From 62f0a4bef274d55b00f18f7b0bb221bfbfbd2f7a Mon Sep 17 00:00:00 2001
From: Andreas Niemann
Date: Mon, 13 May 2024 11:57:36 +0200
Subject: [PATCH] feat: adjust configuration for nubus provisioning, preparatory steps for refactored selfservice-listener
---
 .../values-umbrella.yaml.gotmpl | 156 ++++++++----------
 helmfile/environments/default/images.yaml | 8 +-
 .../environments/default/provisioning.yaml | 37 +++++
 helmfile/environments/default/secrets.gotmpl | 37 +++--
 4 files changed, 135 insertions(+), 103 deletions(-)
 create mode 100644 helmfile/environments/default/provisioning.yaml
diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
index ba8574e4..9ac01743 100644
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -440,7 +440,7 @@ portal-server:
 {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 provisioning:
- enabled: false
+ enabled: true
 api:
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -463,6 +463,8 @@ provisioning:
 - name: {{ . | quote }}
 {{- end }}
 credentialSecretName: "ums-provisioning-dispatcher-credentials"
+ config:
+ UDM_HOST: "ums-udm-rest-api"
 prefill:
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
@@ -474,69 +476,19 @@ provisioning: - name: {{ . | quote }} {{- end }} credentialSecretName: "ums-provisioning-prefill-credentials" - nats: - config: - authorization: - enabled: false - users: - - user: "admin" - password: "$NATS_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_API_USER" - password: "$NATS_API_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_DISPATCHER_USER" - password: "$NATS_DISPATCHER_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_PREFILL_USER" - password: "$NATS_PREFILL_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - extraEnvVars: - - name: NATS_USER - value: "admin" - - name: NATS_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-nats-credentials - key: admin_password - - name: NATS_API_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_USER - - name: NATS_API_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_PASSWORD - - name: NATS_DISPATCHER_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-dispatcher-credentials - key: NATS_USER - - name: NATS_DISPATCHER_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-dispatcher-credentials - key: NATS_PASSWORD - - name: NATS_PREFILL_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_USER - - name: NATS_PREFILL_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_PASSWORD + register_consumers: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} + repository: {{ .Values.images.umsWaitForDependency.repository }} + pullPolicy: {{ .Values.global.imagePullPolicy }} + tag: {{ .Values.images.umsWaitForDependency.tag }} + pullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
| quote }} + {{- end }} + credentialSecretName: "ums-provisioning-register-consumers-credentials" + jsonSecretName: "ums-provisioning-register-consumers-json-secrets" + provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions" nats: nats: image: @@ -557,14 +509,13 @@ provisioning: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.umsNatsReloader.tag | quote }} - ingress: host: "localhost" tls: enabled: false udm-listener: - enabled: false + enabled: true image: registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }} repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }} @@ -575,15 +526,18 @@ udm-listener: - name: {{ . | quote }} {{- end }} config: - debugLevel: "4" ldapBaseDn: {{ .Values.ldap.baseDn | quote }} ldapHost: {{ .Values.ldap.host | quote }} ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} ldapPort: "389" + internalApiHost: "ums-provisioning-api" notifierServer: "ums-ldap-notifier" - tlsMode: "off" natsHost: "ums-provisioning-nats" + natsUser: {{ .Values.provisioning.udmListener.nats.username | quote }} + natsPassword: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }} + eventsUsernameUdm: {{ .Values.provisioning.api.udmListener.username | quote }} + eventsPasswordUdm: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }} stack-data-ums: enabled: true 
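Review bot: The `nats.config.authorization` block with its four users and `enabled: false` is removed in this hunk with no replacement on the new side, so NATS authentication for the api/dispatcher/prefill/udm-listener credentials now rests on whatever the NATS subchart defaults are; please confirm auth is actually enforced after this change, because the per-service NATS passwords created elsewhere in this patch achieve nothing if the server still accepts anonymous connections. Every removed user also had `publish: ">"` / `subscribe: ">"`, so if the subchart now owns the user list, that is the place to scope dispatcher, prefill and listener to their own subjects. The new `provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"` sends the admin credentials from `ums-provisioning-register-consumers-credentials` over plaintext HTTP, which is tolerable only for cluster-internal traffic; a comment such as `# cluster-internal only: the admin credentials travel in clear text on this URL` would record that assumption. The `provisioning:` stanza this hunk edits starts before the hunk.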
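Review bot: The new `natsPassword` and `eventsPasswordUdm` lines add two more credentials under `udm-listener.config:` next to the existing `ldapPassword`, even though this same patch creates `ums-provisioning-udm-listener-credentials` with identical values; unless the udm-listener chart maps `config` into a Secret (not visible here), these passwords land in a ConfigMap or rendered values that are readable without Secret RBAC. If the chart accepts a secret reference, prefer `credentialSecretName: "ums-provisioning-udm-listener-credentials"` and drop the password keys from `config:`; otherwise mark them `# TODO: move to the udm-listener credentials Secret once the chart supports it`. Removing `tlsMode: "off"` while keeping `ldapPort: "389"` and the `cn=admin` bind also means the LDAP transport mode now comes from the chart default, which deserves a one-line comment so nobody assumes it is still plaintext by choice. The `udm-listener:` block starts before this hunk.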
@@ -1547,23 +1501,6 @@ extraSecrets: - name: ums-portal-server-authenticator-credentials stringData: authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }} - - name: ums-provisioning-api-credentials - stringData: - NATS_USER: "api" - NATS_PASSWORD: "password" - - name: ums-provisioning-dispatcher-credentials - stringData: - UDM_USERNAME: "cn=admin" - UDM_PASSWORD: "password" - NATS_USER: "dispatcher" - NATS_PASSWORD: "password" - - name: ums-provisioning-prefill-credentials - stringData: - NATS_USER: "prefill" - NATS_PASSWORD: "password" - - name: ums-provisioning-nats-credentials - stringData: - admin_password: "nimda" - name: ums-udm-rest-api-credentials stringData: ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} 
@@ -1578,4 +1515,53 @@ extraSecrets: stringData: KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }} GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} + + + - name: ums-provisioning-nats-credentials + stringData: + admin_password: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }} + - name: ums-provisioning-api-credentials + stringData: + NATS_USER: {{ .Values.provisioning.api.nats.username | quote }} + NATS_PASSWORD: {{ .Values.provisioning.api.nats.password | default .Values.secrets.univentionManagementStack.provisioning.api.nats.password | quote }} + ADMIN_NATS_USER: {{ .Values.provisioning.nats.username | quote }} + ADMIN_NATS_PASSWORD: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }} + ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }} + ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }} + PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }} + PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }} + EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }} + EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }} + - name: ums-provisioning-dispatcher-credentials + stringData: + UDM_USERNAME: "cn=admin" + UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + NATS_USER: {{ .Values.provisioning.dispatcher.nats.username | quote }} + NATS_PASSWORD: {{ .Values.provisioning.dispatcher.nats.password | default 
.Values.secrets.univentionManagementStack.provisioning.dispatcher.nats.password | quote }} + - name: ums-provisioning-prefill-credentials + stringData: + NATS_USER: {{ .Values.provisioning.prefill.nats.username | quote }} + NATS_PASSWORD: {{ .Values.provisioning.prefill.nats.password | default .Values.secrets.univentionManagementStack.provisioning.prefill.nats.password | quote }} + UDM_USERNAME: "cn=admin" + UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} + PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }} + PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }} + - name: "ums-provisioning-udm-listener-credentials" + stringData: + NATS_USER: {{ .Values.provisioning.udmListener.nats.username | quote }} + NATS_PASSWORD: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }} + EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }} + EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }} + - name: "ums-provisioning-register-consumers-credentials" + stringData: + ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }} + ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }} + - name: "ums-provisioning-register-consumers-json-secrets" + stringData: + consumer.json: | + { "name": "consumer", "realms_topics": [["udm", "groups/group"]], "request_prefill": true, "password": "s0m3p4ss" } + - name: "ums-provisioning-selfservice-listener-credentials" + stringData: + NATS_USER: {{ .Values.provisioning.selfservice.nats.username | quote }} + NATS_PASSWORD: {{ 
.Values.provisioning.selfservice.nats.password | default .Values.secrets.univentionManagementStack.provisioning.selfservice.nats.password | quote }}
 ...
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 10def4a2..80badc7e 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -670,7 +670,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
- tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
+ tag: "0.25.0@sha256:c6c9d1e4a46222105ded32c8e87cb2e9b19945592a9ada4e6c13e6942d721694"
 umsProvisioningEventsAndConsumerApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -680,7 +680,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
- tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
+ tag: "0.25.0@sha256:f0382154126421e4078beede3ce2579f61859da64c497cb5c93acc693bf71647"
 umsProvisioningPrefill:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -690,7 +690,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
- tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
+ tag: "0.25.0@sha256:a5beae74c2575fa20d305ae635bc0c2bba64a9b1173819f8ddd4cca3fb59f6a4"
 umsProvisioningUdmListener:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -700,7 +700,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
- tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
+ tag: "0.25.0@sha256:b67e31d11461d02bc211117408ded3c0428d224b056f26734add7c024d5f710a"
 umsSelfserviceInvitation:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
diff --git a/helmfile/environments/default/provisioning.yaml b/helmfile/environments/default/provisioning.yaml
new file mode 100644
index 00000000..148d76a0
--- /dev/null
+++ b/helmfile/environments/default/provisioning.yaml
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+provisioning:
+ nats:
+ username: "admin"
+ password: ""
+ api:
+ nats:
+ username: "api"
+ password: ""
+ admin:
+ username: "admin"
+ password: ""
+ prefill:
+ username: "prefill"
+ password: ""
+ udmListener:
+ username: "udmListener"
+ password: ""
+ dispatcher:
+ nats:
+ username: "dispatcher"
+ password: ""
+ prefill:
+ nats:
+ username: "prefill"
+ password: ""
+ udmListener:
+ nats:
+ username: "udmListener"
+ password: ""
+ selfservice:
+ nats:
+ username: "selfservice"
+ password: ""
+...
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 203197cd..292efd00 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
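Review bot: `consumer.json` in `ums-provisioning-register-consumers-json-secrets` carries the literal password `"s0m3p4ss"` for the `consumer` subscription, while every other credential in this hunk is templated from `.Values.secrets...`; a fixed password in a tracked values file is recoverable by anyone with repository access and is identical on every deployment. Derive it like the NATS and API passwords (a new entry under `secrets.univentionManagementStack.provisioning` in secrets.gotmpl) and template it here, e.g. `"password": {{ .Values.secrets.univentionManagementStack.provisioning.consumer.password | quote }}` inside the JSON block. The dispatcher and prefill secrets also receive `UDM_USERNAME: "cn=admin"` with the LDAP admin secret, i.e. full directory-admin rights for two background services; if the UDM REST API can be given a dedicated lower-privilege account, this is the place to use it, and otherwise a comment stating that `cn=admin` is deliberate would help. The two bare `+` blank lines before `ums-provisioning-nats-credentials` look accidental.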
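Review bot: The `password: ""` entries in the new provisioning.yaml are only meaningful together with the `| default .Values.secrets...` fallbacks in values-umbrella.yaml.gotmpl (Helm's `default` treats an empty string as unset), and nothing in the file says so; a reader may fill them in here and commit real credentials into a tracked environment file. Add a header comment after the SPDX lines, e.g. `# Empty passwords fall back to the values derived in secrets.gotmpl; never put real passwords in this tracked file, override them in an untracked environment file instead.` A short note that `provisioning.nats.username` and `provisioning.api.admin.username` are both `"admin"` but address different services (the NATS server vs. the provisioning API) would also keep the two from being confused.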
@@ -31,20 +31,29 @@ secrets:
 portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
 portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
 provisioning:
- apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
- apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
- apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
- dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
- prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
- prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
- udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
- dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
- dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
- udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
- udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
- nats:
- natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
-
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "admin" | b64enc | quote }}
+ api:
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "api" | b64enc | quote }}
+ admin:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin" | b64enc | quote }}
+ prefill:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "prefill" | b64enc | quote }}
+ udmListener:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "udmListener" | b64enc | quote }}
+ dispatcher:
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "dispatcher" | b64enc | quote }}
+ prefill:
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "prefill" | b64enc | quote }}
+ udmListener:
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "udmListener" | b64enc | quote }}
+ selfservice:
+ nats:
+ password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "selfservice" | b64enc | quote }}
 postgresql:
 postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
 keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
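Review bot: Each of the eight new passwords is derived from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so a deployment that forgets to set `MASTER_PASSWORD` ends up with NATS and provisioning-API credentials that anyone who reads this file can recompute; this follows the file's existing pattern, but the new entries guard the bus that carries directory change events, which makes this a good point to stop defaulting silently. Helmfile's `requiredEnv` fails the render instead, e.g. `password: {{ derivePassword 1 "long" (requiredEnv "MASTER_PASSWORD") "nats" "admin" | b64enc | quote }}`, and the same substitution applies to the other seven lines. The switch from `sha1sum` to `b64enc` also deserves a comment: these values are consumed through `stringData` in values-umbrella.yaml.gotmpl, so `b64enc` here apparently only normalises the derived string rather than encoding a Secret `data:` field, and `# b64enc only sanitises the derived value; consumers write it into stringData, not data` would stop someone from base64-encoding it a second time.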