diff --git a/helmfile/apps/element/helmfile.yaml b/helmfile/apps/element/helmfile.yaml index be62c7c8..e9796637 100644 --- a/helmfile/apps/element/helmfile.yaml +++ b/helmfile/apps/element/helmfile.yaml @@ -14,6 +14,18 @@ repositories: verify: true keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" + # openDesk Matrix Widgets + # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets + - name: "opendesk-matrix-widgets-repo" + oci: true + # yamllint disable rule:line-length + url: >- + {{ env "PRIVATE_IMAGE_REGISTRY_URL" | + default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }} + # yamllint enable rule:line-length + verify: true + keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" + releases: - name: "opendesk-element" chart: "opendesk-element-repo/opendesk-element" @@ -47,6 +59,14 @@ releases: - "values-synapse.gotmpl" condition: "element.enabled" + - name: "matrix-neoboard-widget" + chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget" + version: "3.0.0" + values: + - "values-matrix-neoboard-widget.yaml" + - "values-matrix-neoboard-widget.gotmpl" + condition: "element.enabled" + commonLabels: deploy-stage: "component-1" component: "element" diff --git a/helmfile/apps/element/values-element.gotmpl b/helmfile/apps/element/values-element.gotmpl index 9a7b5360..d14a190b 100644 --- a/helmfile/apps/element/values-element.gotmpl +++ b/helmfile/apps/element/values-element.gotmpl 
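Review bot: In helmfile/apps/element/helmfile.yaml, the new `opendesk-matrix-widgets-repo` entry takes its whole OCI location from `PRIVATE_IMAGE_REGISTRY_URL`, and nothing in the entry says so. Setting that variable replaces the `sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets` path as well as the registry host. `verify: true` with the pinned keyring keeps the signature check in force for a mirror, so a mirror has to serve the chart together with provenance signed by that key. I would add a comment above `url:`, for example `# Override replaces the full chart location; the mirror must serve charts signed with the keyring below.` Whether the neighbouring repository entries follow the same pattern cannot be seen from the hunk.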
@@ -15,6 +15,31 @@ configuration: additionalConfiguration: logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" + "net.nordeck.element_web.module.widget_lifecycle": + widget_permissions: + "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html": + identity_approved: true + "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*": + preload_approved: true + capabilities_approved: + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk + - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot + - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot + - org.matrix.msc2762.send.state_event:m.room.power_levels# + - org.matrix.msc2762.receive.state_event:m.room.power_levels# + - org.matrix.msc2762.receive.state_event:m.room.member + - org.matrix.msc2762.receive.state_event:m.room.name + - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard + - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard + - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#* + - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions + - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling + - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling + - town.robin.msc3846.turn_servers + image: imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" registry: "{{ .Values.global.imageRegistry }}" 
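Review bot: The `widget_permissions` entry for the NeoBoard host uses a `/*` pattern, so every URL served under that host is preloaded and granted the listed capabilities without a user prompt. Those include `org.matrix.msc2762.send.state_event:m.room.power_levels#`, which allows writing room power levels, so the integrity of the widget host becomes part of the trust boundary of every room the widget is added to. If the lifecycle module accepts a narrower pattern, as the Jitsi entry above does by pinning the exact `jitsi.html` URL, I would prefer that here, with a comment stating why the power-levels send capability is required. The capability strings are also the only unquoted string values in the hunk although they contain `:` and `#`. They parse as plain strings today, but quoting them, e.g. `- "org.matrix.msc2762.send.state_event:m.room.power_levels#"`, matches the file's quoting style and guards against a later edit that introduces ` #` or `: `.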
diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl b/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl new file mode 100644 index 00000000..057033b3 --- /dev/null +++ b/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl @@ -0,0 +1,33 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + imageRegistry: "{{ .Values.global.imageRegistry }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}" + tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}" + +ingress: + enabled: "{{ .Values.ingress.enabled }}" + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + tls: + enabled: "{{ .Values.ingress.tls.enabled }}" + secretName: "{{ .Values.ingress.tls.secretName }}" + +theme: + {{ .Values.theme | toYaml | nindent 2 }} + +replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }} + +resources: + {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.yaml b/helmfile/apps/element/values-matrix-neoboard-widget.yaml new file mode 100644 index 00000000..2e1906bb --- /dev/null +++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml 
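Review bot: In values-matrix-neoboard-widget.gotmpl, `ingress.enabled` and `ingress.tls.enabled` are rendered inside double quotes, so the chart receives the strings "true"/"false" rather than booleans. If the chart tests them with a plain `if`, the non-empty string "false" is truthy and neither the ingress nor its TLS setting could be switched off from the environment values. The chart templates are not visible here, so this needs confirming against the chart. `replicaCount` in the same file is already emitted unquoted, and `enabled: {{ .Values.ingress.enabled }}` would keep the boolean type in the same way.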
@@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: "RuntimeDefault" + +podSecurityContext: + enabled: true + fsGroup: 101 +... diff --git a/helmfile/environments/default/global.yaml b/helmfile/environments/default/global.yaml index eb3c6161..a4e2ed31 100644 --- a/helmfile/environments/default/global.yaml +++ b/helmfile/environments/default/global.yaml @@ -15,9 +15,9 @@ global: intercomService: "ics" jitsi: "meet" keycloak: "id" + matrixNeoBoardWidget: "matrix-neoboard-widget" meetingWidgetsBot: "meeting-widgets-bot" meetingWidgets: "meeting-widgets" - newWorkBoardWidget: "whiteboard-widget" nextcloud: "fs" openproject: "project" openxchange: "webmail" diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index 317f4f67..e2a5f6f4 100644 --- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml @@ -75,6 +75,10 @@ images: # For upgrades at least confirm compatibility of target version with OX (regarding AS Guard) tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f" # @supplier: "openDesk DevSecOps" + matrixNeoBoardWidget: + repository: "nordeck/matrix-neoboard-widget" + tag: "0.4.0@sha256:c5e72409a0edc1962e9be618fcb83acce19e64c0c645075d8ff0ccde06e93fc7" + # @supplier: "Nordeck" memcached: repository: "bitnami/memcached" tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d" diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml index fb345e86..620cb25d 100644 
--- a/helmfile/environments/default/replicas.yaml +++ b/helmfile/environments/default/replicas.yaml @@ -19,6 +19,7 @@ replicas: jitsiKeycloakAdapter: 1 jvb: 1 keycloak: 1 + matrixNeoBoardWidget: 1 # clamav-distributed milter: 1 nextcloud: 1 diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml index 1b5288b1..63116ca1 100644 --- a/helmfile/environments/default/resources.yaml +++ b/helmfile/environments/default/resources.yaml @@ -114,6 +114,13 @@ resources: requests: cpu: 0.1 memory: "500Mi" + matrixNeoBoardWidget: + limits: + cpu: 1 + memory: "250Mi" + requests: + cpu: 0.1 + memory: "50Mi" memcached: limits: cpu: 1