fix(univention-management-stack): Update otterize helm chart

2025-12-06 07:21:36 +01:00 · 2024-04-07 17:02:34 +02:00
parent 81ed9d9094
commit 4a23e39b6a
9 changed files with 116 additions and 65 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -48,7 +48,9 @@ variables:
        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    value: "dev"
  MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets."
+    description: >
+      Optional: Provide a seed to be used for generation of all internal secrets.
+      Same seed will result in same secrets.
    value: ""
  ENV_STOP_BEFORE:
    description: "Stop environment/delete namespace for the deployment."
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -27,7 +27,8 @@ repositories:
      {{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
+  # Source:
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -40,8 +40,8 @@ releases:
    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
    values:
      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-    # needs:
-    #   - "ums"
+    needs:
+      - "ums"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -151,6 +151,14 @@ ldap-notifier:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
+  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
+  resources:
+    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
+  securityContext:
+    seccompProfile:
+      type: "RuntimeDefault"
+    seLinuxOptions:
+      {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }}
  volumes:
    claims:
      shared-data: "shared-data-ums-ldap-server-0"
@@ -160,6 +168,7 @@ ldap-server:
  enabled: true
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
+  replicaCount: {{ .Values.replicas.umsLdapServer }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
@@ -167,7 +176,7 @@ ldap-server:
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
      repository: {{ .Values.images.umsWaitForDependency.repository }}
-      pullPolicy: {{ .Values.global.imagePullPolicy }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy }}
      pullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
@@ -176,17 +185,17 @@ ldap-server:
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
      repository: {{ .Values.images.umsLdapServer.repository | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      pullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
    config:
-      domainName: "{{ .Release.Namespace }}.gaia.open-desk.cloud"
+      domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
      ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-      samlMetadataUrl: "http://ums-keycloak:8080/realms/opendesk/protocol/saml/descriptor"
-      samlMetadataUrlInternal: "http://ums-keycloak:8080/realms/opendesk/protocol/saml/descriptor"
-      samlServiceProviders: "http://ums-keycloak:8000/univention/saml/metadata,http://ums-keycloak:8000/auth/realms/opendesk"
+      samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+      samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+      samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
    credentialSecret:
      name: ums-ldap-credentials
      key: adminPassword
@@ -247,6 +256,7 @@ notifications-api:
      username: {{ .Values.databases.umsNotificationsApi.username | quote }}
      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
      existingSecret: "ums-notifications-api-postgresql-credentials"
+  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  notificationsapi:
    apply_database_migrations: "True"
    dev_mode: "False"
@@ -255,7 +265,7 @@ notifications-api:
    sql_echo: "False"
    api_prefix: "/univention/portal/notifications-api"
  resources:
-    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}

 portal-frontend:
  enabled: true
@@ -267,7 +277,7 @@ portal-frontend:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
    repository: {{ .Values.images.umsPortalFrontend.repository }}
-    pullPolicy: {{ .Values.global.imagePullPolicy }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    tag: {{ .Values.images.umsPortalFrontend.tag }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
@@ -298,7 +308,7 @@ portal-frontend:
      subPath: "portal_background_image.svg"
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources:
-    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}

 portal-listener:
  enabled: true
@@ -347,6 +357,7 @@ portal-listener:
    objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
    objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
    objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
  resources:
    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}

@@ -389,7 +400,7 @@ portal-server:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
    repository: {{ .Values.images.umsPortalServer.repository }}
-    pullPolicy: {{ .Values.global.imagePullPolicy }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    tag: {{ .Values.images.umsPortalServer.tag }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
@@ -403,7 +414,7 @@ portal-server:
    umcGetUrl: "http://ums-umc-server/get"
    umcSessionUrl: "http://ums-umc-server/get/session-info"
    objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-    objectStorageBucket: "ums"
+    objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
    centralNavigation:
      enabled: true
    credentialSecret:
@@ -424,7 +435,7 @@ portal-server:
  replicaCount: {{ .Values.replicas.umsPortalServer }}

  resources:
-    {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
+    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}

 provisioning:
  enabled: false
@@ -582,12 +593,12 @@ stack-data-ums:
    ldapBase: {{ .Values.ldap.baseDn | quote }}
    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
    idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-    umcSamlSpFqdn: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
+    umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
    idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
    initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
    initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
-    umcPostgresqlHostname: {{ .Values.databases.umsNotificationsApi.host | quote }}
+    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
    umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
    umcMemcachedUsername: ""
@@ -606,7 +617,7 @@ stack-data-swp:
      - name: {{ . | quote }}
      {{- end }}
  stackDataContext:
-    ldapBase: "dc=swp-ldap,dc=internal"
+    ldapBase: {{ .Values.ldap.baseDn }}
    oxDefaultContext: "1"
    smtpStartTls: true
    ldapSearchUsers:
@@ -684,7 +695,7 @@ selfservice-listener:
    waitForDependency:
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
      repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}

  persistence:
@@ -697,6 +708,8 @@ selfservice-listener:
  resourcesDependencyWaiter:
    {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 4 }}

+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
+
  selfserviceListener:
    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
    ldapHost: {{ .Values.ldap.host | quote }}
@@ -780,6 +793,7 @@ umc-gateway:
    repository: {{ .Values.images.umsUmcGateway.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsUmcGateway.tag | quote }}
+  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  umcGateway:
    umcHtmlTitle: "openDesk - Admin"
  extraVolumes:
@@ -848,6 +862,7 @@ umc-server:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
+  replicaCount: {{ .Values.replicas.umsUmcServer }}
  umcServer:
    certPemFile: "/var/secrets/ssl/tls.crt"
    caCert: "Cg=="
@@ -957,7 +972,7 @@ keycloak:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
    repository: {{ .Values.images.umsKeycloak.repository | quote }}
    tag: {{ .Values.images.umsKeycloak.tag | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

  config:
    admin:
@@ -1096,6 +1111,7 @@ keycloak-extensions:
      username: {{ .Values.databases.keycloakExtension.username | quote }}
      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
  handler:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
    # nameOverride: "keycloak-extensions-handler"
@@ -1130,8 +1146,9 @@ keycloak-extensions:
      runAsNonRoot: true
      seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
    resources:
-      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
+      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
  proxy:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
    # nameOverride: "keycloak-extensions-proxy"
@@ -1186,7 +1203,7 @@ keycloak-extensions:
      runAsNonRoot: true
      seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
    resources:
-      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
+      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}

 keycloak-postgresql:
  enabled: false
@@ -1219,6 +1236,10 @@ stack-gateway:
  podSecurityContext:
    enabled: true
    fsGroup: 1001
+  replicaCount: {{ .Values.replicas.umsStackGateway }}
+
+  resources:
+    {{ .Values.resources.umsStackGateway | toYaml | nindent 4 }}

  containerSecurityContext:
    enabled: true
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -294,7 +294,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "1.7.9"
+    version: "2.0.0"
    verify: true
  oxConnector:
    # providerCategory: 'Supplier'
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -44,9 +44,19 @@ replicas:
  redis: 1
  synapse: 1
  synapseWeb: 1
+  umsKeycloakExtensionsHandler: 1
+  umsKeycloakExtensionsProxy: 1
+  umsLdapNotifier: 1
+  umsLdapServer: 1
+  umsNotificationsApi: 1
  umsPortalFrontend: 1
+  umsPortalListener: 1
  umsPortalServer: 1
+  umsSelfserviceListener: 1
+  umsStackGateway: 1
  umsUdmRestApi: 1
+  umsUmcGateway: 1
+  umsUmcServer: 1
  wellKnown: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -501,6 +501,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsStackGateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
  umsUdmRestApi:
    limits:
      cpu: 99
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -75,9 +75,19 @@ replicas:
  redis: 42
  synapse: 42
  synapseWeb: 42
+  umsKeycloakExtensionsHandler: 42
+  umsKeycloakExtensionsProxy: 42
+  umsLdapNotifier: 42
+  umsLdapServer: 42
+  umsNotificationsApi: 42
  umsPortalFrontend: 42
+  umsPortalListener: 42
  umsPortalServer: 42
+  umsSelfserviceListener: 42
+  umsStackGateway: 42
  umsUdmRestApi: 42
+  umsUmcGateway: 42
+  umsUmcServer: 42
  wellKnown: 42
  xwiki: 42
 ...