commit 533c5040faebd91f4012b604d0f4779ea1510424 Author: Dominik Kaminski Date: Thu Jul 20 10:25:23 2023 +0200 feat(sovereign-workplace): Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 00000000..da58f91e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+.vscode
+.idea
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..4e9aa0ec
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,323 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +stages: + - "env-cleanup" + - "env" + - "basic-services-deploy" + - "component-deploy" + - "component-bootstrap" + - "ucs-post-bootstrap" + - "run-tests" + - "env-stop" + +variables: + NAMESPACE: + description: "The name of namespaces to deploy to." + value: "" + CLUSTER: + description: "Define which cluster to use - don't select prototype when you are not explicitly knowing what you are doing!" + value: "develop" + options: + - "develop" + - "hubble" + - "dataport-dev" + - "prototype" + TLD: + description: "Define the Cluster Domain (TLD)." + value: "souvap-univention.de" + options: + - "souvap-univention.de" + - "at-univention.de" + - "souvap.cloud" + MASTER_PASSWORD: + description: "Optional: Provide a passphrase to be used for password generation." + value: "sovereign-workplace" + ENV_STOP_BEFORE: + description: "Stop environment/delete namespace for the deployment" + value: "no" + options: + - "yes" + - "no" + DEPLOY_ALL_COMPONENTS: + description: "Enable all component deployment (overwrites 'no' setting on component level)." + value: "no" + options: + - "yes" + - "no" + DEPLOY_SERVICES: + description: "Enable Service deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_UCS: + description: "Enable Univention Corporate Server deployment. Depends on `DEPLOY_KEYCLOAK` and `DEPLOY_VAULT`." + value: "no" + options: + - "yes" + - "no" + DEPLOY_PROVISIONING: + description: "Enable Provisioning Components." + value: "no" + options: + - "yes" + - "no" + DEPLOY_COLLABORA: + description: "Enable Collabora deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_KEYCLOAK: + description: "Enable Keycloak deployment. 'yes' deploys upstream (bitnami) Keycloak, select 'keycloak_univention' to install Univention maintained Keycloak." 
+ value: "no" + options: + - "yes" + - "no" + DEPLOY_OX: + description: "Enable OX AppSuite8 deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_ICS: + description: "Enable ICS deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_XWIKI: + description: "Enable XWiki deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_NEXTCLOUD: + description: "Enable Nextcloud deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_OPENPROJECT: + description: "Enable OpenProject deployment." + value: "no" + options: + - "yes" + - "no" + DEPLOY_JITSI: + description: "Enable Jitsi deployment." + value: "no" + options: + - "yes" + - "no" + # please use the following set of variables with normalized names: + DOMAIN: "${NAMESPACE}.${CLUSTER}.${TLD}" + ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${TLD}" + +.deploy-common: + cache: {} + dependencies: [] + image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest" + secrets: + SMTP_PASSWORD: + vault: + engine: + name: "kv-v2" + path: "swp" + path: "accounts/brained/mail/relay@souvap-univention.de" + field: "password" + file: false + TURN_CREDENTIALS: + vault: + engine: + name: "kv-v2" + path: "swp" + path: "accounts/souvap-univention.de/develop/turn/secret" + field: "credentials" + file: false + script: + - cd "${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}" + # Match Cluster to helmfile environments + - | + if [ "${CLUSTER}" = "develop" ]; then + export HELMFILE_ENVIRONMENT=uv-develop + elif [ "${CLUSTER}" = "prototype" ]; then + export HELMFILE_ENVIRONMENT=uv-develop + elif [ "${CLUSTER}" = "hubble" ]; then + export HELMFILE_ENVIRONMENT=default + elif [ "${CLUSTER}" = "dataport-dev" ]; then + export HELMFILE_ENVIRONMENT=ionos + else + echo "Unsupported cluster chosen: ${CLUSTER}" + exit 1 + fi; + - echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}" + - helmfile --namespace ${NAMESPACE} apply --suppress-diff + tags: 
+ - "docker" + - "kubernetes" + - "${CLUSTER}" + +env-cleanup: + extends: ".deploy-common" + environment: + name: "${NAMESPACE}" + action: "stop" + needs: [] + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $ENV_STOP_BEFORE != "no" + when: "always" + script: + - "helmfile destroy --namespace ${NAMESPACE}" + - "kubectl delete pvc --all --namespace ${NAMESPACE}" + stage: "env-cleanup" + +env-start: + environment: + name: "${NAMESPACE}" + url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}" + on_stop: "env-stop" + extends: ".deploy-common" + image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ + when: "always" + script: + - 'echo "Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster"' + - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -" + - > + kubectl create secret + --namespace "${NAMESPACE}" + docker-registry external-registry + --docker-server "external-registry.souvap-univention.de" + --docker-username sovereign-workplace + --docker-password "${EXTERNAL_REGISTRY_PASSWORD}" + --dry-run=client -o yaml | kubectl apply -f - + stage: "env" + +services-deploy: + stage: "basic-services-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no") + when: always + variables: + COMPONENT: "services" + +ucs-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no") + when: always + variables: + COMPONENT: "univention-corporate-container" + +provisioning-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && 
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no") + when: always + variables: + COMPONENT: "provisioning" + +keycloak-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no") + when: always + variables: + COMPONENT: "keycloak" + +keycloak-bootstrap-deploy: + stage: "component-deploy" + extends: ".deploy-common" + timeout: 30m + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no") + when: always + variables: + COMPONENT: "keycloak-bootstrap" + +ox-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OX != "no") + when: always + variables: + COMPONENT: "open-xchange" + +ics-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no") + when: always + variables: + COMPONENT: "intercom-service" + +xwiki-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_XWIKI != "no") + when: always + variables: + COMPONENT: "xwiki" + +collabora-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_COLLABORA != "no") + when: always + variables: + COMPONENT: "collabora" + +nextcloud-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ 
"web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no") + when: always + variables: + COMPONENT: "nextcloud" + +openproject-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OPENPROJECT != "no") + when: always + variables: + COMPONENT: "openproject" + +jitsi-deploy: + stage: "component-deploy" + extends: ".deploy-common" + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_JITSI != "no") + when: always + variables: + COMPONENT: "jitsi" + +env-stop: + extends: ".deploy-common" + environment: + name: "${NAMESPACE}" + action: "stop" + image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6" + needs: [] + rules: + - if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ + when: "manual" + script: + - "echo 'We do not stop the env (delete the namespace) at the moment in this stage, as deleting a branches also triggers this env-stop stage and we do not want this to happen.'" + # - kubectl delete namespace "${NAMESPACE}" + stage: "env-stop" + variables: + GIT_STRATEGY: "none" diff --git a/COMPONENTS-FUNCTIONAL.md b/COMPONENTS-FUNCTIONAL.md new file mode 100644 index 00000000..22513727 --- /dev/null +++ b/COMPONENTS-FUNCTIONAL.md 
@@ -0,0 +1,28 @@ + +**Content / Quick navigation** + +[[_TOC_]] + +# Functional Components + +Functional components are the core of the SWP as they provide it's rich functionaly. We use the community versions of the named products. For production environments please use enterprise versions for support and scalabiliy reasons. + +## Groupware - Open-Xchange AppSuite + +## WebOffice - Collabora Development Edition + +## File & Share - Nextcloud + +## Kollaboration - dOnlineZusammenarbeit 2.0 + +## Videokonferenzen - Jitsi + +## Knowledge Management - XWiki + +## Project Management - OpenProject + +## IAM - Univention Corporate Services diff --git a/COMPONENTS-SERVICE.md b/COMPONENTS-SERVICE.md new file mode 100644 index 00000000..a7ee7a7e --- /dev/null +++ b/COMPONENTS-SERVICE.md 
@@ -0,0 +1,62 @@ + +**Content / Quick navigation** + +[[_TOC_]] + +# Service Components + +Service components are required to operate the SWP. The deployment automation contains a full set of service components in order for the deployment to be self contained. But please be aware that the components are not ment to be used in production scenarios. Check out the service components details to understand how to make use of external services in case you want to setup production environments. + +## Database - MariaDB + +This services is used by: +- Nextcloud +- Open-Xchange +- XWiki + +## Database - PostgreSQL + +This services is used by: +- Keycloak +- OpenProject + +## Redis + +This service is used by: +- Intercom-Service +- Nextcloud + +## Postfix + +This service is used by: +- Keycloak (e.g. new device login notification) +- Nextcloud (e.g. share file notifictions) +- Open-Xchange (emails) +- OpenProject (general notifications) +- UCS (e.g. password reset emails) +- XWiki (e.g. change notifications) + +## TURN Server + +- dOZ 2.0 +- Jitsi + +## NFS + +[remove this as it should be addressed by the RWX prerequsite!?] + +This service is used by +- Dovecot +- Nextcloud + +## ICAP + +This service is used by +- Nextcloud +- Open-Xchange + +## Objectstore - MinIO diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md new file mode 100644 index 00000000..f5cdd1df --- /dev/null +++ b/CONTRIBUTE.md 
@@ -0,0 +1,57 @@ + +# How to contribute? + +When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests. + +# Standards and conventions + +## Branching + +We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow). + +## Verified commits + +We only allow verify commits: +- https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/ +- https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/ +- https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/ + +## Approval + +MRs require one approval from the SouvAP devops team with security clearance. + +## Conventional Commits + +See https://www.conventionalcommits.org/en/v1.0.0/#summary for reference. + +Commits that do not adhere to the standard might be rejected. + +## Semantic Release + +See https://github.com/semantic-release/semantic-release for reference. + +## Linting + +Following linters must pass: +- [yaml-lint](https://github.com/adrienverge/yamllint) +- [helm-lint](https://helm.sh/docs/helm/helm_lint/) + +## Helm vs. Operators vs. Manifests + +Due to DVS requirements: + +- we have to use [Helm charts](https://helm.sh/) (that can consist of Manifests). +- we should avoid stand alone Manifests. +- we do not use Operators. + +In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile). + +## Tooling + +We should not introduce a new tool without sharing the purpose with the team and let the team decide if the tool should be used. + +We should avoid adding unnecessary complexity. diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt new file mode 100644 index 00000000..5e5ac9cf --- /dev/null +++ b/LICENSES/Apache-2.0.txt 
@@ -0,0 +1,14 @@ + Copyright (C) 2023 Bundesministerium des Innern und für Heimat, + PG ZenDiS "Projektgruppe für Aufbau ZenDiS" + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 00000000..f6512181 --- /dev/null +++ b/README.md 
@@ -0,0 +1,207 @@ + +**Content / Quick navigation** + +[[_TOC_]] + +# Disclaimer July 2023 + +The current state of the SouvAP is missing two components that are not yet generally available to the public also outside the SouvAP (Element Starter Edition and Open-Xchange App Suite 8), and contains components that will be replaced (e.g. UCS container monolith with multiple Univention Management Stack containers). We not only expect upstream updates of the functional components within their feature scope but we are going to address operational issues like monitoring and network policies. + +Of course we will extend the documentation + + +# The Sovereign Workplace (SWP) + +The SWP's runtime environment is [Kubernetes](https://kubernetes.io/), often written in it's short form "K8s". + +While not all components are perfectly shaped for the execution as containers, one of the projects objectives is the make the applications more aligned with best practise when it comes to container design and operations. + +This documentation gives you - hopefully - all you need to setup your own instance of the SWP. You should have at least basic knowledge Kubernetes and Devops knowledge. + +To have an overview of what can be found at Open CoDE and the basic components of the SWP, please check out the [OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info). + +Especially check out the section ["Mitwirkung und Beteiligung"](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#mitwirkung-und-beteiligung) if you are missing something or you have questions. We appreciate your feedback to improve product and documentation. +## Prerequisites + +You have to take care about the following prerequisites in order to deploy the SWP: + +- Vanilla K8s cluster +- Domain and DNS Service [ToDo: manual setup docu with * record...] 
+- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy and Cillium) +- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and [HelmDiff](https://github.com/databus23/helm-diff) +- Volume provisioner supporting RWO (read-write-once) and RWX (read-write-many) +- Certificate handling with [cert-manager](https://cert-manager.io/) +- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are working with Open-Xchange to get rid of this component. + +### Feature based prerequisites + +- An external SMTP relay/gateway for sending mails from various components +- PKI / CI for Open-Xchange AppSuite S/MIME feature +- STUN/TURN server + +# + +- Domain and cert management (table with all hostnames we need to set (`.`), reference to cert-manager, manual requires in DNS service) +- Parametrisierungsdoku + - Service components + - Environments (ingress & storage definitions) + - Secrets (and "upstream" input secrets) + +[ggf. später] +- Debugging (explain the centralized debugging values and provide additional debugging info for each component - when available. Explain that the midterm goal is to have distroless containers!) +- Functional Components +- Service Components +- CONTRIBUTE.md + + +## Self contained deployment + +We differenciate between +- functional components (e.g. Fileshare, Groupware, IAM etc.) that are the actual focus of the SWP and +- service components (e.g. databases, storage) that are available within this deployment as well in order to make it self-contained. But in other than dev, test and demo scenarios we expect service components to be provided externally by the operator. 
+ +**DEV-REQUIREMENT**: A functional component that makes use of a service component has to support a config option that allows the use of an external service and skips the installation of the given service component within the deployment, as long as no other functional compontent still relies on that service component. + +## CI based deployment + +**Note: Please only deploy components you need for your developmet, as the full stack is quite resource hungry and we have limited resources. There is a nightly (namespace `nighly`) build from `main` on the `develop` cluster with all components enabled.** + +**Note: Currently Gitlab sometimes does not load the configures pipeline variables as expected, so if you don't see any predefined variables on the pipelines mentioned in this document you want to reload the page in order to ensure there aren't any variables. It works on reload in 99% of the cases.** + +- Please use the `develop` cluster unless you are explicitly advised to use another cluster. +- Install prerequisites and gain access to the cluster following the instructions here: https://gitlab.souvap-univention.de/groups/souvap/devops/-/wikis/deployment/K8s-cluster +- In order to deploy an instance of the SWP with selected components by running the pipeline of this project you need to request a certificate first by executing this pipeline: https://gitlab.souvap-univention.de/souvap/infrastructure/k8s-certificates/-/pipelines/new stating your desired namespace. + - You might want to check the available certificates first: `kubectl -n istio-system get certificate` + - We have separated the cert-management from the actual deployment to avoid getting hit my letsencrypt's rate limits. + +Todos +- some info on the modules +- some info on how long a deployment takes +- rerun / update vs redeploy vs refresh complete namespace +- some info on "debugging" the deployment +- semantic release (on main) + +## Local deployments + +[..] 
+ +## Helmfile + +### Setup + +helmfile needs `helm` and the helm plugin `helm-diff` to run properly. + +To install helm-diff ( helm >2.3.): +```bash +helm plugin install https://github.com/databus23/helm-diff +``` + +### Environment + +You need to expose following variables to run the default installation with helmfile + + +| name | default | description | +|---------------------|------------------------------|----------------------------------------------------------| +| `DOMAIN` | `souvap-univention.de` | External reachable TLD. | +| `ISTIO_DOMAIN` | `istio.souvap-univention.de` | External reachable TLD for Istio Gateway. | +| `MASTER_PASSWORD` | `sovereign-workplace` | The password where generated passwords are derived from. | +| `SMTP_PASSWORD` | | Password for STMP relay gateway. | +| `TURN_CREDENTIALS` | | Credentials for coturn server. | + +### Configuration + +In order to have a functional deployment, you need to adapt the default values to your infrastructure. + +#### Deployment selection + +As default, all available components are deployed. + +| Component | Name | Default | Description | +|-----------------------------|-------------------------------------|---------|---------------------------------| +| Certificates | `certificates.enabled` | `true` | TLS certificates. | +| ClamAV | `clamav.enabled` | `true` | Antivirus engine. | +| Collabora | `collabora.enabled` | `true` | Weboffice | +| Dovecot | `dovecot.enabled` | `true` | Mail backend (for development). | +| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange. 
| +| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | +| Keycloak | `keycloak.enabled` | `true` | Identity Provider | +| MariaDB | `mariadb.enabled` | `true` | Database (for development) | +| Nextcloud | `nextcloud.enabled` | `true` | File share | +| OpenProject | `openproject.enabled` | `true` | Project management | +| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | +| OX Connector | `oxConnector.enabled` | `true` | Backend provisioning | +| Postfix | `postfix.enabled` | `true` | MTA (for development) | +| PostgreSQL | `postgresql.enabled` | `true` | Database (for development) | +| Redis | `redis.enabled` | `true` | Cache (for development) | +| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | LDAP | +| XWIKI | `xwiki.enabled` | `true` | Knowledgebase | + +#### TLS Certificate + +The setup will create a `cert-manager.io` Certificate resource. + +You can set the ClusterIssuer via `certificate.issuerRef.name` + +#### Databases + +| Component | Name | Type | Parameter | Key | Default | +|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------| +| Keycloak | Keycloak | PostgreSQL | | | | +| | | | Name | `databases.keycloak.name` | `keycloak` | +| | | | Host | `databases.keycloak.host` | `postgresql` | +| | | | Port | `databases.keycloak.port` | `5432` | +| | | | Username | `databases.keycloak.username` | `keycloak_user` | +| | | | Password | `databases.keycloak.password` | | +| | Keycloak Extension | PostgreSQL | | | | +| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` | +| | | | Host | `databases.keycloakExtension.host` | `postgresql` | +| | | | Port | `databases.keycloakExtension.port` | `5432` | +| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` | +| | | | Password | `databases.keycloakExtension.password` | | +| Nextcloud | Nextcloud | MariaDB | | | | +| | | | Name | 
`databases.nextcloud.name` | `nextcloud` | +| | | | Host | `databases.nextcloud.host` | `mariadb` | +| | | | Username | `databases.nextcloud.username` | `nextcloud_user` | +| | | | Password | `databases.nextcloud.password` | | +| OpenProject | Keycloak | PostgreSQL | | | | +| | | | Name | `databases.openproject.name` | `openproject` | +| | | | Host | `databases.openproject.host` | `postgresql` | +| | | | Port | `databases.openproject.port` | `5432` | +| | | | Username | `databases.openproject.username` | `openproject_user` | +| | | | Password | `databases.openproject.password` | | +| OX Appsuite | OX Appsuite | MariaDB | | | | +| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` | +| | | | Host | `databases.oxAppsuite.host` | `mariadb` | +| | | | Username | `databases.oxAppsuite.username` | `root` | +| | | | Password | `databases.oxAppsuite.password` | | +| XWIKI | XWIKI | MariaDB | | | | +| | | | Name | `databases.xwiki.name` | `xwiki` | +| | | | Host | `databases.xwiki.host` | `mariadb` | +| | | | Username | `databases.xwiki.username` | `xwiki_user` | +| | | | Password | `databases.xwiki.password` | | + +#### Scaling + +Replicas for scalable components can be increased. 
+ +| Component | Name | Default | Service | Scaling | +|-------------|------------------------|---------|--------------------|--------------------| +| ClamAV | `replicas.clamd` | `1` | :white_check_mark: | :white_check_mark: | +| | `replicas.freshclam` | `1` | :white_check_mark: | :x: | +| | `replicas.icap` | `1` | :white_check_mark: | :white_check_mark: | +| | `replicas.milter` | `1` | :white_check_mark: | :white_check_mark: | +| Collabora | `replicas.collabora` | `1` | :white_check_mark: | :white_check_mark: | +| Dovecot | `replicas.dovecot` | `1` | :white_check_mark: | :x: | +| Jitsi | `replicas.jibri` | `1` | :white_check_mark: | :white_check_mark: | +| | `replicas.jicofo` | `1` | :white_check_mark: | :white_check_mark: | +| | `replicas.jitsi ` | `1` | :white_check_mark: | :white_check_mark: | +| | `replicas.jvb ` | `1` | :white_check_mark: | :white_check_mark: | +| Keycloak | `replicas.keycloak` | `1` | :white_check_mark: | :white_check_mark: | +| Nextcloud | `replicas.nextcloud` | `1` | :white_check_mark: | :white_check_mark: | +| OpenProject | `replicas.openproject` | `1` | :white_check_mark: | :white_check_mark: | +| Postfix | `replicas.postfix` | `1` | :white_check_mark: | :x: | +| XWIKI | `replicas.xwiki` | `1` | :white_check_mark: | :white_check_mark: | diff --git a/helmfile.yaml b/helmfile.yaml new file mode 100644 index 00000000..ce4d184f --- /dev/null +++ b/helmfile.yaml 
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+#
+# Advanced Configuration: Nested States
+#
+helmfiles:
+ # Path to the helmfile state file being processed BEFORE releases in this state file
+ - path: "helmfile/apps/services/helmfile.yaml"
+ - path: "helmfile/apps/keycloak/helmfile.yaml"
+ - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
+ - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
+ - path: "helmfile/apps/openproject/helmfile.yaml"
+ - path: "helmfile/apps/intercom-service/helmfile.yaml"
+ - path: "helmfile/apps/open-xchange/helmfile.yaml"
+ - path: "helmfile/apps/xwiki/helmfile.yaml"
+ - path: "helmfile/apps/collabora/helmfile.yaml"
+ - path: "helmfile/apps/nextcloud/helmfile.yaml"
+ - path: "helmfile/apps/jitsi/helmfile.yaml"
+ - path: "helmfile/apps/provisioning/helmfile.yaml"
+
+missingFileHandler: "Error"
+
+...
diff --git a/helmfile/apps/collabora/helmfile.yaml b/helmfile/apps/collabora/helmfile.yaml
new file mode 100644
index 00000000..cac931c5
--- /dev/null
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "collabora-online"
+ url: "https://collaboraonline.github.io/online"
+
+releases:
+ - name: "collabora-online"
+ chart: "collabora-online/collabora-online"
+ version: "1.0.2"
+ values:
+ - "values.yaml"
+ - "values.gotmpl"
+ condition: "collabora.enabled"
+
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/collabora/values.gotmpl b/helmfile/apps/collabora/values.gotmpl
new file mode 100644
index 00000000..1a67d1b4
--- /dev/null
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
+ tag: "{{ .Values.images.collabora.tag }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ className: "{{ .Values.ingress.ingressClassName }}"
+ hosts:
+ - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+ paths:
+ - path: "/"
+ pathType: "Prefix"
+ tls:
+ - secretName: "{{ .Values.ingress.tls.secretName }}"
+ hosts:
+ - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+
+collabora:
+ # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
+ username: "collabora-internal-admin"
+ password: {{ .Values.secrets.collabora.adminPassword }}
+ aliasgroups:
+ - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
+
+replicaCount: {{ .Values.replicas.collabora }}
+...
diff --git a/helmfile/apps/collabora/values.yaml b/helmfile/apps/collabora/values.yaml
new file mode 100644
index 00000000..93b9e381
--- /dev/null
+++ b/helmfile/apps/collabora/values.yaml
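Review bot: `password: {{ .Values.secrets.collabora.adminPassword }}` renders the admin secret as an unquoted plain scalar, so a generated value beginning with `*`, `&`, `{` or `#`, containing `: ` or ` #`, or looking like a number or boolean is either retyped or a YAML parse error when helmfile renders the values; emit it as `password: {{ .Values.secrets.collabora.adminPassword | quote }}`. The admin console whose URL the comment above gives appears to be served by the same pod behind the `/` `Prefix` ingress on the public `collabora` hostname, so the fixed, well-known username `collabora-internal-admin` plus that password is all that protects it from the internet; if the chart offers no way to restrict `/browser/dist/admin`, say so in the comment and add an ingress-level allowlist for that path. `enabled: {{ .Values.ingress.enabled }}` is fine as a bare boolean only while the value is guaranteed non-empty — an empty expansion becomes `null`, which most charts treat as disabled without warning.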
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/README.md or
+# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/collabora-online/values.yaml
+
+fullnameOverride: "collabora"
+
+image:
+ pullPolicy: "IfNotPresent"
+
+collabora:
+ extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
+
+securityContext:
+ capabilities:
+ add:
+ - "MKNOD"
+
+ingress:
+ annotations:
+ # nginx
+ nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+ # HAProxy
+ haproxy.org/timeout-tunnel: "3600s"
+ haproxy.org/backend-config-snippet: |
+ mode http
+ balance leastconn
+ stick-table type string len 2048 size 1k store conn_cur
+ http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
+ http-request track-sc1 url_param(WOPISrc)
+ stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
+ stick store-request url_param(WOPISrc)
+
+autoscaling:
+ enabled: false
+...
diff --git a/helmfile/apps/intercom-service/helmfile.yaml b/helmfile/apps/intercom-service/helmfile.yaml
new file mode 100644
index 00000000..06498480
--- /dev/null
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "intercom-service"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+
+releases:
+ - name: "intercom-service"
+ chart: "intercom-service/intercom-service"
+ version: "1.1.3"
+ values:
+ - "values.yaml"
+ - "values.gotmpl"
+ condition: "intercom.enabled"
+
+bases:
+ - "../../bases/environments.yaml"
+...
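Review bot: `securityContext.capabilities.add: ["MKNOD"]` grants the Collabora container an extra Linux capability with no comment explaining why, which is exactly the line a later hardening pass (or a pod security admission policy) will strip without context; add `# MKNOD: presumably required by Collabora's in-container jail setup — confirm against the upstream chart README and drop if the image runs without it` above it, hedged because nothing here shows the need. `extra_params: "--o:ssl.enable=false --o:ssl.termination=true"` means the WOPI and websocket hop between ingress and pod is plaintext inside the cluster; that is the common pattern, but with the README stating that network policies are still to come, a comment such as `# TLS is terminated at the ingress; the ingress->pod hop is unencrypted and relies on cluster-internal trust` makes the trade-off visible to operators. The two ingress annotation sets (nginx `upstream-hash-by` and the HAProxy snippet) are both applied regardless of `ingressClassName`; harmless today, but worth a one-line note that the unused controller ignores its annotations.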
diff --git a/helmfile/apps/intercom-service/values.gotmpl b/helmfile/apps/intercom-service/values.gotmpl
new file mode 100644
index 00000000..f8469705
--- /dev/null
+++ b/helmfile/apps/intercom-service/values.gotmpl
@@ -0,0 +1,43 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: "{{ .Values.global.domain }}"
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+ics:
+ secret: {{ .Values.secrets.intercom.secret }}
+ issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+ originRegex: "{{ .Values.istio.domain }}"
+ default:
+ domain: "{{ .Values.global.domain }}"
+ oidc:
+ secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
+ matrix:
+ asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
+ serverName: "matrix.{{ .Values.global.domain }}"
+ portal:
+ apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
+ redis:
+ password: {{ .Values.secrets.redis.password }}
+ openxchange:
+ url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+
+image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.intercom.repository }}"
+ tag: "{{ .Values.images.intercom.tag }}"
+
+ingress:
+ host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+ enabled: "{{ .Values.ingress.enabled }}"
+ ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+ tls:
+ enabled: "{{ .Values.ingress.tls.enabled }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+...
diff --git a/helmfile/apps/intercom-service/values.yaml b/helmfile/apps/intercom-service/values.yaml
new file mode 100644
index 00000000..c20a4004
--- /dev/null
+++ b/helmfile/apps/intercom-service/values.yaml
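Review bot: `originRegex: "{{ .Values.istio.domain }}"` feeds a bare domain name into a field whose name says it is a regular expression, so every dot matches any character and nothing anchors the pattern; if the service uses it to validate request origins (the name suggests so, the chart is not visible here), `istio.develop.example.de` would also accept `istioXdevelop.example.de`-shaped hosts and any origin that merely contains the domain as a substring, such as `https://istio.develop.example.de.attacker.example`. Escape and anchor it, e.g. `originRegex: '^https://([a-z0-9-]+\.)?{{ .Values.istio.domain | replace "." "\\." }}$'` (single-quoted so the backslashes survive YAML; sprig's `replace` is available in helmfile templates; adjust the subdomain class to what the service actually needs). Separately, every secret here — `ics.secret`, `oidc.secret`, `matrix.asSecret`, `portal.apiKey`, `redis.password` — is rendered as an unquoted plain scalar, so a generated value beginning with `*`, `&`, `{` or containing `: ` breaks or retypes the document; append `| quote` to each. `ingress.enabled: "{{ .Values.ingress.enabled }}"` and `tls.enabled` are quoted, so the chart receives the strings `"true"`/`"false"` rather than booleans — confirm the chart tolerates that, since the collabora values in this same commit pass the same flag unquoted.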
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+istio:
+ enabled: false
+ virtualService:
+ enabled: false
+...
diff --git a/helmfile/apps/jitsi/helmfile.yaml b/helmfile/apps/jitsi/helmfile.yaml
new file mode 100644
index 00000000..b19f9747
--- /dev/null
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "jitsi"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+
+releases:
+ - name: "jitsi"
+ chart: "jitsi/sovereign-workplace-jitsi"
+ version: "1.1.0"
+ values:
+ - "values-jitsi.gotmpl"
+ condition: "jitsi.enabled"
+
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/jitsi/values-jitsi.gotmpl b/helmfile/apps/jitsi/values-jitsi.gotmpl
new file mode 100644
index 00000000..58f77f5b
--- /dev/null
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -0,0 +1,120 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: "{{ .Values.global.domain }}"
+ registry: "{{ .Values.global.imageRegistry }}"
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
+ tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
+
+settings:
+ jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+
+jitsi:
+ publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+ web:
+ replicaCount: {{ .Values.replicas.jitsi }}
+ image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
+ tag: "{{ .Values.images.jitsi.tag }}"
+ ingress:
+ enabled: "{{ .Values.ingress.enabled }}"
+ ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+ hosts:
+ - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+ paths:
+ - "/"
+ tls:
+ - secretName: "{{ .Values.ingress.tls.secretName }}"
+ hosts:
+ - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+ extraEnvs:
+ TURN_ENABLE: "1"
+ resources:
+ {{ .Values.resources.openproject | toYaml | nindent 6 }}
+ prosody:
+ image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
+ tag: "{{ .Values.images.prosody.tag }}"
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ extraEnvs:
+ - name: "AUTH_TYPE"
+ value: "jwt"
+ - name: "JWT_APP_ID"
+ value: "myappid"
+ - name: "JWT_APP_SECRET"
+ value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+ - name: TURNS_HOST
+ value: "{{ .Values.turn.tls.host }}"
+ - name: TURNS_PORT
+ value: "{{ .Values.turn.tls.port }}"
+ - name: TURN_HOST
+ value: "{{ .Values.turn.server.host }}"
+ - name: TURN_PORT
+ value: "{{ .Values.turn.server.port }}"
+ - name: TURN_TRANSPORT
+ value: "{{ .Values.turn.transport }}"
+ - name: TURN_CREDENTIALS
+ value: "{{ .Values.turn.credentials }}"
+ resources:
+ {{ .Values.resources.openproject | toYaml | nindent 6 }}
+ persistence:
+ size: "{{ .Values.persistence.size.prosody }}"
+ storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+ jicofo:
+ replicaCount: {{ .Values.replicas.jicofo }}
+ image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
+ tag: "{{ .Values.images.jicofo.tag }}"
+ xmpp:
+ password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
+ componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+ resources:
+ {{ .Values.resources.openproject | toYaml | nindent 6 }}
+ jvb:
+ replicaCount: {{ .Values.replicas.jvb }}
+ image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
+ tag: "{{ .Values.images.jvb.tag }}"
+ xmpp:
+ password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+ resources:
+ {{ .Values.resources.openproject | toYaml | nindent 6 }}
+ jibri:
+ replicaCount: {{ .Values.replicas.jibri }}
+ image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
+ tag: "{{ .Values.images.jibri.tag }}"
+ recorder:
+ password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+ xmpp:
+ password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+ resources:
+ {{ .Values.resources.openproject | toYaml | nindent 6 }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+
+patchJVB:
+ image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
+ tag: "{{ .Values.images.jitsiPatchJVB.v20230425 }}"
+replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
+
+resources:
+ {{ .Values.resources.jitsiKeycloakAdapter | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/keycloak-bootstrap/helmfile.yaml b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
new file mode 100644
index 00000000..561eb060
--- /dev/null
+++ b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "swp-keycloak-bootstrap"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+
+releases:
+ - name: "swp-keycloak-bootstrap"
+ chart: "swp-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+ version: "1.1.11"
+ values:
+ - "values-bootstrap.gotmpl"
+ - "values-bootstrap.yaml"
+ condition: "keycloak.enabled"
+ # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
+ timeout: 1800
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
new file mode 100644
index 00000000..330c689c
--- /dev/null
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
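Review bot: every Jitsi component (`web`, `prosody`, `jicofo`, `jvb`, `jibri`) takes its `resources:` from `.Values.resources.openproject`, which reads as a copy-paste from another application's values file and means the whole video stack runs under OpenProject's requests and limits; give them their own keys (`.Values.resources.jvb`, `.Values.resources.prosody`, …) or rename the shared key to say what it really is. `JWT_APP_ID` is the hard-coded tutorial placeholder `"myappid"`: prosody presumably compares it against the token's issuer/app claim, and a value shared by every installation makes that check no more specific than the secret alone, so source it from values next to `JWT_APP_SECRET`. `ingress.enabled: "{{ .Values.ingress.enabled }}"` is quoted, and a quoted `"false"` is a non-empty string that a chart `{{ if }}` treats as true, so leave it unquoted unless the chart coerces it. `patchJVB.image.tag` reads `.Values.images.jitsiPatchJVB.v20230425` while every other image here uses `.tag`; if that key is absent the tag renders empty, so confirm it is intentional or switch to `tag: "{{ .Values.images.jitsiPatchJVB.tag }}"`.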
@@ -0,0 +1,25 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: "{{ .Values.global.domain }}"
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ registry: "{{ .Values.global.imageRegistry }}"
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+config:
+ administrator:
+ password: "{{ .Values.secrets.keycloak.adminPassword }}"
+
+image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.keycloakBootstrap.repository }}"
+ tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+
+resources:
+ {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml b/helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml
new file mode 100644
index 00000000..9da971a7
--- /dev/null
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+config:
+ administrator:
+ username: "kcadmin"
+
+cleanup:
+ deletePodsOnSuccess: true
+...
diff --git a/helmfile/apps/keycloak/helmfile.yaml b/helmfile/apps/keycloak/helmfile.yaml
new file mode 100644
index 00000000..df89fa3a
--- /dev/null
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "bitnami"
+ url: "https://charts.bitnami.com/bitnami"
+ - name: "keycloak-theme"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
+ - name: "keycloak-extensions"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+
+releases:
+ - name: "keycloak-theme"
+ chart: "keycloak-theme/sovereign-workplace-theme"
+ version: "1.0.0"
+ values:
+ - "values-theme.gotmpl"
+ condition: "keycloak.enabled"
+ - name: "keycloak"
+ chart: "bitnami/keycloak"
+ version: "12.2.0"
+ values:
+ - "values-keycloak.gotmpl"
+ - "values-keycloak.yaml"
+ - "values-keycloak-idp.yaml"
+ wait: true
+ condition: "keycloak.enabled"
+ - name: "keycloak-extensions"
+ chart: "keycloak-extensions/keycloak-extensions"
+ version: "0.1.0"
+ needs:
+ - "keycloak"
+ values:
+ - "values-extensions.yaml"
+ - "values-extensions.gotmpl"
+ condition: "keycloak.enabled"
+
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/keycloak/values-extensions.gotmpl b/helmfile/apps/keycloak/values-extensions.gotmpl
new file mode 100644
index 00000000..a1f3eef9
--- /dev/null
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -0,0 +1,43 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ keycloak:
+ adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+ postgresql:
+ connection:
+ host: "{{ .Values.databases.keycloakExtension.host }}"
+ port: "{{ .Values.databases.keycloakExtension.port }}"
+ auth:
+ database: "{{ .Values.databases.keycloakExtension.name }}"
+ username: "{{ .Values.databases.keycloakExtension.username }}"
+ password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
+handler:
+ appConfig:
+ smtpPassword: "{{ .Values.smtp.password }}"
+ smtpHost: "{{ .Values.smtp.host }}"
+ smtpUsername: "{{ .Values.smtp.username }}"
+ mailFrom: "noreply@{{ .Values.global.domain }}"
+ resources:
+ {{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
+proxy:
+ image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.keycloakExtension.repository }}"
+ tag: "{{ .Values.images.keycloakExtension.tag }}"
+ imagePullPolicy: "Always"
+ ingress:
+ enabled: "{{ .Values.ingress.enabled }}"
+ ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+ annotations:
+ nginx.org/proxy-buffer-size: "8k"
+ host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ tls:
+ enabled: "{{ .Values.ingress.tls.enabled }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+ resources:
+ {{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
+
+...
diff --git a/helmfile/apps/keycloak/values-extensions.yaml b/helmfile/apps/keycloak/values-extensions.yaml
new file mode 100644
index 00000000..9e2d765a
--- /dev/null
+++ b/helmfile/apps/keycloak/values-extensions.yaml
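Review bot: `adminPassword: {{ .Values.secrets.keycloak.adminPassword }}` and the `password: {{ ... | default ... }}` line under `auth` are rendered unquoted, so a Keycloak admin or database password that is all digits, or that begins with `*`, `&`, `{`, `[` or `#`, is silently re-typed or breaks the rendered YAML; quote both, e.g. `adminPassword: "{{ .Values.secrets.keycloak.adminPassword }}"`, matching how `smtpPassword` is already written further down. `proxy.ingress.enabled: "{{ .Values.ingress.enabled }}"` and `tls.enabled` have the inverse problem: quoted, they become the strings `"true"`/`"false"`, and a chart `{{ if }}` treats `"false"` as true, so render them bare unless the chart is known to coerce them. `imagePullPolicy: "Always"` on the proxy is the right setting for a mutable tag but is also the signal that the tag is not pinned; a digest-pinned image would let it drop to `IfNotPresent` and make deployments reproducible.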
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+global:
+ keycloak:
+ host: "keycloak"
+ adminUsername: "kcadmin"
+ adminRealm: "master"
+ realm: "souvap"
+
+handler:
+ image:
+ tag: "latest"
+ appConfig:
+ captchaProtectionEnable: "False"
+
+postgresql:
+ enabled: false
+
+proxy:
+ image:
+ tag: "latest"
+...
diff --git a/helmfile/apps/keycloak/values-keycloak-idp.yaml b/helmfile/apps/keycloak/values-keycloak-idp.yaml
new file mode 100644
index 00000000..a47ec514
--- /dev/null
+++ b/helmfile/apps/keycloak/values-keycloak-idp.yaml
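Review bot: `handler.image.tag: "latest"` and `proxy.image.tag: "latest"` pin the Keycloak extensions to a mutable tag, so what runs depends on what the registry serves at deploy time and a rollback cannot reproduce the previous image; pin both to an immutable version or digest (the proxy tag is overridden by `values-extensions.gotmpl` in this commit because it is listed later in the release's `values`, but the handler tag is not). `captchaProtectionEnable: "False"` switches off whatever bot protection the handler offers with no comment saying why; if the handler serves only authenticated flows, say so, otherwise this leaves a public form open to automated abuse — e.g. `# captcha disabled: TODO confirm the handler exposes no unauthenticated form`. The value is also the capitalised string `"False"` rather than a YAML boolean, so check that the handler parses it as false and does not treat any non-empty string as enabled.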
@@ -0,0 +1,1691 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +keycloakConfigCli: + configuration: + idp.json: | + { + "id": "$(IDENTIFIER)", + "realm": "$(IDENTIFIER)", + "enabled": true, + "resetPasswordAllowed": true, + "rememberMe": true, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 1209600, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "eventsEnabled": true, + "eventsExpiration": 600, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [ + "LOGIN_ERROR", + "LOGIN" + ], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "browserSecurityHeaders": { + "xFrameOptions": "ALLOW-FROM https://www.google.com", + "contentSecurityPolicy": "frame-src 'self' https://www.google.com; frame-ancestors 'self' https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention; object-src 'none';" + }, + "clients": [ + { + "clientId": "intercom", + "name": "intercom", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_INTERCOM_PASSWORD)", + "redirectUris": [ + "https://$(INTERCOM_SERVICE_DOMAIN)/callback" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.revoke.offline.tokens": 
"true", + "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://$(INTERCOM_SERVICE_DOMAIN)/backchannel-logout", + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "intercom audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "intercom", + "id.token.claim": "false", + "access.token.claim": "true" + } + } + ], + "defaultClientScopes": [ + "phoenix", + "offline_access" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "jitsi", + "name": "jitsi", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)", + "redirectUris": [ + "https://$(JITSI_PLAIN_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "authorizationServicesEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": 
"https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "phoenix", + "profile" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "matrix", + "name": "matrix", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_MATRIX_PASSWORD)", + "redirectUris": [ + "https://$(ELEMENT_DOMAIN)/*", + "https://$(MATRIX_DOMAIN)/*", + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.revoke.offline.tokens": "true", + "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout", + "post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "phoenix" + ], + "optionalClientScopes": [ + "profile", + "email" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "ncoidc", + "name": "ncoidc", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_NCOIDC_PASSWORD)", + "redirectUris": [ + 
"https://$(NEXTCLOUD_DOMAIN)/*", + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.revoke.offline.tokens": "true", + "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://$(NEXTCLOUD_DOMAIN)/apps/user_oidc/backchannel-logout/ncoidc", + "post.logout.redirect.uris": "https://$(NEXTCLOUD_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*", + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "context", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "context", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "context", + "jsonType.label": "String" + } + }, + { + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + }, + { + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "phoenix", + "read_contacts", + "write_contacts", + "email" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "openproject", + "name": "openproject", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_OPENPROJECT_PASSWORD)", + "redirectUris": [ + "https://$(OPENPROJECT_DOMAIN)/*", + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "backchannel.logout.url": "https://$(OPENPROJECT_DOMAIN)/auth/keycloak/backchannel-logout", + "post.logout.redirect.uris": 
"https://$(OPENPROJECT_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [], + "defaultClientScopes": [ + "phoenix", + "profile", + "email" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "xwiki", + "name": "xwiki", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "$(CLIENT_SECRET_XWIKI_PASSWORD)", + "redirectUris": [ + "https://$(XWIKI_DOMAIN)/*", + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.session.required": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "backchannel.logout.url": "https://$(XWIKI_DOMAIN)/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout", + "post.logout.redirect.uris": "https://$(XWIKI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [], + "defaultClientScopes": [ + "phoenix", + "profile", + "address", + "email" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, + { + "clientId": "as8oidc", + "name": "as8oidc", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": 
"$(CLIENT_SECRET_AS8OIDC_PASSWORD)", + "redirectUris": [ + "https://$(OPENXCHANGE_8_DOMAIN)/*", + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "backchannel.logout.revoke.offline.tokens": "true", + "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://$(OPENXCHANGE_8_DOMAIN)/ajax/oidc/backchannel_logout", + "post.logout.redirect.uris": "https://$(OPENXCHANGE_8_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*", + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "context", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "context", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "context", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "phoenix", + "read_contacts", + "write_contacts" + ], + "optionalClientScopes": [], + "access": { + "view": true, + 
"configure": true, + "manage": true + } + }, + { + "clientId": "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention/saml/metadata", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention/saml/" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "saml", + "attributes": { + "saml.force.post.binding": "true", + "saml.multivalued.roles": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml.signature.algorithm": "RSA_SHA256", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "saml.allow.ecp.flow": "false", + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "true", + "saml_single_logout_service_url_post": "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention/saml/slo/", + "saml.encrypt": "false", + "saml_assertion_consumer_url_post": "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention/saml/", + "saml.server.signature": "true", + "exclude.session.state.from.auth.response": "false", + "saml.artifact.binding": "false", + "saml_single_logout_service_url_redirect": "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/univention/saml/slo/", + "saml_force_name_id_format": "false", + "saml_idp_initiated_sso_url_name": "ucs", + "saml_idp_initiated_sso_relay_state": "https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/", + 
"acr.loa.map": "{}", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "true", + "display.on.consent.screen": "false", + "saml.assertion.lifespan": "300", + "saml_name_id_format": "username", + "token.response.type.bearer.lower-case": "false", + "saml.onetimeuse.condition": "false", + "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "userid_mapper", + "protocol": "saml", + "protocolMapper": "saml-user-attribute-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "URI Reference", + "user.attribute": "uid", + "friendly.name": "uid", + "attribute.name": "urn:oid:0.9.2342.19200300.100.1.1" + } + } + ], + "defaultClientScopes": [ + "role_list" + ], + "optionalClientScopes": [] + } + ], + "clientScopes": [ + { + "name": "phoenix", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "name": "entryuuid", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "entryuuid", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "entryuuid", + "jsonType.label": "String" + } + }, + { + "name": "phoenixusername", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoenixusername", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phoenixusername", + "jsonType.label": "String" + } + } + ] + }, + { + "name": "read_contacts", + "protocol": "openid-connect", + "attributes": {} + }, + { + "name": "write_contacts", + "protocol": 
"openid-connect", + "attributes": {} + } + ], + "loginTheme": "$(THEME)", + "internationalizationEnabled": true, + "supportedLocales": [ + "de", + "en" + ], + "defaultLocale": "de", + "components": { + "org.keycloak.storage.UserStorageProvider": [ + { + "name": "$(KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME)", + "providerId": "ldap", + "subComponents": { + "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [ + { + "name": "entryuuid", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "entryUUID" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "read.only": [ + "true" + ], + "always.read.value.from.ldap": [ + "false" + ], + "user.model.attribute": [ + "entryuuid" + ] + } + }, + { + "name": "ldap-group-mapper", + "providerId": "group-ldap-mapper", + "subComponents": {}, + "config": { + "membership.attribute.type": [ + "UID" + ], + "group.name.ldap.attribute": [ + "cn" + ], + "membership.user.ldap.attribute": [ + "uid" + ], + "preserve.group.inheritance": [ + "false" + ], + "groups.dn": [ + "$(LDAP_GROUPS_DN)" + ], + "mode": [ + "READ_ONLY" + ], + "user.roles.retrieve.strategy": [ + "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" + ], + "membership.ldap.attribute": [ + "memberUid" + ], + "ignore.missing.groups": [ + "false" + ], + "memberof.ldap.attribute": [ + "memberOf" + ], + "group.object.classes": [ + "univentionGroup" + ], + "groups.path": [ + "/" + ], + "drop.non.existing.groups.during.sync": [ + "true" + ] + } + }, + { + "name": "uid", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "uid" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "read.only": [ + "true" + ], + "always.read.value.from.ldap": [ + "false" + ], + "user.model.attribute": [ + "uid" + ] + } + }, + { + "name": "first name", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "givenName" + ], + "is.mandatory.in.ldap": [ + "false" + ], + 
"always.read.value.from.ldap": [ + "false" + ], + "read.only": [ + "true" + ], + "user.model.attribute": [ + "firstName" + ] + } + }, + { + "name": "phoenixusername", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "uid" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "always.read.value.from.ldap": [ + "false" + ], + "read.only": [ + "true" + ], + "user.model.attribute": [ + "phoenixusername" + ] + } + }, + { + "name": "last name", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "sn" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "read.only": [ + "true" + ], + "always.read.value.from.ldap": [ + "true" + ], + "user.model.attribute": [ + "lastName" + ] + } + }, + { + "name": "email", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "mailPrimaryAddress" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "read.only": [ + "true" + ], + "always.read.value.from.ldap": [ + "false" + ], + "user.model.attribute": [ + "email" + ] + } + }, + { + "name": "context", + "providerId": "user-attribute-ldap-mapper", + "subComponents": {}, + "config": { + "ldap.attribute": [ + "oxContextIDNum" + ], + "is.mandatory.in.ldap": [ + "true" + ], + "always.read.value.from.ldap": [ + "false" + ], + "read.only": [ + "true" + ], + "user.model.attribute": [ + "context" + ] + } + } + ] + }, + "config": { + "pagination": [ + "true" + ], + "fullSyncPeriod": [ + "36000" + ], + "connectionPooling": [ + "true" + ], + "usersDn": [ + "$(LDAP_USERS_DN)" + ], + "cachePolicy": [ + "DEFAULT" + ], + "useKerberosForPasswordAuthentication": [ + "false" + ], + "importEnabled": [ + "false" + ], + "enabled": [ + "true" + ], + "changedSyncPeriod": [ + "3600" + ], + "usernameLDAPAttribute": [ + "uid" + ], + "bindCredential": [ + "$(LDAPSEARCH_PASSWORD)" + ], + "bindDn": [ + "uid=$(LDAPSEARCH_USERNAME),$(LDAP_USERS_DN)" + ], + "vendor": [ + 
"other" + ], + "uuidLDAPAttribute": [ + "entryUUID" + ], + "allowKerberosAuthentication": [ + "false" + ], + "connectionUrl": [ + "ldap://$(LDAP_SERVER_URL)" + ], + "syncRegistrations": [ + "false" + ], + "authType": [ + "simple" + ], + "debug": [ + "false" + ], + "searchScope": [ + "2" + ], + "useTruststoreSpi": [ + "ldapsOnly" + ], + "priority": [ + "0" + ], + "trustEmail": [ + "false" + ], + "userObjectClasses": [ + "inetOrgPerson, organizationalPerson" + ], + "rdnLDAPAttribute": [ + "uid" + ], + "editMode": [ + "READ_ONLY" + ], + "validatePasswordPolicy": [ + "false" + ], + "batchSizeForSync": [ + "1000" + ] + } + } + ] + }, + "authenticationFlows": [ + { + "alias": "2fa-browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "2fa-browser forms", + "userSetupAllowed": false + } + ] + }, + { + "alias": "2fa-browser Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticatorConfig": "2fa-role-mapping", + "authenticator": "conditional-user-role", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, 
+ "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 21, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "2fa-browser forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "2fa-browser Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": 
false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + 
"priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": 
"auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": 
false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + 
"autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + 
"priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "alias": "2fa-role-mapping", + "config": { + "condUserRole": "Two-Factor-Authentication" + } + }, + { + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + 
"priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "2fa-browser" + } +... diff --git a/helmfile/apps/keycloak/values-keycloak.gotmpl b/helmfile/apps/keycloak/values-keycloak.gotmpl new file mode 100644 index 00000000..f3c845cd --- /dev/null +++ b/helmfile/apps/keycloak/values-keycloak.gotmpl 
@@ -0,0 +1,87 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.keycloak.repository }}" + tag: "{{ .Values.images.keycloak.tag }}" + digest: "{{ .Values.images.keycloak.digest }}" + +externalDatabase: + host: "{{ .Values.databases.keycloak.host }}" + port: {{ .Values.databases.keycloak.port }} + user: "{{ .Values.databases.keycloak.username }}" + database: "{{ .Values.databases.keycloak.name }}" + password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }} + +auth: + adminPassword: {{ .Values.secrets.keycloak.adminPassword }} + +replicaCount: {{ .Values.replicas.keycloak }} + +keycloakConfigCli: + extraEnvVars: + - name: "LDAP_GROUPS_DN" + value: "cn=groups,dc=swp-ldap,dc=internal" + - name: "LDAP_USERS_DN" + value: "cn=users,dc=swp-ldap,dc=internal" + - name: "LDAP_SERVER_URL" + value: "univention-corporate-container" + - name: "IDENTIFIER" + value: "souvap" + - name: "THEME" + value: "souvap" + - name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT" + value: "600s" + - name: "UNIVENTION_CORPORATE_SERVER_DOMAIN" + value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + - name: "KEYCLOAK_DOMAIN" + value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + - name: "OPENXCHANGE_8_DOMAIN" + value: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + - name: "XWIKI_DOMAIN" + value: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" + - name: "OPENPROJECT_DOMAIN" + value: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" 
+ - name: "NEXTCLOUD_DOMAIN" + value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" + - name: "MATRIX_DOMAIN" + value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}" + - name: "JITSI_PLAIN_DOMAIN" + value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}" + - name: "ELEMENT_DOMAIN" + value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}" + - name: "INTERCOM_SERVICE_DOMAIN" + value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}" + - name: "CLIENT_SECRET_INTERCOM_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.intercom }} + - name: "CLIENT_SECRET_MATRIX_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.matrix }} + - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }} + - name: "CLIENT_SECRET_NCOIDC_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }} + - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.openproject }} + - name: "CLIENT_SECRET_XWIKI_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.xwiki }} + - name: "CLIENT_SECRET_AS8OIDC_PASSWORD" + value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }} + - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME" + value: "storage_provider_ucsldap" + - name: "LDAPSEARCH_PASSWORD" + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }} + - name: "LDAPSEARCH_USERNAME" + value: "ldapsearch_keycloak" + +resources: + {{ .Values.resources.keycloak | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/keycloak/values-keycloak.yaml b/helmfile/apps/keycloak/values-keycloak.yaml new file mode 100644 index 00000000..fc7cfaa6 --- /dev/null +++ b/helmfile/apps/keycloak/values-keycloak.yaml 
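Review bot: The secret values in this hunk are emitted as unquoted plain scalars — `password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}`, `adminPassword: {{ .Values.secrets.keycloak.adminPassword }}` and every `CLIENT_SECRET_*_PASSWORD` / `LDAPSEARCH_PASSWORD` `value:` — so a generated secret that is all digits, starts with `0`, looks like a boolean or float, or contains `: ` or ` #` is re-typed or breaks the YAML parse, and an env `value` that is not a string is rejected by the API server. Quote them the way the non-secret values in the same file already are, e.g. `value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}` and `adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}`. Passing the database and admin passwords through values also lands them in the Helm release secret and in rendered manifests; the companion values-keycloak.yaml in this commit exposes `externalDatabase.existingSecret`, which is the place to reference a pre-created Secret instead. The LDAP bind credential is sent to `LDAP_SERVER_URL` through the realm import's `ldap://` connection string shown earlier in this diff, so it crosses the cluster network in clear unless that is switched to `ldaps://`.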
@@ -0,0 +1,52 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +postgresql: + enabled: false +externalDatabase: + existingSecret: "" + existingSecretPasswordKey: "" +auth: + adminUser: "kcadmin" +# not working as expected with older helm chart, check if it works with most recent one. +# meanwhile we set the loglevel using the extraEnvVars a bit below. +#logging: +# level: "DEBUG" +extraEnvVars: + - name: "KC_LOG_LEVEL" + value: "INFO" +extraStartupArgs: "-Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + +service: + type: "ClusterIP" +ingress: + enabled: false +extraVolumes: + - name: "keycloak-theme" + configMap: + name: "keycloak-theme" + items: + - key: "theme.properties" + path: "souvap/login/theme.properties" + - key: "messages_de.properties" + path: "souvap/login/messages/messages_de.properties" + - key: "messages_en.properties" + path: "souvap/login/messages/messages_en.properties" + - key: "styles.css" + path: "souvap/login/resources/css/styles.css" + - key: "logo.svg" + path: "souvap/login/resources/img/logo_phoenix.svg" + - key: "login.ftl" + path: "souvap/login/login.ftl" +extraVolumeMounts: + - name: "keycloak-theme" + mountPath: "/opt/bitnami/keycloak/themes" + +keycloakConfigCli: + enabled: true + command: [ "java", "-jar" ,"/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar" ] + args: [ "--import.var-substitution.enabled=true" ] + cache: + enabled: false + +... diff --git a/helmfile/apps/keycloak/values-theme.gotmpl b/helmfile/apps/keycloak/values-theme.gotmpl new file mode 100644 index 00000000..69bdcd1b --- /dev/null +++ b/helmfile/apps/keycloak/values-theme.gotmpl 
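Review bot: `extraStartupArgs: "-Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"` uses the legacy WildFly-era profile property syntax; the config-cli jar pinned on the same hunk is 19.0.3, which suggests a Quarkus-based Keycloak where features are enabled with `--features=token-exchange,admin-fine-grained-authz` (or `KC_FEATURES`) and these `-D` properties may be silently ignored — verify with `kc.sh show-config` after deploy. Both are preview features and token exchange lets a client trade a token for one issued to another client or impersonate a user, so a comment should state which client needs it and that the exchange permission is restricted via fine-grained admin permissions, e.g. `# token-exchange: document the consuming client here and restrict the exchange permission to it`. The path `/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar` hard-codes a version that must be kept in lockstep with the image tag in values-keycloak.gotmpl; a comment noting that coupling would prevent a silent mismatch.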
@@ -0,0 +1,10 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: "{{ .Values.global.domain }}"
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+...
diff --git a/helmfile/apps/nextcloud/helmfile.yaml b/helmfile/apps/nextcloud/helmfile.yaml
new file mode 100644
index 00000000..3a9f1397
--- /dev/null
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "swp-nextcloud-bootstrap"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
+ - name: "nextcloud"
+ url: "https://nextcloud.github.io/helm/"
+
+releases:
+ - name: "swp-nextcloud-bootstrap"
+ chart: "swp-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
+ version: "2.0.5"
+ wait: true
+ timeout: 1800
+ values:
+ - "values-bootstrap.gotmpl"
+ - "values-bootstrap.yaml"
+ condition: "nextcloud.enabled"
+
+ - name: "nextcloud"
+ chart: "nextcloud/nextcloud"
+ version: "3.5.19"
+ needs:
+ - "swp-nextcloud-bootstrap"
+ values:
+ - "values-nextcloud.gotmpl"
+ - "values-nextcloud.yaml"
+ condition: "nextcloud.enabled"
+
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/nextcloud/values-bootstrap.gotmpl b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
new file mode 100644
index 00000000..71631774
--- /dev/null
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -0,0 +1,50 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + registry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +config: + administrator: + password: {{ .Values.secrets.nextcloud.adminPassword }} + apps: + integrationSwp: + password: {{ .Values.secrets.centralnavigation.apiKey }} + userOidc: + password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }} + + database: + host: "{{ .Values.databases.nextcloud.host }}" + name: "{{ .Values.databases.nextcloud.name }}" + user: "{{ .Values.databases.nextcloud.username }}" + password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}" + + ldapSearch: + password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}" + + smtp: + host: "{{ .Values.smtp.host }}" + username: "{{ .Values.smtp.username }}" + password: "{{ .Values.smtp.password }}" + +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.nextcloud.repository }}" + tag: "{{ .Values.images.nextcloud.tag }}" + +persistence: + size: + main: "{{ .Values.persistence.size.nextcloud.main }}" + data: "{{ .Values.persistence.size.nextcloud.data }}" + storageClass: "{{ .Values.persistence.storageClassNames.RWX }}" + +resources: + {{ .Values.resources.nextcloud | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/nextcloud/values-bootstrap.yaml b/helmfile/apps/nextcloud/values-bootstrap.yaml new file mode 100644 index 00000000..94c39d01 --- /dev/null +++ b/helmfile/apps/nextcloud/values-bootstrap.yaml 
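Review bot: Quoting of templated secrets is inconsistent within this hunk: `password: {{ .Values.secrets.nextcloud.adminPassword }}`, `password: {{ .Values.secrets.centralnavigation.apiKey }}` and `password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}` are plain scalars while the database, ldapSearch and smtp passwords a few lines below are double-quoted. An unquoted generated secret that is all digits, starts with `0`, or contains `: ` / ` #` is re-typed or breaks the parse; use `| quote` on all of them (`password: {{ .Values.secrets.nextcloud.adminPassword | quote }}`), which also escapes embedded double quotes that the `"{{ ... }}"` form does not. The `image:` block here carries only `tag:`, unlike the keycloak values in this commit which also pin `digest:`; if the bootstrap chart accepts a digest, pinning it keeps the bootstrap job reproducible.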
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+config:
+ administrator:
+ username: "nextcloud"
+ antivirus:
+ host: "clamav-sovereign-workplace-icap"
+ apps:
+ integrationSwp:
+ username: "phoenixusername"
+ userOidc:
+ username: "ncoidc"
+
+cleanup:
+ deletePodsOnSuccess: true
+...
diff --git a/helmfile/apps/nextcloud/values-nextcloud.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
new file mode 100644
index 00000000..c7567e3e
--- /dev/null
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -0,0 +1,41 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +nextcloud: + host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" + username: "nextcloud" + password: {{ .Values.secrets.nextcloud.adminPassword }} +externalDatabase: + database: "{{ .Values.databases.nextcloud.name }}" + user: "{{ .Values.databases.nextcloud.username }}" + host: "{{ .Values.databases.nextcloud.host }}" + password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}" +redis: + auth: + enabled: true + password: {{ .Values.secrets.redis.password }} +ingress: + enabled: {{ .Values.ingress.enabled }} + className: {{ .Values.ingress.ingressClassName }} + tls: + - secretName: "{{ .Values.ingress.tls.secretName }}" + hosts: + - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" +image: + repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}" + pullPolicy: "Always" + tag: "{{ .Values.images.nextcloud.tag }}" + pullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +metrics: + token: "{{ .Values.secrets.nextcloud.metricsToken }}" +persistence: + storageclass: "{{ .Values.persistence.storageClassNames.RWX }}" + +replicaCount: {{ .Values.replicas.nextcloud }} +resources: + {{ .Values.resources.nextcloud | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/nextcloud/values-nextcloud.yaml b/helmfile/apps/nextcloud/values-nextcloud.yaml new file mode 100644 index 00000000..37381039 --- /dev/null +++ b/helmfile/apps/nextcloud/values-nextcloud.yaml 
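Review bot: `pullPolicy: "Always"` together with a mutable `tag:` and no `digest:` means every pod restart can pull a different image than the one that was reviewed; the keycloak values earlier in this diff pin `digest:`, and the same should be done here (or the tag made immutable) so the deployed image is reproducible. `password: {{ .Values.secrets.nextcloud.adminPassword }}` and `password: {{ .Values.secrets.redis.password }}` are unquoted plain scalars while `token: "{{ ... }}"` on the same hunk is quoted — use `| quote` so a digits-only or `: `-containing secret cannot be re-typed or break the parse. The admin `username: "nextcloud"` is duplicated from values-bootstrap.yaml; keeping it in one place avoids the two drifting apart.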
@@ -0,0 +1,42 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +persistence: + enabled: true + existingClaim: "nextcloud-main" + nextcloudData: + enabled: true + existingClaim: "nextcloud-data" + +redis: + enabled: false + +cronjob: + enabled: true + lifecycle: + postStartCommand: + - "sh" + - "-c" + - 'sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data' + +internalDatabase: + enabled: false +postgresql: + enabled: false +mariadb: + enabled: false +externalDatabase: + enabled: true + # The nextcloud helm chart provides a sub-chart for mariadb. + # If we use mariadb as a sub-chart it's linked to nextcloud, + # and it is not independent anymore. Since externalDatabase.type + # allows just mysql or postgres, mysql is chosen to connect + # to the mariadb: + type: "mysql" + +metrics: + enabled: false + +# this is not documented but can be found in values.yaml +service: + port: "80" diff --git a/helmfile/apps/open-xchange/helmfile.yaml b/helmfile/apps/open-xchange/helmfile.yaml new file mode 100644 index 00000000..c6de498a --- /dev/null +++ b/helmfile/apps/open-xchange/helmfile.yaml 
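Review bot: The `postStartCommand` `sed -i` that rewrites `/var/spool/cron/crontabs/www-data` from `*/5` to `*/1` matches one exact upstream crontab line, so if the image's cron entry ever changes the substitution silently does nothing and the interval stays at five minutes with no signal. Append a check so the hook fails loudly, e.g. `grep -q '^\*/1 \* \* \* \* php -f /var/www/html/cron.php' /var/spool/cron/crontabs/www-data`, and leave a one-line comment above the hook explaining why a one-minute interval is required. `metrics.enabled: false` here while values-nextcloud.gotmpl sets `metrics.token` suggests one of the two is stale.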
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ - name: "dovecot"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
+ - name: "openxchange"
+ url: "registry.open-xchange.com"
+ oci: true
+ passCredentials: true
+ # username is retrieve from the environment with the format _USERNAME for CI usage, here OPENXCHANGE_USERNAME
+ # username is retrieve from the environment with the format _PASSWORD for CI usage, here OPENXCHANGE_PASSWORD
+ - name: "sovereign-workplace-open-xchange-bootstrap"
+ url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+
+releases:
+ - name: "dovecot"
+ chart: "dovecot/dovecot"
+ version: "1.1.0"
+ values:
+ - "values-dovecot.yaml"
+ - "values-dovecot.gotmpl"
+ condition: "dovecot.enabled"
+ - name: "open-xchange"
+ chart: "openxchange/appsuite-core-public-sector/charts/appsuite-public-sector"
+ version: "1.1.8"
+ values:
+ - "values-openxchange.yaml"
+ - "values-openxchange.gotmpl"
+ condition: "oxAppsuite.enabled"
+ - name: "sovereign-workplace-open-xchange-bootstrap"
+ chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
+ version: "1.2.2"
+ values:
+ - "values-openxchange-bootstrap.yaml"
+ condition: "oxAppsuite.enabled"
+bases:
+ - "../../bases/environments.yaml"
+...
diff --git a/helmfile/apps/open-xchange/values-dovecot.gotmpl b/helmfile/apps/open-xchange/values-dovecot.gotmpl
new file mode 100644
index 00000000..077158ee
--- /dev/null
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
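Review bot: `passCredentials: true` on the `openxchange` repository tells Helm to send the OPENXCHANGE_USERNAME/OPENXCHANGE_PASSWORD basic-auth credentials to any host a chart download is redirected to, not only `registry.open-xchange.com`, so a redirect would hand the vendor credentials to a third party. The flag is only needed when chart archives are served from a different host than the index; with `oci: true` authentication goes through `helm registry login`, so it should be dropped unless the vendor documents a need for it — please confirm. The second comment line repeats "username" where it describes the password variable; it should read `# password is retrieved from the environment as OPENXCHANGE_PASSWORD (repository name upper-cased plus _PASSWORD)`.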
@@ -0,0 +1,39 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +image: + registry: "{{ .Values.global.imageRegistry }}" + url: "{{ .Values.images.dovecot.repository }}" + tag: "{{ .Values.images.dovecot.tag }}" + +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} + +dovecot: + mailDomain: "{{ .Values.global.domain }}" + password: {{ .Values.secrets.dovecot.doveadm }} + ldap: + dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal" + password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }} + oidc: + introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect" + clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }} + clientID: "as8oidc" + +ingress: + tls: + secretName: "{{ .Values.ingress.tls.secretName }}" + +replicaCount: {{ .Values.replicas.dovecot }} + +persistence: + size: "{{ .Values.persistence.size.dovecot }}" + storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}" + +resources: + {{ .Values.resources.dovecot | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml b/helmfile/apps/open-xchange/values-dovecot.yaml new file mode 100644 index 00000000..69944cc1 --- /dev/null +++ b/helmfile/apps/open-xchange/values-dovecot.yaml 
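Review bot: The three secret expansions — `password: {{ .Values.secrets.dovecot.doveadm }}`, the `ldap.password` line and `oidc.clientSecret` — are rendered unquoted, so a generated secret that is empty, all digits, or starts with a YAML indicator such as `*`, `&`, `#` or `{` is parsed as null, a number or a syntax error instead of the intended string. Render them with the quote filter, e.g. `password: {{ .Values.secrets.dovecot.doveadm | quote }}`, as `values-openxchange.gotmpl` in this same commit already does for its secrets. Every non-secret scalar in the file is already wrapped in double quotes, so this is the only inconsistency.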
@@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +persistence: + accessModes: + - "ReadWriteMany" + +dovecot: + loginTrustedNetworks: "10.0.0.0/8" + ldap: + enbaled: true + host: "univention-corporate-container" + port: 389 + base: "dc=swp-ldap,dc=internal" + + oidc: + enabled: true + clientID: "as8oidc" + usernameAttribute: "phoenixusername" + +ingress: + enabled: false +... diff --git a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml new file mode 100644 index 00000000..01802bea --- /dev/null +++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +cleanup: + deletePodsOnSuccess: false + +# resources: +# limits: +# # The max amount of CPUs to consume. +# cpu: 1 +# # The max amount of RAM to consume. +# memory: "1Gi" +# requests: +# # The amount of CPUs which has to be available on the scheduled node. +# cpu: 1 +# # The amount of RAM which has to be available on the scheduled node. +# memory: "256Mi" + +# Keep default values: +# coreMiddleware: +# statefulSet: "open-xchange-core-mw-default-0" +# pod: "open-xchange-core-mw-default-0" +... diff --git a/helmfile/apps/open-xchange/values-openxchange.gotmpl b/helmfile/apps/open-xchange/values-openxchange.gotmpl new file mode 100644 index 00000000..318fb20c --- /dev/null +++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl 
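Review bot: `ldap: enbaled: true` is a typo; if the chart's key is `enabled`, this line is silently ignored and LDAP lookup stays at the chart default, so it should read `enabled: true`. Two settings here deserve an explicit caveat comment: `port: 389` with no TLS option visible means the bind password from the gotmpl travels over plain LDAP unless the mesh encrypts pod traffic, and `loginTrustedNetworks: "10.0.0.0/8"` makes Dovecot trust the client-supplied original IP and login-forwarding data for every host in that range — suggest `# TODO(security): plain LDAP on 389 relies on in-cluster encryption; confirm before production` and narrowing the trusted range to the pod CIDR actually used. The bootstrap values hunk sharing this line contains only commented-out defaults.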
@@ -0,0 +1,130 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + mysql: + host: "{{ .Values.databases.oxAppsuite.host }}" + database: "{{ .Values.databases.oxAppsuite.name }}" + auth: + user: "{{ .Values.databases.oxAppsuite.username }}" + password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}" + rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}" + +istio: + enabled: {{ .Values.istio.enabled }} + +nextcloud-integration-ui: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + +public-sector-ui: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + +appsuite: + istio: + enabled: {{ .Values.istio.enabled }} + ingressGateway: + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + virtualServices: + appsuite: + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + dav: + hosts: + - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + + core-mw: + masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} + hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + properties: + "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs" + "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" + "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" + "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} + "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth" + "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth" + "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" + "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" + "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs" + "com.openexchange.oidc.clientSecret": {{ 
.Values.secrets.keycloak.clientSecret.as8oidc | quote }} + "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout" + "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" + "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + secretProperties: + com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }} + com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }} + com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }} + propertiesFiles: + "/opt/open-xchange/etc/ldapauth.properties": + bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} + uiSettings: + "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" + "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" + secretETCFiles: + # Format of the OX Guard master key: + # MC+base64(20 random bytes) + # RC+base64(20 random bytes) + oxguardpass: | + {{ .Values.secrets.oxAppsuite.oxguardMC }} + {{ .Values.secrets.oxAppsuite.oxguardRC }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + core-ui: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + core-ui-middleware: + ingress: + hosts: + - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + core-guidedtours: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + + guard-ui: + image: + repository: "{{ .Values.global.imageRegistry }}/appsuite-core-public/guard-ui" + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + core-cacheservice: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + core-user-guide: + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} +... diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml b/helmfile/apps/open-xchange/values-openxchange.yaml new file mode 100644 index 00000000..d3a0a8c7 --- /dev/null +++ b/helmfile/apps/open-xchange/values-openxchange.yaml 
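Review bot: Under `global.mysql.auth`, both `password:` and `rootPassword:` fall back to `.Values.secrets.mariadb.rootPassword` when `databases.oxAppsuite.password` is unset, so the application account is connected with the MariaDB root password even though `values-mariadb.gotmpl` in this same commit creates a dedicated `openxchange_user` with `secrets.mariadb.openxchangeUser`, and the OpenProject values use the per-service user secret as their fallback. Change the user fallback to `password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.openxchangeUser }}"` and keep `rootPassword` only if the chart genuinely needs root (e.g. for schema creation), with a comment saying so. The `oxguardpass: |` block interpolates two secrets as raw lines, so a value with a leading `#` or whitespace would alter the key file; a `# both lines must be single-line MC+/RC+ base64 tokens` note next to the existing format comment would make that constraint explicit.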
@@ -0,0 +1,159 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +appsuite: + istio: + ingressGateway: + name: "sovereign-workplace-gateway-istio-gateway" + + core-mw: + enabled: true + masterAdmin: "admin" + features: + status: + # enable admin pack + # admin: enabled + documents: disabled + guard: enabled + packages: + status: + open-xchange-oidc: enabled + open-xchange-authentication-database: disabled + open-xchange-authentication-oauth: enabled + properties: + com.openexchange.UIWebPath: "/appsuite/" + # OIDC + com.openexchange.oidc.enabled: "true" + com.openexchange.oidc.autologinCookieMode: "ox_direct" + com.openexchange.oidc.contextLookupClaim: "context" + com.openexchange.oidc.contextLookupNamePart: "full" + com.openexchange.oidc.backchannelLogoutEnabled: "true" + com.openexchange.oidc.startDefaultBackend: "true" + com.openexchange.oidc.ssoLogout: "true" + com.openexchange.oidc.userLookupNamePart: "full" + com.openexchange.oidc.userLookupClaim: "phoenixusername" + com.openexchange.oidc.clientId: "as8oidc" + # OAUTH + com.openexchange.oauth.provider.enabled: "true" + com.openexchange.oauth.provider.contextLookupClaim: "context" + com.openexchange.oauth.provider.contextLookupNamePart: "full" + com.openexchange.oauth.provider.mode: "expect_jwt" + com.openexchange.oauth.provider.userLookupNamePart: "full" + com.openexchange.oauth.provider.userLookupClaim: "phoenixusername" + com.openexchange.authentication.oauth.clientId: "as8oidc" + # MAIL + com.openexchange.mail.authType: "xoauth2" + com.openexchange.mail.loginSource: "mail" + com.openexchange.mail.mailServer: "dovecot" + com.openexchange.mail.mailServerSource: "global" + com.openexchange.mail.transport.authType: "xoauth2" + com.openexchange.mail.transportServer: "postfix" + com.openexchange.mail.transportServerSource: "global" + # Mailfilter + com.openexchange.mail.filter.loginType: global + 
com.openexchange.mail.filter.credentialSource: mail + com.openexchange.mail.filter.server: dovecot + com.openexchange.mail.filter.preferredSaslMech: XOAUTH2 + # Capabilities + com.openexchange.capability.client-onboarding: "true" + com.openexchange.capability.dynamic-theme: "true" + com.openexchange.capability.filestorage_nextcloud: "true" + com.openexchange.capability.filestorage_nextcloud_oauth: "true" + com.openexchange.capability.guard: "true" + com.openexchange.capability.guard-mail: "true" + com.openexchange.capability.public-sector: "true" + com.openexchange.capability.smime: "true" + # Secondary Accounts + com.openexchange.mail.secondary.authType: XOAUTH2 + # Nextcloud integration + com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/" + com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user" + com.openexchange.nextcloud.filepicker.includeAccessToken: "false" + # GDPR + com.openexchange.gdpr.dataexport.enabled: "false" + com.openexchange.gdpr.dataexport.active: "false" + # Guard + com.openexchange.guard.guestSMTPServer: "postfix" + # S/MIME + # Usage (in browser console after login): + # http = (await import('./io.ox/core/http.js')).default + # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } }) + com.openexchange.smime.test: "true" + # Other + com.openexchange.secret.secretSource: "\" + '@' + + '/' + \"" + propertiesFiles: + /opt/open-xchange/etc/AdminDaemon.properties: + MASTER_ACCOUNT_OVERRIDE: "true" + /opt/open-xchange/etc/system.properties: + SERVER_NAME: "oxserver" + /opt/open-xchange/etc/ldapauth.properties: + java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal" + bindOnly: "false" + bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal" + + uiSettings: + # Resources + io.ox/core//features/resourceCalendars: "true" + io.ox/core//features/managedResources: "true" + # Categories + io.ox/core//features/categories: "true" + 
io.ox/core//categories/predefined: '[{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]' + # Nextcloud integration + # io.ox.nextcloud//server: "https://ics./fs/" + # Central navigation + io.ox.public-sector//navigation/oxtabname: tab_groupware + # io.ox.public-sector//ics/url: "https://ics./" + io.ox/core//apps/quickLaunchCount: "0" + io.ox/core//coloredIcons: "false" + # Dynamic theme + io.ox/dynamic-theme//mainColor: "#004B76" + io.ox/dynamic-theme//logoURL: io.ox.public-sector/logo.svg + io.ox/dynamic-theme//logoWidth: "80" + io.ox/dynamic-theme//topbarBackground: "#fff" + io.ox/dynamic-theme//topbarColor: "#1f1f1f" + io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)" + io.ox/dynamic-theme//listSelected: "#ADC8F0" + io.ox/dynamic-theme//listHover: "#ddd" + io.ox/dynamic-theme//folderBackground: "#fff" + io.ox/dynamic-theme//folderSelected: "#ADC8F0" + io.ox/dynamic-theme//folderHover: "#ddd" + + asConfig: + default: + host: all + pageHeaderPrefix: "as8.souvap App Suite" + oidcLogin: true + oidcPath: /oidc + + core-ui: + enabled: true + core-ui-middleware: + enabled: true + core-guidedtours: + enabled: true + guard-ui: + enabled: true + core-cacheservice: + enabled: true + core-user-guide: + enabled: true + core-imageconverter: + enabled: false + core-spellcheck: + enabled: false + core-documentconverter: + enabled: false + core-documents-collaboration: + enabled: false + office-web: + enabled: false + office-user-guide: + enabled: false + plugins-ui: + enabled: false + cloud-plugins-ui: + enabled: false + drive-client-windows-ox: + enabled: false + core-drive-help: + enabled: false diff --git a/helmfile/apps/openproject/helmfile.yaml b/helmfile/apps/openproject/helmfile.yaml new file mode 100644 index 00000000..6ba852fb --- /dev/null +++ b/helmfile/apps/openproject/helmfile.yaml 
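Review bot: `com.openexchange.smime.test: "true"` enables a test action that the comment above it even shows how to invoke from the browser console; that should not be the default in an environment values file — drop it or gate it with `# TODO: remove before production — enables the S/MIME self-test action`. The `ldapauth.properties` block points at `ldap://univention-corporate-container:389` with `bindOnly: "false"`, so the `ldapsearch_ox` bind password from the gotmpl is sent in clear text unless the service mesh encrypts pod-to-pod traffic; record that assumption next to the URL. Several values in this hunk (`com.openexchange.secret.secretSource`, the commented `io.ox.nextcloud//server`) read as if angle-bracket placeholders were stripped when the page was rendered, so verify them against the original file rather than this listing.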
@@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +repositories: + - name: "openproject" + url: "https://charts.openproject.org" + +releases: + - name: "openproject" + chart: "openproject/openproject" + version: "1.8.0" + values: + - "values.yaml" + - "values.gotmpl" + condition: "openproject.enabled" + +bases: + - "../../bases/environments.yaml" +... diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.gotmpl new file mode 100644 index 00000000..bbb27a0a --- /dev/null +++ b/helmfile/apps/openproject/values.gotmpl 
@@ -0,0 +1,71 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.openproject.repository }}" + pullPolicy: "Always" + tag: "{{ .Values.images.openproject.tag }}" + +memcached: + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.memcached.repository }}" + tag: "{{ .Values.images.memcached.tag }}" + +postgresql: + auth: + password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }} + username: "{{ .Values.databases.openproject.username }}" + database: "{{ .Values.databases.openproject.name }}" + connection: + host: "{{ .Values.databases.openproject.host }}" + port: "{{ .Values.databases.openproject.port }}" + +openproject: + host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" + # Will only be set on initial seed / installation + admin_user: + name: "OpenProject Interal Admin" + mail: "openproject-admin@swp-domain.internal" + password_reset: "false" + password: "{{ .Values.secrets.openproject.adminPassword }}" + +ingress: + host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" + enabled: {{ .Values.ingress.enabled }} + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + tls: + enabled: {{ .Values.ingress.tls.enabled }} + secretName: "{{ .Values.ingress.tls.secretName }}" + +environment: + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }} + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject 
}}.{{ .Values.global.domain }}/" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" + OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }} + OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}" + OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}" + OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}" + OPENPROJECT_SMTP__PORT: "587" # (default=587) + OPENPROJECT_SMTP__SSL: "false" # (default=false) + OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}" + +persistence: + size: "{{ .Values.persistence.size.openproject }}" + storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}" + +replicaCount: {{ .Values.replicas.openproject }} + +resources: + {{ .Values.resources.openproject | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/openproject/values.yaml b/helmfile/apps/openproject/values.yaml new file mode 100644 index 00000000..d45ff7a4 --- /dev/null +++ b/helmfile/apps/openproject/values.yaml 
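Review bot: The database `password:`, `OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET:` and `OPENPROJECT_SOUVAP__NAVIGATION__SECRET:` are rendered unquoted while every neighbouring value is quoted; a secret that is empty, numeric, or begins with `*`, `&`, `#` or `{` then becomes null, a number or a parse error rather than a string. Quote them, e.g. `OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}`. The seeded admin display name `OpenProject Interal Admin` is misspelled and user-visible; since the comment says it is only applied on the initial seed, fix it before the first deployment.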
@@ -0,0 +1,43 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +image: + registry: "registry.souvap-univention.de" + +probes: + liveness: + initialDelaySeconds: 300 + failureThreshold: 30 + readiness: + initialDelaySeconds: 150 + failureThreshold: 30 + +postgresql: + bundled: false + +openproject: + oidc: + enabled: true + provider: "keycloak" + identifier: "openproject" + authorizationEndpoint: "/realms/souvap/protocol/openid-connect/auth" + tokenEndpoint: "/realms/souvap/protocol/openid-connect/token" + userinfoEndpoint: "/realms/souvap/protocol/openid-connect/userinfo" + scope: "[openid,phoenix]" + # seed will only be executed on initial installation + seed_locale: "de" + +# For more details and more options see https://www.openproject.org/docs/installation-and-operations/configuration/environment/ +environment: + OPENPROJECT_LOG__LEVEL: "info" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername" + OPENPROJECT_LOGIN__REQUIRED: "true" + OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak" + OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200" + OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp" + OPENPROJECT_SMTP__AUTHENTICATION: "plain" + OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true" + OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer" + +... diff --git a/helmfile/apps/provisioning/helmfile.yaml b/helmfile/apps/provisioning/helmfile.yaml new file mode 100644 index 00000000..5327a2a6 --- /dev/null +++ b/helmfile/apps/provisioning/helmfile.yaml 
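Review bot: `OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"` lets an OIDC login attach itself to a pre-existing local account matched via the mapped login (`phoenixusername`), which is an account-takeover path if that claim can be set outside Keycloak; if it is needed so seeded or migrated users can sign in, say so next to it: `# Keycloak identities may claim existing local users (matched on login); accepted because Keycloak is the only IdP`. `scope: "[openid,phoenix]"` is a string that merely looks like a flow list — confirm the chart wants that literal string, since a YAML list would be `scope: ["openid", "phoenix"]`. `OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"` together with STARTTLS auto is the right default and worth keeping.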
@@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +repositories: + - name: "ox-connector" + url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" + +releases: + - name: "ox-connector" + chart: "ox-connector/ox-connector" + version: "0.1.0-pre-jconde-standalone-listener" + values: + - "values-oxconnector.yaml" + - "values-oxconnector.gotmpl" + condition: "oxConnector.enabled" + +bases: + - "../../bases/environments.yaml" +... diff --git a/helmfile/apps/provisioning/values-oxconnector.gotmpl b/helmfile/apps/provisioning/values-oxconnector.gotmpl new file mode 100644 index 00000000..44b6123c --- /dev/null +++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl @@ -0,0 +1,30 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.oxConnector.repository }}" + pullPolicy: "Always" + tag: "{{ .Values.images.oxConnector.tag }}" + +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} + +persistence: + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + +oxConnector: + domainName: "{{ .Values.global.domain }}" + #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))" + oxMasterAdmin: "admin" + oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}" + oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + oxDefaultContext: "1" + +resources: + {{ .Values.resources.oxConnector | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml b/helmfile/apps/provisioning/values-oxconnector.yaml new file mode 100644 index 00000000..a6e093b8 --- /dev/null 
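Review bot: `version: "0.1.0-pre-jconde-standalone-listener"` pins the ox-connector to what looks like a personal pre-release branch build rather than a tagged release, so the deployed artifact is not reproducible from the chart repository's release history and loses its owner once that branch moves on. Replace it with a released tag, or add `# TODO: temporary pre-release build of ox-connector, replace with a tagged version` so it does not outlive its reason. In the `values-oxconnector.gotmpl` hunk on this same line, `oxMasterAdmin: "admin"` duplicates `masterAdmin: "admin"` from the OX values and the commented `(( ... ))` line shows the intent to derive it; a comment pointing at `values-openxchange.yaml` would keep the two from drifting.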
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml @@ -0,0 +1,47 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +ingress: + enabled: false + +oxConnector: + ldapHost: "univention-corporate-container" + #ldapHostIp: "" + ldapBaseDn: "dc=swp-ldap,dc=internal" + ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" + notifierServer: "univention-corporate-container" + tlsMode: "plain" + # current static password for UCC + ldapPassword: "ucctempldapstring" + caCert: "ucctempldapstring" + debugLevel: "5" + logLevel: "DEBUG" + oxDefaultContext: "1" + oxLocalTimezone: "Europe/Berlin" + oxLanguage: "de_DE" + oxSmtpServer: "smtp://127.0.0.1:587" + oxImapServer: "imap://127.0.0.1:143" + +## Container deployment probes +probes: + liveness: + enabled: true + initialDelaySeconds: 120 + timeoutSeconds: 3 + periodSeconds: 30 + failureThreshold: 3 + successThreshold: 1 + + readiness: + enabled: true + initialDelaySeconds: 30 + timeoutSeconds: 3 + periodSeconds: 15 + failureThreshold: 30 + successThreshold: 1 + + +serviceAccount: + create: true + +... diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml new file mode 100644 index 00000000..64858fbd --- /dev/null +++ b/helmfile/apps/services/helmfile.yaml 
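Review bot: `ldapPassword: "ucctempldapstring"` commits a static bind password for `cn=admin,dc=swp-ldap,dc=internal` to version control, `tlsMode: "plain"` sends it unencrypted, and `caCert` carries the same placeholder string, so the connector runs as the directory admin over clear-text LDAP with a well-known credential. Move the password into the gotmpl as a reference into the environment's `secrets` values (next to the existing `univentionCorporateServer.ldapSearch` entries), bind with a least-privilege DN such as the search accounts used elsewhere in this commit if the listener only reads, and either supply a real CA with a TLS-enforcing mode or keep `tlsMode: "plain"` under an explicit `# TODO(security): plain LDAP + static admin password, tracked in <ticket>` note. `debugLevel: "5"` and `logLevel: "DEBUG"` should not be the checked-in default either, since connector logs at that level may include bind details. The existing `# current static password for UCC` comment acknowledges the problem; a ticket reference beside it would keep it from being forgotten.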
@@ -0,0 +1,69 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +repositories: + - name: "sovereign-workplace-certificates" + url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" + - name: "postgresql" + url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" + - name: "mariadb" + url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" + - name: "postfix" + url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" + - name: "istio-resources" + url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" + - name: "clamav" + url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" + - name: "bitnami" + url: "https://charts.bitnami.com/bitnami" + +releases: + - name: "sovereign-workplace-certificates" + chart: "sovereign-workplace-certificates/sovereign-workplace-certificates" + version: "^1.0.0" + values: + - "values-certificates.gotmpl" + condition: "certificates.enabled" + - name: "redis" + chart: "bitnami/redis" + version: "^17.9.3" + values: + - "values-redis.gotmpl" + - "values-redis.yaml" + condition: "redis.enabled" + - name: "postgresql" + chart: "postgresql/postgresql" + version: "^1.0.0" + values: + - "values-postgresql.yaml" + - "values-postgresql.gotmpl" + condition: "postgresql.enabled" + - name: "mariadb" + chart: "mariadb/mariadb" + version: "^1.0.0" + values: + - "values-mariadb.yaml" + - "values-mariadb.gotmpl" + condition: "mariadb.enabled" + - name: "postfix" + chart: "postfix/postfix" + version: "^1.0.0" + values: + - "values-postfix.yaml" + - "values-postfix.gotmpl" + condition: "postfix.enabled" + - name: "clamav" + chart: "clamav/sovereign-workplace-clamav" + version: "^2.0.0" + values: + - "values-clamav.gotmpl" + condition: "clamav.enabled" + - name: 
"sovereign-workplace-gateway" + chart: "istio-resources/istio-gateway" + version: "^1.1.0" + values: + - "values-istio-gateway.gotmpl" + condition: "istio.enabled" +bases: + - "../../bases/environments.yaml" +... diff --git a/helmfile/apps/services/values-certificates.gotmpl b/helmfile/apps/services/values-certificates.gotmpl new file mode 100644 index 00000000..ebcf43be --- /dev/null +++ b/helmfile/apps/services/values-certificates.gotmpl @@ -0,0 +1,21 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + +issuerRef: + name: "{{ .Values.certificate.issuerRef.name }}" + +{{- if .Values.istio.enabled }} +istio: + enabled: {{ .Values.istio.enabled }} + domain: {{ .Values.istio.domain }} + issuerRef: + name: "{{ .Values.istio.issuerRef.name }}" +{{- end }} +... diff --git a/helmfile/apps/services/values-clamav.gotmpl b/helmfile/apps/services/values-clamav.gotmpl new file mode 100644 index 00000000..e921f6d3 --- /dev/null +++ b/helmfile/apps/services/values-clamav.gotmpl 
@@ -0,0 +1,58 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +clamd: + podSecurityContext: + {{/* Disabled until NFS Provisioner on IONOS is fixed */}} + enabled: false + replicaCount: {{ .Values.replicas.clamd }} + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.clamd.repository }}" + tag: "{{ .Values.images.clamd.tag }}" + resources: + {{ .Values.resources.clamd | toYaml | nindent 4 }} + +freshclam: + podSecurityContext: + {{/* Disabled until NFS Provisioner on IONOS is fixed */}} + enabled: false + replicaCount: {{ .Values.replicas.freshclam }} + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.freshclam.repository }}" + tag: "{{ .Values.images.freshclam.tag }}" + resources: + {{ .Values.resources.freshclam | toYaml | nindent 4 }} + +global: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +icap: + replicaCount: {{ .Values.replicas.icap }} + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.icap.repository }}" + tag: "{{ .Values.images.icap.tag }}" + resources: + {{ .Values.resources.icap | toYaml | nindent 4 }} + +milter: + podSecurityContext: + {{/* Disabled until NFS Provisioner on IONOS is fixed */}} + enabled: false + replicaCount: {{ .Values.replicas.milter }} + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.milter.repository }}" + tag: "{{ .Values.images.milter.tag }}" + resources: + {{ .Values.resources.milter | toYaml | nindent 4 }} + +persistence: + storageClass: "{{ .Values.persistence.storageClassNames.RWX }}" + size: "{{ .Values.persistence.size.clamav }}" +... diff --git a/helmfile/apps/services/values-istio-gateway.gotmpl b/helmfile/apps/services/values-istio-gateway.gotmpl new file mode 100644 index 00000000..4ae828ab 
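Review bot: `podSecurityContext.enabled: false` is set on `clamd`, `freshclam` and `milter` with only a template comment `Disabled until NFS Provisioner on IONOS is fixed`, so these pods run without the chart's user/fsGroup restrictions on every target cluster, not just IONOS. Make the workaround conditional on the cluster, or at least turn the `{{/* */}}` comment into a tracked `# TODO(security): re-enable podSecurityContext once the IONOS NFS provisioner honours fsGroup`; `icap` keeps the default, which suggests the others can too once storage is fixed. The `persistence.storageClass` RWX volume shared by these pods is presumably what the security context conflicts with — worth stating in the comment.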
--- /dev/null +++ b/helmfile/apps/services/values-istio-gateway.gotmpl @@ -0,0 +1,13 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.istio.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + +tls: + secretName: "{{ .Values.istio.domain }}-tls" +... diff --git a/helmfile/apps/services/values-mariadb.gotmpl b/helmfile/apps/services/values-mariadb.gotmpl new file mode 100644 index 00000000..9040518c --- /dev/null +++ b/helmfile/apps/services/values-mariadb.gotmpl @@ -0,0 +1,40 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + repository: "{{ .Values.images.mariadb.repository }}" + tag: "{{ .Values.images.mariadb.tag }}" + +job: + users: + - username: "xwiki_user" + password: "{{ .Values.secrets.mariadb.xwikiUser }}" + - username: "openxchange_user" + password: "{{ .Values.secrets.mariadb.openxchangeUser }}" + - username: "nextcloud_user" + password: "{{ .Values.secrets.mariadb.nextcloudUser }}" + databases: + - name: "xwiki" + user: "xwiki_user" + - name: "nextcloud" + user: "nextcloud_user" + - name: "openxchange" + user: "openxchange_user" + +mariadb: + rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}" + +persistence: + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + size: "{{ .Values.persistence.size.mariadb }}" + +resources: + {{ .Values.resources.mariadb | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/services/values-mariadb.yaml b/helmfile/apps/services/values-mariadb.yaml new file mode 100644 index 00000000..299a80d8 --- /dev/null 
+++ b/helmfile/apps/services/values-mariadb.yaml @@ -0,0 +1,6 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +job: + enabled: true +... diff --git a/helmfile/apps/services/values-postfix.gotmpl b/helmfile/apps/services/values-postfix.gotmpl new file mode 100644 index 00000000..15e168db --- /dev/null +++ b/helmfile/apps/services/values-postfix.gotmpl @@ -0,0 +1,36 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +image: + url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}" + tag: "{{ .Values.images.postfix.tag }}" + +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} + +postfix: + domain: "{{ .Values.global.domain }}" + virtualMailboxDomains: "{{ .Values.global.domain }}" + overrides: + - fileName: "sasl_passwd.map" + content: + - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}" + relayHost: "[{{ .Values.smtp.host }}]:587" + +persistence: + size: "{{ .Values.persistence.size.postfix }}" + storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}" + +replicaCount: {{ .Values.replicas.postfix }} + +resources: + {{ .Values.resources.postfix | toYaml | nindent 2 }} + +ingress: + tls: + secretName: "{{ .Values.ingress.tls.secretName }}" +... diff --git a/helmfile/apps/services/values-postfix.yaml b/helmfile/apps/services/values-postfix.yaml new file mode 100644 index 00000000..df6a85f2 --- /dev/null +++ b/helmfile/apps/services/values-postfix.yaml 
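Review bot: In the `values-postfix.gotmpl` hunk on this line, the relay credentials are rendered into `postfix.overrides[].content` as `host user:password`, i.e. as an ordinary chart value; unless the postfix chart writes `overrides` into a Secret rather than a ConfigMap, the SMTP password becomes readable to anyone with ConfigMap read in the namespace and appears in `helm get values`. Confirm how the chart materialises overrides and, if it is a ConfigMap, use the chart's secret mechanism instead, with a comment such as `# sasl_passwd.map carries the relay password — must be stored in a Secret`. The matching `smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"` in `values-postfix.yaml` also implies the image runs `postmap` on that file, which this hunk cannot show.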
@@ -0,0 +1,24 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +postfix: + relayNets: "10.0.0.0/8" + virtualTransport: "lmtps:dovecot:24" + smtpdSASLPath: "inet:dovecot:3659" + smtpdMilters: "inet:clamav-milter:7357" + hostname: "postfix" + inetProtocols: "ipv4" + smtpSASLAuthEnable: "yes" + smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map" + smtpUseTLS: "yes" + smtpdSASLAuthEnable: "no" + smtpdSASLSecurityOptions: "noanonymous" + smtpdSASLType: "dovecot" + smtpdUseTLS: "yes" + smtpdTLSCertFile: "/etc/tls/tls.crt" + smtpdKeyFile: "/etc/tls/tls.key" + milterDefaultAction: "accept" + rspamdHost: "" + amavisHost: "" + amavisPortIn: "" +... diff --git a/helmfile/apps/services/values-postgresql.gotmpl b/helmfile/apps/services/values-postgresql.gotmpl new file mode 100644 index 00000000..2de22bf0 --- /dev/null +++ b/helmfile/apps/services/values-postgresql.gotmpl 
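Review bot: `relayNets: "10.0.0.0/8"` combined with `smtpdSASLAuthEnable: "no"` makes this Postfix an unauthenticated relay for every address in 10/8, which in a typical cluster covers all pods in all namespaces rather than only the mail-producing services; narrow `relayNets` to the pod/service CIDR actually used by the senders (or restrict port 25 with a NetworkPolicy) and add a comment stating why inbound SASL is disabled. `smtpUseTLS: "yes"` is the legacy opportunistic setting, so the relay credentials from `sasl_passwd.map` can be sent in clear text if STARTTLS is stripped on the path to the relay host; if the chart exposes the corresponding keys, prefer `smtp_tls_security_level = encrypt` and `smtp_sasl_tls_security_options = noanonymous` so authentication only happens inside TLS. `milterDefaultAction: "accept"` means mail is delivered unscanned whenever `clamav-milter` on port 7357 is unreachable — this is fail-open; use `tempfail` unless mail availability is deliberately prioritised over scanning, and record that decision in a comment above the key.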
@@ -0,0 +1,49 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: {{ .Values.global.imageRegistry }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + repository: "{{ .Values.images.postgresql.repository }}" + tag: "{{ .Values.images.postgresql.tag }}" + +job: + users: + - username: "keycloak_user" + password: {{ .Values.secrets.postgresql.keycloakUser }} + - username: "openproject_user" + password: {{ .Values.secrets.postgresql.openprojectUser }} + - username: "keycloak_extensions_user" + password: {{ .Values.secrets.postgresql.keycloakExtensionUser }} + - username: "matrix_user" + password: {{ .Values.secrets.postgresql.matrixUser }} + - username: "notificationsapi_user" + password: {{ .Values.secrets.postgresql.notificationsapiUser }} + databases: + - name: "keycloak" + user: "keycloak_user" + - name: "keycloak_extensions" + user: "keycloak_extensions_user" + - name: "openproject" + user: "openproject_user" + - name: "matrix" + user: "matrix_user" + additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0" + - name: "notificationsapi" + user: "notificationsapi_user" + +persistence: + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + size: "{{ .Values.persistence.size.postgresql }}" + +postgres: + password: {{ .Values.secrets.postgresql.postgresUser }} + +resources: + {{ .Values.resources.postgresql | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/services/values-postgresql.yaml b/helmfile/apps/services/values-postgresql.yaml new file mode 100644 index 00000000..9f92c2ad --- /dev/null +++ b/helmfile/apps/services/values-postgresql.yaml 
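Review bot: the `password:` values under `job.users` and `postgres.password` are rendered unquoted (`password: {{ .Values.secrets.postgresql.keycloakUser }}`), whereas the sibling values-mariadb.gotmpl wraps the same kind of value in double quotes; a derived value that happens to be all digits (or digits around a single `e`) would be re-typed by the YAML parser and the database user would end up with a different password than the one handed to the client charts. Quote them for consistency and safety, e.g. `password: {{ .Values.secrets.postgresql.keycloakUser | quote }}`, and do the same for `global.imageRegistry`. A comment above `postgres.password` such as `# PostgreSQL superuser credential — only the init job should use it` would stop readers from confusing it with the per-application users listed above it.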
@@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +enabled: true +job: + image: + digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73" + +postgres: + user: "postgres" +... diff --git a/helmfile/apps/services/values-redis.gotmpl b/helmfile/apps/services/values-redis.gotmpl new file mode 100644 index 00000000..53a0e101 --- /dev/null +++ b/helmfile/apps/services/values-redis.gotmpl @@ -0,0 +1,26 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +auth: + password: {{ .Values.secrets.redis.password }} + +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.redis.repository }}" + tag: "{{ .Values.images.redis.tag }}" + +master: + persistence: + size: "{{ .Values.persistence.size.redis }}" + + resources: + {{ .Values.resources.redis | toYaml | nindent 4 }} +... diff --git a/helmfile/apps/services/values-redis.yaml b/helmfile/apps/services/values-redis.yaml new file mode 100644 index 00000000..9dc3b61e --- /dev/null +++ b/helmfile/apps/services/values-redis.yaml @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +architecture: "standalone" + +sentinel: + enabled: false + +metrics: + enabled: false +... diff --git a/helmfile/apps/univention-corporate-container/helmfile.yaml b/helmfile/apps/univention-corporate-container/helmfile.yaml new file mode 100644 index 00000000..6e9f7148 --- /dev/null 
+++ b/helmfile/apps/univention-corporate-container/helmfile.yaml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +repositories: + - name: "univention-corporate-container" + url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" + +releases: + - name: "univention-corporate-container" + chart: "univention-corporate-container/univention-corporate-container" + version: "1.0.10" + values: + - "values.yaml" + - "values.gotmpl" + condition: "univentionCorporateServer.enabled" + +bases: + - "../../bases/environments.yaml" +... diff --git a/helmfile/apps/univention-corporate-container/values.gotmpl b/helmfile/apps/univention-corporate-container/values.gotmpl new file mode 100644 index 00000000..e3df256b --- /dev/null +++ b/helmfile/apps/univention-corporate-container/values.gotmpl 
@@ -0,0 +1,68 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + registry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + registry: "{{ .Values.global.imageRegistry }}" + imagePullPolicy: "Always" + repository: "{{ .Values.images.univentionCorporateServer.repository }}" + tag: "{{ .Values.images.univentionCorporateServer.tag }}" + +ingress: + host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + enabled: {{ .Values.ingress.enabled }} + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + tls: + enabled: {{ .Values.ingress.tls.enabled }} + secretName: "{{ .Values.ingress.tls.secretName }}" + +persistence: + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + size: "{{ .Values.persistence.size.univentionCorporateServer }}" + +extraEnvVars: + - name: ISTIO_DOMAIN + value: {{ .Values.istio.domain }} + - name: CENTRALNAVIGATION_API_SECRET + value: {{ .Values.secrets.centralnavigation.apiKey }} + - name: LDAPSEARCH_OX_USERNAME + value: "ldapsearch_ox" + - name: LDAPSEARCH_OX_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }} + - name: LDAPSEARCH_DOVECOT_USERNAME + value: "ldapsearch_dovecot" + - name: LDAPSEARCH_DOVECOT_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }} + - name: LDAPSEARCH_KEYCLOAK_USERNAME + value: "ldapsearch_keycloak" + - name: LDAPSEARCH_KEYCLOAK_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }} + - name: LDAPSEARCH_NEXTCLOUD_USERNAME + value: "ldapsearch_nextcloud" + - name: LDAPSEARCH_NEXTCLOUD_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }} 
+ - name: LDAPSEARCH_OPENPROJECT_USERNAME + value: "ldapsearch_openproject" + - name: LDAPSEARCH_OPENPROJECT_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }} + - name: LDAPSEARCH_XWIKI_USERNAME + value: "ldapsearch_xwiki" + - name: LDAPSEARCH_XWIKI_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }} + - name: DEFAULT_ACCOUNT_USER_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }} + - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD + value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }} + +resources: + {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/univention-corporate-container/values.yaml b/helmfile/apps/univention-corporate-container/values.yaml new file mode 100644 index 00000000..a481e72d --- /dev/null +++ b/helmfile/apps/univention-corporate-container/values.yaml @@ -0,0 +1,7 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +service: + nodePort: + enabled: false +... diff --git a/helmfile/apps/xwiki/helmfile.yaml b/helmfile/apps/xwiki/helmfile.yaml new file mode 100644 index 00000000..04f9b368 --- /dev/null +++ b/helmfile/apps/xwiki/helmfile.yaml 
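Review bot: every credential in `extraEnvVars` — the six `LDAPSEARCH_*_PASSWORD` values, `CENTRALNAVIGATION_API_SECRET`, and both `DEFAULT_ACCOUNT_*_PASSWORD` values — is rendered as a literal `value:` in the pod spec, so anyone with `get deployments` or `get pods` in the namespace can read them, and they are stored in clear in the Helm release record as well; the conventional fix is to keep them in a Secret and reference them with `valueFrom.secretKeyRef`. If the univention-corporate-container chart does not create such a Secret itself, a small Secret created ahead of this release (for example from a raw-manifest chart or a `presync` hook) can carry the keys; the chart's handling of `extraEnvVars` is not visible from this hunk, so confirm it passes `valueFrom` through unchanged. The values are also unquoted, unlike the quoted hostnames in the same file; quote the ones that stay as `value:` so a digit-only derivation is not re-typed.

```yaml
extraEnvVars:
  - name: ISTIO_DOMAIN
    value: "{{ .Values.istio.domain }}"
  - name: CENTRALNAVIGATION_API_SECRET
    valueFrom:
      secretKeyRef:
        name: "univention-corporate-server-credentials"  # example name; create alongside this release
        key: "centralnavigation-api-key"
  - name: LDAPSEARCH_OX_USERNAME
    value: "ldapsearch_ox"
  - name: LDAPSEARCH_OX_PASSWORD
    valueFrom:
      secretKeyRef:
        name: "univention-corporate-server-credentials"
        key: "ldapsearch-ox"
  # … unchanged pattern: remaining LDAPSEARCH_*_USERNAME values stay as value:, each *_PASSWORD and DEFAULT_ACCOUNT_* moves to secretKeyRef …
```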
@@ -0,0 +1,30 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +repositories: + - name: "xwiki" + url: "https://xwiki-contrib.github.io/xwiki-helm" + - name: "xwiki-init" + url: "https://gitlab.souvap-univention.de/api/v4/projects/136/packages/helm/stable" + +releases: + - name: "xwiki" + chart: "xwiki/xwiki" + version: "1.1.0" + wait: true + timeout: 600 + values: + - "values.yaml" + - "values.gotmpl" + condition: "xwiki.enabled" + - name: "xwiki-init" + chart: "xwiki-init/xwiki-init" + version: "1.2.0" + needs: + - "xwiki" + values: + - "values-init.gotmpl" + condition: "xwiki.enabled" +bases: + - "../../bases/environments.yaml" +... diff --git a/helmfile/apps/xwiki/values-init.gotmpl b/helmfile/apps/xwiki/values-init.gotmpl new file mode 100644 index 00000000..d6f6957e --- /dev/null +++ b/helmfile/apps/xwiki/values-init.gotmpl @@ -0,0 +1,20 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +xwiki: + url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/" + superadmin: + username: "superadmin" + password: {{ .Values.secrets.xwiki.superadminpassword | quote }} + +image: + repository: "{{ .Values.images.xwikiInit.repository }}" + tag: "{{ .Values.images.xwikiInit.tag }}" +... diff --git a/helmfile/apps/xwiki/values.gotmpl b/helmfile/apps/xwiki/values.gotmpl new file mode 100644 index 00000000..57df7812 --- /dev/null +++ b/helmfile/apps/xwiki/values.gotmpl 
@@ -0,0 +1,55 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +image: + url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}" + tag: "{{ .Values.images.xwiki.tag }}" + +externalDB: + password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}" + database: "{{ .Values.databases.xwiki.name }}" + user: "{{ .Values.databases.xwiki.username }}" + host: "{{ .Values.databases.xwiki.host }}" + +customConfigs: + "xwiki.cfg": + "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }} + "xwiki.properties": + "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth" + "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" + "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo" + "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" + "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki }} + "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }} + +properties: + "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain 
}}/univention/portal/icons/logos/domain.svg" + +ingress: + enabled: {{ .Values.ingress.enabled }} + className: "{{ .Values.ingress.ingressClassName }}" + annotations: + haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" + hosts: + - host: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" + paths: + - path: / + pathType: "ImplementationSpecific" + tls: + - secretName: "{{ .Values.ingress.tls.secretName }}" + hosts: + - "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" + +persistence: + size: "{{ .Values.persistence.size.xwiki }}" + storageClass: "{{ .Values.persistence.storageClassNames.RWO }}" + +replicaCount: {{ .Values.replicas.xwiki }} + +resources: + {{ .Values.resources.xwiki | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/xwiki/values.yaml b/helmfile/apps/xwiki/values.yaml new file mode 100644 index 00000000..7a891a8f --- /dev/null +++ b/helmfile/apps/xwiki/values.yaml 
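Review bot: `"oidc.secret"` and `"workplaceServices.portalSecret"` are rendered unquoted while `"xwiki.superadminpassword"` a few lines earlier uses `| quote`; apply `| quote` to both so the OIDC client secret and the portal API key cannot be re-typed or mis-parsed by YAML. Since `customConfigs` now carries the superadmin password, the OIDC client secret and the portal secret inside `xwiki.cfg` and `xwiki.properties`, confirm that the xwiki chart writes `customConfigs` into a Secret rather than a ConfigMap (not visible from this hunk) — if it is a ConfigMap, these credentials are readable by any principal with configmap read access in the namespace. `externalDB.password` falls back to `.Values.secrets.mariadb.xwikiUser` when `databases.xwiki.password` is empty; a comment such as `# databases.xwiki.password is blank by default, so the derived mariadb secret is used` would explain the `default` to the next reader.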
@@ -0,0 +1,62 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +image: + name: "git.xwikisas.com:5050/xwikisas/swp/xwiki" + tag: "0.4-mariadb-tomcat" + pullPolicy: "Always" + +ingress: + # enabled: true + annotations: + kubernetes.io/ingress.class: null + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "250m" + +istio: + enabled: false + +service: + externalPort: 80 + enabled: true + +mysql: + enabled: false + +postgresql: + enabled: false + +mariadb: + enabled: false + +properties: + "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg" + "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de" + "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-color": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-color": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color": "@brand-primary" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff" + "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff" + 
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; }'" + "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc" + +customConfigs: + xwiki.cfg: + xwiki.url.protocol: "https" + xwiki.properties: + oidc.scope: "openid,profile,email,address,phoenix" + oidc.endpoint.userinfo.method: "GET" + oidc.user.nameFormater: '${oidc.user.phoenixusername._lowerCase}' + oidc.user.subjectFormater: '${oidc.user.subject}' + oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype" + oidc.clientid: "xwiki" + oidc.endpoint.token.auth_method: "client_secret_basic" + oidc.skipped: false + oidc.logoutMechanism: "rpInitiated" +... diff --git a/helmfile/bases/environments.yaml b/helmfile/bases/environments.yaml new file mode 100644 index 00000000..fe5d9da9 --- /dev/null +++ b/helmfile/bases/environments.yaml @@ -0,0 +1,16 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +environments: + default: + values: + - "../../environments/default/*.gotmpl" + ionos: + values: + - "../../environments/default/*.gotmpl" + - "../../environments/ionos/values.yaml" + uv-develop: + values: + - "../../environments/default/*.gotmpl" + - "../../environments/uv-develop/values.yaml" +... diff --git a/helmfile/environments/default/certificate.gotmpl b/helmfile/environments/default/certificate.gotmpl new file mode 100644 index 00000000..64103c88 --- /dev/null +++ b/helmfile/environments/default/certificate.gotmpl 
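Review bot: the `nginx.ingress.kubernetes.io/ssl-redirect`, `force-ssl-redirect` and `proxy-body-size` annotations are ingress-nginx specific, but the default environment sets `ingress.ingressClassName: "cilium"` (ingress.gotmpl) and the companion values.gotmpl adds a `haproxy-ingress.github.io/headers` annotation; on the configured controller the nginx annotations are ignored, so plain-HTTP requests to the wiki host are not redirected to HTTPS and the body-size limit is not applied. Either enforce the redirect with the controller actually in use or remove the dead annotations, and state in a comment which controller the remaining ones target. `kubernetes.io/ingress.class: null` clears a deprecated annotation while `className` is set in the gotmpl — a comment like `# legacy annotation cleared on purpose; the class is set via ingress.className` would make the intent clear. `pullPolicy: "Always"` on the fixed `0.4-mariadb-tomcat` tag means the image can change under the release; consider pinning by digest.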
@@ -0,0 +1,9 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +certificate: + issuerRef: + name: "letsencrypt-prod" +... diff --git a/helmfile/environments/default/database.gotmpl b/helmfile/environments/default/database.gotmpl new file mode 100644 index 00000000..dd93d1ca --- /dev/null +++ b/helmfile/environments/default/database.gotmpl @@ -0,0 +1,40 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +databases: + keycloak: + name: "keycloak" + host: "postgresql" + port: 5432 + username: "keycloak_user" + password: "" + keycloakExtension: + name: "keycloak_extensions" + host: "postgresql" + port: 5432 + username: "keycloak_extensions_user" + password: "" + nextcloud: + name: "nextcloud" + host: "mariadb" + username: "nextcloud_user" + password: "" + openproject: + name: "openproject" + host: "postgresql" + port: 5432 + username: "openproject_user" + password: "" + oxAppsuite: + host: "mariadb" + name: "CONFIGDB" + username: "root" + password: "" + xwiki: + name: "xwiki" + host: "mariadb" + username: "xwiki_user" + password: "" +... diff --git a/helmfile/environments/default/global.gotmpl b/helmfile/environments/default/global.gotmpl new file mode 100644 index 00000000..38f47d82 --- /dev/null +++ b/helmfile/environments/default/global.gotmpl 
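Review bot: `databases.oxAppsuite` connects OX App Suite to MariaDB as `username: "root"`, although values-mariadb.gotmpl already provisions a dedicated `openxchange_user` with its own `openxchange` database; running an application as the database superuser means a compromise of OX yields every other application's data (nextcloud, xwiki) on the same instance. If OX needs to create its own databases at install time (`CONFIGDB` is named here), grant `openxchange_user` the specific privileges required instead of reusing root, and document the requirement in a comment above the entry. The empty `password: ""` fields are filled elsewhere (the xwiki values fall back to `.Values.secrets.mariadb.xwikiUser`); a comment such as `# empty on purpose: resolved from secrets.* at render time` would prevent someone from reading them as real blank passwords.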
@@ -0,0 +1,48 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +## The global properties are used to configure multiple charts at once. +# +global: + + ## Define ingress/virtualservice host. + # + hosts: + collabora: "collabora" + dimension: "integration" + element: "ucc" + etherpad: "etherpad" + intercomService: "ics" + jitsi: "av" + jitsiPlain: "jitsi" + keycloak: "id" + meetingWidgetsBot: "meeting-widgets-bot" + meetingWidgets: "meeting-widgets" + newWorkBoardWidget: "whiteboard-widget" + moodle: "learn" + nextcloud: "fs" + openproject: "project" + openxchange: "webmail" + openxchangeProvisioning: "ox-provisioning" + pollWidget: "poll-widget" + synapse: "matrix" + univentionCorporateServer: "portal" + whiteboard: "whiteboard" + xwiki: "wiki" + + ## Define host + # + domain: {{ env "DOMAIN" | default "souvap-univention.de" }} + + ## Define docker registry address. + # + imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace" + + ## Credentials to fetch images from private registry + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # + imagePullSecrets: + - "external-registry" +... diff --git a/helmfile/environments/default/images.gotmpl b/helmfile/environments/default/images.gotmpl new file mode 100644 index 00000000..74dafacf --- /dev/null +++ b/helmfile/environments/default/images.gotmpl 
@@ -0,0 +1,92 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +images: + clamd: + repository: "clamav/clamav" + tag: "1.1.0_base" + collabora: + repository: "souvap/tooling/images/collabora" + tag: "23.05.1.2.1" + dovecot: + repository: "dovecot/dovecot" + tag: "2.3.20" + freshclam: + repository: "clamav/clamav" + tag: "1.1.0_base" + jibri: + repository: "jitsi/jibri" + tag: "stable-8615" + jicofo: + repository: "jitsi/jicofo" + tag: "stable-8615" + jitsi: + repository: "jitsi/web" + tag: "stable-8615" + jitsiKeycloakAdapter: + repository: "nordeck/jitsi-keycloak-adapter" + tag: "v20230425" + jitsiPatchJVB: + repository: "bitnami/kubectl" + tag: "1.26.6" + jvb: + repository: "jitsi/jvb" + tag: "stable-8615" + icap: + repository: "/souvap/tooling/images/c-icap/c-icap-clamav" + tag: "1.0.4" + intercom: + repository: "univention/intercom-service" + tag: "1.4-kubernetes" + keycloak: + repository: "bitnami/keycloak" + tag: "19.0.3-debian-11-r15" + digest: "" + keycloakBootstrap: + repository: "souvap/tooling/images/ansible" + tag: "4.10.0" + keycloakExtension: + repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy" + tag: "latest" + mariadb: + repository: "mariadb" + tag: "10" + memcached: + repository: "bitnami/memcached" + tag: "1.6.21-debian-11-r4" + milter: + repository: "clamav/clamav" + tag: "1.1.0_base" + nextcloud: + repository: "nextcloud" + tag: "26.0.1-apache" + openproject: + repository: "souvap/tooling/images/openproject/souvap" + tag: "dev" + oxConnector: + repository: "souvap/tooling/images/ox-connector/ox-connector-standalone" + tag: "tilt-56c67cc45d91a3a6" + postfix: + repository: "souvap/tooling/images/postfix" + tag: "1.0.0" + postgresql: + repository: "postgres" + tag: "15-alpine" + prosody: + repository: "jitsi/prosody" + tag: "stable-8615" + redis: + repository: "bitnami/redis" + tag: "7.0.12-debian-11-r0" 
+ univentionCorporateServer: + repository: "souvap/tooling/images/univention-corporate-server-swp/ucs" + tag: "20230719T143819" + xwiki: + repository: "xwikisas/swp/xwiki" + tag: "0.4-mariadb-tomcat" + xwikiInit: + repository: "curlimages/curl" + tag: "8.1.2" +... diff --git a/helmfile/environments/default/ingress.gotmpl b/helmfile/environments/default/ingress.gotmpl new file mode 100644 index 00000000..9062cd66 --- /dev/null +++ b/helmfile/environments/default/ingress.gotmpl @@ -0,0 +1,12 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +ingress: + enabled: true + ingressClassName: "cilium" + tls: + enabled: true + secretName: "sovereign-workplace-certificates-tls" +... diff --git a/helmfile/environments/default/istio.gotmpl b/helmfile/environments/default/istio.gotmpl new file mode 100644 index 00000000..c995c9d3 --- /dev/null +++ b/helmfile/environments/default/istio.gotmpl @@ -0,0 +1,15 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +istio: + enabled: true + domain: {{ env "ISTIO_DOMAIN" | default "souvap-univention.de" }} + virtualService: + enabled: false + gateway: + enabled: true + issuerRef: + name: "letsencrypt-istio-prod" +... diff --git a/helmfile/environments/default/persistence.gotmpl b/helmfile/environments/default/persistence.gotmpl new file mode 100644 index 00000000..edb6e0bd --- /dev/null +++ b/helmfile/environments/default/persistence.gotmpl 
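Review bot: several images are referenced by mutable tags — `keycloakExtension.tag: "latest"`, `openproject.tag: "dev"`, `oxConnector.tag: "tilt-56c67cc45d91a3a6"`, `mariadb.tag: "10"` — so the deployed software changes without any change to this repository, which defeats reproducibility and supply-chain review; pin them to release tags or, better, add digests the way `keycloak.digest` is already structured (and fill in that currently empty `digest: ""`). `icap.repository` is the only entry with a leading slash (`"/souvap/tooling/images/c-icap/c-icap-clamav"`); if it is joined to the registry like the postfix image (`{{ registry }}/{{ repository }}`), the reference contains `//` and the pull fails or resolves unexpectedly, so drop the slash. A header comment stating the pinning policy, e.g. `# Tags must be immutable release tags; set digest: for images pulled from third-party registries`, would help reviewers catch regressions like these.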
@@ -0,0 +1,24 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +persistence: + storageClassNames: + RWX: "csi-cephfs-sc" + RWO: "csi-rbd-sc" + size: + clamav: "1Gi" + dovecot: "1Gi" + mariadb: "1Gi" + nextcloud: + main: "1Gi" + data: "10Gi" + openproject: "1Gi" + postfix: "1Gi" + postgresql: "1Gi" + prosody: "1Gi" + redis: "1Gi" + univentionCorporateServer: "1Gi" + xwiki: "1Gi" +... diff --git a/helmfile/environments/default/replicas.gotmpl b/helmfile/environments/default/replicas.gotmpl new file mode 100644 index 00000000..74b46209 --- /dev/null +++ b/helmfile/environments/default/replicas.gotmpl @@ -0,0 +1,23 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +replicas: + clamd: 1 + collabora: 1 + dovecot: 1 + freshclam: 1 + icap: 1 + jibri: 1 + jicofo: 1 + jitsi: 1 + jitsiKeycloakAdapter: 1 + jvb: 1 + keycloak: 1 + milter: 1 + nextcloud: 1 + openproject: 1 + postfix: 1 + xwiki: 1 +... diff --git a/helmfile/environments/default/resources.gotmpl b/helmfile/environments/default/resources.gotmpl new file mode 100644 index 00000000..0ded3826 --- /dev/null +++ b/helmfile/environments/default/resources.gotmpl 
@@ -0,0 +1,176 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +resources: + clamd: + limits: + cpu: 4 + memory: "4Gi" + requests: + cpu: 0.1 + memory: "2Gi" + dovecot: + limits: + cpu: 0.5 + memory: "0.25Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + freshclam: + limits: + cpu: 1 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + icap: + limits: + cpu: 2 + memory: "4Gi" + requests: + cpu: 0.1 + memory: "2Gi" + jibri: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + jicofo: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + jitsi: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + jitsiKeycloakAdapter: + limits: + cpu: "100m" + memory: "128Mi" + requests: + cpu: "10m" + memory: "16Mi" + jvb: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + keycloak: + limits: + cpu: 2 + memory: "2Gi" + requests: + cpu: 0.1 + memory: "0.75Gi" + keycloakExtension: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + keycloakBootstrap: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.25Gi" + keycloakProxy: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + mariadb: + limits: + cpu: 2 + memory: "2Gi" + requests: + cpu: 0.1 + memory: "0.5Gi" + milter: + limits: + cpu: 4 + memory: "4Gi" + requests: + cpu: 0.1 + memory: "2Gi" + nextcloud: + limits: + cpu: 2 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "0.5Gi" + openproject: + limits: + cpu: 2 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "0.25Gi" + oxConnector: + limits: + cpu: 2 + memory: "2Gi" + requests: + cpu: 0.1 + memory: "0.25Gi" + postfix: + limits: + cpu: 0.5 + memory: "0.25Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + postgresql: + limits: + cpu: 2 + memory: "1Gi" + requests: + cpu: 0.1 + 
memory: "0.25Gi" + prosody: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + redis: + limits: + cpu: 1 + memory: "0.5Gi" + requests: + cpu: 0.1 + memory: "0.1Gi" + univentionCorporateServer: + limits: + cpu: 2 + memory: "4Gi" + requests: + cpu: 0.5 + memory: "1Gi" + xwiki: + limits: + cpu: 2 + memory: "8Gi" + requests: + cpu: 0.1 + memory: "6Gi" + +... diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl new file mode 100644 index 00000000..3abc14e8 --- /dev/null +++ b/helmfile/environments/default/secrets.gotmpl 
@@ -0,0 +1,88 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+secrets:
+ oxAppsuite:
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum) }}
+ cookieHashSalt: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum) }}
+ sessiondEncryptionKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum) }}
+ shareCryptKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum) }}
+ oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
+ oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
+ univentionCorporateServer:
+ authSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum) }}
+ defaultAccounts:
+ userPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum) }}
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum) }}
+ ldapSearch:
+ keycloak: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum) }}
+ nextcloud: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum) }}
+ dovecot: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum) }}
+ ox: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum) }}
+ openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
+ xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
+ postgresql:
+ postgresUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum) }}
+ keycloakUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum) }}
+ keycloakExtensionUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum) }}
+ matrixUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum) }}
+ openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum) }}
+ notificationsapiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum) }}
+ mariadb:
+ rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum) }}
+ xwikiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum) }}
+ openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum) }}
+ nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum) }}
+ keycloak:
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum) }}
+ clientSecret:
+ intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
+ matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
+ jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+ ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
+ openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
+ xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
+ as8oidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum) }}
+ nextcloud:
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum) }}
+ metricsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum) }}
+ openproject:
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum) }}
+ collabora:
+ adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
+ jitsi:
+ synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
+ synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
+ jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
+ componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
+ jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
+ jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
+ jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
+ jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
+ rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
+ conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
+ jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
+ jitsiPlain:
+ jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
+ jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
+ jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
+ jicofoAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum) }}
+ jicofoComponentPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum) }}
+ jvbAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum) }}
+ etherpad:
+ apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
+ whiteboard:
+ apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
+ centralnavigation:
+ apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum) }}
+ redis:
+ password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum) }}
+ dovecot:
+ doveadm: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum) }}
+ xwiki:
+ superadminpassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum) }}
+ intercom:
+ secret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum) }}
+...
diff --git a/helmfile/environments/default/smtp.gotmpl b/helmfile/environments/default/smtp.gotmpl
new file mode 100644
index 00000000..3b528274
--- /dev/null
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -0,0 +1,10 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+smtp:
+ host: "mail.brained.io"
+ username: "relay@souvap-univention.de"
+ password: "{{ env "SMTP_PASSWORD" }}"
+...
diff --git a/helmfile/environments/default/turn.gotmpl b/helmfile/environments/default/turn.gotmpl
new file mode 100644
index 00000000..710a9cfb
--- /dev/null
+++ b/helmfile/environments/default/turn.gotmpl
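Review bot: Every derived secret in this hunk falls back to the literal `"sovereign-workplace"` when `MASTER_PASSWORD` is unset, so a deployment that never sets the variable ends up with credentials that anyone holding this repository can recompute from the visible `derivePassword` site/key pairs; replacing `(env "MASTER_PASSWORD" | default "sovereign-workplace")` with `(requiredEnv "MASTER_PASSWORD")` makes a missing master password a render error instead, and the same `default` fallback appears in `workplace.gotmpl` in the hunk below. Two smaller defects in the same hunk: `whiteboard.apiKey` reuses the `"etherpad" "apiKey"` pair and is therefore byte-identical to `etherpad.apiKey` (presumably `"whiteboard" "apiKey"` was intended), and `oxguardMC`/`oxguardRC` come from `randAlphaNum`, so unlike everything else here they change on every render — if those values must stay stable across applies, derive them like the rest or source them from a secret store. The site name `jistiStandalone` reads like a typo for `jitsiStandalone`; correcting it changes every value derived under it, so it should be done before the first real deployment or not at all. Piping the derived values through `| quote`, as `oxguardMC` already does, would also keep a 40-character hex digest from ever being retyped by the YAML loader.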
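Review bot: `password: "{{ env "SMTP_PASSWORD" }}"` renders to an empty string when the variable is unset, so the relay credentials for `relay@souvap-univention.de` silently become blank instead of failing the render; `password: "{{ requiredEnv "SMTP_PASSWORD" }}"` turns that into an error at render time. The relay host and username are fixed in the `default` environment, which is presumably meant to be inherited by every other environment; a one-line comment above `smtp:` such as `# Shared relay; override host/username per environment if needed` would make that intent explicit.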
@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+turn:
+ transport: "udp"
+ credentials: "{{ env "TURN_CREDENTIALS" }}"
+ server:
+ host: "turn.develop.souvap-univention.de"
+ port: "3478"
+ tls:
+ host: "turn.develop.souvap-univention.de"
+ port: "5349"
+
+...
diff --git a/helmfile/environments/default/workplace.gotmpl b/helmfile/environments/default/workplace.gotmpl
new file mode 100644
index 00000000..b214f85a
--- /dev/null
+++ b/helmfile/environments/default/workplace.gotmpl
@@ -0,0 +1,42 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}
+
+certificates:
+ enabled: true
+clamav:
+ enabled: true
+collabora:
+ enabled: true
+dovecot:
+ enabled: true
+intercom:
+ enabled: true
+jitsi:
+ enabled: true
+keycloak:
+ enabled: true
+mariadb:
+ enabled: true
+nextcloud:
+ enabled: true
+openproject:
+ enabled: true
+oxAppsuite:
+ enabled: true
+oxConnector:
+ enabled: true
+postfix:
+ enabled: true
+postgresql:
+ enabled: true
+redis:
+ enabled: true
+univentionCorporateServer:
+ enabled: true
+xwiki:
+ enabled: true
+...
diff --git a/helmfile/environments/ionos/values.yaml b/helmfile/environments/ionos/values.yaml
new file mode 100644
index 00000000..49e7f881
--- /dev/null
+++ b/helmfile/environments/ionos/values.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+ ingressClassName: "dedicated-haproxy-external"
+
+persistence:
+ storageClassNames:
+ RWX: "nfs-client"
+ RWO: "ionos-enterprise-ssd"
+...
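Review bot: `credentials: "{{ env "TURN_CREDENTIALS" }}"` has the same silent-empty behaviour as the SMTP password in the previous file: an unset variable renders an empty credential rather than failing, so `credentials: "{{ requiredEnv "TURN_CREDENTIALS" }}"` is the safer form. Both `server.host` and `tls.host` are pinned to `turn.develop.souvap-univention.de` inside the `default` environment, which presumably means every other environment points at the develop TURN server unless it overrides both keys; a comment stating that, or deriving the host from the cluster domain the way the rest of the deployment is parameterised, would avoid surprises.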
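Review bot: `masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}` is emitted unquoted, so a passphrase containing `: ` or ` #`, starting with `*`, `&`, `[` or `{`, or consisting only of digits is mis-parsed or retyped by the YAML loader; `masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}` keeps it a string whatever it contains. Because this line carries the master passphrase itself into the release values, it stays readable afterwards through the release's stored values (e.g. `helm get values`), which is worth a comment here if that exposure is intended.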
diff --git a/helmfile/environments/uv-develop/values.yaml b/helmfile/environments/uv-develop/values.yaml
new file mode 100644
index 00000000..b8962094
--- /dev/null
+++ b/helmfile/environments/uv-develop/values.yaml
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+ ingressClassName: "nginx"
+
+...