host | quote }} smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }} smtpPort: {{ .Values.smtp.port | quote }}
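Review bot: The two new `portalTitleDE` / `portalTitleEN` lines interpolate `.Values.theme.texts.productName` inside a hand-written double-quoted string, while every neighbouring value goes through `printf … | quote`. A product name containing `"` or `\` would render as broken or mis-escaped YAML. Writing them as `portalTitleDE: {{ printf "%s Portal" .Values.theme.texts.productName | quote }}` (and the same for `portalTitleEN`) keeps the escaping in the template engine and matches the surrounding lines.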


@@ -8,9 +8,18 @@ stackDataSwp:
stackDataContext: stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal" ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "10" oxDefaultContext: "1"
smtpStartTls: true smtpStartTls: true
additionalAnnotations: additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp" intents.otterize.com/service-name: "ums-stack-data-swp"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -14,4 +14,13 @@ stackDataContext:
additionalAnnotations: additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums" intents.otterize.com/service-name: "ums-stack-data-ums"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...


@@ -18,4 +18,24 @@ extraVolumeMounts:
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json" subPath: "flag_to_group_mapping.json"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -20,4 +20,25 @@ extraVolumeMounts:
"/usr/share/univention-management-console-frontend/js/dijit/themes\ "/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png" /umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png" subPath: "udm-portals-announcement.png"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -51,4 +51,25 @@ memcached:
auth: auth:
username: null username: null
password: null password: null
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...


@@ -238,4 +238,21 @@ serverBlock: |
} }
} }
podSecurityContext:
enabled: true
fsGroup: 1001
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
... ...
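Review bot: `readOnlyRootFilesystem: false` is written out explicitly in the new `securityContext`, but nothing says why this container needs a writable root filesystem. The rest of the block is already tight (`drop: ALL`, `runAsNonRoot: true`, `runAsUser: 1001`), so this is the one setting a later reader will question. If the image only needs scratch space, mounting an `emptyDir` on those paths and setting the flag to `true` would be the stronger setting. Otherwise a comment such as `# root fs stays writable: image writes its generated config/temp files at start-up` records the reason; that wording is an assumption to confirm against the image.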


@@ -8,7 +8,8 @@ repositories:
# XWiki # XWiki
# Source: https://github.com/xwiki-contrib/xwiki-helm # Source: https://github.com/xwiki-contrib/xwiki-helm
- name: "xwiki-repo" - name: "xwiki-repo"
username: "{{ .Values.charts.xwiki.username }}" oci: {{ .Values.charts.xwiki.oci }}
username: {{ .Values.charts.xwiki.username | quote }}
password: {{ .Values.charts.xwiki.password | quote }} password: {{ .Values.charts.xwiki.password | quote }}
url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}" url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
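Review bot: The new `oci: {{ .Values.charts.xwiki.oci }}` line is rendered without a fallback, so an environment override that omits the key would emit an empty or non-boolean value here instead of `false`. The charts file in this commit does set `oci` for xwiki, so this only concerns custom value files. `oci: {{ .Values.charts.xwiki.oci | default false }}` makes the intended default explicit. Switching `username` to `| quote` is the right direction; the `url` line below still builds its string by hand and could be written as `{{ printf "%s/%s" … | quote }}` for consistency.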


@@ -22,7 +22,7 @@ customConfigs:
xwiki.authentication.ldap.port: 389 xwiki.authentication.ldap.port: 389
## Authentication to the LDAP server ## Authentication to the LDAP server
xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal" xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }} xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
## Base DN used for searching for users ## Base DN used for searching for users
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal" xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
## Allow short update cycles of the LDAP group cache ## Allow short update cycles of the LDAP group cache
@@ -35,8 +35,8 @@ customConfigs:
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }} "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
"url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
"workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json" "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
"workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" "workplaceServices.base": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
"workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }} "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
properties: properties:


@@ -3,9 +3,8 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
## Define LDAP service (supports "ums_eval" from the CI pipeline)
ldap: ldap:
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }} host: "ums-ldap-server"
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }} notifierHost: "ums-ldap-notifier"
baseDn: "dc=swp-ldap,dc=internal" baseDn: "dc=swp-ldap,dc=internal"
... ...


@@ -11,6 +11,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates"
name: "opendesk-certificates" name: "opendesk-certificates"
oci: true
version: "2.1.0" version: "2.1.0"
verify: true verify: true
username: ~ username: ~
@@ -25,6 +26,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/clamav" repository: "sovereign-workplace/souvap/tooling/charts/clamav"
name: "opendesk-clamav" name: "opendesk-clamav"
oci: true
version: "4.0.0" version: "4.0.0"
verify: true verify: true
username: ~ username: ~
@@ -40,6 +42,7 @@ charts:
repository: "sovereign-workplace/souvap/tooling/charts/clamav" repository: "sovereign-workplace/souvap/tooling/charts/clamav"
name: "clamav-simple" name: "clamav-simple"
version: "4.0.0" version: "4.0.0"
oci: true
verify: true verify: true
username: ~ username: ~
password: ~ password: ~
@@ -53,6 +56,7 @@ charts:
registry: "https://collaboraonline.github.io" registry: "https://collaboraonline.github.io"
repository: "online" repository: "online"
name: "collabora-online" name: "collabora-online"
oci: false
version: "1.0.2" version: "1.0.2"
username: ~ username: ~
password: ~ password: ~
@@ -66,6 +70,7 @@ charts:
registry: "https://cryptpad.github.io" registry: "https://cryptpad.github.io"
repository: "helm" repository: "helm"
name: "cryptpad" name: "cryptpad"
oci: false
version: "0.0.14" version: "0.0.14"
username: ~ username: ~
password: ~ password: ~
@@ -79,6 +84,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/dovecot" repository: "sovereign-workplace/souvap/tooling/charts/dovecot"
name: "dovecot" name: "dovecot"
oci: true
version: "1.3.6" version: "1.3.6"
verify: true verify: true
username: ~ username: ~
@@ -93,6 +99,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-element" name: "opendesk-element"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -107,6 +114,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-well-known" name: "opendesk-well-known"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -121,6 +129,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/intercom-service" repository: "sovereign-workplace/souvap/tooling/charts/intercom-service"
name: "intercom-service" name: "intercom-service"
oci: true
version: "2.0.1" version: "2.0.1"
verify: true verify: true
username: ~ username: ~
@@ -135,6 +144,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/istio-ressources" repository: "sovereign-workplace/souvap/tooling/charts/istio-ressources"
name: "istio-gateway" name: "istio-gateway"
oci: true
version: "2.0.0" version: "2.0.0"
verify: true verify: true
username: ~ username: ~
@@ -149,6 +159,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi"
name: "sovereign-workplace-jitsi" name: "sovereign-workplace-jitsi"
oci: true
version: "1.7.2" version: "1.7.2"
verify: true verify: true
username: ~ username: ~
@@ -163,6 +174,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts" repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "keycloak" name: "keycloak"
oci: true
version: "12.1.5" version: "12.1.5"
verify: true verify: true
username: ~ username: ~
@@ -177,6 +189,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap"
name: "sovereign-workplace-keycloak-bootstrap" name: "sovereign-workplace-keycloak-bootstrap"
oci: true
version: "1.1.12" version: "1.1.12"
verify: true verify: true
username: ~ username: ~
@@ -191,6 +204,7 @@ charts:
registry: "https://gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/77/packages/helm/stable" repository: "api/v4/projects/77/packages/helm/stable"
name: "keycloak-extensions" name: "keycloak-extensions"
oci: false
version: "0.1.0" version: "0.1.0"
username: ~ username: ~
password: ~ password: ~
@@ -204,6 +218,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/keycloak-theme" repository: "sovereign-workplace/souvap/tooling/charts/keycloak-theme"
name: "opendesk-keycloak-theme" name: "opendesk-keycloak-theme"
oci: true
version: "2.0.0" version: "2.0.0"
verify: true verify: true
username: ~ username: ~
@@ -218,6 +233,7 @@ charts:
registry: "registry.opencode.de" registry: "registry.opencode.de"
repository: "bmi/opendesk/components/charts/opendesk-mariadb" repository: "bmi/opendesk/components/charts/opendesk-mariadb"
name: "mariadb" name: "mariadb"
oci: true
version: "2.2.0" version: "2.2.0"
verify: true verify: true
username: ~ username: ~
@@ -232,6 +248,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neoboard-widget" name: "matrix-neoboard-widget"
oci: true
version: "3.3.0" version: "3.3.0"
verify: true verify: true
username: ~ username: ~
@@ -246,6 +263,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neochoice-widget" name: "matrix-neochoice-widget"
oci: true
version: "3.3.0" version: "3.3.0"
verify: true verify: true
username: ~ username: ~
@@ -260,6 +278,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-bot" name: "matrix-neodatefix-bot"
oci: true
version: "3.3.0" version: "3.3.0"
verify: true verify: true
username: ~ username: ~
@@ -274,6 +293,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-widget" name: "matrix-neodatefix-widget"
oci: true
version: "3.3.0" version: "3.3.0"
verify: true verify: true
username: ~ username: ~
@@ -288,6 +308,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-matrix-user-verification-service" name: "opendesk-matrix-user-verification-service"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -302,6 +323,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts" repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "memcached" name: "memcached"
oci: true
version: "6.6.2" version: "6.6.2"
verify: true verify: true
username: ~ username: ~
@@ -316,6 +338,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts" repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "minio" name: "minio"
oci: true
version: "12.8.19" version: "12.8.19"
verify: true verify: true
username: ~ username: ~
@@ -329,6 +352,7 @@ charts:
# dependencyType=vendor # dependencyType=vendor
registry: "https://nextcloud.github.io" registry: "https://nextcloud.github.io"
repository: "helm" repository: "helm"
oci: false
name: "nextcloud" name: "nextcloud"
version: "3.5.19" version: "3.5.19"
username: ~ username: ~
@@ -343,6 +367,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap"
name: "opendesk-nextcloud-bootstrap" name: "opendesk-nextcloud-bootstrap"
oci: true
version: "3.2.6" version: "3.2.6"
verify: true verify: true
username: ~ username: ~
@@ -357,6 +382,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts" repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "nginx" name: "nginx"
oci: true
version: "15.3.5" version: "15.3.5"
verify: true verify: true
username: ~ username: ~
@@ -371,6 +397,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/opf/helm-charts" repository: "sovereign-workplace/opf/helm-charts"
name: "openproject" name: "openproject"
oci: true
version: "3.0.2" version: "3.0.2"
verify: true verify: true
username: ~ username: ~
@@ -385,6 +412,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap"
name: "opendesk-openproject-bootstrap" name: "opendesk-openproject-bootstrap"
oci: true
version: "1.2.1" version: "1.2.1"
verify: true verify: true
username: ~ username: ~
@@ -399,6 +427,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/appsuite-public-sector/charts" repository: "sovereign-workplace/appsuite-public-sector/charts"
name: "appsuite-public-sector" name: "appsuite-public-sector"
oci: true
version: "2.2.34" version: "2.2.34"
username: ~ username: ~
password: ~ password: ~
@@ -412,6 +441,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap"
name: "sovereign-workplace-open-xchange-bootstrap" name: "sovereign-workplace-open-xchange-bootstrap"
oci: true
version: "1.3.1" version: "1.3.1"
verify: true verify: true
username: ~ username: ~
@@ -426,7 +456,8 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-otterize" repository: "sovereign-workplace/souvap/tooling/charts/opendesk-otterize"
name: "opendesk-otterize" name: "opendesk-otterize"
version: "1.1.5" oci: true
version: "1.1.6"
verify: true verify: true
username: ~ username: ~
password: ~ password: ~
@@ -440,6 +471,7 @@ charts:
registry: "https://gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/128/packages/helm/stable" repository: "api/v4/projects/128/packages/helm/stable"
name: "ox-connector" name: "ox-connector"
oci: false
version: "0.1.0-pre-jconde-listener-entrypoint-chaining" version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
username: ~ username: ~
password: ~ password: ~
@@ -453,6 +485,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/postfix" repository: "sovereign-workplace/souvap/tooling/charts/postfix"
name: "postfix" name: "postfix"
oci: true
version: "2.0.4" version: "2.0.4"
verify: true verify: true
username: ~ username: ~
@@ -467,6 +500,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/postgresql" repository: "sovereign-workplace/souvap/tooling/charts/postgresql"
name: "postgresql" name: "postgresql"
oci: true
version: "2.0.3" version: "2.0.3"
verify: true verify: true
username: ~ username: ~
@@ -481,6 +515,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts" repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "redis" name: "redis"
oci: true
version: "18.1.2" version: "18.1.2"
verify: true verify: true
username: ~ username: ~
@@ -495,6 +530,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse" name: "opendesk-synapse"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -509,6 +545,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse-create-account" name: "opendesk-synapse-create-account"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -523,6 +560,7 @@ charts:
registry: "external-registry.souvap-univention.de" registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse-web" name: "opendesk-synapse-web"
oci: true
version: "2.6.0" version: "2.6.0"
verify: true verify: true
username: ~ username: ~
@@ -534,9 +572,10 @@ charts:
# packageName=ldap-notifier # packageName=ldap-notifier
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "ldap-notifier" name: "ldap-notifier"
oci: false
version: "0.7.0" version: "0.7.0"
username: ~ username: ~
password: ~ password: ~
@@ -547,9 +586,10 @@ charts:
# packageName=ldap-server # packageName=ldap-server
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "ldap-server" name: "ldap-server"
oci: false
version: "0.7.0" version: "0.7.0"
username: ~ username: ~
password: ~ password: ~
@@ -560,9 +600,10 @@ charts:
# packageName=notifications-api # packageName=notifications-api
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "notifications-api" name: "notifications-api"
oci: false
version: "0.9.1" version: "0.9.1"
username: ~ username: ~
password: ~ password: ~
@@ -573,9 +614,10 @@ charts:
# packageName=portal-frontend # packageName=portal-frontend
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-frontend" name: "portal-frontend"
oci: false
version: "0.9.1" version: "0.9.1"
username: ~ username: ~
password: ~ password: ~
@@ -586,9 +628,10 @@ charts:
# packageName=portal-listener # packageName=portal-listener
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-listener" name: "portal-listener"
oci: false
version: "0.9.1" version: "0.9.1"
username: ~ username: ~
password: ~ password: ~
@@ -599,9 +642,10 @@ charts:
# packageName=portal-server # packageName=portal-server
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-server" name: "portal-server"
oci: false
version: "0.9.1" version: "0.9.1"
username: ~ username: ~
password: ~ password: ~
@@ -612,9 +656,10 @@ charts:
# packageName=umc-server # packageName=umc-server
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "selfservice-listener" name: "selfservice-listener"
oci: false
version: "0.2.0" version: "0.2.0"
username: ~ username: ~
password: ~ password: ~
@@ -625,9 +670,10 @@ charts:
# packageName=stack-data-swp # packageName=stack-data-swp
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "stack-data-swp" name: "stack-data-swp"
oci: false
version: "0.39.3" version: "0.39.3"
username: ~ username: ~
password: ~ password: ~
@@ -638,9 +684,10 @@ charts:
# packageName=stack-data-ums # packageName=stack-data-ums
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "stack-data-ums" name: "stack-data-ums"
oci: false
version: "0.39.3" version: "0.39.3"
username: ~ username: ~
password: ~ password: ~
@@ -651,9 +698,10 @@ charts:
# packageName=store-dav # packageName=store-dav
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "store-dav" name: "store-dav"
oci: false
version: "0.9.1" version: "0.9.1"
username: ~ username: ~
password: ~ password: ~
@@ -664,9 +712,10 @@ charts:
# packageName=udm-rest-api # packageName=udm-rest-api
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "udm-rest-api" name: "udm-rest-api"
oci: false
version: "0.4.1" version: "0.4.1"
username: ~ username: ~
password: ~ password: ~
@@ -677,9 +726,10 @@ charts:
# packageName=umc-gateway # packageName=umc-gateway
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "umc-gateway" name: "umc-gateway"
oci: false
version: "0.6.2" version: "0.6.2"
username: ~ username: ~
password: ~ password: ~
@@ -690,27 +740,14 @@ charts:
# packageName=umc-server # packageName=umc-server
# dataSource=helm # dataSource=helm
# dependencyType=vendor # dependencyType=vendor
registry: "gitlab.souvap-univention.de" registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable" repository: "api/v4/projects/155/packages/helm/stable"
name: "umc-server" name: "umc-server"
oci: false
version: "0.6.2" version: "0.6.2"
username: ~ username: ~
password: ~ password: ~
univentionCorporateServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/univention-corporate-container/univention-corporate-container
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention-corporate-container"
name: "univention-corporate-container"
version: "1.0.10"
verify: true
username: ~
password: ~
xwiki: xwiki:
# renovate: # renovate:
# registryUrl=https://xwiki-contrib.github.io/xwiki-helm # registryUrl=https://xwiki-contrib.github.io/xwiki-helm
@@ -719,9 +756,9 @@ charts:
# dependencyType=vendor # dependencyType=vendor
registry: "https://xwiki-contrib.github.io" registry: "https://xwiki-contrib.github.io"
repository: "xwiki-helm" repository: "xwiki-helm"
oci: false
name: "xwiki" name: "xwiki"
version: "1.2.3" version: "1.2.3"
verify: true
username: ~ username: ~
password: ~ password: ~
... ...
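Review bot: The last hunk drops `verify: true` from the `xwiki` chart, and none of the entries marked `oci: false` in this file carries a `verify` key (collabora-online, cryptpad, nextcloud, keycloak-extensions, ox-connector and the `projects/155` UMS charts). `appsuite-public-sector` is `oci: true` and has none either. Assuming `verify` is what enables chart signature or provenance checking in the helmfile, these charts are fetched with only a version pin, and `ox-connector` is pinned to what looks like a pre-release branch build. If verification cannot be enabled for those sources, I would record that next to each entry, e.g. `# verify: not available for this repository type; pinned by version only`, so the gap is a documented decision. The new `oci:` key also sits in different positions (before `name` for nextcloud and xwiki, after `version` for clamav-simple); one fixed position would make a missing `verify` easier to spot.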


@@ -26,7 +26,6 @@ global:
openxchange: "webmail" openxchange: "webmail"
openxchangeProvisioning: "ox-provisioning" openxchangeProvisioning: "ox-provisioning"
synapse: "matrix" synapse: "matrix"
univentionCorporateServer: "portal"
univentionManagementStack: "portal" univentionManagementStack: "portal"
whiteboard: "whiteboard" whiteboard: "whiteboard"
xwiki: "wiki" xwiki: "wiki"


@@ -382,13 +382,6 @@ images:
repository: "rapidfort/haproxy-official" repository: "rapidfort/haproxy-official"
tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd" tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
# @supplier: "Element" # @supplier: "Element"
univentionCorporateServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
# @supplier: "Univention"
umsConfigHtpasswd: umsConfigHtpasswd:
# renovate: # renovate:
# registryUrl=https://registry.souvap-univention.de # registryUrl=https://registry.souvap-univention.de


@@ -19,7 +19,6 @@ persistence:
prosody: "1Gi" prosody: "1Gi"
redis: "1Gi" redis: "1Gi"
synapse: "1Gi" synapse: "1Gi"
univentionCorporateServer: "1Gi"
univentionManagementStack: univentionManagementStack:
ldapServerData: "1Gi" ldapServerData: "1Gi"
ldapServerShared: "1Gi" ldapServerShared: "1Gi"


@@ -340,13 +340,6 @@ resources:
requests: requests:
cpu: 0.1 cpu: 0.1
memory: "64Mi" memory: "64Mi"
univentionCorporateServer:
limits:
cpu: 99
memory: "4Gi"
requests:
cpu: 0.5
memory: "1Gi"
umsLdapNotifier: umsLdapNotifier:
limits: limits:
cpu: 99 cpu: 99


@@ -11,11 +11,8 @@ secrets:
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }} shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }} oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }} oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
univentionCorporateServer: univentionManagementStack:
authSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum | quote }} ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
defaultAccounts:
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
ldapSearch: ldapSearch:
keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }} keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }}
nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }} nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }}
@@ -23,8 +20,6 @@ secrets:
ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }} ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }}
openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }} openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }}
xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }} xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }}
univentionManagementStack:
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
defaultAccounts: defaultAccounts:
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }} administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }} userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
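Review bot: The `univentionManagementStack.ldapSecret` line in the first hunk derives the `cn=admin` LDAP secret from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so a render without MASTER_PASSWORD set produces an LDAP admin credential computed from a master value that is published in this repository. The same fallback is on every `derivePassword` line in both hunks, including `administratorPassword` and the `ldapSearch` bind passwords. With UMS becoming the standard IAM in this commit, I would make the render fail instead of falling back, assuming the file is rendered by helmfile: `ldapSecret: {{ derivePassword 1 "long" (requiredEnv "MASTER_PASSWORD") "cn=admin" "ldap" | sha1sum | quote }}`, with the same substitution on the sibling lines. If the default has to stay for evaluation installs, a comment above `secrets:` should state that the fallback yields publicly derivable credentials and is for throwaway environments only.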


@@ -41,10 +41,8 @@ postgresql:
enabled: true enabled: true
redis: redis:
enabled: true enabled: true
univentionCorporateServer:
enabled: true
univentionManagementStack: univentionManagementStack:
enabled: false enabled: true
xwiki: xwiki:
enabled: true enabled: true
... ...