feat(sovereign-workplace): Initial commit

This commit is contained in:
Dominik Kaminski
2023-07-20 10:25:23 +02:00
commit 533c5040fa
78 changed files with 5099 additions and 0 deletions

4
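--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+.vscode
+.idea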

323
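--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,323 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stages:
+- "env-cleanup"
+- "env"
+- "basic-services-deploy"
+- "component-deploy"
+- "component-bootstrap"
+- "ucs-post-bootstrap"
+- "run-tests"
+- "env-stop"
+variables:
+NAMESPACE:
+description: "The name of namespaces to deploy to."
+value: ""
+CLUSTER:
+description: "Define which cluster to use - don't select prototype when you are not explicitly knowing what you are doing!"
+value: "develop"
+options:
+- "develop"
+- "hubble"
+- "dataport-dev"
+- "prototype"
+TLD:
+description: "Define the Cluster Domain (TLD)."
+value: "souvap-univention.de"
+options:
+- "souvap-univention.de"
+- "at-univention.de"
+- "souvap.cloud"
+MASTER_PASSWORD:
+description: "Optional: Provide a passphrase to be used for password generation."
+value: "sovereign-workplace"
+ENV_STOP_BEFORE:
+description: "Stop environment/delete namespace for the deployment"
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_ALL_COMPONENTS:
+description: "Enable all component deployment (overwrites 'no' setting on component level)."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_SERVICES:
+description: "Enable Service deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_UCS:
+description: "Enable Univention Corporate Server deployment. Depends on `DEPLOY_KEYCLOAK` and `DEPLOY_VAULT`."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_PROVISIONING:
+description: "Enable Provisioning Components."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_COLLABORA:
+description: "Enable Collabora deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_KEYCLOAK:
+description: "Enable Keycloak deployment. 'yes' deploys upstream (bitnami) Keycloak, select 'keycloak_univention' to install Univention maintained Keycloak."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_OX:
+description: "Enable OX AppSuite8 deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_ICS:
+description: "Enable ICS deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_XWIKI:
+description: "Enable XWiki deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_NEXTCLOUD:
+description: "Enable Nextcloud deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_OPENPROJECT:
+description: "Enable OpenProject deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+DEPLOY_JITSI:
+description: "Enable Jitsi deployment."
+value: "no"
+options:
+- "yes"
+- "no"
+# please use the following set of variables with normalized names:
+DOMAIN: "${NAMESPACE}.${CLUSTER}.${TLD}"
+ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${TLD}"
+.deploy-common:
+cache: {}
+dependencies: []
+image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
+secrets:
+SMTP_PASSWORD:
+vault:
+engine:
+name: "kv-v2"
+path: "swp"
+path: "accounts/brained/mail/relay@souvap-univention.de"
+field: "password"
+file: false
+TURN_CREDENTIALS:
+vault:
+engine:
+name: "kv-v2"
+path: "swp"
+path: "accounts/souvap-univention.de/develop/turn/secret"
+field: "credentials"
+file: false
+script:
+- cd "${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
+# Match Cluster to helmfile environments
+- |
+if [ "${CLUSTER}" = "develop" ]; then
+export HELMFILE_ENVIRONMENT=uv-develop
+elif [ "${CLUSTER}" = "prototype" ]; then
+export HELMFILE_ENVIRONMENT=uv-develop
+elif [ "${CLUSTER}" = "hubble" ]; then
+export HELMFILE_ENVIRONMENT=default
+elif [ "${CLUSTER}" = "dataport-dev" ]; then
+export HELMFILE_ENVIRONMENT=ionos
+else
+echo "Unsupported cluster chosen: ${CLUSTER}"
+exit 1
+fi;
+- echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}"
+- helmfile --namespace ${NAMESPACE} apply --suppress-diff
+tags:
+- "docker"
+- "kubernetes"
+- "${CLUSTER}"
+env-cleanup:
+extends: ".deploy-common"
+environment:
+name: "${NAMESPACE}"
+action: "stop"
+needs: []
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $ENV_STOP_BEFORE != "no"
+when: "always"
+script:
+- "helmfile destroy --namespace ${NAMESPACE}"
+- "kubectl delete pvc --all --namespace ${NAMESPACE}"
+stage: "env-cleanup"
+env-start:
+environment:
+name: "${NAMESPACE}"
+url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+on_stop: "env-stop"
+extends: ".deploy-common"
+image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/
+when: "always"
+script:
+- 'echo "Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster"'
+- "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
+- >
+kubectl create secret
+--namespace "${NAMESPACE}"
+docker-registry external-registry
+--docker-server "external-registry.souvap-univention.de"
+--docker-username sovereign-workplace
+--docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
+--dry-run=client -o yaml | kubectl apply -f -
+stage: "env"
+services-deploy:
+stage: "basic-services-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
+when: always
+variables:
+COMPONENT: "services"
+ucs-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
+when: always
+variables:
+COMPONENT: "univention-corporate-container"
+provisioning-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no")
+when: always
+variables:
+COMPONENT: "provisioning"
+keycloak-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
+when: always
+variables:
+COMPONENT: "keycloak"
+keycloak-bootstrap-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+timeout: 30m
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
+when: always
+variables:
+COMPONENT: "keycloak-bootstrap"
+ox-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OX != "no")
+when: always
+variables:
+COMPONENT: "open-xchange"
+ics-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no")
+when: always
+variables:
+COMPONENT: "intercom-service"
+xwiki-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_XWIKI != "no")
+when: always
+variables:
+COMPONENT: "xwiki"
+collabora-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_COLLABORA != "no")
+when: always
+variables:
+COMPONENT: "collabora"
+nextcloud-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no")
+when: always
+variables:
+COMPONENT: "nextcloud"
+openproject-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OPENPROJECT != "no")
+when: always
+variables:
+COMPONENT: "openproject"
+jitsi-deploy:
+stage: "component-deploy"
+extends: ".deploy-common"
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_JITSI != "no")
+when: always
+variables:
+COMPONENT: "jitsi"
+env-stop:
+extends: ".deploy-common"
+environment:
+name: "${NAMESPACE}"
+action: "stop"
+image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+needs: []
+rules:
+- if: $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/
+when: "manual"
+script:
+- "echo 'We do not stop the env (delete the namespace) at the moment in this stage, as deleting a branches also triggers this env-stop stage and we do not want this to happen.'"
+# - kubectl delete namespace "${NAMESPACE}"
+stage: "env-stop"
+variables:
+GIT_STRATEGY: "none"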
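Review bot: `env-start` sets `environment.url` to `https://portal.${NAMESPACE}.${SWP_DOMAIN}`, but `SWP_DOMAIN` is declared nowhere in this file; the normalized variable introduced under `variables` is `DOMAIN` (`${NAMESPACE}.${CLUSTER}.${TLD}`), so the environment link renders with an empty suffix unless the value comes from group or project settings. If `DOMAIN` (which already contains the namespace) is the intended value, the line should read `url: "https://portal.${DOMAIN}"`. Separately, `MASTER_PASSWORD` ships with the published default `sovereign-workplace` and its description says generated passwords derive from it, so every pipeline run that keeps the default produces predictable service credentials; a comment next to the variable such as `# Default is only for throwaway dev namespaces - set a per-environment value in the CI/CD settings` would record that. The `rules:if` expressions also compare `$CI_PIPELINE_SOURCE =~ "web|schedules|triggers"` against a quoted string rather than a `/…/` regex literal; verify on the GitLab version in use that this is evaluated as a pattern and not as a plain string, since in the latter case no job in this file would ever run.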

28
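--- a/COMPONENTS-FUNCTIONAL.md
+++ b/COMPONENTS-FUNCTIONAL.md
@@ -0,0 +1,28 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+**Content / Quick navigation**
+[[_TOC_]]
+# Functional Components
+Functional components are the core of the SWP as they provide it's rich functionaly. We use the community versions of the named products. For production environments please use enterprise versions for support and scalabiliy reasons.
+## Groupware - Open-Xchange AppSuite
+## WebOffice - Collabora Development Edition
+## File & Share - Nextcloud
+## Kollaboration - dOnlineZusammenarbeit 2.0
+## Videokonferenzen - Jitsi
+## Knowledge Management - XWiki
+## Project Management - OpenProject
+## IAM - Univention Corporate Services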

62
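--- a/COMPONENTS-SERVICE.md
+++ b/COMPONENTS-SERVICE.md
@@ -0,0 +1,62 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+**Content / Quick navigation**
+[[_TOC_]]
+# Service Components
+Service components are required to operate the SWP. The deployment automation contains a full set of service components in order for the deployment to be self contained. But please be aware that the components are not ment to be used in production scenarios. Check out the service components details to understand how to make use of external services in case you want to setup production environments.
+## Database - MariaDB
+This services is used by:
+- Nextcloud
+- Open-Xchange
+- XWiki
+## Database - PostgreSQL
+This services is used by:
+- Keycloak
+- OpenProject
+## Redis
+This service is used by:
+- Intercom-Service
+- Nextcloud
+## Postfix
+This service is used by:
+- Keycloak (e.g. new device login notification)
+- Nextcloud (e.g. share file notifictions)
+- Open-Xchange (emails)
+- OpenProject (general notifications)
+- UCS (e.g. password reset emails)
+- XWiki (e.g. change notifications)
+## TURN Server
+- dOZ 2.0
+- Jitsi
+## NFS
+[remove this as it should be addressed by the RWX prerequsite!?]
+This service is used by
+- Dovecot
+- Nextcloud
+## ICAP
+This service is used by
+- Nextcloud
+- Open-Xchange
+## Objectstore - MinIO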

57
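--- a/CONTRIBUTE.md
+++ b/CONTRIBUTE.md
@@ -0,0 +1,57 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+# How to contribute?
+When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+# Standards and conventions
+## Branching
+We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+## Verified commits
+We only allow verify commits:
+- https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
+- https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
+- https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
+## Approval
+MRs require one approval from the SouvAP devops team with security clearance.
+## Conventional Commits
+See https://www.conventionalcommits.org/en/v1.0.0/#summary for reference.
+Commits that do not adhere to the standard might be rejected.
+## Semantic Release
+See https://github.com/semantic-release/semantic-release for reference.
+## Linting
+Following linters must pass:
+- [yaml-lint](https://github.com/adrienverge/yamllint)
+- [helm-lint](https://helm.sh/docs/helm/helm_lint/)
+## Helm vs. Operators vs. Manifests
+Due to DVS requirements:
+- we have to use [Helm charts](https://helm.sh/) (that can consist of Manifests).
+- we should avoid stand alone Manifests.
+- we do not use Operators.
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+## Tooling
+We should not introduce a new tool without sharing the purpose with the team and let the team decide if the tool should be used.
+We should avoid adding unnecessary complexity.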

14
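--- a/LICENSES/Apache-2.0.txt
+++ b/LICENSES/Apache-2.0.txt
@@ -0,0 +1,14 @@
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat,
+PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.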

207
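--- a/README.md
+++ b/README.md
@@ -0,0 +1,207 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+**Content / Quick navigation**
+[[_TOC_]]
+# Disclaimer July 2023
+The current state of the SouvAP is missing two components that are not yet generally available to the public also outside the SouvAP (Element Starter Edition and Open-Xchange App Suite 8), and contains components that will be replaced (e.g. UCS container monolith with multiple Univention Management Stack containers). We not only expect upstream updates of the functional components within their feature scope but we are going to address operational issues like monitoring and network policies.
+Of course we will extend the documentation
+# The Sovereign Workplace (SWP)
+The SWP's runtime environment is [Kubernetes](https://kubernetes.io/), often written in it's short form "K8s".
+While not all components are perfectly shaped for the execution as containers, one of the projects objectives is the make the applications more aligned with best practise when it comes to container design and operations.
+This documentation gives you - hopefully - all you need to setup your own instance of the SWP. You should have at least basic knowledge Kubernetes and Devops knowledge.
+To have an overview of what can be found at Open CoDE and the basic components of the SWP, please check out the [OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
+Especially check out the section ["Mitwirkung und Beteiligung"](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#mitwirkung-und-beteiligung) if you are missing something or you have questions. We appreciate your feedback to improve product and documentation.
+## Prerequisites
+You have to take care about the following prerequisites in order to deploy the SWP:
+- Vanilla K8s cluster
+- Domain and DNS Service [ToDo: manual setup docu with * record...]
+- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy and Cillium)
+- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and [HelmDiff](https://github.com/databus23/helm-diff)
+- Volume provisioner supporting RWO (read-write-once) and RWX (read-write-many)
+- Certificate handling with [cert-manager](https://cert-manager.io/)
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are working with Open-Xchange to get rid of this component.
+### Feature based prerequisites
+- An external SMTP relay/gateway for sending mails from various components
+- PKI / CI for Open-Xchange AppSuite S/MIME feature
+- STUN/TURN server
+#
+- Domain and cert management (table with all hostnames we need to set (`<function>.<domain>`), reference to cert-manager, manual requires in DNS service)
+- Parametrisierungsdoku
+- Service components
+- Environments (ingress & storage definitions)
+- Secrets (and "upstream" input secrets)
+[ggf. später]
+- Debugging (explain the centralized debugging values and provide additional debugging info for each component - when available. Explain that the midterm goal is to have distroless containers!)
+- Functional Components
+- Service Components
+- CONTRIBUTE.md
+## Self contained deployment
+We differenciate between
+- functional components (e.g. Fileshare, Groupware, IAM etc.) that are the actual focus of the SWP and
+- service components (e.g. databases, storage) that are available within this deployment as well in order to make it self-contained. But in other than dev, test and demo scenarios we expect service components to be provided externally by the operator.
+**DEV-REQUIREMENT**: A functional component that makes use of a service component has to support a config option that allows the use of an external service and skips the installation of the given service component within the deployment, as long as no other functional compontent still relies on that service component.
+## CI based deployment
+**Note: Please only deploy components you need for your developmet, as the full stack is quite resource hungry and we have limited resources. There is a nightly (namespace `nighly`) build from `main` on the `develop` cluster with all components enabled.**
+**Note: Currently Gitlab sometimes does not load the configures pipeline variables as expected, so if you don't see any predefined variables on the pipelines mentioned in this document you want to reload the page in order to ensure there aren't any variables. It works on reload in 99% of the cases.**
+- Please use the `develop` cluster unless you are explicitly advised to use another cluster.
+- Install prerequisites and gain access to the cluster following the instructions here: https://gitlab.souvap-univention.de/groups/souvap/devops/-/wikis/deployment/K8s-cluster
+- In order to deploy an instance of the SWP with selected components by running the pipeline of this project you need to request a certificate first by executing this pipeline: https://gitlab.souvap-univention.de/souvap/infrastructure/k8s-certificates/-/pipelines/new stating your desired namespace.
+- You might want to check the available certificates first: `kubectl -n istio-system get certificate`
+- We have separated the cert-management from the actual deployment to avoid getting hit my letsencrypt's rate limits.
+Todos
+- some info on the modules
+- some info on how long a deployment takes
+- rerun / update vs redeploy vs refresh complete namespace
+- some info on "debugging" the deployment
+- semantic release (on main)
+## Local deployments
+[..]
+## Helmfile
+### Setup
+helmfile needs `helm` and the helm plugin `helm-diff` to run properly.
+To install helm-diff ( helm >2.3.):
+```bash
+helm plugin install https://github.com/databus23/helm-diff
+```
+### Environment
+You need to expose following variables to run the default installation with helmfile
+| name | default | description |
+|---------------------|------------------------------|----------------------------------------------------------|
+| `DOMAIN` | `souvap-univention.de` | External reachable TLD. |
+| `ISTIO_DOMAIN` | `istio.souvap-univention.de` | External reachable TLD for Istio Gateway. |
+| `MASTER_PASSWORD` | `sovereign-workplace` | The password where generated passwords are derived from. |
+| `SMTP_PASSWORD` | | Password for STMP relay gateway. |
+| `TURN_CREDENTIALS` | | Credentials for coturn server. |
+### Configuration
+In order to have a functional deployment, you need to adapt the default values to your infrastructure.
+#### Deployment selection
+As default, all available components are deployed.
+| Component | Name | Default | Description |
+|-----------------------------|-------------------------------------|---------|---------------------------------|
+| Certificates | `certificates.enabled` | `true` | TLS certificates. |
+| ClamAV | `clamav.enabled` | `true` | Antivirus engine. |
+| Collabora | `collabora.enabled` | `true` | Weboffice |
+| Dovecot | `dovecot.enabled` | `true` | Mail backend (for development). |
+| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange. |
+| Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
+| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
+| MariaDB | `mariadb.enabled` | `true` | Database (for development) |
+| Nextcloud | `nextcloud.enabled` | `true` | File share |
+| OpenProject | `openproject.enabled` | `true` | Project management |
+| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware |
+| OX Connector | `oxConnector.enabled` | `true` | Backend provisioning |
+| Postfix | `postfix.enabled` | `true` | MTA (for development) |
+| PostgreSQL | `postgresql.enabled` | `true` | Database (for development) |
+| Redis | `redis.enabled` | `true` | Cache (for development) |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | LDAP |
+| XWIKI | `xwiki.enabled` | `true` | Knowledgebase |
+#### TLS Certificate
+The setup will create a `cert-manager.io` Certificate resource.
+You can set the ClusterIssuer via `certificate.issuerRef.name`
+#### Databases
+| Component | Name | Type | Parameter | Key | Default |
+|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Keycloak | Keycloak | PostgreSQL | | | |
+| | | | Name | `databases.keycloak.name` | `keycloak` |
+| | | | Host | `databases.keycloak.host` | `postgresql` |
+| | | | Port | `databases.keycloak.port` | `5432` |
+| | | | Username | `databases.keycloak.username` | `keycloak_user` |
+| | | | Password | `databases.keycloak.password` | |
+| | Keycloak Extension | PostgreSQL | | | |
+| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
+| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
+| | | | Port | `databases.keycloakExtension.port` | `5432` |
+| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
+| | | | Password | `databases.keycloakExtension.password` | |
+| Nextcloud | Nextcloud | MariaDB | | | |
+| | | | Name | `databases.nextcloud.name` | `nextcloud` |
+| | | | Host | `databases.nextcloud.host` | `mariadb` |
+| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
+| | | | Password | `databases.nextcloud.password` | |
+| OpenProject | Keycloak | PostgreSQL | | | |
+| | | | Name | `databases.openproject.name` | `openproject` |
+| | | | Host | `databases.openproject.host` | `postgresql` |
+| | | | Port | `databases.openproject.port` | `5432` |
+| | | | Username | `databases.openproject.username` | `openproject_user` |
+| | | | Password | `databases.openproject.password` | |
+| OX Appsuite | OX Appsuite | MariaDB | | | |
+| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
+| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
+| | | | Username | `databases.oxAppsuite.username` | `root` |
+| | | | Password | `databases.oxAppsuite.password` | |
+| XWIKI | XWIKI | MariaDB | | | |
+| | | | Name | `databases.xwiki.name` | `xwiki` |
+| | | | Host | `databases.xwiki.host` | `mariadb` |
+| | | | Username | `databases.xwiki.username` | `xwiki_user` |
+| | | | Password | `databases.xwiki.password` | |
+#### Scaling
+Replicas for scalable components can be increased.
+| Component | Name | Default | Service | Scaling |
+|-------------|------------------------|---------|--------------------|--------------------|
+| ClamAV | `replicas.clamd` | `1` | :white_check_mark: | :white_check_mark: |
+| | `replicas.freshclam` | `1` | :white_check_mark: | :x: |
+| | `replicas.icap` | `1` | :white_check_mark: | :white_check_mark: |
+| | `replicas.milter` | `1` | :white_check_mark: | :white_check_mark: |
+| Collabora | `replicas.collabora` | `1` | :white_check_mark: | :white_check_mark: |
+| Dovecot | `replicas.dovecot` | `1` | :white_check_mark: | :x: |
+| Jitsi | `replicas.jibri` | `1` | :white_check_mark: | :white_check_mark: |
+| | `replicas.jicofo` | `1` | :white_check_mark: | :white_check_mark: |
+| | `replicas.jitsi ` | `1` | :white_check_mark: | :white_check_mark: |
+| | `replicas.jvb ` | `1` | :white_check_mark: | :white_check_mark: |
+| Keycloak | `replicas.keycloak` | `1` | :white_check_mark: | :white_check_mark: |
+| Nextcloud | `replicas.nextcloud` | `1` | :white_check_mark: | :white_check_mark: |
+| OpenProject | `replicas.openproject` | `1` | :white_check_mark: | :white_check_mark: |
+| Postfix | `replicas.postfix` | `1` | :white_check_mark: | :x: |
+| XWIKI | `replicas.xwiki` | `1` | :white_check_mark: | :white_check_mark: |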

24
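--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+#
+# Advanced Configuration: Nested States
+#
+helmfiles:
+# Path to the helmfile state file being processed BEFORE releases in this state file
+- path: "helmfile/apps/services/helmfile.yaml"
+- path: "helmfile/apps/keycloak/helmfile.yaml"
+- path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
+- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
+- path: "helmfile/apps/openproject/helmfile.yaml"
+- path: "helmfile/apps/intercom-service/helmfile.yaml"
+- path: "helmfile/apps/open-xchange/helmfile.yaml"
+- path: "helmfile/apps/xwiki/helmfile.yaml"
+- path: "helmfile/apps/collabora/helmfile.yaml"
+- path: "helmfile/apps/nextcloud/helmfile.yaml"
+- path: "helmfile/apps/jitsi/helmfile.yaml"
+- path: "helmfile/apps/provisioning/helmfile.yaml"
+missingFileHandler: "Error"
+...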


@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "collabora-online"
url: "https://collaboraonline.github.io/online"
releases:
- name: "collabora-online"
chart: "collabora-online/collabora-online"
version: "1.0.2"
values:
- "values.yaml"
- "values.gotmpl"
condition: "collabora.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,36 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
tag: "{{ .Values.images.collabora.tag }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: "{{ .Values.ingress.ingressClassName }}"
hosts:
- host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "Prefix"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
- "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
collabora:
# Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
username: "collabora-internal-admin"
password: {{ .Values.secrets.collabora.adminPassword }}
aliasgroups:
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
replicaCount: {{ .Values.replicas.collabora }}
...
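Review bot: `password: {{ .Values.secrets.collabora.adminPassword }}` under `collabora` emits the admin secret as a plain scalar, so a generated value that looks like a number or boolean, or that begins with a YAML indicator such as `*`, `&`, `#` or `{`, is either silently retyped or breaks the render; emit it as a string instead, e.g. `password: {{ .Values.secrets.collabora.adminPassword | quote }}`. The same applies to the unquoted secret lines in the intercom-service `values.gotmpl` of this commit (`ics.secret`, `oidc.secret`, `matrix.asSecret`, `portal.apiKey`, `redis.password`). The `# Admin Console Credentials` comment is helpful; extending it with a note that the username `collabora-internal-admin` is fixed here and only the password is generated would make the credential handling clearer to operators.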


@@ -0,0 +1,37 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/README.md or
# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/collabora-online/values.yaml
fullnameOverride: "collabora"
image:
pullPolicy: "IfNotPresent"
collabora:
extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
securityContext:
capabilities:
add:
- "MKNOD"
ingress:
annotations:
# nginx
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
# HAProxy
haproxy.org/timeout-tunnel: "3600s"
haproxy.org/backend-config-snippet: |
mode http
balance leastconn
stick-table type string len 2048 size 1k store conn_cur
http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
http-request track-sc1 url_param(WOPISrc)
stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
stick store-request url_param(WOPISrc)
autoscaling:
enabled: false
...
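Review bot: The `securityContext.capabilities.add` entry granting `MKNOD` carries no justification, and a reviewer auditing pod capabilities cannot tell from this file whether it is still required; presumably it is needed by coolwsd for its per-document chroot jails, as the upstream chart suggests, so a comment above the block such as `# MKNOD is required by coolwsd to set up its per-document jails - re-check when bumping the chart` would record the reason and make it easy to revisit. Likewise `extra_params: "--o:ssl.enable=false --o:ssl.termination=true"` relies on TLS being terminated at the ingress; a one-line comment stating that assumption (`# TLS is terminated at the ingress; Collabora speaks plain HTTP inside the cluster`) would keep it from being mistaken for a plaintext misconfiguration.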


@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "intercom-service"
url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
releases:
- name: "intercom-service"
chart: "intercom-service/intercom-service"
version: "1.1.3"
values:
- "values.yaml"
- "values.gotmpl"
condition: "intercom.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,43 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ics:
secret: {{ .Values.secrets.intercom.secret }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
originRegex: "{{ .Values.istio.domain }}"
default:
domain: "{{ .Values.global.domain }}"
oidc:
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
matrix:
asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
serverName: "matrix.{{ .Values.global.domain }}"
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
redis:
password: {{ .Values.secrets.redis.password }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.intercom.repository }}"
tag: "{{ .Values.images.intercom.tag }}"
ingress:
host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
...
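Review bot: `enabled: "{{ .Values.ingress.enabled }}"` and `enabled: "{{ .Values.ingress.tls.enabled }}"` in the `ingress` block are quoted, so the rendered values are the strings `"true"`/`"false"` rather than booleans; if the chart guards with `{{ if .Values.ingress.enabled }}` the string `"false"` is truthy and the ingress (and its TLS stanza) would be created even when disabled. The collabora `values.gotmpl` in this commit renders the same flag unquoted (`enabled: {{ .Values.ingress.enabled }}`), so aligning these two lines with it avoids the ambiguity; this is inferred, since the chart templates are not part of the commit. `originRegex: "{{ .Values.istio.domain }}"` also passes a hostname into a field whose name suggests a regular expression, where the unescaped dots match any character; worth confirming against the chart that a literal domain is the expected input.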


@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
istio:
enabled: false
virtualService:
enabled: false
...


@@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "jitsi"
url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
releases:
- name: "jitsi"
chart: "jitsi/sovereign-workplace-jitsi"
version: "1.1.0"
values:
- "values-jitsi.gotmpl"
condition: "jitsi.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,120 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
settings:
jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
jitsi:
publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
web:
replicaCount: {{ .Values.replicas.jitsi }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
tag: "{{ .Values.images.jitsi.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
hosts:
- host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
paths:
- "/"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
- "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
extraEnvs:
TURN_ENABLE: "1"
resources:
{{ .Values.resources.openproject | toYaml | nindent 6 }}
prosody:
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
tag: "{{ .Values.images.prosody.tag }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
extraEnvs:
- name: "AUTH_TYPE"
value: "jwt"
- name: "JWT_APP_ID"
value: "myappid"
- name: "JWT_APP_SECRET"
value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
- name: TURNS_HOST
value: "{{ .Values.turn.tls.host }}"
- name: TURNS_PORT
value: "{{ .Values.turn.tls.port }}"
- name: TURN_HOST
value: "{{ .Values.turn.server.host }}"
- name: TURN_PORT
value: "{{ .Values.turn.server.port }}"
- name: TURN_TRANSPORT
value: "{{ .Values.turn.transport }}"
- name: TURN_CREDENTIALS
value: "{{ .Values.turn.credentials }}"
resources:
{{ .Values.resources.openproject | toYaml | nindent 6 }}
persistence:
size: "{{ .Values.persistence.size.prosody }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
jicofo:
replicaCount: {{ .Values.replicas.jicofo }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
tag: "{{ .Values.images.jicofo.tag }}"
xmpp:
password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
resources:
{{ .Values.resources.openproject | toYaml | nindent 6 }}
jvb:
replicaCount: {{ .Values.replicas.jvb }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
tag: "{{ .Values.images.jvb.tag }}"
xmpp:
password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
resources:
{{ .Values.resources.openproject | toYaml | nindent 6 }}
jibri:
replicaCount: {{ .Values.replicas.jibri }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
tag: "{{ .Values.images.jibri.tag }}"
recorder:
password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
xmpp:
password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
resources:
{{ .Values.resources.openproject | toYaml | nindent 6 }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
patchJVB:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
tag: "{{ .Values.images.jitsiPatchJVB.v20230425 }}"
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
resources:
{{ .Values.resources.jitsiKeycloakAdapter | toYaml | nindent 2 }}
...
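Review bot: Every Jitsi component's `resources:` block (under `web`, `prosody`, `jicofo`, `jvb` and `jibri`) is templated from `.Values.resources.openproject`, which looks like a copy-paste from the OpenProject values and would size all five Jitsi workloads with another service's limits; presumably these should read something like `{{ .Values.resources.jitsi | toYaml | nindent 6 }}` (or a per-component key), whichever the environment bases actually define. The `patchJVB` image also departs from the `.tag` key used by every other image entry: `tag: "{{ .Values.images.jitsiPatchJVB.v20230425 }}"` renders as an empty string if that key is absent from the bases, so `tag: "{{ .Values.images.jitsiPatchJVB.tag }}"` is probably intended. The TURN and JWT secrets are passed as literal env `value:` strings into prosody; if the chart accepts `valueFrom`, a `secretKeyRef` would keep them out of the rendered pod spec.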


@@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "swp-keycloak-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
releases:
- name: "swp-keycloak-bootstrap"
chart: "swp-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
version: "1.1.11"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "keycloak.enabled"
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,25 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
config:
administrator:
password: "{{ .Values.secrets.keycloak.adminPassword }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
...


@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
config:
administrator:
username: "kcadmin"
cleanup:
deletePodsOnSuccess: true
...


@@ -0,0 +1,40 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "bitnami"
url: "https://charts.bitnami.com/bitnami"
- name: "keycloak-theme"
url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
- name: "keycloak-extensions"
url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
releases:
- name: "keycloak-theme"
chart: "keycloak-theme/sovereign-workplace-theme"
version: "1.0.0"
values:
- "values-theme.gotmpl"
condition: "keycloak.enabled"
- name: "keycloak"
chart: "bitnami/keycloak"
version: "12.2.0"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
condition: "keycloak.enabled"
- name: "keycloak-extensions"
chart: "keycloak-extensions/keycloak-extensions"
version: "0.1.0"
needs:
- "keycloak"
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
condition: "keycloak.enabled"
bases:
- "../../bases/environments.yaml"
...
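Review bot: The `keycloak` release declares no `needs:` on `keycloak-theme`, although `keycloak-extensions` does declare `needs: ["keycloak"]`; the sibling values-keycloak.yaml in this commit mounts a ConfigMap named `keycloak-theme`, so with helmfile's default concurrency the two releases may install in parallel and, if the ConfigMap is not there yet, the Keycloak pod stays in ContainerCreating until it appears, which with `wait: true` can turn into a timeout. Adding `needs:` / `- "keycloak-theme"` to the `keycloak` release makes the ordering explicit. This is inferred from the volume definition in the sibling file, not from this hunk alone.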


@@ -0,0 +1,43 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
keycloak:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
postgresql:
connection:
host: "{{ .Values.databases.keycloakExtension.host }}"
port: "{{ .Values.databases.keycloakExtension.port }}"
auth:
database: "{{ .Values.databases.keycloakExtension.name }}"
username: "{{ .Values.databases.keycloakExtension.username }}"
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
handler:
appConfig:
smtpPassword: "{{ .Values.smtp.password }}"
smtpHost: "{{ .Values.smtp.host }}"
smtpUsername: "{{ .Values.smtp.username }}"
mailFrom: "noreply@{{ .Values.global.domain }}"
resources:
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
proxy:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtension.repository }}"
tag: "{{ .Values.images.keycloakExtension.tag }}"
imagePullPolicy: "Always"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
annotations:
nginx.org/proxy-buffer-size: "8k"
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
resources:
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
...
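Review bot: `adminPassword: {{ .Values.secrets.keycloak.adminPassword }}` and the `password:` under `postgresql.auth` are interpolated unquoted, so a generated secret that starts with a YAML indicator, contains `: ` or ` #`, or happens to look like a number or boolean changes the rendered document or its type; the safe form already used elsewhere in this commit is `adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}`. The same unquoted pattern recurs in the keycloak, nextcloud-bootstrap, nextcloud, dovecot and openproject gotmpl files. The opposite problem appears at `enabled: "{{ .Values.ingress.enabled }}"` under `proxy.ingress` and `proxy.ingress.tls` (and in the jitsi `web.ingress` block): the double quotes turn the boolean into the string `"false"`, which a Go-template `if .Values.proxy.ingress.enabled` treats as true; unless the chart explicitly parses the string, these should be `enabled: {{ .Values.ingress.enabled }}` as the nextcloud and openproject values in this commit already do.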


@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
host: "keycloak"
adminUsername: "kcadmin"
adminRealm: "master"
realm: "souvap"
handler:
image:
tag: "latest"
appConfig:
captchaProtectionEnable: "False"
postgresql:
enabled: false
proxy:
image:
tag: "latest"
...
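Review bot: `handler.image.tag: "latest"` appears to stay in effect, because the gotmpl that follows it in the helmfile values order only pins `proxy.image.tag`, so the handler is not pinned through `.Values.images.*` like the other components in this commit; together with the `imagePullPolicy: "Always"` set in the gotmpl, the image can change under the deployment on every pod restart. Pinning it from the bases (e.g. an `images.keycloakExtensionHandler` entry, name to be aligned with the bases) would make rollouts reproducible. `captchaProtectionEnable: "False"` is a capitalised string rather than a YAML boolean; if the handler expects exactly that spelling, a comment such as `# string, parsed by the handler; do not change to a YAML boolean` prevents someone from "fixing" it.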



@@ -0,0 +1,87 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloak.repository }}"
tag: "{{ .Values.images.keycloak.tag }}"
digest: "{{ .Values.images.keycloak.digest }}"
externalDatabase:
host: "{{ .Values.databases.keycloak.host }}"
port: {{ .Values.databases.keycloak.port }}
user: "{{ .Values.databases.keycloak.username }}"
database: "{{ .Values.databases.keycloak.name }}"
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
auth:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
replicaCount: {{ .Values.replicas.keycloak }}
keycloakConfigCli:
extraEnvVars:
- name: "LDAP_GROUPS_DN"
value: "cn=groups,dc=swp-ldap,dc=internal"
- name: "LDAP_USERS_DN"
value: "cn=users,dc=swp-ldap,dc=internal"
- name: "LDAP_SERVER_URL"
value: "univention-corporate-container"
- name: "IDENTIFIER"
value: "souvap"
- name: "THEME"
value: "souvap"
- name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
value: "600s"
- name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
- name: "KEYCLOAK_DOMAIN"
value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
- name: "OPENXCHANGE_8_DOMAIN"
value: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- name: "XWIKI_DOMAIN"
value: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
- name: "OPENPROJECT_DOMAIN"
value: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
- name: "NEXTCLOUD_DOMAIN"
value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
- name: "MATRIX_DOMAIN"
value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
- name: "JITSI_PLAIN_DOMAIN"
value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
- name: "ELEMENT_DOMAIN"
value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
- name: "INTERCOM_SERVICE_DOMAIN"
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
- name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:
{{ .Values.resources.keycloak | toYaml | nindent 2 }}
...
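Review bot: The client secrets, the LDAP search password and the Keycloak admin password under `keycloakConfigCli.extraEnvVars` are rendered as literal `value:` strings, so they land in the rendered pod spec and in the Helm release storage and are visible to anyone who can read pods in the namespace; since `extraEnvVars` is a plain container env list, the same entries can use `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key>}}` against a Secret created by the chart or by the bootstrap release. The values are also interpolated unquoted (`value: {{ .Values.secrets.keycloak.clientSecret.intercom }}`), which breaks the document if a generated secret contains `: ` or starts with a YAML indicator; `| quote` is the minimal fix. The env name `KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME` reads like a typo for `..._STORAGEPROVIDER_...`; if the realm import in the suppressed JSON references that exact spelling it must stay, otherwise both sides should be corrected together.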


@@ -0,0 +1,52 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
postgresql:
enabled: false
externalDatabase:
existingSecret: ""
existingSecretPasswordKey: ""
auth:
adminUser: "kcadmin"
# not working as expected with older helm chart, check if it works with most recent one.
# meanwhile we set the loglevel using the extraEnvVars a bit below.
#logging:
# level: "DEBUG"
extraEnvVars:
- name: "KC_LOG_LEVEL"
value: "INFO"
extraStartupArgs: "-Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"
service:
type: "ClusterIP"
ingress:
enabled: false
extraVolumes:
- name: "keycloak-theme"
configMap:
name: "keycloak-theme"
items:
- key: "theme.properties"
path: "souvap/login/theme.properties"
- key: "messages_de.properties"
path: "souvap/login/messages/messages_de.properties"
- key: "messages_en.properties"
path: "souvap/login/messages/messages_en.properties"
- key: "styles.css"
path: "souvap/login/resources/css/styles.css"
- key: "logo.svg"
path: "souvap/login/resources/img/logo_phoenix.svg"
- key: "login.ftl"
path: "souvap/login/login.ftl"
extraVolumeMounts:
- name: "keycloak-theme"
mountPath: "/opt/bitnami/keycloak/themes"
keycloakConfigCli:
enabled: true
command: [ "java", "-jar" ,"/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar" ]
args: [ "--import.var-substitution.enabled=true" ]
cache:
enabled: false
...
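Review bot: `extraStartupArgs` switches on `token_exchange` and `admin_fine_grained_authz` without a comment saying which client is meant to exchange tokens for which audience; both are preview features that widen what a confidential client can do once it has been granted a permission, so a comment like `# token exchange is required by <client> to obtain tokens for <audience>; each exchange must be granted explicitly in that client's permissions` (filled in by whoever owns the consumer) would keep later reviewers from removing or over-granting it. The `-Dkeycloak.profile.feature.*` spelling is the legacy WildFly-era form; confirm that the Keycloak version shipped by `bitnami/keycloak` 12.2.0 still honours it, because the Quarkus distribution expects `KC_FEATURES` / `--features=token-exchange,admin-fine-grained-authz`. `cache.enabled: false` combined with the templated `replicaCount` in the gotmpl means that with more than one replica the pods would not share the distributed cache; if multiple replicas are ever used this needs the cache enabled or session affinity.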


@@ -0,0 +1,10 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
...


@@ -0,0 +1,33 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "swp-nextcloud-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
- name: "nextcloud"
url: "https://nextcloud.github.io/helm/"
releases:
- name: "swp-nextcloud-bootstrap"
chart: "swp-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
version: "2.0.5"
wait: true
timeout: 1800
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "nextcloud.enabled"
- name: "nextcloud"
chart: "nextcloud/nextcloud"
version: "3.5.19"
needs:
- "swp-nextcloud-bootstrap"
values:
- "values-nextcloud.gotmpl"
- "values-nextcloud.yaml"
condition: "nextcloud.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,50 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
config:
administrator:
password: {{ .Values.secrets.nextcloud.adminPassword }}
apps:
integrationSwp:
password: {{ .Values.secrets.centralnavigation.apiKey }}
userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
database:
host: "{{ .Values.databases.nextcloud.host }}"
name: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
ldapSearch:
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
smtp:
host: "{{ .Values.smtp.host }}"
username: "{{ .Values.smtp.username }}"
password: "{{ .Values.smtp.password }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.nextcloud.repository }}"
tag: "{{ .Values.images.nextcloud.tag }}"
persistence:
size:
main: "{{ .Values.persistence.size.nextcloud.main }}"
data: "{{ .Values.persistence.size.nextcloud.data }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
...


@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
config:
administrator:
username: "nextcloud"
antivirus:
host: "clamav-sovereign-workplace-icap"
apps:
integrationSwp:
username: "phoenixusername"
userOidc:
username: "ncoidc"
cleanup:
deletePodsOnSuccess: true
...


@@ -0,0 +1,41 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
nextcloud:
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword }}
externalDatabase:
database: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
redis:
auth:
enabled: true
password: {{ .Values.secrets.redis.password }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: "Always"
tag: "{{ .Values.images.nextcloud.tag }}"
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
metrics:
token: "{{ .Values.secrets.nextcloud.metricsToken }}"
persistence:
storageclass: "{{ .Values.persistence.storageClassNames.RWX }}"
replicaCount: {{ .Values.replicas.nextcloud }}
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
...


@@ -0,0 +1,42 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
persistence:
enabled: true
existingClaim: "nextcloud-main"
nextcloudData:
enabled: true
existingClaim: "nextcloud-data"
redis:
enabled: false
cronjob:
enabled: true
lifecycle:
postStartCommand:
- "sh"
- "-c"
- 'sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data'
internalDatabase:
enabled: false
postgresql:
enabled: false
mariadb:
enabled: false
externalDatabase:
enabled: true
# The nextcloud helm chart provides a sub-chart for mariadb.
# If we use mariadb as a sub-chart it's linked to nextcloud,
# and it is not independent anymore. Since externalDatabase.type
# allows just mysql or postgres, mysql is chosen to connect
# to the mariadb:
type: "mysql"
metrics:
enabled: false
# this is not documented but can be found in values.yaml
service:
port: "80"
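Review bot: `service.port: "80"` is a quoted string where a Kubernetes Service port is an integer; unless the chart coerces it, `port: 80` is the safer spelling, and the comment above it ("not documented but can be found in values.yaml") would be more useful if it named the chart version the key was checked against. The `postStartCommand` sed rewrites the www-data crontab from `*/5` to `*/1` on every container start and silently does nothing if the image's crontab line ever changes; a comment stating the intent, e.g. `# run Nextcloud background jobs every minute instead of the image default of every 5 minutes; no-op if the crontab line changes upstream`, documents that assumption.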


@@ -0,0 +1,39 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "dovecot"
url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
- name: "openxchange"
url: "registry.open-xchange.com"
oci: true
passCredentials: true
# username is retrieve from the environment with the format <registryNameUpperCase>_USERNAME for CI usage, here OPENXCHANGE_USERNAME
# username is retrieve from the environment with the format <registryNameUpperCase>_PASSWORD for CI usage, here OPENXCHANGE_PASSWORD
- name: "sovereign-workplace-open-xchange-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
releases:
- name: "dovecot"
chart: "dovecot/dovecot"
version: "1.1.0"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
condition: "dovecot.enabled"
- name: "open-xchange"
chart: "openxchange/appsuite-core-public-sector/charts/appsuite-public-sector"
version: "1.1.8"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"
condition: "oxAppsuite.enabled"
- name: "sovereign-workplace-open-xchange-bootstrap"
chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
version: "1.2.2"
values:
- "values-openxchange-bootstrap.yaml"
condition: "oxAppsuite.enabled"
bases:
- "../../bases/environments.yaml"
...
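Review bot: `passCredentials: true` on the `openxchange` repository corresponds to helm's `--pass-credentials`, which sends the username and password to any host a chart download is redirected to, not only to `registry.open-xchange.com`; for an `oci: true` repository helmfile logs in to the registry directly and the flag may have no effect, so either drop it or add a comment stating which redirect target needs the credentials. The second comment line repeats "username is retrieve" while describing `OPENXCHANGE_PASSWORD`; it should read `# password is retrieved from the environment with the format <registryNameUpperCase>_PASSWORD for CI usage, here OPENXCHANGE_PASSWORD`.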


@@ -0,0 +1,39 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.dovecot.repository }}"
tag: "{{ .Values.images.dovecot.tag }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
dovecot:
mailDomain: "{{ .Values.global.domain }}"
password: {{ .Values.secrets.dovecot.doveadm }}
ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
oidc:
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
clientID: "as8oidc"
ingress:
tls:
secretName: "{{ .Values.ingress.tls.secretName }}"
replicaCount: {{ .Values.replicas.dovecot }}
persistence:
size: "{{ .Values.persistence.size.dovecot }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
resources:
{{ .Values.resources.dovecot | toYaml | nindent 2 }}
...
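Review bot: Dovecot's `oidc.clientSecret` reuses `.Values.secrets.keycloak.clientSecret.as8oidc` with `clientID: "as8oidc"`, the same confidential client the App Suite middleware uses for its OIDC login in this commit; sharing one client secret between two services means it cannot be rotated or revoked for one of them independently and any token-introspection permission granted to it applies to both. If the Keycloak realm allows it, a dedicated client (and secret) for Dovecot introspection, or at least a comment `# shared with the App Suite core-mw OIDC client on purpose: <reason>`, would make the coupling explicit. `password: {{ .Values.secrets.dovecot.doveadm }}` and the two other secrets here are also interpolated unquoted; `| quote` avoids a broken document when a generated value contains YAML specials.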


@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
persistence:
accessModes:
- "ReadWriteMany"
dovecot:
loginTrustedNetworks: "10.0.0.0/8"
ldap:
enbaled: true
host: "univention-corporate-container"
port: 389
base: "dc=swp-ldap,dc=internal"
oidc:
enabled: true
clientID: "as8oidc"
usernameAttribute: "phoenixusername"
ingress:
enabled: false
...
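Review bot: `ldap.enbaled: true` is misspelled, so unless the chart happens to read that key as well, LDAP stays at the chart default and the `host`, `port` and `base` values beneath it are never used; the fix is `enabled: true`. `loginTrustedNetworks: "10.0.0.0/8"` marks the entire private range as trusted, which in Dovecot lets connections from those addresses override the logged client IP/port and exempts them from the plaintext-auth-without-TLS rejection; narrowing it to the cluster's actual pod and service CIDRs, with a comment naming which component needs it (presumably the App Suite middleware), keeps that trust bounded. `port: 389` with no TLS key visible suggests plain LDAP to `univention-corporate-container`; fine for in-cluster traffic if that is the intent, but worth a one-line comment.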


@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
cleanup:
deletePodsOnSuccess: false
# resources:
# limits:
# # The max amount of CPUs to consume.
# cpu: 1
# # The max amount of RAM to consume.
# memory: "1Gi"
# requests:
# # The amount of CPUs which has to be available on the scheduled node.
# cpu: 1
# # The amount of RAM which has to be available on the scheduled node.
# memory: "256Mi"
# Keep default values:
# coreMiddleware:
# statefulSet: "open-xchange-core-mw-default-0"
# pod: "open-xchange-core-mw-default-0"
...


@@ -0,0 +1,130 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
mysql:
host: "{{ .Values.databases.oxAppsuite.host }}"
database: "{{ .Values.databases.oxAppsuite.name }}"
auth:
user: "{{ .Values.databases.oxAppsuite.username }}"
password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
istio:
enabled: {{ .Values.istio.enabled }}
nextcloud-integration-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
public-sector-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
appsuite:
istio:
enabled: {{ .Values.istio.enabled }}
ingressGateway:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
virtualServices:
appsuite:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
dav:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
core-mw:
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
"com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
"com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
# RC+base64(20 random bytes)
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
core-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
core-ui-middleware:
ingress:
hosts:
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
core-guidedtours:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
guard-ui:
image:
repository: "{{ .Values.global.imageRegistry }}/appsuite-core-public/guard-ui"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
core-cacheservice:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
core-user-guide:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
...
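Review bot: Under `global.mysql.auth`, the application `password` falls back to `.Values.secrets.mariadb.rootPassword` and `rootPassword` is set to the same value, so whenever `databases.oxAppsuite.password` is unset the App Suite database user runs with the MariaDB root credential; the other services in this commit use a per-user secret (`secrets.mariadb.nextcloudUser`), so a dedicated entry such as `password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.oxAppsuiteUser }}"` (key name to be aligned with the bases) should back the application user, leaving `rootPassword` only where the chart genuinely needs root. `com.openexchange.oidc.rpRedirectURILogout` points at the UCS host while every other OIDC URL targets Keycloak or App Suite; that is probably intentional (return to the portal after logout), and a one-line comment would say so. The `oxguardpass` block scalar interpolates two secrets on separate lines; if either value is empty the file still renders but Guard will fail at runtime, so a `required` guard in the template is worth considering.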


@@ -0,0 +1,159 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
appsuite:
istio:
ingressGateway:
name: "sovereign-workplace-gateway-istio-gateway"
core-mw:
enabled: true
masterAdmin: "admin"
features:
status:
# enable admin pack
# admin: enabled
documents: disabled
guard: enabled
packages:
status:
open-xchange-oidc: enabled
open-xchange-authentication-database: disabled
open-xchange-authentication-oauth: enabled
properties:
com.openexchange.UIWebPath: "/appsuite/"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
com.openexchange.oidc.contextLookupClaim: "context"
com.openexchange.oidc.contextLookupNamePart: "full"
com.openexchange.oidc.backchannelLogoutEnabled: "true"
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.userLookupNamePart: "full"
com.openexchange.oidc.userLookupClaim: "phoenixusername"
com.openexchange.oidc.clientId: "as8oidc"
# OAUTH
com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "phoenixusername"
com.openexchange.authentication.oauth.clientId: "as8oidc"
# MAIL
com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail"
com.openexchange.mail.mailServer: "dovecot"
com.openexchange.mail.mailServerSource: "global"
com.openexchange.mail.transport.authType: "xoauth2"
com.openexchange.mail.transportServer: "postfix"
com.openexchange.mail.transportServerSource: "global"
# Mailfilter
com.openexchange.mail.filter.loginType: global
com.openexchange.mail.filter.credentialSource: mail
com.openexchange.mail.filter.server: dovecot
com.openexchange.mail.filter.preferredSaslMech: XOAUTH2
# Capabilities
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.public-sector: "true"
com.openexchange.capability.smime: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: XOAUTH2
# Nextcloud integration
com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
# GDPR
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
# http = (await import('./io.ox/core/http.js')).default
# await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
com.openexchange.smime.test: "true"
# Other
com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
propertiesFiles:
/opt/open-xchange/etc/AdminDaemon.properties:
MASTER_ACCOUNT_OVERRIDE: "true"
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
bindOnly: "false"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Resources
io.ox/core//features/resourceCalendars: "true"
io.ox/core//features/managedResources: "true"
# Categories
io.ox/core//features/categories: "true"
io.ox/core//categories/predefined: '[{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]'
# Nextcloud integration
# io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
# Central navigation
io.ox.public-sector//navigation/oxtabname: tab_groupware
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Dynamic theme
io.ox/dynamic-theme//mainColor: "#004B76"
io.ox/dynamic-theme//logoURL: io.ox.public-sector/logo.svg
io.ox/dynamic-theme//logoWidth: "80"
io.ox/dynamic-theme//topbarBackground: "#fff"
io.ox/dynamic-theme//topbarColor: "#1f1f1f"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
io.ox/dynamic-theme//listSelected: "#ADC8F0"
io.ox/dynamic-theme//listHover: "#ddd"
io.ox/dynamic-theme//folderBackground: "#fff"
io.ox/dynamic-theme//folderSelected: "#ADC8F0"
io.ox/dynamic-theme//folderHover: "#ddd"
asConfig:
default:
host: all
pageHeaderPrefix: "as8.souvap App Suite"
oidcLogin: true
oidcPath: /oidc
core-ui:
enabled: true
core-ui-middleware:
enabled: true
core-guidedtours:
enabled: true
guard-ui:
enabled: true
core-cacheservice:
enabled: true
core-user-guide:
enabled: true
core-imageconverter:
enabled: false
core-spellcheck:
enabled: false
core-documentconverter:
enabled: false
core-documents-collaboration:
enabled: false
office-web:
enabled: false
office-user-guide:
enabled: false
plugins-ui:
enabled: false
cloud-plugins-ui:
enabled: false
drive-client-windows-ox:
enabled: false
core-drive-help:
enabled: false
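Review bot: `com.openexchange.smime.test: "true"` appears to enable a test action on the `oxguard/smime` module, and the comment above it documents how to invoke it from a logged-in browser console; if this is a diagnostic hook it should not ship enabled in the committed baseline, or the comment should state why it is required, e.g. `# smime.test stays enabled in all environments because …`. `com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"` is plain HTTP; that is cluster-internal Service traffic, but a comment noting that this targets the in-cluster Service and that TLS is terminated at the ingress would save the next reviewer the question. The mail-filter keys (`loginType`, `credentialSource`, `server`, `preferredSaslMech`) and `com.openexchange.mail.secondary.authType` are the only unquoted values in a block that quotes everything else; quoting them keeps the style uniform.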


@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "openproject"
url: "https://charts.openproject.org"
releases:
- name: "openproject"
chart: "openproject/openproject"
version: "1.8.0"
values:
- "values.yaml"
- "values.gotmpl"
condition: "openproject.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,71 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openproject.repository }}"
pullPolicy: "Always"
tag: "{{ .Values.images.openproject.tag }}"
memcached:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
postgresql:
auth:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
username: "{{ .Values.databases.openproject.username }}"
database: "{{ .Values.databases.openproject.name }}"
connection:
host: "{{ .Values.databases.openproject.host }}"
port: "{{ .Values.databases.openproject.port }}"
openproject:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
# Will only be set on initial seed / installation
admin_user:
name: "OpenProject Interal Admin"
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: "{{ .Values.secrets.openproject.adminPassword }}"
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
OPENPROJECT_SMTP__PORT: "587" # (default=587)
OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
persistence:
size: "{{ .Values.persistence.size.openproject }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
replicaCount: {{ .Values.replicas.openproject }}
resources:
{{ .Values.resources.openproject | toYaml | nindent 2 }}
...
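Review bot: The three templated secrets in this file — the `postgresql.auth.password` line, `OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET` and `OPENPROJECT_SOUVAP__NAVIGATION__SECRET` — are emitted as bare scalars, unlike the quoted values around them, so a generated secret that starts with `*`, `&` or `{`, contains `: ` or ` #`, or consists only of digits is retyped or breaks the render, and an empty value becomes `null` rather than an empty string. Pipe them through `| quote`, e.g. `password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}` and `OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}`. Separately, the seeded admin is created with `password_reset: "false"`, so the initial admin credential from `secrets.openproject.adminPassword` stays valid until someone rotates it by hand; a comment stating whether that is intended outside development environments would help.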


@@ -0,0 +1,43 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: "registry.souvap-univention.de"
probes:
liveness:
initialDelaySeconds: 300
failureThreshold: 30
readiness:
initialDelaySeconds: 150
failureThreshold: 30
postgresql:
bundled: false
openproject:
oidc:
enabled: true
provider: "keycloak"
identifier: "openproject"
authorizationEndpoint: "/realms/souvap/protocol/openid-connect/auth"
tokenEndpoint: "/realms/souvap/protocol/openid-connect/token"
userinfoEndpoint: "/realms/souvap/protocol/openid-connect/userinfo"
scope: "[openid,phoenix]"
# seed will only be executed on initial installation
seed_locale: "de"
# For more details and more options see https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment:
OPENPROJECT_LOG__LEVEL: "info"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
OPENPROJECT_LOGIN__REQUIRED: "true"
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
OPENPROJECT_SMTP__AUTHENTICATION: "plain"
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
...
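Review bot: `OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"` lets an OIDC login be attached to a pre-existing local OpenProject account by attribute match, and with `OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"` that match keys on a custom claim whose uniqueness and immutability this file cannot show. If the directory ever allows a username to be reused or renamed, a new identity inherits the old account's projects and permissions. Either document why remapping is required, e.g. `# remapping needed to attach pre-OIDC local accounts on first login; set to "false" after cutover`, or set it to `"false"` once initial provisioning is done. The quoting of `scope: "[openid,phoenix]"` is correct and worth keeping, since unquoted it would parse as a flow sequence.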


@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "ox-connector"
url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
releases:
- name: "ox-connector"
chart: "ox-connector/ox-connector"
version: "0.1.0-pre-jconde-standalone-listener"
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"
condition: "oxConnector.enabled"
bases:
- "../../bases/environments.yaml"
...
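Review bot: The ox-connector chart is pinned to `0.1.0-pre-jconde-standalone-listener`, a pre-release tag that by its name appears to come from an individual developer's branch rather than a released line, and nothing in this helmfile records why that tag is needed or when it should be replaced. Pinning is the right choice, but an unexplained pre-release pin in a deployment repository tends to be carried forward indefinitely. Add a comment above the `version:` line, e.g. `# pre-release: standalone listener mode is not yet in a tagged ox-connector release; move to a released version once available`.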


@@ -0,0 +1,30 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.oxConnector.repository }}"
pullPolicy: "Always"
tag: "{{ .Values.images.oxConnector.tag }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
oxConnector:
domainName: "{{ .Values.global.domain }}"
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
...
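Review bot: `oxSoapServer` is built from `.Values.istio.domain` while every other host in this directory is built from `.Values.global.domain`, and the certificates template only touches `istio.domain` inside an `if .Values.istio.enabled` guard; here it is used unconditionally, so a deployment with Istio disabled renders the SOAP URL against whatever `istio.domain` happens to hold. If the connector is meant to reach OX through the Istio gateway, say so with `# OX SOAP API is reached via the Istio gateway host, not the ingress host`; otherwise use `{{ .Values.global.domain }}`. The commented-out `oxMasterAdmin` line uses `(( ))` rather than Go-template syntax and a values path this view cannot confirm exists, so it should be removed or rewritten rather than left as a misleading hint next to the hard-coded `oxMasterAdmin: "admin"`.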


@@ -0,0 +1,47 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: false
oxConnector:
ldapHost: "univention-corporate-container"
#ldapHostIp: ""
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
notifierServer: "univention-corporate-container"
tlsMode: "plain"
# current static password for UCC
ldapPassword: "ucctempldapstring"
caCert: "ucctempldapstring"
debugLevel: "5"
logLevel: "DEBUG"
oxDefaultContext: "1"
oxLocalTimezone: "Europe/Berlin"
oxLanguage: "de_DE"
oxSmtpServer: "smtp://127.0.0.1:587"
oxImapServer: "imap://127.0.0.1:143"
## Container deployment probes
probes:
liveness:
enabled: true
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readiness:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
serviceAccount:
create: true
...
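Review bot: This file commits a literal LDAP bind password, `ldapPassword: "ucctempldapstring"`, for a bind as `cn=admin,dc=swp-ldap,dc=internal` over `tlsMode: "plain"`, so the connector authenticates to the directory as its administrator, in clear text, with a password that is in git history from this commit onward. Every other component in this commit takes its directory credential from `.Values.secrets.*` and UCS provisions dedicated `ldapsearch_*` accounts, so the same should apply here: move the value into the `.gotmpl` as `ldapPassword: {{ .Values.secrets.univentionCorporateServer.ldapAdminPassword | quote }}` (or whichever secrets key is meant to hold it), bind as a least-privilege service account where the connector's write needs allow it, and switch `tlsMode` away from `plain` once the `caCert` placeholder is replaced. `logLevel: "DEBUG"` with `debugLevel: "5"` also belongs in a per-environment override rather than the shared defaults, since debug output from an LDAP listener is likely to include directory entries.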


@@ -0,0 +1,69 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "sovereign-workplace-certificates"
url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
- name: "postgresql"
url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
- name: "mariadb"
url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
- name: "postfix"
url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
- name: "istio-resources"
url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
- name: "clamav"
url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
- name: "bitnami"
url: "https://charts.bitnami.com/bitnami"
releases:
- name: "sovereign-workplace-certificates"
chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
version: "^1.0.0"
values:
- "values-certificates.gotmpl"
condition: "certificates.enabled"
- name: "redis"
chart: "bitnami/redis"
version: "^17.9.3"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
condition: "redis.enabled"
- name: "postgresql"
chart: "postgresql/postgresql"
version: "^1.0.0"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
condition: "postgresql.enabled"
- name: "mariadb"
chart: "mariadb/mariadb"
version: "^1.0.0"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
condition: "mariadb.enabled"
- name: "postfix"
chart: "postfix/postfix"
version: "^1.0.0"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
condition: "postfix.enabled"
- name: "clamav"
chart: "clamav/sovereign-workplace-clamav"
version: "^2.0.0"
values:
- "values-clamav.gotmpl"
condition: "clamav.enabled"
- name: "sovereign-workplace-gateway"
chart: "istio-resources/istio-gateway"
version: "^1.1.0"
values:
- "values-istio-gateway.gotmpl"
condition: "istio.enabled"
bases:
- "../../bases/environments.yaml"
...
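Review bot: Six of the seven releases here use caret ranges (`^1.0.0`, `^2.0.0`, `^17.9.3`) rather than exact chart versions, so what is deployed is whatever the highest matching version in the repository is at sync time, and two clusters synced a week apart can run different charts. For the reference deployment of several environments, pin exact versions (`version: "1.0.0"`) or commit the `helmfile.lock` produced by `helmfile deps` next to this file and say so in a comment such as `# chart versions are resolved via helmfile.lock; run helmfile deps to update`. The `bitnami/redis` range is the widest exposure, since that chart is pulled from a public repository rather than the project's own GitLab registry.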


@@ -0,0 +1,21 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
issuerRef:
name: "{{ .Values.certificate.issuerRef.name }}"
{{- if .Values.istio.enabled }}
istio:
enabled: {{ .Values.istio.enabled }}
domain: {{ .Values.istio.domain }}
issuerRef:
name: "{{ .Values.istio.issuerRef.name }}"
{{- end }}
...


@@ -0,0 +1,58 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
clamd:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.clamd }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
freshclam:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.freshclam }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.freshclam.repository }}"
tag: "{{ .Values.images.freshclam.tag }}"
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
icap:
replicaCount: {{ .Values.replicas.icap }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
milter:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.milter }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.milter.repository }}"
tag: "{{ .Values.images.milter.tag }}"
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
size: "{{ .Values.persistence.size.clamav }}"
...
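Review bot: `podSecurityContext.enabled: false` is set for clamd, freshclam and milter in this shared template with the comment "Disabled until NFS Provisioner on IONOS is fixed", which turns off the chart's pod security context on every environment, not only IONOS. The repository already has per-environment value files (`environments/ionos/values.yaml` is referenced from the bases), so the workaround belongs there as an override while this template keeps the chart default. If it has to stay here for now, make the consequence explicit, e.g. `{{/* TODO: pod security context disabled on ALL clusters as an IONOS NFS workaround; re-enable once the RWX provisioner supports fsGroup */}}`, and note that `icap` is the only ClamAV component that keeps its security context.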


@@ -0,0 +1,13 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.istio.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
tls:
secretName: "{{ .Values.istio.domain }}-tls"
...


@@ -0,0 +1,40 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.mariadb.repository }}"
tag: "{{ .Values.images.mariadb.tag }}"
job:
users:
- username: "xwiki_user"
password: "{{ .Values.secrets.mariadb.xwikiUser }}"
- username: "openxchange_user"
password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
- username: "nextcloud_user"
password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
databases:
- name: "xwiki"
user: "xwiki_user"
- name: "nextcloud"
user: "nextcloud_user"
- name: "openxchange"
user: "openxchange_user"
mariadb:
rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.mariadb }}"
resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }}
...


@@ -0,0 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
job:
enabled: true
...


@@ -0,0 +1,36 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
tag: "{{ .Values.images.postfix.tag }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
postfix:
domain: "{{ .Values.global.domain }}"
virtualMailboxDomains: "{{ .Values.global.domain }}"
overrides:
- fileName: "sasl_passwd.map"
content:
- "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
relayHost: "[{{ .Values.smtp.host }}]:587"
persistence:
size: "{{ .Values.persistence.size.postfix }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
replicaCount: {{ .Values.replicas.postfix }}
resources:
{{ .Values.resources.postfix | toYaml | nindent 2 }}
ingress:
tls:
secretName: "{{ .Values.ingress.tls.secretName }}"
...
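Review bot: The SMTP relay password is rendered into the `sasl_passwd.map` override content as `host user:password`, and the same `smtp.password` is also handed to OpenProject in this commit, so it lands in at least two rendered manifests. This template cannot show whether the postfix chart writes `overrides` into a Secret or a ConfigMap; if it is a ConfigMap, anyone with read access to the namespace can read the relay credential. Add a comment stating the expectation, e.g. `# sasl_passwd.map contains the relay credential; the postfix chart must mount overrides from a Secret`, and build the entry with `- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}` so a password containing `"` or `\` does not break the double-quoted string.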


@@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
postfix:
relayNets: "10.0.0.0/8"
virtualTransport: "lmtps:dovecot:24"
smtpdSASLPath: "inet:dovecot:3659"
smtpdMilters: "inet:clamav-milter:7357"
hostname: "postfix"
inetProtocols: "ipv4"
smtpSASLAuthEnable: "yes"
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
smtpUseTLS: "yes"
smtpdSASLAuthEnable: "no"
smtpdSASLSecurityOptions: "noanonymous"
smtpdSASLType: "dovecot"
smtpdUseTLS: "yes"
smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key"
milterDefaultAction: "accept"
rspamdHost: ""
amavisHost: ""
amavisPortIn: ""
...
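Review bot: `relayNets: "10.0.0.0/8"` together with `smtpdSASLAuthEnable: "no"` means any host in the whole 10/8 range can relay mail through this Postfix unauthenticated, which is far wider than one cluster's pod and service CIDRs and includes anything else on the same private network. Narrow it to the actual CIDRs (`relayNets: "<pod-cidr>,<service-cidr>"`) or require SASL for submission. `milterDefaultAction: "accept"` is fail-open: if `clamav-milter` is unreachable, mail is delivered unscanned, which defeats the purpose of wiring the milter in; `milterDefaultAction: "tempfail"` is the safer default, with a comment explaining the choice either way. `smtpUseTLS: "yes"` only enables opportunistic TLS towards the relay host, so if the relay is reached over the public internet an `encrypt`-level TLS policy (if the chart exposes one) is needed to prevent a downgrade to clear text.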


@@ -0,0 +1,49 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: {{ .Values.global.imageRegistry }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.postgresql.repository }}"
tag: "{{ .Values.images.postgresql.tag }}"
job:
users:
- username: "keycloak_user"
password: {{ .Values.secrets.postgresql.keycloakUser }}
- username: "openproject_user"
password: {{ .Values.secrets.postgresql.openprojectUser }}
- username: "keycloak_extensions_user"
password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
- username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
databases:
- name: "keycloak"
user: "keycloak_user"
- name: "keycloak_extensions"
user: "keycloak_extensions_user"
- name: "openproject"
user: "openproject_user"
- name: "matrix"
user: "matrix_user"
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
- name: "notificationsapi"
user: "notificationsapi_user"
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.postgresql }}"
postgres:
password: {{ .Values.secrets.postgresql.postgresUser }}
resources:
{{ .Values.resources.postgresql | toYaml | nindent 2 }}
...
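Review bot: All six `password:` values in this template are emitted unquoted, so a generated password that begins with `*`, `&`, `[`, `{`, `!` or `@`, contains `: ` or ` #`, or is all digits will either break the render or be retyped before the provisioning job sees it, and an empty value becomes `null`. The sibling mariadb template double-quotes the same kind of values; do the same here, preferably with `| quote`, e.g. `password: {{ .Values.secrets.postgresql.keycloakUser | quote }}` and `password: {{ .Values.secrets.postgresql.postgresUser | quote }}`. A short comment above `users:` stating when the job applies these passwords (first run only, or every sync — the chart is not visible here) would spare the next reader a trip into the chart.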


@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
enabled: true
job:
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
postgres:
user: "postgres"
...


@@ -0,0 +1,26 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
auth:
password: {{ .Values.secrets.redis.password }}
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.redis.repository }}"
tag: "{{ .Values.images.redis.tag }}"
master:
persistence:
size: "{{ .Values.persistence.size.redis }}"
resources:
{{ .Values.resources.redis | toYaml | nindent 4 }}
...
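Review bot: `auth.password: {{ .Values.secrets.redis.password }}` is the only unquoted scalar in this template; a password that starts with a YAML indicator or is numeric is mis-parsed, and an empty one renders as `null`, which the chart may well treat as "no password". Use `password: {{ .Values.secrets.redis.password | quote }}`. Nothing here shows in-cluster Redis traffic being TLS-protected, so this password is the only control on the standalone instance; a comment naming which components are expected to connect would help a later network-policy review.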


@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
architecture: "standalone"
sentinel:
enabled: false
metrics:
enabled: false
...


@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "univention-corporate-container"
url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
releases:
- name: "univention-corporate-container"
chart: "univention-corporate-container/univention-corporate-container"
version: "1.0.10"
values:
- "values.yaml"
- "values.gotmpl"
condition: "univentionCorporateServer.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,68 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "Always"
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
ingress:
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionCorporateServer }}"
extraEnvVars:
- name: ISTIO_DOMAIN
value: {{ .Values.istio.domain }}
- name: CENTRALNAVIGATION_API_SECRET
value: {{ .Values.secrets.centralnavigation.apiKey }}
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
- name: LDAPSEARCH_DOVECOT_USERNAME
value: "ldapsearch_dovecot"
- name: LDAPSEARCH_DOVECOT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
- name: LDAPSEARCH_KEYCLOAK_USERNAME
value: "ldapsearch_keycloak"
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
value: "ldapsearch_nextcloud"
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
- name: LDAPSEARCH_OPENPROJECT_USERNAME
value: "ldapsearch_openproject"
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
- name: LDAPSEARCH_XWIKI_USERNAME
value: "ldapsearch_xwiki"
- name: LDAPSEARCH_XWIKI_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
- name: DEFAULT_ACCOUNT_USER_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
resources:
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
...
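Review bot: Eleven secrets, among them `DEFAULT_ACCOUNT_ADMIN_PASSWORD` and every `LDAPSEARCH_*_PASSWORD`, are injected as literal `value:` entries in `extraEnvVars`, so they end up in clear text in the rendered Pod spec, in the Helm release secret and in `kubectl describe pod` output for anyone with read access to the namespace. If the chart accepts it, reference a Secret instead — `valueFrom: { secretKeyRef: { name: ucs-secrets, key: ldapsearch-ox-password } }` per variable, with the Secret created by the same release — and say so in a comment above `extraEnvVars`. Failing that, at least quote each templated value (`value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}`) as the `*_USERNAME` entries already are, since a numeric or indicator-leading password here is retyped or breaks the render; `ISTIO_DOMAIN` and `CENTRALNAVIGATION_API_SECRET` have the same problem.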


@@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
nodePort:
enabled: false
...


@@ -0,0 +1,30 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
repositories:
- name: "xwiki"
url: "https://xwiki-contrib.github.io/xwiki-helm"
- name: "xwiki-init"
url: "https://gitlab.souvap-univention.de/api/v4/projects/136/packages/helm/stable"
releases:
- name: "xwiki"
chart: "xwiki/xwiki"
version: "1.1.0"
wait: true
timeout: 600
values:
- "values.yaml"
- "values.gotmpl"
condition: "xwiki.enabled"
- name: "xwiki-init"
chart: "xwiki-init/xwiki-init"
version: "1.2.0"
needs:
- "xwiki"
values:
- "values-init.gotmpl"
condition: "xwiki.enabled"
bases:
- "../../bases/environments.yaml"
...


@@ -0,0 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
xwiki:
url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
superadmin:
username: "superadmin"
password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
image:
repository: "{{ .Values.images.xwikiInit.repository }}"
tag: "{{ .Values.images.xwikiInit.tag }}"
...


@@ -0,0 +1,55 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
tag: "{{ .Values.images.xwiki.tag }}"
externalDB:
password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
database: "{{ .Values.databases.xwiki.name }}"
user: "{{ .Values.databases.xwiki.username }}"
host: "{{ .Values.databases.xwiki.host }}"
customConfigs:
"xwiki.cfg":
"xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
"xwiki.properties":
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
"oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki }}
"url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
"workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
"workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
properties:
"attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
ingress:
enabled: {{ .Values.ingress.enabled }}
className: "{{ .Values.ingress.ingressClassName }}"
annotations:
haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
hosts:
- host: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
paths:
- path: /
pathType: "ImplementationSpecific"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
- "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
persistence:
size: "{{ .Values.persistence.size.xwiki }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
replicaCount: {{ .Values.replicas.xwiki }}
resources:
{{ .Values.resources.xwiki | toYaml | nindent 2 }}
...
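Review bot: `oidc.secret` and `workplaceServices.portalSecret` are written into `xwiki.properties` unquoted while the superadmin password a few lines above uses `| quote`; apply `| quote` to both so that a secret beginning with `*`, `&` or `{`, or consisting only of digits, survives the YAML parse. Both `xwiki.cfg` and `xwiki.properties` carry credentials via `customConfigs`, and this template cannot show whether the xwiki chart backs `customConfigs` with a Secret or a ConfigMap; a comment stating the requirement (`# customConfigs carry the superadmin password and OIDC client secret; must be mounted from a Secret`) makes that expectation auditable. `url.trustedDomains` lists only the Keycloak host; if XWiki's own hostname or the portal host also need to be trusted for redirects, they belong here too, otherwise note why a single entry suffices.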


@@ -0,0 +1,62 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
name: "git.xwikisas.com:5050/xwikisas/swp/xwiki"
tag: "0.4-mariadb-tomcat"
pullPolicy: "Always"
ingress:
# enabled: true
annotations:
kubernetes.io/ingress.class: null
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "250m"
istio:
enabled: false
service:
externalPort: 80
enabled: true
mysql:
enabled: false
postgresql:
enabled: false
mariadb:
enabled: false
properties:
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-color": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-color": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color": "@brand-primary"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; }'"
"property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
customConfigs:
xwiki.cfg:
xwiki.url.protocol: "https"
xwiki.properties:
oidc.scope: "openid,profile,email,address,phoenix"
oidc.endpoint.userinfo.method: "GET"
oidc.user.nameFormater: '${oidc.user.phoenixusername._lowerCase}'
oidc.user.subjectFormater: '${oidc.user.subject}'
oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
oidc.clientid: "xwiki"
oidc.endpoint.token.auth_method: "client_secret_basic"
oidc.skipped: false
oidc.logoutMechanism: "rpInitiated"
...
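Review bot: This file sets `image.name`, `image.tag` and `image.pullPolicy`, while the companion `values.gotmpl` sets `image.url` and `image.tag`, so one of the two keys is ignored by the chart and it is not clear from here which registry the image is actually pulled from; if `image.name` wins, the image comes from `git.xwikisas.com:5050` rather than the project registry and bypasses the `imagePullSecrets` configured for it. Confirm the chart's key, delete the other, and leave a comment such as `# image is set in values.gotmpl (image.url) from the project registry; do not set image.name here`. The ingress annotations here are `nginx.ingress.kubernetes.io/*` whereas `values.gotmpl` adds a `haproxy-ingress.github.io/headers` annotation, so at least one set is inert on any given cluster; keep only the annotations matching the configured `ingressClassName`.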


@@ -0,0 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
environments:
default:
values:
- "../../environments/default/*.gotmpl"
ionos:
values:
- "../../environments/default/*.gotmpl"
- "../../environments/ionos/values.yaml"
uv-develop:
values:
- "../../environments/default/*.gotmpl"
- "../../environments/uv-develop/values.yaml"
...


@@ -0,0 +1,9 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
certificate:
issuerRef:
name: "letsencrypt-prod"
...


@@ -0,0 +1,40 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
databases:
keycloak:
name: "keycloak"
host: "postgresql"
port: 5432
username: "keycloak_user"
password: ""
keycloakExtension:
name: "keycloak_extensions"
host: "postgresql"
port: 5432
username: "keycloak_extensions_user"
password: ""
nextcloud:
name: "nextcloud"
host: "mariadb"
username: "nextcloud_user"
password: ""
openproject:
name: "openproject"
host: "postgresql"
port: 5432
username: "openproject_user"
password: ""
oxAppsuite:
host: "mariadb"
name: "CONFIGDB"
username: "root"
password: ""
xwiki:
name: "xwiki"
host: "mariadb"
username: "xwiki_user"
password: ""
...
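Review bot: `databases.oxAppsuite.username: "root"` makes OX App Suite connect to MariaDB as the server superuser, even though the mariadb provisioning values in this commit create a dedicated `openxchange_user` with its own password and an `openxchange` database. Unless OX's provisioning genuinely needs to create databases at runtime (this file cannot show that), point it at that user with `username: "openxchange_user"` and let the `password: ""` default fall back to `secrets.mariadb.openxchangeUser`; if root is required, a comment such as `# OX provisioning creates per-context databases and needs CREATE DATABASE on the server` should accompany it. Note that the `password: ""` defaults rely on Go-template `default` treating `""` as unset, which is the intended fallback here, but it also means an explicit empty password can never be set — worth a one-line comment above `databases:`.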


@@ -0,0 +1,48 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
## The global properties are used to configure multiple charts at once.
#
global:
## Define ingress/virtualservice host.
#
hosts:
collabora: "collabora"
dimension: "integration"
element: "ucc"
etherpad: "etherpad"
intercomService: "ics"
jitsi: "av"
jitsiPlain: "jitsi"
keycloak: "id"
meetingWidgetsBot: "meeting-widgets-bot"
meetingWidgets: "meeting-widgets"
newWorkBoardWidget: "whiteboard-widget"
moodle: "learn"
nextcloud: "fs"
openproject: "project"
openxchange: "webmail"
openxchangeProvisioning: "ox-provisioning"
pollWidget: "poll-widget"
synapse: "matrix"
univentionCorporateServer: "portal"
whiteboard: "whiteboard"
xwiki: "wiki"
## Define host
#
domain: {{ env "DOMAIN" | default "souvap-univention.de" }}
## Define docker registry address.
#
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
## Credentials to fetch images from private registry
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
#
imagePullSecrets:
- "external-registry"
...


@@ -0,0 +1,92 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
images:
clamd:
repository: "clamav/clamav"
tag: "1.1.0_base"
collabora:
repository: "souvap/tooling/images/collabora"
tag: "23.05.1.2.1"
dovecot:
repository: "dovecot/dovecot"
tag: "2.3.20"
freshclam:
repository: "clamav/clamav"
tag: "1.1.0_base"
jibri:
repository: "jitsi/jibri"
tag: "stable-8615"
jicofo:
repository: "jitsi/jicofo"
tag: "stable-8615"
jitsi:
repository: "jitsi/web"
tag: "stable-8615"
jitsiKeycloakAdapter:
repository: "nordeck/jitsi-keycloak-adapter"
tag: "v20230425"
jitsiPatchJVB:
repository: "bitnami/kubectl"
tag: "1.26.6"
jvb:
repository: "jitsi/jvb"
tag: "stable-8615"
icap:
repository: "/souvap/tooling/images/c-icap/c-icap-clamav"
tag: "1.0.4"
intercom:
repository: "univention/intercom-service"
tag: "1.4-kubernetes"
keycloak:
repository: "bitnami/keycloak"
tag: "19.0.3-debian-11-r15"
digest: ""
keycloakBootstrap:
repository: "souvap/tooling/images/ansible"
tag: "4.10.0"
keycloakExtension:
repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
tag: "latest"
mariadb:
repository: "mariadb"
tag: "10"
memcached:
repository: "bitnami/memcached"
tag: "1.6.21-debian-11-r4"
milter:
repository: "clamav/clamav"
tag: "1.1.0_base"
nextcloud:
repository: "nextcloud"
tag: "26.0.1-apache"
openproject:
repository: "souvap/tooling/images/openproject/souvap"
tag: "dev"
oxConnector:
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
tag: "tilt-56c67cc45d91a3a6"
postfix:
repository: "souvap/tooling/images/postfix"
tag: "1.0.0"
postgresql:
repository: "postgres"
tag: "15-alpine"
prosody:
repository: "jitsi/prosody"
tag: "stable-8615"
redis:
repository: "bitnami/redis"
tag: "7.0.12-debian-11-r0"
univentionCorporateServer:
repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
tag: "20230719T143819"
xwiki:
repository: "xwikisas/swp/xwiki"
tag: "0.4-mariadb-tomcat"
xwikiInit:
repository: "curlimages/curl"
tag: "8.1.2"
...
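Review bot: `keycloakExtension` is pinned to `tag: "latest"` and `openproject` to `tag: "dev"`, both mutable, so a redeploy pulls whatever was pushed last and the rendered manifests are neither reproducible nor auditable; only `keycloak` has a `digest:` field, and it is empty. Pin these to immutable tags or, better, give every entry a `digest` and have the chart prefer it over `tag`. Separately, `icap.repository` starts with a `/` unlike every other entry, which presumably yields a `registry//souvap/...` reference once joined with `imageRegistry` — drop the leading slash.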


@@ -0,0 +1,12 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: true
ingressClassName: "cilium"
tls:
enabled: true
secretName: "sovereign-workplace-certificates-tls"
...


@@ -0,0 +1,15 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
istio:
enabled: true
domain: {{ env "ISTIO_DOMAIN" | default "souvap-univention.de" }}
virtualService:
enabled: false
gateway:
enabled: true
issuerRef:
name: "letsencrypt-istio-prod"
...


@@ -0,0 +1,24 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
persistence:
storageClassNames:
RWX: "csi-cephfs-sc"
RWO: "csi-rbd-sc"
size:
clamav: "1Gi"
dovecot: "1Gi"
mariadb: "1Gi"
nextcloud:
main: "1Gi"
data: "10Gi"
openproject: "1Gi"
postfix: "1Gi"
postgresql: "1Gi"
prosody: "1Gi"
redis: "1Gi"
univentionCorporateServer: "1Gi"
xwiki: "1Gi"
...


@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
replicas:
clamd: 1
collabora: 1
dovecot: 1
freshclam: 1
icap: 1
jibri: 1
jicofo: 1
jitsi: 1
jitsiKeycloakAdapter: 1
jvb: 1
keycloak: 1
milter: 1
nextcloud: 1
openproject: 1
postfix: 1
xwiki: 1
...


@@ -0,0 +1,176 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
resources:
clamd:
limits:
cpu: 4
memory: "4Gi"
requests:
cpu: 0.1
memory: "2Gi"
dovecot:
limits:
cpu: 0.5
memory: "0.25Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
freshclam:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
icap:
limits:
cpu: 2
memory: "4Gi"
requests:
cpu: 0.1
memory: "2Gi"
jibri:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
jicofo:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
jitsi:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
jitsiKeycloakAdapter:
limits:
cpu: "100m"
memory: "128Mi"
requests:
cpu: "10m"
memory: "16Mi"
jvb:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
keycloak:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.1
memory: "0.75Gi"
keycloakExtension:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
keycloakBootstrap:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.25Gi"
keycloakProxy:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
mariadb:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.1
memory: "0.5Gi"
milter:
limits:
cpu: 4
memory: "4Gi"
requests:
cpu: 0.1
memory: "2Gi"
nextcloud:
limits:
cpu: 2
memory: "1Gi"
requests:
cpu: 0.1
memory: "0.5Gi"
openproject:
limits:
cpu: 2
memory: "1Gi"
requests:
cpu: 0.1
memory: "0.25Gi"
oxConnector:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.1
memory: "0.25Gi"
postfix:
limits:
cpu: 0.5
memory: "0.25Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
postgresql:
limits:
cpu: 2
memory: "1Gi"
requests:
cpu: 0.1
memory: "0.25Gi"
prosody:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
redis:
limits:
cpu: 1
memory: "0.5Gi"
requests:
cpu: 0.1
memory: "0.1Gi"
univentionCorporateServer:
limits:
cpu: 2
memory: "4Gi"
requests:
cpu: 0.5
memory: "1Gi"
xwiki:
limits:
cpu: 2
memory: "8Gi"
requests:
cpu: 0.1
memory: "6Gi"
...
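Review bot: `jitsiKeycloakAdapter` expresses CPU as strings (`"100m"`, `"10m"`) while every other entry uses bare decimals (`0.1`, `2`); both are valid Kubernetes quantities, but mixing the two forms in one file makes the values harder to diff and review. Pick one form file-wide, e.g. `cpu: 0.1` and `cpu: 0.01` here, or switch the whole file to milli-CPU strings.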


@@ -0,0 +1,88 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
secrets:
oxAppsuite:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum) }}
cookieHashSalt: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum) }}
sessiondEncryptionKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum) }}
shareCryptKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum) }}
oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
univentionCorporateServer:
authSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum) }}
defaultAccounts:
userPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum) }}
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum) }}
ldapSearch:
keycloak: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum) }}
nextcloud: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum) }}
dovecot: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum) }}
ox: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum) }}
openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
postgresql:
postgresUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum) }}
keycloakUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum) }}
keycloakExtensionUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum) }}
matrixUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum) }}
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum) }}
notificationsapiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum) }}
mariadb:
rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum) }}
xwikiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum) }}
openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum) }}
nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum) }}
keycloak:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum) }}
clientSecret:
intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
as8oidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum) }}
nextcloud:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum) }}
metricsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum) }}
openproject:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum) }}
collabora:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
jitsi:
synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
jitsiPlain:
jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
jicofoAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum) }}
jicofoComponentPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum) }}
jvbAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum) }}
etherpad:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
whiteboard:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
centralnavigation:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum) }}
redis:
password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum) }}
dovecot:
doveadm: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum) }}
xwiki:
superadminpassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum) }}
intercom:
secret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum) }}
...
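Review bot: Every credential here derives from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so when the variable is unset the whole deployment — database root, Keycloak admin, LDAP search accounts, OIDC client secrets — gets deterministic passwords that anyone reading this repository can recompute; drop the `default` (or, if this is a helmfile template, use `requiredEnv "MASTER_PASSWORD"`) so rendering fails instead of silently using a known master key. `whiteboard.apiKey` reuses the exact salt of `etherpad.apiKey` (`"etherpad" "apiKey"`), so the two services share one key; give it its own salt such as `"whiteboard" "apiKey"` before anything depends on the current value. `oxguardMC`/`oxguardRC` use `randAlphaNum`, so unlike the rest they change on every render and will rotate on each sync — presumably unintended. The `derivePassword … | sha1sum` outputs are also written unquoted; append `| quote` so a hex digest that happens to look numeric is not retyped by the YAML parser. Note that the `"jistiStandalone"` salt typo is already baked into the derived values, so correcting the spelling rotates those secrets.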


@@ -0,0 +1,10 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
smtp:
host: "mail.brained.io"
username: "relay@souvap-univention.de"
password: "{{ env "SMTP_PASSWORD" }}"
...
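Review bot: `password: "{{ env "SMTP_PASSWORD" }}"` renders to `password: ""` when the variable is unset and breaks the YAML when the password contains `"` or `\`, because the template substitutes raw text inside a double-quoted scalar; `password: {{ env "SMTP_PASSWORD" | quote }}` handles the escaping, and `requiredEnv` (if this is a helmfile template) would fail fast on a missing value. The `credentials` key in the turn hunk of this commit has the same shape and needs the same treatment. A hard-coded external relay host and username in a base values file is also worth a comment stating which environments it applies to.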


@@ -0,0 +1,16 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
turn:
transport: "udp"
credentials: "{{ env "TURN_CREDENTIALS" }}"
server:
host: "turn.develop.souvap-univention.de"
port: "3478"
tls:
host: "turn.develop.souvap-univention.de"
port: "5349"
...


@@ -0,0 +1,42 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}
certificates:
enabled: true
clamav:
enabled: true
collabora:
enabled: true
dovecot:
enabled: true
intercom:
enabled: true
jitsi:
enabled: true
keycloak:
enabled: true
mariadb:
enabled: true
nextcloud:
enabled: true
openproject:
enabled: true
oxAppsuite:
enabled: true
oxConnector:
enabled: true
postfix:
enabled: true
postgresql:
enabled: true
redis:
enabled: true
univentionCorporateServer:
enabled: true
xwiki:
enabled: true
...


@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
ingressClassName: "dedicated-haproxy-external"
persistence:
storageClassNames:
RWX: "nfs-client"
RWO: "ionos-enterprise-ssd"
...


@@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
ingressClassName: "nginx"
...